From dc61d132cf86d838d584feaf7c837d69438aaa3e Mon Sep 17 00:00:00 2001 
From: Joshua Casey Date: Tue, 1 Aug 2023 13:29:43 -0500 Subject: [PATCH] Address PR feedback, especially to check that the CA bundle is some kind of valid cert --- .../v1alpha1/types_credentialissuer.go.tmpl | 8 + ...cierge.pinniped.dev_credentialissuers.yaml | 5 +- generated/1.17/README.adoc | 7 +- .../config/v1alpha1/types_credentialissuer.go | 8 + ...cierge.pinniped.dev_credentialissuers.yaml | 5 +- generated/1.18/README.adoc | 7 +- .../config/v1alpha1/types_credentialissuer.go | 8 + ...cierge.pinniped.dev_credentialissuers.yaml | 5 +- generated/1.19/README.adoc | 7 +- .../config/v1alpha1/types_credentialissuer.go | 8 + ...cierge.pinniped.dev_credentialissuers.yaml | 5 +- generated/1.20/README.adoc | 7 +- .../config/v1alpha1/types_credentialissuer.go | 8 + ...cierge.pinniped.dev_credentialissuers.yaml | 5 +- generated/1.21/README.adoc | 7 +- .../config/v1alpha1/types_credentialissuer.go | 8 + ...cierge.pinniped.dev_credentialissuers.yaml | 5 +- generated/1.22/README.adoc | 7 +- .../config/v1alpha1/types_credentialissuer.go | 8 + ...cierge.pinniped.dev_credentialissuers.yaml | 5 +- generated/1.23/README.adoc | 7 +- .../config/v1alpha1/types_credentialissuer.go | 8 + ...cierge.pinniped.dev_credentialissuers.yaml | 5 +- generated/1.24/README.adoc | 7 +- .../config/v1alpha1/types_credentialissuer.go | 8 + ...cierge.pinniped.dev_credentialissuers.yaml | 5 +- generated/1.25/README.adoc | 7 +- .../config/v1alpha1/types_credentialissuer.go | 8 + ...cierge.pinniped.dev_credentialissuers.yaml | 5 +- generated/1.26/README.adoc | 7 +- .../config/v1alpha1/types_credentialissuer.go | 8 + ...cierge.pinniped.dev_credentialissuers.yaml | 5 +- generated/1.27/README.adoc | 7 +- .../config/v1alpha1/types_credentialissuer.go | 8 + ...cierge.pinniped.dev_credentialissuers.yaml | 5 +- .../config/v1alpha1/types_credentialissuer.go | 8 + .../impersonatorconfig/impersonator_config.go | 33 +++- .../impersonator_config_test.go | 146 +++++++++++++++++- 
.../concierge_impersonation_proxy_test.go | 71 ++++----- 39 files changed, 397 insertions(+), 94 deletions(-)
diff --git a/apis/concierge/config/v1alpha1/types_credentialissuer.go.tmpl b/apis/concierge/config/v1alpha1/types_credentialissuer.go.tmpl
index 1e869247..0ee0f0db 100644
--- a/apis/concierge/config/v1alpha1/types_credentialissuer.go.tmpl
+++ b/apis/concierge/config/v1alpha1/types_credentialissuer.go.tmpl
@@ -82,6 +82,12 @@ const (
 // ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should
 // serve TLS.
+//
+// If CertificateAuthorityData is not provided, the Concierge impersonation proxy will check the secret
+// for a field called "ca.crt", which will be used as the CertificateAuthorityData.
+//
+// If neither CertificateAuthorityData nor ca.crt is provided, no CA bundle will be advertised for
+// the impersonation proxy endpoint.
 type ImpersonationProxyTLSSpec struct {
 // X.509 Certificate Authority (base64-encoded PEM bundle).
 // Used to advertise the CA bundle for the impersonation proxy endpoint.
@@ -119,6 +125,8 @@ type ImpersonationProxySpec struct {
 // TLS contains information about how the Concierge impersonation proxy should serve TLS.
 //
+ // If this field is empty, the impersonation proxy will generate its own TLS certificate.
+ //
 // +optional
 TLS *ImpersonationProxyTLSSpec `json:"tls,omitempty"`
 }
diff --git a/deploy/concierge/config.concierge.pinniped.dev_credentialissuers.yaml b/deploy/concierge/config.concierge.pinniped.dev_credentialissuers.yaml
index 76b3a3db..f2710862 100644
--- a/deploy/concierge/config.concierge.pinniped.dev_credentialissuers.yaml
+++ b/deploy/concierge/config.concierge.pinniped.dev_credentialissuers.yaml
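Review bot: The added ImpersonationProxyTLSSpec comment in the first hunk says the proxy "will check the secret" without identifying which Secret, and it does not say what happens when the value found under ca.crt is not a certificate, even though the commit subject says such a check was added (the enforcing code is not in this hunk). I would name the referencing field and state the failure mode, e.g. `// If CertificateAuthorityData is not provided, the proxy will look in the Secret referenced by this spec's secret-name field for a key named "ca.crt" and use it as the CA bundle; a value under that key that does not parse as a PEM certificate bundle is rejected rather than advertised.` The last paragraph should also make clear that "no CA bundle will be advertised" does not mean the endpoint is unauthenticated: the proxy still serves TLS with the configured certificate, but clients get nothing from this resource to verify it against and must obtain trust out-of-band, so it is not a license to skip verification. Confirm the exact field name and the rejection behavior against impersonator_config.go before adopting this wording, since neither is visible here.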
@@ -104,8 +104,9 @@ spec:
 type: string
 type: object
 tls:
- description: TLS contains information about how the Concierge
- impersonation proxy should serve TLS.
+ description: "TLS contains information about how the Concierge
+ impersonation proxy should serve TLS. \n If this field is empty,
+ the impersonation proxy will generate its own TLS certificate."
 properties:
 certificateAuthorityData:
 description: X.509 Certificate Authority (base64-encoded PEM
diff --git a/generated/1.17/README.adoc b/generated/1.17/README.adoc
index 3fef5a09..d6e0632e 100644
--- a/generated/1.17/README.adoc
+++ b/generated/1.17/README.adoc
@@ -568,14 +568,17 @@ ImpersonationProxySpec describes the intended configuration of the Concierge imp | *`service`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-config-v1alpha1-impersonationproxyservicespec[$$ImpersonationProxyServiceSpec$$]__ | Service describes the configuration of the Service provisioned to expose the impersonation proxy to clients. | *`externalEndpoint`* __string__ | ExternalEndpoint describes the HTTPS endpoint where the proxy will be exposed. If not set, the proxy will be served using the external name of the LoadBalancer service or the cluster service DNS name. This field must be non-empty when spec.impersonationProxy.service.type is "None". -| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-config-v1alpha1-impersonationproxytlsspec[$$ImpersonationProxyTLSSpec$$]__ | TLS contains information about how the Concierge impersonation proxy should serve TLS. +| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-config-v1alpha1-impersonationproxytlsspec[$$ImpersonationProxyTLSSpec$$]__ | TLS contains information about how the Concierge impersonation proxy should serve TLS. + If this field is empty, the impersonation proxy will generate its own TLS certificate. |=== [id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-config-v1alpha1-impersonationproxytlsspec"] ==== ImpersonationProxyTLSSpec -ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should serve TLS. +ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should serve TLS. + If CertificateAuthorityData is not provided, the Concierge impersonation proxy will check the secret for a field called "ca.crt", which will be used as the CertificateAuthorityData. + If neither CertificateAuthorityData nor ca.crt is provided, no CA bundle will be advertised for the impersonation proxy endpoint. .Appears In: **** 
diff --git a/generated/1.17/apis/concierge/config/v1alpha1/types_credentialissuer.go b/generated/1.17/apis/concierge/config/v1alpha1/types_credentialissuer.go index 1e869247..0ee0f0db 100644 --- a/generated/1.17/apis/concierge/config/v1alpha1/types_credentialissuer.go +++ b/generated/1.17/apis/concierge/config/v1alpha1/types_credentialissuer.go @@ -82,6 +82,12 @@ const ( // ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should // serve TLS. +// +// If CertificateAuthorityData is not provided, the Concierge impersonation proxy will check the secret +// for a field called "ca.crt", which will be used as the CertificateAuthorityData. +// +// If neither CertificateAuthorityData nor ca.crt is provided, no CA bundle will be advertised for +// the impersonation proxy endpoint. type ImpersonationProxyTLSSpec struct { // X.509 Certificate Authority (base64-encoded PEM bundle). // Used to advertise the CA bundle for the impersonation proxy endpoint. @@ -119,6 +125,8 @@ type ImpersonationProxySpec struct { // TLS contains information about how the Concierge impersonation proxy should serve TLS. // + // If this field is empty, the impersonation proxy will generate its own TLS certificate. + // // +optional TLS *ImpersonationProxyTLSSpec `json:"tls,omitempty"` } diff --git a/generated/1.17/crds/config.concierge.pinniped.dev_credentialissuers.yaml b/generated/1.17/crds/config.concierge.pinniped.dev_credentialissuers.yaml index 76b3a3db..f2710862 100644 --- a/generated/1.17/crds/config.concierge.pinniped.dev_credentialissuers.yaml +++ b/generated/1.17/crds/config.concierge.pinniped.dev_credentialissuers.yaml 
@@ -104,8 +104,9 @@ spec: type: string type: object tls: - description: TLS contains information about how the Concierge - impersonation proxy should serve TLS. + description: "TLS contains information about how the Concierge + impersonation proxy should serve TLS. \n If this field is empty, + the impersonation proxy will generate its own TLS certificate." properties: certificateAuthorityData: description: X.509 Certificate Authority (base64-encoded PEM diff --git a/generated/1.18/README.adoc b/generated/1.18/README.adoc index f68201ae..6b4c9c4c 100644 --- a/generated/1.18/README.adoc +++ b/generated/1.18/README.adoc 
@@ -568,14 +568,17 @@ ImpersonationProxySpec describes the intended configuration of the Concierge imp | *`service`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-config-v1alpha1-impersonationproxyservicespec[$$ImpersonationProxyServiceSpec$$]__ | Service describes the configuration of the Service provisioned to expose the impersonation proxy to clients. | *`externalEndpoint`* __string__ | ExternalEndpoint describes the HTTPS endpoint where the proxy will be exposed. If not set, the proxy will be served using the external name of the LoadBalancer service or the cluster service DNS name. This field must be non-empty when spec.impersonationProxy.service.type is "None". -| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-config-v1alpha1-impersonationproxytlsspec[$$ImpersonationProxyTLSSpec$$]__ | TLS contains information about how the Concierge impersonation proxy should serve TLS. +| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-config-v1alpha1-impersonationproxytlsspec[$$ImpersonationProxyTLSSpec$$]__ | TLS contains information about how the Concierge impersonation proxy should serve TLS. + If this field is empty, the impersonation proxy will generate its own TLS certificate. |=== [id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-config-v1alpha1-impersonationproxytlsspec"] ==== ImpersonationProxyTLSSpec -ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should serve TLS. +ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should serve TLS. + If CertificateAuthorityData is not provided, the Concierge impersonation proxy will check the secret for a field called "ca.crt", which will be used as the CertificateAuthorityData. + If neither CertificateAuthorityData nor ca.crt is provided, no CA bundle will be advertised for the impersonation proxy endpoint. .Appears In: **** 
diff --git a/generated/1.18/apis/concierge/config/v1alpha1/types_credentialissuer.go b/generated/1.18/apis/concierge/config/v1alpha1/types_credentialissuer.go index 1e869247..0ee0f0db 100644 --- a/generated/1.18/apis/concierge/config/v1alpha1/types_credentialissuer.go +++ b/generated/1.18/apis/concierge/config/v1alpha1/types_credentialissuer.go @@ -82,6 +82,12 @@ const ( // ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should // serve TLS. +// +// If CertificateAuthorityData is not provided, the Concierge impersonation proxy will check the secret +// for a field called "ca.crt", which will be used as the CertificateAuthorityData. +// +// If neither CertificateAuthorityData nor ca.crt is provided, no CA bundle will be advertised for +// the impersonation proxy endpoint. type ImpersonationProxyTLSSpec struct { // X.509 Certificate Authority (base64-encoded PEM bundle). // Used to advertise the CA bundle for the impersonation proxy endpoint. @@ -119,6 +125,8 @@ type ImpersonationProxySpec struct { // TLS contains information about how the Concierge impersonation proxy should serve TLS. // + // If this field is empty, the impersonation proxy will generate its own TLS certificate. + // // +optional TLS *ImpersonationProxyTLSSpec `json:"tls,omitempty"` } diff --git a/generated/1.18/crds/config.concierge.pinniped.dev_credentialissuers.yaml b/generated/1.18/crds/config.concierge.pinniped.dev_credentialissuers.yaml index 76b3a3db..f2710862 100644 --- a/generated/1.18/crds/config.concierge.pinniped.dev_credentialissuers.yaml +++ b/generated/1.18/crds/config.concierge.pinniped.dev_credentialissuers.yaml 
@@ -104,8 +104,9 @@ spec: type: string type: object tls: - description: TLS contains information about how the Concierge - impersonation proxy should serve TLS. + description: "TLS contains information about how the Concierge + impersonation proxy should serve TLS. \n If this field is empty, + the impersonation proxy will generate its own TLS certificate." properties: certificateAuthorityData: description: X.509 Certificate Authority (base64-encoded PEM diff --git a/generated/1.19/README.adoc b/generated/1.19/README.adoc index 192ffaa7..9d555af3 100644 --- a/generated/1.19/README.adoc +++ b/generated/1.19/README.adoc 
@@ -568,14 +568,17 @@ ImpersonationProxySpec describes the intended configuration of the Concierge imp | *`service`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-config-v1alpha1-impersonationproxyservicespec[$$ImpersonationProxyServiceSpec$$]__ | Service describes the configuration of the Service provisioned to expose the impersonation proxy to clients. | *`externalEndpoint`* __string__ | ExternalEndpoint describes the HTTPS endpoint where the proxy will be exposed. If not set, the proxy will be served using the external name of the LoadBalancer service or the cluster service DNS name. This field must be non-empty when spec.impersonationProxy.service.type is "None". -| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-config-v1alpha1-impersonationproxytlsspec[$$ImpersonationProxyTLSSpec$$]__ | TLS contains information about how the Concierge impersonation proxy should serve TLS. +| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-config-v1alpha1-impersonationproxytlsspec[$$ImpersonationProxyTLSSpec$$]__ | TLS contains information about how the Concierge impersonation proxy should serve TLS. + If this field is empty, the impersonation proxy will generate its own TLS certificate. |=== [id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-config-v1alpha1-impersonationproxytlsspec"] ==== ImpersonationProxyTLSSpec -ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should serve TLS. +ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should serve TLS. + If CertificateAuthorityData is not provided, the Concierge impersonation proxy will check the secret for a field called "ca.crt", which will be used as the CertificateAuthorityData. + If neither CertificateAuthorityData nor ca.crt is provided, no CA bundle will be advertised for the impersonation proxy endpoint. .Appears In: **** 
diff --git a/generated/1.19/apis/concierge/config/v1alpha1/types_credentialissuer.go b/generated/1.19/apis/concierge/config/v1alpha1/types_credentialissuer.go index 1e869247..0ee0f0db 100644 --- a/generated/1.19/apis/concierge/config/v1alpha1/types_credentialissuer.go +++ b/generated/1.19/apis/concierge/config/v1alpha1/types_credentialissuer.go @@ -82,6 +82,12 @@ const ( // ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should // serve TLS. +// +// If CertificateAuthorityData is not provided, the Concierge impersonation proxy will check the secret +// for a field called "ca.crt", which will be used as the CertificateAuthorityData. +// +// If neither CertificateAuthorityData nor ca.crt is provided, no CA bundle will be advertised for +// the impersonation proxy endpoint. type ImpersonationProxyTLSSpec struct { // X.509 Certificate Authority (base64-encoded PEM bundle). // Used to advertise the CA bundle for the impersonation proxy endpoint. @@ -119,6 +125,8 @@ type ImpersonationProxySpec struct { // TLS contains information about how the Concierge impersonation proxy should serve TLS. // + // If this field is empty, the impersonation proxy will generate its own TLS certificate. + // // +optional TLS *ImpersonationProxyTLSSpec `json:"tls,omitempty"` } diff --git a/generated/1.19/crds/config.concierge.pinniped.dev_credentialissuers.yaml b/generated/1.19/crds/config.concierge.pinniped.dev_credentialissuers.yaml index 76b3a3db..f2710862 100644 --- a/generated/1.19/crds/config.concierge.pinniped.dev_credentialissuers.yaml +++ b/generated/1.19/crds/config.concierge.pinniped.dev_credentialissuers.yaml 
@@ -104,8 +104,9 @@ spec: type: string type: object tls: - description: TLS contains information about how the Concierge - impersonation proxy should serve TLS. + description: "TLS contains information about how the Concierge + impersonation proxy should serve TLS. \n If this field is empty, + the impersonation proxy will generate its own TLS certificate." properties: certificateAuthorityData: description: X.509 Certificate Authority (base64-encoded PEM diff --git a/generated/1.20/README.adoc b/generated/1.20/README.adoc index 4bc125c3..344061cc 100644 --- a/generated/1.20/README.adoc +++ b/generated/1.20/README.adoc 
@@ -568,14 +568,17 @@ ImpersonationProxySpec describes the intended configuration of the Concierge imp | *`service`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-concierge-config-v1alpha1-impersonationproxyservicespec[$$ImpersonationProxyServiceSpec$$]__ | Service describes the configuration of the Service provisioned to expose the impersonation proxy to clients. | *`externalEndpoint`* __string__ | ExternalEndpoint describes the HTTPS endpoint where the proxy will be exposed. If not set, the proxy will be served using the external name of the LoadBalancer service or the cluster service DNS name. This field must be non-empty when spec.impersonationProxy.service.type is "None". -| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-concierge-config-v1alpha1-impersonationproxytlsspec[$$ImpersonationProxyTLSSpec$$]__ | TLS contains information about how the Concierge impersonation proxy should serve TLS. +| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-concierge-config-v1alpha1-impersonationproxytlsspec[$$ImpersonationProxyTLSSpec$$]__ | TLS contains information about how the Concierge impersonation proxy should serve TLS. + If this field is empty, the impersonation proxy will generate its own TLS certificate. |=== [id="{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-concierge-config-v1alpha1-impersonationproxytlsspec"] ==== ImpersonationProxyTLSSpec -ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should serve TLS. +ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should serve TLS. + If CertificateAuthorityData is not provided, the Concierge impersonation proxy will check the secret for a field called "ca.crt", which will be used as the CertificateAuthorityData. + If neither CertificateAuthorityData nor ca.crt is provided, no CA bundle will be advertised for the impersonation proxy endpoint. .Appears In: **** 
diff --git a/generated/1.20/apis/concierge/config/v1alpha1/types_credentialissuer.go b/generated/1.20/apis/concierge/config/v1alpha1/types_credentialissuer.go index 1e869247..0ee0f0db 100644 --- a/generated/1.20/apis/concierge/config/v1alpha1/types_credentialissuer.go +++ b/generated/1.20/apis/concierge/config/v1alpha1/types_credentialissuer.go @@ -82,6 +82,12 @@ const ( // ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should // serve TLS. +// +// If CertificateAuthorityData is not provided, the Concierge impersonation proxy will check the secret +// for a field called "ca.crt", which will be used as the CertificateAuthorityData. +// +// If neither CertificateAuthorityData nor ca.crt is provided, no CA bundle will be advertised for +// the impersonation proxy endpoint. type ImpersonationProxyTLSSpec struct { // X.509 Certificate Authority (base64-encoded PEM bundle). // Used to advertise the CA bundle for the impersonation proxy endpoint. @@ -119,6 +125,8 @@ type ImpersonationProxySpec struct { // TLS contains information about how the Concierge impersonation proxy should serve TLS. // + // If this field is empty, the impersonation proxy will generate its own TLS certificate. + // // +optional TLS *ImpersonationProxyTLSSpec `json:"tls,omitempty"` } diff --git a/generated/1.20/crds/config.concierge.pinniped.dev_credentialissuers.yaml b/generated/1.20/crds/config.concierge.pinniped.dev_credentialissuers.yaml index 76b3a3db..f2710862 100644 --- a/generated/1.20/crds/config.concierge.pinniped.dev_credentialissuers.yaml +++ b/generated/1.20/crds/config.concierge.pinniped.dev_credentialissuers.yaml 
@@ -104,8 +104,9 @@ spec: type: string type: object tls: - description: TLS contains information about how the Concierge - impersonation proxy should serve TLS. + description: "TLS contains information about how the Concierge + impersonation proxy should serve TLS. \n If this field is empty, + the impersonation proxy will generate its own TLS certificate." properties: certificateAuthorityData: description: X.509 Certificate Authority (base64-encoded PEM diff --git a/generated/1.21/README.adoc b/generated/1.21/README.adoc index 1c9167e1..7e9cab09 100644 --- a/generated/1.21/README.adoc +++ b/generated/1.21/README.adoc 
@@ -568,14 +568,17 @@ ImpersonationProxySpec describes the intended configuration of the Concierge imp | *`service`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-concierge-config-v1alpha1-impersonationproxyservicespec[$$ImpersonationProxyServiceSpec$$]__ | Service describes the configuration of the Service provisioned to expose the impersonation proxy to clients. | *`externalEndpoint`* __string__ | ExternalEndpoint describes the HTTPS endpoint where the proxy will be exposed. If not set, the proxy will be served using the external name of the LoadBalancer service or the cluster service DNS name. This field must be non-empty when spec.impersonationProxy.service.type is "None". -| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-concierge-config-v1alpha1-impersonationproxytlsspec[$$ImpersonationProxyTLSSpec$$]__ | TLS contains information about how the Concierge impersonation proxy should serve TLS. +| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-concierge-config-v1alpha1-impersonationproxytlsspec[$$ImpersonationProxyTLSSpec$$]__ | TLS contains information about how the Concierge impersonation proxy should serve TLS. + If this field is empty, the impersonation proxy will generate its own TLS certificate. |=== [id="{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-concierge-config-v1alpha1-impersonationproxytlsspec"] ==== ImpersonationProxyTLSSpec -ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should serve TLS. +ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should serve TLS. + If CertificateAuthorityData is not provided, the Concierge impersonation proxy will check the secret for a field called "ca.crt", which will be used as the CertificateAuthorityData. + If neither CertificateAuthorityData nor ca.crt is provided, no CA bundle will be advertised for the impersonation proxy endpoint. .Appears In: **** 
diff --git a/generated/1.21/apis/concierge/config/v1alpha1/types_credentialissuer.go b/generated/1.21/apis/concierge/config/v1alpha1/types_credentialissuer.go index 1e869247..0ee0f0db 100644 --- a/generated/1.21/apis/concierge/config/v1alpha1/types_credentialissuer.go +++ b/generated/1.21/apis/concierge/config/v1alpha1/types_credentialissuer.go @@ -82,6 +82,12 @@ const ( // ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should // serve TLS. +// +// If CertificateAuthorityData is not provided, the Concierge impersonation proxy will check the secret +// for a field called "ca.crt", which will be used as the CertificateAuthorityData. +// +// If neither CertificateAuthorityData nor ca.crt is provided, no CA bundle will be advertised for +// the impersonation proxy endpoint. type ImpersonationProxyTLSSpec struct { // X.509 Certificate Authority (base64-encoded PEM bundle). // Used to advertise the CA bundle for the impersonation proxy endpoint. @@ -119,6 +125,8 @@ type ImpersonationProxySpec struct { // TLS contains information about how the Concierge impersonation proxy should serve TLS. // + // If this field is empty, the impersonation proxy will generate its own TLS certificate. + // // +optional TLS *ImpersonationProxyTLSSpec `json:"tls,omitempty"` } diff --git a/generated/1.21/crds/config.concierge.pinniped.dev_credentialissuers.yaml b/generated/1.21/crds/config.concierge.pinniped.dev_credentialissuers.yaml index 76b3a3db..f2710862 100644 --- a/generated/1.21/crds/config.concierge.pinniped.dev_credentialissuers.yaml +++ b/generated/1.21/crds/config.concierge.pinniped.dev_credentialissuers.yaml 
@@ -104,8 +104,9 @@ spec: type: string type: object tls: - description: TLS contains information about how the Concierge - impersonation proxy should serve TLS. + description: "TLS contains information about how the Concierge + impersonation proxy should serve TLS. \n If this field is empty, + the impersonation proxy will generate its own TLS certificate." properties: certificateAuthorityData: description: X.509 Certificate Authority (base64-encoded PEM diff --git a/generated/1.22/README.adoc b/generated/1.22/README.adoc index 6b6f46cc..9a3c07fa 100644 --- a/generated/1.22/README.adoc +++ b/generated/1.22/README.adoc 
@@ -568,14 +568,17 @@ ImpersonationProxySpec describes the intended configuration of the Concierge imp | *`service`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-concierge-config-v1alpha1-impersonationproxyservicespec[$$ImpersonationProxyServiceSpec$$]__ | Service describes the configuration of the Service provisioned to expose the impersonation proxy to clients. | *`externalEndpoint`* __string__ | ExternalEndpoint describes the HTTPS endpoint where the proxy will be exposed. If not set, the proxy will be served using the external name of the LoadBalancer service or the cluster service DNS name. This field must be non-empty when spec.impersonationProxy.service.type is "None". -| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-concierge-config-v1alpha1-impersonationproxytlsspec[$$ImpersonationProxyTLSSpec$$]__ | TLS contains information about how the Concierge impersonation proxy should serve TLS. +| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-concierge-config-v1alpha1-impersonationproxytlsspec[$$ImpersonationProxyTLSSpec$$]__ | TLS contains information about how the Concierge impersonation proxy should serve TLS. + If this field is empty, the impersonation proxy will generate its own TLS certificate. |=== [id="{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-concierge-config-v1alpha1-impersonationproxytlsspec"] ==== ImpersonationProxyTLSSpec -ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should serve TLS. +ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should serve TLS. + If CertificateAuthorityData is not provided, the Concierge impersonation proxy will check the secret for a field called "ca.crt", which will be used as the CertificateAuthorityData. + If neither CertificateAuthorityData nor ca.crt is provided, no CA bundle will be advertised for the impersonation proxy endpoint. .Appears In: **** 
diff --git a/generated/1.22/apis/concierge/config/v1alpha1/types_credentialissuer.go b/generated/1.22/apis/concierge/config/v1alpha1/types_credentialissuer.go index 1e869247..0ee0f0db 100644 --- a/generated/1.22/apis/concierge/config/v1alpha1/types_credentialissuer.go +++ b/generated/1.22/apis/concierge/config/v1alpha1/types_credentialissuer.go @@ -82,6 +82,12 @@ const ( // ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should // serve TLS. +// +// If CertificateAuthorityData is not provided, the Concierge impersonation proxy will check the secret +// for a field called "ca.crt", which will be used as the CertificateAuthorityData. +// +// If neither CertificateAuthorityData nor ca.crt is provided, no CA bundle will be advertised for +// the impersonation proxy endpoint. type ImpersonationProxyTLSSpec struct { // X.509 Certificate Authority (base64-encoded PEM bundle). // Used to advertise the CA bundle for the impersonation proxy endpoint. @@ -119,6 +125,8 @@ type ImpersonationProxySpec struct { // TLS contains information about how the Concierge impersonation proxy should serve TLS. // + // If this field is empty, the impersonation proxy will generate its own TLS certificate. + // // +optional TLS *ImpersonationProxyTLSSpec `json:"tls,omitempty"` } diff --git a/generated/1.22/crds/config.concierge.pinniped.dev_credentialissuers.yaml b/generated/1.22/crds/config.concierge.pinniped.dev_credentialissuers.yaml index 76b3a3db..f2710862 100644 --- a/generated/1.22/crds/config.concierge.pinniped.dev_credentialissuers.yaml +++ b/generated/1.22/crds/config.concierge.pinniped.dev_credentialissuers.yaml 
@@ -104,8 +104,9 @@ spec: type: string type: object tls: - description: TLS contains information about how the Concierge - impersonation proxy should serve TLS. + description: "TLS contains information about how the Concierge + impersonation proxy should serve TLS. \n If this field is empty, + the impersonation proxy will generate its own TLS certificate." properties: certificateAuthorityData: description: X.509 Certificate Authority (base64-encoded PEM diff --git a/generated/1.23/README.adoc b/generated/1.23/README.adoc index caf71a7a..6d8677e2 100644 --- a/generated/1.23/README.adoc +++ b/generated/1.23/README.adoc 
@@ -568,14 +568,17 @@ ImpersonationProxySpec describes the intended configuration of the Concierge imp | *`service`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-concierge-config-v1alpha1-impersonationproxyservicespec[$$ImpersonationProxyServiceSpec$$]__ | Service describes the configuration of the Service provisioned to expose the impersonation proxy to clients. | *`externalEndpoint`* __string__ | ExternalEndpoint describes the HTTPS endpoint where the proxy will be exposed. If not set, the proxy will be served using the external name of the LoadBalancer service or the cluster service DNS name. This field must be non-empty when spec.impersonationProxy.service.type is "None". -| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-concierge-config-v1alpha1-impersonationproxytlsspec[$$ImpersonationProxyTLSSpec$$]__ | TLS contains information about how the Concierge impersonation proxy should serve TLS. +| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-concierge-config-v1alpha1-impersonationproxytlsspec[$$ImpersonationProxyTLSSpec$$]__ | TLS contains information about how the Concierge impersonation proxy should serve TLS. + If this field is empty, the impersonation proxy will generate its own TLS certificate. |=== [id="{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-concierge-config-v1alpha1-impersonationproxytlsspec"] ==== ImpersonationProxyTLSSpec -ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should serve TLS. +ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should serve TLS. + If CertificateAuthorityData is not provided, the Concierge impersonation proxy will check the secret for a field called "ca.crt", which will be used as the CertificateAuthorityData. + If neither CertificateAuthorityData nor ca.crt is provided, no CA bundle will be advertised for the impersonation proxy endpoint. .Appears In: **** 
diff --git a/generated/1.23/apis/concierge/config/v1alpha1/types_credentialissuer.go b/generated/1.23/apis/concierge/config/v1alpha1/types_credentialissuer.go index 1e869247..0ee0f0db 100644 --- a/generated/1.23/apis/concierge/config/v1alpha1/types_credentialissuer.go +++ b/generated/1.23/apis/concierge/config/v1alpha1/types_credentialissuer.go @@ -82,6 +82,12 @@ const ( // ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should // serve TLS. +// +// If CertificateAuthorityData is not provided, the Concierge impersonation proxy will check the secret +// for a field called "ca.crt", which will be used as the CertificateAuthorityData. +// +// If neither CertificateAuthorityData nor ca.crt is provided, no CA bundle will be advertised for +// the impersonation proxy endpoint. type ImpersonationProxyTLSSpec struct { // X.509 Certificate Authority (base64-encoded PEM bundle). // Used to advertise the CA bundle for the impersonation proxy endpoint. @@ -119,6 +125,8 @@ type ImpersonationProxySpec struct { // TLS contains information about how the Concierge impersonation proxy should serve TLS. // + // If this field is empty, the impersonation proxy will generate its own TLS certificate. + // // +optional TLS *ImpersonationProxyTLSSpec `json:"tls,omitempty"` } diff --git a/generated/1.23/crds/config.concierge.pinniped.dev_credentialissuers.yaml b/generated/1.23/crds/config.concierge.pinniped.dev_credentialissuers.yaml index 76b3a3db..f2710862 100644 --- a/generated/1.23/crds/config.concierge.pinniped.dev_credentialissuers.yaml +++ b/generated/1.23/crds/config.concierge.pinniped.dev_credentialissuers.yaml 
@@ -104,8 +104,9 @@ spec: type: string type: object tls: - description: TLS contains information about how the Concierge - impersonation proxy should serve TLS. + description: "TLS contains information about how the Concierge + impersonation proxy should serve TLS. \n If this field is empty, + the impersonation proxy will generate its own TLS certificate." properties: certificateAuthorityData: description: X.509 Certificate Authority (base64-encoded PEM diff --git a/generated/1.24/README.adoc b/generated/1.24/README.adoc index c0efdc4c..e534819a 100644 --- a/generated/1.24/README.adoc +++ b/generated/1.24/README.adoc 
@@ -568,14 +568,17 @@ ImpersonationProxySpec describes the intended configuration of the Concierge imp | *`service`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-concierge-config-v1alpha1-impersonationproxyservicespec[$$ImpersonationProxyServiceSpec$$]__ | Service describes the configuration of the Service provisioned to expose the impersonation proxy to clients. | *`externalEndpoint`* __string__ | ExternalEndpoint describes the HTTPS endpoint where the proxy will be exposed. If not set, the proxy will be served using the external name of the LoadBalancer service or the cluster service DNS name. This field must be non-empty when spec.impersonationProxy.service.type is "None". -| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-concierge-config-v1alpha1-impersonationproxytlsspec[$$ImpersonationProxyTLSSpec$$]__ | TLS contains information about how the Concierge impersonation proxy should serve TLS. +| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-concierge-config-v1alpha1-impersonationproxytlsspec[$$ImpersonationProxyTLSSpec$$]__ | TLS contains information about how the Concierge impersonation proxy should serve TLS. + If this field is empty, the impersonation proxy will generate its own TLS certificate. |=== [id="{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-concierge-config-v1alpha1-impersonationproxytlsspec"] ==== ImpersonationProxyTLSSpec -ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should serve TLS. +ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should serve TLS. + If CertificateAuthorityData is not provided, the Concierge impersonation proxy will check the secret for a field called "ca.crt", which will be used as the CertificateAuthorityData. + If neither CertificateAuthorityData nor ca.crt is provided, no CA bundle will be advertised for the impersonation proxy endpoint. .Appears In: **** 
diff --git a/generated/1.24/apis/concierge/config/v1alpha1/types_credentialissuer.go b/generated/1.24/apis/concierge/config/v1alpha1/types_credentialissuer.go index 1e869247..0ee0f0db 100644 --- a/generated/1.24/apis/concierge/config/v1alpha1/types_credentialissuer.go +++ b/generated/1.24/apis/concierge/config/v1alpha1/types_credentialissuer.go @@ -82,6 +82,12 @@ const ( // ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should // serve TLS. +// +// If CertificateAuthorityData is not provided, the Concierge impersonation proxy will check the secret +// for a field called "ca.crt", which will be used as the CertificateAuthorityData. +// +// If neither CertificateAuthorityData nor ca.crt is provided, no CA bundle will be advertised for +// the impersonation proxy endpoint. type ImpersonationProxyTLSSpec struct { // X.509 Certificate Authority (base64-encoded PEM bundle). // Used to advertise the CA bundle for the impersonation proxy endpoint. @@ -119,6 +125,8 @@ type ImpersonationProxySpec struct { // TLS contains information about how the Concierge impersonation proxy should serve TLS. // + // If this field is empty, the impersonation proxy will generate its own TLS certificate. + // // +optional TLS *ImpersonationProxyTLSSpec `json:"tls,omitempty"` } diff --git a/generated/1.24/crds/config.concierge.pinniped.dev_credentialissuers.yaml b/generated/1.24/crds/config.concierge.pinniped.dev_credentialissuers.yaml index 76b3a3db..f2710862 100644 --- a/generated/1.24/crds/config.concierge.pinniped.dev_credentialissuers.yaml +++ b/generated/1.24/crds/config.concierge.pinniped.dev_credentialissuers.yaml 
@@ -104,8 +104,9 @@ spec: type: string type: object tls: - description: TLS contains information about how the Concierge - impersonation proxy should serve TLS. + description: "TLS contains information about how the Concierge + impersonation proxy should serve TLS. \n If this field is empty, + the impersonation proxy will generate its own TLS certificate." properties: certificateAuthorityData: description: X.509 Certificate Authority (base64-encoded PEM diff --git a/generated/1.25/README.adoc b/generated/1.25/README.adoc index 15332b46..c9c94198 100644 --- a/generated/1.25/README.adoc +++ b/generated/1.25/README.adoc 
@@ -566,14 +566,17 @@ ImpersonationProxySpec describes the intended configuration of the Concierge imp | *`service`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-concierge-config-v1alpha1-impersonationproxyservicespec[$$ImpersonationProxyServiceSpec$$]__ | Service describes the configuration of the Service provisioned to expose the impersonation proxy to clients. | *`externalEndpoint`* __string__ | ExternalEndpoint describes the HTTPS endpoint where the proxy will be exposed. If not set, the proxy will be served using the external name of the LoadBalancer service or the cluster service DNS name. This field must be non-empty when spec.impersonationProxy.service.type is "None". -| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-concierge-config-v1alpha1-impersonationproxytlsspec[$$ImpersonationProxyTLSSpec$$]__ | TLS contains information about how the Concierge impersonation proxy should serve TLS. +| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-concierge-config-v1alpha1-impersonationproxytlsspec[$$ImpersonationProxyTLSSpec$$]__ | TLS contains information about how the Concierge impersonation proxy should serve TLS. + If this field is empty, the impersonation proxy will generate its own TLS certificate. |=== [id="{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-concierge-config-v1alpha1-impersonationproxytlsspec"] ==== ImpersonationProxyTLSSpec -ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should serve TLS. +ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should serve TLS. + If CertificateAuthorityData is not provided, the Concierge impersonation proxy will check the secret for a field called "ca.crt", which will be used as the CertificateAuthorityData. + If neither CertificateAuthorityData nor ca.crt is provided, no CA bundle will be advertised for the impersonation proxy endpoint. .Appears In: **** 
diff --git a/generated/1.25/apis/concierge/config/v1alpha1/types_credentialissuer.go b/generated/1.25/apis/concierge/config/v1alpha1/types_credentialissuer.go index 1e869247..0ee0f0db 100644 --- a/generated/1.25/apis/concierge/config/v1alpha1/types_credentialissuer.go +++ b/generated/1.25/apis/concierge/config/v1alpha1/types_credentialissuer.go @@ -82,6 +82,12 @@ const ( // ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should // serve TLS. +// +// If CertificateAuthorityData is not provided, the Concierge impersonation proxy will check the secret +// for a field called "ca.crt", which will be used as the CertificateAuthorityData. +// +// If neither CertificateAuthorityData nor ca.crt is provided, no CA bundle will be advertised for +// the impersonation proxy endpoint. type ImpersonationProxyTLSSpec struct { // X.509 Certificate Authority (base64-encoded PEM bundle). // Used to advertise the CA bundle for the impersonation proxy endpoint. @@ -119,6 +125,8 @@ type ImpersonationProxySpec struct { // TLS contains information about how the Concierge impersonation proxy should serve TLS. // + // If this field is empty, the impersonation proxy will generate its own TLS certificate. + // // +optional TLS *ImpersonationProxyTLSSpec `json:"tls,omitempty"` } diff --git a/generated/1.25/crds/config.concierge.pinniped.dev_credentialissuers.yaml b/generated/1.25/crds/config.concierge.pinniped.dev_credentialissuers.yaml index 76b3a3db..f2710862 100644 --- a/generated/1.25/crds/config.concierge.pinniped.dev_credentialissuers.yaml +++ b/generated/1.25/crds/config.concierge.pinniped.dev_credentialissuers.yaml 
@@ -104,8 +104,9 @@ spec: type: string type: object tls: - description: TLS contains information about how the Concierge - impersonation proxy should serve TLS. + description: "TLS contains information about how the Concierge + impersonation proxy should serve TLS. \n If this field is empty, + the impersonation proxy will generate its own TLS certificate." properties: certificateAuthorityData: description: X.509 Certificate Authority (base64-encoded PEM diff --git a/generated/1.26/README.adoc b/generated/1.26/README.adoc index c68d22d4..77d7cc3c 100644 --- a/generated/1.26/README.adoc +++ b/generated/1.26/README.adoc 
@@ -566,14 +566,17 @@ ImpersonationProxySpec describes the intended configuration of the Concierge imp | *`service`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-concierge-config-v1alpha1-impersonationproxyservicespec[$$ImpersonationProxyServiceSpec$$]__ | Service describes the configuration of the Service provisioned to expose the impersonation proxy to clients. | *`externalEndpoint`* __string__ | ExternalEndpoint describes the HTTPS endpoint where the proxy will be exposed. If not set, the proxy will be served using the external name of the LoadBalancer service or the cluster service DNS name. This field must be non-empty when spec.impersonationProxy.service.type is "None". -| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-concierge-config-v1alpha1-impersonationproxytlsspec[$$ImpersonationProxyTLSSpec$$]__ | TLS contains information about how the Concierge impersonation proxy should serve TLS. +| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-concierge-config-v1alpha1-impersonationproxytlsspec[$$ImpersonationProxyTLSSpec$$]__ | TLS contains information about how the Concierge impersonation proxy should serve TLS. + If this field is empty, the impersonation proxy will generate its own TLS certificate. |=== [id="{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-concierge-config-v1alpha1-impersonationproxytlsspec"] ==== ImpersonationProxyTLSSpec -ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should serve TLS. +ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should serve TLS. + If CertificateAuthorityData is not provided, the Concierge impersonation proxy will check the secret for a field called "ca.crt", which will be used as the CertificateAuthorityData. + If neither CertificateAuthorityData nor ca.crt is provided, no CA bundle will be advertised for the impersonation proxy endpoint. .Appears In: **** 
diff --git a/generated/1.26/apis/concierge/config/v1alpha1/types_credentialissuer.go b/generated/1.26/apis/concierge/config/v1alpha1/types_credentialissuer.go index 1e869247..0ee0f0db 100644 --- a/generated/1.26/apis/concierge/config/v1alpha1/types_credentialissuer.go +++ b/generated/1.26/apis/concierge/config/v1alpha1/types_credentialissuer.go @@ -82,6 +82,12 @@ const ( // ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should // serve TLS. +// +// If CertificateAuthorityData is not provided, the Concierge impersonation proxy will check the secret +// for a field called "ca.crt", which will be used as the CertificateAuthorityData. +// +// If neither CertificateAuthorityData nor ca.crt is provided, no CA bundle will be advertised for +// the impersonation proxy endpoint. type ImpersonationProxyTLSSpec struct { // X.509 Certificate Authority (base64-encoded PEM bundle). // Used to advertise the CA bundle for the impersonation proxy endpoint. @@ -119,6 +125,8 @@ type ImpersonationProxySpec struct { // TLS contains information about how the Concierge impersonation proxy should serve TLS. // + // If this field is empty, the impersonation proxy will generate its own TLS certificate. + // // +optional TLS *ImpersonationProxyTLSSpec `json:"tls,omitempty"` } diff --git a/generated/1.26/crds/config.concierge.pinniped.dev_credentialissuers.yaml b/generated/1.26/crds/config.concierge.pinniped.dev_credentialissuers.yaml index 76b3a3db..f2710862 100644 --- a/generated/1.26/crds/config.concierge.pinniped.dev_credentialissuers.yaml +++ b/generated/1.26/crds/config.concierge.pinniped.dev_credentialissuers.yaml 
@@ -104,8 +104,9 @@ spec: type: string type: object tls: - description: TLS contains information about how the Concierge - impersonation proxy should serve TLS. + description: "TLS contains information about how the Concierge + impersonation proxy should serve TLS. \n If this field is empty, + the impersonation proxy will generate its own TLS certificate." properties: certificateAuthorityData: description: X.509 Certificate Authority (base64-encoded PEM diff --git a/generated/1.27/README.adoc b/generated/1.27/README.adoc index f4fbe660..b371df55 100644 --- a/generated/1.27/README.adoc +++ b/generated/1.27/README.adoc 
@@ -566,14 +566,17 @@ ImpersonationProxySpec describes the intended configuration of the Concierge imp | *`service`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-concierge-config-v1alpha1-impersonationproxyservicespec[$$ImpersonationProxyServiceSpec$$]__ | Service describes the configuration of the Service provisioned to expose the impersonation proxy to clients. | *`externalEndpoint`* __string__ | ExternalEndpoint describes the HTTPS endpoint where the proxy will be exposed. If not set, the proxy will be served using the external name of the LoadBalancer service or the cluster service DNS name. This field must be non-empty when spec.impersonationProxy.service.type is "None". -| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-concierge-config-v1alpha1-impersonationproxytlsspec[$$ImpersonationProxyTLSSpec$$]__ | TLS contains information about how the Concierge impersonation proxy should serve TLS. +| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-concierge-config-v1alpha1-impersonationproxytlsspec[$$ImpersonationProxyTLSSpec$$]__ | TLS contains information about how the Concierge impersonation proxy should serve TLS. + If this field is empty, the impersonation proxy will generate its own TLS certificate. |=== [id="{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-concierge-config-v1alpha1-impersonationproxytlsspec"] ==== ImpersonationProxyTLSSpec -ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should serve TLS. +ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should serve TLS. + If CertificateAuthorityData is not provided, the Concierge impersonation proxy will check the secret for a field called "ca.crt", which will be used as the CertificateAuthorityData. + If neither CertificateAuthorityData nor ca.crt is provided, no CA bundle will be advertised for the impersonation proxy endpoint. .Appears In: **** 
diff --git a/generated/1.27/apis/concierge/config/v1alpha1/types_credentialissuer.go b/generated/1.27/apis/concierge/config/v1alpha1/types_credentialissuer.go index 1e869247..0ee0f0db 100644 --- a/generated/1.27/apis/concierge/config/v1alpha1/types_credentialissuer.go +++ b/generated/1.27/apis/concierge/config/v1alpha1/types_credentialissuer.go @@ -82,6 +82,12 @@ const ( // ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should // serve TLS. +// +// If CertificateAuthorityData is not provided, the Concierge impersonation proxy will check the secret +// for a field called "ca.crt", which will be used as the CertificateAuthorityData. +// +// If neither CertificateAuthorityData nor ca.crt is provided, no CA bundle will be advertised for +// the impersonation proxy endpoint. type ImpersonationProxyTLSSpec struct { // X.509 Certificate Authority (base64-encoded PEM bundle). // Used to advertise the CA bundle for the impersonation proxy endpoint. @@ -119,6 +125,8 @@ type ImpersonationProxySpec struct { // TLS contains information about how the Concierge impersonation proxy should serve TLS. // + // If this field is empty, the impersonation proxy will generate its own TLS certificate. + // // +optional TLS *ImpersonationProxyTLSSpec `json:"tls,omitempty"` } diff --git a/generated/1.27/crds/config.concierge.pinniped.dev_credentialissuers.yaml b/generated/1.27/crds/config.concierge.pinniped.dev_credentialissuers.yaml index 76b3a3db..f2710862 100644 --- a/generated/1.27/crds/config.concierge.pinniped.dev_credentialissuers.yaml +++ b/generated/1.27/crds/config.concierge.pinniped.dev_credentialissuers.yaml 
@@ -104,8 +104,9 @@ spec: type: string type: object tls: - description: TLS contains information about how the Concierge - impersonation proxy should serve TLS. + description: "TLS contains information about how the Concierge + impersonation proxy should serve TLS. \n If this field is empty, + the impersonation proxy will generate its own TLS certificate." properties: certificateAuthorityData: description: X.509 Certificate Authority (base64-encoded PEM diff --git a/generated/latest/apis/concierge/config/v1alpha1/types_credentialissuer.go b/generated/latest/apis/concierge/config/v1alpha1/types_credentialissuer.go index 1e869247..0ee0f0db 100644 --- a/generated/latest/apis/concierge/config/v1alpha1/types_credentialissuer.go +++ b/generated/latest/apis/concierge/config/v1alpha1/types_credentialissuer.go @@ -82,6 +82,12 @@ const ( // ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should // serve TLS. +// +// If CertificateAuthorityData is not provided, the Concierge impersonation proxy will check the secret +// for a field called "ca.crt", which will be used as the CertificateAuthorityData. +// +// If neither CertificateAuthorityData nor ca.crt is provided, no CA bundle will be advertised for +// the impersonation proxy endpoint. type ImpersonationProxyTLSSpec struct { // X.509 Certificate Authority (base64-encoded PEM bundle). // Used to advertise the CA bundle for the impersonation proxy endpoint. @@ -119,6 +125,8 @@ type ImpersonationProxySpec struct { // TLS contains information about how the Concierge impersonation proxy should serve TLS. // + // If this field is empty, the impersonation proxy will generate its own TLS certificate. + // // +optional TLS *ImpersonationProxyTLSSpec `json:"tls,omitempty"` } diff --git a/internal/controller/impersonatorconfig/impersonator_config.go b/internal/controller/impersonatorconfig/impersonator_config.go index e3978b47..401abf0f 100644 
--- a/internal/controller/impersonatorconfig/impersonator_config.go
+++ b/internal/controller/impersonatorconfig/impersonator_config.go
@@ -328,7 +328,8 @@ func (c *impersonatorConfigController) doSync(syncCtx controllerlib.Context, cre
 
 func (c *impersonatorConfigController) ensureCAAndTLSSecrets(
 	ctx context.Context,
-	nameInfo *certNameInfo) ([]byte, error) {
+	nameInfo *certNameInfo,
+) ([]byte, error) {
 	var (
 		impersonationCA *certauthority.CA
 		err             error
@@ -349,7 +350,8 @@ func (c *impersonatorConfigController) ensureCAAndTLSSecrets(
 
 func (c *impersonatorConfigController) evaluateExternallyProvidedTLSSecret(
 	ctx context.Context,
-	tlsSpec *v1alpha1.ImpersonationProxyTLSSpec) ([]byte, error) {
+	tlsSpec *v1alpha1.ImpersonationProxyTLSSpec,
+) ([]byte, error) {
 	if tlsSpec.SecretName == "" {
 		return nil, fmt.Errorf("must provide impersonationSpec.TLS.secretName if impersonationSpec.TLS is provided")
 	}
@@ -378,6 +380,11 @@ func (c *impersonatorConfigController) evaluateExternallyProvidedTLSSecret(
 		return nil, fmt.Errorf("could not decode impersonationSpec.TLS.certificateAuthorityData: %w", err)
 	}
 
+	block, _ := pem.Decode(caBundle)
+	if block == nil {
+		return nil, fmt.Errorf("could not decode impersonationSpec.TLS.certificateAuthorityData: data is not a certificate")
+	}
+
 	c.infoLog.Info("the impersonation proxy will advertise its CA Bundle from impersonationSpec.TLS.CertificateAuthorityData", "CertificateAuthorityData", caBundle)
 }
 
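Review bot: The new `pem.Decode` guard in the third hunk (`evaluateExternallyProvidedTLSSecret`) only verifies PEM framing, so any PEM block — a private key, a CSR — satisfies it and is then advertised as the CA bundle, while the error message claims "data is not a certificate". Checking the block type and that it parses would make the check match the message: `if block == nil || block.Type != "CERTIFICATE" { return nil, fmt.Errorf("could not decode impersonationSpec.TLS.certificateAuthorityData: data is not a certificate") }` followed by `if _, err := x509.ParseCertificate(block.Bytes); err != nil { return nil, fmt.Errorf("could not decode impersonationSpec.TLS.certificateAuthorityData: %w", err) }`; `x509.NewCertPool().AppendCertsFromPEM(caBundle)` returning false is an equivalent one-line rejection of bundles with no parseable certificate. Since the accepted bytes end up in the CredentialIssuer's advertised strategy (per the unit tests' `newSuccessStrategy` expectations), a framing-only check would publish whatever PEM content was placed in the field. The same framing-only check is repeated in `readExternalTLSSecret` at the next hunk. The enclosing function starts and ends outside this hunk.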
@@ -723,7 +730,27 @@ func (c *impersonatorConfigController) readExternalTLSSecret(externalTLSSecretNa
 		return nil, err
 	}
 
-	return secretFromInformer.Data[caCrtKey], nil
+	base64EncodedCaCert := secretFromInformer.Data[caCrtKey]
+
+	if len(base64EncodedCaCert) > 0 {
+		var decodedCaCert []byte
+		decodedCaCert, err = base64.StdEncoding.DecodeString(string(secretFromInformer.Data[caCrtKey]))
+		if err != nil {
+			err = fmt.Errorf("unable to read provided ca.crt: %w", err)
+			plog.Error("error loading cert from externally provided TLS secret for the impersonation proxy", err)
+			return nil, err
+		}
+
+		block, _ := pem.Decode(decodedCaCert)
+		if block == nil {
+			plog.Warning("error loading cert from externally provided TLS secret for the impersonation proxy: data is not a certificate")
+			return nil, fmt.Errorf("unable to read provided ca.crt: data is not a certificate")
+		}
+
+		return decodedCaCert, nil
+	}
+
+	return nil, nil
 }
 
 func (c *impersonatorConfigController) ensureTLSSecret(ctx context.Context, nameInfo *certNameInfo, ca *certauthority.CA) error {
diff --git a/internal/controller/impersonatorconfig/impersonator_config_test.go b/internal/controller/impersonatorconfig/impersonator_config_test.go
index 6a805f79..b25dadcf 100644
--- a/internal/controller/impersonatorconfig/impersonator_config_test.go
+++ b/internal/controller/impersonatorconfig/impersonator_config_test.go
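Review bot: The `ca.crt` value is now base64-decoded before the PEM check, but a Secret's `Data` map already holds the decoded bytes, so a `ca.crt` containing raw PEM — the usual layout of a `kubernetes.io/tls` Secret — will be rejected with "illegal base64 data"; the updated unit test accordingly stores `base64(PEM)` in `Data`, i.e. the value is base64-encoded twice on the wire. If that double encoding is intended, the new doc comment on `ImpersonationProxyTLSSpec` added in this commit should state it, since it only says the field "will be used as the CertificateAuthorityData"; if not, running `pem.Decode(base64EncodedCaCert)` on the raw bytes would accept the conventional layout. Two smaller points in the same hunk: the decode re-reads `secretFromInformer.Data[caCrtKey]` instead of the `base64EncodedCaCert` local assigned just above, and `var decodedCaCert []byte` plus assignment into the outer `err` can be `decodedCaCert, err := base64.StdEncoding.DecodeString(string(base64EncodedCaCert))`. The failure paths also log via `plog.Error`/`plog.Warning` and return the same error, which the caller wraps again (see the expected messages in the tests), so each failure is reported twice. `readExternalTLSSecret` starts outside this hunk.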
@@ -1278,11 +1278,85 @@ func TestImpersonatorConfigControllerSync(t *testing.T) { }) }) + when("the CertificateAuthorityData is configured with invalid data", func() { + it.Before(func() { + addNodeWithRoleToTracker("worker", kubeAPIClient) + }) + + when("CertificateAuthorityData is not base64 encoded", func() { + it.Before(func() { + addSecretToTrackers(mTLSClientCertCASecret, kubeInformerClient) + addSecretToTrackers(externalTLSSecret, kubeInformerClient) + addCredentialIssuerToTrackers(v1alpha1.CredentialIssuer{ + ObjectMeta: metav1.ObjectMeta{Name: credentialIssuerResourceName}, + Spec: v1alpha1.CredentialIssuerSpec{ + ImpersonationProxy: &v1alpha1.ImpersonationProxySpec{ + Mode: v1alpha1.ImpersonationProxyModeAuto, + ExternalEndpoint: localhostIP, + Service: v1alpha1.ImpersonationProxyServiceSpec{ + Type: v1alpha1.ImpersonationProxyServiceTypeNone, + }, + TLS: &v1alpha1.ImpersonationProxyTLSSpec{ + CertificateAuthorityData: string(externalCA.Bundle()), + SecretName: externallyProvidedTLSSecretName, + }, + }, + }, + }, pinnipedInformerClient, pinnipedAPIClient) + }) + + it("returns an error", func() { + startInformersAndController() + r.Error(runControllerSync(), "could not decode impersonationSpec.TLS.certificateAuthorityData: illegal base64 data at input byte 0") + r.Len(kubeAPIClient.Actions(), 1) + requireNodesListed(kubeAPIClient.Actions()[0]) + requireCredentialIssuer(newErrorStrategy("could not decode impersonationSpec.TLS.certificateAuthorityData: illegal base64 data at input byte 0")) + requireMTLSClientCertProviderHasLoadedCerts([]byte{}, []byte{}) + }) + }) + + when("CertificateAuthorityData is not a cert", func() { + it.Before(func() { + addSecretToTrackers(mTLSClientCertCASecret, kubeInformerClient) + addSecretToTrackers(externalTLSSecret, kubeInformerClient) + addCredentialIssuerToTrackers(v1alpha1.CredentialIssuer{ + ObjectMeta: metav1.ObjectMeta{Name: credentialIssuerResourceName}, + Spec: v1alpha1.CredentialIssuerSpec{ + ImpersonationProxy: 
&v1alpha1.ImpersonationProxySpec{ + Mode: v1alpha1.ImpersonationProxyModeAuto, + ExternalEndpoint: localhostIP, + Service: v1alpha1.ImpersonationProxyServiceSpec{ + Type: v1alpha1.ImpersonationProxyServiceTypeNone, + }, + TLS: &v1alpha1.ImpersonationProxyTLSSpec{ + CertificateAuthorityData: base64.StdEncoding.EncodeToString([]byte("hello")), + SecretName: externallyProvidedTLSSecretName, + }, + }, + }, + }, pinnipedInformerClient, pinnipedAPIClient) + }) + + it("returns an error", func() { + startInformersAndController() + r.Error(runControllerSync(), "could not decode impersonationSpec.TLS.certificateAuthorityData: data is not a certificate") + r.Len(kubeAPIClient.Actions(), 1) + requireNodesListed(kubeAPIClient.Actions()[0]) + requireCredentialIssuer(newErrorStrategy("could not decode impersonationSpec.TLS.certificateAuthorityData: data is not a certificate")) + requireMTLSClientCertProviderHasLoadedCerts([]byte{}, []byte{}) + }) + }) + }) + when("the CertificateAuthorityData is not configured", func() { + it.Before(func() { + addNodeWithRoleToTracker("worker", kubeAPIClient) + }) + when("the externally provided TLS secret has a ca.crt field", func() { it.Before(func() { addSecretToTrackers(mTLSClientCertCASecret, kubeInformerClient) - externalTLSSecret.Data["ca.crt"] = externalCA.Bundle() + externalTLSSecret.Data["ca.crt"] = []byte(base64.StdEncoding.EncodeToString(externalCA.Bundle())) addSecretToTrackers(externalTLSSecret, kubeInformerClient) addCredentialIssuerToTrackers(v1alpha1.CredentialIssuer{ ObjectMeta: metav1.ObjectMeta{Name: credentialIssuerResourceName}, @@ -1299,7 +1373,6 @@ func TestImpersonatorConfigControllerSync(t *testing.T) { }, }, }, pinnipedInformerClient, pinnipedAPIClient) - addNodeWithRoleToTracker("worker", kubeAPIClient) }) it("will advertise ca.crt from the externally provided secret", func() { 
@@ -1307,12 +1380,76 @@ func TestImpersonatorConfigControllerSync(t *testing.T) { r.NoError(runControllerSync()) r.Len(kubeAPIClient.Actions(), 1) requireNodesListed(kubeAPIClient.Actions()[0]) - requireTLSServerIsRunning(externalTLSSecret.Data["ca.crt"], testServerAddr(), nil) - requireCredentialIssuer(newSuccessStrategy(localhostIP, externalTLSSecret.Data["ca.crt"])) + requireTLSServerIsRunning(externalCA.Bundle(), testServerAddr(), nil) + requireCredentialIssuer(newSuccessStrategy(localhostIP, externalCA.Bundle())) requireMTLSClientCertProviderHasLoadedCerts(mTLSClientCertCACertPEM, mTLSClientCertCAPrivateKeyPEM) }) }) + when("the externally provided TLS secret has a ca.crt field that is not base64-encoded", func() { + it.Before(func() { + addSecretToTrackers(mTLSClientCertCASecret, kubeInformerClient) + externalTLSSecret.Data["ca.crt"] = []byte("hello") + addSecretToTrackers(externalTLSSecret, kubeInformerClient) + addCredentialIssuerToTrackers(v1alpha1.CredentialIssuer{ + ObjectMeta: metav1.ObjectMeta{Name: credentialIssuerResourceName}, + Spec: v1alpha1.CredentialIssuerSpec{ + ImpersonationProxy: &v1alpha1.ImpersonationProxySpec{ + Mode: v1alpha1.ImpersonationProxyModeAuto, + ExternalEndpoint: localhostIP, + Service: v1alpha1.ImpersonationProxyServiceSpec{ + Type: v1alpha1.ImpersonationProxyServiceTypeNone, + }, + TLS: &v1alpha1.ImpersonationProxyTLSSpec{ + SecretName: externallyProvidedTLSSecretName, + }, + }, + }, + }, pinnipedInformerClient, pinnipedAPIClient) + }) + + it("returns an error", func() { + startInformersAndController() + r.Error(runControllerSync(), "could not load the externally provided TLS secret for the impersonation proxy: unable to read provided ca.crt: illegal base64 data at input byte 4") + r.Len(kubeAPIClient.Actions(), 1) + requireNodesListed(kubeAPIClient.Actions()[0]) + requireCredentialIssuer(newErrorStrategy("could not load the externally provided TLS secret for the impersonation proxy: unable to read provided ca.crt: illegal 
base64 data at input byte 4")) + requireMTLSClientCertProviderHasLoadedCerts([]byte{}, []byte{}) + }) + }) + + when("the externally provided TLS secret has a ca.crt field that is not a valid cert", func() { + it.Before(func() { + addSecretToTrackers(mTLSClientCertCASecret, kubeInformerClient) + externalTLSSecret.Data["ca.crt"] = []byte(base64.StdEncoding.EncodeToString([]byte("hello"))) + addSecretToTrackers(externalTLSSecret, kubeInformerClient) + addCredentialIssuerToTrackers(v1alpha1.CredentialIssuer{ + ObjectMeta: metav1.ObjectMeta{Name: credentialIssuerResourceName}, + Spec: v1alpha1.CredentialIssuerSpec{ + ImpersonationProxy: &v1alpha1.ImpersonationProxySpec{ + Mode: v1alpha1.ImpersonationProxyModeAuto, + ExternalEndpoint: localhostIP, + Service: v1alpha1.ImpersonationProxyServiceSpec{ + Type: v1alpha1.ImpersonationProxyServiceTypeNone, + }, + TLS: &v1alpha1.ImpersonationProxyTLSSpec{ + SecretName: externallyProvidedTLSSecretName, + }, + }, + }, + }, pinnipedInformerClient, pinnipedAPIClient) + }) + + it("returns an error", func() { + startInformersAndController() + r.Error(runControllerSync(), "could not load the externally provided TLS secret for the impersonation proxy: unable to read provided ca.crt: data is not a certificate") + r.Len(kubeAPIClient.Actions(), 1) + requireNodesListed(kubeAPIClient.Actions()[0]) + requireCredentialIssuer(newErrorStrategy("could not load the externally provided TLS secret for the impersonation proxy: unable to read provided ca.crt: data is not a certificate")) + requireMTLSClientCertProviderHasLoadedCerts([]byte{}, []byte{}) + }) + }) + when("the externally provided TLS secret does not have a ca.crt field", func() { it.Before(func() { addSecretToTrackers(mTLSClientCertCASecret, kubeInformerClient) 
@@ -1332,7 +1469,6 @@ func TestImpersonatorConfigControllerSync(t *testing.T) { }, }, }, pinnipedInformerClient, pinnipedAPIClient) - addNodeWithRoleToTracker("worker", kubeAPIClient) }) it("will advertise an empty CA bundle", func() { diff --git a/test/integration/concierge_impersonation_proxy_test.go b/test/integration/concierge_impersonation_proxy_test.go index a456451c..42ed3c9c 100644 --- a/test/integration/concierge_impersonation_proxy_test.go +++ b/test/integration/concierge_impersonation_proxy_test.go 
@@ -1787,29 +1787,39 @@ func TestImpersonationProxy(t *testing.T) { //nolint:gocyclo // yeah, it's compl externallyProvidedTLSServingCertPEM, externallyProvidedTLSServingKeyPEM, err = externallyProvidedCA.IssueServerCertPEM([]string{proxyServiceEndpoint}, nil, 1*time.Hour) require.NoError(t, err) - externallyProvidedTLSServingCertSecretName := "external-tls-cert-secret-name" //nolint:gosec // this is not a credential - externallyProvidedTLSServingCertSecret := &corev1.Secret{ - ObjectMeta: metav1.ObjectMeta{ - Name: externallyProvidedTLSServingCertSecretName, - Namespace: env.ConciergeNamespace, - }, - Type: corev1.SecretTypeTLS, - Data: map[string][]byte{ - v1.TLSCertKey: externallyProvidedTLSServingCertPEM, - v1.TLSPrivateKeyKey: externallyProvidedTLSServingKeyPEM, - }, - } - - _, err = adminClient.CoreV1().Secrets(env.ConciergeNamespace).Create(ctx, externallyProvidedTLSServingCertSecret, metav1.CreateOptions{}) - require.NoError(t, err) - - t.Cleanup(func() { - err := adminClient.CoreV1().Secrets(env.ConciergeNamespace).Delete(ctx, externallyProvidedTLSServingCertSecretName, metav1.DeleteOptions{}) - require.NoError(t, err) - }) + externallyProvidedTLSServingCertSecret := testlib.CreateTestSecret( + t, + env.ConciergeNamespace, + "external-tls-cert-secret-name", + corev1.SecretTypeTLS, + map[string]string{ + v1.TLSCertKey: string(externallyProvidedTLSServingCertPEM), + v1.TLSPrivateKeyKey: string(externallyProvidedTLSServingKeyPEM), + }) _, originalInternallyGeneratedCAPEM := performImpersonatorDiscoveryURL(ctx, t, env, adminConciergeClient) + t.Cleanup(func() { + // Remove the TLS block from the CredentialIssuer, which should revert the ImpersonationProxy to using an + // internally generated TLS serving cert derived from the original CA. 
+ updateCredentialIssuer(ctx, t, env, adminConciergeClient, conciergev1alpha.CredentialIssuerSpec{ + ImpersonationProxy: &conciergev1alpha.ImpersonationProxySpec{ + Mode: conciergev1alpha.ImpersonationProxyModeEnabled, + ExternalEndpoint: proxyServiceEndpoint, + Service: conciergev1alpha.ImpersonationProxyServiceSpec{ + Type: conciergev1alpha.ImpersonationProxyServiceTypeClusterIP, + }, + }, + }) + + // Wait for the CredentialIssuer's impersonation proxy frontend strategy to be updated to the original CA bundle + testlib.RequireEventuallyWithoutError(t, func() (bool, error) { + _, impersonationProxyCACertPEM = performImpersonatorDiscoveryURL(ctx, t, env, adminConciergeClient) + + return bytes.Equal(impersonationProxyCACertPEM, originalInternallyGeneratedCAPEM), nil + }, 2*time.Minute, 500*time.Millisecond) + }) + updateCredentialIssuer(ctx, t, env, adminConciergeClient, conciergev1alpha.CredentialIssuerSpec{ ImpersonationProxy: &conciergev1alpha.ImpersonationProxySpec{ Mode: conciergev1alpha.ImpersonationProxyModeEnabled, @@ -1819,7 +1829,7 @@ func TestImpersonationProxy(t *testing.T) { //nolint:gocyclo // yeah, it's compl }, TLS: &conciergev1alpha.ImpersonationProxyTLSSpec{ CertificateAuthorityData: base64.StdEncoding.EncodeToString(externallyProvidedCA.Bundle()), - SecretName: externallyProvidedTLSServingCertSecretName, + SecretName: externallyProvidedTLSServingCertSecret.Name, }, }, }) 
@@ -1835,25 +1845,6 @@ func TestImpersonationProxy(t *testing.T) { //nolint:gocyclo // yeah, it's compl _, newImpersonationProxyCACertPEM := performImpersonatorDiscovery(ctx, t, env, adminClient, adminConciergeClient, refreshCredential) return bytes.Equal(newImpersonationProxyCACertPEM, externallyProvidedCA.Bundle()), err }, 2*time.Minute, 500*time.Millisecond) - - // Remove the TLS block from the CredentialIssuer, which should revert the ImpersonationProxy to using an - // internally generated TLS serving cert derived from the original CA. - updateCredentialIssuer(ctx, t, env, adminConciergeClient, conciergev1alpha.CredentialIssuerSpec{ - ImpersonationProxy: &conciergev1alpha.ImpersonationProxySpec{ - Mode: conciergev1alpha.ImpersonationProxyModeEnabled, - ExternalEndpoint: proxyServiceEndpoint, - Service: conciergev1alpha.ImpersonationProxyServiceSpec{ - Type: conciergev1alpha.ImpersonationProxyServiceTypeClusterIP, - }, - }, - }) - - // Wait for the CredentialIssuer's impersonation proxy frontend strategy to be updated to the original CA bundle - testlib.RequireEventuallyWithoutError(t, func() (bool, error) { - _, impersonationProxyCACertPEM = performImpersonatorDiscoveryURL(ctx, t, env, adminConciergeClient) - - return bytes.Equal(impersonationProxyCACertPEM, originalInternallyGeneratedCAPEM), nil - }, 2*time.Minute, 500*time.Millisecond) }) t.Run("manually disabling the impersonation proxy feature", func(t *testing.T) {