From cd47ba53c2ceebbec183a756b913546f1b308f9a Mon Sep 17 00:00:00 2001 From: Margo Crawford Date: Fri, 3 Jun 2022 16:22:15 -0700 Subject: [PATCH 02/61] Add CRD for OIDCClient 
Signed-off-by: Margo Crawford --- apis/supervisor/oauth/v1alpha1/doc.go.tmpl | 10 + .../oauth/v1alpha1/register.go.tmpl | 43 +++++ .../oauth/v1alpha1/types_oidcclient.go.tmpl | 84 ++++++++ ...h.supervisor.pinniped.dev_oidcclients.yaml | 121 ++++++++++++ generated/1.17/README.adoc | 54 ++++++ .../apis/supervisor/oauth/v1alpha1/doc.go | 10 + .../supervisor/oauth/v1alpha1/register.go | 43 +++++ .../oauth/v1alpha1/types_oidcclient.go | 84 ++++++++ .../oauth/v1alpha1/zz_generated.deepcopy.go | 121 ++++++++++++ .../clientset/versioned/clientset.go | 14 ++ .../versioned/fake/clientset_generated.go | 7 + .../clientset/versioned/fake/register.go | 2 + .../clientset/versioned/scheme/register.go | 2 + .../versioned/typed/oauth/v1alpha1/doc.go | 7 + .../typed/oauth/v1alpha1/fake/doc.go | 7 + .../oauth/v1alpha1/fake/fake_oauth_client.go | 27 +++ .../oauth/v1alpha1/fake/fake_oidcclient.go | 127 ++++++++++++ .../oauth/v1alpha1/generated_expansion.go | 8 + .../typed/oauth/v1alpha1/oauth_client.go | 76 ++++++++ .../typed/oauth/v1alpha1/oidcclient.go | 178 +++++++++++++++++ .../informers/externalversions/factory.go | 6 + .../informers/externalversions/generic.go | 5 + .../externalversions/oauth/interface.go | 33 ++++ .../oauth/v1alpha1/interface.go | 32 +++ .../oauth/v1alpha1/oidcclient.go | 76 ++++++++ .../oauth/v1alpha1/expansion_generated.go | 14 ++ .../listers/oauth/v1alpha1/oidcclient.go | 81 ++++++++ ...h.supervisor.pinniped.dev_oidcclients.yaml | 121 ++++++++++++ generated/1.18/README.adoc | 54 ++++++ .../apis/supervisor/oauth/v1alpha1/doc.go | 10 + .../supervisor/oauth/v1alpha1/register.go | 43 +++++ .../oauth/v1alpha1/types_oidcclient.go | 84 ++++++++ .../oauth/v1alpha1/zz_generated.deepcopy.go | 121 ++++++++++++ .../clientset/versioned/clientset.go | 14 ++ .../versioned/fake/clientset_generated.go | 7 + .../clientset/versioned/fake/register.go | 2 + .../clientset/versioned/scheme/register.go | 2 + .../versioned/typed/oauth/v1alpha1/doc.go | 7 + 
.../typed/oauth/v1alpha1/fake/doc.go | 7 + .../oauth/v1alpha1/fake/fake_oauth_client.go | 27 +++ .../oauth/v1alpha1/fake/fake_oidcclient.go | 129 +++++++++++++ .../oauth/v1alpha1/generated_expansion.go | 8 + .../typed/oauth/v1alpha1/oauth_client.go | 76 ++++++++ .../typed/oauth/v1alpha1/oidcclient.go | 182 ++++++++++++++++++ .../informers/externalversions/factory.go | 6 + .../informers/externalversions/generic.go | 5 + .../externalversions/oauth/interface.go | 33 ++++ .../oauth/v1alpha1/interface.go | 32 +++ .../oauth/v1alpha1/oidcclient.go | 77 ++++++++ .../oauth/v1alpha1/expansion_generated.go | 14 ++ .../listers/oauth/v1alpha1/oidcclient.go | 81 ++++++++ ...h.supervisor.pinniped.dev_oidcclients.yaml | 121 ++++++++++++ generated/1.19/README.adoc | 54 ++++++ .../apis/supervisor/oauth/v1alpha1/doc.go | 10 + .../supervisor/oauth/v1alpha1/register.go | 43 +++++ .../oauth/v1alpha1/types_oidcclient.go | 84 ++++++++ .../oauth/v1alpha1/zz_generated.deepcopy.go | 121 ++++++++++++ .../clientset/versioned/clientset.go | 14 ++ .../versioned/fake/clientset_generated.go | 7 + .../clientset/versioned/fake/register.go | 2 + .../clientset/versioned/scheme/register.go | 2 + .../versioned/typed/oauth/v1alpha1/doc.go | 7 + .../typed/oauth/v1alpha1/fake/doc.go | 7 + .../oauth/v1alpha1/fake/fake_oauth_client.go | 27 +++ .../oauth/v1alpha1/fake/fake_oidcclient.go | 129 +++++++++++++ .../oauth/v1alpha1/generated_expansion.go | 8 + .../typed/oauth/v1alpha1/oauth_client.go | 76 ++++++++ .../typed/oauth/v1alpha1/oidcclient.go | 182 ++++++++++++++++++ .../informers/externalversions/factory.go | 6 + .../informers/externalversions/generic.go | 5 + .../externalversions/oauth/interface.go | 33 ++++ .../oauth/v1alpha1/interface.go | 32 +++ .../oauth/v1alpha1/oidcclient.go | 77 ++++++++ .../oauth/v1alpha1/expansion_generated.go | 14 ++ .../listers/oauth/v1alpha1/oidcclient.go | 86 +++++++++ ...h.supervisor.pinniped.dev_oidcclients.yaml | 121 ++++++++++++ generated/1.20/README.adoc | 54 ++++++ 
.../apis/supervisor/oauth/v1alpha1/doc.go | 10 + .../supervisor/oauth/v1alpha1/register.go | 43 +++++ .../oauth/v1alpha1/types_oidcclient.go | 84 ++++++++ .../oauth/v1alpha1/zz_generated.deepcopy.go | 121 ++++++++++++ .../clientset/versioned/clientset.go | 14 ++ .../versioned/fake/clientset_generated.go | 7 + .../clientset/versioned/fake/register.go | 2 + .../clientset/versioned/scheme/register.go | 2 + .../versioned/typed/oauth/v1alpha1/doc.go | 7 + .../typed/oauth/v1alpha1/fake/doc.go | 7 + .../oauth/v1alpha1/fake/fake_oauth_client.go | 27 +++ .../oauth/v1alpha1/fake/fake_oidcclient.go | 129 +++++++++++++ .../oauth/v1alpha1/generated_expansion.go | 8 + .../typed/oauth/v1alpha1/oauth_client.go | 76 ++++++++ .../typed/oauth/v1alpha1/oidcclient.go | 182 ++++++++++++++++++ .../informers/externalversions/factory.go | 6 + .../informers/externalversions/generic.go | 5 + .../externalversions/oauth/interface.go | 33 ++++ .../oauth/v1alpha1/interface.go | 32 +++ .../oauth/v1alpha1/oidcclient.go | 77 ++++++++ .../oauth/v1alpha1/expansion_generated.go | 14 ++ .../listers/oauth/v1alpha1/oidcclient.go | 86 +++++++++ ...h.supervisor.pinniped.dev_oidcclients.yaml | 121 ++++++++++++ generated/1.21/README.adoc | 54 ++++++ .../apis/supervisor/oauth/v1alpha1/doc.go | 10 + .../supervisor/oauth/v1alpha1/register.go | 43 +++++ .../oauth/v1alpha1/types_oidcclient.go | 84 ++++++++ .../oauth/v1alpha1/zz_generated.deepcopy.go | 121 ++++++++++++ .../clientset/versioned/clientset.go | 14 ++ .../versioned/fake/clientset_generated.go | 7 + .../clientset/versioned/fake/register.go | 2 + .../clientset/versioned/scheme/register.go | 2 + .../versioned/typed/oauth/v1alpha1/doc.go | 7 + .../typed/oauth/v1alpha1/fake/doc.go | 7 + .../oauth/v1alpha1/fake/fake_oauth_client.go | 27 +++ .../oauth/v1alpha1/fake/fake_oidcclient.go | 129 +++++++++++++ .../oauth/v1alpha1/generated_expansion.go | 8 + .../typed/oauth/v1alpha1/oauth_client.go | 76 ++++++++ .../typed/oauth/v1alpha1/oidcclient.go | 182 
++++++++++++++++++ .../informers/externalversions/factory.go | 6 + .../informers/externalversions/generic.go | 5 + .../externalversions/oauth/interface.go | 33 ++++ .../oauth/v1alpha1/interface.go | 32 +++ .../oauth/v1alpha1/oidcclient.go | 77 ++++++++ .../oauth/v1alpha1/expansion_generated.go | 14 ++ .../listers/oauth/v1alpha1/oidcclient.go | 86 +++++++++ ...h.supervisor.pinniped.dev_oidcclients.yaml | 121 ++++++++++++ generated/1.22/README.adoc | 54 ++++++ .../apis/supervisor/oauth/v1alpha1/doc.go | 10 + .../supervisor/oauth/v1alpha1/register.go | 43 +++++ .../oauth/v1alpha1/types_oidcclient.go | 84 ++++++++ .../oauth/v1alpha1/zz_generated.deepcopy.go | 121 ++++++++++++ .../clientset/versioned/clientset.go | 14 ++ .../versioned/fake/clientset_generated.go | 7 + .../clientset/versioned/fake/register.go | 2 + .../clientset/versioned/scheme/register.go | 2 + .../versioned/typed/oauth/v1alpha1/doc.go | 7 + .../typed/oauth/v1alpha1/fake/doc.go | 7 + .../oauth/v1alpha1/fake/fake_oauth_client.go | 27 +++ .../oauth/v1alpha1/fake/fake_oidcclient.go | 129 +++++++++++++ .../oauth/v1alpha1/generated_expansion.go | 8 + .../typed/oauth/v1alpha1/oauth_client.go | 76 ++++++++ .../typed/oauth/v1alpha1/oidcclient.go | 182 ++++++++++++++++++ .../informers/externalversions/factory.go | 6 + .../informers/externalversions/generic.go | 5 + .../externalversions/oauth/interface.go | 33 ++++ .../oauth/v1alpha1/interface.go | 32 +++ .../oauth/v1alpha1/oidcclient.go | 77 ++++++++ .../oauth/v1alpha1/expansion_generated.go | 14 ++ .../listers/oauth/v1alpha1/oidcclient.go | 86 +++++++++ ...h.supervisor.pinniped.dev_oidcclients.yaml | 121 ++++++++++++ generated/1.23/README.adoc | 54 ++++++ .../apis/supervisor/oauth/v1alpha1/doc.go | 10 + .../supervisor/oauth/v1alpha1/register.go | 43 +++++ .../oauth/v1alpha1/types_oidcclient.go | 84 ++++++++ .../oauth/v1alpha1/zz_generated.deepcopy.go | 121 ++++++++++++ .../clientset/versioned/clientset.go | 13 ++ .../versioned/fake/clientset_generated.go | 7 + 
.../clientset/versioned/fake/register.go | 2 + .../clientset/versioned/scheme/register.go | 2 + .../versioned/typed/oauth/v1alpha1/doc.go | 7 + .../typed/oauth/v1alpha1/fake/doc.go | 7 + .../oauth/v1alpha1/fake/fake_oauth_client.go | 27 +++ .../oauth/v1alpha1/fake/fake_oidcclient.go | 129 +++++++++++++ .../oauth/v1alpha1/generated_expansion.go | 8 + .../typed/oauth/v1alpha1/oauth_client.go | 94 +++++++++ .../typed/oauth/v1alpha1/oidcclient.go | 182 ++++++++++++++++++ .../informers/externalversions/factory.go | 6 + .../informers/externalversions/generic.go | 5 + .../externalversions/oauth/interface.go | 33 ++++ .../oauth/v1alpha1/interface.go | 32 +++ .../oauth/v1alpha1/oidcclient.go | 77 ++++++++ .../oauth/v1alpha1/expansion_generated.go | 14 ++ .../listers/oauth/v1alpha1/oidcclient.go | 86 +++++++++ ...h.supervisor.pinniped.dev_oidcclients.yaml | 121 ++++++++++++ .../apis/supervisor/oauth/v1alpha1/doc.go | 10 + .../supervisor/oauth/v1alpha1/register.go | 43 +++++ .../oauth/v1alpha1/types_oidcclient.go | 84 ++++++++ .../oauth/v1alpha1/zz_generated.deepcopy.go | 121 ++++++++++++ .../clientset/versioned/clientset.go | 13 ++ .../versioned/fake/clientset_generated.go | 7 + .../clientset/versioned/fake/register.go | 2 + .../clientset/versioned/scheme/register.go | 2 + .../versioned/typed/oauth/v1alpha1/doc.go | 7 + .../typed/oauth/v1alpha1/fake/doc.go | 7 + .../oauth/v1alpha1/fake/fake_oauth_client.go | 27 +++ .../oauth/v1alpha1/fake/fake_oidcclient.go | 129 +++++++++++++ .../oauth/v1alpha1/generated_expansion.go | 8 + .../typed/oauth/v1alpha1/oauth_client.go | 94 +++++++++ .../typed/oauth/v1alpha1/oidcclient.go | 182 ++++++++++++++++++ .../informers/externalversions/factory.go | 6 + .../informers/externalversions/generic.go | 5 + .../externalversions/oauth/interface.go | 33 ++++ .../oauth/v1alpha1/interface.go | 32 +++ .../oauth/v1alpha1/oidcclient.go | 77 ++++++++ .../oauth/v1alpha1/expansion_generated.go | 14 ++ .../listers/oauth/v1alpha1/oidcclient.go | 86 +++++++++ 
hack/lib/update-codegen.sh | 5 +- 195 files changed, 9279 insertions(+), 2 deletions(-) create mode 100644 apis/supervisor/oauth/v1alpha1/doc.go.tmpl create mode 100644 apis/supervisor/oauth/v1alpha1/register.go.tmpl create mode 100644 apis/supervisor/oauth/v1alpha1/types_oidcclient.go.tmpl create mode 100644 deploy/supervisor/oauth.supervisor.pinniped.dev_oidcclients.yaml create mode 100644 generated/1.17/apis/supervisor/oauth/v1alpha1/doc.go create mode 100644 generated/1.17/apis/supervisor/oauth/v1alpha1/register.go create mode 100644 generated/1.17/apis/supervisor/oauth/v1alpha1/types_oidcclient.go create mode 100644 generated/1.17/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go create mode 100644 generated/1.17/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/doc.go create mode 100644 generated/1.17/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go create mode 100644 generated/1.17/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go create mode 100644 generated/1.17/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oidcclient.go create mode 100644 generated/1.17/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go create mode 100644 generated/1.17/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go create mode 100644 generated/1.17/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oidcclient.go create mode 100644 generated/1.17/client/supervisor/informers/externalversions/oauth/interface.go create mode 100644 generated/1.17/client/supervisor/informers/externalversions/oauth/v1alpha1/interface.go create mode 100644 generated/1.17/client/supervisor/informers/externalversions/oauth/v1alpha1/oidcclient.go create mode 100644 generated/1.17/client/supervisor/listers/oauth/v1alpha1/expansion_generated.go create mode 100644 generated/1.17/client/supervisor/listers/oauth/v1alpha1/oidcclient.go create mode 100644 
generated/1.17/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml create mode 100644 generated/1.18/apis/supervisor/oauth/v1alpha1/doc.go create mode 100644 generated/1.18/apis/supervisor/oauth/v1alpha1/register.go create mode 100644 generated/1.18/apis/supervisor/oauth/v1alpha1/types_oidcclient.go create mode 100644 generated/1.18/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go create mode 100644 generated/1.18/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/doc.go create mode 100644 generated/1.18/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go create mode 100644 generated/1.18/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go create mode 100644 generated/1.18/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oidcclient.go create mode 100644 generated/1.18/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go create mode 100644 generated/1.18/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go create mode 100644 generated/1.18/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oidcclient.go create mode 100644 generated/1.18/client/supervisor/informers/externalversions/oauth/interface.go create mode 100644 generated/1.18/client/supervisor/informers/externalversions/oauth/v1alpha1/interface.go create mode 100644 generated/1.18/client/supervisor/informers/externalversions/oauth/v1alpha1/oidcclient.go create mode 100644 generated/1.18/client/supervisor/listers/oauth/v1alpha1/expansion_generated.go create mode 100644 generated/1.18/client/supervisor/listers/oauth/v1alpha1/oidcclient.go create mode 100644 generated/1.18/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml create mode 100644 generated/1.19/apis/supervisor/oauth/v1alpha1/doc.go create mode 100644 generated/1.19/apis/supervisor/oauth/v1alpha1/register.go create mode 100644 generated/1.19/apis/supervisor/oauth/v1alpha1/types_oidcclient.go create mode 
100644 generated/1.19/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go create mode 100644 generated/1.19/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/doc.go create mode 100644 generated/1.19/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go create mode 100644 generated/1.19/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go create mode 100644 generated/1.19/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oidcclient.go create mode 100644 generated/1.19/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go create mode 100644 generated/1.19/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go create mode 100644 generated/1.19/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oidcclient.go create mode 100644 generated/1.19/client/supervisor/informers/externalversions/oauth/interface.go create mode 100644 generated/1.19/client/supervisor/informers/externalversions/oauth/v1alpha1/interface.go create mode 100644 generated/1.19/client/supervisor/informers/externalversions/oauth/v1alpha1/oidcclient.go create mode 100644 generated/1.19/client/supervisor/listers/oauth/v1alpha1/expansion_generated.go create mode 100644 generated/1.19/client/supervisor/listers/oauth/v1alpha1/oidcclient.go create mode 100644 generated/1.19/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml create mode 100644 generated/1.20/apis/supervisor/oauth/v1alpha1/doc.go create mode 100644 generated/1.20/apis/supervisor/oauth/v1alpha1/register.go create mode 100644 generated/1.20/apis/supervisor/oauth/v1alpha1/types_oidcclient.go create mode 100644 generated/1.20/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go create mode 100644 generated/1.20/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/doc.go create mode 100644 generated/1.20/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go create mode 100644 
generated/1.20/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go create mode 100644 generated/1.20/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oidcclient.go create mode 100644 generated/1.20/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go create mode 100644 generated/1.20/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go create mode 100644 generated/1.20/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oidcclient.go create mode 100644 generated/1.20/client/supervisor/informers/externalversions/oauth/interface.go create mode 100644 generated/1.20/client/supervisor/informers/externalversions/oauth/v1alpha1/interface.go create mode 100644 generated/1.20/client/supervisor/informers/externalversions/oauth/v1alpha1/oidcclient.go create mode 100644 generated/1.20/client/supervisor/listers/oauth/v1alpha1/expansion_generated.go create mode 100644 generated/1.20/client/supervisor/listers/oauth/v1alpha1/oidcclient.go create mode 100644 generated/1.20/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml create mode 100644 generated/1.21/apis/supervisor/oauth/v1alpha1/doc.go create mode 100644 generated/1.21/apis/supervisor/oauth/v1alpha1/register.go create mode 100644 generated/1.21/apis/supervisor/oauth/v1alpha1/types_oidcclient.go create mode 100644 generated/1.21/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go create mode 100644 generated/1.21/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/doc.go create mode 100644 generated/1.21/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go create mode 100644 generated/1.21/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go create mode 100644 generated/1.21/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oidcclient.go create mode 100644 
generated/1.21/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go create mode 100644 generated/1.21/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go create mode 100644 generated/1.21/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oidcclient.go create mode 100644 generated/1.21/client/supervisor/informers/externalversions/oauth/interface.go create mode 100644 generated/1.21/client/supervisor/informers/externalversions/oauth/v1alpha1/interface.go create mode 100644 generated/1.21/client/supervisor/informers/externalversions/oauth/v1alpha1/oidcclient.go create mode 100644 generated/1.21/client/supervisor/listers/oauth/v1alpha1/expansion_generated.go create mode 100644 generated/1.21/client/supervisor/listers/oauth/v1alpha1/oidcclient.go create mode 100644 generated/1.21/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml create mode 100644 generated/1.22/apis/supervisor/oauth/v1alpha1/doc.go create mode 100644 generated/1.22/apis/supervisor/oauth/v1alpha1/register.go create mode 100644 generated/1.22/apis/supervisor/oauth/v1alpha1/types_oidcclient.go create mode 100644 generated/1.22/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go create mode 100644 generated/1.22/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/doc.go create mode 100644 generated/1.22/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go create mode 100644 generated/1.22/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go create mode 100644 generated/1.22/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oidcclient.go create mode 100644 generated/1.22/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go create mode 100644 generated/1.22/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go create mode 100644 generated/1.22/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oidcclient.go 
create mode 100644 generated/1.22/client/supervisor/informers/externalversions/oauth/interface.go create mode 100644 generated/1.22/client/supervisor/informers/externalversions/oauth/v1alpha1/interface.go create mode 100644 generated/1.22/client/supervisor/informers/externalversions/oauth/v1alpha1/oidcclient.go create mode 100644 generated/1.22/client/supervisor/listers/oauth/v1alpha1/expansion_generated.go create mode 100644 generated/1.22/client/supervisor/listers/oauth/v1alpha1/oidcclient.go create mode 100644 generated/1.22/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml create mode 100644 generated/1.23/apis/supervisor/oauth/v1alpha1/doc.go create mode 100644 generated/1.23/apis/supervisor/oauth/v1alpha1/register.go create mode 100644 generated/1.23/apis/supervisor/oauth/v1alpha1/types_oidcclient.go create mode 100644 generated/1.23/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go create mode 100644 generated/1.23/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/doc.go create mode 100644 generated/1.23/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go create mode 100644 generated/1.23/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go create mode 100644 generated/1.23/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oidcclient.go create mode 100644 generated/1.23/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go create mode 100644 generated/1.23/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go create mode 100644 generated/1.23/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oidcclient.go create mode 100644 generated/1.23/client/supervisor/informers/externalversions/oauth/interface.go create mode 100644 generated/1.23/client/supervisor/informers/externalversions/oauth/v1alpha1/interface.go create mode 100644 generated/1.23/client/supervisor/informers/externalversions/oauth/v1alpha1/oidcclient.go 
create mode 100644 generated/1.23/client/supervisor/listers/oauth/v1alpha1/expansion_generated.go create mode 100644 generated/1.23/client/supervisor/listers/oauth/v1alpha1/oidcclient.go create mode 100644 generated/1.23/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml create mode 100644 generated/latest/apis/supervisor/oauth/v1alpha1/doc.go create mode 100644 generated/latest/apis/supervisor/oauth/v1alpha1/register.go create mode 100644 generated/latest/apis/supervisor/oauth/v1alpha1/types_oidcclient.go create mode 100644 generated/latest/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go create mode 100644 generated/latest/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/doc.go create mode 100644 generated/latest/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go create mode 100644 generated/latest/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go create mode 100644 generated/latest/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oidcclient.go create mode 100644 generated/latest/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go create mode 100644 generated/latest/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go create mode 100644 generated/latest/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oidcclient.go create mode 100644 generated/latest/client/supervisor/informers/externalversions/oauth/interface.go create mode 100644 generated/latest/client/supervisor/informers/externalversions/oauth/v1alpha1/interface.go create mode 100644 generated/latest/client/supervisor/informers/externalversions/oauth/v1alpha1/oidcclient.go create mode 100644 generated/latest/client/supervisor/listers/oauth/v1alpha1/expansion_generated.go create mode 100644 generated/latest/client/supervisor/listers/oauth/v1alpha1/oidcclient.go 
diff --git a/apis/supervisor/oauth/v1alpha1/doc.go.tmpl b/apis/supervisor/oauth/v1alpha1/doc.go.tmpl
new file mode 100644
index 00000000..75580481
--- /dev/null
+++ b/apis/supervisor/oauth/v1alpha1/doc.go.tmpl
@@ -0,0 +1,10 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// +k8s:openapi-gen=true
+// +k8s:deepcopy-gen=package
+// +k8s:defaulter-gen=TypeMeta
+// +groupName=oauth.supervisor.pinniped.dev
+
+// Package v1alpha1 is the v1alpha1 version of the Pinniped supervisor oauth API.
+package v1alpha1
diff --git a/apis/supervisor/oauth/v1alpha1/register.go.tmpl b/apis/supervisor/oauth/v1alpha1/register.go.tmpl
new file mode 100644
index 00000000..37ae1fbf
--- /dev/null
+++ b/apis/supervisor/oauth/v1alpha1/register.go.tmpl
@@ -0,0 +1,43 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import (
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/apimachinery/pkg/runtime"
+ "k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+const GroupName = "oauth.supervisor.pinniped.dev"
+
+// SchemeGroupVersion is group version used to register these objects.
+var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha1"}
+
+var (
+ SchemeBuilder runtime.SchemeBuilder
+ localSchemeBuilder = &SchemeBuilder
+ AddToScheme = localSchemeBuilder.AddToScheme
+)
+
+func init() {
+ // We only register manually written functions here. The registration of the
+ // generated functions takes place in the generated files. The separation
+ // makes the code compile even when the generated files are missing.
+ localSchemeBuilder.Register(addKnownTypes)
+}
+
+// Adds the list of known types to the given scheme.
+func addKnownTypes(scheme *runtime.Scheme) error {
+ scheme.AddKnownTypes(SchemeGroupVersion,
+ &OIDCClient{},
+ &OIDCClientList{},
+ )
+ metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
+ return nil
+}
+
+// Resource takes an unqualified resource and returns a Group qualified GroupResource.
+func Resource(resource string) schema.GroupResource {
+ return SchemeGroupVersion.WithResource(resource).GroupResource()
+}
diff --git a/apis/supervisor/oauth/v1alpha1/types_oidcclient.go.tmpl b/apis/supervisor/oauth/v1alpha1/types_oidcclient.go.tmpl
new file mode 100644
index 00000000..ee125443
--- /dev/null
+++ b/apis/supervisor/oauth/v1alpha1/types_oidcclient.go.tmpl
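Review bot: `GroupName` is exported without a doc comment, while the neighbouring `SchemeGroupVersion` and `Resource` have one; add `// GroupName is the API group served by the resources in this package.` above the `const`. The comment on `addKnownTypes`, `// Adds the list of known types to the given scheme.`, does not start with the function name as Go doc convention expects; `// addKnownTypes adds the list of known types to the given scheme.` reads correctly in godoc. Both points presumably apply to every generated copy of register.go listed in the diffstat, since those appear to be produced from this template.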
@@ -0,0 +1,84 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import (
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// OIDCClientSpec is a struct that describes an OIDC Client.
+type OIDCClientSpec struct {
+ // allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this
+ // client. Any other uris will be rejected.
+ // Must be https, unless it is a loopback.
+ // +kubebuilder:validation:UniqueItems=true
+ // +kubebuilder:validation:MinItems=1
+ AllowedRedirectURIs []string `json:"allowedRedirectURIs"`
+
+ // allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this
+ // client.
+ //
+ // Must only contain the following values:
+ // - authorization_code: allows the client to perform the authorization code grant flow, i.e. allows the webapp to
+ // authenticate users. This grant must always be listed.
+ // - refresh_token: allows the client to perform refresh grants for the user to extend the user's session.
+ // This grant must be listed if allowedScopes lists offline_access.
+ // - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange,
+ // which is a step in the process to be able to get a cluster credential for the user.
+ // This grant must be listed if allowedScopes lists pinniped:request-audience.
+ // +kubebuilder:validation:UniqueItems=true
+ // +kubebuilder:validation:MinItems=1
+ AllowedGrantTypes []string `json:"allowedGrantTypes"`
+
+ // allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client.
+ //
+ // Must only contain the following values:
+ // - openid: The client is allowed to request ID tokens. ID tokens only include the required claims by default (iss, sub, aud, exp, iat).
+ // This scope must always be listed.
+ // - offline_access: The client is allowed to request an initial refresh token during the authorization code grant flow.
+ // This scope must be listed if allowedGrantTypes lists refresh_token.
+ // - pinniped:request-audience: The client is allowed to request a new audience value during a RFC8693 token exchange,
+ // which is a step in the process to be able to get a cluster credential for the user.
+ // openid, username and groups scopes must be listed when this scope is present.
+ // This scope must be listed if allowedGrantTypes lists urn:ietf:params:oauth:grant-type:token-exchange.
+ // - username: The client is allowed to request that ID tokens contain the user's username.
+ // Without the username scope being requested and allowed, the ID token will not contain the user's username.
+ // - groups: The client is allowed to request that ID tokens contain the user's group membership,
+ // if their group membership is discoverable by the Supervisor.
+ // Without the groups scope being requested and allowed, the ID token will not contain groups.
+ // +kubebuilder:validation:UniqueItems=true
+ // +kubebuilder:validation:MinItems=1
+ AllowedScopes []string `json:"allowedScopes"`
+}
+
+// OIDCClientStatus is a struct that describes the actual state of an OIDC Client.
+type OIDCClientStatus struct {
+}
+
+// OIDCClient describes the configuration of an OIDC client.
+// +genclient
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+// +kubebuilder:resource:categories=pinniped
+// +kubebuilder:printcolumn:name="Privileged",type=boolean,JSONPath=`{range .spec.allowedScopes[?(@ == "pinniped:request-audience")]}{true}{end}{false}`
+// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
+// +kubebuilder:subresource:status
+type OIDCClient struct {
+ metav1.TypeMeta `json:",inline"`
+ metav1.ObjectMeta `json:"metadata,omitempty"`
+
+ // Spec of the OIDC provider.
+ Spec OIDCClientSpec `json:"spec"`
+
+ // Status of the OIDC provider.
+ Status OIDCClientStatus `json:"status,omitempty"`
+}
+
+// List of OIDCClient objects.
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+type OIDCClientList struct {
+ metav1.TypeMeta `json:",inline"`
+ metav1.ListMeta `json:"metadata,omitempty"`
+
+ Items []OIDCClient `json:"items"`
+}
diff --git a/deploy/supervisor/oauth.supervisor.pinniped.dev_oidcclients.yaml b/deploy/supervisor/oauth.supervisor.pinniped.dev_oidcclients.yaml
new file mode 100644
index 00000000..0b4ee157
--- /dev/null
+++ b/deploy/supervisor/oauth.supervisor.pinniped.dev_oidcclients.yaml
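Review bot: The spec comments promise constraints that the schema markers do not enforce — `AllowedGrantTypes` and `AllowedScopes` say "Must only contain the following values" but carry only `UniqueItems`/`MinItems`, and `AllowedRedirectURIs` says "Must be https, unless it is a loopback" with no pattern at all, so the API server will persist an OIDCClient with arbitrary grant types, scopes or `http://` redirect URIs and nothing in this commit rejects it. The fixed-value lists can be enforced at admission by moving the values onto typed strings with an Enum marker (sketch below; the exact quoting of the `urn:` value should be confirmed against controller-gen v0.8.0, which the generated CRD names). The https/loopback rule and the cross-field rules (for example "refresh_token must be listed if allowedScopes lists offline_access") cannot be expressed in this schema, so they need a controller-side check that reports into `OIDCClientStatus`, which is currently an empty struct with no `Conditions` even though `+kubebuilder:subresource:status` is set. Separately, the field comments `// Spec of the OIDC provider.` and `// Status of the OIDC provider.` look copied from a provider type and should read `// Spec of the OIDC client.` and `// Status of the OIDC client.`.
```go
// GrantType is one of the OAuth 2.0 grant_type values an OIDCClient may be allowed to use.
// +kubebuilder:validation:Enum="authorization_code";"refresh_token";"urn:ietf:params:oauth:grant-type:token-exchange"
type GrantType string

// Scope is one of the scope values an OIDCClient may be allowed to request.
// +kubebuilder:validation:Enum="openid";"offline_access";"pinniped:request-audience";"username";"groups"
type Scope string

// … unchanged: OIDCClientSpec doc comment, AllowedRedirectURIs field, allowedGrantTypes doc comment and markers …
	AllowedGrantTypes []GrantType `json:"allowedGrantTypes"`
// … unchanged: allowedScopes doc comment and markers …
	AllowedScopes []Scope `json:"allowedScopes"`
```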
@@ -0,0 +1,121 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.8.0 + creationTimestamp: null + name: oidcclients.oauth.supervisor.pinniped.dev +spec: + group: oauth.supervisor.pinniped.dev + names: + categories: + - pinniped + kind: OIDCClient + listKind: OIDCClientList + plural: oidcclients + singular: oidcclient + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: '{range .spec.allowedScopes[?(@ == "pinniped:request-audience")]}{true}{end}{false}' + name: Privileged + type: boolean + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: OIDCClient describes the configuration of an OIDC client. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec of the OIDC provider. + properties: + allowedGrantTypes: + description: "allowedGrantTypes is a list of the allowed grant_type + param values that should be accepted during OIDC flows with this + client. \n Must only contain the following values: - authorization_code: + allows the client to perform the authorization code grant flow, + i.e. allows the webapp to authenticate users. This grant must always + be listed. 
- refresh_token: allows the client to perform refresh + grants for the user to extend the user's session. This grant must + be listed if allowedScopes lists offline_access. - urn:ietf:params:oauth:grant-type:token-exchange: + allows the client to perform RFC8693 token exchange, which is a + step in the process to be able to get a cluster credential for the + user. This grant must be listed if allowedScopes lists pinniped:request-audience." + items: + type: string + minItems: 1 + type: array + uniqueItems: true + allowedRedirectURIs: + description: allowedRedirectURIs is a list of the allowed redirect_uri + param values that should be accepted during OIDC flows with this + client. Any other uris will be rejected. Must be https, unless it + is a loopback. + items: + type: string + minItems: 1 + type: array + uniqueItems: true + allowedScopes: + description: "allowedScopes is a list of the allowed scopes param + values that should be accepted during OIDC flows with this client. + \n Must only contain the following values: - openid: The client + is allowed to request ID tokens. ID tokens only include the required + claims by default (iss, sub, aud, exp, iat). This scope must always + be listed. - offline_access: The client is allowed to request an + initial refresh token during the authorization code grant flow. + This scope must be listed if allowedGrantTypes lists refresh_token. + - pinniped:request-audience: The client is allowed to request a + new audience value during a RFC8693 token exchange, which is a step + in the process to be able to get a cluster credential for the user. + openid, username and groups scopes must be listed when this scope + is present. This scope must be listed if allowedGrantTypes lists + urn:ietf:params:oauth:grant-type:token-exchange. - username: The + client is allowed to request that ID tokens contain the user's username. + Without the username scope being requested and allowed, the ID token + will not contain the user's username. 
- groups: The client is allowed + to request that ID tokens contain the user's group membership, if + their group membership is discoverable by the Supervisor. Without + the groups scope being requested and allowed, the ID token will + not contain groups." + items: + type: string + minItems: 1 + type: array + uniqueItems: true + required: + - allowedGrantTypes + - allowedRedirectURIs + - allowedScopes + type: object + status: + description: Status of the OIDC provider. + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/generated/1.17/README.adoc b/generated/1.17/README.adoc index 9efe8a67..a7396f25 100644 --- a/generated/1.17/README.adoc +++ b/generated/1.17/README.adoc @@ -12,6 +12,7 @@ - xref:{anchor_prefix}-identity-concierge-pinniped-dev-v1alpha1[$$identity.concierge.pinniped.dev/v1alpha1$$] - xref:{anchor_prefix}-idp-supervisor-pinniped-dev-v1alpha1[$$idp.supervisor.pinniped.dev/v1alpha1$$] - xref:{anchor_prefix}-login-concierge-pinniped-dev-v1alpha1[$$login.concierge.pinniped.dev/v1alpha1$$] +- xref:{anchor_prefix}-oauth-supervisor-pinniped-dev-v1alpha1[$$oauth.supervisor.pinniped.dev/v1alpha1$$] [id="{anchor_prefix}-authentication-concierge-pinniped-dev-v1alpha1"] 
@@ -1332,3 +1333,56 @@ TokenCredentialRequestStatus is the status of a TokenCredentialRequest, returned |=== + +[id="{anchor_prefix}-oauth-supervisor-pinniped-dev-v1alpha1"] +=== oauth.supervisor.pinniped.dev/v1alpha1 + +Package v1alpha1 is the v1alpha1 version of the Pinniped supervisor oauth API. + + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-oauth-v1alpha1-oidcclient"] +==== OIDCClient + +OIDCClient describes the configuration of an OIDC client. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-oauth-v1alpha1-oidcclientlist[$$OIDCClientList$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.17/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`. + +| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-oauth-v1alpha1-oidcclientspec[$$OIDCClientSpec$$]__ | Spec of the OIDC provider. +| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-oauth-v1alpha1-oidcclientstatus[$$OIDCClientStatus$$]__ | Status of the OIDC provider. +|=== + + + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-oauth-v1alpha1-oidcclientspec"] +==== OIDCClientSpec + +OIDCClientSpec is a struct that describes an OIDC Client. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-oauth-v1alpha1-oidcclient[$$OIDCClient$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`allowedRedirectURIs`* __string array__ | allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this client. Any other uris will be rejected. Must be https, unless it is a loopback. 
+| *`allowedGrantTypes`* __string array__ | allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this client. + Must only contain the following values: - authorization_code: allows the client to perform the authorization code grant flow, i.e. allows the webapp to authenticate users. This grant must always be listed. - refresh_token: allows the client to perform refresh grants for the user to extend the user's session. This grant must be listed if allowedScopes lists offline_access. - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. This grant must be listed if allowedScopes lists pinniped:request-audience. +| *`allowedScopes`* __string array__ | allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. + Must only contain the following values: - openid: The client is allowed to request ID tokens. ID tokens only include the required claims by default (iss, sub, aud, exp, iat). This scope must always be listed. - offline_access: The client is allowed to request an initial refresh token during the authorization code grant flow. This scope must be listed if allowedGrantTypes lists refresh_token. - pinniped:request-audience: The client is allowed to request a new audience value during a RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. openid, username and groups scopes must be listed when this scope is present. This scope must be listed if allowedGrantTypes lists urn:ietf:params:oauth:grant-type:token-exchange. - username: The client is allowed to request that ID tokens contain the user's username. Without the username scope being requested and allowed, the ID token will not contain the user's username. 
- groups: The client is allowed to request that ID tokens contain the user's group membership, if their group membership is discoverable by the Supervisor. Without the groups scope being requested and allowed, the ID token will not contain groups. +|=== + + + + diff --git a/generated/1.17/apis/supervisor/oauth/v1alpha1/doc.go b/generated/1.17/apis/supervisor/oauth/v1alpha1/doc.go new file mode 100644 index 00000000..75580481 --- /dev/null +++ b/generated/1.17/apis/supervisor/oauth/v1alpha1/doc.go @@ -0,0 +1,10 @@ +// Copyright 2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// +k8s:openapi-gen=true +// +k8s:deepcopy-gen=package +// +k8s:defaulter-gen=TypeMeta +// +groupName=oauth.supervisor.pinniped.dev + +// Package v1alpha1 is the v1alpha1 version of the Pinniped supervisor oauth API. +package v1alpha1 diff --git a/generated/1.17/apis/supervisor/oauth/v1alpha1/register.go b/generated/1.17/apis/supervisor/oauth/v1alpha1/register.go new file mode 100644 index 00000000..37ae1fbf --- /dev/null +++ b/generated/1.17/apis/supervisor/oauth/v1alpha1/register.go 
@@ -0,0 +1,43 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import (
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/apimachinery/pkg/runtime"
+ "k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+const GroupName = "oauth.supervisor.pinniped.dev"
+
+// SchemeGroupVersion is group version used to register these objects.
+var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha1"}
+
+var (
+ SchemeBuilder runtime.SchemeBuilder
+ localSchemeBuilder = &SchemeBuilder
+ AddToScheme = localSchemeBuilder.AddToScheme
+)
+
+func init() {
+ // We only register manually written functions here. The registration of the
+ // generated functions takes place in the generated files. The separation
+ // makes the code compile even when the generated files are missing.
+ localSchemeBuilder.Register(addKnownTypes)
+}
+
+// Adds the list of known types to the given scheme.
+func addKnownTypes(scheme *runtime.Scheme) error {
+ scheme.AddKnownTypes(SchemeGroupVersion,
+ &OIDCClient{},
+ &OIDCClientList{},
+ )
+ metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
+ return nil
+}
+
+// Resource takes an unqualified resource and returns a Group qualified GroupResource.
+func Resource(resource string) schema.GroupResource {
+ return SchemeGroupVersion.WithResource(resource).GroupResource()
+}
diff --git a/generated/1.17/apis/supervisor/oauth/v1alpha1/types_oidcclient.go b/generated/1.17/apis/supervisor/oauth/v1alpha1/types_oidcclient.go
new file mode 100644
index 00000000..ee125443
--- /dev/null
+++ b/generated/1.17/apis/supervisor/oauth/v1alpha1/types_oidcclient.go
@@ -0,0 +1,84 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import (
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// OIDCClientSpec is a struct that describes an OIDC Client.
+type OIDCClientSpec struct {
+ // allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this
+ // client. Any other uris will be rejected.
+ // Must be https, unless it is a loopback.
+ // +kubebuilder:validation:UniqueItems=true
+ // +kubebuilder:validation:MinItems=1
+ AllowedRedirectURIs []string `json:"allowedRedirectURIs"`
+
+ // allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this
+ // client.
+ //
+ // Must only contain the following values:
+ // - authorization_code: allows the client to perform the authorization code grant flow, i.e. allows the webapp to
+ // authenticate users. This grant must always be listed.
+ // - refresh_token: allows the client to perform refresh grants for the user to extend the user's session.
+ // This grant must be listed if allowedScopes lists offline_access.
+ // - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange,
+ // which is a step in the process to be able to get a cluster credential for the user.
+ // This grant must be listed if allowedScopes lists pinniped:request-audience.
+ // +kubebuilder:validation:UniqueItems=true
+ // +kubebuilder:validation:MinItems=1
+ AllowedGrantTypes []string `json:"allowedGrantTypes"`
+
+ // allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client.
+ //
+ // Must only contain the following values:
+ // - openid: The client is allowed to request ID tokens. ID tokens only include the required claims by default (iss, sub, aud, exp, iat).
+ // This scope must always be listed.
+ // - offline_access: The client is allowed to request an initial refresh token during the authorization code grant flow.
+ // This scope must be listed if allowedGrantTypes lists refresh_token.
+ // - pinniped:request-audience: The client is allowed to request a new audience value during a RFC8693 token exchange,
+ // which is a step in the process to be able to get a cluster credential for the user.
+ // openid, username and groups scopes must be listed when this scope is present.
+ // This scope must be listed if allowedGrantTypes lists urn:ietf:params:oauth:grant-type:token-exchange.
+ // - username: The client is allowed to request that ID tokens contain the user's username.
+ // Without the username scope being requested and allowed, the ID token will not contain the user's username.
+ // - groups: The client is allowed to request that ID tokens contain the user's group membership,
+ // if their group membership is discoverable by the Supervisor.
+ // Without the groups scope being requested and allowed, the ID token will not contain groups.
+ // +kubebuilder:validation:UniqueItems=true
+ // +kubebuilder:validation:MinItems=1
+ AllowedScopes []string `json:"allowedScopes"`
+}
+
+// OIDCClientStatus is a struct that describes the actual state of an OIDC Client.
+type OIDCClientStatus struct {
+}
+
+// OIDCClient describes the configuration of an OIDC client.
+// +genclient
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+// +kubebuilder:resource:categories=pinniped
+// +kubebuilder:printcolumn:name="Privileged",type=boolean,JSONPath=`{range .spec.allowedScopes[?(@ == "pinniped:request-audience")]}{true}{end}{false}`
+// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
+// +kubebuilder:subresource:status
+type OIDCClient struct {
+ metav1.TypeMeta `json:",inline"`
+ metav1.ObjectMeta `json:"metadata,omitempty"`
+
+ // Spec of the OIDC provider.
+ Spec OIDCClientSpec `json:"spec"`
+
+ // Status of the OIDC provider.
+ Status OIDCClientStatus `json:"status,omitempty"`
+}
+
+// List of OIDCClient objects.
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+type OIDCClientList struct {
+ metav1.TypeMeta `json:",inline"`
+ metav1.ListMeta `json:"metadata,omitempty"`
+
+ Items []OIDCClient `json:"items"`
+}
diff --git a/generated/1.17/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go b/generated/1.17/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go
new file mode 100644
index 00000000..cb35cea5
--- /dev/null
+++ b/generated/1.17/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go
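Review bot: `AllowedGrantTypes` and `AllowedScopes` in `OIDCClientSpec` document a closed set of permitted values ("Must only contain the following values") but carry no `+kubebuilder:validation:Enum` marker, so the generated CRD in this patch types their items as bare strings and the apiserver will admit any value; since these lists gate which OAuth grants and scopes a client may exercise, the allow-list should be enforced at admission rather than left to a comment. The `+kubebuilder:validation:UniqueItems=true` markers on all three slices emit `uniqueItems: true` into the CRD schema, which I believe the apiextensions validator rejects for structural schemas (it flags the quadratic runtime cost), so the install may fail; `+listType=set` is the supported way to express uniqueness. The https-unless-loopback rule on `allowedRedirectURIs` is likewise not expressed in the schema, so the Supervisor must enforce it at runtime and compare `redirect_uri` values by exact match, which is worth stating on the field, e.g. `// NOTE: this rule is not enforced by the schema; the Supervisor must validate it, and exact-match redirect_uri, at runtime.` These lines appear to be copied from `apis/supervisor/oauth/v1alpha1/types_oidcclient.go.tmpl`, which is where the change belongs before regenerating.
```go
// GrantType is a grant_type value that an OIDCClient may be allowed to use.
// +kubebuilder:validation:Enum="authorization_code";"refresh_token";"urn:ietf:params:oauth:grant-type:token-exchange"
type GrantType string

// Scope is a scope value that an OIDCClient may be allowed to request.
// +kubebuilder:validation:Enum="openid";"offline_access";"pinniped:request-audience";"username";"groups"
type Scope string

// OIDCClientSpec is a struct that describes an OIDC Client.
type OIDCClientSpec struct {
	// … unchanged: allowedRedirectURIs doc comment …
	// NOTE: the https-unless-loopback rule is not enforced by this schema; the Supervisor must
	// validate it, and compare redirect_uri values by exact match, at runtime.
	// +listType=set
	// +kubebuilder:validation:MinItems=1
	AllowedRedirectURIs []string `json:"allowedRedirectURIs"`

	// … unchanged: allowedGrantTypes doc comment …
	// +listType=set
	// +kubebuilder:validation:MinItems=1
	AllowedGrantTypes []GrantType `json:"allowedGrantTypes"`

	// … unchanged: allowedScopes doc comment …
	// +listType=set
	// +kubebuilder:validation:MinItems=1
	AllowedScopes []Scope `json:"allowedScopes"`
}
```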
@@ -0,0 +1,121 @@ +//go:build !ignore_autogenerated +// +build !ignore_autogenerated + +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by deepcopy-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + runtime "k8s.io/apimachinery/pkg/runtime" +) + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCClient) DeepCopyInto(out *OIDCClient) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + in.Spec.DeepCopyInto(&out.Spec) + out.Status = in.Status + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClient. +func (in *OIDCClient) DeepCopy() *OIDCClient { + if in == nil { + return nil + } + out := new(OIDCClient) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *OIDCClient) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCClientList) DeepCopyInto(out *OIDCClientList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]OIDCClient, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientList. +func (in *OIDCClientList) DeepCopy() *OIDCClientList { + if in == nil { + return nil + } + out := new(OIDCClientList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. 
+func (in *OIDCClientList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCClientSpec) DeepCopyInto(out *OIDCClientSpec) { + *out = *in + if in.AllowedRedirectURIs != nil { + in, out := &in.AllowedRedirectURIs, &out.AllowedRedirectURIs + *out = make([]string, len(*in)) + copy(*out, *in) + } + if in.AllowedGrantTypes != nil { + in, out := &in.AllowedGrantTypes, &out.AllowedGrantTypes + *out = make([]string, len(*in)) + copy(*out, *in) + } + if in.AllowedScopes != nil { + in, out := &in.AllowedScopes, &out.AllowedScopes + *out = make([]string, len(*in)) + copy(*out, *in) + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSpec. +func (in *OIDCClientSpec) DeepCopy() *OIDCClientSpec { + if in == nil { + return nil + } + out := new(OIDCClientSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCClientStatus) DeepCopyInto(out *OIDCClientStatus) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientStatus. +func (in *OIDCClientStatus) DeepCopy() *OIDCClientStatus { + if in == nil { + return nil + } + out := new(OIDCClientStatus) + in.DeepCopyInto(out) + return out +} diff --git a/generated/1.17/client/supervisor/clientset/versioned/clientset.go b/generated/1.17/client/supervisor/clientset/versioned/clientset.go index d1845d53..c51ef35e 100644 --- a/generated/1.17/client/supervisor/clientset/versioned/clientset.go +++ b/generated/1.17/client/supervisor/clientset/versioned/clientset.go 
@@ -10,6 +10,7 @@ import ( configv1alpha1 "go.pinniped.dev/generated/1.17/client/supervisor/clientset/versioned/typed/config/v1alpha1" idpv1alpha1 "go.pinniped.dev/generated/1.17/client/supervisor/clientset/versioned/typed/idp/v1alpha1" + oauthv1alpha1 "go.pinniped.dev/generated/1.17/client/supervisor/clientset/versioned/typed/oauth/v1alpha1" discovery "k8s.io/client-go/discovery" rest "k8s.io/client-go/rest" flowcontrol "k8s.io/client-go/util/flowcontrol" @@ -19,6 +20,7 @@ type Interface interface { Discovery() discovery.DiscoveryInterface ConfigV1alpha1() configv1alpha1.ConfigV1alpha1Interface IDPV1alpha1() idpv1alpha1.IDPV1alpha1Interface + OauthV1alpha1() oauthv1alpha1.OauthV1alpha1Interface } // Clientset contains the clients for groups. Each group has exactly one @@ -27,6 +29,7 @@ type Clientset struct { *discovery.DiscoveryClient configV1alpha1 *configv1alpha1.ConfigV1alpha1Client iDPV1alpha1 *idpv1alpha1.IDPV1alpha1Client + oauthV1alpha1 *oauthv1alpha1.OauthV1alpha1Client } // ConfigV1alpha1 retrieves the ConfigV1alpha1Client @@ -39,6 +42,11 @@ func (c *Clientset) IDPV1alpha1() idpv1alpha1.IDPV1alpha1Interface { return c.iDPV1alpha1 } +// OauthV1alpha1 retrieves the OauthV1alpha1Client +func (c *Clientset) OauthV1alpha1() oauthv1alpha1.OauthV1alpha1Interface { + return c.oauthV1alpha1 +} + // Discovery retrieves the DiscoveryClient func (c *Clientset) Discovery() discovery.DiscoveryInterface { if c == nil { @@ -68,6 +76,10 @@ func NewForConfig(c *rest.Config) (*Clientset, error) { if err != nil { return nil, err } + cs.oauthV1alpha1, err = oauthv1alpha1.NewForConfig(&configShallowCopy) + if err != nil { + return nil, err + } cs.DiscoveryClient, err = discovery.NewDiscoveryClientForConfig(&configShallowCopy) if err != nil { 
@@ -82,6 +94,7 @@ func NewForConfigOrDie(c *rest.Config) *Clientset { var cs Clientset cs.configV1alpha1 = configv1alpha1.NewForConfigOrDie(c) cs.iDPV1alpha1 = idpv1alpha1.NewForConfigOrDie(c) + cs.oauthV1alpha1 = oauthv1alpha1.NewForConfigOrDie(c) cs.DiscoveryClient = discovery.NewDiscoveryClientForConfigOrDie(c) return &cs @@ -92,6 +105,7 @@ func New(c rest.Interface) *Clientset { var cs Clientset cs.configV1alpha1 = configv1alpha1.New(c) cs.iDPV1alpha1 = idpv1alpha1.New(c) + cs.oauthV1alpha1 = oauthv1alpha1.New(c) cs.DiscoveryClient = discovery.NewDiscoveryClient(c) return &cs diff --git a/generated/1.17/client/supervisor/clientset/versioned/fake/clientset_generated.go b/generated/1.17/client/supervisor/clientset/versioned/fake/clientset_generated.go index 0bc2edfc..7139764c 100644 --- a/generated/1.17/client/supervisor/clientset/versioned/fake/clientset_generated.go +++ b/generated/1.17/client/supervisor/clientset/versioned/fake/clientset_generated.go @@ -11,6 +11,8 @@ import ( fakeconfigv1alpha1 "go.pinniped.dev/generated/1.17/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake" idpv1alpha1 "go.pinniped.dev/generated/1.17/client/supervisor/clientset/versioned/typed/idp/v1alpha1" fakeidpv1alpha1 "go.pinniped.dev/generated/1.17/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake" + oauthv1alpha1 "go.pinniped.dev/generated/1.17/client/supervisor/clientset/versioned/typed/oauth/v1alpha1" + fakeoauthv1alpha1 "go.pinniped.dev/generated/1.17/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake" "k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/watch" "k8s.io/client-go/discovery" 
@@ -74,3 +76,8 @@ func (c *Clientset) ConfigV1alpha1() configv1alpha1.ConfigV1alpha1Interface { func (c *Clientset) IDPV1alpha1() idpv1alpha1.IDPV1alpha1Interface { return &fakeidpv1alpha1.FakeIDPV1alpha1{Fake: &c.Fake} } + +// OauthV1alpha1 retrieves the OauthV1alpha1Client +func (c *Clientset) OauthV1alpha1() oauthv1alpha1.OauthV1alpha1Interface { + return &fakeoauthv1alpha1.FakeOauthV1alpha1{Fake: &c.Fake} +} diff --git a/generated/1.17/client/supervisor/clientset/versioned/fake/register.go b/generated/1.17/client/supervisor/clientset/versioned/fake/register.go index 5717b4eb..980ce98f 100644 --- a/generated/1.17/client/supervisor/clientset/versioned/fake/register.go +++ b/generated/1.17/client/supervisor/clientset/versioned/fake/register.go @@ -8,6 +8,7 @@ package fake import ( configv1alpha1 "go.pinniped.dev/generated/1.17/apis/supervisor/config/v1alpha1" idpv1alpha1 "go.pinniped.dev/generated/1.17/apis/supervisor/idp/v1alpha1" + oauthv1alpha1 "go.pinniped.dev/generated/1.17/apis/supervisor/oauth/v1alpha1" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" runtime "k8s.io/apimachinery/pkg/runtime" schema "k8s.io/apimachinery/pkg/runtime/schema" @@ -21,6 +22,7 @@ var parameterCodec = runtime.NewParameterCodec(scheme) var localSchemeBuilder = runtime.SchemeBuilder{ configv1alpha1.AddToScheme, idpv1alpha1.AddToScheme, + oauthv1alpha1.AddToScheme, } // AddToScheme adds all types of this clientset into the given scheme. This allows composition diff --git a/generated/1.17/client/supervisor/clientset/versioned/scheme/register.go b/generated/1.17/client/supervisor/clientset/versioned/scheme/register.go index 3d881a08..676b0aae 100644 --- a/generated/1.17/client/supervisor/clientset/versioned/scheme/register.go +++ b/generated/1.17/client/supervisor/clientset/versioned/scheme/register.go 
@@ -8,6 +8,7 @@ package scheme import ( configv1alpha1 "go.pinniped.dev/generated/1.17/apis/supervisor/config/v1alpha1" idpv1alpha1 "go.pinniped.dev/generated/1.17/apis/supervisor/idp/v1alpha1" + oauthv1alpha1 "go.pinniped.dev/generated/1.17/apis/supervisor/oauth/v1alpha1" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" runtime "k8s.io/apimachinery/pkg/runtime" schema "k8s.io/apimachinery/pkg/runtime/schema" @@ -21,6 +22,7 @@ var ParameterCodec = runtime.NewParameterCodec(Scheme) var localSchemeBuilder = runtime.SchemeBuilder{ configv1alpha1.AddToScheme, idpv1alpha1.AddToScheme, + oauthv1alpha1.AddToScheme, } // AddToScheme adds all types of this clientset into the given scheme. This allows composition diff --git a/generated/1.17/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/doc.go b/generated/1.17/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/doc.go new file mode 100644 index 00000000..e7a470b6 --- /dev/null +++ b/generated/1.17/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/doc.go @@ -0,0 +1,7 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +// This package has the automatically generated typed clients. +package v1alpha1 diff --git a/generated/1.17/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go b/generated/1.17/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go new file mode 100644 index 00000000..7906901b --- /dev/null +++ b/generated/1.17/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go @@ -0,0 +1,7 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +// Package fake has the automatically generated clients. +package fake 
diff --git a/generated/1.17/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go b/generated/1.17/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go new file mode 100644 index 00000000..1625045c --- /dev/null +++ b/generated/1.17/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go @@ -0,0 +1,27 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package fake + +import ( + v1alpha1 "go.pinniped.dev/generated/1.17/client/supervisor/clientset/versioned/typed/oauth/v1alpha1" + rest "k8s.io/client-go/rest" + testing "k8s.io/client-go/testing" +) + +type FakeOauthV1alpha1 struct { + *testing.Fake +} + +func (c *FakeOauthV1alpha1) OIDCClients(namespace string) v1alpha1.OIDCClientInterface { + return &FakeOIDCClients{c, namespace} +} + +// RESTClient returns a RESTClient that is used to communicate +// with API server by this client implementation. +func (c *FakeOauthV1alpha1) RESTClient() rest.Interface { + var ret *rest.RESTClient + return ret +} diff --git a/generated/1.17/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oidcclient.go b/generated/1.17/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oidcclient.go new file mode 100644 index 00000000..69c8555d --- /dev/null +++ b/generated/1.17/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oidcclient.go 
@@ -0,0 +1,127 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package fake + +import ( + v1alpha1 "go.pinniped.dev/generated/1.17/apis/supervisor/oauth/v1alpha1" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + labels "k8s.io/apimachinery/pkg/labels" + schema "k8s.io/apimachinery/pkg/runtime/schema" + types "k8s.io/apimachinery/pkg/types" + watch "k8s.io/apimachinery/pkg/watch" + testing "k8s.io/client-go/testing" +) + +// FakeOIDCClients implements OIDCClientInterface +type FakeOIDCClients struct { + Fake *FakeOauthV1alpha1 + ns string +} + +var oidcclientsResource = schema.GroupVersionResource{Group: "oauth.supervisor.pinniped.dev", Version: "v1alpha1", Resource: "oidcclients"} + +var oidcclientsKind = schema.GroupVersionKind{Group: "oauth.supervisor.pinniped.dev", Version: "v1alpha1", Kind: "OIDCClient"} + +// Get takes name of the oIDCClient, and returns the corresponding oIDCClient object, and an error if there is any. +func (c *FakeOIDCClients) Get(name string, options v1.GetOptions) (result *v1alpha1.OIDCClient, err error) { + obj, err := c.Fake. + Invokes(testing.NewGetAction(oidcclientsResource, c.ns, name), &v1alpha1.OIDCClient{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.OIDCClient), err +} + +// List takes label and field selectors, and returns the list of OIDCClients that match those selectors. +func (c *FakeOIDCClients) List(opts v1.ListOptions) (result *v1alpha1.OIDCClientList, err error) { + obj, err := c.Fake. 
+ Invokes(testing.NewListAction(oidcclientsResource, oidcclientsKind, c.ns, opts), &v1alpha1.OIDCClientList{}) + + if obj == nil { + return nil, err + } + + label, _, _ := testing.ExtractFromListOptions(opts) + if label == nil { + label = labels.Everything() + } + list := &v1alpha1.OIDCClientList{ListMeta: obj.(*v1alpha1.OIDCClientList).ListMeta} + for _, item := range obj.(*v1alpha1.OIDCClientList).Items { + if label.Matches(labels.Set(item.Labels)) { + list.Items = append(list.Items, item) + } + } + return list, err +} + +// Watch returns a watch.Interface that watches the requested oIDCClients. +func (c *FakeOIDCClients) Watch(opts v1.ListOptions) (watch.Interface, error) { + return c.Fake. + InvokesWatch(testing.NewWatchAction(oidcclientsResource, c.ns, opts)) + +} + +// Create takes the representation of a oIDCClient and creates it. Returns the server's representation of the oIDCClient, and an error, if there is any. +func (c *FakeOIDCClients) Create(oIDCClient *v1alpha1.OIDCClient) (result *v1alpha1.OIDCClient, err error) { + obj, err := c.Fake. + Invokes(testing.NewCreateAction(oidcclientsResource, c.ns, oIDCClient), &v1alpha1.OIDCClient{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.OIDCClient), err +} + +// Update takes the representation of a oIDCClient and updates it. Returns the server's representation of the oIDCClient, and an error, if there is any. +func (c *FakeOIDCClients) Update(oIDCClient *v1alpha1.OIDCClient) (result *v1alpha1.OIDCClient, err error) { + obj, err := c.Fake. + Invokes(testing.NewUpdateAction(oidcclientsResource, c.ns, oIDCClient), &v1alpha1.OIDCClient{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.OIDCClient), err +} + +// UpdateStatus was generated because the type contains a Status member. +// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus(). 
+func (c *FakeOIDCClients) UpdateStatus(oIDCClient *v1alpha1.OIDCClient) (*v1alpha1.OIDCClient, error) { + obj, err := c.Fake. + Invokes(testing.NewUpdateSubresourceAction(oidcclientsResource, "status", c.ns, oIDCClient), &v1alpha1.OIDCClient{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.OIDCClient), err +} + +// Delete takes name of the oIDCClient and deletes it. Returns an error if one occurs. +func (c *FakeOIDCClients) Delete(name string, options *v1.DeleteOptions) error { + _, err := c.Fake. + Invokes(testing.NewDeleteAction(oidcclientsResource, c.ns, name), &v1alpha1.OIDCClient{}) + + return err +} + +// DeleteCollection deletes a collection of objects. +func (c *FakeOIDCClients) DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error { + action := testing.NewDeleteCollectionAction(oidcclientsResource, c.ns, listOptions) + + _, err := c.Fake.Invokes(action, &v1alpha1.OIDCClientList{}) + return err +} + +// Patch applies the patch and returns the patched oIDCClient. +func (c *FakeOIDCClients) Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1alpha1.OIDCClient, err error) { + obj, err := c.Fake. + Invokes(testing.NewPatchSubresourceAction(oidcclientsResource, c.ns, name, pt, data, subresources...), &v1alpha1.OIDCClient{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.OIDCClient), err +} diff --git a/generated/1.17/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go b/generated/1.17/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go new file mode 100644 index 00000000..87d22ea9 --- /dev/null +++ b/generated/1.17/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go 
@@ -0,0 +1,8 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package v1alpha1 + +type OIDCClientExpansion interface{} diff --git a/generated/1.17/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go b/generated/1.17/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go new file mode 100644 index 00000000..32dae26a --- /dev/null +++ b/generated/1.17/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go 
@@ -0,0 +1,76 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + v1alpha1 "go.pinniped.dev/generated/1.17/apis/supervisor/oauth/v1alpha1" + "go.pinniped.dev/generated/1.17/client/supervisor/clientset/versioned/scheme" + rest "k8s.io/client-go/rest" +) + +type OauthV1alpha1Interface interface { + RESTClient() rest.Interface + OIDCClientsGetter +} + +// OauthV1alpha1Client is used to interact with features provided by the oauth.supervisor.pinniped.dev group. +type OauthV1alpha1Client struct { + restClient rest.Interface +} + +func (c *OauthV1alpha1Client) OIDCClients(namespace string) OIDCClientInterface { + return newOIDCClients(c, namespace) +} + +// NewForConfig creates a new OauthV1alpha1Client for the given config. +func NewForConfig(c *rest.Config) (*OauthV1alpha1Client, error) { + config := *c + if err := setConfigDefaults(&config); err != nil { + return nil, err + } + client, err := rest.RESTClientFor(&config) + if err != nil { + return nil, err + } + return &OauthV1alpha1Client{client}, nil +} + +// NewForConfigOrDie creates a new OauthV1alpha1Client for the given config and +// panics if there is an error in the config. +func NewForConfigOrDie(c *rest.Config) *OauthV1alpha1Client { + client, err := NewForConfig(c) + if err != nil { + panic(err) + } + return client +} + +// New creates a new OauthV1alpha1Client for the given RESTClient. 
+func New(c rest.Interface) *OauthV1alpha1Client { + return &OauthV1alpha1Client{c} +} + +func setConfigDefaults(config *rest.Config) error { + gv := v1alpha1.SchemeGroupVersion + config.GroupVersion = &gv + config.APIPath = "/apis" + config.NegotiatedSerializer = scheme.Codecs.WithoutConversion() + + if config.UserAgent == "" { + config.UserAgent = rest.DefaultKubernetesUserAgent() + } + + return nil +} + +// RESTClient returns a RESTClient that is used to communicate +// with API server by this client implementation. +func (c *OauthV1alpha1Client) RESTClient() rest.Interface { + if c == nil { + return nil + } + return c.restClient +} diff --git a/generated/1.17/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oidcclient.go b/generated/1.17/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oidcclient.go new file mode 100644 index 00000000..322bcb9d --- /dev/null +++ b/generated/1.17/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oidcclient.go 
@@ -0,0 +1,178 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + "time" + + v1alpha1 "go.pinniped.dev/generated/1.17/apis/supervisor/oauth/v1alpha1" + scheme "go.pinniped.dev/generated/1.17/client/supervisor/clientset/versioned/scheme" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + types "k8s.io/apimachinery/pkg/types" + watch "k8s.io/apimachinery/pkg/watch" + rest "k8s.io/client-go/rest" +) + +// OIDCClientsGetter has a method to return a OIDCClientInterface. +// A group's client should implement this interface. +type OIDCClientsGetter interface { + OIDCClients(namespace string) OIDCClientInterface +} + +// OIDCClientInterface has methods to work with OIDCClient resources. +type OIDCClientInterface interface { + Create(*v1alpha1.OIDCClient) (*v1alpha1.OIDCClient, error) + Update(*v1alpha1.OIDCClient) (*v1alpha1.OIDCClient, error) + UpdateStatus(*v1alpha1.OIDCClient) (*v1alpha1.OIDCClient, error) + Delete(name string, options *v1.DeleteOptions) error + DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error + Get(name string, options v1.GetOptions) (*v1alpha1.OIDCClient, error) + List(opts v1.ListOptions) (*v1alpha1.OIDCClientList, error) + Watch(opts v1.ListOptions) (watch.Interface, error) + Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1alpha1.OIDCClient, err error) + OIDCClientExpansion +} + +// oIDCClients implements OIDCClientInterface +type oIDCClients struct { + client rest.Interface + ns string +} + +// newOIDCClients returns a OIDCClients +func newOIDCClients(c *OauthV1alpha1Client, namespace string) *oIDCClients { + return &oIDCClients{ + client: c.RESTClient(), + ns: namespace, + } +} + +// Get takes name of the oIDCClient, and returns the corresponding oIDCClient object, and an error if there is any. 
+func (c *oIDCClients) Get(name string, options v1.GetOptions) (result *v1alpha1.OIDCClient, err error) { + result = &v1alpha1.OIDCClient{} + err = c.client.Get(). + Namespace(c.ns). + Resource("oidcclients"). + Name(name). + VersionedParams(&options, scheme.ParameterCodec). + Do(). + Into(result) + return +} + +// List takes label and field selectors, and returns the list of OIDCClients that match those selectors. +func (c *oIDCClients) List(opts v1.ListOptions) (result *v1alpha1.OIDCClientList, err error) { + var timeout time.Duration + if opts.TimeoutSeconds != nil { + timeout = time.Duration(*opts.TimeoutSeconds) * time.Second + } + result = &v1alpha1.OIDCClientList{} + err = c.client.Get(). + Namespace(c.ns). + Resource("oidcclients"). + VersionedParams(&opts, scheme.ParameterCodec). + Timeout(timeout). + Do(). + Into(result) + return +} + +// Watch returns a watch.Interface that watches the requested oIDCClients. +func (c *oIDCClients) Watch(opts v1.ListOptions) (watch.Interface, error) { + var timeout time.Duration + if opts.TimeoutSeconds != nil { + timeout = time.Duration(*opts.TimeoutSeconds) * time.Second + } + opts.Watch = true + return c.client.Get(). + Namespace(c.ns). + Resource("oidcclients"). + VersionedParams(&opts, scheme.ParameterCodec). + Timeout(timeout). + Watch() +} + +// Create takes the representation of a oIDCClient and creates it. Returns the server's representation of the oIDCClient, and an error, if there is any. +func (c *oIDCClients) Create(oIDCClient *v1alpha1.OIDCClient) (result *v1alpha1.OIDCClient, err error) { + result = &v1alpha1.OIDCClient{} + err = c.client.Post(). + Namespace(c.ns). + Resource("oidcclients"). + Body(oIDCClient). + Do(). + Into(result) + return +} + +// Update takes the representation of a oIDCClient and updates it. Returns the server's representation of the oIDCClient, and an error, if there is any. 
+func (c *oIDCClients) Update(oIDCClient *v1alpha1.OIDCClient) (result *v1alpha1.OIDCClient, err error) { + result = &v1alpha1.OIDCClient{} + err = c.client.Put(). + Namespace(c.ns). + Resource("oidcclients"). + Name(oIDCClient.Name). + Body(oIDCClient). + Do(). + Into(result) + return +} + +// UpdateStatus was generated because the type contains a Status member. +// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus(). + +func (c *oIDCClients) UpdateStatus(oIDCClient *v1alpha1.OIDCClient) (result *v1alpha1.OIDCClient, err error) { + result = &v1alpha1.OIDCClient{} + err = c.client.Put(). + Namespace(c.ns). + Resource("oidcclients"). + Name(oIDCClient.Name). + SubResource("status"). + Body(oIDCClient). + Do(). + Into(result) + return +} + +// Delete takes name of the oIDCClient and deletes it. Returns an error if one occurs. +func (c *oIDCClients) Delete(name string, options *v1.DeleteOptions) error { + return c.client.Delete(). + Namespace(c.ns). + Resource("oidcclients"). + Name(name). + Body(options). + Do(). + Error() +} + +// DeleteCollection deletes a collection of objects. +func (c *oIDCClients) DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error { + var timeout time.Duration + if listOptions.TimeoutSeconds != nil { + timeout = time.Duration(*listOptions.TimeoutSeconds) * time.Second + } + return c.client.Delete(). + Namespace(c.ns). + Resource("oidcclients"). + VersionedParams(&listOptions, scheme.ParameterCodec). + Timeout(timeout). + Body(options). + Do(). + Error() +} + +// Patch applies the patch and returns the patched oIDCClient. +func (c *oIDCClients) Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1alpha1.OIDCClient, err error) { + result = &v1alpha1.OIDCClient{} + err = c.client.Patch(pt). + Namespace(c.ns). + Resource("oidcclients"). + SubResource(subresources...). + Name(name). + Body(data). + Do(). + Into(result) + return +} 
diff --git a/generated/1.17/client/supervisor/informers/externalversions/factory.go b/generated/1.17/client/supervisor/informers/externalversions/factory.go index 10a7bf92..ac94e186 100644 --- a/generated/1.17/client/supervisor/informers/externalversions/factory.go +++ b/generated/1.17/client/supervisor/informers/externalversions/factory.go @@ -14,6 +14,7 @@ import ( config "go.pinniped.dev/generated/1.17/client/supervisor/informers/externalversions/config" idp "go.pinniped.dev/generated/1.17/client/supervisor/informers/externalversions/idp" internalinterfaces "go.pinniped.dev/generated/1.17/client/supervisor/informers/externalversions/internalinterfaces" + oauth "go.pinniped.dev/generated/1.17/client/supervisor/informers/externalversions/oauth" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" runtime "k8s.io/apimachinery/pkg/runtime" schema "k8s.io/apimachinery/pkg/runtime/schema" @@ -162,6 +163,7 @@ type SharedInformerFactory interface { Config() config.Interface IDP() idp.Interface + Oauth() oauth.Interface } func (f *sharedInformerFactory) Config() config.Interface { @@ -171,3 +173,7 @@ func (f *sharedInformerFactory) Config() config.Interface { func (f *sharedInformerFactory) IDP() idp.Interface { return idp.New(f, f.namespace, f.tweakListOptions) } + +func (f *sharedInformerFactory) Oauth() oauth.Interface { + return oauth.New(f, f.namespace, f.tweakListOptions) +} diff --git a/generated/1.17/client/supervisor/informers/externalversions/generic.go b/generated/1.17/client/supervisor/informers/externalversions/generic.go index 945a84dd..4f5c74e4 100644 --- a/generated/1.17/client/supervisor/informers/externalversions/generic.go +++ b/generated/1.17/client/supervisor/informers/externalversions/generic.go 
@@ -10,6 +10,7 @@ import ( v1alpha1 "go.pinniped.dev/generated/1.17/apis/supervisor/config/v1alpha1" idpv1alpha1 "go.pinniped.dev/generated/1.17/apis/supervisor/idp/v1alpha1" + oauthv1alpha1 "go.pinniped.dev/generated/1.17/apis/supervisor/oauth/v1alpha1" schema "k8s.io/apimachinery/pkg/runtime/schema" cache "k8s.io/client-go/tools/cache" ) @@ -52,6 +53,10 @@ func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource case idpv1alpha1.SchemeGroupVersion.WithResource("oidcidentityproviders"): return &genericInformer{resource: resource.GroupResource(), informer: f.IDP().V1alpha1().OIDCIdentityProviders().Informer()}, nil + // Group=oauth.supervisor.pinniped.dev, Version=v1alpha1 + case oauthv1alpha1.SchemeGroupVersion.WithResource("oidcclients"): + return &genericInformer{resource: resource.GroupResource(), informer: f.Oauth().V1alpha1().OIDCClients().Informer()}, nil + } return nil, fmt.Errorf("no informer found for %v", resource) diff --git a/generated/1.17/client/supervisor/informers/externalversions/oauth/interface.go b/generated/1.17/client/supervisor/informers/externalversions/oauth/interface.go new file mode 100644 index 00000000..06b9370b --- /dev/null +++ b/generated/1.17/client/supervisor/informers/externalversions/oauth/interface.go 
@@ -0,0 +1,33 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by informer-gen. DO NOT EDIT. + +package oauth + +import ( + internalinterfaces "go.pinniped.dev/generated/1.17/client/supervisor/informers/externalversions/internalinterfaces" + v1alpha1 "go.pinniped.dev/generated/1.17/client/supervisor/informers/externalversions/oauth/v1alpha1" +) + +// Interface provides access to each of this group's versions. +type Interface interface { + // V1alpha1 provides access to shared informers for resources in V1alpha1. + V1alpha1() v1alpha1.Interface +} + +type group struct { + factory internalinterfaces.SharedInformerFactory + namespace string + tweakListOptions internalinterfaces.TweakListOptionsFunc +} + +// New returns a new Interface. +func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakListOptions internalinterfaces.TweakListOptionsFunc) Interface { + return &group{factory: f, namespace: namespace, tweakListOptions: tweakListOptions} +} + +// V1alpha1 returns a new v1alpha1.Interface. +func (g *group) V1alpha1() v1alpha1.Interface { + return v1alpha1.New(g.factory, g.namespace, g.tweakListOptions) +} diff --git a/generated/1.17/client/supervisor/informers/externalversions/oauth/v1alpha1/interface.go b/generated/1.17/client/supervisor/informers/externalversions/oauth/v1alpha1/interface.go new file mode 100644 index 00000000..46d19a40 --- /dev/null +++ b/generated/1.17/client/supervisor/informers/externalversions/oauth/v1alpha1/interface.go 
@@ -0,0 +1,32 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by informer-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + internalinterfaces "go.pinniped.dev/generated/1.17/client/supervisor/informers/externalversions/internalinterfaces" +) + +// Interface provides access to all the informers in this group version. +type Interface interface { + // OIDCClients returns a OIDCClientInformer. + OIDCClients() OIDCClientInformer +} + +type version struct { + factory internalinterfaces.SharedInformerFactory + namespace string + tweakListOptions internalinterfaces.TweakListOptionsFunc +} + +// New returns a new Interface. +func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakListOptions internalinterfaces.TweakListOptionsFunc) Interface { + return &version{factory: f, namespace: namespace, tweakListOptions: tweakListOptions} +} + +// OIDCClients returns a OIDCClientInformer. +func (v *version) OIDCClients() OIDCClientInformer { + return &oIDCClientInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions} +} diff --git a/generated/1.17/client/supervisor/informers/externalversions/oauth/v1alpha1/oidcclient.go b/generated/1.17/client/supervisor/informers/externalversions/oauth/v1alpha1/oidcclient.go new file mode 100644 index 00000000..1996f202 --- /dev/null +++ b/generated/1.17/client/supervisor/informers/externalversions/oauth/v1alpha1/oidcclient.go 
@@ -0,0 +1,76 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by informer-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + time "time" + + oauthv1alpha1 "go.pinniped.dev/generated/1.17/apis/supervisor/oauth/v1alpha1" + versioned "go.pinniped.dev/generated/1.17/client/supervisor/clientset/versioned" + internalinterfaces "go.pinniped.dev/generated/1.17/client/supervisor/informers/externalversions/internalinterfaces" + v1alpha1 "go.pinniped.dev/generated/1.17/client/supervisor/listers/oauth/v1alpha1" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + runtime "k8s.io/apimachinery/pkg/runtime" + watch "k8s.io/apimachinery/pkg/watch" + cache "k8s.io/client-go/tools/cache" +) + +// OIDCClientInformer provides access to a shared informer and lister for +// OIDCClients. +type OIDCClientInformer interface { + Informer() cache.SharedIndexInformer + Lister() v1alpha1.OIDCClientLister +} + +type oIDCClientInformer struct { + factory internalinterfaces.SharedInformerFactory + tweakListOptions internalinterfaces.TweakListOptionsFunc + namespace string +} + +// NewOIDCClientInformer constructs a new informer for OIDCClient type. +// Always prefer using an informer factory to get a shared informer instead of getting an independent +// one. This reduces memory footprint and number of connections to the server. +func NewOIDCClientInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer { + return NewFilteredOIDCClientInformer(client, namespace, resyncPeriod, indexers, nil) +} + +// NewFilteredOIDCClientInformer constructs a new informer for OIDCClient type. +// Always prefer using an informer factory to get a shared informer instead of getting an independent +// one. This reduces memory footprint and number of connections to the server. 
+func NewFilteredOIDCClientInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer { + return cache.NewSharedIndexInformer( + &cache.ListWatch{ + ListFunc: func(options v1.ListOptions) (runtime.Object, error) { + if tweakListOptions != nil { + tweakListOptions(&options) + } + return client.OauthV1alpha1().OIDCClients(namespace).List(options) + }, + WatchFunc: func(options v1.ListOptions) (watch.Interface, error) { + if tweakListOptions != nil { + tweakListOptions(&options) + } + return client.OauthV1alpha1().OIDCClients(namespace).Watch(options) + }, + }, + &oauthv1alpha1.OIDCClient{}, + resyncPeriod, + indexers, + ) +} + +func (f *oIDCClientInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer { + return NewFilteredOIDCClientInformer(client, f.namespace, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions) +} + +func (f *oIDCClientInformer) Informer() cache.SharedIndexInformer { + return f.factory.InformerFor(&oauthv1alpha1.OIDCClient{}, f.defaultInformer) +} + +func (f *oIDCClientInformer) Lister() v1alpha1.OIDCClientLister { + return v1alpha1.NewOIDCClientLister(f.Informer().GetIndexer()) +} diff --git a/generated/1.17/client/supervisor/listers/oauth/v1alpha1/expansion_generated.go b/generated/1.17/client/supervisor/listers/oauth/v1alpha1/expansion_generated.go new file mode 100644 index 00000000..c19310da --- /dev/null +++ b/generated/1.17/client/supervisor/listers/oauth/v1alpha1/expansion_generated.go 
@@ -0,0 +1,14 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by lister-gen. DO NOT EDIT. + +package v1alpha1 + +// OIDCClientListerExpansion allows custom methods to be added to +// OIDCClientLister. +type OIDCClientListerExpansion interface{} + +// OIDCClientNamespaceListerExpansion allows custom methods to be added to +// OIDCClientNamespaceLister. +type OIDCClientNamespaceListerExpansion interface{} diff --git a/generated/1.17/client/supervisor/listers/oauth/v1alpha1/oidcclient.go b/generated/1.17/client/supervisor/listers/oauth/v1alpha1/oidcclient.go new file mode 100644 index 00000000..8395809f --- /dev/null +++ b/generated/1.17/client/supervisor/listers/oauth/v1alpha1/oidcclient.go 
@@ -0,0 +1,81 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by lister-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + v1alpha1 "go.pinniped.dev/generated/1.17/apis/supervisor/oauth/v1alpha1" + "k8s.io/apimachinery/pkg/api/errors" + "k8s.io/apimachinery/pkg/labels" + "k8s.io/client-go/tools/cache" +) + +// OIDCClientLister helps list OIDCClients. +type OIDCClientLister interface { + // List lists all OIDCClients in the indexer. + List(selector labels.Selector) (ret []*v1alpha1.OIDCClient, err error) + // OIDCClients returns an object that can list and get OIDCClients. + OIDCClients(namespace string) OIDCClientNamespaceLister + OIDCClientListerExpansion +} + +// oIDCClientLister implements the OIDCClientLister interface. +type oIDCClientLister struct { + indexer cache.Indexer +} + +// NewOIDCClientLister returns a new OIDCClientLister. +func NewOIDCClientLister(indexer cache.Indexer) OIDCClientLister { + return &oIDCClientLister{indexer: indexer} +} + +// List lists all OIDCClients in the indexer. +func (s *oIDCClientLister) List(selector labels.Selector) (ret []*v1alpha1.OIDCClient, err error) { + err = cache.ListAll(s.indexer, selector, func(m interface{}) { + ret = append(ret, m.(*v1alpha1.OIDCClient)) + }) + return ret, err +} + +// OIDCClients returns an object that can list and get OIDCClients. +func (s *oIDCClientLister) OIDCClients(namespace string) OIDCClientNamespaceLister { + return oIDCClientNamespaceLister{indexer: s.indexer, namespace: namespace} +} + +// OIDCClientNamespaceLister helps list and get OIDCClients. +type OIDCClientNamespaceLister interface { + // List lists all OIDCClients in the indexer for a given namespace. + List(selector labels.Selector) (ret []*v1alpha1.OIDCClient, err error) + // Get retrieves the OIDCClient from the indexer for a given namespace and name. 
+ Get(name string) (*v1alpha1.OIDCClient, error) + OIDCClientNamespaceListerExpansion +} + +// oIDCClientNamespaceLister implements the OIDCClientNamespaceLister +// interface. +type oIDCClientNamespaceLister struct { + indexer cache.Indexer + namespace string +} + +// List lists all OIDCClients in the indexer for a given namespace. +func (s oIDCClientNamespaceLister) List(selector labels.Selector) (ret []*v1alpha1.OIDCClient, err error) { + err = cache.ListAllByNamespace(s.indexer, s.namespace, selector, func(m interface{}) { + ret = append(ret, m.(*v1alpha1.OIDCClient)) + }) + return ret, err +} + +// Get retrieves the OIDCClient from the indexer for a given namespace and name. +func (s oIDCClientNamespaceLister) Get(name string) (*v1alpha1.OIDCClient, error) { + obj, exists, err := s.indexer.GetByKey(s.namespace + "/" + name) + if err != nil { + return nil, err + } + if !exists { + return nil, errors.NewNotFound(v1alpha1.Resource("oidcclient"), name) + } + return obj.(*v1alpha1.OIDCClient), nil +} diff --git a/generated/1.17/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml b/generated/1.17/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml new file mode 100644 index 00000000..0b4ee157 --- /dev/null +++ b/generated/1.17/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml 
@@ -0,0 +1,121 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.8.0 + creationTimestamp: null + name: oidcclients.oauth.supervisor.pinniped.dev +spec: + group: oauth.supervisor.pinniped.dev + names: + categories: + - pinniped + kind: OIDCClient + listKind: OIDCClientList + plural: oidcclients + singular: oidcclient + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: '{range .spec.allowedScopes[?(@ == "pinniped:request-audience")]}{true}{end}{false}' + name: Privileged + type: boolean + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: OIDCClient describes the configuration of an OIDC client. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec of the OIDC provider. + properties: + allowedGrantTypes: + description: "allowedGrantTypes is a list of the allowed grant_type + param values that should be accepted during OIDC flows with this + client. \n Must only contain the following values: - authorization_code: + allows the client to perform the authorization code grant flow, + i.e. allows the webapp to authenticate users. This grant must always + be listed. 
- refresh_token: allows the client to perform refresh + grants for the user to extend the user's session. This grant must + be listed if allowedScopes lists offline_access. - urn:ietf:params:oauth:grant-type:token-exchange: + allows the client to perform RFC8693 token exchange, which is a + step in the process to be able to get a cluster credential for the + user. This grant must be listed if allowedScopes lists pinniped:request-audience." + items: + type: string + minItems: 1 + type: array + uniqueItems: true + allowedRedirectURIs: + description: allowedRedirectURIs is a list of the allowed redirect_uri + param values that should be accepted during OIDC flows with this + client. Any other uris will be rejected. Must be https, unless it + is a loopback. + items: + type: string + minItems: 1 + type: array + uniqueItems: true + allowedScopes: + description: "allowedScopes is a list of the allowed scopes param + values that should be accepted during OIDC flows with this client. + \n Must only contain the following values: - openid: The client + is allowed to request ID tokens. ID tokens only include the required + claims by default (iss, sub, aud, exp, iat). This scope must always + be listed. - offline_access: The client is allowed to request an + initial refresh token during the authorization code grant flow. + This scope must be listed if allowedGrantTypes lists refresh_token. + - pinniped:request-audience: The client is allowed to request a + new audience value during a RFC8693 token exchange, which is a step + in the process to be able to get a cluster credential for the user. + openid, username and groups scopes must be listed when this scope + is present. This scope must be listed if allowedGrantTypes lists + urn:ietf:params:oauth:grant-type:token-exchange. - username: The + client is allowed to request that ID tokens contain the user's username. + Without the username scope being requested and allowed, the ID token + will not contain the user's username. 
- groups: The client is allowed + to request that ID tokens contain the user's group membership, if + their group membership is discoverable by the Supervisor. Without + the groups scope being requested and allowed, the ID token will + not contain groups." + items: + type: string + minItems: 1 + type: array + uniqueItems: true + required: + - allowedGrantTypes + - allowedRedirectURIs + - allowedScopes + type: object + status: + description: Status of the OIDC provider. + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/generated/1.18/README.adoc b/generated/1.18/README.adoc index f6ecc0f5..53a3a986 100644 --- a/generated/1.18/README.adoc +++ b/generated/1.18/README.adoc @@ -12,6 +12,7 @@ - xref:{anchor_prefix}-identity-concierge-pinniped-dev-v1alpha1[$$identity.concierge.pinniped.dev/v1alpha1$$] - xref:{anchor_prefix}-idp-supervisor-pinniped-dev-v1alpha1[$$idp.supervisor.pinniped.dev/v1alpha1$$] - xref:{anchor_prefix}-login-concierge-pinniped-dev-v1alpha1[$$login.concierge.pinniped.dev/v1alpha1$$] +- xref:{anchor_prefix}-oauth-supervisor-pinniped-dev-v1alpha1[$$oauth.supervisor.pinniped.dev/v1alpha1$$] [id="{anchor_prefix}-authentication-concierge-pinniped-dev-v1alpha1"] 
@@ -1332,3 +1333,56 @@ TokenCredentialRequestStatus is the status of a TokenCredentialRequest, returned |=== + +[id="{anchor_prefix}-oauth-supervisor-pinniped-dev-v1alpha1"] +=== oauth.supervisor.pinniped.dev/v1alpha1 + +Package v1alpha1 is the v1alpha1 version of the Pinniped supervisor oauth API. + + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-oauth-v1alpha1-oidcclient"] +==== OIDCClient + +OIDCClient describes the configuration of an OIDC client. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-oauth-v1alpha1-oidcclientlist[$$OIDCClientList$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`. + +| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-oauth-v1alpha1-oidcclientspec[$$OIDCClientSpec$$]__ | Spec of the OIDC provider. +| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-oauth-v1alpha1-oidcclientstatus[$$OIDCClientStatus$$]__ | Status of the OIDC provider. +|=== + + + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-oauth-v1alpha1-oidcclientspec"] +==== OIDCClientSpec + +OIDCClientSpec is a struct that describes an OIDC Client. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-oauth-v1alpha1-oidcclient[$$OIDCClient$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`allowedRedirectURIs`* __string array__ | allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this client. Any other uris will be rejected. Must be https, unless it is a loopback. 
+| *`allowedGrantTypes`* __string array__ | allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this client. + Must only contain the following values: - authorization_code: allows the client to perform the authorization code grant flow, i.e. allows the webapp to authenticate users. This grant must always be listed. - refresh_token: allows the client to perform refresh grants for the user to extend the user's session. This grant must be listed if allowedScopes lists offline_access. - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. This grant must be listed if allowedScopes lists pinniped:request-audience. +| *`allowedScopes`* __string array__ | allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. + Must only contain the following values: - openid: The client is allowed to request ID tokens. ID tokens only include the required claims by default (iss, sub, aud, exp, iat). This scope must always be listed. - offline_access: The client is allowed to request an initial refresh token during the authorization code grant flow. This scope must be listed if allowedGrantTypes lists refresh_token. - pinniped:request-audience: The client is allowed to request a new audience value during a RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. openid, username and groups scopes must be listed when this scope is present. This scope must be listed if allowedGrantTypes lists urn:ietf:params:oauth:grant-type:token-exchange. - username: The client is allowed to request that ID tokens contain the user's username. Without the username scope being requested and allowed, the ID token will not contain the user's username. 
- groups: The client is allowed to request that ID tokens contain the user's group membership, if their group membership is discoverable by the Supervisor. Without the groups scope being requested and allowed, the ID token will not contain groups.
+|===
+
+
+
+
diff --git a/generated/1.18/apis/supervisor/oauth/v1alpha1/doc.go b/generated/1.18/apis/supervisor/oauth/v1alpha1/doc.go
new file mode 100644
index 00000000..75580481
--- /dev/null
+++ b/generated/1.18/apis/supervisor/oauth/v1alpha1/doc.go
@@ -0,0 +1,10 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// +k8s:openapi-gen=true
+// +k8s:deepcopy-gen=package
+// +k8s:defaulter-gen=TypeMeta
+// +groupName=oauth.supervisor.pinniped.dev
+
+// Package v1alpha1 is the v1alpha1 version of the Pinniped supervisor oauth API.
+package v1alpha1
diff --git a/generated/1.18/apis/supervisor/oauth/v1alpha1/register.go b/generated/1.18/apis/supervisor/oauth/v1alpha1/register.go
new file mode 100644
index 00000000..37ae1fbf
--- /dev/null
+++ b/generated/1.18/apis/supervisor/oauth/v1alpha1/register.go
@@ -0,0 +1,43 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import (
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/apimachinery/pkg/runtime"
+ "k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+const GroupName = "oauth.supervisor.pinniped.dev"
+
+// SchemeGroupVersion is group version used to register these objects.
+var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha1"}
+
+var (
+ SchemeBuilder runtime.SchemeBuilder
+ localSchemeBuilder = &SchemeBuilder
+ AddToScheme = localSchemeBuilder.AddToScheme
+)
+
+func init() {
+ // We only register manually written functions here. The registration of the
+ // generated functions takes place in the generated files. The separation
+ // makes the code compile even when the generated files are missing.
+ localSchemeBuilder.Register(addKnownTypes)
+}
+
+// Adds the list of known types to the given scheme.
+func addKnownTypes(scheme *runtime.Scheme) error {
+ scheme.AddKnownTypes(SchemeGroupVersion,
+ &OIDCClient{},
+ &OIDCClientList{},
+ )
+ metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
+ return nil
+}
+
+// Resource takes an unqualified resource and returns a Group qualified GroupResource.
+func Resource(resource string) schema.GroupResource {
+ return SchemeGroupVersion.WithResource(resource).GroupResource()
+}
diff --git a/generated/1.18/apis/supervisor/oauth/v1alpha1/types_oidcclient.go b/generated/1.18/apis/supervisor/oauth/v1alpha1/types_oidcclient.go
new file mode 100644
index 00000000..ee125443
--- /dev/null
+++ b/generated/1.18/apis/supervisor/oauth/v1alpha1/types_oidcclient.go
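Review bot: `GroupName`, `SchemeBuilder` and `AddToScheme` are exported without doc comments, and the comment on `addKnownTypes` does not start with the function name, so doc-comment linters will flag all four in this hunk. Suggested text: `// GroupName is the API group served by this package.` above the const, `// SchemeBuilder collects the functions that register this group's types with a runtime.Scheme.` and `// AddToScheme registers this group's types with the given scheme.` in the var block, and `// addKnownTypes adds the list of known types to the given scheme.` in place of the existing comment. If this file is copied from a template, the wording belongs in the template so the copies stay in sync.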
@@ -0,0 +1,84 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import (
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// OIDCClientSpec is a struct that describes an OIDC Client.
+type OIDCClientSpec struct {
+ // allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this
+ // client. Any other uris will be rejected.
+ // Must be https, unless it is a loopback.
+ // +kubebuilder:validation:UniqueItems=true
+ // +kubebuilder:validation:MinItems=1
+ AllowedRedirectURIs []string `json:"allowedRedirectURIs"`
+
+ // allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this
+ // client.
+ //
+ // Must only contain the following values:
+ // - authorization_code: allows the client to perform the authorization code grant flow, i.e. allows the webapp to
+ // authenticate users. This grant must always be listed.
+ // - refresh_token: allows the client to perform refresh grants for the user to extend the user's session.
+ // This grant must be listed if allowedScopes lists offline_access.
+ // - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange,
+ // which is a step in the process to be able to get a cluster credential for the user.
+ // This grant must be listed if allowedScopes lists pinniped:request-audience.
+ // +kubebuilder:validation:UniqueItems=true
+ // +kubebuilder:validation:MinItems=1
+ AllowedGrantTypes []string `json:"allowedGrantTypes"`
+
+ // allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client.
+ //
+ // Must only contain the following values:
+ // - openid: The client is allowed to request ID tokens. ID tokens only include the required claims by default (iss, sub, aud, exp, iat).
+ // This scope must always be listed.
+ // - offline_access: The client is allowed to request an initial refresh token during the authorization code grant flow.
+ // This scope must be listed if allowedGrantTypes lists refresh_token.
+ // - pinniped:request-audience: The client is allowed to request a new audience value during a RFC8693 token exchange,
+ // which is a step in the process to be able to get a cluster credential for the user.
+ // openid, username and groups scopes must be listed when this scope is present.
+ // This scope must be listed if allowedGrantTypes lists urn:ietf:params:oauth:grant-type:token-exchange.
+ // - username: The client is allowed to request that ID tokens contain the user's username.
+ // Without the username scope being requested and allowed, the ID token will not contain the user's username.
+ // - groups: The client is allowed to request that ID tokens contain the user's group membership,
+ // if their group membership is discoverable by the Supervisor.
+ // Without the groups scope being requested and allowed, the ID token will not contain groups.
+ // +kubebuilder:validation:UniqueItems=true
+ // +kubebuilder:validation:MinItems=1
+ AllowedScopes []string `json:"allowedScopes"`
+}
+
+// OIDCClientStatus is a struct that describes the actual state of an OIDC Client.
+type OIDCClientStatus struct {
+}
+
+// OIDCClient describes the configuration of an OIDC client.
+// +genclient
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+// +kubebuilder:resource:categories=pinniped
+// +kubebuilder:printcolumn:name="Privileged",type=boolean,JSONPath=`{range .spec.allowedScopes[?(@ == "pinniped:request-audience")]}{true}{end}{false}`
+// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
+// +kubebuilder:subresource:status
+type OIDCClient struct {
+ metav1.TypeMeta `json:",inline"`
+ metav1.ObjectMeta `json:"metadata,omitempty"`
+
+ // Spec of the OIDC provider.
+ Spec OIDCClientSpec `json:"spec"`
+
+ // Status of the OIDC provider.
+ Status OIDCClientStatus `json:"status,omitempty"`
+}
+
+// List of OIDCClient objects.
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+type OIDCClientList struct {
+ metav1.TypeMeta `json:",inline"`
+ metav1.ListMeta `json:"metadata,omitempty"`
+
+ Items []OIDCClient `json:"items"`
+}
diff --git a/generated/1.18/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go b/generated/1.18/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go
new file mode 100644
index 00000000..cb35cea5
--- /dev/null
+++ b/generated/1.18/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go
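Review bot: The constraints documented on `OIDCClientSpec` — `Must be https, unless it is a loopback` for `allowedRedirectURIs` and the closed value sets for `allowedGrantTypes`/`allowedScopes` — are comment-only; no validation marker backs them, so the generated CRD schema admits any string and every unknown grant type, scope or non-TLS redirect URI has to be caught by the Supervisor at runtime. The value sets can be enforced in the schema by moving the two lists to enum-typed item types, as below; the redirect-URI rule and the cross-field rules (refresh_token with offline_access, token-exchange with pinniped:request-audience) cannot be expressed as markers, and since `OIDCClientStatus` is empty a controller has nowhere to report a rejected spec — a `Conditions []metav1.Condition` field in the status would cover that. `+kubebuilder:validation:UniqueItems=true` presumably becomes `uniqueItems: true` in the CRD, which apiextensions validation forbids for structural schemas; `+listType=set` is the usual replacement and still gives per-item uniqueness. Separately, the field comments `// Spec of the OIDC provider.` and `// Status of the OIDC provider.` on `OIDCClient` look copied from another type and should read `// Spec of the OIDC client.` and `// Status of the OIDC client.`. If this file is copied from a template, the changes belong in the template too.
```go
// GrantType is an OAuth 2.0 grant_type value that an OIDCClient may be allowed to use.
// +kubebuilder:validation:Enum="authorization_code";"refresh_token";"urn:ietf:params:oauth:grant-type:token-exchange"
type GrantType string

// Scope is an OAuth 2.0 scope value that an OIDCClient may be allowed to request.
// +kubebuilder:validation:Enum="openid";"offline_access";"username";"groups";"pinniped:request-audience"
type Scope string

// … unchanged: OIDCClientSpec doc comments, AllowedRedirectURIs and its markers …
	AllowedGrantTypes []GrantType `json:"allowedGrantTypes"`
// … unchanged: allowedScopes doc comment and markers …
	AllowedScopes []Scope `json:"allowedScopes"`
```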
@@ -0,0 +1,121 @@ +//go:build !ignore_autogenerated +// +build !ignore_autogenerated + +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by deepcopy-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + runtime "k8s.io/apimachinery/pkg/runtime" +) + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCClient) DeepCopyInto(out *OIDCClient) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + in.Spec.DeepCopyInto(&out.Spec) + out.Status = in.Status + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClient. +func (in *OIDCClient) DeepCopy() *OIDCClient { + if in == nil { + return nil + } + out := new(OIDCClient) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *OIDCClient) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCClientList) DeepCopyInto(out *OIDCClientList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]OIDCClient, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientList. +func (in *OIDCClientList) DeepCopy() *OIDCClientList { + if in == nil { + return nil + } + out := new(OIDCClientList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. 
+func (in *OIDCClientList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCClientSpec) DeepCopyInto(out *OIDCClientSpec) { + *out = *in + if in.AllowedRedirectURIs != nil { + in, out := &in.AllowedRedirectURIs, &out.AllowedRedirectURIs + *out = make([]string, len(*in)) + copy(*out, *in) + } + if in.AllowedGrantTypes != nil { + in, out := &in.AllowedGrantTypes, &out.AllowedGrantTypes + *out = make([]string, len(*in)) + copy(*out, *in) + } + if in.AllowedScopes != nil { + in, out := &in.AllowedScopes, &out.AllowedScopes + *out = make([]string, len(*in)) + copy(*out, *in) + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSpec. +func (in *OIDCClientSpec) DeepCopy() *OIDCClientSpec { + if in == nil { + return nil + } + out := new(OIDCClientSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCClientStatus) DeepCopyInto(out *OIDCClientStatus) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientStatus. +func (in *OIDCClientStatus) DeepCopy() *OIDCClientStatus { + if in == nil { + return nil + } + out := new(OIDCClientStatus) + in.DeepCopyInto(out) + return out +} diff --git a/generated/1.18/client/supervisor/clientset/versioned/clientset.go b/generated/1.18/client/supervisor/clientset/versioned/clientset.go index 1427efc1..d9bb8ce9 100644 --- a/generated/1.18/client/supervisor/clientset/versioned/clientset.go +++ b/generated/1.18/client/supervisor/clientset/versioned/clientset.go 
@@ -10,6 +10,7 @@ import ( configv1alpha1 "go.pinniped.dev/generated/1.18/client/supervisor/clientset/versioned/typed/config/v1alpha1" idpv1alpha1 "go.pinniped.dev/generated/1.18/client/supervisor/clientset/versioned/typed/idp/v1alpha1" + oauthv1alpha1 "go.pinniped.dev/generated/1.18/client/supervisor/clientset/versioned/typed/oauth/v1alpha1" discovery "k8s.io/client-go/discovery" rest "k8s.io/client-go/rest" flowcontrol "k8s.io/client-go/util/flowcontrol" @@ -19,6 +20,7 @@ type Interface interface { Discovery() discovery.DiscoveryInterface ConfigV1alpha1() configv1alpha1.ConfigV1alpha1Interface IDPV1alpha1() idpv1alpha1.IDPV1alpha1Interface + OauthV1alpha1() oauthv1alpha1.OauthV1alpha1Interface } // Clientset contains the clients for groups. Each group has exactly one @@ -27,6 +29,7 @@ type Clientset struct { *discovery.DiscoveryClient configV1alpha1 *configv1alpha1.ConfigV1alpha1Client iDPV1alpha1 *idpv1alpha1.IDPV1alpha1Client + oauthV1alpha1 *oauthv1alpha1.OauthV1alpha1Client } // ConfigV1alpha1 retrieves the ConfigV1alpha1Client @@ -39,6 +42,11 @@ func (c *Clientset) IDPV1alpha1() idpv1alpha1.IDPV1alpha1Interface { return c.iDPV1alpha1 } +// OauthV1alpha1 retrieves the OauthV1alpha1Client +func (c *Clientset) OauthV1alpha1() oauthv1alpha1.OauthV1alpha1Interface { + return c.oauthV1alpha1 +} + // Discovery retrieves the DiscoveryClient func (c *Clientset) Discovery() discovery.DiscoveryInterface { if c == nil { @@ -68,6 +76,10 @@ func NewForConfig(c *rest.Config) (*Clientset, error) { if err != nil { return nil, err } + cs.oauthV1alpha1, err = oauthv1alpha1.NewForConfig(&configShallowCopy) + if err != nil { + return nil, err + } cs.DiscoveryClient, err = discovery.NewDiscoveryClientForConfig(&configShallowCopy) if err != nil { 
@@ -82,6 +94,7 @@ func NewForConfigOrDie(c *rest.Config) *Clientset { var cs Clientset cs.configV1alpha1 = configv1alpha1.NewForConfigOrDie(c) cs.iDPV1alpha1 = idpv1alpha1.NewForConfigOrDie(c) + cs.oauthV1alpha1 = oauthv1alpha1.NewForConfigOrDie(c) cs.DiscoveryClient = discovery.NewDiscoveryClientForConfigOrDie(c) return &cs @@ -92,6 +105,7 @@ func New(c rest.Interface) *Clientset { var cs Clientset cs.configV1alpha1 = configv1alpha1.New(c) cs.iDPV1alpha1 = idpv1alpha1.New(c) + cs.oauthV1alpha1 = oauthv1alpha1.New(c) cs.DiscoveryClient = discovery.NewDiscoveryClient(c) return &cs diff --git a/generated/1.18/client/supervisor/clientset/versioned/fake/clientset_generated.go b/generated/1.18/client/supervisor/clientset/versioned/fake/clientset_generated.go index 4a5361d2..be0ba580 100644 --- a/generated/1.18/client/supervisor/clientset/versioned/fake/clientset_generated.go +++ b/generated/1.18/client/supervisor/clientset/versioned/fake/clientset_generated.go @@ -11,6 +11,8 @@ import ( fakeconfigv1alpha1 "go.pinniped.dev/generated/1.18/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake" idpv1alpha1 "go.pinniped.dev/generated/1.18/client/supervisor/clientset/versioned/typed/idp/v1alpha1" fakeidpv1alpha1 "go.pinniped.dev/generated/1.18/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake" + oauthv1alpha1 "go.pinniped.dev/generated/1.18/client/supervisor/clientset/versioned/typed/oauth/v1alpha1" + fakeoauthv1alpha1 "go.pinniped.dev/generated/1.18/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake" "k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/watch" "k8s.io/client-go/discovery" 
@@ -74,3 +76,8 @@ func (c *Clientset) ConfigV1alpha1() configv1alpha1.ConfigV1alpha1Interface { func (c *Clientset) IDPV1alpha1() idpv1alpha1.IDPV1alpha1Interface { return &fakeidpv1alpha1.FakeIDPV1alpha1{Fake: &c.Fake} } + +// OauthV1alpha1 retrieves the OauthV1alpha1Client +func (c *Clientset) OauthV1alpha1() oauthv1alpha1.OauthV1alpha1Interface { + return &fakeoauthv1alpha1.FakeOauthV1alpha1{Fake: &c.Fake} +} diff --git a/generated/1.18/client/supervisor/clientset/versioned/fake/register.go b/generated/1.18/client/supervisor/clientset/versioned/fake/register.go index 20b81309..9a64a8a9 100644 --- a/generated/1.18/client/supervisor/clientset/versioned/fake/register.go +++ b/generated/1.18/client/supervisor/clientset/versioned/fake/register.go @@ -8,6 +8,7 @@ package fake import ( configv1alpha1 "go.pinniped.dev/generated/1.18/apis/supervisor/config/v1alpha1" idpv1alpha1 "go.pinniped.dev/generated/1.18/apis/supervisor/idp/v1alpha1" + oauthv1alpha1 "go.pinniped.dev/generated/1.18/apis/supervisor/oauth/v1alpha1" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" runtime "k8s.io/apimachinery/pkg/runtime" schema "k8s.io/apimachinery/pkg/runtime/schema" @@ -21,6 +22,7 @@ var parameterCodec = runtime.NewParameterCodec(scheme) var localSchemeBuilder = runtime.SchemeBuilder{ configv1alpha1.AddToScheme, idpv1alpha1.AddToScheme, + oauthv1alpha1.AddToScheme, } // AddToScheme adds all types of this clientset into the given scheme. This allows composition diff --git a/generated/1.18/client/supervisor/clientset/versioned/scheme/register.go b/generated/1.18/client/supervisor/clientset/versioned/scheme/register.go index 23788bd1..1de4c05d 100644 --- a/generated/1.18/client/supervisor/clientset/versioned/scheme/register.go +++ b/generated/1.18/client/supervisor/clientset/versioned/scheme/register.go 
@@ -8,6 +8,7 @@ package scheme import ( configv1alpha1 "go.pinniped.dev/generated/1.18/apis/supervisor/config/v1alpha1" idpv1alpha1 "go.pinniped.dev/generated/1.18/apis/supervisor/idp/v1alpha1" + oauthv1alpha1 "go.pinniped.dev/generated/1.18/apis/supervisor/oauth/v1alpha1" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" runtime "k8s.io/apimachinery/pkg/runtime" schema "k8s.io/apimachinery/pkg/runtime/schema" @@ -21,6 +22,7 @@ var ParameterCodec = runtime.NewParameterCodec(Scheme) var localSchemeBuilder = runtime.SchemeBuilder{ configv1alpha1.AddToScheme, idpv1alpha1.AddToScheme, + oauthv1alpha1.AddToScheme, } // AddToScheme adds all types of this clientset into the given scheme. This allows composition diff --git a/generated/1.18/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/doc.go b/generated/1.18/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/doc.go new file mode 100644 index 00000000..e7a470b6 --- /dev/null +++ b/generated/1.18/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/doc.go @@ -0,0 +1,7 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +// This package has the automatically generated typed clients. +package v1alpha1 diff --git a/generated/1.18/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go b/generated/1.18/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go new file mode 100644 index 00000000..7906901b --- /dev/null +++ b/generated/1.18/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go @@ -0,0 +1,7 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +// Package fake has the automatically generated clients. +package fake 
diff --git a/generated/1.18/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go b/generated/1.18/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go new file mode 100644 index 00000000..0483f163 --- /dev/null +++ b/generated/1.18/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go @@ -0,0 +1,27 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package fake + +import ( + v1alpha1 "go.pinniped.dev/generated/1.18/client/supervisor/clientset/versioned/typed/oauth/v1alpha1" + rest "k8s.io/client-go/rest" + testing "k8s.io/client-go/testing" +) + +type FakeOauthV1alpha1 struct { + *testing.Fake +} + +func (c *FakeOauthV1alpha1) OIDCClients(namespace string) v1alpha1.OIDCClientInterface { + return &FakeOIDCClients{c, namespace} +} + +// RESTClient returns a RESTClient that is used to communicate +// with API server by this client implementation. +func (c *FakeOauthV1alpha1) RESTClient() rest.Interface { + var ret *rest.RESTClient + return ret +} diff --git a/generated/1.18/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oidcclient.go b/generated/1.18/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oidcclient.go new file mode 100644 index 00000000..a177ce4a --- /dev/null +++ b/generated/1.18/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oidcclient.go 
@@ -0,0 +1,129 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package fake + +import ( + "context" + + v1alpha1 "go.pinniped.dev/generated/1.18/apis/supervisor/oauth/v1alpha1" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + labels "k8s.io/apimachinery/pkg/labels" + schema "k8s.io/apimachinery/pkg/runtime/schema" + types "k8s.io/apimachinery/pkg/types" + watch "k8s.io/apimachinery/pkg/watch" + testing "k8s.io/client-go/testing" +) + +// FakeOIDCClients implements OIDCClientInterface +type FakeOIDCClients struct { + Fake *FakeOauthV1alpha1 + ns string +} + +var oidcclientsResource = schema.GroupVersionResource{Group: "oauth.supervisor.pinniped.dev", Version: "v1alpha1", Resource: "oidcclients"} + +var oidcclientsKind = schema.GroupVersionKind{Group: "oauth.supervisor.pinniped.dev", Version: "v1alpha1", Kind: "OIDCClient"} + +// Get takes name of the oIDCClient, and returns the corresponding oIDCClient object, and an error if there is any. +func (c *FakeOIDCClients) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.OIDCClient, err error) { + obj, err := c.Fake. + Invokes(testing.NewGetAction(oidcclientsResource, c.ns, name), &v1alpha1.OIDCClient{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.OIDCClient), err +} + +// List takes label and field selectors, and returns the list of OIDCClients that match those selectors. +func (c *FakeOIDCClients) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.OIDCClientList, err error) { + obj, err := c.Fake. 
+ Invokes(testing.NewListAction(oidcclientsResource, oidcclientsKind, c.ns, opts), &v1alpha1.OIDCClientList{}) + + if obj == nil { + return nil, err + } + + label, _, _ := testing.ExtractFromListOptions(opts) + if label == nil { + label = labels.Everything() + } + list := &v1alpha1.OIDCClientList{ListMeta: obj.(*v1alpha1.OIDCClientList).ListMeta} + for _, item := range obj.(*v1alpha1.OIDCClientList).Items { + if label.Matches(labels.Set(item.Labels)) { + list.Items = append(list.Items, item) + } + } + return list, err +} + +// Watch returns a watch.Interface that watches the requested oIDCClients. +func (c *FakeOIDCClients) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) { + return c.Fake. + InvokesWatch(testing.NewWatchAction(oidcclientsResource, c.ns, opts)) + +} + +// Create takes the representation of a oIDCClient and creates it. Returns the server's representation of the oIDCClient, and an error, if there is any. +func (c *FakeOIDCClients) Create(ctx context.Context, oIDCClient *v1alpha1.OIDCClient, opts v1.CreateOptions) (result *v1alpha1.OIDCClient, err error) { + obj, err := c.Fake. + Invokes(testing.NewCreateAction(oidcclientsResource, c.ns, oIDCClient), &v1alpha1.OIDCClient{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.OIDCClient), err +} + +// Update takes the representation of a oIDCClient and updates it. Returns the server's representation of the oIDCClient, and an error, if there is any. +func (c *FakeOIDCClients) Update(ctx context.Context, oIDCClient *v1alpha1.OIDCClient, opts v1.UpdateOptions) (result *v1alpha1.OIDCClient, err error) { + obj, err := c.Fake. + Invokes(testing.NewUpdateAction(oidcclientsResource, c.ns, oIDCClient), &v1alpha1.OIDCClient{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.OIDCClient), err +} + +// UpdateStatus was generated because the type contains a Status member. +// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus(). 
+func (c *FakeOIDCClients) UpdateStatus(ctx context.Context, oIDCClient *v1alpha1.OIDCClient, opts v1.UpdateOptions) (*v1alpha1.OIDCClient, error) { + obj, err := c.Fake. + Invokes(testing.NewUpdateSubresourceAction(oidcclientsResource, "status", c.ns, oIDCClient), &v1alpha1.OIDCClient{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.OIDCClient), err +} + +// Delete takes name of the oIDCClient and deletes it. Returns an error if one occurs. +func (c *FakeOIDCClients) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error { + _, err := c.Fake. + Invokes(testing.NewDeleteAction(oidcclientsResource, c.ns, name), &v1alpha1.OIDCClient{}) + + return err +} + +// DeleteCollection deletes a collection of objects. +func (c *FakeOIDCClients) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error { + action := testing.NewDeleteCollectionAction(oidcclientsResource, c.ns, listOpts) + + _, err := c.Fake.Invokes(action, &v1alpha1.OIDCClientList{}) + return err +} + +// Patch applies the patch and returns the patched oIDCClient. +func (c *FakeOIDCClients) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.OIDCClient, err error) { + obj, err := c.Fake. + Invokes(testing.NewPatchSubresourceAction(oidcclientsResource, c.ns, name, pt, data, subresources...), &v1alpha1.OIDCClient{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.OIDCClient), err +} diff --git a/generated/1.18/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go b/generated/1.18/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go new file mode 100644 index 00000000..87d22ea9 --- /dev/null +++ b/generated/1.18/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go 
@@ -0,0 +1,8 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package v1alpha1 + +type OIDCClientExpansion interface{} diff --git a/generated/1.18/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go b/generated/1.18/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go new file mode 100644 index 00000000..17d59cf4 --- /dev/null +++ b/generated/1.18/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go 
@@ -0,0 +1,76 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + v1alpha1 "go.pinniped.dev/generated/1.18/apis/supervisor/oauth/v1alpha1" + "go.pinniped.dev/generated/1.18/client/supervisor/clientset/versioned/scheme" + rest "k8s.io/client-go/rest" +) + +type OauthV1alpha1Interface interface { + RESTClient() rest.Interface + OIDCClientsGetter +} + +// OauthV1alpha1Client is used to interact with features provided by the oauth.supervisor.pinniped.dev group. +type OauthV1alpha1Client struct { + restClient rest.Interface +} + +func (c *OauthV1alpha1Client) OIDCClients(namespace string) OIDCClientInterface { + return newOIDCClients(c, namespace) +} + +// NewForConfig creates a new OauthV1alpha1Client for the given config. +func NewForConfig(c *rest.Config) (*OauthV1alpha1Client, error) { + config := *c + if err := setConfigDefaults(&config); err != nil { + return nil, err + } + client, err := rest.RESTClientFor(&config) + if err != nil { + return nil, err + } + return &OauthV1alpha1Client{client}, nil +} + +// NewForConfigOrDie creates a new OauthV1alpha1Client for the given config and +// panics if there is an error in the config. +func NewForConfigOrDie(c *rest.Config) *OauthV1alpha1Client { + client, err := NewForConfig(c) + if err != nil { + panic(err) + } + return client +} + +// New creates a new OauthV1alpha1Client for the given RESTClient. 
+func New(c rest.Interface) *OauthV1alpha1Client { + return &OauthV1alpha1Client{c} +} + +func setConfigDefaults(config *rest.Config) error { + gv := v1alpha1.SchemeGroupVersion + config.GroupVersion = &gv + config.APIPath = "/apis" + config.NegotiatedSerializer = scheme.Codecs.WithoutConversion() + + if config.UserAgent == "" { + config.UserAgent = rest.DefaultKubernetesUserAgent() + } + + return nil +} + +// RESTClient returns a RESTClient that is used to communicate +// with API server by this client implementation. +func (c *OauthV1alpha1Client) RESTClient() rest.Interface { + if c == nil { + return nil + } + return c.restClient +} diff --git a/generated/1.18/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oidcclient.go b/generated/1.18/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oidcclient.go new file mode 100644 index 00000000..26026924 --- /dev/null +++ b/generated/1.18/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oidcclient.go 
@@ -0,0 +1,182 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + "context" + "time" + + v1alpha1 "go.pinniped.dev/generated/1.18/apis/supervisor/oauth/v1alpha1" + scheme "go.pinniped.dev/generated/1.18/client/supervisor/clientset/versioned/scheme" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + types "k8s.io/apimachinery/pkg/types" + watch "k8s.io/apimachinery/pkg/watch" + rest "k8s.io/client-go/rest" +) + +// OIDCClientsGetter has a method to return a OIDCClientInterface. +// A group's client should implement this interface. +type OIDCClientsGetter interface { + OIDCClients(namespace string) OIDCClientInterface +} + +// OIDCClientInterface has methods to work with OIDCClient resources. +type OIDCClientInterface interface { + Create(ctx context.Context, oIDCClient *v1alpha1.OIDCClient, opts v1.CreateOptions) (*v1alpha1.OIDCClient, error) + Update(ctx context.Context, oIDCClient *v1alpha1.OIDCClient, opts v1.UpdateOptions) (*v1alpha1.OIDCClient, error) + UpdateStatus(ctx context.Context, oIDCClient *v1alpha1.OIDCClient, opts v1.UpdateOptions) (*v1alpha1.OIDCClient, error) + Delete(ctx context.Context, name string, opts v1.DeleteOptions) error + DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error + Get(ctx context.Context, name string, opts v1.GetOptions) (*v1alpha1.OIDCClient, error) + List(ctx context.Context, opts v1.ListOptions) (*v1alpha1.OIDCClientList, error) + Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) + Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.OIDCClient, err error) + OIDCClientExpansion +} + +// oIDCClients implements OIDCClientInterface +type oIDCClients struct { + client rest.Interface + ns string +} + +// newOIDCClients returns a OIDCClients +func 
newOIDCClients(c *OauthV1alpha1Client, namespace string) *oIDCClients { + return &oIDCClients{ + client: c.RESTClient(), + ns: namespace, + } +} + +// Get takes name of the oIDCClient, and returns the corresponding oIDCClient object, and an error if there is any. +func (c *oIDCClients) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.OIDCClient, err error) { + result = &v1alpha1.OIDCClient{} + err = c.client.Get(). + Namespace(c.ns). + Resource("oidcclients"). + Name(name). + VersionedParams(&options, scheme.ParameterCodec). + Do(ctx). + Into(result) + return +} + +// List takes label and field selectors, and returns the list of OIDCClients that match those selectors. +func (c *oIDCClients) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.OIDCClientList, err error) { + var timeout time.Duration + if opts.TimeoutSeconds != nil { + timeout = time.Duration(*opts.TimeoutSeconds) * time.Second + } + result = &v1alpha1.OIDCClientList{} + err = c.client.Get(). + Namespace(c.ns). + Resource("oidcclients"). + VersionedParams(&opts, scheme.ParameterCodec). + Timeout(timeout). + Do(ctx). + Into(result) + return +} + +// Watch returns a watch.Interface that watches the requested oIDCClients. +func (c *oIDCClients) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) { + var timeout time.Duration + if opts.TimeoutSeconds != nil { + timeout = time.Duration(*opts.TimeoutSeconds) * time.Second + } + opts.Watch = true + return c.client.Get(). + Namespace(c.ns). + Resource("oidcclients"). + VersionedParams(&opts, scheme.ParameterCodec). + Timeout(timeout). + Watch(ctx) +} + +// Create takes the representation of a oIDCClient and creates it. Returns the server's representation of the oIDCClient, and an error, if there is any. 
+func (c *oIDCClients) Create(ctx context.Context, oIDCClient *v1alpha1.OIDCClient, opts v1.CreateOptions) (result *v1alpha1.OIDCClient, err error) { + result = &v1alpha1.OIDCClient{} + err = c.client.Post(). + Namespace(c.ns). + Resource("oidcclients"). + VersionedParams(&opts, scheme.ParameterCodec). + Body(oIDCClient). + Do(ctx). + Into(result) + return +} + +// Update takes the representation of a oIDCClient and updates it. Returns the server's representation of the oIDCClient, and an error, if there is any. +func (c *oIDCClients) Update(ctx context.Context, oIDCClient *v1alpha1.OIDCClient, opts v1.UpdateOptions) (result *v1alpha1.OIDCClient, err error) { + result = &v1alpha1.OIDCClient{} + err = c.client.Put(). + Namespace(c.ns). + Resource("oidcclients"). + Name(oIDCClient.Name). + VersionedParams(&opts, scheme.ParameterCodec). + Body(oIDCClient). + Do(ctx). + Into(result) + return +} + +// UpdateStatus was generated because the type contains a Status member. +// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus(). +func (c *oIDCClients) UpdateStatus(ctx context.Context, oIDCClient *v1alpha1.OIDCClient, opts v1.UpdateOptions) (result *v1alpha1.OIDCClient, err error) { + result = &v1alpha1.OIDCClient{} + err = c.client.Put(). + Namespace(c.ns). + Resource("oidcclients"). + Name(oIDCClient.Name). + SubResource("status"). + VersionedParams(&opts, scheme.ParameterCodec). + Body(oIDCClient). + Do(ctx). + Into(result) + return +} + +// Delete takes name of the oIDCClient and deletes it. Returns an error if one occurs. +func (c *oIDCClients) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error { + return c.client.Delete(). + Namespace(c.ns). + Resource("oidcclients"). + Name(name). + Body(&opts). + Do(ctx). + Error() +} + +// DeleteCollection deletes a collection of objects. 
+func (c *oIDCClients) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error { + var timeout time.Duration + if listOpts.TimeoutSeconds != nil { + timeout = time.Duration(*listOpts.TimeoutSeconds) * time.Second + } + return c.client.Delete(). + Namespace(c.ns). + Resource("oidcclients"). + VersionedParams(&listOpts, scheme.ParameterCodec). + Timeout(timeout). + Body(&opts). + Do(ctx). + Error() +} + +// Patch applies the patch and returns the patched oIDCClient. +func (c *oIDCClients) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.OIDCClient, err error) { + result = &v1alpha1.OIDCClient{} + err = c.client.Patch(pt). + Namespace(c.ns). + Resource("oidcclients"). + Name(name). + SubResource(subresources...). + VersionedParams(&opts, scheme.ParameterCodec). + Body(data). + Do(ctx). + Into(result) + return +} diff --git a/generated/1.18/client/supervisor/informers/externalversions/factory.go b/generated/1.18/client/supervisor/informers/externalversions/factory.go index 997de893..158fded5 100644 --- a/generated/1.18/client/supervisor/informers/externalversions/factory.go +++ b/generated/1.18/client/supervisor/informers/externalversions/factory.go @@ -14,6 +14,7 @@ import ( config "go.pinniped.dev/generated/1.18/client/supervisor/informers/externalversions/config" idp "go.pinniped.dev/generated/1.18/client/supervisor/informers/externalversions/idp" internalinterfaces "go.pinniped.dev/generated/1.18/client/supervisor/informers/externalversions/internalinterfaces" + oauth "go.pinniped.dev/generated/1.18/client/supervisor/informers/externalversions/oauth" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" runtime "k8s.io/apimachinery/pkg/runtime" schema "k8s.io/apimachinery/pkg/runtime/schema" 
@@ -162,6 +163,7 @@ type SharedInformerFactory interface { Config() config.Interface IDP() idp.Interface + Oauth() oauth.Interface } func (f *sharedInformerFactory) Config() config.Interface { @@ -171,3 +173,7 @@ func (f *sharedInformerFactory) Config() config.Interface { func (f *sharedInformerFactory) IDP() idp.Interface { return idp.New(f, f.namespace, f.tweakListOptions) } + +func (f *sharedInformerFactory) Oauth() oauth.Interface { + return oauth.New(f, f.namespace, f.tweakListOptions) +} diff --git a/generated/1.18/client/supervisor/informers/externalversions/generic.go b/generated/1.18/client/supervisor/informers/externalversions/generic.go index 665f95b9..43579b43 100644 --- a/generated/1.18/client/supervisor/informers/externalversions/generic.go +++ b/generated/1.18/client/supervisor/informers/externalversions/generic.go @@ -10,6 +10,7 @@ import ( v1alpha1 "go.pinniped.dev/generated/1.18/apis/supervisor/config/v1alpha1" idpv1alpha1 "go.pinniped.dev/generated/1.18/apis/supervisor/idp/v1alpha1" + oauthv1alpha1 "go.pinniped.dev/generated/1.18/apis/supervisor/oauth/v1alpha1" schema "k8s.io/apimachinery/pkg/runtime/schema" cache "k8s.io/client-go/tools/cache" ) @@ -52,6 +53,10 @@ func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource case idpv1alpha1.SchemeGroupVersion.WithResource("oidcidentityproviders"): return &genericInformer{resource: resource.GroupResource(), informer: f.IDP().V1alpha1().OIDCIdentityProviders().Informer()}, nil + // Group=oauth.supervisor.pinniped.dev, Version=v1alpha1 + case oauthv1alpha1.SchemeGroupVersion.WithResource("oidcclients"): + return &genericInformer{resource: resource.GroupResource(), informer: f.Oauth().V1alpha1().OIDCClients().Informer()}, nil + } return nil, fmt.Errorf("no informer found for %v", resource) 
diff --git a/generated/1.18/client/supervisor/informers/externalversions/oauth/interface.go b/generated/1.18/client/supervisor/informers/externalversions/oauth/interface.go new file mode 100644 index 00000000..7a2b6531 --- /dev/null +++ b/generated/1.18/client/supervisor/informers/externalversions/oauth/interface.go @@ -0,0 +1,33 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by informer-gen. DO NOT EDIT. + +package oauth + +import ( + internalinterfaces "go.pinniped.dev/generated/1.18/client/supervisor/informers/externalversions/internalinterfaces" + v1alpha1 "go.pinniped.dev/generated/1.18/client/supervisor/informers/externalversions/oauth/v1alpha1" +) + +// Interface provides access to each of this group's versions. +type Interface interface { + // V1alpha1 provides access to shared informers for resources in V1alpha1. + V1alpha1() v1alpha1.Interface +} + +type group struct { + factory internalinterfaces.SharedInformerFactory + namespace string + tweakListOptions internalinterfaces.TweakListOptionsFunc +} + +// New returns a new Interface. +func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakListOptions internalinterfaces.TweakListOptionsFunc) Interface { + return &group{factory: f, namespace: namespace, tweakListOptions: tweakListOptions} +} + +// V1alpha1 returns a new v1alpha1.Interface. +func (g *group) V1alpha1() v1alpha1.Interface { + return v1alpha1.New(g.factory, g.namespace, g.tweakListOptions) +} diff --git a/generated/1.18/client/supervisor/informers/externalversions/oauth/v1alpha1/interface.go b/generated/1.18/client/supervisor/informers/externalversions/oauth/v1alpha1/interface.go new file mode 100644 index 00000000..86b4efd0 --- /dev/null +++ b/generated/1.18/client/supervisor/informers/externalversions/oauth/v1alpha1/interface.go 
@@ -0,0 +1,32 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by informer-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + internalinterfaces "go.pinniped.dev/generated/1.18/client/supervisor/informers/externalversions/internalinterfaces" +) + +// Interface provides access to all the informers in this group version. +type Interface interface { + // OIDCClients returns a OIDCClientInformer. + OIDCClients() OIDCClientInformer +} + +type version struct { + factory internalinterfaces.SharedInformerFactory + namespace string + tweakListOptions internalinterfaces.TweakListOptionsFunc +} + +// New returns a new Interface. +func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakListOptions internalinterfaces.TweakListOptionsFunc) Interface { + return &version{factory: f, namespace: namespace, tweakListOptions: tweakListOptions} +} + +// OIDCClients returns a OIDCClientInformer. +func (v *version) OIDCClients() OIDCClientInformer { + return &oIDCClientInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions} +} diff --git a/generated/1.18/client/supervisor/informers/externalversions/oauth/v1alpha1/oidcclient.go b/generated/1.18/client/supervisor/informers/externalversions/oauth/v1alpha1/oidcclient.go new file mode 100644 index 00000000..c5869b86 --- /dev/null +++ b/generated/1.18/client/supervisor/informers/externalversions/oauth/v1alpha1/oidcclient.go 
@@ -0,0 +1,77 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by informer-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + "context" + time "time" + + oauthv1alpha1 "go.pinniped.dev/generated/1.18/apis/supervisor/oauth/v1alpha1" + versioned "go.pinniped.dev/generated/1.18/client/supervisor/clientset/versioned" + internalinterfaces "go.pinniped.dev/generated/1.18/client/supervisor/informers/externalversions/internalinterfaces" + v1alpha1 "go.pinniped.dev/generated/1.18/client/supervisor/listers/oauth/v1alpha1" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + runtime "k8s.io/apimachinery/pkg/runtime" + watch "k8s.io/apimachinery/pkg/watch" + cache "k8s.io/client-go/tools/cache" +) + +// OIDCClientInformer provides access to a shared informer and lister for +// OIDCClients. +type OIDCClientInformer interface { + Informer() cache.SharedIndexInformer + Lister() v1alpha1.OIDCClientLister +} + +type oIDCClientInformer struct { + factory internalinterfaces.SharedInformerFactory + tweakListOptions internalinterfaces.TweakListOptionsFunc + namespace string +} + +// NewOIDCClientInformer constructs a new informer for OIDCClient type. +// Always prefer using an informer factory to get a shared informer instead of getting an independent +// one. This reduces memory footprint and number of connections to the server. +func NewOIDCClientInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer { + return NewFilteredOIDCClientInformer(client, namespace, resyncPeriod, indexers, nil) +} + +// NewFilteredOIDCClientInformer constructs a new informer for OIDCClient type. +// Always prefer using an informer factory to get a shared informer instead of getting an independent +// one. This reduces memory footprint and number of connections to the server. 
+func NewFilteredOIDCClientInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer { + return cache.NewSharedIndexInformer( + &cache.ListWatch{ + ListFunc: func(options v1.ListOptions) (runtime.Object, error) { + if tweakListOptions != nil { + tweakListOptions(&options) + } + return client.OauthV1alpha1().OIDCClients(namespace).List(context.TODO(), options) + }, + WatchFunc: func(options v1.ListOptions) (watch.Interface, error) { + if tweakListOptions != nil { + tweakListOptions(&options) + } + return client.OauthV1alpha1().OIDCClients(namespace).Watch(context.TODO(), options) + }, + }, + &oauthv1alpha1.OIDCClient{}, + resyncPeriod, + indexers, + ) +} + +func (f *oIDCClientInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer { + return NewFilteredOIDCClientInformer(client, f.namespace, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions) +} + +func (f *oIDCClientInformer) Informer() cache.SharedIndexInformer { + return f.factory.InformerFor(&oauthv1alpha1.OIDCClient{}, f.defaultInformer) +} + +func (f *oIDCClientInformer) Lister() v1alpha1.OIDCClientLister { + return v1alpha1.NewOIDCClientLister(f.Informer().GetIndexer()) +} diff --git a/generated/1.18/client/supervisor/listers/oauth/v1alpha1/expansion_generated.go b/generated/1.18/client/supervisor/listers/oauth/v1alpha1/expansion_generated.go new file mode 100644 index 00000000..c19310da --- /dev/null +++ b/generated/1.18/client/supervisor/listers/oauth/v1alpha1/expansion_generated.go 
@@ -0,0 +1,14 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by lister-gen. DO NOT EDIT. + +package v1alpha1 + +// OIDCClientListerExpansion allows custom methods to be added to +// OIDCClientLister. +type OIDCClientListerExpansion interface{} + +// OIDCClientNamespaceListerExpansion allows custom methods to be added to +// OIDCClientNamespaceLister. +type OIDCClientNamespaceListerExpansion interface{} diff --git a/generated/1.18/client/supervisor/listers/oauth/v1alpha1/oidcclient.go b/generated/1.18/client/supervisor/listers/oauth/v1alpha1/oidcclient.go new file mode 100644 index 00000000..77d38f1e --- /dev/null +++ b/generated/1.18/client/supervisor/listers/oauth/v1alpha1/oidcclient.go 
@@ -0,0 +1,81 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by lister-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + v1alpha1 "go.pinniped.dev/generated/1.18/apis/supervisor/oauth/v1alpha1" + "k8s.io/apimachinery/pkg/api/errors" + "k8s.io/apimachinery/pkg/labels" + "k8s.io/client-go/tools/cache" +) + +// OIDCClientLister helps list OIDCClients. +type OIDCClientLister interface { + // List lists all OIDCClients in the indexer. + List(selector labels.Selector) (ret []*v1alpha1.OIDCClient, err error) + // OIDCClients returns an object that can list and get OIDCClients. + OIDCClients(namespace string) OIDCClientNamespaceLister + OIDCClientListerExpansion +} + +// oIDCClientLister implements the OIDCClientLister interface. +type oIDCClientLister struct { + indexer cache.Indexer +} + +// NewOIDCClientLister returns a new OIDCClientLister. +func NewOIDCClientLister(indexer cache.Indexer) OIDCClientLister { + return &oIDCClientLister{indexer: indexer} +} + +// List lists all OIDCClients in the indexer. +func (s *oIDCClientLister) List(selector labels.Selector) (ret []*v1alpha1.OIDCClient, err error) { + err = cache.ListAll(s.indexer, selector, func(m interface{}) { + ret = append(ret, m.(*v1alpha1.OIDCClient)) + }) + return ret, err +} + +// OIDCClients returns an object that can list and get OIDCClients. +func (s *oIDCClientLister) OIDCClients(namespace string) OIDCClientNamespaceLister { + return oIDCClientNamespaceLister{indexer: s.indexer, namespace: namespace} +} + +// OIDCClientNamespaceLister helps list and get OIDCClients. +type OIDCClientNamespaceLister interface { + // List lists all OIDCClients in the indexer for a given namespace. + List(selector labels.Selector) (ret []*v1alpha1.OIDCClient, err error) + // Get retrieves the OIDCClient from the indexer for a given namespace and name. 
+ Get(name string) (*v1alpha1.OIDCClient, error) + OIDCClientNamespaceListerExpansion +} + +// oIDCClientNamespaceLister implements the OIDCClientNamespaceLister +// interface. +type oIDCClientNamespaceLister struct { + indexer cache.Indexer + namespace string +} + +// List lists all OIDCClients in the indexer for a given namespace. +func (s oIDCClientNamespaceLister) List(selector labels.Selector) (ret []*v1alpha1.OIDCClient, err error) { + err = cache.ListAllByNamespace(s.indexer, s.namespace, selector, func(m interface{}) { + ret = append(ret, m.(*v1alpha1.OIDCClient)) + }) + return ret, err +} + +// Get retrieves the OIDCClient from the indexer for a given namespace and name. +func (s oIDCClientNamespaceLister) Get(name string) (*v1alpha1.OIDCClient, error) { + obj, exists, err := s.indexer.GetByKey(s.namespace + "/" + name) + if err != nil { + return nil, err + } + if !exists { + return nil, errors.NewNotFound(v1alpha1.Resource("oidcclient"), name) + } + return obj.(*v1alpha1.OIDCClient), nil +} diff --git a/generated/1.18/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml b/generated/1.18/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml new file mode 100644 index 00000000..0b4ee157 --- /dev/null +++ b/generated/1.18/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml 
@@ -0,0 +1,121 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.8.0 + creationTimestamp: null + name: oidcclients.oauth.supervisor.pinniped.dev +spec: + group: oauth.supervisor.pinniped.dev + names: + categories: + - pinniped + kind: OIDCClient + listKind: OIDCClientList + plural: oidcclients + singular: oidcclient + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: '{range .spec.allowedScopes[?(@ == "pinniped:request-audience")]}{true}{end}{false}' + name: Privileged + type: boolean + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: OIDCClient describes the configuration of an OIDC client. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec of the OIDC provider. + properties: + allowedGrantTypes: + description: "allowedGrantTypes is a list of the allowed grant_type + param values that should be accepted during OIDC flows with this + client. \n Must only contain the following values: - authorization_code: + allows the client to perform the authorization code grant flow, + i.e. allows the webapp to authenticate users. This grant must always + be listed. 
- refresh_token: allows the client to perform refresh + grants for the user to extend the user's session. This grant must + be listed if allowedScopes lists offline_access. - urn:ietf:params:oauth:grant-type:token-exchange: + allows the client to perform RFC8693 token exchange, which is a + step in the process to be able to get a cluster credential for the + user. This grant must be listed if allowedScopes lists pinniped:request-audience." + items: + type: string + minItems: 1 + type: array + uniqueItems: true + allowedRedirectURIs: + description: allowedRedirectURIs is a list of the allowed redirect_uri + param values that should be accepted during OIDC flows with this + client. Any other uris will be rejected. Must be https, unless it + is a loopback. + items: + type: string + minItems: 1 + type: array + uniqueItems: true + allowedScopes: + description: "allowedScopes is a list of the allowed scopes param + values that should be accepted during OIDC flows with this client. + \n Must only contain the following values: - openid: The client + is allowed to request ID tokens. ID tokens only include the required + claims by default (iss, sub, aud, exp, iat). This scope must always + be listed. - offline_access: The client is allowed to request an + initial refresh token during the authorization code grant flow. + This scope must be listed if allowedGrantTypes lists refresh_token. + - pinniped:request-audience: The client is allowed to request a + new audience value during a RFC8693 token exchange, which is a step + in the process to be able to get a cluster credential for the user. + openid, username and groups scopes must be listed when this scope + is present. This scope must be listed if allowedGrantTypes lists + urn:ietf:params:oauth:grant-type:token-exchange. - username: The + client is allowed to request that ID tokens contain the user's username. + Without the username scope being requested and allowed, the ID token + will not contain the user's username. 
- groups: The client is allowed + to request that ID tokens contain the user's group membership, if + their group membership is discoverable by the Supervisor. Without + the groups scope being requested and allowed, the ID token will + not contain groups." + items: + type: string + minItems: 1 + type: array + uniqueItems: true + required: + - allowedGrantTypes + - allowedRedirectURIs + - allowedScopes + type: object + status: + description: Status of the OIDC provider. + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/generated/1.19/README.adoc b/generated/1.19/README.adoc index 197ed326..a8dd26ee 100644 --- a/generated/1.19/README.adoc +++ b/generated/1.19/README.adoc @@ -12,6 +12,7 @@ - xref:{anchor_prefix}-identity-concierge-pinniped-dev-v1alpha1[$$identity.concierge.pinniped.dev/v1alpha1$$] - xref:{anchor_prefix}-idp-supervisor-pinniped-dev-v1alpha1[$$idp.supervisor.pinniped.dev/v1alpha1$$] - xref:{anchor_prefix}-login-concierge-pinniped-dev-v1alpha1[$$login.concierge.pinniped.dev/v1alpha1$$] +- xref:{anchor_prefix}-oauth-supervisor-pinniped-dev-v1alpha1[$$oauth.supervisor.pinniped.dev/v1alpha1$$] [id="{anchor_prefix}-authentication-concierge-pinniped-dev-v1alpha1"] 
@@ -1332,3 +1333,56 @@ TokenCredentialRequestStatus is the status of a TokenCredentialRequest, returned |=== + +[id="{anchor_prefix}-oauth-supervisor-pinniped-dev-v1alpha1"] +=== oauth.supervisor.pinniped.dev/v1alpha1 + +Package v1alpha1 is the v1alpha1 version of the Pinniped supervisor oauth API. + + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-oauth-v1alpha1-oidcclient"] +==== OIDCClient + +OIDCClient describes the configuration of an OIDC client. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-oauth-v1alpha1-oidcclientlist[$$OIDCClientList$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`. + +| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-oauth-v1alpha1-oidcclientspec[$$OIDCClientSpec$$]__ | Spec of the OIDC provider. +| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-oauth-v1alpha1-oidcclientstatus[$$OIDCClientStatus$$]__ | Status of the OIDC provider. +|=== + + + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-oauth-v1alpha1-oidcclientspec"] +==== OIDCClientSpec + +OIDCClientSpec is a struct that describes an OIDC Client. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-oauth-v1alpha1-oidcclient[$$OIDCClient$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`allowedRedirectURIs`* __string array__ | allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this client. Any other uris will be rejected. Must be https, unless it is a loopback. 
+| *`allowedGrantTypes`* __string array__ | allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this client. + Must only contain the following values: - authorization_code: allows the client to perform the authorization code grant flow, i.e. allows the webapp to authenticate users. This grant must always be listed. - refresh_token: allows the client to perform refresh grants for the user to extend the user's session. This grant must be listed if allowedScopes lists offline_access. - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. This grant must be listed if allowedScopes lists pinniped:request-audience. +| *`allowedScopes`* __string array__ | allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. + Must only contain the following values: - openid: The client is allowed to request ID tokens. ID tokens only include the required claims by default (iss, sub, aud, exp, iat). This scope must always be listed. - offline_access: The client is allowed to request an initial refresh token during the authorization code grant flow. This scope must be listed if allowedGrantTypes lists refresh_token. - pinniped:request-audience: The client is allowed to request a new audience value during a RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. openid, username and groups scopes must be listed when this scope is present. This scope must be listed if allowedGrantTypes lists urn:ietf:params:oauth:grant-type:token-exchange. - username: The client is allowed to request that ID tokens contain the user's username. Without the username scope being requested and allowed, the ID token will not contain the user's username. 
- groups: The client is allowed to request that ID tokens contain the user's group membership, if their group membership is discoverable by the Supervisor. Without the groups scope being requested and allowed, the ID token will not contain groups. +|=== + + + + diff --git a/generated/1.19/apis/supervisor/oauth/v1alpha1/doc.go b/generated/1.19/apis/supervisor/oauth/v1alpha1/doc.go new file mode 100644 index 00000000..75580481 --- /dev/null +++ b/generated/1.19/apis/supervisor/oauth/v1alpha1/doc.go @@ -0,0 +1,10 @@ +// Copyright 2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// +k8s:openapi-gen=true +// +k8s:deepcopy-gen=package +// +k8s:defaulter-gen=TypeMeta +// +groupName=oauth.supervisor.pinniped.dev + +// Package v1alpha1 is the v1alpha1 version of the Pinniped supervisor oauth API. +package v1alpha1 diff --git a/generated/1.19/apis/supervisor/oauth/v1alpha1/register.go b/generated/1.19/apis/supervisor/oauth/v1alpha1/register.go new file mode 100644 index 00000000..37ae1fbf --- /dev/null +++ b/generated/1.19/apis/supervisor/oauth/v1alpha1/register.go 
@@ -0,0 +1,43 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import (
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/apimachinery/pkg/runtime"
+ "k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+const GroupName = "oauth.supervisor.pinniped.dev"
+
+// SchemeGroupVersion is group version used to register these objects.
+var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha1"}
+
+var (
+ SchemeBuilder runtime.SchemeBuilder
+ localSchemeBuilder = &SchemeBuilder
+ AddToScheme = localSchemeBuilder.AddToScheme
+)
+
+func init() {
+ // We only register manually written functions here. The registration of the
+ // generated functions takes place in the generated files. The separation
+ // makes the code compile even when the generated files are missing.
+ localSchemeBuilder.Register(addKnownTypes)
+}
+
+// Adds the list of known types to the given scheme.
+func addKnownTypes(scheme *runtime.Scheme) error {
+ scheme.AddKnownTypes(SchemeGroupVersion,
+ &OIDCClient{},
+ &OIDCClientList{},
+ )
+ metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
+ return nil
+}
+
+// Resource takes an unqualified resource and returns a Group qualified GroupResource.
+func Resource(resource string) schema.GroupResource {
+ return SchemeGroupVersion.WithResource(resource).GroupResource()
+}
diff --git a/generated/1.19/apis/supervisor/oauth/v1alpha1/types_oidcclient.go b/generated/1.19/apis/supervisor/oauth/v1alpha1/types_oidcclient.go
new file mode 100644
index 00000000..ee125443
--- /dev/null
+++ b/generated/1.19/apis/supervisor/oauth/v1alpha1/types_oidcclient.go
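Review bot: The exported `GroupName`, `SchemeBuilder` and `AddToScheme` carry no doc comments, and the comment on addKnownTypes (`// Adds the list of known types to the given scheme.`) does not start with the function name as Go doc convention requires; `// addKnownTypes adds the list of known types to the given scheme.` and `// GroupName is the API group served by this package.` would satisfy golint-style checks. This file appears to be produced from apis/supervisor/oauth/v1alpha1/register.go.tmpl (listed in the diffstat), so the wording change belongs in the template rather than here.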
@@ -0,0 +1,84 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import (
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// OIDCClientSpec is a struct that describes an OIDC Client.
+type OIDCClientSpec struct {
+ // allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this
+ // client. Any other uris will be rejected.
+ // Must be https, unless it is a loopback.
+ // +kubebuilder:validation:UniqueItems=true
+ // +kubebuilder:validation:MinItems=1
+ AllowedRedirectURIs []string `json:"allowedRedirectURIs"`
+
+ // allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this
+ // client.
+ //
+ // Must only contain the following values:
+ // - authorization_code: allows the client to perform the authorization code grant flow, i.e. allows the webapp to
+ // authenticate users. This grant must always be listed.
+ // - refresh_token: allows the client to perform refresh grants for the user to extend the user's session.
+ // This grant must be listed if allowedScopes lists offline_access.
+ // - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange,
+ // which is a step in the process to be able to get a cluster credential for the user.
+ // This grant must be listed if allowedScopes lists pinniped:request-audience.
+ // +kubebuilder:validation:UniqueItems=true
+ // +kubebuilder:validation:MinItems=1
+ AllowedGrantTypes []string `json:"allowedGrantTypes"`
+
+ // allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client.
+ //
+ // Must only contain the following values:
+ // - openid: The client is allowed to request ID tokens. ID tokens only include the required claims by default (iss, sub, aud, exp, iat).
+ // This scope must always be listed.
+ // - offline_access: The client is allowed to request an initial refresh token during the authorization code grant flow.
+ // This scope must be listed if allowedGrantTypes lists refresh_token.
+ // - pinniped:request-audience: The client is allowed to request a new audience value during a RFC8693 token exchange,
+ // which is a step in the process to be able to get a cluster credential for the user.
+ // openid, username and groups scopes must be listed when this scope is present.
+ // This scope must be listed if allowedGrantTypes lists urn:ietf:params:oauth:grant-type:token-exchange.
+ // - username: The client is allowed to request that ID tokens contain the user's username.
+ // Without the username scope being requested and allowed, the ID token will not contain the user's username.
+ // - groups: The client is allowed to request that ID tokens contain the user's group membership,
+ // if their group membership is discoverable by the Supervisor.
+ // Without the groups scope being requested and allowed, the ID token will not contain groups.
+ // +kubebuilder:validation:UniqueItems=true
+ // +kubebuilder:validation:MinItems=1
+ AllowedScopes []string `json:"allowedScopes"`
+}
+
+// OIDCClientStatus is a struct that describes the actual state of an OIDC Client.
+type OIDCClientStatus struct {
+}
+
+// OIDCClient describes the configuration of an OIDC client.
+// +genclient
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+// +kubebuilder:resource:categories=pinniped
+// +kubebuilder:printcolumn:name="Privileged",type=boolean,JSONPath=`{range .spec.allowedScopes[?(@ == "pinniped:request-audience")]}{true}{end}{false}`
+// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
+// +kubebuilder:subresource:status
+type OIDCClient struct {
+ metav1.TypeMeta `json:",inline"`
+ metav1.ObjectMeta `json:"metadata,omitempty"`
+
+ // Spec of the OIDC provider.
+ Spec OIDCClientSpec `json:"spec"`
+
+ // Status of the OIDC provider.
+ Status OIDCClientStatus `json:"status,omitempty"`
+}
+
+// List of OIDCClient objects.
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+type OIDCClientList struct {
+ metav1.TypeMeta `json:",inline"`
+ metav1.ListMeta `json:"metadata,omitempty"`
+
+ Items []OIDCClient `json:"items"`
+}
diff --git a/generated/1.19/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go b/generated/1.19/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go
new file mode 100644
index 00000000..cb35cea5
--- /dev/null
+++ b/generated/1.19/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go
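Review bot: The `// +kubebuilder:validation:UniqueItems=true` markers on AllowedRedirectURIs, AllowedGrantTypes and AllowedScopes become `uniqueItems: true` in the generated CRD (visible in the 1.18 CRD hunk above), and as far as I know the apiextensions.k8s.io/v1 validator forbids `uniqueItems: true` on any schema because the runtime check is quadratic, so the CRD is likely to be rejected on apply; `// +listType=set` expresses the same set semantics in a form the API server accepts, and this should be confirmed by installing the CRD on a cluster. The field comments also promise constraints the schema does not enforce — grant types and scopes "must only contain" the listed values and redirect URIs "must be https, unless it is a loopback" — yet the items are untyped strings with no Enum or Pattern, so the API server will store any value and every listed rule has to be re-implemented at runtime in the Supervisor; either add a `+kubebuilder:validation:Enum` marker listing the permitted grant types and scopes (and consider a pattern for the redirect URIs), or say in the comment where those values are validated, since an unchecked redirect_uri is the classic authorization-code interception risk for an OAuth client. Finally, `// Spec of the OIDC provider.` and `// Status of the OIDC provider.` describe the wrong resource and propagate into the CRD description and README; they should read `// Spec of the OIDC client.` and `// Status of the OIDC client.`. All of these belong in apis/supervisor/oauth/v1alpha1/types_oidcclient.go.tmpl, from which this file appears to be generated.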
@@ -0,0 +1,121 @@ +//go:build !ignore_autogenerated +// +build !ignore_autogenerated + +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by deepcopy-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + runtime "k8s.io/apimachinery/pkg/runtime" +) + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCClient) DeepCopyInto(out *OIDCClient) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + in.Spec.DeepCopyInto(&out.Spec) + out.Status = in.Status + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClient. +func (in *OIDCClient) DeepCopy() *OIDCClient { + if in == nil { + return nil + } + out := new(OIDCClient) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *OIDCClient) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCClientList) DeepCopyInto(out *OIDCClientList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]OIDCClient, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientList. +func (in *OIDCClientList) DeepCopy() *OIDCClientList { + if in == nil { + return nil + } + out := new(OIDCClientList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. 
+func (in *OIDCClientList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCClientSpec) DeepCopyInto(out *OIDCClientSpec) { + *out = *in + if in.AllowedRedirectURIs != nil { + in, out := &in.AllowedRedirectURIs, &out.AllowedRedirectURIs + *out = make([]string, len(*in)) + copy(*out, *in) + } + if in.AllowedGrantTypes != nil { + in, out := &in.AllowedGrantTypes, &out.AllowedGrantTypes + *out = make([]string, len(*in)) + copy(*out, *in) + } + if in.AllowedScopes != nil { + in, out := &in.AllowedScopes, &out.AllowedScopes + *out = make([]string, len(*in)) + copy(*out, *in) + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSpec. +func (in *OIDCClientSpec) DeepCopy() *OIDCClientSpec { + if in == nil { + return nil + } + out := new(OIDCClientSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCClientStatus) DeepCopyInto(out *OIDCClientStatus) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientStatus. +func (in *OIDCClientStatus) DeepCopy() *OIDCClientStatus { + if in == nil { + return nil + } + out := new(OIDCClientStatus) + in.DeepCopyInto(out) + return out +} diff --git a/generated/1.19/client/supervisor/clientset/versioned/clientset.go b/generated/1.19/client/supervisor/clientset/versioned/clientset.go index a5d5b43c..09f209c0 100644 --- a/generated/1.19/client/supervisor/clientset/versioned/clientset.go +++ b/generated/1.19/client/supervisor/clientset/versioned/clientset.go 
@@ -10,6 +10,7 @@ import ( configv1alpha1 "go.pinniped.dev/generated/1.19/client/supervisor/clientset/versioned/typed/config/v1alpha1" idpv1alpha1 "go.pinniped.dev/generated/1.19/client/supervisor/clientset/versioned/typed/idp/v1alpha1" + oauthv1alpha1 "go.pinniped.dev/generated/1.19/client/supervisor/clientset/versioned/typed/oauth/v1alpha1" discovery "k8s.io/client-go/discovery" rest "k8s.io/client-go/rest" flowcontrol "k8s.io/client-go/util/flowcontrol" @@ -19,6 +20,7 @@ type Interface interface { Discovery() discovery.DiscoveryInterface ConfigV1alpha1() configv1alpha1.ConfigV1alpha1Interface IDPV1alpha1() idpv1alpha1.IDPV1alpha1Interface + OauthV1alpha1() oauthv1alpha1.OauthV1alpha1Interface } // Clientset contains the clients for groups. Each group has exactly one @@ -27,6 +29,7 @@ type Clientset struct { *discovery.DiscoveryClient configV1alpha1 *configv1alpha1.ConfigV1alpha1Client iDPV1alpha1 *idpv1alpha1.IDPV1alpha1Client + oauthV1alpha1 *oauthv1alpha1.OauthV1alpha1Client } // ConfigV1alpha1 retrieves the ConfigV1alpha1Client @@ -39,6 +42,11 @@ func (c *Clientset) IDPV1alpha1() idpv1alpha1.IDPV1alpha1Interface { return c.iDPV1alpha1 } +// OauthV1alpha1 retrieves the OauthV1alpha1Client +func (c *Clientset) OauthV1alpha1() oauthv1alpha1.OauthV1alpha1Interface { + return c.oauthV1alpha1 +} + // Discovery retrieves the DiscoveryClient func (c *Clientset) Discovery() discovery.DiscoveryInterface { if c == nil { @@ -68,6 +76,10 @@ func NewForConfig(c *rest.Config) (*Clientset, error) { if err != nil { return nil, err } + cs.oauthV1alpha1, err = oauthv1alpha1.NewForConfig(&configShallowCopy) + if err != nil { + return nil, err + } cs.DiscoveryClient, err = discovery.NewDiscoveryClientForConfig(&configShallowCopy) if err != nil { 
@@ -82,6 +94,7 @@ func NewForConfigOrDie(c *rest.Config) *Clientset { var cs Clientset cs.configV1alpha1 = configv1alpha1.NewForConfigOrDie(c) cs.iDPV1alpha1 = idpv1alpha1.NewForConfigOrDie(c) + cs.oauthV1alpha1 = oauthv1alpha1.NewForConfigOrDie(c) cs.DiscoveryClient = discovery.NewDiscoveryClientForConfigOrDie(c) return &cs @@ -92,6 +105,7 @@ func New(c rest.Interface) *Clientset { var cs Clientset cs.configV1alpha1 = configv1alpha1.New(c) cs.iDPV1alpha1 = idpv1alpha1.New(c) + cs.oauthV1alpha1 = oauthv1alpha1.New(c) cs.DiscoveryClient = discovery.NewDiscoveryClient(c) return &cs diff --git a/generated/1.19/client/supervisor/clientset/versioned/fake/clientset_generated.go b/generated/1.19/client/supervisor/clientset/versioned/fake/clientset_generated.go index 6fbd1410..cc7334de 100644 --- a/generated/1.19/client/supervisor/clientset/versioned/fake/clientset_generated.go +++ b/generated/1.19/client/supervisor/clientset/versioned/fake/clientset_generated.go @@ -11,6 +11,8 @@ import ( fakeconfigv1alpha1 "go.pinniped.dev/generated/1.19/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake" idpv1alpha1 "go.pinniped.dev/generated/1.19/client/supervisor/clientset/versioned/typed/idp/v1alpha1" fakeidpv1alpha1 "go.pinniped.dev/generated/1.19/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake" + oauthv1alpha1 "go.pinniped.dev/generated/1.19/client/supervisor/clientset/versioned/typed/oauth/v1alpha1" + fakeoauthv1alpha1 "go.pinniped.dev/generated/1.19/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake" "k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/watch" "k8s.io/client-go/discovery" 
@@ -74,3 +76,8 @@ func (c *Clientset) ConfigV1alpha1() configv1alpha1.ConfigV1alpha1Interface { func (c *Clientset) IDPV1alpha1() idpv1alpha1.IDPV1alpha1Interface { return &fakeidpv1alpha1.FakeIDPV1alpha1{Fake: &c.Fake} } + +// OauthV1alpha1 retrieves the OauthV1alpha1Client +func (c *Clientset) OauthV1alpha1() oauthv1alpha1.OauthV1alpha1Interface { + return &fakeoauthv1alpha1.FakeOauthV1alpha1{Fake: &c.Fake} +} diff --git a/generated/1.19/client/supervisor/clientset/versioned/fake/register.go b/generated/1.19/client/supervisor/clientset/versioned/fake/register.go index 93a34271..31bd0f0b 100644 --- a/generated/1.19/client/supervisor/clientset/versioned/fake/register.go +++ b/generated/1.19/client/supervisor/clientset/versioned/fake/register.go @@ -8,6 +8,7 @@ package fake import ( configv1alpha1 "go.pinniped.dev/generated/1.19/apis/supervisor/config/v1alpha1" idpv1alpha1 "go.pinniped.dev/generated/1.19/apis/supervisor/idp/v1alpha1" + oauthv1alpha1 "go.pinniped.dev/generated/1.19/apis/supervisor/oauth/v1alpha1" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" runtime "k8s.io/apimachinery/pkg/runtime" schema "k8s.io/apimachinery/pkg/runtime/schema" @@ -21,6 +22,7 @@ var codecs = serializer.NewCodecFactory(scheme) var localSchemeBuilder = runtime.SchemeBuilder{ configv1alpha1.AddToScheme, idpv1alpha1.AddToScheme, + oauthv1alpha1.AddToScheme, } // AddToScheme adds all types of this clientset into the given scheme. This allows composition diff --git a/generated/1.19/client/supervisor/clientset/versioned/scheme/register.go b/generated/1.19/client/supervisor/clientset/versioned/scheme/register.go index 0f2ac77b..bd2ef62e 100644 --- a/generated/1.19/client/supervisor/clientset/versioned/scheme/register.go +++ b/generated/1.19/client/supervisor/clientset/versioned/scheme/register.go 
@@ -8,6 +8,7 @@ package scheme import ( configv1alpha1 "go.pinniped.dev/generated/1.19/apis/supervisor/config/v1alpha1" idpv1alpha1 "go.pinniped.dev/generated/1.19/apis/supervisor/idp/v1alpha1" + oauthv1alpha1 "go.pinniped.dev/generated/1.19/apis/supervisor/oauth/v1alpha1" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" runtime "k8s.io/apimachinery/pkg/runtime" schema "k8s.io/apimachinery/pkg/runtime/schema" @@ -21,6 +22,7 @@ var ParameterCodec = runtime.NewParameterCodec(Scheme) var localSchemeBuilder = runtime.SchemeBuilder{ configv1alpha1.AddToScheme, idpv1alpha1.AddToScheme, + oauthv1alpha1.AddToScheme, } // AddToScheme adds all types of this clientset into the given scheme. This allows composition diff --git a/generated/1.19/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/doc.go b/generated/1.19/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/doc.go new file mode 100644 index 00000000..e7a470b6 --- /dev/null +++ b/generated/1.19/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/doc.go @@ -0,0 +1,7 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +// This package has the automatically generated typed clients. +package v1alpha1 diff --git a/generated/1.19/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go b/generated/1.19/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go new file mode 100644 index 00000000..7906901b --- /dev/null +++ b/generated/1.19/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go @@ -0,0 +1,7 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +// Package fake has the automatically generated clients. +package fake 
diff --git a/generated/1.19/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go b/generated/1.19/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go new file mode 100644 index 00000000..9430b71b --- /dev/null +++ b/generated/1.19/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go @@ -0,0 +1,27 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package fake + +import ( + v1alpha1 "go.pinniped.dev/generated/1.19/client/supervisor/clientset/versioned/typed/oauth/v1alpha1" + rest "k8s.io/client-go/rest" + testing "k8s.io/client-go/testing" +) + +type FakeOauthV1alpha1 struct { + *testing.Fake +} + +func (c *FakeOauthV1alpha1) OIDCClients(namespace string) v1alpha1.OIDCClientInterface { + return &FakeOIDCClients{c, namespace} +} + +// RESTClient returns a RESTClient that is used to communicate +// with API server by this client implementation. +func (c *FakeOauthV1alpha1) RESTClient() rest.Interface { + var ret *rest.RESTClient + return ret +} diff --git a/generated/1.19/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oidcclient.go b/generated/1.19/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oidcclient.go new file mode 100644 index 00000000..078ab176 --- /dev/null +++ b/generated/1.19/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oidcclient.go 
@@ -0,0 +1,129 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package fake + +import ( + "context" + + v1alpha1 "go.pinniped.dev/generated/1.19/apis/supervisor/oauth/v1alpha1" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + labels "k8s.io/apimachinery/pkg/labels" + schema "k8s.io/apimachinery/pkg/runtime/schema" + types "k8s.io/apimachinery/pkg/types" + watch "k8s.io/apimachinery/pkg/watch" + testing "k8s.io/client-go/testing" +) + +// FakeOIDCClients implements OIDCClientInterface +type FakeOIDCClients struct { + Fake *FakeOauthV1alpha1 + ns string +} + +var oidcclientsResource = schema.GroupVersionResource{Group: "oauth.supervisor.pinniped.dev", Version: "v1alpha1", Resource: "oidcclients"} + +var oidcclientsKind = schema.GroupVersionKind{Group: "oauth.supervisor.pinniped.dev", Version: "v1alpha1", Kind: "OIDCClient"} + +// Get takes name of the oIDCClient, and returns the corresponding oIDCClient object, and an error if there is any. +func (c *FakeOIDCClients) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.OIDCClient, err error) { + obj, err := c.Fake. + Invokes(testing.NewGetAction(oidcclientsResource, c.ns, name), &v1alpha1.OIDCClient{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.OIDCClient), err +} + +// List takes label and field selectors, and returns the list of OIDCClients that match those selectors. +func (c *FakeOIDCClients) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.OIDCClientList, err error) { + obj, err := c.Fake. 
+ Invokes(testing.NewListAction(oidcclientsResource, oidcclientsKind, c.ns, opts), &v1alpha1.OIDCClientList{}) + + if obj == nil { + return nil, err + } + + label, _, _ := testing.ExtractFromListOptions(opts) + if label == nil { + label = labels.Everything() + } + list := &v1alpha1.OIDCClientList{ListMeta: obj.(*v1alpha1.OIDCClientList).ListMeta} + for _, item := range obj.(*v1alpha1.OIDCClientList).Items { + if label.Matches(labels.Set(item.Labels)) { + list.Items = append(list.Items, item) + } + } + return list, err +} + +// Watch returns a watch.Interface that watches the requested oIDCClients. +func (c *FakeOIDCClients) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) { + return c.Fake. + InvokesWatch(testing.NewWatchAction(oidcclientsResource, c.ns, opts)) + +} + +// Create takes the representation of a oIDCClient and creates it. Returns the server's representation of the oIDCClient, and an error, if there is any. +func (c *FakeOIDCClients) Create(ctx context.Context, oIDCClient *v1alpha1.OIDCClient, opts v1.CreateOptions) (result *v1alpha1.OIDCClient, err error) { + obj, err := c.Fake. + Invokes(testing.NewCreateAction(oidcclientsResource, c.ns, oIDCClient), &v1alpha1.OIDCClient{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.OIDCClient), err +} + +// Update takes the representation of a oIDCClient and updates it. Returns the server's representation of the oIDCClient, and an error, if there is any. +func (c *FakeOIDCClients) Update(ctx context.Context, oIDCClient *v1alpha1.OIDCClient, opts v1.UpdateOptions) (result *v1alpha1.OIDCClient, err error) { + obj, err := c.Fake. + Invokes(testing.NewUpdateAction(oidcclientsResource, c.ns, oIDCClient), &v1alpha1.OIDCClient{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.OIDCClient), err +} + +// UpdateStatus was generated because the type contains a Status member. +// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus(). 
+func (c *FakeOIDCClients) UpdateStatus(ctx context.Context, oIDCClient *v1alpha1.OIDCClient, opts v1.UpdateOptions) (*v1alpha1.OIDCClient, error) { + obj, err := c.Fake. + Invokes(testing.NewUpdateSubresourceAction(oidcclientsResource, "status", c.ns, oIDCClient), &v1alpha1.OIDCClient{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.OIDCClient), err +} + +// Delete takes name of the oIDCClient and deletes it. Returns an error if one occurs. +func (c *FakeOIDCClients) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error { + _, err := c.Fake. + Invokes(testing.NewDeleteAction(oidcclientsResource, c.ns, name), &v1alpha1.OIDCClient{}) + + return err +} + +// DeleteCollection deletes a collection of objects. +func (c *FakeOIDCClients) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error { + action := testing.NewDeleteCollectionAction(oidcclientsResource, c.ns, listOpts) + + _, err := c.Fake.Invokes(action, &v1alpha1.OIDCClientList{}) + return err +} + +// Patch applies the patch and returns the patched oIDCClient. +func (c *FakeOIDCClients) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.OIDCClient, err error) { + obj, err := c.Fake. + Invokes(testing.NewPatchSubresourceAction(oidcclientsResource, c.ns, name, pt, data, subresources...), &v1alpha1.OIDCClient{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.OIDCClient), err +} diff --git a/generated/1.19/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go b/generated/1.19/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go new file mode 100644 index 00000000..87d22ea9 --- /dev/null +++ b/generated/1.19/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go 
@@ -0,0 +1,8 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package v1alpha1 + +type OIDCClientExpansion interface{} diff --git a/generated/1.19/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go b/generated/1.19/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go new file mode 100644 index 00000000..0e347f19 --- /dev/null +++ b/generated/1.19/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go 
@@ -0,0 +1,76 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + v1alpha1 "go.pinniped.dev/generated/1.19/apis/supervisor/oauth/v1alpha1" + "go.pinniped.dev/generated/1.19/client/supervisor/clientset/versioned/scheme" + rest "k8s.io/client-go/rest" +) + +type OauthV1alpha1Interface interface { + RESTClient() rest.Interface + OIDCClientsGetter +} + +// OauthV1alpha1Client is used to interact with features provided by the oauth.supervisor.pinniped.dev group. +type OauthV1alpha1Client struct { + restClient rest.Interface +} + +func (c *OauthV1alpha1Client) OIDCClients(namespace string) OIDCClientInterface { + return newOIDCClients(c, namespace) +} + +// NewForConfig creates a new OauthV1alpha1Client for the given config. +func NewForConfig(c *rest.Config) (*OauthV1alpha1Client, error) { + config := *c + if err := setConfigDefaults(&config); err != nil { + return nil, err + } + client, err := rest.RESTClientFor(&config) + if err != nil { + return nil, err + } + return &OauthV1alpha1Client{client}, nil +} + +// NewForConfigOrDie creates a new OauthV1alpha1Client for the given config and +// panics if there is an error in the config. +func NewForConfigOrDie(c *rest.Config) *OauthV1alpha1Client { + client, err := NewForConfig(c) + if err != nil { + panic(err) + } + return client +} + +// New creates a new OauthV1alpha1Client for the given RESTClient. 
+func New(c rest.Interface) *OauthV1alpha1Client { + return &OauthV1alpha1Client{c} +} + +func setConfigDefaults(config *rest.Config) error { + gv := v1alpha1.SchemeGroupVersion + config.GroupVersion = &gv + config.APIPath = "/apis" + config.NegotiatedSerializer = scheme.Codecs.WithoutConversion() + + if config.UserAgent == "" { + config.UserAgent = rest.DefaultKubernetesUserAgent() + } + + return nil +} + +// RESTClient returns a RESTClient that is used to communicate +// with API server by this client implementation. +func (c *OauthV1alpha1Client) RESTClient() rest.Interface { + if c == nil { + return nil + } + return c.restClient +} diff --git a/generated/1.19/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oidcclient.go b/generated/1.19/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oidcclient.go new file mode 100644 index 00000000..93cd5805 --- /dev/null +++ b/generated/1.19/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oidcclient.go 
@@ -0,0 +1,182 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + "context" + "time" + + v1alpha1 "go.pinniped.dev/generated/1.19/apis/supervisor/oauth/v1alpha1" + scheme "go.pinniped.dev/generated/1.19/client/supervisor/clientset/versioned/scheme" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + types "k8s.io/apimachinery/pkg/types" + watch "k8s.io/apimachinery/pkg/watch" + rest "k8s.io/client-go/rest" +) + +// OIDCClientsGetter has a method to return a OIDCClientInterface. +// A group's client should implement this interface. +type OIDCClientsGetter interface { + OIDCClients(namespace string) OIDCClientInterface +} + +// OIDCClientInterface has methods to work with OIDCClient resources. +type OIDCClientInterface interface { + Create(ctx context.Context, oIDCClient *v1alpha1.OIDCClient, opts v1.CreateOptions) (*v1alpha1.OIDCClient, error) + Update(ctx context.Context, oIDCClient *v1alpha1.OIDCClient, opts v1.UpdateOptions) (*v1alpha1.OIDCClient, error) + UpdateStatus(ctx context.Context, oIDCClient *v1alpha1.OIDCClient, opts v1.UpdateOptions) (*v1alpha1.OIDCClient, error) + Delete(ctx context.Context, name string, opts v1.DeleteOptions) error + DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error + Get(ctx context.Context, name string, opts v1.GetOptions) (*v1alpha1.OIDCClient, error) + List(ctx context.Context, opts v1.ListOptions) (*v1alpha1.OIDCClientList, error) + Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) + Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.OIDCClient, err error) + OIDCClientExpansion +} + +// oIDCClients implements OIDCClientInterface +type oIDCClients struct { + client rest.Interface + ns string +} + +// newOIDCClients returns a OIDCClients +func 
newOIDCClients(c *OauthV1alpha1Client, namespace string) *oIDCClients { + return &oIDCClients{ + client: c.RESTClient(), + ns: namespace, + } +} + +// Get takes name of the oIDCClient, and returns the corresponding oIDCClient object, and an error if there is any. +func (c *oIDCClients) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.OIDCClient, err error) { + result = &v1alpha1.OIDCClient{} + err = c.client.Get(). + Namespace(c.ns). + Resource("oidcclients"). + Name(name). + VersionedParams(&options, scheme.ParameterCodec). + Do(ctx). + Into(result) + return +} + +// List takes label and field selectors, and returns the list of OIDCClients that match those selectors. +func (c *oIDCClients) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.OIDCClientList, err error) { + var timeout time.Duration + if opts.TimeoutSeconds != nil { + timeout = time.Duration(*opts.TimeoutSeconds) * time.Second + } + result = &v1alpha1.OIDCClientList{} + err = c.client.Get(). + Namespace(c.ns). + Resource("oidcclients"). + VersionedParams(&opts, scheme.ParameterCodec). + Timeout(timeout). + Do(ctx). + Into(result) + return +} + +// Watch returns a watch.Interface that watches the requested oIDCClients. +func (c *oIDCClients) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) { + var timeout time.Duration + if opts.TimeoutSeconds != nil { + timeout = time.Duration(*opts.TimeoutSeconds) * time.Second + } + opts.Watch = true + return c.client.Get(). + Namespace(c.ns). + Resource("oidcclients"). + VersionedParams(&opts, scheme.ParameterCodec). + Timeout(timeout). + Watch(ctx) +} + +// Create takes the representation of a oIDCClient and creates it. Returns the server's representation of the oIDCClient, and an error, if there is any. 
+func (c *oIDCClients) Create(ctx context.Context, oIDCClient *v1alpha1.OIDCClient, opts v1.CreateOptions) (result *v1alpha1.OIDCClient, err error) { + result = &v1alpha1.OIDCClient{} + err = c.client.Post(). + Namespace(c.ns). + Resource("oidcclients"). + VersionedParams(&opts, scheme.ParameterCodec). + Body(oIDCClient). + Do(ctx). + Into(result) + return +} + +// Update takes the representation of a oIDCClient and updates it. Returns the server's representation of the oIDCClient, and an error, if there is any. +func (c *oIDCClients) Update(ctx context.Context, oIDCClient *v1alpha1.OIDCClient, opts v1.UpdateOptions) (result *v1alpha1.OIDCClient, err error) { + result = &v1alpha1.OIDCClient{} + err = c.client.Put(). + Namespace(c.ns). + Resource("oidcclients"). + Name(oIDCClient.Name). + VersionedParams(&opts, scheme.ParameterCodec). + Body(oIDCClient). + Do(ctx). + Into(result) + return +} + +// UpdateStatus was generated because the type contains a Status member. +// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus(). +func (c *oIDCClients) UpdateStatus(ctx context.Context, oIDCClient *v1alpha1.OIDCClient, opts v1.UpdateOptions) (result *v1alpha1.OIDCClient, err error) { + result = &v1alpha1.OIDCClient{} + err = c.client.Put(). + Namespace(c.ns). + Resource("oidcclients"). + Name(oIDCClient.Name). + SubResource("status"). + VersionedParams(&opts, scheme.ParameterCodec). + Body(oIDCClient). + Do(ctx). + Into(result) + return +} + +// Delete takes name of the oIDCClient and deletes it. Returns an error if one occurs. +func (c *oIDCClients) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error { + return c.client.Delete(). + Namespace(c.ns). + Resource("oidcclients"). + Name(name). + Body(&opts). + Do(ctx). + Error() +} + +// DeleteCollection deletes a collection of objects. 
+func (c *oIDCClients) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error { + var timeout time.Duration + if listOpts.TimeoutSeconds != nil { + timeout = time.Duration(*listOpts.TimeoutSeconds) * time.Second + } + return c.client.Delete(). + Namespace(c.ns). + Resource("oidcclients"). + VersionedParams(&listOpts, scheme.ParameterCodec). + Timeout(timeout). + Body(&opts). + Do(ctx). + Error() +} + +// Patch applies the patch and returns the patched oIDCClient. +func (c *oIDCClients) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.OIDCClient, err error) { + result = &v1alpha1.OIDCClient{} + err = c.client.Patch(pt). + Namespace(c.ns). + Resource("oidcclients"). + Name(name). + SubResource(subresources...). + VersionedParams(&opts, scheme.ParameterCodec). + Body(data). + Do(ctx). + Into(result) + return +} diff --git a/generated/1.19/client/supervisor/informers/externalversions/factory.go b/generated/1.19/client/supervisor/informers/externalversions/factory.go index 0ad18aae..90fff5ef 100644 --- a/generated/1.19/client/supervisor/informers/externalversions/factory.go +++ b/generated/1.19/client/supervisor/informers/externalversions/factory.go @@ -14,6 +14,7 @@ import ( config "go.pinniped.dev/generated/1.19/client/supervisor/informers/externalversions/config" idp "go.pinniped.dev/generated/1.19/client/supervisor/informers/externalversions/idp" internalinterfaces "go.pinniped.dev/generated/1.19/client/supervisor/informers/externalversions/internalinterfaces" + oauth "go.pinniped.dev/generated/1.19/client/supervisor/informers/externalversions/oauth" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" runtime "k8s.io/apimachinery/pkg/runtime" schema "k8s.io/apimachinery/pkg/runtime/schema" 
@@ -162,6 +163,7 @@ type SharedInformerFactory interface { Config() config.Interface IDP() idp.Interface + Oauth() oauth.Interface } func (f *sharedInformerFactory) Config() config.Interface { @@ -171,3 +173,7 @@ func (f *sharedInformerFactory) Config() config.Interface { func (f *sharedInformerFactory) IDP() idp.Interface { return idp.New(f, f.namespace, f.tweakListOptions) } + +func (f *sharedInformerFactory) Oauth() oauth.Interface { + return oauth.New(f, f.namespace, f.tweakListOptions) +} diff --git a/generated/1.19/client/supervisor/informers/externalversions/generic.go b/generated/1.19/client/supervisor/informers/externalversions/generic.go index 644f1b12..ffc852ca 100644 --- a/generated/1.19/client/supervisor/informers/externalversions/generic.go +++ b/generated/1.19/client/supervisor/informers/externalversions/generic.go @@ -10,6 +10,7 @@ import ( v1alpha1 "go.pinniped.dev/generated/1.19/apis/supervisor/config/v1alpha1" idpv1alpha1 "go.pinniped.dev/generated/1.19/apis/supervisor/idp/v1alpha1" + oauthv1alpha1 "go.pinniped.dev/generated/1.19/apis/supervisor/oauth/v1alpha1" schema "k8s.io/apimachinery/pkg/runtime/schema" cache "k8s.io/client-go/tools/cache" ) @@ -52,6 +53,10 @@ func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource case idpv1alpha1.SchemeGroupVersion.WithResource("oidcidentityproviders"): return &genericInformer{resource: resource.GroupResource(), informer: f.IDP().V1alpha1().OIDCIdentityProviders().Informer()}, nil + // Group=oauth.supervisor.pinniped.dev, Version=v1alpha1 + case oauthv1alpha1.SchemeGroupVersion.WithResource("oidcclients"): + return &genericInformer{resource: resource.GroupResource(), informer: f.Oauth().V1alpha1().OIDCClients().Informer()}, nil + } return nil, fmt.Errorf("no informer found for %v", resource) 
diff --git a/generated/1.19/client/supervisor/informers/externalversions/oauth/interface.go b/generated/1.19/client/supervisor/informers/externalversions/oauth/interface.go new file mode 100644 index 00000000..2b6d2943 --- /dev/null +++ b/generated/1.19/client/supervisor/informers/externalversions/oauth/interface.go @@ -0,0 +1,33 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by informer-gen. DO NOT EDIT. + +package oauth + +import ( + internalinterfaces "go.pinniped.dev/generated/1.19/client/supervisor/informers/externalversions/internalinterfaces" + v1alpha1 "go.pinniped.dev/generated/1.19/client/supervisor/informers/externalversions/oauth/v1alpha1" +) + +// Interface provides access to each of this group's versions. +type Interface interface { + // V1alpha1 provides access to shared informers for resources in V1alpha1. + V1alpha1() v1alpha1.Interface +} + +type group struct { + factory internalinterfaces.SharedInformerFactory + namespace string + tweakListOptions internalinterfaces.TweakListOptionsFunc +} + +// New returns a new Interface. +func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakListOptions internalinterfaces.TweakListOptionsFunc) Interface { + return &group{factory: f, namespace: namespace, tweakListOptions: tweakListOptions} +} + +// V1alpha1 returns a new v1alpha1.Interface. +func (g *group) V1alpha1() v1alpha1.Interface { + return v1alpha1.New(g.factory, g.namespace, g.tweakListOptions) +} diff --git a/generated/1.19/client/supervisor/informers/externalversions/oauth/v1alpha1/interface.go b/generated/1.19/client/supervisor/informers/externalversions/oauth/v1alpha1/interface.go new file mode 100644 index 00000000..3db762a4 --- /dev/null +++ b/generated/1.19/client/supervisor/informers/externalversions/oauth/v1alpha1/interface.go 
@@ -0,0 +1,32 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by informer-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + internalinterfaces "go.pinniped.dev/generated/1.19/client/supervisor/informers/externalversions/internalinterfaces" +) + +// Interface provides access to all the informers in this group version. +type Interface interface { + // OIDCClients returns a OIDCClientInformer. + OIDCClients() OIDCClientInformer +} + +type version struct { + factory internalinterfaces.SharedInformerFactory + namespace string + tweakListOptions internalinterfaces.TweakListOptionsFunc +} + +// New returns a new Interface. +func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakListOptions internalinterfaces.TweakListOptionsFunc) Interface { + return &version{factory: f, namespace: namespace, tweakListOptions: tweakListOptions} +} + +// OIDCClients returns a OIDCClientInformer. +func (v *version) OIDCClients() OIDCClientInformer { + return &oIDCClientInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions} +} diff --git a/generated/1.19/client/supervisor/informers/externalversions/oauth/v1alpha1/oidcclient.go b/generated/1.19/client/supervisor/informers/externalversions/oauth/v1alpha1/oidcclient.go new file mode 100644 index 00000000..749b0977 --- /dev/null +++ b/generated/1.19/client/supervisor/informers/externalversions/oauth/v1alpha1/oidcclient.go 
@@ -0,0 +1,77 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by informer-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + "context" + time "time" + + oauthv1alpha1 "go.pinniped.dev/generated/1.19/apis/supervisor/oauth/v1alpha1" + versioned "go.pinniped.dev/generated/1.19/client/supervisor/clientset/versioned" + internalinterfaces "go.pinniped.dev/generated/1.19/client/supervisor/informers/externalversions/internalinterfaces" + v1alpha1 "go.pinniped.dev/generated/1.19/client/supervisor/listers/oauth/v1alpha1" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + runtime "k8s.io/apimachinery/pkg/runtime" + watch "k8s.io/apimachinery/pkg/watch" + cache "k8s.io/client-go/tools/cache" +) + +// OIDCClientInformer provides access to a shared informer and lister for +// OIDCClients. +type OIDCClientInformer interface { + Informer() cache.SharedIndexInformer + Lister() v1alpha1.OIDCClientLister +} + +type oIDCClientInformer struct { + factory internalinterfaces.SharedInformerFactory + tweakListOptions internalinterfaces.TweakListOptionsFunc + namespace string +} + +// NewOIDCClientInformer constructs a new informer for OIDCClient type. +// Always prefer using an informer factory to get a shared informer instead of getting an independent +// one. This reduces memory footprint and number of connections to the server. +func NewOIDCClientInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer { + return NewFilteredOIDCClientInformer(client, namespace, resyncPeriod, indexers, nil) +} + +// NewFilteredOIDCClientInformer constructs a new informer for OIDCClient type. +// Always prefer using an informer factory to get a shared informer instead of getting an independent +// one. This reduces memory footprint and number of connections to the server. 
+func NewFilteredOIDCClientInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer { + return cache.NewSharedIndexInformer( + &cache.ListWatch{ + ListFunc: func(options v1.ListOptions) (runtime.Object, error) { + if tweakListOptions != nil { + tweakListOptions(&options) + } + return client.OauthV1alpha1().OIDCClients(namespace).List(context.TODO(), options) + }, + WatchFunc: func(options v1.ListOptions) (watch.Interface, error) { + if tweakListOptions != nil { + tweakListOptions(&options) + } + return client.OauthV1alpha1().OIDCClients(namespace).Watch(context.TODO(), options) + }, + }, + &oauthv1alpha1.OIDCClient{}, + resyncPeriod, + indexers, + ) +} + +func (f *oIDCClientInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer { + return NewFilteredOIDCClientInformer(client, f.namespace, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions) +} + +func (f *oIDCClientInformer) Informer() cache.SharedIndexInformer { + return f.factory.InformerFor(&oauthv1alpha1.OIDCClient{}, f.defaultInformer) +} + +func (f *oIDCClientInformer) Lister() v1alpha1.OIDCClientLister { + return v1alpha1.NewOIDCClientLister(f.Informer().GetIndexer()) +} diff --git a/generated/1.19/client/supervisor/listers/oauth/v1alpha1/expansion_generated.go b/generated/1.19/client/supervisor/listers/oauth/v1alpha1/expansion_generated.go new file mode 100644 index 00000000..c19310da --- /dev/null +++ b/generated/1.19/client/supervisor/listers/oauth/v1alpha1/expansion_generated.go 
@@ -0,0 +1,14 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by lister-gen. DO NOT EDIT. + +package v1alpha1 + +// OIDCClientListerExpansion allows custom methods to be added to +// OIDCClientLister. +type OIDCClientListerExpansion interface{} + +// OIDCClientNamespaceListerExpansion allows custom methods to be added to +// OIDCClientNamespaceLister. +type OIDCClientNamespaceListerExpansion interface{} diff --git a/generated/1.19/client/supervisor/listers/oauth/v1alpha1/oidcclient.go b/generated/1.19/client/supervisor/listers/oauth/v1alpha1/oidcclient.go new file mode 100644 index 00000000..7040f4c9 --- /dev/null +++ b/generated/1.19/client/supervisor/listers/oauth/v1alpha1/oidcclient.go 
@@ -0,0 +1,86 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by lister-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + v1alpha1 "go.pinniped.dev/generated/1.19/apis/supervisor/oauth/v1alpha1" + "k8s.io/apimachinery/pkg/api/errors" + "k8s.io/apimachinery/pkg/labels" + "k8s.io/client-go/tools/cache" +) + +// OIDCClientLister helps list OIDCClients. +// All objects returned here must be treated as read-only. +type OIDCClientLister interface { + // List lists all OIDCClients in the indexer. + // Objects returned here must be treated as read-only. + List(selector labels.Selector) (ret []*v1alpha1.OIDCClient, err error) + // OIDCClients returns an object that can list and get OIDCClients. + OIDCClients(namespace string) OIDCClientNamespaceLister + OIDCClientListerExpansion +} + +// oIDCClientLister implements the OIDCClientLister interface. +type oIDCClientLister struct { + indexer cache.Indexer +} + +// NewOIDCClientLister returns a new OIDCClientLister. +func NewOIDCClientLister(indexer cache.Indexer) OIDCClientLister { + return &oIDCClientLister{indexer: indexer} +} + +// List lists all OIDCClients in the indexer. +func (s *oIDCClientLister) List(selector labels.Selector) (ret []*v1alpha1.OIDCClient, err error) { + err = cache.ListAll(s.indexer, selector, func(m interface{}) { + ret = append(ret, m.(*v1alpha1.OIDCClient)) + }) + return ret, err +} + +// OIDCClients returns an object that can list and get OIDCClients. +func (s *oIDCClientLister) OIDCClients(namespace string) OIDCClientNamespaceLister { + return oIDCClientNamespaceLister{indexer: s.indexer, namespace: namespace} +} + +// OIDCClientNamespaceLister helps list and get OIDCClients. +// All objects returned here must be treated as read-only. +type OIDCClientNamespaceLister interface { + // List lists all OIDCClients in the indexer for a given namespace. + // Objects returned here must be treated as read-only. 
+ List(selector labels.Selector) (ret []*v1alpha1.OIDCClient, err error) + // Get retrieves the OIDCClient from the indexer for a given namespace and name. + // Objects returned here must be treated as read-only. + Get(name string) (*v1alpha1.OIDCClient, error) + OIDCClientNamespaceListerExpansion +} + +// oIDCClientNamespaceLister implements the OIDCClientNamespaceLister +// interface. +type oIDCClientNamespaceLister struct { + indexer cache.Indexer + namespace string +} + +// List lists all OIDCClients in the indexer for a given namespace. +func (s oIDCClientNamespaceLister) List(selector labels.Selector) (ret []*v1alpha1.OIDCClient, err error) { + err = cache.ListAllByNamespace(s.indexer, s.namespace, selector, func(m interface{}) { + ret = append(ret, m.(*v1alpha1.OIDCClient)) + }) + return ret, err +} + +// Get retrieves the OIDCClient from the indexer for a given namespace and name. +func (s oIDCClientNamespaceLister) Get(name string) (*v1alpha1.OIDCClient, error) { + obj, exists, err := s.indexer.GetByKey(s.namespace + "/" + name) + if err != nil { + return nil, err + } + if !exists { + return nil, errors.NewNotFound(v1alpha1.Resource("oidcclient"), name) + } + return obj.(*v1alpha1.OIDCClient), nil +} diff --git a/generated/1.19/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml b/generated/1.19/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml new file mode 100644 index 00000000..0b4ee157 --- /dev/null +++ b/generated/1.19/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml 
@@ -0,0 +1,121 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.8.0 + creationTimestamp: null + name: oidcclients.oauth.supervisor.pinniped.dev +spec: + group: oauth.supervisor.pinniped.dev + names: + categories: + - pinniped + kind: OIDCClient + listKind: OIDCClientList + plural: oidcclients + singular: oidcclient + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: '{range .spec.allowedScopes[?(@ == "pinniped:request-audience")]}{true}{end}{false}' + name: Privileged + type: boolean + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: OIDCClient describes the configuration of an OIDC client. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec of the OIDC provider. + properties: + allowedGrantTypes: + description: "allowedGrantTypes is a list of the allowed grant_type + param values that should be accepted during OIDC flows with this + client. \n Must only contain the following values: - authorization_code: + allows the client to perform the authorization code grant flow, + i.e. allows the webapp to authenticate users. This grant must always + be listed. 
- refresh_token: allows the client to perform refresh + grants for the user to extend the user's session. This grant must + be listed if allowedScopes lists offline_access. - urn:ietf:params:oauth:grant-type:token-exchange: + allows the client to perform RFC8693 token exchange, which is a + step in the process to be able to get a cluster credential for the + user. This grant must be listed if allowedScopes lists pinniped:request-audience." + items: + type: string + minItems: 1 + type: array + uniqueItems: true + allowedRedirectURIs: + description: allowedRedirectURIs is a list of the allowed redirect_uri + param values that should be accepted during OIDC flows with this + client. Any other uris will be rejected. Must be https, unless it + is a loopback. + items: + type: string + minItems: 1 + type: array + uniqueItems: true + allowedScopes: + description: "allowedScopes is a list of the allowed scopes param + values that should be accepted during OIDC flows with this client. + \n Must only contain the following values: - openid: The client + is allowed to request ID tokens. ID tokens only include the required + claims by default (iss, sub, aud, exp, iat). This scope must always + be listed. - offline_access: The client is allowed to request an + initial refresh token during the authorization code grant flow. + This scope must be listed if allowedGrantTypes lists refresh_token. + - pinniped:request-audience: The client is allowed to request a + new audience value during a RFC8693 token exchange, which is a step + in the process to be able to get a cluster credential for the user. + openid, username and groups scopes must be listed when this scope + is present. This scope must be listed if allowedGrantTypes lists + urn:ietf:params:oauth:grant-type:token-exchange. - username: The + client is allowed to request that ID tokens contain the user's username. + Without the username scope being requested and allowed, the ID token + will not contain the user's username. 
- groups: The client is allowed + to request that ID tokens contain the user's group membership, if + their group membership is discoverable by the Supervisor. Without + the groups scope being requested and allowed, the ID token will + not contain groups." + items: + type: string + minItems: 1 + type: array + uniqueItems: true + required: + - allowedGrantTypes + - allowedRedirectURIs + - allowedScopes + type: object + status: + description: Status of the OIDC provider. + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/generated/1.20/README.adoc b/generated/1.20/README.adoc index 8ad43876..5d419a80 100644 --- a/generated/1.20/README.adoc +++ b/generated/1.20/README.adoc @@ -12,6 +12,7 @@ - xref:{anchor_prefix}-identity-concierge-pinniped-dev-v1alpha1[$$identity.concierge.pinniped.dev/v1alpha1$$] - xref:{anchor_prefix}-idp-supervisor-pinniped-dev-v1alpha1[$$idp.supervisor.pinniped.dev/v1alpha1$$] - xref:{anchor_prefix}-login-concierge-pinniped-dev-v1alpha1[$$login.concierge.pinniped.dev/v1alpha1$$] +- xref:{anchor_prefix}-oauth-supervisor-pinniped-dev-v1alpha1[$$oauth.supervisor.pinniped.dev/v1alpha1$$] [id="{anchor_prefix}-authentication-concierge-pinniped-dev-v1alpha1"] 
@@ -1332,3 +1333,56 @@ TokenCredentialRequestStatus is the status of a TokenCredentialRequest, returned |=== + +[id="{anchor_prefix}-oauth-supervisor-pinniped-dev-v1alpha1"] +=== oauth.supervisor.pinniped.dev/v1alpha1 + +Package v1alpha1 is the v1alpha1 version of the Pinniped supervisor oauth API. + + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-supervisor-oauth-v1alpha1-oidcclient"] +==== OIDCClient + +OIDCClient describes the configuration of an OIDC client. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-supervisor-oauth-v1alpha1-oidcclientlist[$$OIDCClientList$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.2/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`. + +| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-supervisor-oauth-v1alpha1-oidcclientspec[$$OIDCClientSpec$$]__ | Spec of the OIDC provider. +| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-supervisor-oauth-v1alpha1-oidcclientstatus[$$OIDCClientStatus$$]__ | Status of the OIDC provider. +|=== + + + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-supervisor-oauth-v1alpha1-oidcclientspec"] +==== OIDCClientSpec + +OIDCClientSpec is a struct that describes an OIDC Client. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-supervisor-oauth-v1alpha1-oidcclient[$$OIDCClient$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`allowedRedirectURIs`* __string array__ | allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this client. Any other uris will be rejected. Must be https, unless it is a loopback. 
+| *`allowedGrantTypes`* __string array__ | allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this client. + Must only contain the following values: - authorization_code: allows the client to perform the authorization code grant flow, i.e. allows the webapp to authenticate users. This grant must always be listed. - refresh_token: allows the client to perform refresh grants for the user to extend the user's session. This grant must be listed if allowedScopes lists offline_access. - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. This grant must be listed if allowedScopes lists pinniped:request-audience. +| *`allowedScopes`* __string array__ | allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. + Must only contain the following values: - openid: The client is allowed to request ID tokens. ID tokens only include the required claims by default (iss, sub, aud, exp, iat). This scope must always be listed. - offline_access: The client is allowed to request an initial refresh token during the authorization code grant flow. This scope must be listed if allowedGrantTypes lists refresh_token. - pinniped:request-audience: The client is allowed to request a new audience value during a RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. openid, username and groups scopes must be listed when this scope is present. This scope must be listed if allowedGrantTypes lists urn:ietf:params:oauth:grant-type:token-exchange. - username: The client is allowed to request that ID tokens contain the user's username. Without the username scope being requested and allowed, the ID token will not contain the user's username. 
- groups: The client is allowed to request that ID tokens contain the user's group membership, if their group membership is discoverable by the Supervisor. Without the groups scope being requested and allowed, the ID token will not contain groups. +|=== + + + + diff --git a/generated/1.20/apis/supervisor/oauth/v1alpha1/doc.go b/generated/1.20/apis/supervisor/oauth/v1alpha1/doc.go new file mode 100644 index 00000000..75580481 --- /dev/null +++ b/generated/1.20/apis/supervisor/oauth/v1alpha1/doc.go @@ -0,0 +1,10 @@ +// Copyright 2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// +k8s:openapi-gen=true +// +k8s:deepcopy-gen=package +// +k8s:defaulter-gen=TypeMeta +// +groupName=oauth.supervisor.pinniped.dev + +// Package v1alpha1 is the v1alpha1 version of the Pinniped supervisor oauth API. +package v1alpha1 diff --git a/generated/1.20/apis/supervisor/oauth/v1alpha1/register.go b/generated/1.20/apis/supervisor/oauth/v1alpha1/register.go new file mode 100644 index 00000000..37ae1fbf --- /dev/null +++ b/generated/1.20/apis/supervisor/oauth/v1alpha1/register.go 
@@ -0,0 +1,43 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import (
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/apimachinery/pkg/runtime"
+ "k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+const GroupName = "oauth.supervisor.pinniped.dev"
+
+// SchemeGroupVersion is group version used to register these objects.
+var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha1"}
+
+var (
+ SchemeBuilder runtime.SchemeBuilder
+ localSchemeBuilder = &SchemeBuilder
+ AddToScheme = localSchemeBuilder.AddToScheme
+)
+
+func init() {
+ // We only register manually written functions here. The registration of the
+ // generated functions takes place in the generated files. The separation
+ // makes the code compile even when the generated files are missing.
+ localSchemeBuilder.Register(addKnownTypes)
+}
+
+// Adds the list of known types to the given scheme.
+func addKnownTypes(scheme *runtime.Scheme) error {
+ scheme.AddKnownTypes(SchemeGroupVersion,
+ &OIDCClient{},
+ &OIDCClientList{},
+ )
+ metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
+ return nil
+}
+
+// Resource takes an unqualified resource and returns a Group qualified GroupResource.
+func Resource(resource string) schema.GroupResource {
+ return SchemeGroupVersion.WithResource(resource).GroupResource()
+}
diff --git a/generated/1.20/apis/supervisor/oauth/v1alpha1/types_oidcclient.go b/generated/1.20/apis/supervisor/oauth/v1alpha1/types_oidcclient.go
new file mode 100644
index 00000000..ee125443
--- /dev/null
+++ b/generated/1.20/apis/supervisor/oauth/v1alpha1/types_oidcclient.go
@@ -0,0 +1,84 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import (
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// OIDCClientSpec is a struct that describes an OIDC Client.
+type OIDCClientSpec struct {
+ // allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this
+ // client. Any other uris will be rejected.
+ // Must be https, unless it is a loopback.
+ // +kubebuilder:validation:UniqueItems=true
+ // +kubebuilder:validation:MinItems=1
+ AllowedRedirectURIs []string `json:"allowedRedirectURIs"`
+
+ // allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this
+ // client.
+ //
+ // Must only contain the following values:
+ // - authorization_code: allows the client to perform the authorization code grant flow, i.e. allows the webapp to
+ // authenticate users. This grant must always be listed.
+ // - refresh_token: allows the client to perform refresh grants for the user to extend the user's session.
+ // This grant must be listed if allowedScopes lists offline_access.
+ // - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange,
+ // which is a step in the process to be able to get a cluster credential for the user.
+ // This grant must be listed if allowedScopes lists pinniped:request-audience.
+ // +kubebuilder:validation:UniqueItems=true
+ // +kubebuilder:validation:MinItems=1
+ AllowedGrantTypes []string `json:"allowedGrantTypes"`
+
+ // allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client.
+ //
+ // Must only contain the following values:
+ // - openid: The client is allowed to request ID tokens. ID tokens only include the required claims by default (iss, sub, aud, exp, iat).
+ // This scope must always be listed.
+ // - offline_access: The client is allowed to request an initial refresh token during the authorization code grant flow.
+ // This scope must be listed if allowedGrantTypes lists refresh_token.
+ // - pinniped:request-audience: The client is allowed to request a new audience value during a RFC8693 token exchange,
+ // which is a step in the process to be able to get a cluster credential for the user.
+ // openid, username and groups scopes must be listed when this scope is present.
+ // This scope must be listed if allowedGrantTypes lists urn:ietf:params:oauth:grant-type:token-exchange.
+ // - username: The client is allowed to request that ID tokens contain the user's username.
+ // Without the username scope being requested and allowed, the ID token will not contain the user's username.
+ // - groups: The client is allowed to request that ID tokens contain the user's group membership,
+ // if their group membership is discoverable by the Supervisor.
+ // Without the groups scope being requested and allowed, the ID token will not contain groups.
+ // +kubebuilder:validation:UniqueItems=true
+ // +kubebuilder:validation:MinItems=1
+ AllowedScopes []string `json:"allowedScopes"`
+}
+
+// OIDCClientStatus is a struct that describes the actual state of an OIDC Client.
+type OIDCClientStatus struct {
+}
+
+// OIDCClient describes the configuration of an OIDC client.
+// +genclient
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+// +kubebuilder:resource:categories=pinniped
+// +kubebuilder:printcolumn:name="Privileged",type=boolean,JSONPath=`{range .spec.allowedScopes[?(@ == "pinniped:request-audience")]}{true}{end}{false}`
+// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
+// +kubebuilder:subresource:status
+type OIDCClient struct {
+ metav1.TypeMeta `json:",inline"`
+ metav1.ObjectMeta `json:"metadata,omitempty"`
+
+ // Spec of the OIDC provider.
+ Spec OIDCClientSpec `json:"spec"`
+
+ // Status of the OIDC provider.
+ Status OIDCClientStatus `json:"status,omitempty"`
+}
+
+// List of OIDCClient objects.
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+type OIDCClientList struct {
+ metav1.TypeMeta `json:",inline"`
+ metav1.ListMeta `json:"metadata,omitempty"`
+
+ Items []OIDCClient `json:"items"`
+}
diff --git a/generated/1.20/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go b/generated/1.20/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go
new file mode 100644
index 00000000..cb35cea5
--- /dev/null
+++ b/generated/1.20/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go
@@ -0,0 +1,121 @@ +//go:build !ignore_autogenerated +// +build !ignore_autogenerated + +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by deepcopy-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + runtime "k8s.io/apimachinery/pkg/runtime" +) + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCClient) DeepCopyInto(out *OIDCClient) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + in.Spec.DeepCopyInto(&out.Spec) + out.Status = in.Status + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClient. +func (in *OIDCClient) DeepCopy() *OIDCClient { + if in == nil { + return nil + } + out := new(OIDCClient) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *OIDCClient) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCClientList) DeepCopyInto(out *OIDCClientList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]OIDCClient, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientList. +func (in *OIDCClientList) DeepCopy() *OIDCClientList { + if in == nil { + return nil + } + out := new(OIDCClientList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. 
+func (in *OIDCClientList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCClientSpec) DeepCopyInto(out *OIDCClientSpec) { + *out = *in + if in.AllowedRedirectURIs != nil { + in, out := &in.AllowedRedirectURIs, &out.AllowedRedirectURIs + *out = make([]string, len(*in)) + copy(*out, *in) + } + if in.AllowedGrantTypes != nil { + in, out := &in.AllowedGrantTypes, &out.AllowedGrantTypes + *out = make([]string, len(*in)) + copy(*out, *in) + } + if in.AllowedScopes != nil { + in, out := &in.AllowedScopes, &out.AllowedScopes + *out = make([]string, len(*in)) + copy(*out, *in) + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSpec. +func (in *OIDCClientSpec) DeepCopy() *OIDCClientSpec { + if in == nil { + return nil + } + out := new(OIDCClientSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCClientStatus) DeepCopyInto(out *OIDCClientStatus) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientStatus. +func (in *OIDCClientStatus) DeepCopy() *OIDCClientStatus { + if in == nil { + return nil + } + out := new(OIDCClientStatus) + in.DeepCopyInto(out) + return out +} diff --git a/generated/1.20/client/supervisor/clientset/versioned/clientset.go b/generated/1.20/client/supervisor/clientset/versioned/clientset.go index 47592892..ec78cd88 100644 --- a/generated/1.20/client/supervisor/clientset/versioned/clientset.go +++ b/generated/1.20/client/supervisor/clientset/versioned/clientset.go 
@@ -10,6 +10,7 @@ import ( configv1alpha1 "go.pinniped.dev/generated/1.20/client/supervisor/clientset/versioned/typed/config/v1alpha1" idpv1alpha1 "go.pinniped.dev/generated/1.20/client/supervisor/clientset/versioned/typed/idp/v1alpha1" + oauthv1alpha1 "go.pinniped.dev/generated/1.20/client/supervisor/clientset/versioned/typed/oauth/v1alpha1" discovery "k8s.io/client-go/discovery" rest "k8s.io/client-go/rest" flowcontrol "k8s.io/client-go/util/flowcontrol" @@ -19,6 +20,7 @@ type Interface interface { Discovery() discovery.DiscoveryInterface ConfigV1alpha1() configv1alpha1.ConfigV1alpha1Interface IDPV1alpha1() idpv1alpha1.IDPV1alpha1Interface + OauthV1alpha1() oauthv1alpha1.OauthV1alpha1Interface } // Clientset contains the clients for groups. Each group has exactly one @@ -27,6 +29,7 @@ type Clientset struct { *discovery.DiscoveryClient configV1alpha1 *configv1alpha1.ConfigV1alpha1Client iDPV1alpha1 *idpv1alpha1.IDPV1alpha1Client + oauthV1alpha1 *oauthv1alpha1.OauthV1alpha1Client } // ConfigV1alpha1 retrieves the ConfigV1alpha1Client @@ -39,6 +42,11 @@ func (c *Clientset) IDPV1alpha1() idpv1alpha1.IDPV1alpha1Interface { return c.iDPV1alpha1 } +// OauthV1alpha1 retrieves the OauthV1alpha1Client +func (c *Clientset) OauthV1alpha1() oauthv1alpha1.OauthV1alpha1Interface { + return c.oauthV1alpha1 +} + // Discovery retrieves the DiscoveryClient func (c *Clientset) Discovery() discovery.DiscoveryInterface { if c == nil { @@ -68,6 +76,10 @@ func NewForConfig(c *rest.Config) (*Clientset, error) { if err != nil { return nil, err } + cs.oauthV1alpha1, err = oauthv1alpha1.NewForConfig(&configShallowCopy) + if err != nil { + return nil, err + } cs.DiscoveryClient, err = discovery.NewDiscoveryClientForConfig(&configShallowCopy) if err != nil { 
@@ -82,6 +94,7 @@ func NewForConfigOrDie(c *rest.Config) *Clientset { var cs Clientset cs.configV1alpha1 = configv1alpha1.NewForConfigOrDie(c) cs.iDPV1alpha1 = idpv1alpha1.NewForConfigOrDie(c) + cs.oauthV1alpha1 = oauthv1alpha1.NewForConfigOrDie(c) cs.DiscoveryClient = discovery.NewDiscoveryClientForConfigOrDie(c) return &cs @@ -92,6 +105,7 @@ func New(c rest.Interface) *Clientset { var cs Clientset cs.configV1alpha1 = configv1alpha1.New(c) cs.iDPV1alpha1 = idpv1alpha1.New(c) + cs.oauthV1alpha1 = oauthv1alpha1.New(c) cs.DiscoveryClient = discovery.NewDiscoveryClient(c) return &cs diff --git a/generated/1.20/client/supervisor/clientset/versioned/fake/clientset_generated.go b/generated/1.20/client/supervisor/clientset/versioned/fake/clientset_generated.go index 4f710f0b..cee1ca0d 100644 --- a/generated/1.20/client/supervisor/clientset/versioned/fake/clientset_generated.go +++ b/generated/1.20/client/supervisor/clientset/versioned/fake/clientset_generated.go @@ -11,6 +11,8 @@ import ( fakeconfigv1alpha1 "go.pinniped.dev/generated/1.20/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake" idpv1alpha1 "go.pinniped.dev/generated/1.20/client/supervisor/clientset/versioned/typed/idp/v1alpha1" fakeidpv1alpha1 "go.pinniped.dev/generated/1.20/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake" + oauthv1alpha1 "go.pinniped.dev/generated/1.20/client/supervisor/clientset/versioned/typed/oauth/v1alpha1" + fakeoauthv1alpha1 "go.pinniped.dev/generated/1.20/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake" "k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/watch" "k8s.io/client-go/discovery" 
@@ -74,3 +76,8 @@ func (c *Clientset) ConfigV1alpha1() configv1alpha1.ConfigV1alpha1Interface { func (c *Clientset) IDPV1alpha1() idpv1alpha1.IDPV1alpha1Interface { return &fakeidpv1alpha1.FakeIDPV1alpha1{Fake: &c.Fake} } + +// OauthV1alpha1 retrieves the OauthV1alpha1Client +func (c *Clientset) OauthV1alpha1() oauthv1alpha1.OauthV1alpha1Interface { + return &fakeoauthv1alpha1.FakeOauthV1alpha1{Fake: &c.Fake} +} diff --git a/generated/1.20/client/supervisor/clientset/versioned/fake/register.go b/generated/1.20/client/supervisor/clientset/versioned/fake/register.go index 7587d602..b9ea3ea8 100644 --- a/generated/1.20/client/supervisor/clientset/versioned/fake/register.go +++ b/generated/1.20/client/supervisor/clientset/versioned/fake/register.go @@ -8,6 +8,7 @@ package fake import ( configv1alpha1 "go.pinniped.dev/generated/1.20/apis/supervisor/config/v1alpha1" idpv1alpha1 "go.pinniped.dev/generated/1.20/apis/supervisor/idp/v1alpha1" + oauthv1alpha1 "go.pinniped.dev/generated/1.20/apis/supervisor/oauth/v1alpha1" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" runtime "k8s.io/apimachinery/pkg/runtime" schema "k8s.io/apimachinery/pkg/runtime/schema" @@ -21,6 +22,7 @@ var codecs = serializer.NewCodecFactory(scheme) var localSchemeBuilder = runtime.SchemeBuilder{ configv1alpha1.AddToScheme, idpv1alpha1.AddToScheme, + oauthv1alpha1.AddToScheme, } // AddToScheme adds all types of this clientset into the given scheme. This allows composition diff --git a/generated/1.20/client/supervisor/clientset/versioned/scheme/register.go b/generated/1.20/client/supervisor/clientset/versioned/scheme/register.go index af0ed68f..cd769223 100644 --- a/generated/1.20/client/supervisor/clientset/versioned/scheme/register.go +++ b/generated/1.20/client/supervisor/clientset/versioned/scheme/register.go 
@@ -8,6 +8,7 @@ package scheme import ( configv1alpha1 "go.pinniped.dev/generated/1.20/apis/supervisor/config/v1alpha1" idpv1alpha1 "go.pinniped.dev/generated/1.20/apis/supervisor/idp/v1alpha1" + oauthv1alpha1 "go.pinniped.dev/generated/1.20/apis/supervisor/oauth/v1alpha1" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" runtime "k8s.io/apimachinery/pkg/runtime" schema "k8s.io/apimachinery/pkg/runtime/schema" @@ -21,6 +22,7 @@ var ParameterCodec = runtime.NewParameterCodec(Scheme) var localSchemeBuilder = runtime.SchemeBuilder{ configv1alpha1.AddToScheme, idpv1alpha1.AddToScheme, + oauthv1alpha1.AddToScheme, } // AddToScheme adds all types of this clientset into the given scheme. This allows composition diff --git a/generated/1.20/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/doc.go b/generated/1.20/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/doc.go new file mode 100644 index 00000000..e7a470b6 --- /dev/null +++ b/generated/1.20/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/doc.go @@ -0,0 +1,7 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +// This package has the automatically generated typed clients. +package v1alpha1 diff --git a/generated/1.20/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go b/generated/1.20/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go new file mode 100644 index 00000000..7906901b --- /dev/null +++ b/generated/1.20/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go @@ -0,0 +1,7 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +// Package fake has the automatically generated clients. +package fake 
diff --git a/generated/1.20/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go b/generated/1.20/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go new file mode 100644 index 00000000..3bc1da70 --- /dev/null +++ b/generated/1.20/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go @@ -0,0 +1,27 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package fake + +import ( + v1alpha1 "go.pinniped.dev/generated/1.20/client/supervisor/clientset/versioned/typed/oauth/v1alpha1" + rest "k8s.io/client-go/rest" + testing "k8s.io/client-go/testing" +) + +type FakeOauthV1alpha1 struct { + *testing.Fake +} + +func (c *FakeOauthV1alpha1) OIDCClients(namespace string) v1alpha1.OIDCClientInterface { + return &FakeOIDCClients{c, namespace} +} + +// RESTClient returns a RESTClient that is used to communicate +// with API server by this client implementation. +func (c *FakeOauthV1alpha1) RESTClient() rest.Interface { + var ret *rest.RESTClient + return ret +} diff --git a/generated/1.20/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oidcclient.go b/generated/1.20/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oidcclient.go new file mode 100644 index 00000000..38aac300 --- /dev/null +++ b/generated/1.20/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oidcclient.go 
@@ -0,0 +1,129 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package fake + +import ( + "context" + + v1alpha1 "go.pinniped.dev/generated/1.20/apis/supervisor/oauth/v1alpha1" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + labels "k8s.io/apimachinery/pkg/labels" + schema "k8s.io/apimachinery/pkg/runtime/schema" + types "k8s.io/apimachinery/pkg/types" + watch "k8s.io/apimachinery/pkg/watch" + testing "k8s.io/client-go/testing" +) + +// FakeOIDCClients implements OIDCClientInterface +type FakeOIDCClients struct { + Fake *FakeOauthV1alpha1 + ns string +} + +var oidcclientsResource = schema.GroupVersionResource{Group: "oauth.supervisor.pinniped.dev", Version: "v1alpha1", Resource: "oidcclients"} + +var oidcclientsKind = schema.GroupVersionKind{Group: "oauth.supervisor.pinniped.dev", Version: "v1alpha1", Kind: "OIDCClient"} + +// Get takes name of the oIDCClient, and returns the corresponding oIDCClient object, and an error if there is any. +func (c *FakeOIDCClients) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.OIDCClient, err error) { + obj, err := c.Fake. + Invokes(testing.NewGetAction(oidcclientsResource, c.ns, name), &v1alpha1.OIDCClient{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.OIDCClient), err +} + +// List takes label and field selectors, and returns the list of OIDCClients that match those selectors. +func (c *FakeOIDCClients) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.OIDCClientList, err error) { + obj, err := c.Fake. 
+ Invokes(testing.NewListAction(oidcclientsResource, oidcclientsKind, c.ns, opts), &v1alpha1.OIDCClientList{}) + + if obj == nil { + return nil, err + } + + label, _, _ := testing.ExtractFromListOptions(opts) + if label == nil { + label = labels.Everything() + } + list := &v1alpha1.OIDCClientList{ListMeta: obj.(*v1alpha1.OIDCClientList).ListMeta} + for _, item := range obj.(*v1alpha1.OIDCClientList).Items { + if label.Matches(labels.Set(item.Labels)) { + list.Items = append(list.Items, item) + } + } + return list, err +} + +// Watch returns a watch.Interface that watches the requested oIDCClients. +func (c *FakeOIDCClients) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) { + return c.Fake. + InvokesWatch(testing.NewWatchAction(oidcclientsResource, c.ns, opts)) + +} + +// Create takes the representation of a oIDCClient and creates it. Returns the server's representation of the oIDCClient, and an error, if there is any. +func (c *FakeOIDCClients) Create(ctx context.Context, oIDCClient *v1alpha1.OIDCClient, opts v1.CreateOptions) (result *v1alpha1.OIDCClient, err error) { + obj, err := c.Fake. + Invokes(testing.NewCreateAction(oidcclientsResource, c.ns, oIDCClient), &v1alpha1.OIDCClient{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.OIDCClient), err +} + +// Update takes the representation of a oIDCClient and updates it. Returns the server's representation of the oIDCClient, and an error, if there is any. +func (c *FakeOIDCClients) Update(ctx context.Context, oIDCClient *v1alpha1.OIDCClient, opts v1.UpdateOptions) (result *v1alpha1.OIDCClient, err error) { + obj, err := c.Fake. + Invokes(testing.NewUpdateAction(oidcclientsResource, c.ns, oIDCClient), &v1alpha1.OIDCClient{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.OIDCClient), err +} + +// UpdateStatus was generated because the type contains a Status member. +// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus(). 
+func (c *FakeOIDCClients) UpdateStatus(ctx context.Context, oIDCClient *v1alpha1.OIDCClient, opts v1.UpdateOptions) (*v1alpha1.OIDCClient, error) { + obj, err := c.Fake. + Invokes(testing.NewUpdateSubresourceAction(oidcclientsResource, "status", c.ns, oIDCClient), &v1alpha1.OIDCClient{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.OIDCClient), err +} + +// Delete takes name of the oIDCClient and deletes it. Returns an error if one occurs. +func (c *FakeOIDCClients) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error { + _, err := c.Fake. + Invokes(testing.NewDeleteAction(oidcclientsResource, c.ns, name), &v1alpha1.OIDCClient{}) + + return err +} + +// DeleteCollection deletes a collection of objects. +func (c *FakeOIDCClients) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error { + action := testing.NewDeleteCollectionAction(oidcclientsResource, c.ns, listOpts) + + _, err := c.Fake.Invokes(action, &v1alpha1.OIDCClientList{}) + return err +} + +// Patch applies the patch and returns the patched oIDCClient. +func (c *FakeOIDCClients) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.OIDCClient, err error) { + obj, err := c.Fake. + Invokes(testing.NewPatchSubresourceAction(oidcclientsResource, c.ns, name, pt, data, subresources...), &v1alpha1.OIDCClient{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.OIDCClient), err +} diff --git a/generated/1.20/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go b/generated/1.20/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go new file mode 100644 index 00000000..87d22ea9 --- /dev/null +++ b/generated/1.20/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go 
@@ -0,0 +1,8 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package v1alpha1 + +type OIDCClientExpansion interface{} diff --git a/generated/1.20/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go b/generated/1.20/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go new file mode 100644 index 00000000..ca9d2cf5 --- /dev/null +++ b/generated/1.20/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go 
@@ -0,0 +1,76 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + v1alpha1 "go.pinniped.dev/generated/1.20/apis/supervisor/oauth/v1alpha1" + "go.pinniped.dev/generated/1.20/client/supervisor/clientset/versioned/scheme" + rest "k8s.io/client-go/rest" +) + +type OauthV1alpha1Interface interface { + RESTClient() rest.Interface + OIDCClientsGetter +} + +// OauthV1alpha1Client is used to interact with features provided by the oauth.supervisor.pinniped.dev group. +type OauthV1alpha1Client struct { + restClient rest.Interface +} + +func (c *OauthV1alpha1Client) OIDCClients(namespace string) OIDCClientInterface { + return newOIDCClients(c, namespace) +} + +// NewForConfig creates a new OauthV1alpha1Client for the given config. +func NewForConfig(c *rest.Config) (*OauthV1alpha1Client, error) { + config := *c + if err := setConfigDefaults(&config); err != nil { + return nil, err + } + client, err := rest.RESTClientFor(&config) + if err != nil { + return nil, err + } + return &OauthV1alpha1Client{client}, nil +} + +// NewForConfigOrDie creates a new OauthV1alpha1Client for the given config and +// panics if there is an error in the config. +func NewForConfigOrDie(c *rest.Config) *OauthV1alpha1Client { + client, err := NewForConfig(c) + if err != nil { + panic(err) + } + return client +} + +// New creates a new OauthV1alpha1Client for the given RESTClient. 
+func New(c rest.Interface) *OauthV1alpha1Client { + return &OauthV1alpha1Client{c} +} + +func setConfigDefaults(config *rest.Config) error { + gv := v1alpha1.SchemeGroupVersion + config.GroupVersion = &gv + config.APIPath = "/apis" + config.NegotiatedSerializer = scheme.Codecs.WithoutConversion() + + if config.UserAgent == "" { + config.UserAgent = rest.DefaultKubernetesUserAgent() + } + + return nil +} + +// RESTClient returns a RESTClient that is used to communicate +// with API server by this client implementation. +func (c *OauthV1alpha1Client) RESTClient() rest.Interface { + if c == nil { + return nil + } + return c.restClient +} diff --git a/generated/1.20/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oidcclient.go b/generated/1.20/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oidcclient.go new file mode 100644 index 00000000..32503911 --- /dev/null +++ b/generated/1.20/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oidcclient.go 
@@ -0,0 +1,182 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + "context" + "time" + + v1alpha1 "go.pinniped.dev/generated/1.20/apis/supervisor/oauth/v1alpha1" + scheme "go.pinniped.dev/generated/1.20/client/supervisor/clientset/versioned/scheme" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + types "k8s.io/apimachinery/pkg/types" + watch "k8s.io/apimachinery/pkg/watch" + rest "k8s.io/client-go/rest" +) + +// OIDCClientsGetter has a method to return a OIDCClientInterface. +// A group's client should implement this interface. +type OIDCClientsGetter interface { + OIDCClients(namespace string) OIDCClientInterface +} + +// OIDCClientInterface has methods to work with OIDCClient resources. +type OIDCClientInterface interface { + Create(ctx context.Context, oIDCClient *v1alpha1.OIDCClient, opts v1.CreateOptions) (*v1alpha1.OIDCClient, error) + Update(ctx context.Context, oIDCClient *v1alpha1.OIDCClient, opts v1.UpdateOptions) (*v1alpha1.OIDCClient, error) + UpdateStatus(ctx context.Context, oIDCClient *v1alpha1.OIDCClient, opts v1.UpdateOptions) (*v1alpha1.OIDCClient, error) + Delete(ctx context.Context, name string, opts v1.DeleteOptions) error + DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error + Get(ctx context.Context, name string, opts v1.GetOptions) (*v1alpha1.OIDCClient, error) + List(ctx context.Context, opts v1.ListOptions) (*v1alpha1.OIDCClientList, error) + Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) + Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.OIDCClient, err error) + OIDCClientExpansion +} + +// oIDCClients implements OIDCClientInterface +type oIDCClients struct { + client rest.Interface + ns string +} + +// newOIDCClients returns a OIDCClients +func 
newOIDCClients(c *OauthV1alpha1Client, namespace string) *oIDCClients { + return &oIDCClients{ + client: c.RESTClient(), + ns: namespace, + } +} + +// Get takes name of the oIDCClient, and returns the corresponding oIDCClient object, and an error if there is any. +func (c *oIDCClients) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.OIDCClient, err error) { + result = &v1alpha1.OIDCClient{} + err = c.client.Get(). + Namespace(c.ns). + Resource("oidcclients"). + Name(name). + VersionedParams(&options, scheme.ParameterCodec). + Do(ctx). + Into(result) + return +} + +// List takes label and field selectors, and returns the list of OIDCClients that match those selectors. +func (c *oIDCClients) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.OIDCClientList, err error) { + var timeout time.Duration + if opts.TimeoutSeconds != nil { + timeout = time.Duration(*opts.TimeoutSeconds) * time.Second + } + result = &v1alpha1.OIDCClientList{} + err = c.client.Get(). + Namespace(c.ns). + Resource("oidcclients"). + VersionedParams(&opts, scheme.ParameterCodec). + Timeout(timeout). + Do(ctx). + Into(result) + return +} + +// Watch returns a watch.Interface that watches the requested oIDCClients. +func (c *oIDCClients) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) { + var timeout time.Duration + if opts.TimeoutSeconds != nil { + timeout = time.Duration(*opts.TimeoutSeconds) * time.Second + } + opts.Watch = true + return c.client.Get(). + Namespace(c.ns). + Resource("oidcclients"). + VersionedParams(&opts, scheme.ParameterCodec). + Timeout(timeout). + Watch(ctx) +} + +// Create takes the representation of a oIDCClient and creates it. Returns the server's representation of the oIDCClient, and an error, if there is any. 
+func (c *oIDCClients) Create(ctx context.Context, oIDCClient *v1alpha1.OIDCClient, opts v1.CreateOptions) (result *v1alpha1.OIDCClient, err error) { + result = &v1alpha1.OIDCClient{} + err = c.client.Post(). + Namespace(c.ns). + Resource("oidcclients"). + VersionedParams(&opts, scheme.ParameterCodec). + Body(oIDCClient). + Do(ctx). + Into(result) + return +} + +// Update takes the representation of a oIDCClient and updates it. Returns the server's representation of the oIDCClient, and an error, if there is any. +func (c *oIDCClients) Update(ctx context.Context, oIDCClient *v1alpha1.OIDCClient, opts v1.UpdateOptions) (result *v1alpha1.OIDCClient, err error) { + result = &v1alpha1.OIDCClient{} + err = c.client.Put(). + Namespace(c.ns). + Resource("oidcclients"). + Name(oIDCClient.Name). + VersionedParams(&opts, scheme.ParameterCodec). + Body(oIDCClient). + Do(ctx). + Into(result) + return +} + +// UpdateStatus was generated because the type contains a Status member. +// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus(). +func (c *oIDCClients) UpdateStatus(ctx context.Context, oIDCClient *v1alpha1.OIDCClient, opts v1.UpdateOptions) (result *v1alpha1.OIDCClient, err error) { + result = &v1alpha1.OIDCClient{} + err = c.client.Put(). + Namespace(c.ns). + Resource("oidcclients"). + Name(oIDCClient.Name). + SubResource("status"). + VersionedParams(&opts, scheme.ParameterCodec). + Body(oIDCClient). + Do(ctx). + Into(result) + return +} + +// Delete takes name of the oIDCClient and deletes it. Returns an error if one occurs. +func (c *oIDCClients) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error { + return c.client.Delete(). + Namespace(c.ns). + Resource("oidcclients"). + Name(name). + Body(&opts). + Do(ctx). + Error() +} + +// DeleteCollection deletes a collection of objects. 
+func (c *oIDCClients) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error { + var timeout time.Duration + if listOpts.TimeoutSeconds != nil { + timeout = time.Duration(*listOpts.TimeoutSeconds) * time.Second + } + return c.client.Delete(). + Namespace(c.ns). + Resource("oidcclients"). + VersionedParams(&listOpts, scheme.ParameterCodec). + Timeout(timeout). + Body(&opts). + Do(ctx). + Error() +} + +// Patch applies the patch and returns the patched oIDCClient. +func (c *oIDCClients) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.OIDCClient, err error) { + result = &v1alpha1.OIDCClient{} + err = c.client.Patch(pt). + Namespace(c.ns). + Resource("oidcclients"). + Name(name). + SubResource(subresources...). + VersionedParams(&opts, scheme.ParameterCodec). + Body(data). + Do(ctx). + Into(result) + return +} diff --git a/generated/1.20/client/supervisor/informers/externalversions/factory.go b/generated/1.20/client/supervisor/informers/externalversions/factory.go index 60395f1f..6e6fffaa 100644 --- a/generated/1.20/client/supervisor/informers/externalversions/factory.go +++ b/generated/1.20/client/supervisor/informers/externalversions/factory.go @@ -14,6 +14,7 @@ import ( config "go.pinniped.dev/generated/1.20/client/supervisor/informers/externalversions/config" idp "go.pinniped.dev/generated/1.20/client/supervisor/informers/externalversions/idp" internalinterfaces "go.pinniped.dev/generated/1.20/client/supervisor/informers/externalversions/internalinterfaces" + oauth "go.pinniped.dev/generated/1.20/client/supervisor/informers/externalversions/oauth" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" runtime "k8s.io/apimachinery/pkg/runtime" schema "k8s.io/apimachinery/pkg/runtime/schema" 
@@ -162,6 +163,7 @@ type SharedInformerFactory interface { Config() config.Interface IDP() idp.Interface + Oauth() oauth.Interface } func (f *sharedInformerFactory) Config() config.Interface { @@ -171,3 +173,7 @@ func (f *sharedInformerFactory) Config() config.Interface { func (f *sharedInformerFactory) IDP() idp.Interface { return idp.New(f, f.namespace, f.tweakListOptions) } + +func (f *sharedInformerFactory) Oauth() oauth.Interface { + return oauth.New(f, f.namespace, f.tweakListOptions) +} diff --git a/generated/1.20/client/supervisor/informers/externalversions/generic.go b/generated/1.20/client/supervisor/informers/externalversions/generic.go index 0b11db8b..d541574e 100644 --- a/generated/1.20/client/supervisor/informers/externalversions/generic.go +++ b/generated/1.20/client/supervisor/informers/externalversions/generic.go @@ -10,6 +10,7 @@ import ( v1alpha1 "go.pinniped.dev/generated/1.20/apis/supervisor/config/v1alpha1" idpv1alpha1 "go.pinniped.dev/generated/1.20/apis/supervisor/idp/v1alpha1" + oauthv1alpha1 "go.pinniped.dev/generated/1.20/apis/supervisor/oauth/v1alpha1" schema "k8s.io/apimachinery/pkg/runtime/schema" cache "k8s.io/client-go/tools/cache" ) @@ -52,6 +53,10 @@ func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource case idpv1alpha1.SchemeGroupVersion.WithResource("oidcidentityproviders"): return &genericInformer{resource: resource.GroupResource(), informer: f.IDP().V1alpha1().OIDCIdentityProviders().Informer()}, nil + // Group=oauth.supervisor.pinniped.dev, Version=v1alpha1 + case oauthv1alpha1.SchemeGroupVersion.WithResource("oidcclients"): + return &genericInformer{resource: resource.GroupResource(), informer: f.Oauth().V1alpha1().OIDCClients().Informer()}, nil + } return nil, fmt.Errorf("no informer found for %v", resource) 
diff --git a/generated/1.20/client/supervisor/informers/externalversions/oauth/interface.go b/generated/1.20/client/supervisor/informers/externalversions/oauth/interface.go new file mode 100644 index 00000000..b4cc533e --- /dev/null +++ b/generated/1.20/client/supervisor/informers/externalversions/oauth/interface.go @@ -0,0 +1,33 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by informer-gen. DO NOT EDIT. + +package oauth + +import ( + internalinterfaces "go.pinniped.dev/generated/1.20/client/supervisor/informers/externalversions/internalinterfaces" + v1alpha1 "go.pinniped.dev/generated/1.20/client/supervisor/informers/externalversions/oauth/v1alpha1" +) + +// Interface provides access to each of this group's versions. +type Interface interface { + // V1alpha1 provides access to shared informers for resources in V1alpha1. + V1alpha1() v1alpha1.Interface +} + +type group struct { + factory internalinterfaces.SharedInformerFactory + namespace string + tweakListOptions internalinterfaces.TweakListOptionsFunc +} + +// New returns a new Interface. +func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakListOptions internalinterfaces.TweakListOptionsFunc) Interface { + return &group{factory: f, namespace: namespace, tweakListOptions: tweakListOptions} +} + +// V1alpha1 returns a new v1alpha1.Interface. +func (g *group) V1alpha1() v1alpha1.Interface { + return v1alpha1.New(g.factory, g.namespace, g.tweakListOptions) +} diff --git a/generated/1.20/client/supervisor/informers/externalversions/oauth/v1alpha1/interface.go b/generated/1.20/client/supervisor/informers/externalversions/oauth/v1alpha1/interface.go new file mode 100644 index 00000000..ed7eacf5 --- /dev/null +++ b/generated/1.20/client/supervisor/informers/externalversions/oauth/v1alpha1/interface.go 
@@ -0,0 +1,32 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by informer-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + internalinterfaces "go.pinniped.dev/generated/1.20/client/supervisor/informers/externalversions/internalinterfaces" +) + +// Interface provides access to all the informers in this group version. +type Interface interface { + // OIDCClients returns a OIDCClientInformer. + OIDCClients() OIDCClientInformer +} + +type version struct { + factory internalinterfaces.SharedInformerFactory + namespace string + tweakListOptions internalinterfaces.TweakListOptionsFunc +} + +// New returns a new Interface. +func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakListOptions internalinterfaces.TweakListOptionsFunc) Interface { + return &version{factory: f, namespace: namespace, tweakListOptions: tweakListOptions} +} + +// OIDCClients returns a OIDCClientInformer. +func (v *version) OIDCClients() OIDCClientInformer { + return &oIDCClientInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions} +} diff --git a/generated/1.20/client/supervisor/informers/externalversions/oauth/v1alpha1/oidcclient.go b/generated/1.20/client/supervisor/informers/externalversions/oauth/v1alpha1/oidcclient.go new file mode 100644 index 00000000..37efa298 --- /dev/null +++ b/generated/1.20/client/supervisor/informers/externalversions/oauth/v1alpha1/oidcclient.go 
@@ -0,0 +1,77 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by informer-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + "context" + time "time" + + oauthv1alpha1 "go.pinniped.dev/generated/1.20/apis/supervisor/oauth/v1alpha1" + versioned "go.pinniped.dev/generated/1.20/client/supervisor/clientset/versioned" + internalinterfaces "go.pinniped.dev/generated/1.20/client/supervisor/informers/externalversions/internalinterfaces" + v1alpha1 "go.pinniped.dev/generated/1.20/client/supervisor/listers/oauth/v1alpha1" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + runtime "k8s.io/apimachinery/pkg/runtime" + watch "k8s.io/apimachinery/pkg/watch" + cache "k8s.io/client-go/tools/cache" +) + +// OIDCClientInformer provides access to a shared informer and lister for +// OIDCClients. +type OIDCClientInformer interface { + Informer() cache.SharedIndexInformer + Lister() v1alpha1.OIDCClientLister +} + +type oIDCClientInformer struct { + factory internalinterfaces.SharedInformerFactory + tweakListOptions internalinterfaces.TweakListOptionsFunc + namespace string +} + +// NewOIDCClientInformer constructs a new informer for OIDCClient type. +// Always prefer using an informer factory to get a shared informer instead of getting an independent +// one. This reduces memory footprint and number of connections to the server. +func NewOIDCClientInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer { + return NewFilteredOIDCClientInformer(client, namespace, resyncPeriod, indexers, nil) +} + +// NewFilteredOIDCClientInformer constructs a new informer for OIDCClient type. +// Always prefer using an informer factory to get a shared informer instead of getting an independent +// one. This reduces memory footprint and number of connections to the server. 
+func NewFilteredOIDCClientInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer { + return cache.NewSharedIndexInformer( + &cache.ListWatch{ + ListFunc: func(options v1.ListOptions) (runtime.Object, error) { + if tweakListOptions != nil { + tweakListOptions(&options) + } + return client.OauthV1alpha1().OIDCClients(namespace).List(context.TODO(), options) + }, + WatchFunc: func(options v1.ListOptions) (watch.Interface, error) { + if tweakListOptions != nil { + tweakListOptions(&options) + } + return client.OauthV1alpha1().OIDCClients(namespace).Watch(context.TODO(), options) + }, + }, + &oauthv1alpha1.OIDCClient{}, + resyncPeriod, + indexers, + ) +} + +func (f *oIDCClientInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer { + return NewFilteredOIDCClientInformer(client, f.namespace, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions) +} + +func (f *oIDCClientInformer) Informer() cache.SharedIndexInformer { + return f.factory.InformerFor(&oauthv1alpha1.OIDCClient{}, f.defaultInformer) +} + +func (f *oIDCClientInformer) Lister() v1alpha1.OIDCClientLister { + return v1alpha1.NewOIDCClientLister(f.Informer().GetIndexer()) +} diff --git a/generated/1.20/client/supervisor/listers/oauth/v1alpha1/expansion_generated.go b/generated/1.20/client/supervisor/listers/oauth/v1alpha1/expansion_generated.go new file mode 100644 index 00000000..c19310da --- /dev/null +++ b/generated/1.20/client/supervisor/listers/oauth/v1alpha1/expansion_generated.go 
@@ -0,0 +1,14 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by lister-gen. DO NOT EDIT. + +package v1alpha1 + +// OIDCClientListerExpansion allows custom methods to be added to +// OIDCClientLister. +type OIDCClientListerExpansion interface{} + +// OIDCClientNamespaceListerExpansion allows custom methods to be added to +// OIDCClientNamespaceLister. +type OIDCClientNamespaceListerExpansion interface{} diff --git a/generated/1.20/client/supervisor/listers/oauth/v1alpha1/oidcclient.go b/generated/1.20/client/supervisor/listers/oauth/v1alpha1/oidcclient.go new file mode 100644 index 00000000..9cb0fe48 --- /dev/null +++ b/generated/1.20/client/supervisor/listers/oauth/v1alpha1/oidcclient.go 
@@ -0,0 +1,86 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by lister-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + v1alpha1 "go.pinniped.dev/generated/1.20/apis/supervisor/oauth/v1alpha1" + "k8s.io/apimachinery/pkg/api/errors" + "k8s.io/apimachinery/pkg/labels" + "k8s.io/client-go/tools/cache" +) + +// OIDCClientLister helps list OIDCClients. +// All objects returned here must be treated as read-only. +type OIDCClientLister interface { + // List lists all OIDCClients in the indexer. + // Objects returned here must be treated as read-only. + List(selector labels.Selector) (ret []*v1alpha1.OIDCClient, err error) + // OIDCClients returns an object that can list and get OIDCClients. + OIDCClients(namespace string) OIDCClientNamespaceLister + OIDCClientListerExpansion +} + +// oIDCClientLister implements the OIDCClientLister interface. +type oIDCClientLister struct { + indexer cache.Indexer +} + +// NewOIDCClientLister returns a new OIDCClientLister. +func NewOIDCClientLister(indexer cache.Indexer) OIDCClientLister { + return &oIDCClientLister{indexer: indexer} +} + +// List lists all OIDCClients in the indexer. +func (s *oIDCClientLister) List(selector labels.Selector) (ret []*v1alpha1.OIDCClient, err error) { + err = cache.ListAll(s.indexer, selector, func(m interface{}) { + ret = append(ret, m.(*v1alpha1.OIDCClient)) + }) + return ret, err +} + +// OIDCClients returns an object that can list and get OIDCClients. +func (s *oIDCClientLister) OIDCClients(namespace string) OIDCClientNamespaceLister { + return oIDCClientNamespaceLister{indexer: s.indexer, namespace: namespace} +} + +// OIDCClientNamespaceLister helps list and get OIDCClients. +// All objects returned here must be treated as read-only. +type OIDCClientNamespaceLister interface { + // List lists all OIDCClients in the indexer for a given namespace. + // Objects returned here must be treated as read-only. 
+ List(selector labels.Selector) (ret []*v1alpha1.OIDCClient, err error) + // Get retrieves the OIDCClient from the indexer for a given namespace and name. + // Objects returned here must be treated as read-only. + Get(name string) (*v1alpha1.OIDCClient, error) + OIDCClientNamespaceListerExpansion +} + +// oIDCClientNamespaceLister implements the OIDCClientNamespaceLister +// interface. +type oIDCClientNamespaceLister struct { + indexer cache.Indexer + namespace string +} + +// List lists all OIDCClients in the indexer for a given namespace. +func (s oIDCClientNamespaceLister) List(selector labels.Selector) (ret []*v1alpha1.OIDCClient, err error) { + err = cache.ListAllByNamespace(s.indexer, s.namespace, selector, func(m interface{}) { + ret = append(ret, m.(*v1alpha1.OIDCClient)) + }) + return ret, err +} + +// Get retrieves the OIDCClient from the indexer for a given namespace and name. +func (s oIDCClientNamespaceLister) Get(name string) (*v1alpha1.OIDCClient, error) { + obj, exists, err := s.indexer.GetByKey(s.namespace + "/" + name) + if err != nil { + return nil, err + } + if !exists { + return nil, errors.NewNotFound(v1alpha1.Resource("oidcclient"), name) + } + return obj.(*v1alpha1.OIDCClient), nil +} diff --git a/generated/1.20/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml b/generated/1.20/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml new file mode 100644 index 00000000..0b4ee157 --- /dev/null +++ b/generated/1.20/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml 
@@ -0,0 +1,121 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.8.0 + creationTimestamp: null + name: oidcclients.oauth.supervisor.pinniped.dev +spec: + group: oauth.supervisor.pinniped.dev + names: + categories: + - pinniped + kind: OIDCClient + listKind: OIDCClientList + plural: oidcclients + singular: oidcclient + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: '{range .spec.allowedScopes[?(@ == "pinniped:request-audience")]}{true}{end}{false}' + name: Privileged + type: boolean + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: OIDCClient describes the configuration of an OIDC client. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec of the OIDC provider. + properties: + allowedGrantTypes: + description: "allowedGrantTypes is a list of the allowed grant_type + param values that should be accepted during OIDC flows with this + client. \n Must only contain the following values: - authorization_code: + allows the client to perform the authorization code grant flow, + i.e. allows the webapp to authenticate users. This grant must always + be listed. 
- refresh_token: allows the client to perform refresh + grants for the user to extend the user's session. This grant must + be listed if allowedScopes lists offline_access. - urn:ietf:params:oauth:grant-type:token-exchange: + allows the client to perform RFC8693 token exchange, which is a + step in the process to be able to get a cluster credential for the + user. This grant must be listed if allowedScopes lists pinniped:request-audience." + items: + type: string + minItems: 1 + type: array + uniqueItems: true + allowedRedirectURIs: + description: allowedRedirectURIs is a list of the allowed redirect_uri + param values that should be accepted during OIDC flows with this + client. Any other uris will be rejected. Must be https, unless it + is a loopback. + items: + type: string + minItems: 1 + type: array + uniqueItems: true + allowedScopes: + description: "allowedScopes is a list of the allowed scopes param + values that should be accepted during OIDC flows with this client. + \n Must only contain the following values: - openid: The client + is allowed to request ID tokens. ID tokens only include the required + claims by default (iss, sub, aud, exp, iat). This scope must always + be listed. - offline_access: The client is allowed to request an + initial refresh token during the authorization code grant flow. + This scope must be listed if allowedGrantTypes lists refresh_token. + - pinniped:request-audience: The client is allowed to request a + new audience value during a RFC8693 token exchange, which is a step + in the process to be able to get a cluster credential for the user. + openid, username and groups scopes must be listed when this scope + is present. This scope must be listed if allowedGrantTypes lists + urn:ietf:params:oauth:grant-type:token-exchange. - username: The + client is allowed to request that ID tokens contain the user's username. + Without the username scope being requested and allowed, the ID token + will not contain the user's username. 
- groups: The client is allowed + to request that ID tokens contain the user's group membership, if + their group membership is discoverable by the Supervisor. Without + the groups scope being requested and allowed, the ID token will + not contain groups." + items: + type: string + minItems: 1 + type: array + uniqueItems: true + required: + - allowedGrantTypes + - allowedRedirectURIs + - allowedScopes + type: object + status: + description: Status of the OIDC provider. + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/generated/1.21/README.adoc b/generated/1.21/README.adoc index 6abd6c4b..925391c3 100644 --- a/generated/1.21/README.adoc +++ b/generated/1.21/README.adoc @@ -12,6 +12,7 @@ - xref:{anchor_prefix}-identity-concierge-pinniped-dev-v1alpha1[$$identity.concierge.pinniped.dev/v1alpha1$$] - xref:{anchor_prefix}-idp-supervisor-pinniped-dev-v1alpha1[$$idp.supervisor.pinniped.dev/v1alpha1$$] - xref:{anchor_prefix}-login-concierge-pinniped-dev-v1alpha1[$$login.concierge.pinniped.dev/v1alpha1$$] +- xref:{anchor_prefix}-oauth-supervisor-pinniped-dev-v1alpha1[$$oauth.supervisor.pinniped.dev/v1alpha1$$] [id="{anchor_prefix}-authentication-concierge-pinniped-dev-v1alpha1"] 
@@ -1332,3 +1333,56 @@ TokenCredentialRequestStatus is the status of a TokenCredentialRequest, returned |=== + +[id="{anchor_prefix}-oauth-supervisor-pinniped-dev-v1alpha1"] +=== oauth.supervisor.pinniped.dev/v1alpha1 + +Package v1alpha1 is the v1alpha1 version of the Pinniped supervisor oauth API. + + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-oauth-v1alpha1-oidcclient"] +==== OIDCClient + +OIDCClient describes the configuration of an OIDC client. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-oauth-v1alpha1-oidcclientlist[$$OIDCClientList$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.21/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`. + +| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-oauth-v1alpha1-oidcclientspec[$$OIDCClientSpec$$]__ | Spec of the OIDC provider. +| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-oauth-v1alpha1-oidcclientstatus[$$OIDCClientStatus$$]__ | Status of the OIDC provider. +|=== + + + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-oauth-v1alpha1-oidcclientspec"] +==== OIDCClientSpec + +OIDCClientSpec is a struct that describes an OIDC Client. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-oauth-v1alpha1-oidcclient[$$OIDCClient$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`allowedRedirectURIs`* __string array__ | allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this client. Any other uris will be rejected. Must be https, unless it is a loopback. 
+| *`allowedGrantTypes`* __string array__ | allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this client. + Must only contain the following values: - authorization_code: allows the client to perform the authorization code grant flow, i.e. allows the webapp to authenticate users. This grant must always be listed. - refresh_token: allows the client to perform refresh grants for the user to extend the user's session. This grant must be listed if allowedScopes lists offline_access. - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. This grant must be listed if allowedScopes lists pinniped:request-audience. +| *`allowedScopes`* __string array__ | allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. + Must only contain the following values: - openid: The client is allowed to request ID tokens. ID tokens only include the required claims by default (iss, sub, aud, exp, iat). This scope must always be listed. - offline_access: The client is allowed to request an initial refresh token during the authorization code grant flow. This scope must be listed if allowedGrantTypes lists refresh_token. - pinniped:request-audience: The client is allowed to request a new audience value during a RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. openid, username and groups scopes must be listed when this scope is present. This scope must be listed if allowedGrantTypes lists urn:ietf:params:oauth:grant-type:token-exchange. - username: The client is allowed to request that ID tokens contain the user's username. Without the username scope being requested and allowed, the ID token will not contain the user's username. 
- groups: The client is allowed to request that ID tokens contain the user's group membership, if their group membership is discoverable by the Supervisor. Without the groups scope being requested and allowed, the ID token will not contain groups.
+|===
+
+
+
+
diff --git a/generated/1.21/apis/supervisor/oauth/v1alpha1/doc.go b/generated/1.21/apis/supervisor/oauth/v1alpha1/doc.go
new file mode 100644
index 00000000..75580481
--- /dev/null
+++ b/generated/1.21/apis/supervisor/oauth/v1alpha1/doc.go
@@ -0,0 +1,10 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// +k8s:openapi-gen=true
+// +k8s:deepcopy-gen=package
+// +k8s:defaulter-gen=TypeMeta
+// +groupName=oauth.supervisor.pinniped.dev
+
+// Package v1alpha1 is the v1alpha1 version of the Pinniped supervisor oauth API.
+package v1alpha1
diff --git a/generated/1.21/apis/supervisor/oauth/v1alpha1/register.go b/generated/1.21/apis/supervisor/oauth/v1alpha1/register.go
new file mode 100644
index 00000000..37ae1fbf
--- /dev/null
+++ b/generated/1.21/apis/supervisor/oauth/v1alpha1/register.go
@@ -0,0 +1,43 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import (
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/apimachinery/pkg/runtime"
+ "k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+const GroupName = "oauth.supervisor.pinniped.dev"
+
+// SchemeGroupVersion is group version used to register these objects.
+var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha1"}
+
+var (
+ SchemeBuilder runtime.SchemeBuilder
+ localSchemeBuilder = &SchemeBuilder
+ AddToScheme = localSchemeBuilder.AddToScheme
+)
+
+func init() {
+ // We only register manually written functions here. The registration of the
+ // generated functions takes place in the generated files. The separation
+ // makes the code compile even when the generated files are missing.
+ localSchemeBuilder.Register(addKnownTypes)
+}
+
+// Adds the list of known types to the given scheme.
+func addKnownTypes(scheme *runtime.Scheme) error {
+ scheme.AddKnownTypes(SchemeGroupVersion,
+ &OIDCClient{},
+ &OIDCClientList{},
+ )
+ metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
+ return nil
+}
+
+// Resource takes an unqualified resource and returns a Group qualified GroupResource.
+func Resource(resource string) schema.GroupResource {
+ return SchemeGroupVersion.WithResource(resource).GroupResource()
+}
diff --git a/generated/1.21/apis/supervisor/oauth/v1alpha1/types_oidcclient.go b/generated/1.21/apis/supervisor/oauth/v1alpha1/types_oidcclient.go
new file mode 100644
index 00000000..ee125443
--- /dev/null
+++ b/generated/1.21/apis/supervisor/oauth/v1alpha1/types_oidcclient.go
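Review bot: GroupName, SchemeBuilder and AddToScheme are exported without doc comments, and the comment on addKnownTypes does not begin with the function name, so lint-style checks will flag this file. Suggested wording: `// GroupName is the API group under which the OIDCClient types are registered.` on the const, and `// addKnownTypes adds the list of known types to the given scheme.` for the function. The generated/1.21 path looks like a per-Kubernetes-version copy of a hand-written source, so the fix presumably belongs at the origin and should then be regenerated here.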
@@ -0,0 +1,84 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import (
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// OIDCClientSpec is a struct that describes an OIDC Client.
+type OIDCClientSpec struct {
+ // allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this
+ // client. Any other uris will be rejected.
+ // Must be https, unless it is a loopback.
+ // +kubebuilder:validation:UniqueItems=true
+ // +kubebuilder:validation:MinItems=1
+ AllowedRedirectURIs []string `json:"allowedRedirectURIs"`
+
+ // allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this
+ // client.
+ //
+ // Must only contain the following values:
+ // - authorization_code: allows the client to perform the authorization code grant flow, i.e. allows the webapp to
+ // authenticate users. This grant must always be listed.
+ // - refresh_token: allows the client to perform refresh grants for the user to extend the user's session.
+ // This grant must be listed if allowedScopes lists offline_access.
+ // - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange,
+ // which is a step in the process to be able to get a cluster credential for the user.
+ // This grant must be listed if allowedScopes lists pinniped:request-audience.
+ // +kubebuilder:validation:UniqueItems=true
+ // +kubebuilder:validation:MinItems=1
+ AllowedGrantTypes []string `json:"allowedGrantTypes"`
+
+ // allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client.
+ //
+ // Must only contain the following values:
+ // - openid: The client is allowed to request ID tokens. ID tokens only include the required claims by default (iss, sub, aud, exp, iat).
+ // This scope must always be listed.
+ // - offline_access: The client is allowed to request an initial refresh token during the authorization code grant flow.
+ // This scope must be listed if allowedGrantTypes lists refresh_token.
+ // - pinniped:request-audience: The client is allowed to request a new audience value during a RFC8693 token exchange,
+ // which is a step in the process to be able to get a cluster credential for the user.
+ // openid, username and groups scopes must be listed when this scope is present.
+ // This scope must be listed if allowedGrantTypes lists urn:ietf:params:oauth:grant-type:token-exchange.
+ // - username: The client is allowed to request that ID tokens contain the user's username.
+ // Without the username scope being requested and allowed, the ID token will not contain the user's username.
+ // - groups: The client is allowed to request that ID tokens contain the user's group membership,
+ // if their group membership is discoverable by the Supervisor.
+ // Without the groups scope being requested and allowed, the ID token will not contain groups.
+ // +kubebuilder:validation:UniqueItems=true
+ // +kubebuilder:validation:MinItems=1
+ AllowedScopes []string `json:"allowedScopes"`
+}
+
+// OIDCClientStatus is a struct that describes the actual state of an OIDC Client.
+type OIDCClientStatus struct {
+}
+
+// OIDCClient describes the configuration of an OIDC client.
+// +genclient
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+// +kubebuilder:resource:categories=pinniped
+// +kubebuilder:printcolumn:name="Privileged",type=boolean,JSONPath=`{range .spec.allowedScopes[?(@ == "pinniped:request-audience")]}{true}{end}{false}`
+// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
+// +kubebuilder:subresource:status
+type OIDCClient struct {
+ metav1.TypeMeta `json:",inline"`
+ metav1.ObjectMeta `json:"metadata,omitempty"`
+
+ // Spec of the OIDC provider.
+ Spec OIDCClientSpec `json:"spec"`
+
+ // Status of the OIDC provider.
+ Status OIDCClientStatus `json:"status,omitempty"`
+}
+
+// List of OIDCClient objects.
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+type OIDCClientList struct {
+ metav1.TypeMeta `json:",inline"`
+ metav1.ListMeta `json:"metadata,omitempty"`
+
+ Items []OIDCClient `json:"items"`
+}
diff --git a/generated/1.21/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go b/generated/1.21/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go
new file mode 100644
index 00000000..cb35cea5
--- /dev/null
+++ b/generated/1.21/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go
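Review bot: The comments on allowedGrantTypes and allowedScopes say the lists "Must only contain the following values", and allowedRedirectURIs "Must be https, unless it is a loopback", but the only validation markers in OIDCClientSpec are UniqueItems and MinItems, so the API server will store any string and enforcement, if it exists, has to happen in Supervisor code that is not part of this hunk. Because these lists decide whether a client may obtain refresh tokens, exchange tokens for cluster credentials, or see group membership, rejecting unknown values at admission is cheap defense in depth; a named string type carrying an Enum marker (sketch below, JSON shape unchanged, deepcopy and the CRD yaml would need regenerating) does this for the two closed lists, while the https/loopback rule is better left to code plus a comment naming where it is checked. I cannot confirm from this hunk that the enum strings match exactly what the Supervisor compares against, so that should be checked before adopting it. Separately, the field comments `// Spec of the OIDC provider.` and `// Status of the OIDC provider.` look copy-pasted from another type and should read `// Spec of the OIDC client.` and `// Status of the OIDC client.`; the same wording reappears in the CRD yaml and README descriptions this commit generates from them.
```go
// GrantType is a grant_type value that an OIDCClient may be allowed to use.
// +kubebuilder:validation:Enum={"authorization_code","refresh_token","urn:ietf:params:oauth:grant-type:token-exchange"}
type GrantType string

// Scope is a scope value that an OIDCClient may be allowed to request.
// +kubebuilder:validation:Enum={"openid","offline_access","pinniped:request-audience","username","groups"}
type Scope string

// … unchanged: OIDCClientSpec doc comments, UniqueItems/MinItems markers and AllowedRedirectURIs …
	AllowedGrantTypes []GrantType `json:"allowedGrantTypes"`
	AllowedScopes []Scope `json:"allowedScopes"`
```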
@@ -0,0 +1,121 @@ +//go:build !ignore_autogenerated +// +build !ignore_autogenerated + +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by deepcopy-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + runtime "k8s.io/apimachinery/pkg/runtime" +) + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCClient) DeepCopyInto(out *OIDCClient) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + in.Spec.DeepCopyInto(&out.Spec) + out.Status = in.Status + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClient. +func (in *OIDCClient) DeepCopy() *OIDCClient { + if in == nil { + return nil + } + out := new(OIDCClient) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *OIDCClient) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCClientList) DeepCopyInto(out *OIDCClientList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]OIDCClient, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientList. +func (in *OIDCClientList) DeepCopy() *OIDCClientList { + if in == nil { + return nil + } + out := new(OIDCClientList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. 
+func (in *OIDCClientList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCClientSpec) DeepCopyInto(out *OIDCClientSpec) { + *out = *in + if in.AllowedRedirectURIs != nil { + in, out := &in.AllowedRedirectURIs, &out.AllowedRedirectURIs + *out = make([]string, len(*in)) + copy(*out, *in) + } + if in.AllowedGrantTypes != nil { + in, out := &in.AllowedGrantTypes, &out.AllowedGrantTypes + *out = make([]string, len(*in)) + copy(*out, *in) + } + if in.AllowedScopes != nil { + in, out := &in.AllowedScopes, &out.AllowedScopes + *out = make([]string, len(*in)) + copy(*out, *in) + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSpec. +func (in *OIDCClientSpec) DeepCopy() *OIDCClientSpec { + if in == nil { + return nil + } + out := new(OIDCClientSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCClientStatus) DeepCopyInto(out *OIDCClientStatus) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientStatus. +func (in *OIDCClientStatus) DeepCopy() *OIDCClientStatus { + if in == nil { + return nil + } + out := new(OIDCClientStatus) + in.DeepCopyInto(out) + return out +} diff --git a/generated/1.21/client/supervisor/clientset/versioned/clientset.go b/generated/1.21/client/supervisor/clientset/versioned/clientset.go index aa52f6ae..23d76422 100644 --- a/generated/1.21/client/supervisor/clientset/versioned/clientset.go +++ b/generated/1.21/client/supervisor/clientset/versioned/clientset.go 
@@ -10,6 +10,7 @@ import ( configv1alpha1 "go.pinniped.dev/generated/1.21/client/supervisor/clientset/versioned/typed/config/v1alpha1" idpv1alpha1 "go.pinniped.dev/generated/1.21/client/supervisor/clientset/versioned/typed/idp/v1alpha1" + oauthv1alpha1 "go.pinniped.dev/generated/1.21/client/supervisor/clientset/versioned/typed/oauth/v1alpha1" discovery "k8s.io/client-go/discovery" rest "k8s.io/client-go/rest" flowcontrol "k8s.io/client-go/util/flowcontrol" @@ -19,6 +20,7 @@ type Interface interface { Discovery() discovery.DiscoveryInterface ConfigV1alpha1() configv1alpha1.ConfigV1alpha1Interface IDPV1alpha1() idpv1alpha1.IDPV1alpha1Interface + OauthV1alpha1() oauthv1alpha1.OauthV1alpha1Interface } // Clientset contains the clients for groups. Each group has exactly one @@ -27,6 +29,7 @@ type Clientset struct { *discovery.DiscoveryClient configV1alpha1 *configv1alpha1.ConfigV1alpha1Client iDPV1alpha1 *idpv1alpha1.IDPV1alpha1Client + oauthV1alpha1 *oauthv1alpha1.OauthV1alpha1Client } // ConfigV1alpha1 retrieves the ConfigV1alpha1Client @@ -39,6 +42,11 @@ func (c *Clientset) IDPV1alpha1() idpv1alpha1.IDPV1alpha1Interface { return c.iDPV1alpha1 } +// OauthV1alpha1 retrieves the OauthV1alpha1Client +func (c *Clientset) OauthV1alpha1() oauthv1alpha1.OauthV1alpha1Interface { + return c.oauthV1alpha1 +} + // Discovery retrieves the DiscoveryClient func (c *Clientset) Discovery() discovery.DiscoveryInterface { if c == nil { @@ -68,6 +76,10 @@ func NewForConfig(c *rest.Config) (*Clientset, error) { if err != nil { return nil, err } + cs.oauthV1alpha1, err = oauthv1alpha1.NewForConfig(&configShallowCopy) + if err != nil { + return nil, err + } cs.DiscoveryClient, err = discovery.NewDiscoveryClientForConfig(&configShallowCopy) if err != nil { 
@@ -82,6 +94,7 @@ func NewForConfigOrDie(c *rest.Config) *Clientset { var cs Clientset cs.configV1alpha1 = configv1alpha1.NewForConfigOrDie(c) cs.iDPV1alpha1 = idpv1alpha1.NewForConfigOrDie(c) + cs.oauthV1alpha1 = oauthv1alpha1.NewForConfigOrDie(c) cs.DiscoveryClient = discovery.NewDiscoveryClientForConfigOrDie(c) return &cs @@ -92,6 +105,7 @@ func New(c rest.Interface) *Clientset { var cs Clientset cs.configV1alpha1 = configv1alpha1.New(c) cs.iDPV1alpha1 = idpv1alpha1.New(c) + cs.oauthV1alpha1 = oauthv1alpha1.New(c) cs.DiscoveryClient = discovery.NewDiscoveryClient(c) return &cs diff --git a/generated/1.21/client/supervisor/clientset/versioned/fake/clientset_generated.go b/generated/1.21/client/supervisor/clientset/versioned/fake/clientset_generated.go index 31bf30c1..6a40aa3e 100644 --- a/generated/1.21/client/supervisor/clientset/versioned/fake/clientset_generated.go +++ b/generated/1.21/client/supervisor/clientset/versioned/fake/clientset_generated.go @@ -11,6 +11,8 @@ import ( fakeconfigv1alpha1 "go.pinniped.dev/generated/1.21/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake" idpv1alpha1 "go.pinniped.dev/generated/1.21/client/supervisor/clientset/versioned/typed/idp/v1alpha1" fakeidpv1alpha1 "go.pinniped.dev/generated/1.21/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake" + oauthv1alpha1 "go.pinniped.dev/generated/1.21/client/supervisor/clientset/versioned/typed/oauth/v1alpha1" + fakeoauthv1alpha1 "go.pinniped.dev/generated/1.21/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake" "k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/watch" "k8s.io/client-go/discovery" 
@@ -74,3 +76,8 @@ func (c *Clientset) ConfigV1alpha1() configv1alpha1.ConfigV1alpha1Interface { func (c *Clientset) IDPV1alpha1() idpv1alpha1.IDPV1alpha1Interface { return &fakeidpv1alpha1.FakeIDPV1alpha1{Fake: &c.Fake} } + +// OauthV1alpha1 retrieves the OauthV1alpha1Client +func (c *Clientset) OauthV1alpha1() oauthv1alpha1.OauthV1alpha1Interface { + return &fakeoauthv1alpha1.FakeOauthV1alpha1{Fake: &c.Fake} +} diff --git a/generated/1.21/client/supervisor/clientset/versioned/fake/register.go b/generated/1.21/client/supervisor/clientset/versioned/fake/register.go index 3a9d6a18..8fb2f241 100644 --- a/generated/1.21/client/supervisor/clientset/versioned/fake/register.go +++ b/generated/1.21/client/supervisor/clientset/versioned/fake/register.go @@ -8,6 +8,7 @@ package fake import ( configv1alpha1 "go.pinniped.dev/generated/1.21/apis/supervisor/config/v1alpha1" idpv1alpha1 "go.pinniped.dev/generated/1.21/apis/supervisor/idp/v1alpha1" + oauthv1alpha1 "go.pinniped.dev/generated/1.21/apis/supervisor/oauth/v1alpha1" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" runtime "k8s.io/apimachinery/pkg/runtime" schema "k8s.io/apimachinery/pkg/runtime/schema" @@ -21,6 +22,7 @@ var codecs = serializer.NewCodecFactory(scheme) var localSchemeBuilder = runtime.SchemeBuilder{ configv1alpha1.AddToScheme, idpv1alpha1.AddToScheme, + oauthv1alpha1.AddToScheme, } // AddToScheme adds all types of this clientset into the given scheme. This allows composition diff --git a/generated/1.21/client/supervisor/clientset/versioned/scheme/register.go b/generated/1.21/client/supervisor/clientset/versioned/scheme/register.go index 0629cdd4..ca3c854a 100644 --- a/generated/1.21/client/supervisor/clientset/versioned/scheme/register.go +++ b/generated/1.21/client/supervisor/clientset/versioned/scheme/register.go 
@@ -8,6 +8,7 @@ package scheme import ( configv1alpha1 "go.pinniped.dev/generated/1.21/apis/supervisor/config/v1alpha1" idpv1alpha1 "go.pinniped.dev/generated/1.21/apis/supervisor/idp/v1alpha1" + oauthv1alpha1 "go.pinniped.dev/generated/1.21/apis/supervisor/oauth/v1alpha1" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" runtime "k8s.io/apimachinery/pkg/runtime" schema "k8s.io/apimachinery/pkg/runtime/schema" @@ -21,6 +22,7 @@ var ParameterCodec = runtime.NewParameterCodec(Scheme) var localSchemeBuilder = runtime.SchemeBuilder{ configv1alpha1.AddToScheme, idpv1alpha1.AddToScheme, + oauthv1alpha1.AddToScheme, } // AddToScheme adds all types of this clientset into the given scheme. This allows composition diff --git a/generated/1.21/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/doc.go b/generated/1.21/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/doc.go new file mode 100644 index 00000000..e7a470b6 --- /dev/null +++ b/generated/1.21/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/doc.go @@ -0,0 +1,7 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +// This package has the automatically generated typed clients. +package v1alpha1 diff --git a/generated/1.21/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go b/generated/1.21/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go new file mode 100644 index 00000000..7906901b --- /dev/null +++ b/generated/1.21/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go @@ -0,0 +1,7 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +// Package fake has the automatically generated clients. +package fake 
diff --git a/generated/1.21/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go b/generated/1.21/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go new file mode 100644 index 00000000..8e56072b --- /dev/null +++ b/generated/1.21/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go @@ -0,0 +1,27 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package fake + +import ( + v1alpha1 "go.pinniped.dev/generated/1.21/client/supervisor/clientset/versioned/typed/oauth/v1alpha1" + rest "k8s.io/client-go/rest" + testing "k8s.io/client-go/testing" +) + +type FakeOauthV1alpha1 struct { + *testing.Fake +} + +func (c *FakeOauthV1alpha1) OIDCClients(namespace string) v1alpha1.OIDCClientInterface { + return &FakeOIDCClients{c, namespace} +} + +// RESTClient returns a RESTClient that is used to communicate +// with API server by this client implementation. +func (c *FakeOauthV1alpha1) RESTClient() rest.Interface { + var ret *rest.RESTClient + return ret +} diff --git a/generated/1.21/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oidcclient.go b/generated/1.21/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oidcclient.go new file mode 100644 index 00000000..cdd06d71 --- /dev/null +++ b/generated/1.21/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oidcclient.go 
@@ -0,0 +1,129 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package fake + +import ( + "context" + + v1alpha1 "go.pinniped.dev/generated/1.21/apis/supervisor/oauth/v1alpha1" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + labels "k8s.io/apimachinery/pkg/labels" + schema "k8s.io/apimachinery/pkg/runtime/schema" + types "k8s.io/apimachinery/pkg/types" + watch "k8s.io/apimachinery/pkg/watch" + testing "k8s.io/client-go/testing" +) + +// FakeOIDCClients implements OIDCClientInterface +type FakeOIDCClients struct { + Fake *FakeOauthV1alpha1 + ns string +} + +var oidcclientsResource = schema.GroupVersionResource{Group: "oauth.supervisor.pinniped.dev", Version: "v1alpha1", Resource: "oidcclients"} + +var oidcclientsKind = schema.GroupVersionKind{Group: "oauth.supervisor.pinniped.dev", Version: "v1alpha1", Kind: "OIDCClient"} + +// Get takes name of the oIDCClient, and returns the corresponding oIDCClient object, and an error if there is any. +func (c *FakeOIDCClients) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.OIDCClient, err error) { + obj, err := c.Fake. + Invokes(testing.NewGetAction(oidcclientsResource, c.ns, name), &v1alpha1.OIDCClient{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.OIDCClient), err +} + +// List takes label and field selectors, and returns the list of OIDCClients that match those selectors. +func (c *FakeOIDCClients) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.OIDCClientList, err error) { + obj, err := c.Fake. 
+ Invokes(testing.NewListAction(oidcclientsResource, oidcclientsKind, c.ns, opts), &v1alpha1.OIDCClientList{}) + + if obj == nil { + return nil, err + } + + label, _, _ := testing.ExtractFromListOptions(opts) + if label == nil { + label = labels.Everything() + } + list := &v1alpha1.OIDCClientList{ListMeta: obj.(*v1alpha1.OIDCClientList).ListMeta} + for _, item := range obj.(*v1alpha1.OIDCClientList).Items { + if label.Matches(labels.Set(item.Labels)) { + list.Items = append(list.Items, item) + } + } + return list, err +} + +// Watch returns a watch.Interface that watches the requested oIDCClients. +func (c *FakeOIDCClients) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) { + return c.Fake. + InvokesWatch(testing.NewWatchAction(oidcclientsResource, c.ns, opts)) + +} + +// Create takes the representation of a oIDCClient and creates it. Returns the server's representation of the oIDCClient, and an error, if there is any. +func (c *FakeOIDCClients) Create(ctx context.Context, oIDCClient *v1alpha1.OIDCClient, opts v1.CreateOptions) (result *v1alpha1.OIDCClient, err error) { + obj, err := c.Fake. + Invokes(testing.NewCreateAction(oidcclientsResource, c.ns, oIDCClient), &v1alpha1.OIDCClient{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.OIDCClient), err +} + +// Update takes the representation of a oIDCClient and updates it. Returns the server's representation of the oIDCClient, and an error, if there is any. +func (c *FakeOIDCClients) Update(ctx context.Context, oIDCClient *v1alpha1.OIDCClient, opts v1.UpdateOptions) (result *v1alpha1.OIDCClient, err error) { + obj, err := c.Fake. + Invokes(testing.NewUpdateAction(oidcclientsResource, c.ns, oIDCClient), &v1alpha1.OIDCClient{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.OIDCClient), err +} + +// UpdateStatus was generated because the type contains a Status member. +// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus(). 
+func (c *FakeOIDCClients) UpdateStatus(ctx context.Context, oIDCClient *v1alpha1.OIDCClient, opts v1.UpdateOptions) (*v1alpha1.OIDCClient, error) { + obj, err := c.Fake. + Invokes(testing.NewUpdateSubresourceAction(oidcclientsResource, "status", c.ns, oIDCClient), &v1alpha1.OIDCClient{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.OIDCClient), err +} + +// Delete takes name of the oIDCClient and deletes it. Returns an error if one occurs. +func (c *FakeOIDCClients) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error { + _, err := c.Fake. + Invokes(testing.NewDeleteAction(oidcclientsResource, c.ns, name), &v1alpha1.OIDCClient{}) + + return err +} + +// DeleteCollection deletes a collection of objects. +func (c *FakeOIDCClients) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error { + action := testing.NewDeleteCollectionAction(oidcclientsResource, c.ns, listOpts) + + _, err := c.Fake.Invokes(action, &v1alpha1.OIDCClientList{}) + return err +} + +// Patch applies the patch and returns the patched oIDCClient. +func (c *FakeOIDCClients) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.OIDCClient, err error) { + obj, err := c.Fake. + Invokes(testing.NewPatchSubresourceAction(oidcclientsResource, c.ns, name, pt, data, subresources...), &v1alpha1.OIDCClient{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.OIDCClient), err +} diff --git a/generated/1.21/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go b/generated/1.21/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go new file mode 100644 index 00000000..87d22ea9 --- /dev/null +++ b/generated/1.21/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go 
@@ -0,0 +1,8 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package v1alpha1 + +type OIDCClientExpansion interface{} diff --git a/generated/1.21/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go b/generated/1.21/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go new file mode 100644 index 00000000..259f1b10 --- /dev/null +++ b/generated/1.21/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go 
@@ -0,0 +1,76 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + v1alpha1 "go.pinniped.dev/generated/1.21/apis/supervisor/oauth/v1alpha1" + "go.pinniped.dev/generated/1.21/client/supervisor/clientset/versioned/scheme" + rest "k8s.io/client-go/rest" +) + +type OauthV1alpha1Interface interface { + RESTClient() rest.Interface + OIDCClientsGetter +} + +// OauthV1alpha1Client is used to interact with features provided by the oauth.supervisor.pinniped.dev group. +type OauthV1alpha1Client struct { + restClient rest.Interface +} + +func (c *OauthV1alpha1Client) OIDCClients(namespace string) OIDCClientInterface { + return newOIDCClients(c, namespace) +} + +// NewForConfig creates a new OauthV1alpha1Client for the given config. +func NewForConfig(c *rest.Config) (*OauthV1alpha1Client, error) { + config := *c + if err := setConfigDefaults(&config); err != nil { + return nil, err + } + client, err := rest.RESTClientFor(&config) + if err != nil { + return nil, err + } + return &OauthV1alpha1Client{client}, nil +} + +// NewForConfigOrDie creates a new OauthV1alpha1Client for the given config and +// panics if there is an error in the config. +func NewForConfigOrDie(c *rest.Config) *OauthV1alpha1Client { + client, err := NewForConfig(c) + if err != nil { + panic(err) + } + return client +} + +// New creates a new OauthV1alpha1Client for the given RESTClient. 
+func New(c rest.Interface) *OauthV1alpha1Client { + return &OauthV1alpha1Client{c} +} + +func setConfigDefaults(config *rest.Config) error { + gv := v1alpha1.SchemeGroupVersion + config.GroupVersion = &gv + config.APIPath = "/apis" + config.NegotiatedSerializer = scheme.Codecs.WithoutConversion() + + if config.UserAgent == "" { + config.UserAgent = rest.DefaultKubernetesUserAgent() + } + + return nil +} + +// RESTClient returns a RESTClient that is used to communicate +// with API server by this client implementation. +func (c *OauthV1alpha1Client) RESTClient() rest.Interface { + if c == nil { + return nil + } + return c.restClient +} diff --git a/generated/1.21/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oidcclient.go b/generated/1.21/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oidcclient.go new file mode 100644 index 00000000..c7e2f82b --- /dev/null +++ b/generated/1.21/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oidcclient.go 
@@ -0,0 +1,182 @@
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by client-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+ "context"
+ "time"
+
+ v1alpha1 "go.pinniped.dev/generated/1.21/apis/supervisor/oauth/v1alpha1"
+ scheme "go.pinniped.dev/generated/1.21/client/supervisor/clientset/versioned/scheme"
+ v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ types "k8s.io/apimachinery/pkg/types"
+ watch "k8s.io/apimachinery/pkg/watch"
+ rest "k8s.io/client-go/rest"
+)
+
+// OIDCClientsGetter has a method to return a OIDCClientInterface.
+// A group's client should implement this interface.
+type OIDCClientsGetter interface {
+ OIDCClients(namespace string) OIDCClientInterface
+}
+
+// OIDCClientInterface has methods to work with OIDCClient resources.
+type OIDCClientInterface interface {
+ Create(ctx context.Context, oIDCClient *v1alpha1.OIDCClient, opts v1.CreateOptions) (*v1alpha1.OIDCClient, error)
+ Update(ctx context.Context, oIDCClient *v1alpha1.OIDCClient, opts v1.UpdateOptions) (*v1alpha1.OIDCClient, error)
+ UpdateStatus(ctx context.Context, oIDCClient *v1alpha1.OIDCClient, opts v1.UpdateOptions) (*v1alpha1.OIDCClient, error)
+ Delete(ctx context.Context, name string, opts v1.DeleteOptions) error
+ DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error
+ Get(ctx context.Context, name string, opts v1.GetOptions) (*v1alpha1.OIDCClient, error)
+ List(ctx context.Context, opts v1.ListOptions) (*v1alpha1.OIDCClientList, error)
+ Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error)
+ Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.OIDCClient, err error)
+ OIDCClientExpansion
+}
+
+// oIDCClients implements OIDCClientInterface
+type oIDCClients struct {
+ client rest.Interface
+ ns string
+}
+
+// newOIDCClients returns a OIDCClients
+func newOIDCClients(c *OauthV1alpha1Client, namespace string) *oIDCClients {
+ return &oIDCClients{
+ client: c.RESTClient(),
+ ns: namespace,
+ }
+}
+
+// Get takes name of the oIDCClient, and returns the corresponding oIDCClient object, and an error if there is any.
+func (c *oIDCClients) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.OIDCClient, err error) {
+ result = &v1alpha1.OIDCClient{}
+ err = c.client.Get().
+ Namespace(c.ns).
+ Resource("oidcclients").
+ Name(name).
+ VersionedParams(&options, scheme.ParameterCodec).
+ Do(ctx).
+ Into(result)
+ return
+}
+
+// List takes label and field selectors, and returns the list of OIDCClients that match those selectors.
+func (c *oIDCClients) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.OIDCClientList, err error) {
+ var timeout time.Duration
+ if opts.TimeoutSeconds != nil {
+ timeout = time.Duration(*opts.TimeoutSeconds) * time.Second
+ }
+ result = &v1alpha1.OIDCClientList{}
+ err = c.client.Get().
+ Namespace(c.ns).
+ Resource("oidcclients").
+ VersionedParams(&opts, scheme.ParameterCodec).
+ Timeout(timeout).
+ Do(ctx).
+ Into(result)
+ return
+}
+
+// Watch returns a watch.Interface that watches the requested oIDCClients.
+func (c *oIDCClients) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) {
+ var timeout time.Duration
+ if opts.TimeoutSeconds != nil {
+ timeout = time.Duration(*opts.TimeoutSeconds) * time.Second
+ }
+ opts.Watch = true
+ return c.client.Get().
+ Namespace(c.ns).
+ Resource("oidcclients").
+ VersionedParams(&opts, scheme.ParameterCodec).
+ Timeout(timeout).
+ Watch(ctx)
+}
+
+// Create takes the representation of a oIDCClient and creates it. Returns the server's representation of the oIDCClient, and an error, if there is any.
+func (c *oIDCClients) Create(ctx context.Context, oIDCClient *v1alpha1.OIDCClient, opts v1.CreateOptions) (result *v1alpha1.OIDCClient, err error) {
+ result = &v1alpha1.OIDCClient{}
+ err = c.client.Post().
+ Namespace(c.ns).
+ Resource("oidcclients").
+ VersionedParams(&opts, scheme.ParameterCodec).
+ Body(oIDCClient).
+ Do(ctx).
+ Into(result)
+ return
+}
+
+// Update takes the representation of a oIDCClient and updates it. Returns the server's representation of the oIDCClient, and an error, if there is any.
+func (c *oIDCClients) Update(ctx context.Context, oIDCClient *v1alpha1.OIDCClient, opts v1.UpdateOptions) (result *v1alpha1.OIDCClient, err error) {
+ result = &v1alpha1.OIDCClient{}
+ err = c.client.Put().
+ Namespace(c.ns).
+ Resource("oidcclients").
+ Name(oIDCClient.Name).
+ VersionedParams(&opts, scheme.ParameterCodec).
+ Body(oIDCClient).
+ Do(ctx).
+ Into(result)
+ return
+}
+
+// UpdateStatus was generated because the type contains a Status member.
+// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
+func (c *oIDCClients) UpdateStatus(ctx context.Context, oIDCClient *v1alpha1.OIDCClient, opts v1.UpdateOptions) (result *v1alpha1.OIDCClient, err error) {
+ result = &v1alpha1.OIDCClient{}
+ err = c.client.Put().
+ Namespace(c.ns).
+ Resource("oidcclients").
+ Name(oIDCClient.Name).
+ SubResource("status").
+ VersionedParams(&opts, scheme.ParameterCodec).
+ Body(oIDCClient).
+ Do(ctx).
+ Into(result)
+ return
+}
+
+// Delete takes name of the oIDCClient and deletes it. Returns an error if one occurs.
+func (c *oIDCClients) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error {
+ return c.client.Delete().
+ Namespace(c.ns).
+ Resource("oidcclients").
+ Name(name).
+ Body(&opts).
+ Do(ctx).
+ Error()
+}
+
+// DeleteCollection deletes a collection of objects.
+func (c *oIDCClients) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error {
+ var timeout time.Duration
+ if listOpts.TimeoutSeconds != nil {
+ timeout = time.Duration(*listOpts.TimeoutSeconds) * time.Second
+ }
+ return c.client.Delete().
+ Namespace(c.ns).
+ Resource("oidcclients").
+ VersionedParams(&listOpts, scheme.ParameterCodec).
+ Timeout(timeout).
+ Body(&opts).
+ Do(ctx).
+ Error()
+}
+
+// Patch applies the patch and returns the patched oIDCClient.
+func (c *oIDCClients) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.OIDCClient, err error) {
+ result = &v1alpha1.OIDCClient{}
+ err = c.client.Patch(pt).
+ Namespace(c.ns).
+ Resource("oidcclients").
+ Name(name).
+ SubResource(subresources...).
+ VersionedParams(&opts, scheme.ParameterCodec).
+ Body(data).
+ Do(ctx).
+ Into(result)
+ return
+}
diff --git a/generated/1.21/client/supervisor/informers/externalversions/factory.go b/generated/1.21/client/supervisor/informers/externalversions/factory.go
index 09200fa1..5f2301a2 100644
--- a/generated/1.21/client/supervisor/informers/externalversions/factory.go
+++ b/generated/1.21/client/supervisor/informers/externalversions/factory.go
@@ -14,6 +14,7 @@ import (
  config "go.pinniped.dev/generated/1.21/client/supervisor/informers/externalversions/config"
  idp "go.pinniped.dev/generated/1.21/client/supervisor/informers/externalversions/idp"
  internalinterfaces "go.pinniped.dev/generated/1.21/client/supervisor/informers/externalversions/internalinterfaces"
+ oauth "go.pinniped.dev/generated/1.21/client/supervisor/informers/externalversions/oauth"
  v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
  runtime "k8s.io/apimachinery/pkg/runtime"
  schema "k8s.io/apimachinery/pkg/runtime/schema"
@@ -162,6 +163,7 @@ type SharedInformerFactory interface { Config() config.Interface IDP() idp.Interface + Oauth() oauth.Interface } func (f *sharedInformerFactory) Config() config.Interface { @@ -171,3 +173,7 @@ func (f *sharedInformerFactory) Config() config.Interface { func (f *sharedInformerFactory) IDP() idp.Interface { return idp.New(f, f.namespace, f.tweakListOptions) } + +func (f *sharedInformerFactory) Oauth() oauth.Interface { + return oauth.New(f, f.namespace, f.tweakListOptions) +} diff --git a/generated/1.21/client/supervisor/informers/externalversions/generic.go b/generated/1.21/client/supervisor/informers/externalversions/generic.go index 1ccbd3e6..d08e96cf 100644 --- a/generated/1.21/client/supervisor/informers/externalversions/generic.go +++ b/generated/1.21/client/supervisor/informers/externalversions/generic.go @@ -10,6 +10,7 @@ import ( v1alpha1 "go.pinniped.dev/generated/1.21/apis/supervisor/config/v1alpha1" idpv1alpha1 "go.pinniped.dev/generated/1.21/apis/supervisor/idp/v1alpha1" + oauthv1alpha1 "go.pinniped.dev/generated/1.21/apis/supervisor/oauth/v1alpha1" schema "k8s.io/apimachinery/pkg/runtime/schema" cache "k8s.io/client-go/tools/cache" ) @@ -52,6 +53,10 @@ func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource case idpv1alpha1.SchemeGroupVersion.WithResource("oidcidentityproviders"): return &genericInformer{resource: resource.GroupResource(), informer: f.IDP().V1alpha1().OIDCIdentityProviders().Informer()}, nil + // Group=oauth.supervisor.pinniped.dev, Version=v1alpha1 + case oauthv1alpha1.SchemeGroupVersion.WithResource("oidcclients"): + return &genericInformer{resource: resource.GroupResource(), informer: f.Oauth().V1alpha1().OIDCClients().Informer()}, nil + } return nil, fmt.Errorf("no informer found for %v", resource) 
diff --git a/generated/1.21/client/supervisor/informers/externalversions/oauth/interface.go b/generated/1.21/client/supervisor/informers/externalversions/oauth/interface.go
new file mode 100644
index 00000000..d734d0d3
--- /dev/null
+++ b/generated/1.21/client/supervisor/informers/externalversions/oauth/interface.go
@@ -0,0 +1,33 @@
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by informer-gen. DO NOT EDIT.
+
+package oauth
+
+import (
+ internalinterfaces "go.pinniped.dev/generated/1.21/client/supervisor/informers/externalversions/internalinterfaces"
+ v1alpha1 "go.pinniped.dev/generated/1.21/client/supervisor/informers/externalversions/oauth/v1alpha1"
+)
+
+// Interface provides access to each of this group's versions.
+type Interface interface {
+ // V1alpha1 provides access to shared informers for resources in V1alpha1.
+ V1alpha1() v1alpha1.Interface
+}
+
+type group struct {
+ factory internalinterfaces.SharedInformerFactory
+ namespace string
+ tweakListOptions internalinterfaces.TweakListOptionsFunc
+}
+
+// New returns a new Interface.
+func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakListOptions internalinterfaces.TweakListOptionsFunc) Interface {
+ return &group{factory: f, namespace: namespace, tweakListOptions: tweakListOptions}
+}
+
+// V1alpha1 returns a new v1alpha1.Interface.
+func (g *group) V1alpha1() v1alpha1.Interface {
+ return v1alpha1.New(g.factory, g.namespace, g.tweakListOptions)
+}
diff --git a/generated/1.21/client/supervisor/informers/externalversions/oauth/v1alpha1/interface.go b/generated/1.21/client/supervisor/informers/externalversions/oauth/v1alpha1/interface.go
new file mode 100644
index 00000000..05ad0a58
--- /dev/null
+++ b/generated/1.21/client/supervisor/informers/externalversions/oauth/v1alpha1/interface.go
@@ -0,0 +1,32 @@
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by informer-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+ internalinterfaces "go.pinniped.dev/generated/1.21/client/supervisor/informers/externalversions/internalinterfaces"
+)
+
+// Interface provides access to all the informers in this group version.
+type Interface interface {
+ // OIDCClients returns a OIDCClientInformer.
+ OIDCClients() OIDCClientInformer
+}
+
+type version struct {
+ factory internalinterfaces.SharedInformerFactory
+ namespace string
+ tweakListOptions internalinterfaces.TweakListOptionsFunc
+}
+
+// New returns a new Interface.
+func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakListOptions internalinterfaces.TweakListOptionsFunc) Interface {
+ return &version{factory: f, namespace: namespace, tweakListOptions: tweakListOptions}
+}
+
+// OIDCClients returns a OIDCClientInformer.
+func (v *version) OIDCClients() OIDCClientInformer {
+ return &oIDCClientInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions}
+}
diff --git a/generated/1.21/client/supervisor/informers/externalversions/oauth/v1alpha1/oidcclient.go b/generated/1.21/client/supervisor/informers/externalversions/oauth/v1alpha1/oidcclient.go
new file mode 100644
index 00000000..f56b83db
--- /dev/null
+++ b/generated/1.21/client/supervisor/informers/externalversions/oauth/v1alpha1/oidcclient.go
@@ -0,0 +1,77 @@
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by informer-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+ "context"
+ time "time"
+
+ oauthv1alpha1 "go.pinniped.dev/generated/1.21/apis/supervisor/oauth/v1alpha1"
+ versioned "go.pinniped.dev/generated/1.21/client/supervisor/clientset/versioned"
+ internalinterfaces "go.pinniped.dev/generated/1.21/client/supervisor/informers/externalversions/internalinterfaces"
+ v1alpha1 "go.pinniped.dev/generated/1.21/client/supervisor/listers/oauth/v1alpha1"
+ v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ runtime "k8s.io/apimachinery/pkg/runtime"
+ watch "k8s.io/apimachinery/pkg/watch"
+ cache "k8s.io/client-go/tools/cache"
+)
+
+// OIDCClientInformer provides access to a shared informer and lister for
+// OIDCClients.
+type OIDCClientInformer interface {
+ Informer() cache.SharedIndexInformer
+ Lister() v1alpha1.OIDCClientLister
+}
+
+type oIDCClientInformer struct {
+ factory internalinterfaces.SharedInformerFactory
+ tweakListOptions internalinterfaces.TweakListOptionsFunc
+ namespace string
+}
+
+// NewOIDCClientInformer constructs a new informer for OIDCClient type.
+// Always prefer using an informer factory to get a shared informer instead of getting an independent
+// one. This reduces memory footprint and number of connections to the server.
+func NewOIDCClientInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer {
+ return NewFilteredOIDCClientInformer(client, namespace, resyncPeriod, indexers, nil)
+}
+
+// NewFilteredOIDCClientInformer constructs a new informer for OIDCClient type.
+// Always prefer using an informer factory to get a shared informer instead of getting an independent
+// one. This reduces memory footprint and number of connections to the server.
+func NewFilteredOIDCClientInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
+ return cache.NewSharedIndexInformer(
+ &cache.ListWatch{
+ ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
+ if tweakListOptions != nil {
+ tweakListOptions(&options)
+ }
+ return client.OauthV1alpha1().OIDCClients(namespace).List(context.TODO(), options)
+ },
+ WatchFunc: func(options v1.ListOptions) (watch.Interface, error) {
+ if tweakListOptions != nil {
+ tweakListOptions(&options)
+ }
+ return client.OauthV1alpha1().OIDCClients(namespace).Watch(context.TODO(), options)
+ },
+ },
+ &oauthv1alpha1.OIDCClient{},
+ resyncPeriod,
+ indexers,
+ )
+}
+
+func (f *oIDCClientInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer {
+ return NewFilteredOIDCClientInformer(client, f.namespace, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions)
+}
+
+func (f *oIDCClientInformer) Informer() cache.SharedIndexInformer {
+ return f.factory.InformerFor(&oauthv1alpha1.OIDCClient{}, f.defaultInformer)
+}
+
+func (f *oIDCClientInformer) Lister() v1alpha1.OIDCClientLister {
+ return v1alpha1.NewOIDCClientLister(f.Informer().GetIndexer())
+}
diff --git a/generated/1.21/client/supervisor/listers/oauth/v1alpha1/expansion_generated.go b/generated/1.21/client/supervisor/listers/oauth/v1alpha1/expansion_generated.go
new file mode 100644
index 00000000..c19310da
--- /dev/null
+++ b/generated/1.21/client/supervisor/listers/oauth/v1alpha1/expansion_generated.go
@@ -0,0 +1,14 @@
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by lister-gen. DO NOT EDIT.
+
+package v1alpha1
+
+// OIDCClientListerExpansion allows custom methods to be added to
+// OIDCClientLister.
+type OIDCClientListerExpansion interface{}
+
+// OIDCClientNamespaceListerExpansion allows custom methods to be added to
+// OIDCClientNamespaceLister.
+type OIDCClientNamespaceListerExpansion interface{}
diff --git a/generated/1.21/client/supervisor/listers/oauth/v1alpha1/oidcclient.go b/generated/1.21/client/supervisor/listers/oauth/v1alpha1/oidcclient.go
new file mode 100644
index 00000000..ac6047cd
--- /dev/null
+++ b/generated/1.21/client/supervisor/listers/oauth/v1alpha1/oidcclient.go
@@ -0,0 +1,86 @@
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by lister-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+ v1alpha1 "go.pinniped.dev/generated/1.21/apis/supervisor/oauth/v1alpha1"
+ "k8s.io/apimachinery/pkg/api/errors"
+ "k8s.io/apimachinery/pkg/labels"
+ "k8s.io/client-go/tools/cache"
+)
+
+// OIDCClientLister helps list OIDCClients.
+// All objects returned here must be treated as read-only.
+type OIDCClientLister interface {
+ // List lists all OIDCClients in the indexer.
+ // Objects returned here must be treated as read-only.
+ List(selector labels.Selector) (ret []*v1alpha1.OIDCClient, err error)
+ // OIDCClients returns an object that can list and get OIDCClients.
+ OIDCClients(namespace string) OIDCClientNamespaceLister
+ OIDCClientListerExpansion
+}
+
+// oIDCClientLister implements the OIDCClientLister interface.
+type oIDCClientLister struct {
+ indexer cache.Indexer
+}
+
+// NewOIDCClientLister returns a new OIDCClientLister.
+func NewOIDCClientLister(indexer cache.Indexer) OIDCClientLister {
+ return &oIDCClientLister{indexer: indexer}
+}
+
+// List lists all OIDCClients in the indexer.
+func (s *oIDCClientLister) List(selector labels.Selector) (ret []*v1alpha1.OIDCClient, err error) {
+ err = cache.ListAll(s.indexer, selector, func(m interface{}) {
+ ret = append(ret, m.(*v1alpha1.OIDCClient))
+ })
+ return ret, err
+}
+
+// OIDCClients returns an object that can list and get OIDCClients.
+func (s *oIDCClientLister) OIDCClients(namespace string) OIDCClientNamespaceLister {
+ return oIDCClientNamespaceLister{indexer: s.indexer, namespace: namespace}
+}
+
+// OIDCClientNamespaceLister helps list and get OIDCClients.
+// All objects returned here must be treated as read-only.
+type OIDCClientNamespaceLister interface {
+ // List lists all OIDCClients in the indexer for a given namespace.
+ // Objects returned here must be treated as read-only.
+ List(selector labels.Selector) (ret []*v1alpha1.OIDCClient, err error)
+ // Get retrieves the OIDCClient from the indexer for a given namespace and name.
+ // Objects returned here must be treated as read-only.
+ Get(name string) (*v1alpha1.OIDCClient, error)
+ OIDCClientNamespaceListerExpansion
+}
+
+// oIDCClientNamespaceLister implements the OIDCClientNamespaceLister
+// interface.
+type oIDCClientNamespaceLister struct {
+ indexer cache.Indexer
+ namespace string
+}
+
+// List lists all OIDCClients in the ind 
+func (s oIDCClientNamespaceLister) List(selector labels.Selector) (ret []*v1alpha1.OIDCClient, err error) {
+ err = cache.ListAllByNamespace(s.indexer, s.namespace, selector, func(m interface{}) {
+ ret = append(ret, m.(*v1alpha1.OIDCClient))
+ })
+ return ret, err
+}
+
+// Get retrieves the OIDCClient from the indexer for a given namespace and name.
+func (s oIDCClientNamespaceLister) Get(name string) (*v1alpha1.OIDCClient, error) {
+ obj, exists, err := s.indexer.GetByKey(s.namespace + "/" + name)
+ if err != nil {
+ return nil, err
+ }
+ if !exists {
+ return nil, errors.NewNotFound(v1alpha1.Resource("oidcclient"), name)
+ }
+ return obj.(*v1alpha1.OIDCClient), nil
+}
diff --git a/generated/1.21/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml b/generated/1.21/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml
new file mode 100644
index 00000000..0b4ee157
--- /dev/null
+++ b/generated/1.21/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml
@@ -0,0 +1,121 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.8.0
+ creationTimestamp: null
+ name: oidcclients.oauth.supervisor.pinniped.dev
+spec:
+ group: oauth.supervisor.pinniped.dev
+ names:
+ categories:
+ - pinniped
+ kind: OIDCClient
+ listKind: OIDCClientList
+ plural: oidcclients
+ singular: oidcclient
+ scope: Namespaced
+ versions:
+ - additionalPrinterColumns:
+ - jsonPath: '{range .spec.allowedScopes[?(@ == "pinniped:request-audience")]}{true}{end}{false}'
+ name: Privileged
+ type: boolean
+ - jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ name: v1alpha1
+ schema:
+ openAPIV3Schema:
+ description: OIDCClient describes the configuration of an OIDC client.
+ properties:
+ apiVersion:
+ description: 'APIVersion defines the versioned schema of this representation
+ of an object. Servers should convert recognized schemas to the latest
+ internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ type: string
+ kind:
+ description: 'Kind is a string value representing the REST resource this
+ object represents. Servers may infer this from the endpoint the client
+ submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: Spec of the OIDC provider.
+ properties:
+ allowedGrantTypes:
+ description: "allowedGrantTypes is a list of the allowed grant_type
+ param values that should be accepted during OIDC flows with this
+ client. \n Must only contain the following values: - authorization_code:
+ allows the client to perform the authorization code grant flow,
+ i.e. allows the webapp to authenticate users. This grant must always
+ be listed. - refresh_token: allows the client to perform refresh
+ grants for the user to extend the user's session. This grant must
+ be listed if allowedScopes lists offline_access. - urn:ietf:params:oauth:grant-type:token-exchange:
+ allows the client to perform RFC8693 token exchange, which is a
+ step in the process to be able to get a cluster credential for the
+ user. This grant must be listed if allowedScopes lists pinniped:request-audience."
+ items:
+ type: string
+ minItems: 1
+ type: array
+ uniqueItems: true
+ allowedRedirectURIs:
+ description: allowedRedirectURIs is a list of the allowed redirect_uri
+ param values that should be accepted during OIDC flows with this
+ client. Any other uris will be rejected. Must be https, unless it
+ is a loopback.
+ items:
+ type: string
+ minItems: 1
+ type: array
+ uniqueItems: true
+ allowedScopes:
+ description: "allowedScopes is a list of the allowed scopes param
+ values that should be accepted during OIDC flows with this client.
+ \n Must only contain the following values: - openid: The client
+ is allowed to request ID tokens. ID tokens only include the required
+ claims by default (iss, sub, aud, exp, iat). This scope must always
+ be listed. - offline_access: The client is allowed to request an
+ initial refresh token during the authorization code grant flow.
+ This scope must be listed if allowedGrantTypes lists refresh_token.
+ - pinniped:request-audience: The client is allowed to request a
+ new audience value during a RFC8693 token exchange, which is a step
+ in the process to be able to get a cluster credential for the user.
+ openid, username and groups scopes must be listed when this scope
+ is present. This scope must be listed if allowedGrantTypes lists
+ urn:ietf:params:oauth:grant-type:token-exchange. - username: The
+ client is allowed to request that ID tokens contain the user's username.
+ Without the username scope being requested and allowed, the ID token
+ will not contain the user's username. - groups: The client is allowed
+ to request that ID tokens contain the user's group membership, if
+ their group membership is discoverable by the Supervisor. Without
+ the groups scope being requested and allowed, the ID token will
+ not contain groups."
+ items:
+ type: string
+ minItems: 1
+ type: array
+ uniqueItems: true
+ required:
+ - allowedGrantTypes
+ - allowedRedirectURIs
+ - allowedScopes
+ type: object
+ status:
+ description: Status of the OIDC provider.
+ type: object
+ required:
+ - spec
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
+status:
+ acceptedNames:
+ kind: ""
+ plural: ""
+ conditions: []
+ storedVersions: []
diff --git a/generated/1.22/README.adoc b/generated/1.22/README.adoc
index 46e9a2e5..51cf7c07 100644
--- a/generated/1.22/README.adoc
+++ b/generated/1.22/README.adoc
@@ -12,6 +12,7 @@
 - xref:{anchor_prefix}-identity-concierge-pinniped-dev-v1alpha1[$$identity.concierge.pinniped.dev/v1alpha1$$]
 - xref:{anchor_prefix}-idp-supervisor-pinniped-dev-v1alpha1[$$idp.supervisor.pinniped.dev/v1alpha1$$]
 - xref:{anchor_prefix}-login-concierge-pinniped-dev-v1alpha1[$$login.concierge.pinniped.dev/v1alpha1$$]
+- xref:{anchor_prefix}-oauth-supervisor-pinniped-dev-v1alpha1[$$oauth.supervisor.pinniped.dev/v1alpha1$$]
 
 
 [id="{anchor_prefix}-authentication-concierge-pinniped-dev-v1alpha1"]
@@ -1332,3 +1333,56 @@ TokenCredentialRequestStatus is the status of a TokenCredentialRequest, returned
 |===
 
 
+
+[id="{anchor_prefix}-oauth-supervisor-pinniped-dev-v1alpha1"]
+=== oauth.supervisor.pinniped.dev/v1alpha1
+
+Package v1alpha1 is the v1alpha1 version of the Pinniped supervisor oauth API.
+
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-oauth-v1alpha1-oidcclient"]
+==== OIDCClient
+
+OIDCClient describes the configuration of an OIDC client.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-oauth-v1alpha1-oidcclientlist[$$OIDCClientList$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.22/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`.
+
+| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-oauth-v1alpha1-oidcclientspec[$$OIDCClientSpec$$]__ | Spec of the OIDC provider.
+| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-oauth-v1alpha1-oidcclientstatus[$$OIDCClientStatus$$]__ | Status of the OIDC provider.
+|===
+
+
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-oauth-v1alpha1-oidcclientspec"]
+==== OIDCClientSpec
+
+OIDCClientSpec is a struct that describes an OIDC Client.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-oauth-v1alpha1-oidcclient[$$OIDCClient$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`allowedRedirectURIs`* __string array__ | allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this client. Any other uris will be rejected. Must be https, unless it is a loopback.
+| *`allowedGrantTypes`* __string array__ | allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this client.
+ Must only contain the following values: - authorization_code: allows the client to perform the authorization code grant flow, i.e. allows the webapp to authenticate users. This grant must always be listed. - refresh_token: allows the client to perform refresh grants for the user to extend the user's session. This grant must be listed if allowedScopes lists offline_access. - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. This grant must be listed if allowedScopes lists pinniped:request-audience.
+| *`allowedScopes`* __string array__ | allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client.
+ Must only contain the following values: - openid: The client is allowed to request ID tokens. ID tokens only include the required claims by default (iss, sub, aud, exp, iat). This scope must always be listed. - offline_access: The client is allowed to request an initial refresh token during the authorization code grant flow. This scope must be listed if allowedGrantTypes lists refresh_token. - pinniped:request-audience: The client is allowed to request a new audience value during a RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. openid, username and groups scopes must be listed when this scope is present. This scope must be listed if allowedGrantTypes lists urn:ietf:params:oauth:grant-type:token-exchange. - username: The client is allowed to request that ID tokens contain the user's username. Without the username scope being requested and allowed, the ID token will not contain the user's username. - groups: The client is allowed to request that ID tokens contain the user's group membership, if their group membership is discoverable by the Supervisor. Without the groups scope being requested and allowed, the ID token will not contain groups.
+|===
+
+
+
+
diff --git a/generated/1.22/apis/supervisor/oauth/v1alpha1/doc.go b/generated/1.22/apis/supervisor/oauth/v1alpha1/doc.go
new file mode 100644
index 00000000..75580481
--- /dev/null
+++ b/generated/1.22/apis/supervisor/oauth/v1alpha1/doc.go
@@ -0,0 +1,10 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// +k8s:openapi-gen=true
+// +k8s:deepcopy-gen=package
+// +k8s:defaulter-gen=TypeMeta
+// +groupName=oauth.supervisor.pinniped.dev
+
+// Package v1alpha1 is the v1alpha1 version of the Pinniped supervisor oauth API.
+package v1alpha1
diff --git a/generated/1.22/apis/supervisor/oauth/v1alpha1/register.go b/generated/1.22/apis/supervisor/oauth/v1alpha1/register.go
new file mode 100644
index 00000000..37ae1fbf
--- /dev/null
+++ b/generated/1.22/apis/supervisor/oauth/v1alpha1/register.go
@@ -0,0 +1,43 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import (
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/apimachinery/pkg/runtime"
+ "k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+const GroupName = "oauth.supervisor.pinniped.dev"
+
+// SchemeGroupVersion is group version used to register these objects.
+var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha1"}
+
+var (
+ SchemeBuilder runtime.SchemeBuilder
+ localSchemeBuilder = &SchemeBuilder
+ AddToScheme = localSchemeBuilder.AddToScheme
+)
+
+func init() {
+ // We only register manually written functions here. The registration of the
+ // generated functions takes place in the generated files. The separation
+ // makes the code compile even when the generated files are missing.
+ localSchemeBuilder.Register(addKnownTypes)
+}
+
+// Adds the list of known types to the given scheme.
+func addKnownTypes(scheme *runtime.Scheme) error {
+ scheme.AddKnownTypes(SchemeGroupVersion,
+ &OIDCClient{},
+ &OIDCClientList{},
+ )
+ metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
+ return nil
+}
+
+// Resource takes an unqualified resource and returns a Group qualified GroupResource.
+func Resource(resource string) schema.GroupResource {
+ return SchemeGroupVersion.WithResource(resource).GroupResource()
+}
diff --git a/generated/1.22/apis/supervisor/oauth/v1alpha1/types_oidcclient.go b/generated/1.22/apis/supervisor/oauth/v1alpha1/types_oidcclient.go
new file mode 100644
index 00000000..ee125443
--- /dev/null
+++ b/generated/1.22/apis/supervisor/oauth/v1alpha1/types_oidcclient.go
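Review bot: `GroupName`, `SchemeBuilder` and `AddToScheme` in register.go are exported but carry no doc comment, while the neighbouring `SchemeGroupVersion` and `Resource` do; I would add `// GroupName is the API group served by the types in this package.` above the constant and `// SchemeBuilder collects the functions that register this package's types with a runtime.Scheme; AddToScheme applies them.` above the var block. The `addKnownTypes` comment would also read better in the standard form, `// addKnownTypes adds the list of known types to the given scheme.`, so that godoc and linters associate it with the function. This file has no generated-code header, so it appears to be hand-maintained; if it is in fact produced from a template, the wording belongs there instead. The same omission presumably exists in the other per-Kubernetes-version copies of register.go added by this commit.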
@@ -0,0 +1,84 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// OIDCClientSpec is a struct that describes an OIDC Client.
+type OIDCClientSpec struct {
+	// allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this
+	// client. Any other uris will be rejected.
+	// Must be https, unless it is a loopback.
+	// +kubebuilder:validation:UniqueItems=true
+	// +kubebuilder:validation:MinItems=1
+	AllowedRedirectURIs []string `json:"allowedRedirectURIs"`
+
+	// allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this
+	// client.
+	//
+	// Must only contain the following values:
+	// - authorization_code: allows the client to perform the authorization code grant flow, i.e. allows the webapp to
+	// authenticate users. This grant must always be listed.
+	// - refresh_token: allows the client to perform refresh grants for the user to extend the user's session.
+	// This grant must be listed if allowedScopes lists offline_access.
+	// - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange,
+	// which is a step in the process to be able to get a cluster credential for the user.
+	// This grant must be listed if allowedScopes lists pinniped:request-audience.
+	// +kubebuilder:validation:UniqueItems=true
+	// +kubebuilder:validation:MinItems=1
+	AllowedGrantTypes []string `json:"allowedGrantTypes"`
+
+	// allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client.
+	//
+	// Must only contain the following values:
+	// - openid: The client is allowed to request ID tokens. ID tokens only include the required claims by default (iss, sub, aud, exp, iat).
+	// This scope must always be listed.
+	// - offline_access: The client is allowed to request an initial refresh token during the authorization code grant flow.
+	// This scope must be listed if allowedGrantTypes lists refresh_token.
+	// - pinniped:request-audience: The client is allowed to request a new audience value during a RFC8693 token exchange,
+	// which is a step in the process to be able to get a cluster credential for the user.
+	// openid, username and groups scopes must be listed when this scope is present.
+	// This scope must be listed if allowedGrantTypes lists urn:ietf:params:oauth:grant-type:token-exchange.
+	// - username: The client is allowed to request that ID tokens contain the user's username.
+	// Without the username scope being requested and allowed, the ID token will not contain the user's username.
+	// - groups: The client is allowed to request that ID tokens contain the user's group membership,
+	// if their group membership is discoverable by the Supervisor.
+	// Without the groups scope being requested and allowed, the ID token will not contain groups.
+	// +kubebuilder:validation:UniqueItems=true
+	// +kubebuilder:validation:MinItems=1
+	AllowedScopes []string `json:"allowedScopes"`
+}
+
+// OIDCClientStatus is a struct that describes the actual state of an OIDC Client.
+type OIDCClientStatus struct {
+}
+
+// OIDCClient describes the configuration of an OIDC client.
+// +genclient
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+// +kubebuilder:resource:categories=pinniped
+// +kubebuilder:printcolumn:name="Privileged",type=boolean,JSONPath=`{range .spec.allowedScopes[?(@ == "pinniped:request-audience")]}{true}{end}{false}`
+// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
+// +kubebuilder:subresource:status
+type OIDCClient struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	// Spec of the OIDC provider.
+	Spec OIDCClientSpec `json:"spec"`
+
+	// Status of the OIDC provider.
+	Status OIDCClientStatus `json:"status,omitempty"`
+}
+
+// List of OIDCClient objects.
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+type OIDCClientList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+
+	Items []OIDCClient `json:"items"`
+}
diff --git a/generated/1.22/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go b/generated/1.22/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go
new file mode 100644
index 00000000..cb35cea5
--- /dev/null
+++ b/generated/1.22/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go
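Review bot: The field comments on `Spec` and `Status` near the end of the hunk read `// Spec of the OIDC provider.` and `// Status of the OIDC provider.`, which look like a leftover from the identity-provider type; this type is the client, so they should read `// Spec of the OIDC client.` and `// Status of the OIDC client.`. Separately, the `allowedRedirectURIs` comment promises `Must be https, unless it is a loopback.` but the only markers on that field are UniqueItems and MinItems, so nothing at admission enforces it; if the Supervisor enforces this when the client is used, the comment should say so, and it is worth checking whether a `+kubebuilder:validation:Pattern` marker can reject the obviously non-https cases at admission as well. The same applies to the cross-field rules in the allowedGrantTypes and allowedScopes comments (for example `This grant must be listed if allowedScopes lists offline_access`), which CRD schema validation cannot express, so readers should be told where they are checked. Since this file sits under generated/, the wording fix presumably belongs in the source it is copied from as well.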
@@ -0,0 +1,121 @@ +//go:build !ignore_autogenerated +// +build !ignore_autogenerated + +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by deepcopy-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + runtime "k8s.io/apimachinery/pkg/runtime" +) + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCClient) DeepCopyInto(out *OIDCClient) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + in.Spec.DeepCopyInto(&out.Spec) + out.Status = in.Status + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClient. +func (in *OIDCClient) DeepCopy() *OIDCClient { + if in == nil { + return nil + } + out := new(OIDCClient) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *OIDCClient) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCClientList) DeepCopyInto(out *OIDCClientList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]OIDCClient, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientList. +func (in *OIDCClientList) DeepCopy() *OIDCClientList { + if in == nil { + return nil + } + out := new(OIDCClientList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. 
+func (in *OIDCClientList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCClientSpec) DeepCopyInto(out *OIDCClientSpec) { + *out = *in + if in.AllowedRedirectURIs != nil { + in, out := &in.AllowedRedirectURIs, &out.AllowedRedirectURIs + *out = make([]string, len(*in)) + copy(*out, *in) + } + if in.AllowedGrantTypes != nil { + in, out := &in.AllowedGrantTypes, &out.AllowedGrantTypes + *out = make([]string, len(*in)) + copy(*out, *in) + } + if in.AllowedScopes != nil { + in, out := &in.AllowedScopes, &out.AllowedScopes + *out = make([]string, len(*in)) + copy(*out, *in) + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSpec. +func (in *OIDCClientSpec) DeepCopy() *OIDCClientSpec { + if in == nil { + return nil + } + out := new(OIDCClientSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCClientStatus) DeepCopyInto(out *OIDCClientStatus) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientStatus. +func (in *OIDCClientStatus) DeepCopy() *OIDCClientStatus { + if in == nil { + return nil + } + out := new(OIDCClientStatus) + in.DeepCopyInto(out) + return out +} diff --git a/generated/1.22/client/supervisor/clientset/versioned/clientset.go b/generated/1.22/client/supervisor/clientset/versioned/clientset.go index b110aa5d..dcdcab22 100644 --- a/generated/1.22/client/supervisor/clientset/versioned/clientset.go +++ b/generated/1.22/client/supervisor/clientset/versioned/clientset.go 
@@ -10,6 +10,7 @@ import ( configv1alpha1 "go.pinniped.dev/generated/1.22/client/supervisor/clientset/versioned/typed/config/v1alpha1" idpv1alpha1 "go.pinniped.dev/generated/1.22/client/supervisor/clientset/versioned/typed/idp/v1alpha1" + oauthv1alpha1 "go.pinniped.dev/generated/1.22/client/supervisor/clientset/versioned/typed/oauth/v1alpha1" discovery "k8s.io/client-go/discovery" rest "k8s.io/client-go/rest" flowcontrol "k8s.io/client-go/util/flowcontrol" @@ -19,6 +20,7 @@ type Interface interface { Discovery() discovery.DiscoveryInterface ConfigV1alpha1() configv1alpha1.ConfigV1alpha1Interface IDPV1alpha1() idpv1alpha1.IDPV1alpha1Interface + OauthV1alpha1() oauthv1alpha1.OauthV1alpha1Interface } // Clientset contains the clients for groups. Each group has exactly one @@ -27,6 +29,7 @@ type Clientset struct { *discovery.DiscoveryClient configV1alpha1 *configv1alpha1.ConfigV1alpha1Client iDPV1alpha1 *idpv1alpha1.IDPV1alpha1Client + oauthV1alpha1 *oauthv1alpha1.OauthV1alpha1Client } // ConfigV1alpha1 retrieves the ConfigV1alpha1Client @@ -39,6 +42,11 @@ func (c *Clientset) IDPV1alpha1() idpv1alpha1.IDPV1alpha1Interface { return c.iDPV1alpha1 } +// OauthV1alpha1 retrieves the OauthV1alpha1Client +func (c *Clientset) OauthV1alpha1() oauthv1alpha1.OauthV1alpha1Interface { + return c.oauthV1alpha1 +} + // Discovery retrieves the DiscoveryClient func (c *Clientset) Discovery() discovery.DiscoveryInterface { if c == nil { @@ -68,6 +76,10 @@ func NewForConfig(c *rest.Config) (*Clientset, error) { if err != nil { return nil, err } + cs.oauthV1alpha1, err = oauthv1alpha1.NewForConfig(&configShallowCopy) + if err != nil { + return nil, err + } cs.DiscoveryClient, err = discovery.NewDiscoveryClientForConfig(&configShallowCopy) if err != nil { 
@@ -82,6 +94,7 @@ func NewForConfigOrDie(c *rest.Config) *Clientset { var cs Clientset cs.configV1alpha1 = configv1alpha1.NewForConfigOrDie(c) cs.iDPV1alpha1 = idpv1alpha1.NewForConfigOrDie(c) + cs.oauthV1alpha1 = oauthv1alpha1.NewForConfigOrDie(c) cs.DiscoveryClient = discovery.NewDiscoveryClientForConfigOrDie(c) return &cs @@ -92,6 +105,7 @@ func New(c rest.Interface) *Clientset { var cs Clientset cs.configV1alpha1 = configv1alpha1.New(c) cs.iDPV1alpha1 = idpv1alpha1.New(c) + cs.oauthV1alpha1 = oauthv1alpha1.New(c) cs.DiscoveryClient = discovery.NewDiscoveryClient(c) return &cs diff --git a/generated/1.22/client/supervisor/clientset/versioned/fake/clientset_generated.go b/generated/1.22/client/supervisor/clientset/versioned/fake/clientset_generated.go index 919b66cf..492217cf 100644 --- a/generated/1.22/client/supervisor/clientset/versioned/fake/clientset_generated.go +++ b/generated/1.22/client/supervisor/clientset/versioned/fake/clientset_generated.go @@ -11,6 +11,8 @@ import ( fakeconfigv1alpha1 "go.pinniped.dev/generated/1.22/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake" idpv1alpha1 "go.pinniped.dev/generated/1.22/client/supervisor/clientset/versioned/typed/idp/v1alpha1" fakeidpv1alpha1 "go.pinniped.dev/generated/1.22/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake" + oauthv1alpha1 "go.pinniped.dev/generated/1.22/client/supervisor/clientset/versioned/typed/oauth/v1alpha1" + fakeoauthv1alpha1 "go.pinniped.dev/generated/1.22/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake" "k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/watch" "k8s.io/client-go/discovery" 
@@ -77,3 +79,8 @@ func (c *Clientset) ConfigV1alpha1() configv1alpha1.ConfigV1alpha1Interface { func (c *Clientset) IDPV1alpha1() idpv1alpha1.IDPV1alpha1Interface { return &fakeidpv1alpha1.FakeIDPV1alpha1{Fake: &c.Fake} } + +// OauthV1alpha1 retrieves the OauthV1alpha1Client +func (c *Clientset) OauthV1alpha1() oauthv1alpha1.OauthV1alpha1Interface { + return &fakeoauthv1alpha1.FakeOauthV1alpha1{Fake: &c.Fake} +} diff --git a/generated/1.22/client/supervisor/clientset/versioned/fake/register.go b/generated/1.22/client/supervisor/clientset/versioned/fake/register.go index 38fb0501..690d6ee3 100644 --- a/generated/1.22/client/supervisor/clientset/versioned/fake/register.go +++ b/generated/1.22/client/supervisor/clientset/versioned/fake/register.go @@ -8,6 +8,7 @@ package fake import ( configv1alpha1 "go.pinniped.dev/generated/1.22/apis/supervisor/config/v1alpha1" idpv1alpha1 "go.pinniped.dev/generated/1.22/apis/supervisor/idp/v1alpha1" + oauthv1alpha1 "go.pinniped.dev/generated/1.22/apis/supervisor/oauth/v1alpha1" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" runtime "k8s.io/apimachinery/pkg/runtime" schema "k8s.io/apimachinery/pkg/runtime/schema" @@ -21,6 +22,7 @@ var codecs = serializer.NewCodecFactory(scheme) var localSchemeBuilder = runtime.SchemeBuilder{ configv1alpha1.AddToScheme, idpv1alpha1.AddToScheme, + oauthv1alpha1.AddToScheme, } // AddToScheme adds all types of this clientset into the given scheme. This allows composition diff --git a/generated/1.22/client/supervisor/clientset/versioned/scheme/register.go b/generated/1.22/client/supervisor/clientset/versioned/scheme/register.go index 1fdb17cd..99bafb85 100644 --- a/generated/1.22/client/supervisor/clientset/versioned/scheme/register.go +++ b/generated/1.22/client/supervisor/clientset/versioned/scheme/register.go 
@@ -8,6 +8,7 @@ package scheme import ( configv1alpha1 "go.pinniped.dev/generated/1.22/apis/supervisor/config/v1alpha1" idpv1alpha1 "go.pinniped.dev/generated/1.22/apis/supervisor/idp/v1alpha1" + oauthv1alpha1 "go.pinniped.dev/generated/1.22/apis/supervisor/oauth/v1alpha1" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" runtime "k8s.io/apimachinery/pkg/runtime" schema "k8s.io/apimachinery/pkg/runtime/schema" @@ -21,6 +22,7 @@ var ParameterCodec = runtime.NewParameterCodec(Scheme) var localSchemeBuilder = runtime.SchemeBuilder{ configv1alpha1.AddToScheme, idpv1alpha1.AddToScheme, + oauthv1alpha1.AddToScheme, } // AddToScheme adds all types of this clientset into the given scheme. This allows composition diff --git a/generated/1.22/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/doc.go b/generated/1.22/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/doc.go new file mode 100644 index 00000000..e7a470b6 --- /dev/null +++ b/generated/1.22/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/doc.go @@ -0,0 +1,7 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +// This package has the automatically generated typed clients. +package v1alpha1 diff --git a/generated/1.22/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go b/generated/1.22/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go new file mode 100644 index 00000000..7906901b --- /dev/null +++ b/generated/1.22/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go @@ -0,0 +1,7 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +// Package fake has the automatically generated clients. +package fake 
diff --git a/generated/1.22/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go b/generated/1.22/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go new file mode 100644 index 00000000..7f7620ad --- /dev/null +++ b/generated/1.22/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go @@ -0,0 +1,27 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package fake + +import ( + v1alpha1 "go.pinniped.dev/generated/1.22/client/supervisor/clientset/versioned/typed/oauth/v1alpha1" + rest "k8s.io/client-go/rest" + testing "k8s.io/client-go/testing" +) + +type FakeOauthV1alpha1 struct { + *testing.Fake +} + +func (c *FakeOauthV1alpha1) OIDCClients(namespace string) v1alpha1.OIDCClientInterface { + return &FakeOIDCClients{c, namespace} +} + +// RESTClient returns a RESTClient that is used to communicate +// with API server by this client implementation. +func (c *FakeOauthV1alpha1) RESTClient() rest.Interface { + var ret *rest.RESTClient + return ret +} diff --git a/generated/1.22/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oidcclient.go b/generated/1.22/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oidcclient.go new file mode 100644 index 00000000..afddba32 --- /dev/null +++ b/generated/1.22/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oidcclient.go 
@@ -0,0 +1,129 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package fake + +import ( + "context" + + v1alpha1 "go.pinniped.dev/generated/1.22/apis/supervisor/oauth/v1alpha1" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + labels "k8s.io/apimachinery/pkg/labels" + schema "k8s.io/apimachinery/pkg/runtime/schema" + types "k8s.io/apimachinery/pkg/types" + watch "k8s.io/apimachinery/pkg/watch" + testing "k8s.io/client-go/testing" +) + +// FakeOIDCClients implements OIDCClientInterface +type FakeOIDCClients struct { + Fake *FakeOauthV1alpha1 + ns string +} + +var oidcclientsResource = schema.GroupVersionResource{Group: "oauth.supervisor.pinniped.dev", Version: "v1alpha1", Resource: "oidcclients"} + +var oidcclientsKind = schema.GroupVersionKind{Group: "oauth.supervisor.pinniped.dev", Version: "v1alpha1", Kind: "OIDCClient"} + +// Get takes name of the oIDCClient, and returns the corresponding oIDCClient object, and an error if there is any. +func (c *FakeOIDCClients) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.OIDCClient, err error) { + obj, err := c.Fake. + Invokes(testing.NewGetAction(oidcclientsResource, c.ns, name), &v1alpha1.OIDCClient{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.OIDCClient), err +} + +// List takes label and field selectors, and returns the list of OIDCClients that match those selectors. +func (c *FakeOIDCClients) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.OIDCClientList, err error) { + obj, err := c.Fake. 
+ Invokes(testing.NewListAction(oidcclientsResource, oidcclientsKind, c.ns, opts), &v1alpha1.OIDCClientList{}) + + if obj == nil { + return nil, err + } + + label, _, _ := testing.ExtractFromListOptions(opts) + if label == nil { + label = labels.Everything() + } + list := &v1alpha1.OIDCClientList{ListMeta: obj.(*v1alpha1.OIDCClientList).ListMeta} + for _, item := range obj.(*v1alpha1.OIDCClientList).Items { + if label.Matches(labels.Set(item.Labels)) { + list.Items = append(list.Items, item) + } + } + return list, err +} + +// Watch returns a watch.Interface that watches the requested oIDCClients. +func (c *FakeOIDCClients) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) { + return c.Fake. + InvokesWatch(testing.NewWatchAction(oidcclientsResource, c.ns, opts)) + +} + +// Create takes the representation of a oIDCClient and creates it. Returns the server's representation of the oIDCClient, and an error, if there is any. +func (c *FakeOIDCClients) Create(ctx context.Context, oIDCClient *v1alpha1.OIDCClient, opts v1.CreateOptions) (result *v1alpha1.OIDCClient, err error) { + obj, err := c.Fake. + Invokes(testing.NewCreateAction(oidcclientsResource, c.ns, oIDCClient), &v1alpha1.OIDCClient{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.OIDCClient), err +} + +// Update takes the representation of a oIDCClient and updates it. Returns the server's representation of the oIDCClient, and an error, if there is any. +func (c *FakeOIDCClients) Update(ctx context.Context, oIDCClient *v1alpha1.OIDCClient, opts v1.UpdateOptions) (result *v1alpha1.OIDCClient, err error) { + obj, err := c.Fake. + Invokes(testing.NewUpdateAction(oidcclientsResource, c.ns, oIDCClient), &v1alpha1.OIDCClient{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.OIDCClient), err +} + +// UpdateStatus was generated because the type contains a Status member. +// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus(). 
+func (c *FakeOIDCClients) UpdateStatus(ctx context.Context, oIDCClient *v1alpha1.OIDCClient, opts v1.UpdateOptions) (*v1alpha1.OIDCClient, error) { + obj, err := c.Fake. + Invokes(testing.NewUpdateSubresourceAction(oidcclientsResource, "status", c.ns, oIDCClient), &v1alpha1.OIDCClient{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.OIDCClient), err +} + +// Delete takes name of the oIDCClient and deletes it. Returns an error if one occurs. +func (c *FakeOIDCClients) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error { + _, err := c.Fake. + Invokes(testing.NewDeleteAction(oidcclientsResource, c.ns, name), &v1alpha1.OIDCClient{}) + + return err +} + +// DeleteCollection deletes a collection of objects. +func (c *FakeOIDCClients) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error { + action := testing.NewDeleteCollectionAction(oidcclientsResource, c.ns, listOpts) + + _, err := c.Fake.Invokes(action, &v1alpha1.OIDCClientList{}) + return err +} + +// Patch applies the patch and returns the patched oIDCClient. +func (c *FakeOIDCClients) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.OIDCClient, err error) { + obj, err := c.Fake. + Invokes(testing.NewPatchSubresourceAction(oidcclientsResource, c.ns, name, pt, data, subresources...), &v1alpha1.OIDCClient{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.OIDCClient), err +} diff --git a/generated/1.22/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go b/generated/1.22/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go new file mode 100644 index 00000000..87d22ea9 --- /dev/null +++ b/generated/1.22/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go 
@@ -0,0 +1,8 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package v1alpha1 + +type OIDCClientExpansion interface{} diff --git a/generated/1.22/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go b/generated/1.22/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go new file mode 100644 index 00000000..1bf4eb28 --- /dev/null +++ b/generated/1.22/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go 
@@ -0,0 +1,76 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + v1alpha1 "go.pinniped.dev/generated/1.22/apis/supervisor/oauth/v1alpha1" + "go.pinniped.dev/generated/1.22/client/supervisor/clientset/versioned/scheme" + rest "k8s.io/client-go/rest" +) + +type OauthV1alpha1Interface interface { + RESTClient() rest.Interface + OIDCClientsGetter +} + +// OauthV1alpha1Client is used to interact with features provided by the oauth.supervisor.pinniped.dev group. +type OauthV1alpha1Client struct { + restClient rest.Interface +} + +func (c *OauthV1alpha1Client) OIDCClients(namespace string) OIDCClientInterface { + return newOIDCClients(c, namespace) +} + +// NewForConfig creates a new OauthV1alpha1Client for the given config. +func NewForConfig(c *rest.Config) (*OauthV1alpha1Client, error) { + config := *c + if err := setConfigDefaults(&config); err != nil { + return nil, err + } + client, err := rest.RESTClientFor(&config) + if err != nil { + return nil, err + } + return &OauthV1alpha1Client{client}, nil +} + +// NewForConfigOrDie creates a new OauthV1alpha1Client for the given config and +// panics if there is an error in the config. +func NewForConfigOrDie(c *rest.Config) *OauthV1alpha1Client { + client, err := NewForConfig(c) + if err != nil { + panic(err) + } + return client +} + +// New creates a new OauthV1alpha1Client for the given RESTClient. 
+func New(c rest.Interface) *OauthV1alpha1Client { + return &OauthV1alpha1Client{c} +} + +func setConfigDefaults(config *rest.Config) error { + gv := v1alpha1.SchemeGroupVersion + config.GroupVersion = &gv + config.APIPath = "/apis" + config.NegotiatedSerializer = scheme.Codecs.WithoutConversion() + + if config.UserAgent == "" { + config.UserAgent = rest.DefaultKubernetesUserAgent() + } + + return nil +} + +// RESTClient returns a RESTClient that is used to communicate +// with API server by this client implementation. +func (c *OauthV1alpha1Client) RESTClient() rest.Interface { + if c == nil { + return nil + } + return c.restClient +} diff --git a/generated/1.22/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oidcclient.go b/generated/1.22/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oidcclient.go new file mode 100644 index 00000000..be9f6246 --- /dev/null +++ b/generated/1.22/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oidcclient.go 
@@ -0,0 +1,182 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + "context" + "time" + + v1alpha1 "go.pinniped.dev/generated/1.22/apis/supervisor/oauth/v1alpha1" + scheme "go.pinniped.dev/generated/1.22/client/supervisor/clientset/versioned/scheme" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + types "k8s.io/apimachinery/pkg/types" + watch "k8s.io/apimachinery/pkg/watch" + rest "k8s.io/client-go/rest" +) + +// OIDCClientsGetter has a method to return a OIDCClientInterface. +// A group's client should implement this interface. +type OIDCClientsGetter interface { + OIDCClients(namespace string) OIDCClientInterface +} + +// OIDCClientInterface has methods to work with OIDCClient resources. +type OIDCClientInterface interface { + Create(ctx context.Context, oIDCClient *v1alpha1.OIDCClient, opts v1.CreateOptions) (*v1alpha1.OIDCClient, error) + Update(ctx context.Context, oIDCClient *v1alpha1.OIDCClient, opts v1.UpdateOptions) (*v1alpha1.OIDCClient, error) + UpdateStatus(ctx context.Context, oIDCClient *v1alpha1.OIDCClient, opts v1.UpdateOptions) (*v1alpha1.OIDCClient, error) + Delete(ctx context.Context, name string, opts v1.DeleteOptions) error + DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error + Get(ctx context.Context, name string, opts v1.GetOptions) (*v1alpha1.OIDCClient, error) + List(ctx context.Context, opts v1.ListOptions) (*v1alpha1.OIDCClientList, error) + Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) + Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.OIDCClient, err error) + OIDCClientExpansion +} + +// oIDCClients implements OIDCClientInterface +type oIDCClients struct { + client rest.Interface + ns string +} + +// newOIDCClients returns a OIDCClients +func 
newOIDCClients(c *OauthV1alpha1Client, namespace string) *oIDCClients { + return &oIDCClients{ + client: c.RESTClient(), + ns: namespace, + } +} + +// Get takes name of the oIDCClient, and returns the corresponding oIDCClient object, and an error if there is any. +func (c *oIDCClients) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.OIDCClient, err error) { + result = &v1alpha1.OIDCClient{} + err = c.client.Get(). + Namespace(c.ns). + Resource("oidcclients"). + Name(name). + VersionedParams(&options, scheme.ParameterCodec). + Do(ctx). + Into(result) + return +} + +// List takes label and field selectors, and returns the list of OIDCClients that match those selectors. +func (c *oIDCClients) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.OIDCClientList, err error) { + var timeout time.Duration + if opts.TimeoutSeconds != nil { + timeout = time.Duration(*opts.TimeoutSeconds) * time.Second + } + result = &v1alpha1.OIDCClientList{} + err = c.client.Get(). + Namespace(c.ns). + Resource("oidcclients"). + VersionedParams(&opts, scheme.ParameterCodec). + Timeout(timeout). + Do(ctx). + Into(result) + return +} + +// Watch returns a watch.Interface that watches the requested oIDCClients. +func (c *oIDCClients) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) { + var timeout time.Duration + if opts.TimeoutSeconds != nil { + timeout = time.Duration(*opts.TimeoutSeconds) * time.Second + } + opts.Watch = true + return c.client.Get(). + Namespace(c.ns). + Resource("oidcclients"). + VersionedParams(&opts, scheme.ParameterCodec). + Timeout(timeout). + Watch(ctx) +} + +// Create takes the representation of a oIDCClient and creates it. Returns the server's representation of the oIDCClient, and an error, if there is any. 
+func (c *oIDCClients) Create(ctx context.Context, oIDCClient *v1alpha1.OIDCClient, opts v1.CreateOptions) (result *v1alpha1.OIDCClient, err error) { + result = &v1alpha1.OIDCClient{} + err = c.client.Post(). + Namespace(c.ns). + Resource("oidcclients"). + VersionedParams(&opts, scheme.ParameterCodec). + Body(oIDCClient). + Do(ctx). + Into(result) + return +} + +// Update takes the representation of a oIDCClient and updates it. Returns the server's representation of the oIDCClient, and an error, if there is any. +func (c *oIDCClients) Update(ctx context.Context, oIDCClient *v1alpha1.OIDCClient, opts v1.UpdateOptions) (result *v1alpha1.OIDCClient, err error) { + result = &v1alpha1.OIDCClient{} + err = c.client.Put(). + Namespace(c.ns). + Resource("oidcclients"). + Name(oIDCClient.Name). + VersionedParams(&opts, scheme.ParameterCodec). + Body(oIDCClient). + Do(ctx). + Into(result) + return +} + +// UpdateStatus was generated because the type contains a Status member. +// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus(). +func (c *oIDCClients) UpdateStatus(ctx context.Context, oIDCClient *v1alpha1.OIDCClient, opts v1.UpdateOptions) (result *v1alpha1.OIDCClient, err error) { + result = &v1alpha1.OIDCClient{} + err = c.client.Put(). + Namespace(c.ns). + Resource("oidcclients"). + Name(oIDCClient.Name). + SubResource("status"). + VersionedParams(&opts, scheme.ParameterCodec). + Body(oIDCClient). + Do(ctx). + Into(result) + return +} + +// Delete takes name of the oIDCClient and deletes it. Returns an error if one occurs. +func (c *oIDCClients) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error { + return c.client.Delete(). + Namespace(c.ns). + Resource("oidcclients"). + Name(name). + Body(&opts). + Do(ctx). + Error() +} + +// DeleteCollection deletes a collection of objects. 
+func (c *oIDCClients) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error { + var timeout time.Duration + if listOpts.TimeoutSeconds != nil { + timeout = time.Duration(*listOpts.TimeoutSeconds) * time.Second + } + return c.client.Delete(). + Namespace(c.ns). + Resource("oidcclients"). + VersionedParams(&listOpts, scheme.ParameterCodec). + Timeout(timeout). + Body(&opts). + Do(ctx). + Error() +} + +// Patch applies the patch and returns the patched oIDCClient. +func (c *oIDCClients) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.OIDCClient, err error) { + result = &v1alpha1.OIDCClient{} + err = c.client.Patch(pt). + Namespace(c.ns). + Resource("oidcclients"). + Name(name). + SubResource(subresources...). + VersionedParams(&opts, scheme.ParameterCodec). + Body(data). + Do(ctx). + Into(result) + return +} diff --git a/generated/1.22/client/supervisor/informers/externalversions/factory.go b/generated/1.22/client/supervisor/informers/externalversions/factory.go index 1686a18c..b1a59943 100644 --- a/generated/1.22/client/supervisor/informers/externalversions/factory.go +++ b/generated/1.22/client/supervisor/informers/externalversions/factory.go @@ -14,6 +14,7 @@ import ( config "go.pinniped.dev/generated/1.22/client/supervisor/informers/externalversions/config" idp "go.pinniped.dev/generated/1.22/client/supervisor/informers/externalversions/idp" internalinterfaces "go.pinniped.dev/generated/1.22/client/supervisor/informers/externalversions/internalinterfaces" + oauth "go.pinniped.dev/generated/1.22/client/supervisor/informers/externalversions/oauth" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" runtime "k8s.io/apimachinery/pkg/runtime" schema "k8s.io/apimachinery/pkg/runtime/schema" 
@@ -162,6 +163,7 @@ type SharedInformerFactory interface { Config() config.Interface IDP() idp.Interface + Oauth() oauth.Interface } func (f *sharedInformerFactory) Config() config.Interface { @@ -171,3 +173,7 @@ func (f *sharedInformerFactory) Config() config.Interface { func (f *sharedInformerFactory) IDP() idp.Interface { return idp.New(f, f.namespace, f.tweakListOptions) } + +func (f *sharedInformerFactory) Oauth() oauth.Interface { + return oauth.New(f, f.namespace, f.tweakListOptions) +} diff --git a/generated/1.22/client/supervisor/informers/externalversions/generic.go b/generated/1.22/client/supervisor/informers/externalversions/generic.go index 9d595d85..0380a5b8 100644 --- a/generated/1.22/client/supervisor/informers/externalversions/generic.go +++ b/generated/1.22/client/supervisor/informers/externalversions/generic.go @@ -10,6 +10,7 @@ import ( v1alpha1 "go.pinniped.dev/generated/1.22/apis/supervisor/config/v1alpha1" idpv1alpha1 "go.pinniped.dev/generated/1.22/apis/supervisor/idp/v1alpha1" + oauthv1alpha1 "go.pinniped.dev/generated/1.22/apis/supervisor/oauth/v1alpha1" schema "k8s.io/apimachinery/pkg/runtime/schema" cache "k8s.io/client-go/tools/cache" ) @@ -52,6 +53,10 @@ func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource case idpv1alpha1.SchemeGroupVersion.WithResource("oidcidentityproviders"): return &genericInformer{resource: resource.GroupResource(), informer: f.IDP().V1alpha1().OIDCIdentityProviders().Informer()}, nil + // Group=oauth.supervisor.pinniped.dev, Version=v1alpha1 + case oauthv1alpha1.SchemeGroupVersion.WithResource("oidcclients"): + return &genericInformer{resource: resource.GroupResource(), informer: f.Oauth().V1alpha1().OIDCClients().Informer()}, nil + } return nil, fmt.Errorf("no informer found for %v", resource) 
diff --git a/generated/1.22/client/supervisor/informers/externalversions/oauth/interface.go b/generated/1.22/client/supervisor/informers/externalversions/oauth/interface.go new file mode 100644 index 00000000..97090c7c --- /dev/null +++ b/generated/1.22/client/supervisor/informers/externalversions/oauth/interface.go @@ -0,0 +1,33 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by informer-gen. DO NOT EDIT. + +package oauth + +import ( + internalinterfaces "go.pinniped.dev/generated/1.22/client/supervisor/informers/externalversions/internalinterfaces" + v1alpha1 "go.pinniped.dev/generated/1.22/client/supervisor/informers/externalversions/oauth/v1alpha1" +) + +// Interface provides access to each of this group's versions. +type Interface interface { + // V1alpha1 provides access to shared informers for resources in V1alpha1. + V1alpha1() v1alpha1.Interface +} + +type group struct { + factory internalinterfaces.SharedInformerFactory + namespace string + tweakListOptions internalinterfaces.TweakListOptionsFunc +} + +// New returns a new Interface. +func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakListOptions internalinterfaces.TweakListOptionsFunc) Interface { + return &group{factory: f, namespace: namespace, tweakListOptions: tweakListOptions} +} + +// V1alpha1 returns a new v1alpha1.Interface. +func (g *group) V1alpha1() v1alpha1.Interface { + return v1alpha1.New(g.factory, g.namespace, g.tweakListOptions) +} diff --git a/generated/1.22/client/supervisor/informers/externalversions/oauth/v1alpha1/interface.go b/generated/1.22/client/supervisor/informers/externalversions/oauth/v1alpha1/interface.go new file mode 100644 index 00000000..19d5ccb1 --- /dev/null +++ b/generated/1.22/client/supervisor/informers/externalversions/oauth/v1alpha1/interface.go 
@@ -0,0 +1,32 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by informer-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + internalinterfaces "go.pinniped.dev/generated/1.22/client/supervisor/informers/externalversions/internalinterfaces" +) + +// Interface provides access to all the informers in this group version. +type Interface interface { + // OIDCClients returns a OIDCClientInformer. + OIDCClients() OIDCClientInformer +} + +type version struct { + factory internalinterfaces.SharedInformerFactory + namespace string + tweakListOptions internalinterfaces.TweakListOptionsFunc +} + +// New returns a new Interface. +func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakListOptions internalinterfaces.TweakListOptionsFunc) Interface { + return &version{factory: f, namespace: namespace, tweakListOptions: tweakListOptions} +} + +// OIDCClients returns a OIDCClientInformer. +func (v *version) OIDCClients() OIDCClientInformer { + return &oIDCClientInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions} +} diff --git a/generated/1.22/client/supervisor/informers/externalversions/oauth/v1alpha1/oidcclient.go b/generated/1.22/client/supervisor/informers/externalversions/oauth/v1alpha1/oidcclient.go new file mode 100644 index 00000000..73fd8a10 --- /dev/null +++ b/generated/1.22/client/supervisor/informers/externalversions/oauth/v1alpha1/oidcclient.go 
@@ -0,0 +1,77 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by informer-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + "context" + time "time" + + oauthv1alpha1 "go.pinniped.dev/generated/1.22/apis/supervisor/oauth/v1alpha1" + versioned "go.pinniped.dev/generated/1.22/client/supervisor/clientset/versioned" + internalinterfaces "go.pinniped.dev/generated/1.22/client/supervisor/informers/externalversions/internalinterfaces" + v1alpha1 "go.pinniped.dev/generated/1.22/client/supervisor/listers/oauth/v1alpha1" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + runtime "k8s.io/apimachinery/pkg/runtime" + watch "k8s.io/apimachinery/pkg/watch" + cache "k8s.io/client-go/tools/cache" +) + +// OIDCClientInformer provides access to a shared informer and lister for +// OIDCClients. +type OIDCClientInformer interface { + Informer() cache.SharedIndexInformer + Lister() v1alpha1.OIDCClientLister +} + +type oIDCClientInformer struct { + factory internalinterfaces.SharedInformerFactory + tweakListOptions internalinterfaces.TweakListOptionsFunc + namespace string +} + +// NewOIDCClientInformer constructs a new informer for OIDCClient type. +// Always prefer using an informer factory to get a shared informer instead of getting an independent +// one. This reduces memory footprint and number of connections to the server. +func NewOIDCClientInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer { + return NewFilteredOIDCClientInformer(client, namespace, resyncPeriod, indexers, nil) +} + +// NewFilteredOIDCClientInformer constructs a new informer for OIDCClient type. +// Always prefer using an informer factory to get a shared informer instead of getting an independent +// one. This reduces memory footprint and number of connections to the server. 
+func NewFilteredOIDCClientInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer { + return cache.NewSharedIndexInformer( + &cache.ListWatch{ + ListFunc: func(options v1.ListOptions) (runtime.Object, error) { + if tweakListOptions != nil { + tweakListOptions(&options) + } + return client.OauthV1alpha1().OIDCClients(namespace).List(context.TODO(), options) + }, + WatchFunc: func(options v1.ListOptions) (watch.Interface, error) { + if tweakListOptions != nil { + tweakListOptions(&options) + } + return client.OauthV1alpha1().OIDCClients(namespace).Watch(context.TODO(), options) + }, + }, + &oauthv1alpha1.OIDCClient{}, + resyncPeriod, + indexers, + ) +} + +func (f *oIDCClientInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer { + return NewFilteredOIDCClientInformer(client, f.namespace, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions) +} + +func (f *oIDCClientInformer) Informer() cache.SharedIndexInformer { + return f.factory.InformerFor(&oauthv1alpha1.OIDCClient{}, f.defaultInformer) +} + +func (f *oIDCClientInformer) Lister() v1alpha1.OIDCClientLister { + return v1alpha1.NewOIDCClientLister(f.Informer().GetIndexer()) +} diff --git a/generated/1.22/client/supervisor/listers/oauth/v1alpha1/expansion_generated.go b/generated/1.22/client/supervisor/listers/oauth/v1alpha1/expansion_generated.go new file mode 100644 index 00000000..c19310da --- /dev/null +++ b/generated/1.22/client/supervisor/listers/oauth/v1alpha1/expansion_generated.go 
@@ -0,0 +1,14 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by lister-gen. DO NOT EDIT. + +package v1alpha1 + +// OIDCClientListerExpansion allows custom methods to be added to +// OIDCClientLister. +type OIDCClientListerExpansion interface{} + +// OIDCClientNamespaceListerExpansion allows custom methods to be added to +// OIDCClientNamespaceLister. +type OIDCClientNamespaceListerExpansion interface{} diff --git a/generated/1.22/client/supervisor/listers/oauth/v1alpha1/oidcclient.go b/generated/1.22/client/supervisor/listers/oauth/v1alpha1/oidcclient.go new file mode 100644 index 00000000..e73a2114 --- /dev/null +++ b/generated/1.22/client/supervisor/listers/oauth/v1alpha1/oidcclient.go 
@@ -0,0 +1,86 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by lister-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + v1alpha1 "go.pinniped.dev/generated/1.22/apis/supervisor/oauth/v1alpha1" + "k8s.io/apimachinery/pkg/api/errors" + "k8s.io/apimachinery/pkg/labels" + "k8s.io/client-go/tools/cache" +) + +// OIDCClientLister helps list OIDCClients. +// All objects returned here must be treated as read-only. +type OIDCClientLister interface { + // List lists all OIDCClients in the indexer. + // Objects returned here must be treated as read-only. + List(selector labels.Selector) (ret []*v1alpha1.OIDCClient, err error) + // OIDCClients returns an object that can list and get OIDCClients. + OIDCClients(namespace string) OIDCClientNamespaceLister + OIDCClientListerExpansion +} + +// oIDCClientLister implements the OIDCClientLister interface. +type oIDCClientLister struct { + indexer cache.Indexer +} + +// NewOIDCClientLister returns a new OIDCClientLister. +func NewOIDCClientLister(indexer cache.Indexer) OIDCClientLister { + return &oIDCClientLister{indexer: indexer} +} + +// List lists all OIDCClients in the indexer. +func (s *oIDCClientLister) List(selector labels.Selector) (ret []*v1alpha1.OIDCClient, err error) { + err = cache.ListAll(s.indexer, selector, func(m interface{}) { + ret = append(ret, m.(*v1alpha1.OIDCClient)) + }) + return ret, err +} + +// OIDCClients returns an object that can list and get OIDCClients. +func (s *oIDCClientLister) OIDCClients(namespace string) OIDCClientNamespaceLister { + return oIDCClientNamespaceLister{indexer: s.indexer, namespace: namespace} +} + +// OIDCClientNamespaceLister helps list and get OIDCClients. +// All objects returned here must be treated as read-only. +type OIDCClientNamespaceLister interface { + // List lists all OIDCClients in the indexer for a given namespace. + // Objects returned here must be treated as read-only. 
+ List(selector labels.Selector) (ret []*v1alpha1.OIDCClient, err error) + // Get retrieves the OIDCClient from the indexer for a given namespace and name. + // Objects returned here must be treated as read-only. + Get(name string) (*v1alpha1.OIDCClient, error) + OIDCClientNamespaceListerExpansion +} + +// oIDCClientNamespaceLister implements the OIDCClientNamespaceLister +// interface. +type oIDCClientNamespaceLister struct { + indexer cache.Indexer + namespace string +} + +// List lists all OIDCClients in the indexer for a given namespace. +func (s oIDCClientNamespaceLister) List(selector labels.Selector) (ret []*v1alpha1.OIDCClient, err error) { + err = cache.ListAllByNamespace(s.indexer, s.namespace, selector, func(m interface{}) { + ret = append(ret, m.(*v1alpha1.OIDCClient)) + }) + return ret, err +} + +// Get retrieves the OIDCClient from the indexer for a given namespace and name. +func (s oIDCClientNamespaceLister) Get(name string) (*v1alpha1.OIDCClient, error) { + obj, exists, err := s.indexer.GetByKey(s.namespace + "/" + name) + if err != nil { + return nil, err + } + if !exists { + return nil, errors.NewNotFound(v1alpha1.Resource("oidcclient"), name) + } + return obj.(*v1alpha1.OIDCClient), nil +} diff --git a/generated/1.22/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml b/generated/1.22/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml new file mode 100644 index 00000000..0b4ee157 --- /dev/null +++ b/generated/1.22/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml 
@@ -0,0 +1,121 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.8.0 + creationTimestamp: null + name: oidcclients.oauth.supervisor.pinniped.dev +spec: + group: oauth.supervisor.pinniped.dev + names: + categories: + - pinniped + kind: OIDCClient + listKind: OIDCClientList + plural: oidcclients + singular: oidcclient + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: '{range .spec.allowedScopes[?(@ == "pinniped:request-audience")]}{true}{end}{false}' + name: Privileged + type: boolean + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: OIDCClient describes the configuration of an OIDC client. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec of the OIDC provider. + properties: + allowedGrantTypes: + description: "allowedGrantTypes is a list of the allowed grant_type + param values that should be accepted during OIDC flows with this + client. \n Must only contain the following values: - authorization_code: + allows the client to perform the authorization code grant flow, + i.e. allows the webapp to authenticate users. This grant must always + be listed. 
- refresh_token: allows the client to perform refresh + grants for the user to extend the user's session. This grant must + be listed if allowedScopes lists offline_access. - urn:ietf:params:oauth:grant-type:token-exchange: + allows the client to perform RFC8693 token exchange, which is a + step in the process to be able to get a cluster credential for the + user. This grant must be listed if allowedScopes lists pinniped:request-audience." + items: + type: string + minItems: 1 + type: array + uniqueItems: true + allowedRedirectURIs: + description: allowedRedirectURIs is a list of the allowed redirect_uri + param values that should be accepted during OIDC flows with this + client. Any other uris will be rejected. Must be https, unless it + is a loopback. + items: + type: string + minItems: 1 + type: array + uniqueItems: true + allowedScopes: + description: "allowedScopes is a list of the allowed scopes param + values that should be accepted during OIDC flows with this client. + \n Must only contain the following values: - openid: The client + is allowed to request ID tokens. ID tokens only include the required + claims by default (iss, sub, aud, exp, iat). This scope must always + be listed. - offline_access: The client is allowed to request an + initial refresh token during the authorization code grant flow. + This scope must be listed if allowedGrantTypes lists refresh_token. + - pinniped:request-audience: The client is allowed to request a + new audience value during a RFC8693 token exchange, which is a step + in the process to be able to get a cluster credential for the user. + openid, username and groups scopes must be listed when this scope + is present. This scope must be listed if allowedGrantTypes lists + urn:ietf:params:oauth:grant-type:token-exchange. - username: The + client is allowed to request that ID tokens contain the user's username. + Without the username scope being requested and allowed, the ID token + will not contain the user's username. 
- groups: The client is allowed + to request that ID tokens contain the user's group membership, if + their group membership is discoverable by the Supervisor. Without + the groups scope being requested and allowed, the ID token will + not contain groups." + items: + type: string + minItems: 1 + type: array + uniqueItems: true + required: + - allowedGrantTypes + - allowedRedirectURIs + - allowedScopes + type: object + status: + description: Status of the OIDC provider. + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/generated/1.23/README.adoc b/generated/1.23/README.adoc index 9d67cb25..b7eddf16 100644 --- a/generated/1.23/README.adoc +++ b/generated/1.23/README.adoc @@ -12,6 +12,7 @@ - xref:{anchor_prefix}-identity-concierge-pinniped-dev-v1alpha1[$$identity.concierge.pinniped.dev/v1alpha1$$] - xref:{anchor_prefix}-idp-supervisor-pinniped-dev-v1alpha1[$$idp.supervisor.pinniped.dev/v1alpha1$$] - xref:{anchor_prefix}-login-concierge-pinniped-dev-v1alpha1[$$login.concierge.pinniped.dev/v1alpha1$$] +- xref:{anchor_prefix}-oauth-supervisor-pinniped-dev-v1alpha1[$$oauth.supervisor.pinniped.dev/v1alpha1$$] [id="{anchor_prefix}-authentication-concierge-pinniped-dev-v1alpha1"] 
@@ -1332,3 +1333,56 @@ TokenCredentialRequestStatus is the status of a TokenCredentialRequest, returned |=== + +[id="{anchor_prefix}-oauth-supervisor-pinniped-dev-v1alpha1"] +=== oauth.supervisor.pinniped.dev/v1alpha1 + +Package v1alpha1 is the v1alpha1 version of the Pinniped supervisor oauth API. + + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-oauth-v1alpha1-oidcclient"] +==== OIDCClient + +OIDCClient describes the configuration of an OIDC client. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-oauth-v1alpha1-oidcclientlist[$$OIDCClientList$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`. + +| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-oauth-v1alpha1-oidcclientspec[$$OIDCClientSpec$$]__ | Spec of the OIDC provider. +| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-oauth-v1alpha1-oidcclientstatus[$$OIDCClientStatus$$]__ | Status of the OIDC provider. +|=== + + + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-oauth-v1alpha1-oidcclientspec"] +==== OIDCClientSpec + +OIDCClientSpec is a struct that describes an OIDC Client. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-oauth-v1alpha1-oidcclient[$$OIDCClient$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`allowedRedirectURIs`* __string array__ | allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this client. Any other uris will be rejected. Must be https, unless it is a loopback. 
+| *`allowedGrantTypes`* __string array__ | allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this client. + Must only contain the following values: - authorization_code: allows the client to perform the authorization code grant flow, i.e. allows the webapp to authenticate users. This grant must always be listed. - refresh_token: allows the client to perform refresh grants for the user to extend the user's session. This grant must be listed if allowedScopes lists offline_access. - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. This grant must be listed if allowedScopes lists pinniped:request-audience. +| *`allowedScopes`* __string array__ | allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. + Must only contain the following values: - openid: The client is allowed to request ID tokens. ID tokens only include the required claims by default (iss, sub, aud, exp, iat). This scope must always be listed. - offline_access: The client is allowed to request an initial refresh token during the authorization code grant flow. This scope must be listed if allowedGrantTypes lists refresh_token. - pinniped:request-audience: The client is allowed to request a new audience value during a RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. openid, username and groups scopes must be listed when this scope is present. This scope must be listed if allowedGrantTypes lists urn:ietf:params:oauth:grant-type:token-exchange. - username: The client is allowed to request that ID tokens contain the user's username. Without the username scope being requested and allowed, the ID token will not contain the user's username. 
- groups: The client is allowed to request that ID tokens contain the user's group membership, if their group membership is discoverable by the Supervisor. Without the groups scope being requested and allowed, the ID token will not contain groups. +|=== + + + + diff --git a/generated/1.23/apis/supervisor/oauth/v1alpha1/doc.go b/generated/1.23/apis/supervisor/oauth/v1alpha1/doc.go new file mode 100644 index 00000000..75580481 --- /dev/null +++ b/generated/1.23/apis/supervisor/oauth/v1alpha1/doc.go @@ -0,0 +1,10 @@ +// Copyright 2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// +k8s:openapi-gen=true +// +k8s:deepcopy-gen=package +// +k8s:defaulter-gen=TypeMeta +// +groupName=oauth.supervisor.pinniped.dev + +// Package v1alpha1 is the v1alpha1 version of the Pinniped supervisor oauth API. +package v1alpha1 diff --git a/generated/1.23/apis/supervisor/oauth/v1alpha1/register.go b/generated/1.23/apis/supervisor/oauth/v1alpha1/register.go new file mode 100644 index 00000000..37ae1fbf --- /dev/null +++ b/generated/1.23/apis/supervisor/oauth/v1alpha1/register.go 
@@ -0,0 +1,43 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import (
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/apimachinery/pkg/runtime"
+ "k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+const GroupName = "oauth.supervisor.pinniped.dev"
+
+// SchemeGroupVersion is group version used to register these objects.
+var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha1"}
+
+var (
+ SchemeBuilder runtime.SchemeBuilder
+ localSchemeBuilder = &SchemeBuilder
+ AddToScheme = localSchemeBuilder.AddToScheme
+)
+
+func init() {
+ // We only register manually written functions here. The registration of the
+ // generated functions takes place in the generated files. The separation
+ // makes the code compile even when the generated files are missing.
+ localSchemeBuilder.Register(addKnownTypes)
+}
+
+// Adds the list of known types to the given scheme.
+func addKnownTypes(scheme *runtime.Scheme) error {
+ scheme.AddKnownTypes(SchemeGroupVersion,
+ &OIDCClient{},
+ &OIDCClientList{},
+ )
+ metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
+ return nil
+}
+
+// Resource takes an unqualified resource and returns a Group qualified GroupResource.
+func Resource(resource string) schema.GroupResource {
+ return SchemeGroupVersion.WithResource(resource).GroupResource()
+}
diff --git a/generated/1.23/apis/supervisor/oauth/v1alpha1/types_oidcclient.go b/generated/1.23/apis/supervisor/oauth/v1alpha1/types_oidcclient.go
new file mode 100644
index 00000000..ee125443
--- /dev/null
+++ b/generated/1.23/apis/supervisor/oauth/v1alpha1/types_oidcclient.go
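Review bot: The exported names GroupName, SchemeBuilder and AddToScheme in this new file carry no doc comment, and the comment on addKnownTypes does not start with the function name, so doc-comment checks will flag the package. Suggest `// GroupName is the API group of the Supervisor's OAuth client resources.` above the const, a short comment on the `var (` block saying these are the scheme builder and AddToScheme hook for this group, and `// addKnownTypes adds the list of known types to the given scheme.` on the function. The same file appears to exist once per supported Kubernetes minor under generated/, so if it is produced from a template the wording should change there so every copy picks it up.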
@@ -0,0 +1,84 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import (
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// OIDCClientSpec is a struct that describes an OIDC Client.
+type OIDCClientSpec struct {
+ // allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this
+ // client. Any other uris will be rejected.
+ // Must be https, unless it is a loopback.
+ // +kubebuilder:validation:UniqueItems=true
+ // +kubebuilder:validation:MinItems=1
+ AllowedRedirectURIs []string `json:"allowedRedirectURIs"`
+
+ // allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this
+ // client.
+ //
+ // Must only contain the following values:
+ // - authorization_code: allows the client to perform the authorization code grant flow, i.e. allows the webapp to
+ // authenticate users. This grant must always be listed.
+ // - refresh_token: allows the client to perform refresh grants for the user to extend the user's session.
+ // This grant must be listed if allowedScopes lists offline_access.
+ // - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange,
+ // which is a step in the process to be able to get a cluster credential for the user.
+ // This grant must be listed if allowedScopes lists pinniped:request-audience.
+ // +kubebuilder:validation:UniqueItems=true
+ // +kubebuilder:validation:MinItems=1
+ AllowedGrantTypes []string `json:"allowedGrantTypes"`
+
+ // allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client.
+ //
+ // Must only contain the following values:
+ // - openid: The client is allowed to request ID tokens. ID tokens only include the required claims by default (iss, sub, aud, exp, iat).
+ // This scope must always be listed.
+ // - offline_access: The client is allowed to request an initial refresh token during the authorization code grant flow.
+ // This scope must be listed if allowedGrantTypes lists refresh_token.
+ // - pinniped:request-audience: The client is allowed to request a new audience value during a RFC8693 token exchange,
+ // which is a step in the process to be able to get a cluster credential for the user.
+ // openid, username and groups scopes must be listed when this scope is present.
+ // This scope must be listed if allowedGrantTypes lists urn:ietf:params:oauth:grant-type:token-exchange.
+ // - username: The client is allowed to request that ID tokens contain the user's username.
+ // Without the username scope being requested and allowed, the ID token will not contain the user's username.
+ // - groups: The client is allowed to request that ID tokens contain the user's group membership,
+ // if their group membership is discoverable by the Supervisor.
+ // Without the groups scope being requested and allowed, the ID token will not contain groups.
+ // +kubebuilder:validation:UniqueItems=true
+ // +kubebuilder:validation:MinItems=1
+ AllowedScopes []string `json:"allowedScopes"`
+}
+
+// OIDCClientStatus is a struct that describes the actual state of an OIDC Client.
+type OIDCClientStatus struct {
+}
+
+// OIDCClient describes the configuration of an OIDC client.
+// +genclient
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+// +kubebuilder:resource:categories=pinniped
+// +kubebuilder:printcolumn:name="Privileged",type=boolean,JSONPath=`{range .spec.allowedScopes[?(@ == "pinniped:request-audience")]}{true}{end}{false}`
+// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
+// +kubebuilder:subresource:status
+type OIDCClient struct {
+ metav1.TypeMeta `json:",inline"`
+ metav1.ObjectMeta `json:"metadata,omitempty"`
+
+ // Spec of the OIDC provider.
+ Spec OIDCClientSpec `json:"spec"`
+
+ // Status of the OIDC provider.
+ Status OIDCClientStatus `json:"status,omitempty"`
+}
+
+// List of OIDCClient objects.
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+type OIDCClientList struct {
+ metav1.TypeMeta `json:",inline"`
+ metav1.ListMeta `json:"metadata,omitempty"`
+
+ Items []OIDCClient `json:"items"`
+}
diff --git a/generated/1.23/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go b/generated/1.23/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go
new file mode 100644
index 00000000..cb35cea5
--- /dev/null
+++ b/generated/1.23/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go
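Review bot: The comments on AllowedGrantTypes and AllowedScopes promise the lists "Must only contain the following values" and AllowedRedirectURIs says "Must be https, unless it is a loopback", but the only markers on the three fields are UniqueItems and MinItems, and the CRD this commit emits for them carries only `minItems: 1` / `uniqueItems: true`, so the API server will admit an OIDCClient with an unknown grant type, an unlisted scope or an http redirect URI; nothing visible in this commit rejects such a resource, which matters because these lists are what later gates token exchange and the privileged pinniped:request-audience scope. Unless the Supervisor is meant to validate at runtime (not shown here), consider moving the constraint into the schema by declaring named element types, e.g. `// +kubebuilder:validation:Enum="authorization_code";"refresh_token";"urn:ietf:params:oauth:grant-type:token-exchange"` above `type GrantType string` with `AllowedGrantTypes []GrantType`, the analogous Enum for scopes, and a `+kubebuilder:validation:Pattern` on a RedirectURI type for the https/loopback rule; otherwise the comments should say explicitly that the constraint is enforced by the Supervisor, not by the CRD. Separately, `// Spec of the OIDC provider.` and `// Status of the OIDC provider.` read as copied from another resource; this type is an OIDC client, so `// Spec of the OIDC client.` and `// Status of the OIDC client.`, and the same wording surfaces in the generated CRD description and README. If this file is produced from a template the fix belongs there so every generated copy picks it up.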
@@ -0,0 +1,121 @@ +//go:build !ignore_autogenerated +// +build !ignore_autogenerated + +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by deepcopy-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + runtime "k8s.io/apimachinery/pkg/runtime" +) + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCClient) DeepCopyInto(out *OIDCClient) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + in.Spec.DeepCopyInto(&out.Spec) + out.Status = in.Status + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClient. +func (in *OIDCClient) DeepCopy() *OIDCClient { + if in == nil { + return nil + } + out := new(OIDCClient) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *OIDCClient) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCClientList) DeepCopyInto(out *OIDCClientList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]OIDCClient, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientList. +func (in *OIDCClientList) DeepCopy() *OIDCClientList { + if in == nil { + return nil + } + out := new(OIDCClientList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. 
+func (in *OIDCClientList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCClientSpec) DeepCopyInto(out *OIDCClientSpec) { + *out = *in + if in.AllowedRedirectURIs != nil { + in, out := &in.AllowedRedirectURIs, &out.AllowedRedirectURIs + *out = make([]string, len(*in)) + copy(*out, *in) + } + if in.AllowedGrantTypes != nil { + in, out := &in.AllowedGrantTypes, &out.AllowedGrantTypes + *out = make([]string, len(*in)) + copy(*out, *in) + } + if in.AllowedScopes != nil { + in, out := &in.AllowedScopes, &out.AllowedScopes + *out = make([]string, len(*in)) + copy(*out, *in) + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSpec. +func (in *OIDCClientSpec) DeepCopy() *OIDCClientSpec { + if in == nil { + return nil + } + out := new(OIDCClientSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCClientStatus) DeepCopyInto(out *OIDCClientStatus) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientStatus. +func (in *OIDCClientStatus) DeepCopy() *OIDCClientStatus { + if in == nil { + return nil + } + out := new(OIDCClientStatus) + in.DeepCopyInto(out) + return out +} diff --git a/generated/1.23/client/supervisor/clientset/versioned/clientset.go b/generated/1.23/client/supervisor/clientset/versioned/clientset.go index b36adb5b..b0f81c08 100644 --- a/generated/1.23/client/supervisor/clientset/versioned/clientset.go +++ b/generated/1.23/client/supervisor/clientset/versioned/clientset.go 
@@ -11,6 +11,7 @@ import ( configv1alpha1 "go.pinniped.dev/generated/1.23/client/supervisor/clientset/versioned/typed/config/v1alpha1" idpv1alpha1 "go.pinniped.dev/generated/1.23/client/supervisor/clientset/versioned/typed/idp/v1alpha1" + oauthv1alpha1 "go.pinniped.dev/generated/1.23/client/supervisor/clientset/versioned/typed/oauth/v1alpha1" discovery "k8s.io/client-go/discovery" rest "k8s.io/client-go/rest" flowcontrol "k8s.io/client-go/util/flowcontrol" @@ -20,6 +21,7 @@ type Interface interface { Discovery() discovery.DiscoveryInterface ConfigV1alpha1() configv1alpha1.ConfigV1alpha1Interface IDPV1alpha1() idpv1alpha1.IDPV1alpha1Interface + OauthV1alpha1() oauthv1alpha1.OauthV1alpha1Interface } // Clientset contains the clients for groups. Each group has exactly one @@ -28,6 +30,7 @@ type Clientset struct { *discovery.DiscoveryClient configV1alpha1 *configv1alpha1.ConfigV1alpha1Client iDPV1alpha1 *idpv1alpha1.IDPV1alpha1Client + oauthV1alpha1 *oauthv1alpha1.OauthV1alpha1Client } // ConfigV1alpha1 retrieves the ConfigV1alpha1Client @@ -40,6 +43,11 @@ func (c *Clientset) IDPV1alpha1() idpv1alpha1.IDPV1alpha1Interface { return c.iDPV1alpha1 } +// OauthV1alpha1 retrieves the OauthV1alpha1Client +func (c *Clientset) OauthV1alpha1() oauthv1alpha1.OauthV1alpha1Interface { + return c.oauthV1alpha1 +} + // Discovery retrieves the DiscoveryClient func (c *Clientset) Discovery() discovery.DiscoveryInterface { if c == nil { @@ -88,6 +96,10 @@ func NewForConfigAndClient(c *rest.Config, httpClient *http.Client) (*Clientset, if err != nil { return nil, err } + cs.oauthV1alpha1, err = oauthv1alpha1.NewForConfigAndClient(&configShallowCopy, httpClient) + if err != nil { + return nil, err + } cs.DiscoveryClient, err = discovery.NewDiscoveryClientForConfigAndClient(&configShallowCopy, httpClient) if err != nil { 
@@ -111,6 +123,7 @@ func New(c rest.Interface) *Clientset { var cs Clientset cs.configV1alpha1 = configv1alpha1.New(c) cs.iDPV1alpha1 = idpv1alpha1.New(c) + cs.oauthV1alpha1 = oauthv1alpha1.New(c) cs.DiscoveryClient = discovery.NewDiscoveryClient(c) return &cs diff --git a/generated/1.23/client/supervisor/clientset/versioned/fake/clientset_generated.go b/generated/1.23/client/supervisor/clientset/versioned/fake/clientset_generated.go index 0c53ef8d..26e5ff04 100644 --- a/generated/1.23/client/supervisor/clientset/versioned/fake/clientset_generated.go +++ b/generated/1.23/client/supervisor/clientset/versioned/fake/clientset_generated.go @@ -11,6 +11,8 @@ import ( fakeconfigv1alpha1 "go.pinniped.dev/generated/1.23/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake" idpv1alpha1 "go.pinniped.dev/generated/1.23/client/supervisor/clientset/versioned/typed/idp/v1alpha1" fakeidpv1alpha1 "go.pinniped.dev/generated/1.23/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake" + oauthv1alpha1 "go.pinniped.dev/generated/1.23/client/supervisor/clientset/versioned/typed/oauth/v1alpha1" + fakeoauthv1alpha1 "go.pinniped.dev/generated/1.23/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake" "k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/watch" "k8s.io/client-go/discovery" @@ -77,3 +79,8 @@ func (c *Clientset) ConfigV1alpha1() configv1alpha1.ConfigV1alpha1Interface { func (c *Clientset) IDPV1alpha1() idpv1alpha1.IDPV1alpha1Interface { return &fakeidpv1alpha1.FakeIDPV1alpha1{Fake: &c.Fake} } + +// OauthV1alpha1 retrieves the OauthV1alpha1Client +func (c *Clientset) OauthV1alpha1() oauthv1alpha1.OauthV1alpha1Interface { + return &fakeoauthv1alpha1.FakeOauthV1alpha1{Fake: &c.Fake} +} diff --git a/generated/1.23/client/supervisor/clientset/versioned/fake/register.go b/generated/1.23/client/supervisor/clientset/versioned/fake/register.go index f46c7432..328aca4e 100644 --- a/generated/1.23/client/supervisor/clientset/versioned/fake/register.go 
+++ b/generated/1.23/client/supervisor/clientset/versioned/fake/register.go @@ -8,6 +8,7 @@ package fake import ( configv1alpha1 "go.pinniped.dev/generated/1.23/apis/supervisor/config/v1alpha1" idpv1alpha1 "go.pinniped.dev/generated/1.23/apis/supervisor/idp/v1alpha1" + oauthv1alpha1 "go.pinniped.dev/generated/1.23/apis/supervisor/oauth/v1alpha1" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" runtime "k8s.io/apimachinery/pkg/runtime" schema "k8s.io/apimachinery/pkg/runtime/schema" @@ -21,6 +22,7 @@ var codecs = serializer.NewCodecFactory(scheme) var localSchemeBuilder = runtime.SchemeBuilder{ configv1alpha1.AddToScheme, idpv1alpha1.AddToScheme, + oauthv1alpha1.AddToScheme, } // AddToScheme adds all types of this clientset into the given scheme. This allows composition diff --git a/generated/1.23/client/supervisor/clientset/versioned/scheme/register.go b/generated/1.23/client/supervisor/clientset/versioned/scheme/register.go index b251a20d..5d908f2e 100644 --- a/generated/1.23/client/supervisor/clientset/versioned/scheme/register.go +++ b/generated/1.23/client/supervisor/clientset/versioned/scheme/register.go @@ -8,6 +8,7 @@ package scheme import ( configv1alpha1 "go.pinniped.dev/generated/1.23/apis/supervisor/config/v1alpha1" idpv1alpha1 "go.pinniped.dev/generated/1.23/apis/supervisor/idp/v1alpha1" + oauthv1alpha1 "go.pinniped.dev/generated/1.23/apis/supervisor/oauth/v1alpha1" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" runtime "k8s.io/apimachinery/pkg/runtime" schema "k8s.io/apimachinery/pkg/runtime/schema" @@ -21,6 +22,7 @@ var ParameterCodec = runtime.NewParameterCodec(Scheme) var localSchemeBuilder = runtime.SchemeBuilder{ configv1alpha1.AddToScheme, idpv1alpha1.AddToScheme, + oauthv1alpha1.AddToScheme, } // AddToScheme adds all types of this clientset into the given scheme. This allows composition 
diff --git a/generated/1.23/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/doc.go b/generated/1.23/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/doc.go new file mode 100644 index 00000000..e7a470b6 --- /dev/null +++ b/generated/1.23/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/doc.go @@ -0,0 +1,7 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +// This package has the automatically generated typed clients. +package v1alpha1 diff --git a/generated/1.23/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go b/generated/1.23/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go new file mode 100644 index 00000000..7906901b --- /dev/null +++ b/generated/1.23/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go @@ -0,0 +1,7 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +// Package fake has the automatically generated clients. +package fake diff --git a/generated/1.23/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go b/generated/1.23/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go new file mode 100644 index 00000000..c5ce6f9b --- /dev/null +++ b/generated/1.23/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go 
@@ -0,0 +1,27 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package fake + +import ( + v1alpha1 "go.pinniped.dev/generated/1.23/client/supervisor/clientset/versioned/typed/oauth/v1alpha1" + rest "k8s.io/client-go/rest" + testing "k8s.io/client-go/testing" +) + +type FakeOauthV1alpha1 struct { + *testing.Fake +} + +func (c *FakeOauthV1alpha1) OIDCClients(namespace string) v1alpha1.OIDCClientInterface { + return &FakeOIDCClients{c, namespace} +} + +// RESTClient returns a RESTClient that is used to communicate +// with API server by this client implementation. +func (c *FakeOauthV1alpha1) RESTClient() rest.Interface { + var ret *rest.RESTClient + return ret +} diff --git a/generated/1.23/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oidcclient.go b/generated/1.23/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oidcclient.go new file mode 100644 index 00000000..34cf2735 --- /dev/null +++ b/generated/1.23/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oidcclient.go 
@@ -0,0 +1,129 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package fake + +import ( + "context" + + v1alpha1 "go.pinniped.dev/generated/1.23/apis/supervisor/oauth/v1alpha1" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + labels "k8s.io/apimachinery/pkg/labels" + schema "k8s.io/apimachinery/pkg/runtime/schema" + types "k8s.io/apimachinery/pkg/types" + watch "k8s.io/apimachinery/pkg/watch" + testing "k8s.io/client-go/testing" +) + +// FakeOIDCClients implements OIDCClientInterface +type FakeOIDCClients struct { + Fake *FakeOauthV1alpha1 + ns string +} + +var oidcclientsResource = schema.GroupVersionResource{Group: "oauth.supervisor.pinniped.dev", Version: "v1alpha1", Resource: "oidcclients"} + +var oidcclientsKind = schema.GroupVersionKind{Group: "oauth.supervisor.pinniped.dev", Version: "v1alpha1", Kind: "OIDCClient"} + +// Get takes name of the oIDCClient, and returns the corresponding oIDCClient object, and an error if there is any. +func (c *FakeOIDCClients) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.OIDCClient, err error) { + obj, err := c.Fake. + Invokes(testing.NewGetAction(oidcclientsResource, c.ns, name), &v1alpha1.OIDCClient{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.OIDCClient), err +} + +// List takes label and field selectors, and returns the list of OIDCClients that match those selectors. +func (c *FakeOIDCClients) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.OIDCClientList, err error) { + obj, err := c.Fake. 
+ Invokes(testing.NewListAction(oidcclientsResource, oidcclientsKind, c.ns, opts), &v1alpha1.OIDCClientList{}) + + if obj == nil { + return nil, err + } + + label, _, _ := testing.ExtractFromListOptions(opts) + if label == nil { + label = labels.Everything() + } + list := &v1alpha1.OIDCClientList{ListMeta: obj.(*v1alpha1.OIDCClientList).ListMeta} + for _, item := range obj.(*v1alpha1.OIDCClientList).Items { + if label.Matches(labels.Set(item.Labels)) { + list.Items = append(list.Items, item) + } + } + return list, err +} + +// Watch returns a watch.Interface that watches the requested oIDCClients. +func (c *FakeOIDCClients) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) { + return c.Fake. + InvokesWatch(testing.NewWatchAction(oidcclientsResource, c.ns, opts)) + +} + +// Create takes the representation of a oIDCClient and creates it. Returns the server's representation of the oIDCClient, and an error, if there is any. +func (c *FakeOIDCClients) Create(ctx context.Context, oIDCClient *v1alpha1.OIDCClient, opts v1.CreateOptions) (result *v1alpha1.OIDCClient, err error) { + obj, err := c.Fake. + Invokes(testing.NewCreateAction(oidcclientsResource, c.ns, oIDCClient), &v1alpha1.OIDCClient{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.OIDCClient), err +} + +// Update takes the representation of a oIDCClient and updates it. Returns the server's representation of the oIDCClient, and an error, if there is any. +func (c *FakeOIDCClients) Update(ctx context.Context, oIDCClient *v1alpha1.OIDCClient, opts v1.UpdateOptions) (result *v1alpha1.OIDCClient, err error) { + obj, err := c.Fake. + Invokes(testing.NewUpdateAction(oidcclientsResource, c.ns, oIDCClient), &v1alpha1.OIDCClient{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.OIDCClient), err +} + +// UpdateStatus was generated because the type contains a Status member. +// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus(). 
+func (c *FakeOIDCClients) UpdateStatus(ctx context.Context, oIDCClient *v1alpha1.OIDCClient, opts v1.UpdateOptions) (*v1alpha1.OIDCClient, error) { + obj, err := c.Fake. + Invokes(testing.NewUpdateSubresourceAction(oidcclientsResource, "status", c.ns, oIDCClient), &v1alpha1.OIDCClient{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.OIDCClient), err +} + +// Delete takes name of the oIDCClient and deletes it. Returns an error if one occurs. +func (c *FakeOIDCClients) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error { + _, err := c.Fake. + Invokes(testing.NewDeleteActionWithOptions(oidcclientsResource, c.ns, name, opts), &v1alpha1.OIDCClient{}) + + return err +} + +// DeleteCollection deletes a collection of objects. +func (c *FakeOIDCClients) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error { + action := testing.NewDeleteCollectionAction(oidcclientsResource, c.ns, listOpts) + + _, err := c.Fake.Invokes(action, &v1alpha1.OIDCClientList{}) + return err +} + +// Patch applies the patch and returns the patched oIDCClient. +func (c *FakeOIDCClients) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.OIDCClient, err error) { + obj, err := c.Fake. + Invokes(testing.NewPatchSubresourceAction(oidcclientsResource, c.ns, name, pt, data, subresources...), &v1alpha1.OIDCClient{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.OIDCClient), err +} diff --git a/generated/1.23/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go b/generated/1.23/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go new file mode 100644 index 00000000..87d22ea9 --- /dev/null +++ b/generated/1.23/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go 
@@ -0,0 +1,8 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package v1alpha1 + +type OIDCClientExpansion interface{} diff --git a/generated/1.23/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go b/generated/1.23/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go new file mode 100644 index 00000000..7891e154 --- /dev/null +++ b/generated/1.23/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go 
@@ -0,0 +1,94 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + "net/http" + + v1alpha1 "go.pinniped.dev/generated/1.23/apis/supervisor/oauth/v1alpha1" + "go.pinniped.dev/generated/1.23/client/supervisor/clientset/versioned/scheme" + rest "k8s.io/client-go/rest" +) + +type OauthV1alpha1Interface interface { + RESTClient() rest.Interface + OIDCClientsGetter +} + +// OauthV1alpha1Client is used to interact with features provided by the oauth.supervisor.pinniped.dev group. +type OauthV1alpha1Client struct { + restClient rest.Interface +} + +func (c *OauthV1alpha1Client) OIDCClients(namespace string) OIDCClientInterface { + return newOIDCClients(c, namespace) +} + +// NewForConfig creates a new OauthV1alpha1Client for the given config. +// NewForConfig is equivalent to NewForConfigAndClient(c, httpClient), +// where httpClient was generated with rest.HTTPClientFor(c). +func NewForConfig(c *rest.Config) (*OauthV1alpha1Client, error) { + config := *c + if err := setConfigDefaults(&config); err != nil { + return nil, err + } + httpClient, err := rest.HTTPClientFor(&config) + if err != nil { + return nil, err + } + return NewForConfigAndClient(&config, httpClient) +} + +// NewForConfigAndClient creates a new OauthV1alpha1Client for the given config and http client. +// Note the http client provided takes precedence over the configured transport values. +func NewForConfigAndClient(c *rest.Config, h *http.Client) (*OauthV1alpha1Client, error) { + config := *c + if err := setConfigDefaults(&config); err != nil { + return nil, err + } + client, err := rest.RESTClientForConfigAndClient(&config, h) + if err != nil { + return nil, err + } + return &OauthV1alpha1Client{client}, nil +} + +// NewForConfigOrDie creates a new OauthV1alpha1Client for the given config and +// panics if there is an error in the config. 
+func NewForConfigOrDie(c *rest.Config) *OauthV1alpha1Client { + client, err := NewForConfig(c) + if err != nil { + panic(err) + } + return client +} + +// New creates a new OauthV1alpha1Client for the given RESTClient. +func New(c rest.Interface) *OauthV1alpha1Client { + return &OauthV1alpha1Client{c} +} + +func setConfigDefaults(config *rest.Config) error { + gv := v1alpha1.SchemeGroupVersion + config.GroupVersion = &gv + config.APIPath = "/apis" + config.NegotiatedSerializer = scheme.Codecs.WithoutConversion() + + if config.UserAgent == "" { + config.UserAgent = rest.DefaultKubernetesUserAgent() + } + + return nil +} + +// RESTClient returns a RESTClient that is used to communicate +// with API server by this client implementation. +func (c *OauthV1alpha1Client) RESTClient() rest.Interface { + if c == nil { + return nil + } + return c.restClient +} diff --git a/generated/1.23/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oidcclient.go b/generated/1.23/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oidcclient.go new file mode 100644 index 00000000..18287fd4 --- /dev/null +++ b/generated/1.23/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oidcclient.go 
@@ -0,0 +1,182 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + "context" + "time" + + v1alpha1 "go.pinniped.dev/generated/1.23/apis/supervisor/oauth/v1alpha1" + scheme "go.pinniped.dev/generated/1.23/client/supervisor/clientset/versioned/scheme" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + types "k8s.io/apimachinery/pkg/types" + watch "k8s.io/apimachinery/pkg/watch" + rest "k8s.io/client-go/rest" +) + +// OIDCClientsGetter has a method to return a OIDCClientInterface. +// A group's client should implement this interface. +type OIDCClientsGetter interface { + OIDCClients(namespace string) OIDCClientInterface +} + +// OIDCClientInterface has methods to work with OIDCClient resources. +type OIDCClientInterface interface { + Create(ctx context.Context, oIDCClient *v1alpha1.OIDCClient, opts v1.CreateOptions) (*v1alpha1.OIDCClient, error) + Update(ctx context.Context, oIDCClient *v1alpha1.OIDCClient, opts v1.UpdateOptions) (*v1alpha1.OIDCClient, error) + UpdateStatus(ctx context.Context, oIDCClient *v1alpha1.OIDCClient, opts v1.UpdateOptions) (*v1alpha1.OIDCClient, error) + Delete(ctx context.Context, name string, opts v1.DeleteOptions) error + DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error + Get(ctx context.Context, name string, opts v1.GetOptions) (*v1alpha1.OIDCClient, error) + List(ctx context.Context, opts v1.ListOptions) (*v1alpha1.OIDCClientList, error) + Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) + Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.OIDCClient, err error) + OIDCClientExpansion +} + +// oIDCClients implements OIDCClientInterface +type oIDCClients struct { + client rest.Interface + ns string +} + +// newOIDCClients returns a OIDCClients +func 
newOIDCClients(c *OauthV1alpha1Client, namespace string) *oIDCClients { + return &oIDCClients{ + client: c.RESTClient(), + ns: namespace, + } +} + +// Get takes name of the oIDCClient, and returns the corresponding oIDCClient object, and an error if there is any. +func (c *oIDCClients) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.OIDCClient, err error) { + result = &v1alpha1.OIDCClient{} + err = c.client.Get(). + Namespace(c.ns). + Resource("oidcclients"). + Name(name). + VersionedParams(&options, scheme.ParameterCodec). + Do(ctx). + Into(result) + return +} + +// List takes label and field selectors, and returns the list of OIDCClients that match those selectors. +func (c *oIDCClients) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.OIDCClientList, err error) { + var timeout time.Duration + if opts.TimeoutSeconds != nil { + timeout = time.Duration(*opts.TimeoutSeconds) * time.Second + } + result = &v1alpha1.OIDCClientList{} + err = c.client.Get(). + Namespace(c.ns). + Resource("oidcclients"). + VersionedParams(&opts, scheme.ParameterCodec). + Timeout(timeout). + Do(ctx). + Into(result) + return +} + +// Watch returns a watch.Interface that watches the requested oIDCClients. +func (c *oIDCClients) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) { + var timeout time.Duration + if opts.TimeoutSeconds != nil { + timeout = time.Duration(*opts.TimeoutSeconds) * time.Second + } + opts.Watch = true + return c.client.Get(). + Namespace(c.ns). + Resource("oidcclients"). + VersionedParams(&opts, scheme.ParameterCodec). + Timeout(timeout). + Watch(ctx) +} + +// Create takes the representation of a oIDCClient and creates it. Returns the server's representation of the oIDCClient, and an error, if there is any. 
+func (c *oIDCClients) Create(ctx context.Context, oIDCClient *v1alpha1.OIDCClient, opts v1.CreateOptions) (result *v1alpha1.OIDCClient, err error) { + result = &v1alpha1.OIDCClient{} + err = c.client.Post(). + Namespace(c.ns). + Resource("oidcclients"). + VersionedParams(&opts, scheme.ParameterCodec). + Body(oIDCClient). + Do(ctx). + Into(result) + return +} + +// Update takes the representation of a oIDCClient and updates it. Returns the server's representation of the oIDCClient, and an error, if there is any. +func (c *oIDCClients) Update(ctx context.Context, oIDCClient *v1alpha1.OIDCClient, opts v1.UpdateOptions) (result *v1alpha1.OIDCClient, err error) { + result = &v1alpha1.OIDCClient{} + err = c.client.Put(). + Namespace(c.ns). + Resource("oidcclients"). + Name(oIDCClient.Name). + VersionedParams(&opts, scheme.ParameterCodec). + Body(oIDCClient). + Do(ctx). + Into(result) + return +} + +// UpdateStatus was generated because the type contains a Status member. +// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus(). +func (c *oIDCClients) UpdateStatus(ctx context.Context, oIDCClient *v1alpha1.OIDCClient, opts v1.UpdateOptions) (result *v1alpha1.OIDCClient, err error) { + result = &v1alpha1.OIDCClient{} + err = c.client.Put(). + Namespace(c.ns). + Resource("oidcclients"). + Name(oIDCClient.Name). + SubResource("status"). + VersionedParams(&opts, scheme.ParameterCodec). + Body(oIDCClient). + Do(ctx). + Into(result) + return +} + +// Delete takes name of the oIDCClient and deletes it. Returns an error if one occurs. +func (c *oIDCClients) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error { + return c.client.Delete(). + Namespace(c.ns). + Resource("oidcclients"). + Name(name). + Body(&opts). + Do(ctx). + Error() +} + +// DeleteCollection deletes a collection of objects. 
+func (c *oIDCClients) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error { + var timeout time.Duration + if listOpts.TimeoutSeconds != nil { + timeout = time.Duration(*listOpts.TimeoutSeconds) * time.Second + } + return c.client.Delete(). + Namespace(c.ns). + Resource("oidcclients"). + VersionedParams(&listOpts, scheme.ParameterCodec). + Timeout(timeout). + Body(&opts). + Do(ctx). + Error() +} + +// Patch applies the patch and returns the patched oIDCClient. +func (c *oIDCClients) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.OIDCClient, err error) { + result = &v1alpha1.OIDCClient{} + err = c.client.Patch(pt). + Namespace(c.ns). + Resource("oidcclients"). + Name(name). + SubResource(subresources...). + VersionedParams(&opts, scheme.ParameterCodec). + Body(data). + Do(ctx). + Into(result) + return +} diff --git a/generated/1.23/client/supervisor/informers/externalversions/factory.go b/generated/1.23/client/supervisor/informers/externalversions/factory.go index 25a2ea38..690cfe62 100644 --- a/generated/1.23/client/supervisor/informers/externalversions/factory.go +++ b/generated/1.23/client/supervisor/informers/externalversions/factory.go @@ -14,6 +14,7 @@ import ( config "go.pinniped.dev/generated/1.23/client/supervisor/informers/externalversions/config" idp "go.pinniped.dev/generated/1.23/client/supervisor/informers/externalversions/idp" internalinterfaces "go.pinniped.dev/generated/1.23/client/supervisor/informers/externalversions/internalinterfaces" + oauth "go.pinniped.dev/generated/1.23/client/supervisor/informers/externalversions/oauth" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" runtime "k8s.io/apimachinery/pkg/runtime" schema "k8s.io/apimachinery/pkg/runtime/schema" 
@@ -162,6 +163,7 @@ type SharedInformerFactory interface { Config() config.Interface IDP() idp.Interface + Oauth() oauth.Interface } func (f *sharedInformerFactory) Config() config.Interface { @@ -171,3 +173,7 @@ func (f *sharedInformerFactory) Config() config.Interface { func (f *sharedInformerFactory) IDP() idp.Interface { return idp.New(f, f.namespace, f.tweakListOptions) } + +func (f *sharedInformerFactory) Oauth() oauth.Interface { + return oauth.New(f, f.namespace, f.tweakListOptions) +} diff --git a/generated/1.23/client/supervisor/informers/externalversions/generic.go b/generated/1.23/client/supervisor/informers/externalversions/generic.go index efeda809..da434169 100644 --- a/generated/1.23/client/supervisor/informers/externalversions/generic.go +++ b/generated/1.23/client/supervisor/informers/externalversions/generic.go @@ -10,6 +10,7 @@ import ( v1alpha1 "go.pinniped.dev/generated/1.23/apis/supervisor/config/v1alpha1" idpv1alpha1 "go.pinniped.dev/generated/1.23/apis/supervisor/idp/v1alpha1" + oauthv1alpha1 "go.pinniped.dev/generated/1.23/apis/supervisor/oauth/v1alpha1" schema "k8s.io/apimachinery/pkg/runtime/schema" cache "k8s.io/client-go/tools/cache" ) @@ -52,6 +53,10 @@ func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource case idpv1alpha1.SchemeGroupVersion.WithResource("oidcidentityproviders"): return &genericInformer{resource: resource.GroupResource(), informer: f.IDP().V1alpha1().OIDCIdentityProviders().Informer()}, nil + // Group=oauth.supervisor.pinniped.dev, Version=v1alpha1 + case oauthv1alpha1.SchemeGroupVersion.WithResource("oidcclients"): + return &genericInformer{resource: resource.GroupResource(), informer: f.Oauth().V1alpha1().OIDCClients().Informer()}, nil + } return nil, fmt.Errorf("no informer found for %v", resource) 
diff --git a/generated/1.23/client/supervisor/informers/externalversions/oauth/interface.go b/generated/1.23/client/supervisor/informers/externalversions/oauth/interface.go new file mode 100644 index 00000000..f5bbdc54 --- /dev/null +++ b/generated/1.23/client/supervisor/informers/externalversions/oauth/interface.go @@ -0,0 +1,33 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by informer-gen. DO NOT EDIT. + +package oauth + +import ( + internalinterfaces "go.pinniped.dev/generated/1.23/client/supervisor/informers/externalversions/internalinterfaces" + v1alpha1 "go.pinniped.dev/generated/1.23/client/supervisor/informers/externalversions/oauth/v1alpha1" +) + +// Interface provides access to each of this group's versions. +type Interface interface { + // V1alpha1 provides access to shared informers for resources in V1alpha1. + V1alpha1() v1alpha1.Interface +} + +type group struct { + factory internalinterfaces.SharedInformerFactory + namespace string + tweakListOptions internalinterfaces.TweakListOptionsFunc +} + +// New returns a new Interface. +func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakListOptions internalinterfaces.TweakListOptionsFunc) Interface { + return &group{factory: f, namespace: namespace, tweakListOptions: tweakListOptions} +} + +// V1alpha1 returns a new v1alpha1.Interface. +func (g *group) V1alpha1() v1alpha1.Interface { + return v1alpha1.New(g.factory, g.namespace, g.tweakListOptions) +} diff --git a/generated/1.23/client/supervisor/informers/externalversions/oauth/v1alpha1/interface.go b/generated/1.23/client/supervisor/informers/externalversions/oauth/v1alpha1/interface.go new file mode 100644 index 00000000..6d128bf0 --- /dev/null +++ b/generated/1.23/client/supervisor/informers/externalversions/oauth/v1alpha1/interface.go 
@@ -0,0 +1,32 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by informer-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + internalinterfaces "go.pinniped.dev/generated/1.23/client/supervisor/informers/externalversions/internalinterfaces" +) + +// Interface provides access to all the informers in this group version. +type Interface interface { + // OIDCClients returns a OIDCClientInformer. + OIDCClients() OIDCClientInformer +} + +type version struct { + factory internalinterfaces.SharedInformerFactory + namespace string + tweakListOptions internalinterfaces.TweakListOptionsFunc +} + +// New returns a new Interface. +func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakListOptions internalinterfaces.TweakListOptionsFunc) Interface { + return &version{factory: f, namespace: namespace, tweakListOptions: tweakListOptions} +} + +// OIDCClients returns a OIDCClientInformer. +func (v *version) OIDCClients() OIDCClientInformer { + return &oIDCClientInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions} +} diff --git a/generated/1.23/client/supervisor/informers/externalversions/oauth/v1alpha1/oidcclient.go b/generated/1.23/client/supervisor/informers/externalversions/oauth/v1alpha1/oidcclient.go new file mode 100644 index 00000000..a7fdc001 --- /dev/null +++ b/generated/1.23/client/supervisor/informers/externalversions/oauth/v1alpha1/oidcclient.go 
@@ -0,0 +1,77 @@
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by informer-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+ "context"
+ time "time"
+
+ oauthv1alpha1 "go.pinniped.dev/generated/1.23/apis/supervisor/oauth/v1alpha1"
+ versioned "go.pinniped.dev/generated/1.23/client/supervisor/clientset/versioned"
+ internalinterfaces "go.pinniped.dev/generated/1.23/client/supervisor/informers/externalversions/internalinterfaces"
+ v1alpha1 "go.pinniped.dev/generated/1.23/client/supervisor/listers/oauth/v1alpha1"
+ v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ runtime "k8s.io/apimachinery/pkg/runtime"
+ watch "k8s.io/apimachinery/pkg/watch"
+ cache "k8s.io/client-go/tools/cache"
+)
+
+// OIDCClientInformer provides access to a shared informer and lister for
+// OIDCClients.
+type OIDCClientInformer interface {
+ Informer() cache.SharedIndexInformer
+ Lister() v1alpha1.OIDCClientLister
+}
+
+type oIDCClientInformer struct {
+ factory internalinterfaces.SharedInformerFactory
+ tweakListOptions internalinterfaces.TweakListOptionsFunc
+ namespace string
+}
+
+// NewOIDCClientInformer constructs a new informer for OIDCClient type.
+// Always prefer using an informer factory to get a shared informer instead of getting an independent
+// one. This reduces memory footprint and number of connections to the server.
+func NewOIDCClientInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer {
+ return NewFilteredOIDCClientInformer(client, namespace, resyncPeriod, indexers, nil)
+}
+
+// NewFilteredOIDCClientInformer constructs a new informer for OIDCClient type.
+// Always prefer using an informer factory to get a shared informer instead of getting an independent
+// one. This reduces memory footprint and number of connections to the server.
+func NewFilteredOIDCClientInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
+ return cache.NewSharedIndexInformer(
+ &cache.ListWatch{
+ ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
+ if tweakListOptions != nil {
+ tweakListOptions(&options)
+ }
+ return client.OauthV1alpha1().OIDCClients(namespace).List(context.TODO(), options)
+ },
+ WatchFunc: func(options v1.ListOptions) (watch.Interface, error) {
+ if tweakListOptions != nil {
+ tweakListOptions(&options)
+ }
+ return client.OauthV1alpha1().OIDCClients(namespace).Watch(context.TODO(), options)
+ },
+ },
+ &oauthv1alpha1.OIDCClient{},
+ resyncPeriod,
+ indexers,
+ )
+}
+
+func (f *oIDCClientInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer {
+ return NewFilteredOIDCClientInformer(client, f.namespace, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions)
+}
+
+func (f *oIDCClientInformer) Informer() cache.SharedIndexInformer {
+ return f.factory.InformerFor(&oauthv1alpha1.OIDCClient{}, f.defaultInformer)
+}
+
+func (f *oIDCClientInformer) Lister() v1alpha1.OIDCClientLister {
+ return v1alpha1.NewOIDCClientLister(f.Informer().GetIndexer())
+}
diff --git a/generated/1.23/client/supervisor/listers/oauth/v1alpha1/expansion_generated.go b/generated/1.23/client/supervisor/listers/oauth/v1alpha1/expansion_generated.go
new file mode 100644
index 00000000..c19310da
--- /dev/null
+++ b/generated/1.23/client/supervisor/listers/oauth/v1alpha1/expansion_generated.go
@@ -0,0 +1,14 @@
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by lister-gen. DO NOT EDIT.
+
+package v1alpha1
+
+// OIDCClientListerExpansion allows custom methods to be added to
+// OIDCClientLister.
+type OIDCClientListerExpansion interface{}
+
+// OIDCClientNamespaceListerExpansion allows custom methods to be added to
+// OIDCClientNamespaceLister.
+type OIDCClientNamespaceListerExpansion interface{}
diff --git a/generated/1.23/client/supervisor/listers/oauth/v1alpha1/oidcclient.go b/generated/1.23/client/supervisor/listers/oauth/v1alpha1/oidcclient.go
new file mode 100644
index 00000000..28d81d93
--- /dev/null
+++ b/generated/1.23/client/supervisor/listers/oauth/v1alpha1/oidcclient.go
@@ -0,0 +1,86 @@
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by lister-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+ v1alpha1 "go.pinniped.dev/generated/1.23/apis/supervisor/oauth/v1alpha1"
+ "k8s.io/apimachinery/pkg/api/errors"
+ "k8s.io/apimachinery/pkg/labels"
+ "k8s.io/client-go/tools/cache"
+)
+
+// OIDCClientLister helps list OIDCClients.
+// All objects returned here must be treated as read-only.
+type OIDCClientLister interface {
+ // List lists all OIDCClients in the indexer.
+ // Objects returned here must be treated as read-only.
+ List(selector labels.Selector) (ret []*v1alpha1.OIDCClient, err error)
+ // OIDCClients returns an object that can list and get OIDCClients.
+ OIDCClients(namespace string) OIDCClientNamespaceLister
+ OIDCClientListerExpansion
+}
+
+// oIDCClientLister implements the OIDCClientLister interface.
+type oIDCClientLister struct {
+ indexer cache.Indexer
+}
+
+// NewOIDCClientLister returns a new OIDCClientLister.
+func NewOIDCClientLister(indexer cache.Indexer) OIDCClientLister {
+ return &oIDCClientLister{indexer: indexer}
+}
+
+// List lists all OIDCClients in the indexer.
+func (s *oIDCClientLister) List(selector labels.Selector) (ret []*v1alpha1.OIDCClient, err error) {
+ err = cache.ListAll(s.indexer, selector, func(m interface{}) {
+ ret = append(ret, m.(*v1alpha1.OIDCClient))
+ })
+ return ret, err
+}
+
+// OIDCClients returns an object that can list and get OIDCClients.
+func (s *oIDCClientLister) OIDCClients(namespace string) OIDCClientNamespaceLister {
+ return oIDCClientNamespaceLister{indexer: s.indexer, namespace: namespace}
+}
+
+// OIDCClientNamespaceLister helps list and get OIDCClients.
+// All objects returned here must be treated as read-only.
+type OIDCClientNamespaceLister interface {
+ // List lists all OIDCClients in the indexer for a given namespace.
+ // Objects returned here must be treated as read-only.
+ List(selector labels.Selector) (ret []*v1alpha1.OIDCClient, err error)
+ // Get retrieves the OIDCClient from the indexer for a given namespace and name.
+ // Objects returned here must be treated as read-only.
+ Get(name string) (*v1alpha1.OIDCClient, error)
+ OIDCClientNamespaceListerExpansion
+}
+
+// oIDCClientNamespaceLister implements the OIDCClientNamespaceLister
+// interface.
+type oIDCClientNamespaceLister struct {
+ indexer cache.Indexer
+ namespace string
+}
+
+// List lists all OIDCClients in the indexer for a given namespace.
+func (s oIDCClientNamespaceLister) List(selector labels.Selector) (ret []*v1alpha1.OIDCClient, err error) {
+ err = cache.ListAllByNamespace(s.indexer, s.namespace, selector, func(m interface{}) {
+ ret = append(ret, m.(*v1alpha1.OIDCClient))
+ })
+ return ret, err
+}
+
+// Get retrieves the OIDCClient from the indexer for a given namespace and name.
+func (s oIDCClientNamespaceLister) Get(name string) (*v1alpha1.OIDCClient, error) {
+ obj, exists, err := s.indexer.GetByKey(s.namespace + "/" + name)
+ if err != nil {
+ return nil, err
+ }
+ if !exists {
+ return nil, errors.NewNotFound(v1alpha1.Resource("oidcclient"), name)
+ }
+ return obj.(*v1alpha1.OIDCClient), nil
+}
diff --git a/generated/1.23/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml b/generated/1.23/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml
new file mode 100644
index 00000000..0b4ee157
--- /dev/null
+++ b/generated/1.23/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml
@@ -0,0 +1,121 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.8.0
+ creationTimestamp: null
+ name: oidcclients.oauth.supervisor.pinniped.dev
+spec:
+ group: oauth.supervisor.pinniped.dev
+ names:
+ categories:
+ - pinniped
+ kind: OIDCClient
+ listKind: OIDCClientList
+ plural: oidcclients
+ singular: oidcclient
+ scope: Namespaced
+ versions:
+ - additionalPrinterColumns:
+ - jsonPath: '{range .spec.allowedScopes[?(@ == "pinniped:request-audience")]}{true}{end}{false}'
+ name: Privileged
+ type: boolean
+ - jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ name: v1alpha1
+ schema:
+ openAPIV3Schema:
+ description: OIDCClient describes the configuration of an OIDC client.
+ properties:
+ apiVersion:
+ description: 'APIVersion defines the versioned schema of this representation
+ of an object. Servers should convert recognized schemas to the latest
+ internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ type: string
+ kind:
+ description: 'Kind is a string value representing the REST resource this
+ object represents. Servers may infer this from the endpoint the client
+ submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: Spec of the OIDC provider.
+ properties:
+ allowedGrantTypes:
+ description: "allowedGrantTypes is a list of the allowed grant_type
+ param values that should be accepted during OIDC flows with this
+ client. \n Must only contain the following values: - authorization_code:
+ allows the client to perform the authorization code grant flow,
+ i.e. allows the webapp to authenticate users. This grant must always
+ be listed.
- refresh_token: allows the client to perform refresh
+ grants for the user to extend the user's session. This grant must
+ be listed if allowedScopes lists offline_access. - urn:ietf:params:oauth:grant-type:token-exchange:
+ allows the client to perform RFC8693 token exchange, which is a
+ step in the process to be able to get a cluster credential for the
+ user. This grant must be listed if allowedScopes lists pinniped:request-audience."
+ items:
+ type: string
+ minItems: 1
+ type: array
+ uniqueItems: true
+ allowedRedirectURIs:
+ description: allowedRedirectURIs is a list of the allowed redirect_uri
+ param values that should be accepted during OIDC flows with this
+ client. Any other uris will be rejected. Must be https, unless it
+ is a loopback.
+ items:
+ type: string
+ minItems: 1
+ type: array
+ uniqueItems: true
+ allowedScopes:
+ description: "allowedScopes is a list of the allowed scopes param
+ values that should be accepted during OIDC flows with this client.
+ \n Must only contain the following values: - openid: The client
+ is allowed to request ID tokens. ID tokens only include the required
+ claims by default (iss, sub, aud, exp, iat). This scope must always
+ be listed. - offline_access: The client is allowed to request an
+ initial refresh token during the authorization code grant flow.
+ This scope must be listed if allowedGrantTypes lists refresh_token.
+ - pinniped:request-audience: The client is allowed to request a
+ new audience value during a RFC8693 token exchange, which is a step
+ in the process to be able to get a cluster credential for the user.
+ openid, username and groups scopes must be listed when this scope
+ is present. This scope must be listed if allowedGrantTypes lists
+ urn:ietf:params:oauth:grant-type:token-exchange. - username: The
+ client is allowed to request that ID tokens contain the user's username.
+ Without the username scope being requested and allowed, the ID token
+ will not contain the user's username.
- groups: The client is allowed
+ to request that ID tokens contain the user's group membership, if
+ their group membership is discoverable by the Supervisor. Without
+ the groups scope being requested and allowed, the ID token will
+ not contain groups."
+ items:
+ type: string
+ minItems: 1
+ type: array
+ uniqueItems: true
+ required:
+ - allowedGrantTypes
+ - allowedRedirectURIs
+ - allowedScopes
+ type: object
+ status:
+ description: Status of the OIDC provider.
+ type: object
+ required:
+ - spec
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
+status:
+ acceptedNames:
+ kind: ""
+ plural: ""
+ conditions: []
+ storedVersions: []
diff --git a/generated/latest/apis/supervisor/oauth/v1alpha1/doc.go b/generated/latest/apis/supervisor/oauth/v1alpha1/doc.go
new file mode 100644
index 00000000..75580481
--- /dev/null
+++ b/generated/latest/apis/supervisor/oauth/v1alpha1/doc.go
@@ -0,0 +1,10 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// +k8s:openapi-gen=true
+// +k8s:deepcopy-gen=package
+// +k8s:defaulter-gen=TypeMeta
+// +groupName=oauth.supervisor.pinniped.dev
+
+// Package v1alpha1 is the v1alpha1 version of the Pinniped supervisor oauth API.
+package v1alpha1
diff --git a/generated/latest/apis/supervisor/oauth/v1alpha1/register.go b/generated/latest/apis/supervisor/oauth/v1alpha1/register.go
new file mode 100644
index 00000000..37ae1fbf
--- /dev/null
+++ b/generated/latest/apis/supervisor/oauth/v1alpha1/register.go
@@ -0,0 +1,43 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import (
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/apimachinery/pkg/runtime"
+ "k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+const GroupName = "oauth.supervisor.pinniped.dev"
+
+// SchemeGroupVersion is group version used to register these objects.
+var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha1"}
+
+var (
+ SchemeBuilder runtime.SchemeBuilder
+ localSchemeBuilder = &SchemeBuilder
+ AddToScheme = localSchemeBuilder.AddToScheme
+)
+
+func init() {
+ // We only register manually written functions here. The registration of the
+ // generated functions takes place in the generated files. The separation
+ // makes the code compile even when the generated files are missing.
+ localSchemeBuilder.Register(addKnownTypes)
+}
+
+// Adds the list of known types to the given scheme.
+func addKnownTypes(scheme *runtime.Scheme) error {
+ scheme.AddKnownTypes(SchemeGroupVersion,
+ &OIDCClient{},
+ &OIDCClientList{},
+ )
+ metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
+ return nil
+}
+
+// Resource takes an unqualified resource and returns a Group qualified GroupResource.
+func Resource(resource string) schema.GroupResource {
+ return SchemeGroupVersion.WithResource(resource).GroupResource()
+}
diff --git a/generated/latest/apis/supervisor/oauth/v1alpha1/types_oidcclient.go b/generated/latest/apis/supervisor/oauth/v1alpha1/types_oidcclient.go
new file mode 100644
index 00000000..ee125443
--- /dev/null
+++ b/generated/latest/apis/supervisor/oauth/v1alpha1/types_oidcclient.go
@@ -0,0 +1,84 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import (
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// OIDCClientSpec is a struct that describes an OIDC Client.
+type OIDCClientSpec struct {
+ // allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this
+ // client. Any other uris will be rejected.
+ // Must be https, unless it is a loopback.
+ // +kubebuilder:validation:UniqueItems=true
+ // +kubebuilder:validation:MinItems=1
+ AllowedRedirectURIs []string `json:"allowedRedirectURIs"`
+
+ // allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this
+ // client.
+ //
+ // Must only contain the following values:
+ // - authorization_code: allows the client to perform the authorization code grant flow, i.e. allows the webapp to
+ // authenticate users. This grant must always be listed.
+ // - refresh_token: allows the client to perform refresh grants for the user to extend the user's session.
+ // This grant must be listed if allowedScopes lists offline_access.
+ // - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange,
+ // which is a step in the process to be able to get a cluster credential for the user.
+ // This grant must be listed if allowedScopes lists pinniped:request-audience.
+ // +kubebuilder:validation:UniqueItems=true
+ // +kubebuilder:validation:MinItems=1
+ AllowedGrantTypes []string `json:"allowedGrantTypes"`
+
+ // allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client.
+ //
+ // Must only contain the following values:
+ // - openid: The client is allowed to request ID tokens. ID tokens only include the required claims by default (iss, sub, aud, exp, iat).
+ // This scope must always be listed.
+ // - offline_access: The client is allowed to request an initial refresh token during the authorization code grant flow.
+ // This scope must be listed if allowedGrantTypes lists refresh_token.
+ // - pinniped:request-audience: The client is allowed to request a new audience value during a RFC8693 token exchange,
+ // which is a step in the process to be able to get a cluster credential for the user.
+ // openid, username and groups scopes must be listed when this scope is present.
+ // This scope must be listed if allowedGrantTypes lists urn:ietf:params:oauth:grant-type:token-exchange.
+ // - username: The client is allowed to request that ID tokens contain the user's username.
+ // Without the username scope being requested and allowed, the ID token will not contain the user's username.
+ // - groups: The client is allowed to request that ID tokens contain the user's group membership,
+ // if their group membership is discoverable by the Supervisor.
+ // Without the groups scope being requested and allowed, the ID token will not contain groups.
+ // +kubebuilder:validation:UniqueItems=true
+ // +kubebuilder:validation:MinItems=1
+ AllowedScopes []string `json:"allowedScopes"`
+}
+
+// OIDCClientStatus is a struct that describes the actual state of an OIDC Client.
+type OIDCClientStatus struct {
+}
+
+// OIDCClient describes the configuration of an OIDC client.
+// +genclient
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+// +kubebuilder:resource:categories=pinniped
+// +kubebuilder:printcolumn:name="Privileged",type=boolean,JSONPath=`{range .spec.allowedScopes[?(@ == "pinniped:request-audience")]}{true}{end}{false}`
+// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
+// +kubebuilder:subresource:status
+type OIDCClient struct {
+ metav1.TypeMeta `json:",inline"`
+ metav1.ObjectMeta `json:"metadata,omitempty"`
+
+ // Spec of the OIDC provider.
+ Spec OIDCClientSpec `json:"spec"`
+
+ // Status of the OIDC provider.
+ Status OIDCClientStatus `json:"status,omitempty"`
+}
+
+// List of OIDCClient objects.
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+type OIDCClientList struct {
+ metav1.TypeMeta `json:",inline"`
+ metav1.ListMeta `json:"metadata,omitempty"`
+
+ Items []OIDCClient `json:"items"`
+}
diff --git a/generated/latest/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go b/generated/latest/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go
new file mode 100644
index 00000000..cb35cea5
--- /dev/null
+++ b/generated/latest/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go
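Review bot: The rules stated in the field comments of OIDCClientSpec — redirect URIs must be https unless loopback, allowedGrantTypes and allowedScopes must only contain the listed values, and the cross-field dependencies between scopes and grant types — are not backed by any validation marker, so the API server will persist whatever strings a user supplies and nothing in this commit rejects them. A `+kubebuilder:validation:Enum` marker on AllowedGrantTypes and AllowedScopes (quoting the values that contain colons) would enforce the closed sets at admission time, while the https/loopback and cross-field rules presumably need a controller or admission webhook that is not part of this change; if that is planned, the comment should say so rather than stating the rule as if it were enforced. The comments `// Spec of the OIDC provider.` and `// Status of the OIDC provider.` are copy-paste errors for a type that describes an OIDC client and are already propagated into the generated CRD description; `// Spec of the OIDC client.` and `// Status of the OIDC client.` are the intended text. OIDCClientStatus is empty although `+kubebuilder:subresource:status` is set, so if validation ends up in a controller there is currently no conditions field in which to report its outcome.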
@@ -0,0 +1,121 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by deepcopy-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+ runtime "k8s.io/apimachinery/pkg/runtime"
+)
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OIDCClient) DeepCopyInto(out *OIDCClient) {
+ *out = *in
+ out.TypeMeta = in.TypeMeta
+ in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+ in.Spec.DeepCopyInto(&out.Spec)
+ out.Status = in.Status
+ return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClient.
+func (in *OIDCClient) DeepCopy() *OIDCClient {
+ if in == nil {
+ return nil
+ }
+ out := new(OIDCClient)
+ in.DeepCopyInto(out)
+ return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *OIDCClient) DeepCopyObject() runtime.Object {
+ if c := in.DeepCopy(); c != nil {
+ return c
+ }
+ return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OIDCClientList) DeepCopyInto(out *OIDCClientList) {
+ *out = *in
+ out.TypeMeta = in.TypeMeta
+ in.ListMeta.DeepCopyInto(&out.ListMeta)
+ if in.Items != nil {
+ in, out := &in.Items, &out.Items
+ *out = make([]OIDCClient, len(*in))
+ for i := range *in {
+ (*in)[i].DeepCopyInto(&(*out)[i])
+ }
+ }
+ return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientList.
+func (in *OIDCClientList) DeepCopy() *OIDCClientList {
+ if in == nil {
+ return nil
+ }
+ out := new(OIDCClientList)
+ in.DeepCopyInto(out)
+ return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *OIDCClientList) DeepCopyObject() runtime.Object {
+ if c := in.DeepCopy(); c != nil {
+ return c
+ }
+ return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OIDCClientSpec) DeepCopyInto(out *OIDCClientSpec) {
+ *out = *in
+ if in.AllowedRedirectURIs != nil {
+ in, out := &in.AllowedRedirectURIs, &out.AllowedRedirectURIs
+ *out = make([]string, len(*in))
+ copy(*out, *in)
+ }
+ if in.AllowedGrantTypes != nil {
+ in, out := &in.AllowedGrantTypes, &out.AllowedGrantTypes
+ *out = make([]string, len(*in))
+ copy(*out, *in)
+ }
+ if in.AllowedScopes != nil {
+ in, out := &in.AllowedScopes, &out.AllowedScopes
+ *out = make([]string, len(*in))
+ copy(*out, *in)
+ }
+ return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSpec.
+func (in *OIDCClientSpec) DeepCopy() *OIDCClientSpec {
+ if in == nil {
+ return nil
+ }
+ out := new(OIDCClientSpec)
+ in.DeepCopyInto(out)
+ return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OIDCClientStatus) DeepCopyInto(out *OIDCClientStatus) {
+ *out = *in
+ return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientStatus.
+func (in *OIDCClientStatus) DeepCopy() *OIDCClientStatus {
+ if in == nil {
+ return nil
+ }
+ out := new(OIDCClientStatus)
+ in.DeepCopyInto(out)
+ return out
+}
diff --git a/generated/latest/client/supervisor/clientset/versioned/clientset.go b/generated/latest/client/supervisor/clientset/versioned/clientset.go
index 7e617419..04429897 100644
--- a/generated/latest/client/supervisor/clientset/versioned/clientset.go
+++ b/generated/latest/client/supervisor/clientset/versioned/clientset.go
@@ -11,6 +11,7 @@ import (
 configv1alpha1 "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned/typed/config/v1alpha1"
 idpv1alpha1 "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned/typed/idp/v1alpha1"
+ oauthv1alpha1 "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned/typed/oauth/v1alpha1"
 discovery "k8s.io/client-go/discovery"
 rest "k8s.io/client-go/rest"
 flowcontrol "k8s.io/client-go/util/flowcontrol"
@@ -20,6 +21,7 @@ type Interface interface {
 Discovery() discovery.DiscoveryInterface
 ConfigV1alpha1() configv1alpha1.ConfigV1alpha1Interface
 IDPV1alpha1() idpv1alpha1.IDPV1alpha1Interface
+ OauthV1alpha1() oauthv1alpha1.OauthV1alpha1Interface
 }
 // Clientset contains the clients for groups. Each group has exactly one
@@ -28,6 +30,7 @@ type Clientset struct {
 *discovery.DiscoveryClient
 configV1alpha1 *configv1alpha1.ConfigV1alpha1Client
 iDPV1alpha1 *idpv1alpha1.IDPV1alpha1Client
+ oauthV1alpha1 *oauthv1alpha1.OauthV1alpha1Client
 }
 // ConfigV1alpha1 retrieves the ConfigV1alpha1Client
@@ -40,6 +43,11 @@ func (c *Clientset) IDPV1alpha1() idpv1alpha1.IDPV1alpha1Interface {
 return c.iDPV1alpha1
 }
+// OauthV1alpha1 retrieves the OauthV1alpha1Client
+func (c *Clientset) OauthV1alpha1() oauthv1alpha1.OauthV1alpha1Interface {
+ return c.oauthV1alpha1
+}
+
 // Discovery retrieves the DiscoveryClient
 func (c *Clientset) Discovery() discovery.DiscoveryInterface {
 if c == nil {
@@ -88,6 +96,10 @@ func NewForConfigAndClient(c *rest.Config, httpClient *http.Client) (*Clientset,
 if err != nil {
 return nil, err
 }
+ cs.oauthV1alpha1, err = oauthv1alpha1.NewForConfigAndClient(&configShallowCopy, httpClient)
+ if err != nil {
+ return nil, err
+ }
 cs.DiscoveryClient, err = discovery.NewDiscoveryClientForConfigAndClient(&configShallowCopy, httpClient)
 if err != nil {
@@ -111,6 +123,7 @@ func New(c rest.Interface) *Clientset {
 var cs Clientset
 cs.configV1alpha1 = configv1alpha1.New(c)
 cs.iDPV1alpha1 = idpv1alpha1.New(c)
+ cs.oauthV1alpha1 = oauthv1alpha1.New(c)
 cs.DiscoveryClient = discovery.NewDiscoveryClient(c)
 return &cs
diff --git a/generated/latest/client/supervisor/clientset/versioned/fake/clientset_generated.go b/generated/latest/client/supervisor/clientset/versioned/fake/clientset_generated.go
index 783ec35f..6b73fc47 100644
--- a/generated/latest/client/supervisor/clientset/versioned/fake/clientset_generated.go
+++ b/generated/latest/client/supervisor/clientset/versioned/fake/clientset_generated.go
@@ -11,6 +11,8 @@ import (
 fakeconfigv1alpha1 "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake"
 idpv1alpha1 "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned/typed/idp/v1alpha1"
 fakeidpv1alpha1 "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake"
+ oauthv1alpha1 "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned/typed/oauth/v1alpha1"
+ fakeoauthv1alpha1 "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake"
 "k8s.io/apimachinery/pkg/runtime"
 "k8s.io/apimachinery/pkg/watch"
 "k8s.io/client-go/discovery"
@@ -77,3 +79,8 @@ func (c *Clientset) ConfigV1alpha1() configv1alpha1.ConfigV1alpha1Interface {
 func (c *Clientset) IDPV1alpha1() idpv1alpha1.IDPV1alpha1Interface {
 return &fakeidpv1alpha1.FakeIDPV1alpha1{Fake: &c.Fake}
 }
+
+// OauthV1alpha1 retrieves the OauthV1alpha1Client
+func (c *Clientset) OauthV1alpha1() oauthv1alpha1.OauthV1alpha1Interface {
+ return &fakeoauthv1alpha1.FakeOauthV1alpha1{Fake: &c.Fake}
+}
diff --git a/generated/latest/client/supervisor/clientset/versioned/fake/register.go b/generated/latest/client/supervisor/clientset/versioned/fake/register.go
index 4d84f079..db9bb1a4 100644
--- a/generated/latest/client/supervisor/clientset/versioned/fake/register.go
+++ b/generated/latest/client/supervisor/clientset/versioned/fake/register.go
@@ -8,6 +8,7 @@ package fake
 import (
 configv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/config/v1alpha1"
 idpv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/idp/v1alpha1"
+ oauthv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/oauth/v1alpha1"
 v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 runtime "k8s.io/apimachinery/pkg/runtime"
 schema "k8s.io/apimachinery/pkg/runtime/schema"
@@ -21,6 +22,7 @@ var codecs = serializer.NewCodecFactory(scheme)
 var localSchemeBuilder = runtime.SchemeBuilder{
 configv1alpha1.AddToScheme,
 idpv1alpha1.AddToScheme,
+ oauthv1alpha1.AddToScheme,
 }
 // AddToScheme adds all types of this clientset into the given scheme. This allows composition
diff --git a/generated/latest/client/supervisor/clientset/versioned/scheme/register.go b/generated/latest/client/supervisor/clientset/versioned/scheme/register.go
index 7b874df0..9456d619 100644
--- a/generated/latest/client/supervisor/clientset/versioned/scheme/register.go
+++ b/generated/latest/client/supervisor/clientset/versioned/scheme/register.go
@@ -8,6 +8,7 @@ package scheme
 import (
 configv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/config/v1alpha1"
 idpv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/idp/v1alpha1"
+ oauthv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/oauth/v1alpha1"
 v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 runtime "k8s.io/apimachinery/pkg/runtime"
 schema "k8s.io/apimachinery/pkg/runtime/schema"
@@ -21,6 +22,7 @@ var ParameterCodec = runtime.NewParameterCodec(Scheme)
 var localSchemeBuilder = runtime.SchemeBuilder{
 configv1alpha1.AddToScheme,
 idpv1alpha1.AddToScheme,
+ oauthv1alpha1.AddToScheme,
 }
 // AddToScheme adds all types of this clientset into the given scheme. This allows composition
diff --git a/generated/latest/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/doc.go b/generated/latest/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/doc.go
new file mode 100644
index 00000000..e7a470b6
--- /dev/null
+++ b/generated/latest/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/doc.go
@@ -0,0 +1,7 @@
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by client-gen. DO NOT EDIT.
+
+// This package has the automatically generated typed clients.
+package v1alpha1
diff --git a/generated/latest/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go b/generated/latest/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go
new file mode 100644
index 00000000..7906901b
--- /dev/null
+++ b/generated/latest/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go
@@ -0,0 +1,7 @@
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by client-gen. DO NOT EDIT.
+
+// Package fake has the automatically generated clients.
+package fake
diff --git a/generated/latest/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go b/generated/latest/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go
new file mode 100644
index 00000000..abcc6a0c
--- /dev/null
+++ b/generated/latest/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go
@@ -0,0 +1,27 @@
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by client-gen. DO NOT EDIT.
+
+package fake
+
+import (
+ v1alpha1 "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned/typed/oauth/v1alpha1"
+ rest "k8s.io/client-go/rest"
+ testing "k8s.io/client-go/testing"
+)
+
+type FakeOauthV1alpha1 struct {
+ *testing.Fake
+}
+
+func (c *FakeOauthV1alpha1) OIDCClients(namespace string) v1alpha1.OIDCClientInterface {
+ return &FakeOIDCClients{c, namespace}
+}
+
+// RESTClient returns a RESTClient that is used to communicate
+// with API server by this client implementation.
+func (c *FakeOauthV1alpha1) RESTClient() rest.Interface {
+ var ret *rest.RESTClient
+ return ret
+}
diff --git a/generated/latest/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oidcclient.go b/generated/latest/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oidcclient.go
new file mode 100644
index 00000000..89568d1a
--- /dev/null
+++ b/generated/latest/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oidcclient.go
@@ -0,0 +1,129 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package fake + +import ( + "context" + + v1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/oauth/v1alpha1" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + labels "k8s.io/apimachinery/pkg/labels" + schema "k8s.io/apimachinery/pkg/runtime/schema" + types "k8s.io/apimachinery/pkg/types" + watch "k8s.io/apimachinery/pkg/watch" + testing "k8s.io/client-go/testing" +) + +// FakeOIDCClients implements OIDCClientInterface +type FakeOIDCClients struct { + Fake *FakeOauthV1alpha1 + ns string +} + +var oidcclientsResource = schema.GroupVersionResource{Group: "oauth.supervisor.pinniped.dev", Version: "v1alpha1", Resource: "oidcclients"} + +var oidcclientsKind = schema.GroupVersionKind{Group: "oauth.supervisor.pinniped.dev", Version: "v1alpha1", Kind: "OIDCClient"} + +// Get takes name of the oIDCClient, and returns the corresponding oIDCClient object, and an error if there is any. +func (c *FakeOIDCClients) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.OIDCClient, err error) { + obj, err := c.Fake. + Invokes(testing.NewGetAction(oidcclientsResource, c.ns, name), &v1alpha1.OIDCClient{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.OIDCClient), err +} + +// List takes label and field selectors, and returns the list of OIDCClients that match those selectors. +func (c *FakeOIDCClients) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.OIDCClientList, err error) { + obj, err := c.Fake. 
+ Invokes(testing.NewListAction(oidcclientsResource, oidcclientsKind, c.ns, opts), &v1alpha1.OIDCClientList{}) + + if obj == nil { + return nil, err + } + + label, _, _ := testing.ExtractFromListOptions(opts) + if label == nil { + label = labels.Everything() + } + list := &v1alpha1.OIDCClientList{ListMeta: obj.(*v1alpha1.OIDCClientList).ListMeta} + for _, item := range obj.(*v1alpha1.OIDCClientList).Items { + if label.Matches(labels.Set(item.Labels)) { + list.Items = append(list.Items, item) + } + } + return list, err +} + +// Watch returns a watch.Interface that watches the requested oIDCClients. +func (c *FakeOIDCClients) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) { + return c.Fake. + InvokesWatch(testing.NewWatchAction(oidcclientsResource, c.ns, opts)) + +} + +// Create takes the representation of a oIDCClient and creates it. Returns the server's representation of the oIDCClient, and an error, if there is any. +func (c *FakeOIDCClients) Create(ctx context.Context, oIDCClient *v1alpha1.OIDCClient, opts v1.CreateOptions) (result *v1alpha1.OIDCClient, err error) { + obj, err := c.Fake. + Invokes(testing.NewCreateAction(oidcclientsResource, c.ns, oIDCClient), &v1alpha1.OIDCClient{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.OIDCClient), err +} + +// Update takes the representation of a oIDCClient and updates it. Returns the server's representation of the oIDCClient, and an error, if there is any. +func (c *FakeOIDCClients) Update(ctx context.Context, oIDCClient *v1alpha1.OIDCClient, opts v1.UpdateOptions) (result *v1alpha1.OIDCClient, err error) { + obj, err := c.Fake. + Invokes(testing.NewUpdateAction(oidcclientsResource, c.ns, oIDCClient), &v1alpha1.OIDCClient{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.OIDCClient), err +} + +// UpdateStatus was generated because the type contains a Status member. +// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus(). 
+func (c *FakeOIDCClients) UpdateStatus(ctx context.Context, oIDCClient *v1alpha1.OIDCClient, opts v1.UpdateOptions) (*v1alpha1.OIDCClient, error) { + obj, err := c.Fake. + Invokes(testing.NewUpdateSubresourceAction(oidcclientsResource, "status", c.ns, oIDCClient), &v1alpha1.OIDCClient{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.OIDCClient), err +} + +// Delete takes name of the oIDCClient and deletes it. Returns an error if one occurs. +func (c *FakeOIDCClients) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error { + _, err := c.Fake. + Invokes(testing.NewDeleteActionWithOptions(oidcclientsResource, c.ns, name, opts), &v1alpha1.OIDCClient{}) + + return err +} + +// DeleteCollection deletes a collection of objects. +func (c *FakeOIDCClients) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error { + action := testing.NewDeleteCollectionAction(oidcclientsResource, c.ns, listOpts) + + _, err := c.Fake.Invokes(action, &v1alpha1.OIDCClientList{}) + return err +} + +// Patch applies the patch and returns the patched oIDCClient. +func (c *FakeOIDCClients) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.OIDCClient, err error) { + obj, err := c.Fake. + Invokes(testing.NewPatchSubresourceAction(oidcclientsResource, c.ns, name, pt, data, subresources...), &v1alpha1.OIDCClient{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.OIDCClient), err +} diff --git a/generated/latest/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go b/generated/latest/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go new file mode 100644 index 00000000..87d22ea9 --- /dev/null +++ b/generated/latest/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go 
@@ -0,0 +1,8 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package v1alpha1 + +type OIDCClientExpansion interface{} diff --git a/generated/latest/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go b/generated/latest/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go new file mode 100644 index 00000000..80077607 --- /dev/null +++ b/generated/latest/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go 
@@ -0,0 +1,94 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + "net/http" + + v1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/oauth/v1alpha1" + "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned/scheme" + rest "k8s.io/client-go/rest" +) + +type OauthV1alpha1Interface interface { + RESTClient() rest.Interface + OIDCClientsGetter +} + +// OauthV1alpha1Client is used to interact with features provided by the oauth.supervisor.pinniped.dev group. +type OauthV1alpha1Client struct { + restClient rest.Interface +} + +func (c *OauthV1alpha1Client) OIDCClients(namespace string) OIDCClientInterface { + return newOIDCClients(c, namespace) +} + +// NewForConfig creates a new OauthV1alpha1Client for the given config. +// NewForConfig is equivalent to NewForConfigAndClient(c, httpClient), +// where httpClient was generated with rest.HTTPClientFor(c). +func NewForConfig(c *rest.Config) (*OauthV1alpha1Client, error) { + config := *c + if err := setConfigDefaults(&config); err != nil { + return nil, err + } + httpClient, err := rest.HTTPClientFor(&config) + if err != nil { + return nil, err + } + return NewForConfigAndClient(&config, httpClient) +} + +// NewForConfigAndClient creates a new OauthV1alpha1Client for the given config and http client. +// Note the http client provided takes precedence over the configured transport values. +func NewForConfigAndClient(c *rest.Config, h *http.Client) (*OauthV1alpha1Client, error) { + config := *c + if err := setConfigDefaults(&config); err != nil { + return nil, err + } + client, err := rest.RESTClientForConfigAndClient(&config, h) + if err != nil { + return nil, err + } + return &OauthV1alpha1Client{client}, nil +} + +// NewForConfigOrDie creates a new OauthV1alpha1Client for the given config and +// panics if there is an error in the config. 
+func NewForConfigOrDie(c *rest.Config) *OauthV1alpha1Client { + client, err := NewForConfig(c) + if err != nil { + panic(err) + } + return client +} + +// New creates a new OauthV1alpha1Client for the given RESTClient. +func New(c rest.Interface) *OauthV1alpha1Client { + return &OauthV1alpha1Client{c} +} + +func setConfigDefaults(config *rest.Config) error { + gv := v1alpha1.SchemeGroupVersion + config.GroupVersion = &gv + config.APIPath = "/apis" + config.NegotiatedSerializer = scheme.Codecs.WithoutConversion() + + if config.UserAgent == "" { + config.UserAgent = rest.DefaultKubernetesUserAgent() + } + + return nil +} + +// RESTClient returns a RESTClient that is used to communicate +// with API server by this client implementation. +func (c *OauthV1alpha1Client) RESTClient() rest.Interface { + if c == nil { + return nil + } + return c.restClient +} diff --git a/generated/latest/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oidcclient.go b/generated/latest/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oidcclient.go new file mode 100644 index 00000000..888c2a7e --- /dev/null +++ b/generated/latest/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oidcclient.go 
@@ -0,0 +1,182 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + "context" + "time" + + v1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/oauth/v1alpha1" + scheme "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned/scheme" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + types "k8s.io/apimachinery/pkg/types" + watch "k8s.io/apimachinery/pkg/watch" + rest "k8s.io/client-go/rest" +) + +// OIDCClientsGetter has a method to return a OIDCClientInterface. +// A group's client should implement this interface. +type OIDCClientsGetter interface { + OIDCClients(namespace string) OIDCClientInterface +} + +// OIDCClientInterface has methods to work with OIDCClient resources. +type OIDCClientInterface interface { + Create(ctx context.Context, oIDCClient *v1alpha1.OIDCClient, opts v1.CreateOptions) (*v1alpha1.OIDCClient, error) + Update(ctx context.Context, oIDCClient *v1alpha1.OIDCClient, opts v1.UpdateOptions) (*v1alpha1.OIDCClient, error) + UpdateStatus(ctx context.Context, oIDCClient *v1alpha1.OIDCClient, opts v1.UpdateOptions) (*v1alpha1.OIDCClient, error) + Delete(ctx context.Context, name string, opts v1.DeleteOptions) error + DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error + Get(ctx context.Context, name string, opts v1.GetOptions) (*v1alpha1.OIDCClient, error) + List(ctx context.Context, opts v1.ListOptions) (*v1alpha1.OIDCClientList, error) + Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) + Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.OIDCClient, err error) + OIDCClientExpansion +} + +// oIDCClients implements OIDCClientInterface +type oIDCClients struct { + client rest.Interface + ns string +} + +// newOIDCClients returns a OIDCClients 
+func newOIDCClients(c *OauthV1alpha1Client, namespace string) *oIDCClients { + return &oIDCClients{ + client: c.RESTClient(), + ns: namespace, + } +} + +// Get takes name of the oIDCClient, and returns the corresponding oIDCClient object, and an error if there is any. +func (c *oIDCClients) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.OIDCClient, err error) { + result = &v1alpha1.OIDCClient{} + err = c.client.Get(). + Namespace(c.ns). + Resource("oidcclients"). + Name(name). + VersionedParams(&options, scheme.ParameterCodec). + Do(ctx). + Into(result) + return +} + +// List takes label and field selectors, and returns the list of OIDCClients that match those selectors. +func (c *oIDCClients) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.OIDCClientList, err error) { + var timeout time.Duration + if opts.TimeoutSeconds != nil { + timeout = time.Duration(*opts.TimeoutSeconds) * time.Second + } + result = &v1alpha1.OIDCClientList{} + err = c.client.Get(). + Namespace(c.ns). + Resource("oidcclients"). + VersionedParams(&opts, scheme.ParameterCodec). + Timeout(timeout). + Do(ctx). + Into(result) + return +} + +// Watch returns a watch.Interface that watches the requested oIDCClients. +func (c *oIDCClients) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) { + var timeout time.Duration + if opts.TimeoutSeconds != nil { + timeout = time.Duration(*opts.TimeoutSeconds) * time.Second + } + opts.Watch = true + return c.client.Get(). + Namespace(c.ns). + Resource("oidcclients"). + VersionedParams(&opts, scheme.ParameterCodec). + Timeout(timeout). + Watch(ctx) +} + +// Create takes the representation of a oIDCClient and creates it. Returns the server's representation of the oIDCClient, and an error, if there is any. 
+func (c *oIDCClients) Create(ctx context.Context, oIDCClient *v1alpha1.OIDCClient, opts v1.CreateOptions) (result *v1alpha1.OIDCClient, err error) { + result = &v1alpha1.OIDCClient{} + err = c.client.Post(). + Namespace(c.ns). + Resource("oidcclients"). + VersionedParams(&opts, scheme.ParameterCodec). + Body(oIDCClient). + Do(ctx). + Into(result) + return +} + +// Update takes the representation of a oIDCClient and updates it. Returns the server's representation of the oIDCClient, and an error, if there is any. +func (c *oIDCClients) Update(ctx context.Context, oIDCClient *v1alpha1.OIDCClient, opts v1.UpdateOptions) (result *v1alpha1.OIDCClient, err error) { + result = &v1alpha1.OIDCClient{} + err = c.client.Put(). + Namespace(c.ns). + Resource("oidcclients"). + Name(oIDCClient.Name). + VersionedParams(&opts, scheme.ParameterCodec). + Body(oIDCClient). + Do(ctx). + Into(result) + return +} + +// UpdateStatus was generated because the type contains a Status member. +// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus(). +func (c *oIDCClients) UpdateStatus(ctx context.Context, oIDCClient *v1alpha1.OIDCClient, opts v1.UpdateOptions) (result *v1alpha1.OIDCClient, err error) { + result = &v1alpha1.OIDCClient{} + err = c.client.Put(). + Namespace(c.ns). + Resource("oidcclients"). + Name(oIDCClient.Name). + SubResource("status"). + VersionedParams(&opts, scheme.ParameterCodec). + Body(oIDCClient). + Do(ctx). + Into(result) + return +} + +// Delete takes name of the oIDCClient and deletes it. Returns an error if one occurs. +func (c *oIDCClients) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error { + return c.client.Delete(). + Namespace(c.ns). + Resource("oidcclients"). + Name(name). + Body(&opts). + Do(ctx). + Error() +} + +// DeleteCollection deletes a collection of objects. 
+func (c *oIDCClients) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error { + var timeout time.Duration + if listOpts.TimeoutSeconds != nil { + timeout = time.Duration(*listOpts.TimeoutSeconds) * time.Second + } + return c.client.Delete(). + Namespace(c.ns). + Resource("oidcclients"). + VersionedParams(&listOpts, scheme.ParameterCodec). + Timeout(timeout). + Body(&opts). + Do(ctx). + Error() +} + +// Patch applies the patch and returns the patched oIDCClient. +func (c *oIDCClients) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.OIDCClient, err error) { + result = &v1alpha1.OIDCClient{} + err = c.client.Patch(pt). + Namespace(c.ns). + Resource("oidcclients"). + Name(name). + SubResource(subresources...). + VersionedParams(&opts, scheme.ParameterCodec). + Body(data). + Do(ctx). + Into(result) + return +} diff --git a/generated/latest/client/supervisor/informers/externalversions/factory.go b/generated/latest/client/supervisor/informers/externalversions/factory.go index 252195d3..d3c714e7 100644 --- a/generated/latest/client/supervisor/informers/externalversions/factory.go +++ b/generated/latest/client/supervisor/informers/externalversions/factory.go @@ -14,6 +14,7 @@ import ( config "go.pinniped.dev/generated/latest/client/supervisor/informers/externalversions/config" idp "go.pinniped.dev/generated/latest/client/supervisor/informers/externalversions/idp" internalinterfaces "go.pinniped.dev/generated/latest/client/supervisor/informers/externalversions/internalinterfaces" + oauth "go.pinniped.dev/generated/latest/client/supervisor/informers/externalversions/oauth" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" runtime "k8s.io/apimachinery/pkg/runtime" schema "k8s.io/apimachinery/pkg/runtime/schema" 
@@ -162,6 +163,7 @@ type SharedInformerFactory interface { Config() config.Interface IDP() idp.Interface + Oauth() oauth.Interface } func (f *sharedInformerFactory) Config() config.Interface { @@ -171,3 +173,7 @@ func (f *sharedInformerFactory) Config() config.Interface { func (f *sharedInformerFactory) IDP() idp.Interface { return idp.New(f, f.namespace, f.tweakListOptions) } + +func (f *sharedInformerFactory) Oauth() oauth.Interface { + return oauth.New(f, f.namespace, f.tweakListOptions) +} diff --git a/generated/latest/client/supervisor/informers/externalversions/generic.go b/generated/latest/client/supervisor/informers/externalversions/generic.go index f36794e6..ba708933 100644 --- a/generated/latest/client/supervisor/informers/externalversions/generic.go +++ b/generated/latest/client/supervisor/informers/externalversions/generic.go @@ -10,6 +10,7 @@ import ( v1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/config/v1alpha1" idpv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/idp/v1alpha1" + oauthv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/oauth/v1alpha1" schema "k8s.io/apimachinery/pkg/runtime/schema" cache "k8s.io/client-go/tools/cache" ) @@ -52,6 +53,10 @@ func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource case idpv1alpha1.SchemeGroupVersion.WithResource("oidcidentityproviders"): return &genericInformer{resource: resource.GroupResource(), informer: f.IDP().V1alpha1().OIDCIdentityProviders().Informer()}, nil + // Group=oauth.supervisor.pinniped.dev, Version=v1alpha1 + case oauthv1alpha1.SchemeGroupVersion.WithResource("oidcclients"): + return &genericInformer{resource: resource.GroupResource(), informer: f.Oauth().V1alpha1().OIDCClients().Informer()}, nil + } return nil, fmt.Errorf("no informer found for %v", resource) 
diff --git a/generated/latest/client/supervisor/informers/externalversions/oauth/interface.go b/generated/latest/client/supervisor/informers/externalversions/oauth/interface.go new file mode 100644 index 00000000..b0c7105b --- /dev/null +++ b/generated/latest/client/supervisor/informers/externalversions/oauth/interface.go @@ -0,0 +1,33 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by informer-gen. DO NOT EDIT. + +package oauth + +import ( + internalinterfaces "go.pinniped.dev/generated/latest/client/supervisor/informers/externalversions/internalinterfaces" + v1alpha1 "go.pinniped.dev/generated/latest/client/supervisor/informers/externalversions/oauth/v1alpha1" +) + +// Interface provides access to each of this group's versions. +type Interface interface { + // V1alpha1 provides access to shared informers for resources in V1alpha1. + V1alpha1() v1alpha1.Interface +} + +type group struct { + factory internalinterfaces.SharedInformerFactory + namespace string + tweakListOptions internalinterfaces.TweakListOptionsFunc +} + +// New returns a new Interface. +func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakListOptions internalinterfaces.TweakListOptionsFunc) Interface { + return &group{factory: f, namespace: namespace, tweakListOptions: tweakListOptions} +} + +// V1alpha1 returns a new v1alpha1.Interface. +func (g *group) V1alpha1() v1alpha1.Interface { + return v1alpha1.New(g.factory, g.namespace, g.tweakListOptions) +} diff --git a/generated/latest/client/supervisor/informers/externalversions/oauth/v1alpha1/interface.go b/generated/latest/client/supervisor/informers/externalversions/oauth/v1alpha1/interface.go new file mode 100644 index 00000000..48e12497 --- /dev/null +++ b/generated/latest/client/supervisor/informers/externalversions/oauth/v1alpha1/interface.go 
@@ -0,0 +1,32 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by informer-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + internalinterfaces "go.pinniped.dev/generated/latest/client/supervisor/informers/externalversions/internalinterfaces" +) + +// Interface provides access to all the informers in this group version. +type Interface interface { + // OIDCClients returns a OIDCClientInformer. + OIDCClients() OIDCClientInformer +} + +type version struct { + factory internalinterfaces.SharedInformerFactory + namespace string + tweakListOptions internalinterfaces.TweakListOptionsFunc +} + +// New returns a new Interface. +func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakListOptions internalinterfaces.TweakListOptionsFunc) Interface { + return &version{factory: f, namespace: namespace, tweakListOptions: tweakListOptions} +} + +// OIDCClients returns a OIDCClientInformer. +func (v *version) OIDCClients() OIDCClientInformer { + return &oIDCClientInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions} +} diff --git a/generated/latest/client/supervisor/informers/externalversions/oauth/v1alpha1/oidcclient.go b/generated/latest/client/supervisor/informers/externalversions/oauth/v1alpha1/oidcclient.go new file mode 100644 index 00000000..d3eec3d2 --- /dev/null +++ b/generated/latest/client/supervisor/informers/externalversions/oauth/v1alpha1/oidcclient.go 
@@ -0,0 +1,77 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by informer-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + "context" + time "time" + + oauthv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/oauth/v1alpha1" + versioned "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned" + internalinterfaces "go.pinniped.dev/generated/latest/client/supervisor/informers/externalversions/internalinterfaces" + v1alpha1 "go.pinniped.dev/generated/latest/client/supervisor/listers/oauth/v1alpha1" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + runtime "k8s.io/apimachinery/pkg/runtime" + watch "k8s.io/apimachinery/pkg/watch" + cache "k8s.io/client-go/tools/cache" +) + +// OIDCClientInformer provides access to a shared informer and lister for +// OIDCClients. +type OIDCClientInformer interface { + Informer() cache.SharedIndexInformer + Lister() v1alpha1.OIDCClientLister +} + +type oIDCClientInformer struct { + factory internalinterfaces.SharedInformerFactory + tweakListOptions internalinterfaces.TweakListOptionsFunc + namespace string +} + +// NewOIDCClientInformer constructs a new informer for OIDCClient type. +// Always prefer using an informer factory to get a shared informer instead of getting an independent +// one. This reduces memory footprint and number of connections to the server. +func NewOIDCClientInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer { + return NewFilteredOIDCClientInformer(client, namespace, resyncPeriod, indexers, nil) +} + +// NewFilteredOIDCClientInformer constructs a new informer for OIDCClient type. +// Always prefer using an informer factory to get a shared informer instead of getting an independent +// one. This reduces memory footprint and number of connections to the server. 
+func NewFilteredOIDCClientInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer { + return cache.NewSharedIndexInformer( + &cache.ListWatch{ + ListFunc: func(options v1.ListOptions) (runtime.Object, error) { + if tweakListOptions != nil { + tweakListOptions(&options) + } + return client.OauthV1alpha1().OIDCClients(namespace).List(context.TODO(), options) + }, + WatchFunc: func(options v1.ListOptions) (watch.Interface, error) { + if tweakListOptions != nil { + tweakListOptions(&options) + } + return client.OauthV1alpha1().OIDCClients(namespace).Watch(context.TODO(), options) + }, + }, + &oauthv1alpha1.OIDCClient{}, + resyncPeriod, + indexers, + ) +} + +func (f *oIDCClientInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer { + return NewFilteredOIDCClientInformer(client, f.namespace, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions) +} + +func (f *oIDCClientInformer) Informer() cache.SharedIndexInformer { + return f.factory.InformerFor(&oauthv1alpha1.OIDCClient{}, f.defaultInformer) +} + +func (f *oIDCClientInformer) Lister() v1alpha1.OIDCClientLister { + return v1alpha1.NewOIDCClientLister(f.Informer().GetIndexer()) +} diff --git a/generated/latest/client/supervisor/listers/oauth/v1alpha1/expansion_generated.go b/generated/latest/client/supervisor/listers/oauth/v1alpha1/expansion_generated.go new file mode 100644 index 00000000..c19310da --- /dev/null +++ b/generated/latest/client/supervisor/listers/oauth/v1alpha1/expansion_generated.go 
@@ -0,0 +1,14 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by lister-gen. DO NOT EDIT. + +package v1alpha1 + +// OIDCClientListerExpansion allows custom methods to be added to +// OIDCClientLister. +type OIDCClientListerExpansion interface{} + +// OIDCClientNamespaceListerExpansion allows custom methods to be added to +// OIDCClientNamespaceLister. +type OIDCClientNamespaceListerExpansion interface{} diff --git a/generated/latest/client/supervisor/listers/oauth/v1alpha1/oidcclient.go b/generated/latest/client/supervisor/listers/oauth/v1alpha1/oidcclient.go new file mode 100644 index 00000000..189936b6 --- /dev/null +++ b/generated/latest/client/supervisor/listers/oauth/v1alpha1/oidcclient.go 
@@ -0,0 +1,86 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by lister-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + v1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/oauth/v1alpha1" + "k8s.io/apimachinery/pkg/api/errors" + "k8s.io/apimachinery/pkg/labels" + "k8s.io/client-go/tools/cache" +) + +// OIDCClientLister helps list OIDCClients. +// All objects returned here must be treated as read-only. +type OIDCClientLister interface { + // List lists all OIDCClients in the indexer. + // Objects returned here must be treated as read-only. + List(selector labels.Selector) (ret []*v1alpha1.OIDCClient, err error) + // OIDCClients returns an object that can list and get OIDCClients. + OIDCClients(namespace string) OIDCClientNamespaceLister + OIDCClientListerExpansion +} + +// oIDCClientLister implements the OIDCClientLister interface. +type oIDCClientLister struct { + indexer cache.Indexer +} + +// NewOIDCClientLister returns a new OIDCClientLister. +func NewOIDCClientLister(indexer cache.Indexer) OIDCClientLister { + return &oIDCClientLister{indexer: indexer} +} + +// List lists all OIDCClients in the indexer. +func (s *oIDCClientLister) List(selector labels.Selector) (ret []*v1alpha1.OIDCClient, err error) { + err = cache.ListAll(s.indexer, selector, func(m interface{}) { + ret = append(ret, m.(*v1alpha1.OIDCClient)) + }) + return ret, err +} + +// OIDCClients returns an object that can list and get OIDCClients. +func (s *oIDCClientLister) OIDCClients(namespace string) OIDCClientNamespaceLister { + return oIDCClientNamespaceLister{indexer: s.indexer, namespace: namespace} +} + +// OIDCClientNamespaceLister helps list and get OIDCClients. +// All objects returned here must be treated as read-only. +type OIDCClientNamespaceLister interface { + // List lists all OIDCClients in the indexer for a given namespace. + // Objects returned here must be treated as read-only. 
+ List(selector labels.Selector) (ret []*v1alpha1.OIDCClient, err error) + // Get retrieves the OIDCClient from the indexer for a given namespace and name. + // Objects returned here must be treated as read-only. + Get(name string) (*v1alpha1.OIDCClient, error) + OIDCClientNamespaceListerExpansion +} + +// oIDCClientNamespaceLister implements the OIDCClientNamespaceLister +// interface. +type oIDCClientNamespaceLister struct { + indexer cache.Indexer + namespace string +} + +// List lists all OIDCClients in the indexer for a given namespace. +func (s oIDCClientNamespaceLister) List(selector labels.Selector) (ret []*v1alpha1.OIDCClient, err error) { + err = cache.ListAllByNamespace(s.indexer, s.namespace, selector, func(m interface{}) { + ret = append(ret, m.(*v1alpha1.OIDCClient)) + }) + return ret, err +} + +// Get retrieves the OIDCClient from the indexer for a given namespace and name. +func (s oIDCClientNamespaceLister) Get(name string) (*v1alpha1.OIDCClient, error) { + obj, exists, err := s.indexer.GetByKey(s.namespace + "/" + name) + if err != nil { + return nil, err + } + if !exists { + return nil, errors.NewNotFound(v1alpha1.Resource("oidcclient"), name) + } + return obj.(*v1alpha1.OIDCClient), nil +} diff --git a/hack/lib/update-codegen.sh b/hack/lib/update-codegen.sh index c1480011..a31a38d7 100755 --- a/hack/lib/update-codegen.sh +++ b/hack/lib/update-codegen.sh 
@@ -123,7 +123,7 @@ echo "generating API-related code for our public API groups..."
 "deepcopy" \
 "${BASE_PKG}/generated/${KUBE_MINOR_VERSION}/apis" \
 "${BASE_PKG}/generated/${KUBE_MINOR_VERSION}/apis" \
- "supervisor/config:v1alpha1 supervisor/idp:v1alpha1 concierge/config:v1alpha1 concierge/authentication:v1alpha1 concierge/login:v1alpha1 concierge/identity:v1alpha1" \
+ "supervisor/config:v1alpha1 supervisor/idp:v1alpha1 supervisor/oauth:v1alpha1 concierge/config:v1alpha1 concierge/authentication:v1alpha1 concierge/login:v1alpha1 concierge/identity:v1alpha1" \
 --go-header-file "${ROOT}/hack/boilerplate.go.txt" -v "$debug_level" 2>&1 | sed "s|^|gen-api > |"
 )
@@ -159,7 +159,7 @@ echo "generating client code for our public API groups..."
 "client,lister,informer" \
 "${BASE_PKG}/generated/${KUBE_MINOR_VERSION}/client/supervisor" \
 "${BASE_PKG}/generated/${KUBE_MINOR_VERSION}/apis" \
- "supervisor/config:v1alpha1 supervisor/idp:v1alpha1" \
+ "supervisor/config:v1alpha1 supervisor/idp:v1alpha1 supervisor/oauth:v1alpha1" \
 --go-header-file "${ROOT}/hack/boilerplate.go.txt" -v "$debug_level" 2>&1 | sed "s|^|gen-client > |"
 )
@@ -180,6 +180,7 @@ crd-ref-docs \
 (cd apis &&
 controller-gen paths=./supervisor/config/v1alpha1 crd output:crd:artifacts:config=../crds &&
 controller-gen paths=./supervisor/idp/v1alpha1 crd output:crd:artifacts:config=../crds &&
+ controller-gen paths=./supervisor/oauth/v1alpha1 crd output:crd:artifacts:config=../crds &&
 controller-gen paths=./concierge/config/v1alpha1 crd output:crd:artifacts:config=../crds &&
 controller-gen paths=./concierge/authentication/v1alpha1 crd output:crd:artifacts:config=../crds
 )
From ca3da0bc90e073693c999e7a5c10f2d7ad00a3eb Mon Sep 17 00:00:00 2001
From: Margo Crawford
Date: Sat, 4 Jun 2022 21:04:40 -0700
Subject: [PATCH 03/61] Fix some disallowed kubebuilder annotations, fix kube api discovery test
Signed-off-by: Margo Crawford
---
.../oauth/v1alpha1/types_oidcclient.go.tmpl | 4 --
...h.supervisor.pinniped.dev_oidcclients.yaml | 6 ---
.../oauth/v1alpha1/types_oidcclient.go | 4 --
...h.supervisor.pinniped.dev_oidcclients.yaml | 6 ---
.../oauth/v1alpha1/types_oidcclient.go | 4 --
...h.supervisor.pinniped.dev_oidcclients.yaml | 6 ---
.../oauth/v1alpha1/types_oidcclient.go | 4 --
...h.supervisor.pinniped.dev_oidcclients.yaml | 6 ---
.../oauth/v1alpha1/types_oidcclient.go | 4 --
...h.supervisor.pinniped.dev_oidcclients.yaml | 6 ---
.../oauth/v1alpha1/types_oidcclient.go | 4 --
...h.supervisor.pinniped.dev_oidcclients.yaml | 6 ---
.../oauth/v1alpha1/types_oidcclient.go | 4 --
...h.supervisor.pinniped.dev_oidcclients.yaml | 6 ---
.../oauth/v1alpha1/types_oidcclient.go | 4 --
...h.supervisor.pinniped.dev_oidcclients.yaml | 6 ---
.../oauth/v1alpha1/types_oidcclient.go | 4 --
test/integration/kube_api_discovery_test.go | 43 ++++++++++++++++++-
18 files changed, 41 insertions(+), 86 deletions(-)
diff --git a/apis/supervisor/oauth/v1alpha1/types_oidcclient.go.tmpl b/apis/supervisor/oauth/v1alpha1/types_oidcclient.go.tmpl
index ee125443..abae5f2c 100644
--- a/apis/supervisor/oauth/v1alpha1/types_oidcclient.go.tmpl
+++ b/apis/supervisor/oauth/v1alpha1/types_oidcclient.go.tmpl
@@ -12,7 +12,6 @@ type OIDCClientSpec struct {
 // allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this
 // client. Any other uris will be rejected.
 // Must be https, unless it is a loopback.
- // +kubebuilder:validation:UniqueItems=true
 // +kubebuilder:validation:MinItems=1
 AllowedRedirectURIs []string `json:"allowedRedirectURIs"`
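Review bot: Dropping `+kubebuilder:validation:UniqueItems=true` on AllowedRedirectURIs removes the only API-server-side rejection of duplicate entries, and the comment directly above still promises that redirect URIs must be https or loopback, which no marker in this hunk enforces either. Since `uniqueItems` is not permitted in a structural CRD schema, `// +listType=set` is the marker that restores duplicate rejection for a scalar list; whether the https/loopback rule is validated anywhere else is not visible here, so the doc comment should state where it is enforced, e.g. `// The API server does not check the https/loopback rule; the Supervisor must validate it when it loads the client.` The same removal is made on AllowedGrantTypes and AllowedScopes in the next two hunks and is mirrored in deploy/supervisor/oauth.supervisor.pinniped.dev_oidcclients.yaml and the generated/1.17 copy of this file.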
@@ -27,7 +26,6 @@ type OIDCClientSpec struct {
 // - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange,
 // which is a step in the process to be able to get a cluster credential for the user.
 // This grant must be listed if allowedScopes lists pinniped:request-audience.
- // +kubebuilder:validation:UniqueItems=true
 // +kubebuilder:validation:MinItems=1
 AllowedGrantTypes []string `json:"allowedGrantTypes"`
@@ -47,7 +45,6 @@ type OIDCClientSpec struct {
 // - groups: The client is allowed to request that ID tokens contain the user's group membership,
 // if their group membership is discoverable by the Supervisor.
 // Without the groups scope being requested and allowed, the ID token will not contain groups.
- // +kubebuilder:validation:UniqueItems=true
 // +kubebuilder:validation:MinItems=1
 AllowedScopes []string `json:"allowedScopes"`
 }
@@ -60,7 +57,6 @@ type OIDCClientStatus struct {
 // +genclient
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 // +kubebuilder:resource:categories=pinniped
-// +kubebuilder:printcolumn:name="Privileged",type=boolean,JSONPath=`{range .spec.allowedScopes[?(@ == "pinniped:request-audience")]}{true}{end}{false}`
 // +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
 // +kubebuilder:subresource:status
 type OIDCClient struct {
diff --git a/deploy/supervisor/oauth.supervisor.pinniped.dev_oidcclients.yaml b/deploy/supervisor/oauth.supervisor.pinniped.dev_oidcclients.yaml
index 0b4ee157..e5b2d932 100644
--- a/deploy/supervisor/oauth.supervisor.pinniped.dev_oidcclients.yaml
+++ b/deploy/supervisor/oauth.supervisor.pinniped.dev_oidcclients.yaml
@@ -18,9 +18,6 @@ spec:
 scope: Namespaced versions: - additionalPrinterColumns: - - jsonPath: '{range .spec.allowedScopes[?(@ == "pinniped:request-audience")]}{true}{end}{false}' - name: Privileged - type: boolean - jsonPath: .metadata.creationTimestamp name: Age type: date
@@ -60,7 +57,6 @@ spec:
 type: string
 minItems: 1
 type: array
- uniqueItems: true
 allowedRedirectURIs:
 description: allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this
@@ -70,7 +66,6 @@ spec:
 type: string
 minItems: 1
 type: array
- uniqueItems: true
 allowedScopes:
 description: "allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client.
@@ -97,7 +92,6 @@ spec:
 type: string
 minItems: 1
 type: array
- uniqueItems: true
 required: - allowedGrantTypes - allowedRedirectURIs
diff --git a/generated/1.17/apis/supervisor/oauth/v1alpha1/types_oidcclient.go b/generated/1.17/apis/supervisor/oauth/v1alpha1/types_oidcclient.go
index ee125443..abae5f2c 100644
--- a/generated/1.17/apis/supervisor/oauth/v1alpha1/types_oidcclient.go
+++ b/generated/1.17/apis/supervisor/oauth/v1alpha1/types_oidcclient.go
@@ -12,7 +12,6 @@ type OIDCClientSpec struct {
 // allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this
 // client. Any other uris will be rejected.
 // Must be https, unless it is a loopback.
- // +kubebuilder:validation:UniqueItems=true
 // +kubebuilder:validation:MinItems=1
 AllowedRedirectURIs []string `json:"allowedRedirectURIs"`
@@ -27,7 +26,6 @@ type OIDCClientSpec struct {
 // - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange,
 // which is a step in the process to be able to get a cluster credential for the user.
 // This grant must be listed if allowedScopes lists pinniped:request-audience.
- // +kubebuilder:validation:UniqueItems=true
 // +kubebuilder:validation:MinItems=1
 AllowedGrantTypes []string `json:"allowedGrantTypes"`
@@ -47,7 +45,6 @@ type OIDCClientSpec struct {
 // - groups: The client is allowed to request that ID tokens contain the user's group membership,
 // if their group membership is discoverable by the Supervisor.
 // Without the groups scope being requested and allowed, the ID token will not contain groups.
- // +kubebuilder:validation:UniqueItems=true
 // +kubebuilder:validation:MinItems=1
 AllowedScopes []string `json:"allowedScopes"`
 }
@@ -60,7 +57,6 @@ type OIDCClientStatus struct {
 // +genclient
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 // +kubebuilder:resource:categories=pinniped
-// +kubebuilder:printcolumn:name="Privileged",type=boolean,JSONPath=`{range .spec.allowedScopes[?(@ == "pinniped:request-audience")]}{true}{end}{false}`
 // +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
 // +kubebuilder:subresource:status
 type OIDCClient struct {
diff --git a/generated/1.17/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml b/generated/1.17/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml
index 0b4ee157..e5b2d932 100644
--- a/generated/1.17/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml
+++ b/generated/1.17/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml
@@ -18,9 +18,6 @@ spec:
 scope: Namespaced versions: - additionalPrinterColumns: - - jsonPath: '{range .spec.allowedScopes[?(@ == "pinniped:request-audience")]}{true}{end}{false}' - name: Privileged - type: boolean - jsonPath: .metadata.creationTimestamp name: Age type: date
@@ -60,7 +57,6 @@ spec:
 type: string
 minItems: 1
 type: array
- uniqueItems: true
 allowedRedirectURIs:
 description: allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this
@@ -70,7 +66,6 @@ spec:
 type: string
 minItems: 1
 type: array
- uniqueItems: true
 allowedScopes:
 description: "allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client.
@@ -97,7 +92,6 @@ spec:
 type: string
 minItems: 1
 type: array
- uniqueItems: true
 required: - allowedGrantTypes - allowedRedirectURIs
diff --git a/generated/1.18/apis/supervisor/oauth/v1alpha1/types_oidcclient.go b/generated/1.18/apis/supervisor/oauth/v1alpha1/types_oidcclient.go
index ee125443..abae5f2c 100644
--- a/generated/1.18/apis/supervisor/oauth/v1alpha1/types_oidcclient.go
+++ b/generated/1.18/apis/supervisor/oauth/v1alpha1/types_oidcclient.go
@@ -12,7 +12,6 @@ type OIDCClientSpec struct {
 // allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this
 // client. Any other uris will be rejected.
 // Must be https, unless it is a loopback.
- // +kubebuilder:validation:UniqueItems=true
 // +kubebuilder:validation:MinItems=1
 AllowedRedirectURIs []string `json:"allowedRedirectURIs"`
@@ -27,7 +26,6 @@ type OIDCClientSpec struct {
 // - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange,
 // which is a step in the process to be able to get a cluster credential for the user.
 // This grant must be listed if allowedScopes lists pinniped:request-audience.
- // +kubebuilder:validation:UniqueItems=true
 // +kubebuilder:validation:MinItems=1
 AllowedGrantTypes []string `json:"allowedGrantTypes"`
@@ -47,7 +45,6 @@ type OIDCClientSpec struct {
 // - groups: The client is allowed to request that ID tokens contain the user's group membership,
 // if their group membership is discoverable by the Supervisor.
 // Without the groups scope being requested and allowed, the ID token will not contain groups.
- // +kubebuilder:validation:UniqueItems=true
 // +kubebuilder:validation:MinItems=1
 AllowedScopes []string `json:"allowedScopes"`
 }
@@ -60,7 +57,6 @@ type OIDCClientStatus struct {
 // +genclient
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 // +kubebuilder:resource:categories=pinniped
-// +kubebuilder:printcolumn:name="Privileged",type=boolean,JSONPath=`{range .spec.allowedScopes[?(@ == "pinniped:request-audience")]}{true}{end}{false}`
 // +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
 // +kubebuilder:subresource:status
 type OIDCClient struct {
diff --git a/generated/1.18/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml b/generated/1.18/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml
index 0b4ee157..e5b2d932 100644
--- a/generated/1.18/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml
+++ b/generated/1.18/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml
@@ -18,9 +18,6 @@ spec:
 scope: Namespaced versions: - additionalPrinterColumns: - - jsonPath: '{range .spec.allowedScopes[?(@ == "pinniped:request-audience")]}{true}{end}{false}' - name: Privileged - type: boolean - jsonPath: .metadata.creationTimestamp name: Age type: date
@@ -60,7 +57,6 @@ spec:
 type: string
 minItems: 1
 type: array
- uniqueItems: true
 allowedRedirectURIs:
 description: allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this
@@ -70,7 +66,6 @@ spec:
 type: string
 minItems: 1
 type: array
- uniqueItems: true
 allowedScopes:
 description: "allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client.
@@ -97,7 +92,6 @@ spec:
 type: string
 minItems: 1
 type: array
- uniqueItems: true
 required: - allowedGrantTypes - allowedRedirectURIs
diff --git a/generated/1.19/apis/supervisor/oauth/v1alpha1/types_oidcclient.go b/generated/1.19/apis/supervisor/oauth/v1alpha1/types_oidcclient.go
index ee125443..abae5f2c 100644
--- a/generated/1.19/apis/supervisor/oauth/v1alpha1/types_oidcclient.go
+++ b/generated/1.19/apis/supervisor/oauth/v1alpha1/types_oidcclient.go
@@ -12,7 +12,6 @@ type OIDCClientSpec struct {
 // allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this
 // client. Any other uris will be rejected.
 // Must be https, unless it is a loopback.
- // +kubebuilder:validation:UniqueItems=true
 // +kubebuilder:validation:MinItems=1
 AllowedRedirectURIs []string `json:"allowedRedirectURIs"`
@@ -27,7 +26,6 @@ type OIDCClientSpec struct {
 // - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange,
 // which is a step in the process to be able to get a cluster credential for the user.
 // This grant must be listed if allowedScopes lists pinniped:request-audience.
- // +kubebuilder:validation:UniqueItems=true
 // +kubebuilder:validation:MinItems=1
 AllowedGrantTypes []string `json:"allowedGrantTypes"`
@@ -47,7 +45,6 @@ type OIDCClientSpec struct {
 // - groups: The client is allowed to request that ID tokens contain the user's group membership,
 // if their group membership is discoverable by the Supervisor.
 // Without the groups scope being requested and allowed, the ID token will not contain groups.
- // +kubebuilder:validation:UniqueItems=true
 // +kubebuilder:validation:MinItems=1
 AllowedScopes []string `json:"allowedScopes"`
 }
@@ -60,7 +57,6 @@ type OIDCClientStatus struct {
 // +genclient
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 // +kubebuilder:resource:categories=pinniped
-// +kubebuilder:printcolumn:name="Privileged",type=boolean,JSONPath=`{range .spec.allowedScopes[?(@ == "pinniped:request-audience")]}{true}{end}{false}`
 // +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
 // +kubebuilder:subresource:status
 type OIDCClient struct {
diff --git a/generated/1.19/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml b/generated/1.19/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml
index 0b4ee157..e5b2d932 100644
--- a/generated/1.19/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml
+++ b/generated/1.19/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml
@@ -18,9 +18,6 @@ spec:
 scope: Namespaced versions: - additionalPrinterColumns: - - jsonPath: '{range .spec.allowedScopes[?(@ == "pinniped:request-audience")]}{true}{end}{false}' - name: Privileged - type: boolean - jsonPath: .metadata.creationTimestamp name: Age type: date
@@ -60,7 +57,6 @@ spec:
 type: string
 minItems: 1
 type: array
- uniqueItems: true
 allowedRedirectURIs:
 description: allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this
@@ -70,7 +66,6 @@ spec:
 type: string
 minItems: 1
 type: array
- uniqueItems: true
 allowedScopes:
 description: "allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client.
@@ -97,7 +92,6 @@ spec:
 type: string
 minItems: 1
 type: array
- uniqueItems: true
 required: - allowedGrantTypes - allowedRedirectURIs
diff --git a/generated/1.20/apis/supervisor/oauth/v1alpha1/types_oidcclient.go b/generated/1.20/apis/supervisor/oauth/v1alpha1/types_oidcclient.go
index ee125443..abae5f2c 100644
--- a/generated/1.20/apis/supervisor/oauth/v1alpha1/types_oidcclient.go
+++ b/generated/1.20/apis/supervisor/oauth/v1alpha1/types_oidcclient.go
@@ -12,7 +12,6 @@ type OIDCClientSpec struct {
 // allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this
 // client. Any other uris will be rejected.
 // Must be https, unless it is a loopback.
- // +kubebuilder:validation:UniqueItems=true
 // +kubebuilder:validation:MinItems=1
 AllowedRedirectURIs []string `json:"allowedRedirectURIs"`
@@ -27,7 +26,6 @@ type OIDCClientSpec struct {
 // - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange,
 // which is a step in the process to be able to get a cluster credential for the user.
 // This grant must be listed if allowedScopes lists pinniped:request-audience.
- // +kubebuilder:validation:UniqueItems=true
 // +kubebuilder:validation:MinItems=1
 AllowedGrantTypes []string `json:"allowedGrantTypes"`
@@ -47,7 +45,6 @@ type OIDCClientSpec struct {
 // - groups: The client is allowed to request that ID tokens contain the user's group membership,
 // if their group membership is discoverable by the Supervisor.
 // Without the groups scope being requested and allowed, the ID token will not contain groups.
- // +kubebuilder:validation:UniqueItems=true
 // +kubebuilder:validation:MinItems=1
 AllowedScopes []string `json:"allowedScopes"`
 }
@@ -60,7 +57,6 @@ type OIDCClientStatus struct {
 // +genclient
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 // +kubebuilder:resource:categories=pinniped
-// +kubebuilder:printcolumn:name="Privileged",type=boolean,JSONPath=`{range .spec.allowedScopes[?(@ == "pinniped:request-audience")]}{true}{end}{false}`
 // +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
 // +kubebuilder:subresource:status
 type OIDCClient struct {
diff --git a/generated/1.20/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml b/generated/1.20/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml
index 0b4ee157..e5b2d932 100644
--- a/generated/1.20/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml
+++ b/generated/1.20/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml
@@ -18,9 +18,6 @@ spec:
 scope: Namespaced versions: - additionalPrinterColumns: - - jsonPath: '{range .spec.allowedScopes[?(@ == "pinniped:request-audience")]}{true}{end}{false}' - name: Privileged - type: boolean - jsonPath: .metadata.creationTimestamp name: Age type: date
@@ -60,7 +57,6 @@ spec:
 type: string
 minItems: 1
 type: array
- uniqueItems: true
 allowedRedirectURIs:
 description: allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this
@@ -70,7 +66,6 @@ spec:
 type: string
 minItems: 1
 type: array
- uniqueItems: true
 allowedScopes:
 description: "allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client.
@@ -97,7 +92,6 @@ spec:
 type: string
 minItems: 1
 type: array
- uniqueItems: true
 required: - allowedGrantTypes - allowedRedirectURIs
diff --git a/generated/1.21/apis/supervisor/oauth/v1alpha1/types_oidcclient.go b/generated/1.21/apis/supervisor/oauth/v1alpha1/types_oidcclient.go
index ee125443..abae5f2c 100644
--- a/generated/1.21/apis/supervisor/oauth/v1alpha1/types_oidcclient.go
+++ b/generated/1.21/apis/supervisor/oauth/v1alpha1/types_oidcclient.go
@@ -12,7 +12,6 @@ type OIDCClientSpec struct {
 // allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this
 // client. Any other uris will be rejected.
 // Must be https, unless it is a loopback.
- // +kubebuilder:validation:UniqueItems=true
 // +kubebuilder:validation:MinItems=1
 AllowedRedirectURIs []string `json:"allowedRedirectURIs"`
@@ -27,7 +26,6 @@ type OIDCClientSpec struct {
 // - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange,
 // which is a step in the process to be able to get a cluster credential for the user.
 // This grant must be listed if allowedScopes lists pinniped:request-audience.
- // +kubebuilder:validation:UniqueItems=true
 // +kubebuilder:validation:MinItems=1
 AllowedGrantTypes []string `json:"allowedGrantTypes"`
@@ -47,7 +45,6 @@ type OIDCClientSpec struct {
 // - groups: The client is allowed to request that ID tokens contain the user's group membership,
 // if their group membership is discoverable by the Supervisor.
 // Without the groups scope being requested and allowed, the ID token will not contain groups.
- // +kubebuilder:validation:UniqueItems=true
 // +kubebuilder:validation:MinItems=1
 AllowedScopes []string `json:"allowedScopes"`
 }
@@ -60,7 +57,6 @@ type OIDCClientStatus struct {
 // +genclient
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 // +kubebuilder:resource:categories=pinniped
-// +kubebuilder:printcolumn:name="Privileged",type=boolean,JSONPath=`{range .spec.allowedScopes[?(@ == "pinniped:request-audience")]}{true}{end}{false}`
 // +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
 // +kubebuilder:subresource:status
 type OIDCClient struct {
diff --git a/generated/1.21/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml b/generated/1.21/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml
index 0b4ee157..e5b2d932 100644
--- a/generated/1.21/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml
+++ b/generated/1.21/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml
@@ -18,9 +18,6 @@ spec:
 scope: Namespaced versions: - additionalPrinterColumns: - - jsonPath: '{range .spec.allowedScopes[?(@ == "pinniped:request-audience")]}{true}{end}{false}' - name: Privileged - type: boolean - jsonPath: .metadata.creationTimestamp name: Age type: date
@@ -60,7 +57,6 @@ spec:
 type: string
 minItems: 1
 type: array
- uniqueItems: true
 allowedRedirectURIs:
 description: allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this
@@ -70,7 +66,6 @@ spec:
 type: string
 minItems: 1
 type: array
- uniqueItems: true
 allowedScopes:
 description: "allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client.
@@ -97,7 +92,6 @@ spec:
 type: string
 minItems: 1
 type: array
- uniqueItems: true
 required: - allowedGrantTypes - allowedRedirectURIs
diff --git a/generated/1.22/apis/supervisor/oauth/v1alpha1/types_oidcclient.go b/generated/1.22/apis/supervisor/oauth/v1alpha1/types_oidcclient.go
index ee125443..abae5f2c 100644
--- a/generated/1.22/apis/supervisor/oauth/v1alpha1/types_oidcclient.go
+++ b/generated/1.22/apis/supervisor/oauth/v1alpha1/types_oidcclient.go
@@ -12,7 +12,6 @@ type OIDCClientSpec struct {
 // allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this
 // client. Any other uris will be rejected.
 // Must be https, unless it is a loopback.
- // +kubebuilder:validation:UniqueItems=true
 // +kubebuilder:validation:MinItems=1
 AllowedRedirectURIs []string `json:"allowedRedirectURIs"`
@@ -27,7 +26,6 @@ type OIDCClientSpec struct {
 // - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange,
 // which is a step in the process to be able to get a cluster credential for the user.
 // This grant must be listed if allowedScopes lists pinniped:request-audience.
- // +kubebuilder:validation:UniqueItems=true
 // +kubebuilder:validation:MinItems=1
 AllowedGrantTypes []string `json:"allowedGrantTypes"`
@@ -47,7 +45,6 @@ type OIDCClientSpec struct {
 // - groups: The client is allowed to request that ID tokens contain the user's group membership,
 // if their group membership is discoverable by the Supervisor.
 // Without the groups scope being requested and allowed, the ID token will not contain groups.
- // +kubebuilder:validation:UniqueItems=true
 // +kubebuilder:validation:MinItems=1
 AllowedScopes []string `json:"allowedScopes"`
 }
@@ -60,7 +57,6 @@ type OIDCClientStatus struct {
 // +genclient
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 // +kubebuilder:resource:categories=pinniped
-// +kubebuilder:printcolumn:name="Privileged",type=boolean,JSONPath=`{range .spec.allowedScopes[?(@ == "pinniped:request-audience")]}{true}{end}{false}`
 // +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
 // +kubebuilder:subresource:status
 type OIDCClient struct {
diff --git a/generated/1.22/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml b/generated/1.22/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml
index 0b4ee157..e5b2d932 100644
--- a/generated/1.22/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml
+++ b/generated/1.22/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml
@@ -18,9 +18,6 @@ spec:
 scope: Namespaced versions: - additionalPrinterColumns: - - jsonPath: '{range .spec.allowedScopes[?(@ == "pinniped:request-audience")]}{true}{end}{false}' - name: Privileged - type: boolean - jsonPath: .metadata.creationTimestamp name: Age type: date
@@ -60,7 +57,6 @@ spec:
 type: string
 minItems: 1
 type: array
- uniqueItems: true
 allowedRedirectURIs:
 description: allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this
@@ -70,7 +66,6 @@ spec:
 type: string
 minItems: 1
 type: array
- uniqueItems: true
 allowedScopes:
 description: "allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client.
@@ -97,7 +92,6 @@ spec:
 type: string
 minItems: 1
 type: array
- uniqueItems: true
 required: - allowedGrantTypes - allowedRedirectURIs
diff --git a/generated/1.23/apis/supervisor/oauth/v1alpha1/types_oidcclient.go b/generated/1.23/apis/supervisor/oauth/v1alpha1/types_oidcclient.go
index ee125443..abae5f2c 100644
--- a/generated/1.23/apis/supervisor/oauth/v1alpha1/types_oidcclient.go
+++ b/generated/1.23/apis/supervisor/oauth/v1alpha1/types_oidcclient.go
@@ -12,7 +12,6 @@ type OIDCClientSpec struct {
 // allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this
 // client. Any other uris will be rejected.
 // Must be https, unless it is a loopback.
- // +kubebuilder:validation:UniqueItems=true
 // +kubebuilder:validation:MinItems=1
 AllowedRedirectURIs []string `json:"allowedRedirectURIs"`
@@ -27,7 +26,6 @@ type OIDCClientSpec struct {
 // - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange,
 // which is a step in the process to be able to get a cluster credential for the user.
 // This grant must be listed if allowedScopes lists pinniped:request-audience.
- // +kubebuilder:validation:UniqueItems=true
 // +kubebuilder:validation:MinItems=1
 AllowedGrantTypes []string `json:"allowedGrantTypes"`
@@ -47,7 +45,6 @@ type OIDCClientSpec struct {
 // - groups: The client is allowed to request that ID tokens contain the user's group membership,
 // if their group membership is discoverable by the Supervisor.
 // Without the groups scope being requested and allowed, the ID token will not contain groups.
- // +kubebuilder:validation:UniqueItems=true
 // +kubebuilder:validation:MinItems=1
 AllowedScopes []string `json:"allowedScopes"`
 }
@@ -60,7 +57,6 @@ type OIDCClientStatus struct {
 // +genclient
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 // +kubebuilder:resource:categories=pinniped
-// +kubebuilder:printcolumn:name="Privileged",type=boolean,JSONPath=`{range .spec.allowedScopes[?(@ == "pinniped:request-audience")]}{true}{end}{false}`
 // +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
 // +kubebuilder:subresource:status
 type OIDCClient struct {
diff --git a/generated/1.23/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml b/generated/1.23/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml
index 0b4ee157..e5b2d932 100644
--- a/generated/1.23/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml
+++ b/generated/1.23/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml
@@ -18,9 +18,6 @@ spec:
 scope: Namespaced versions: - additionalPrinterColumns: - - jsonPath: '{range .spec.allowedScopes[?(@ == "pinniped:request-audience")]}{true}{end}{false}' - name: Privileged - type: boolean - jsonPath: .metadata.creationTimestamp name: Age type: date
@@ -60,7 +57,6 @@ spec:
 type: string
 minItems: 1
 type: array
- uniqueItems: true
 allowedRedirectURIs:
 description: allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this
@@ -70,7 +66,6 @@ spec:
 type: string
 minItems: 1
 type: array
- uniqueItems: true
 allowedScopes:
 description: "allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client.
@@ -97,7 +92,6 @@ spec:
 type: string
 minItems: 1
 type: array
- uniqueItems: true
 required: - allowedGrantTypes - allowedRedirectURIs
diff --git a/generated/latest/apis/supervisor/oauth/v1alpha1/types_oidcclient.go b/generated/latest/apis/supervisor/oauth/v1alpha1/types_oidcclient.go
index ee125443..abae5f2c 100644
--- a/generated/latest/apis/supervisor/oauth/v1alpha1/types_oidcclient.go
+++ b/generated/latest/apis/supervisor/oauth/v1alpha1/types_oidcclient.go
@@ -12,7 +12,6 @@ type OIDCClientSpec struct {
 // allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this
 // client. Any other uris will be rejected.
 // Must be https, unless it is a loopback.
- // +kubebuilder:validation:UniqueItems=true
 // +kubebuilder:validation:MinItems=1
 AllowedRedirectURIs []string `json:"allowedRedirectURIs"`
@@ -27,7 +26,6 @@ type OIDCClientSpec struct {
 // - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange,
 // which is a step in the process to be able to get a cluster credential for the user.
 // This grant must be listed if allowedScopes lists pinniped:request-audience.
- // +kubebuilder:validation:UniqueItems=true
 // +kubebuilder:validation:MinItems=1
 AllowedGrantTypes []string `json:"allowedGrantTypes"`
@@ -47,7 +45,6 @@ type OIDCClientSpec struct {
 // - groups: The client is allowed to request that ID tokens contain the user's group membership,
 // if their group membership is discoverable by the Supervisor.
 // Without the groups scope being requested and allowed, the ID token will not contain groups.
- // +kubebuilder:validation:UniqueItems=true
 // +kubebuilder:validation:MinItems=1
 AllowedScopes []string `json:"allowedScopes"`
 }
@@ -60,7 +57,6 @@ type OIDCClientStatus struct {
 // +genclient
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 // +kubebuilder:resource:categories=pinniped
-// +kubebuilder:printcolumn:name="Privileged",type=boolean,JSONPath=`{range .spec.allowedScopes[?(@ == "pinniped:request-audience")]}{true}{end}{false}`
 // +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
 // +kubebuilder:subresource:status
 type OIDCClient struct {
diff --git a/test/integration/kube_api_discovery_test.go b/test/integration/kube_api_discovery_test.go
index eec88808..c0d243cf 100644
--- a/test/integration/kube_api_discovery_test.go
+++ b/test/integration/kube_api_discovery_test.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 package integration
@@ -53,6 +53,7 @@ func TestGetAPIResourceList(t *testing.T) {
 configConciergeGV := makeGV("config", "concierge")
 idpSupervisorGV := makeGV("idp", "supervisor")
 configSupervisorGV := makeGV("config", "supervisor")
+ oauthSupervisorGV := makeGV("oauth", "supervisor")
 tests := []struct {
 group metav1.APIGroup
@@ -143,6 +144,39 @@ func TestGetAPIResourceList(t *testing.T) {
 },
 },
 },
+ {
+ group: metav1.APIGroup{
+ Name: oauthSupervisorGV.Group,
+ Versions: []metav1.GroupVersionForDiscovery{
+ {
+ GroupVersion: oauthSupervisorGV.String(),
+ Version: oauthSupervisorGV.Version,
+ },
+ },
+ PreferredVersion: metav1.GroupVersionForDiscovery{
+ GroupVersion: oauthSupervisorGV.String(),
+ Version: oauthSupervisorGV.Version,
+ },
+ },
+ resourceByVersion: map[string][]metav1.APIResource{
+ oauthSupervisorGV.String(): {
+ {
+ Name: "oidcclients",
+ SingularName: "oidcclient",
+ Namespaced: true,
+ Kind: "OIDCClient",
+ Verbs: []string{"delete", "deletecollection", "get", "list", "patch", "create", "update", "watch"},
+ Categories: []string{"pinniped"},
+ },
+ {
+ Name: "oidcclients/status",
+ Namespaced: true,
+ Kind: "OIDCClient",
+ Verbs: []string{"get", "patch", "update"},
+ },
+ },
+ },
+ },
 {
 group: metav1.APIGroup{
 Name: idpSupervisorGV.Group,
@@ -484,10 +518,15 @@ func TestCRDAdditionalPrinterColumns_Parallel(t *testing.T) {
 {Name: "Age", Type: "date", JSONPath: ".metadata.creationTimestamp"},
 },
 },
+ addSuffix("oidcclients.oauth.supervisor"): {
+ "v1alpha1": []apiextensionsv1.CustomResourceColumnDefinition{
+ {Name: "Age", Type: "date", JSONPath: ".metadata.creationTimestamp"},
+ },
+ },
 }
 actualPinnipedCRDCount := 0
- expectedPinnipedCRDCount := 7 // the current number of CRDs that we ship as part of Pinniped
+ expectedPinnipedCRDCount := 8 // the current number of CRDs that we ship as part of Pinniped
 for _, crd := range crdList.Items {
 if !strings.Contains(crd.Spec.Group, env.APIGroupSuffix) {
From 3cacb5b022bc69a88af34094f37eb4c9849771dd Mon Sep 17 00:00:00 2001
From: Margo Crawford
Date: Mon, 6 Jun 2022 07:38:57 -0700
Subject: [PATCH 04/61] Fix typo in oidcclient spec and status descriptions
Signed-off-by: Margo Crawford
---
 apis/supervisor/oauth/v1alpha1/types_oidcclient.go.tmpl | 4 ++--
 .../supervisor/oauth.supervisor.pinniped.dev_oidcclients.yaml | 4 ++--
 generated/1.17/README.adoc | 4 ++--
 .../1.17/apis/supervisor/oauth/v1alpha1/types_oidcclient.go | 4 ++--
 .../1.17/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml | 4 ++--
 generated/1.18/README.adoc | 4 ++--
 .../1.18/apis/supervisor/oauth/v1alpha1/types_oidcclient.go | 4 ++--
 .../1.18/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml | 4 ++--
 generated/1.19/README.adoc | 4 ++--
 .../1.19/apis/supervisor/oauth/v1alpha1/types_oidcclient.go | 4 ++--
 .../1.19/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml | 4 ++--
 generated/1.20/README.adoc | 4 ++--
 .../1.20/apis/supervisor/oauth/v1alpha1/types_oidcclient.go | 4 ++--
 .../1.20/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml | 4 ++--
 generated/1.21/README.adoc | 4 ++--
 .../1.21/apis/supervisor/oauth/v1alpha1/types_oidcclient.go | 4 ++--
 .../1.21/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml | 4 ++--
 generated/1.22/README.adoc | 4 ++--
 .../1.22/apis/supervisor/oauth/v1alpha1/types_oidcclient.go | 4 ++--
 .../1.22/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml | 4 ++--
 generated/1.23/README.adoc | 4 ++--
 .../1.23/apis/supervisor/oauth/v1alpha1/types_oidcclient.go | 4 ++--
 .../1.23/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml | 4 ++--
 .../latest/apis/supervisor/oauth/v1alpha1/types_oidcclient.go | 4 ++--
 24 files changed, 48 insertions(+), 48 deletions(-)
diff --git a/apis/supervisor/oauth/v1alpha1/types_oidcclient.go.tmpl b/apis/supervisor/oauth/v1alpha1/types_oidcclient.go.tmpl
index abae5f2c..b4aaf275 100644
--- a/apis/supervisor/oauth/v1alpha1/types_oidcclient.go.tmpl
+++ b/apis/supervisor/oauth/v1alpha1/types_oidcclient.go.tmpl
@@ -63,10 +63,10 @@ type OIDCClient struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // Spec of the OIDC provider. + // Spec of the OIDC client. Spec OIDCClientSpec `json:"spec"` - // Status of the OIDC provider. + // Status of the OIDC client. Status OIDCClientStatus `json:"status,omitempty"` } diff --git a/deploy/supervisor/oauth.supervisor.pinniped.dev_oidcclients.yaml b/deploy/supervisor/oauth.supervisor.pinniped.dev_oidcclients.yaml index e5b2d932..802234ed 100644 --- a/deploy/supervisor/oauth.supervisor.pinniped.dev_oidcclients.yaml +++ b/deploy/supervisor/oauth.supervisor.pinniped.dev_oidcclients.yaml @@ -39,7 +39,7 @@ spec: metadata: type: object spec: - description: Spec of the OIDC provider. + description: Spec of the OIDC client. properties: allowedGrantTypes: description: "allowedGrantTypes is a list of the allowed grant_type @@ -98,7 +98,7 @@ spec: - allowedScopes type: object status: - description: Status of the OIDC provider. + description: Status of the OIDC client. type: object required: - spec diff --git a/generated/1.17/README.adoc b/generated/1.17/README.adoc index a7396f25..994dc3e8 100644 --- a/generated/1.17/README.adoc +++ b/generated/1.17/README.adoc 
@@ -1356,8 +1356,8 @@ OIDCClient describes the configuration of an OIDC client. | Field | Description | *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.17/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`. -| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-oauth-v1alpha1-oidcclientspec[$$OIDCClientSpec$$]__ | Spec of the OIDC provider. -| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-oauth-v1alpha1-oidcclientstatus[$$OIDCClientStatus$$]__ | Status of the OIDC provider. +| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-oauth-v1alpha1-oidcclientspec[$$OIDCClientSpec$$]__ | Spec of the OIDC client. +| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-oauth-v1alpha1-oidcclientstatus[$$OIDCClientStatus$$]__ | Status of the OIDC client. |=== diff --git a/generated/1.17/apis/supervisor/oauth/v1alpha1/types_oidcclient.go b/generated/1.17/apis/supervisor/oauth/v1alpha1/types_oidcclient.go index abae5f2c..b4aaf275 100644 --- a/generated/1.17/apis/supervisor/oauth/v1alpha1/types_oidcclient.go +++ b/generated/1.17/apis/supervisor/oauth/v1alpha1/types_oidcclient.go @@ -63,10 +63,10 @@ type OIDCClient struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // Spec of the OIDC provider. + // Spec of the OIDC client. Spec OIDCClientSpec `json:"spec"` - // Status of the OIDC provider. + // Status of the OIDC client. Status OIDCClientStatus `json:"status,omitempty"` } diff --git a/generated/1.17/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml b/generated/1.17/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml index e5b2d932..802234ed 100644 --- a/generated/1.17/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml +++ b/generated/1.17/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml 
@@ -39,7 +39,7 @@ spec: metadata: type: object spec: - description: Spec of the OIDC provider. + description: Spec of the OIDC client. properties: allowedGrantTypes: description: "allowedGrantTypes is a list of the allowed grant_type @@ -98,7 +98,7 @@ spec: - allowedScopes type: object status: - description: Status of the OIDC provider. + description: Status of the OIDC client. type: object required: - spec diff --git a/generated/1.18/README.adoc b/generated/1.18/README.adoc index 53a3a986..fc6c1311 100644 --- a/generated/1.18/README.adoc +++ b/generated/1.18/README.adoc @@ -1356,8 +1356,8 @@ OIDCClient describes the configuration of an OIDC client. | Field | Description | *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`. -| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-oauth-v1alpha1-oidcclientspec[$$OIDCClientSpec$$]__ | Spec of the OIDC provider. -| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-oauth-v1alpha1-oidcclientstatus[$$OIDCClientStatus$$]__ | Status of the OIDC provider. +| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-oauth-v1alpha1-oidcclientspec[$$OIDCClientSpec$$]__ | Spec of the OIDC client. +| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-oauth-v1alpha1-oidcclientstatus[$$OIDCClientStatus$$]__ | Status of the OIDC client. |=== diff --git a/generated/1.18/apis/supervisor/oauth/v1alpha1/types_oidcclient.go b/generated/1.18/apis/supervisor/oauth/v1alpha1/types_oidcclient.go index abae5f2c..b4aaf275 100644 --- a/generated/1.18/apis/supervisor/oauth/v1alpha1/types_oidcclient.go +++ b/generated/1.18/apis/supervisor/oauth/v1alpha1/types_oidcclient.go 
@@ -63,10 +63,10 @@ type OIDCClient struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // Spec of the OIDC provider. + // Spec of the OIDC client. Spec OIDCClientSpec `json:"spec"` - // Status of the OIDC provider. + // Status of the OIDC client. Status OIDCClientStatus `json:"status,omitempty"` } diff --git a/generated/1.18/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml b/generated/1.18/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml index e5b2d932..802234ed 100644 --- a/generated/1.18/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml +++ b/generated/1.18/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml @@ -39,7 +39,7 @@ spec: metadata: type: object spec: - description: Spec of the OIDC provider. + description: Spec of the OIDC client. properties: allowedGrantTypes: description: "allowedGrantTypes is a list of the allowed grant_type @@ -98,7 +98,7 @@ spec: - allowedScopes type: object status: - description: Status of the OIDC provider. + description: Status of the OIDC client. type: object required: - spec diff --git a/generated/1.19/README.adoc b/generated/1.19/README.adoc index a8dd26ee..bbfcf79c 100644 --- a/generated/1.19/README.adoc +++ b/generated/1.19/README.adoc 
@@ -1356,8 +1356,8 @@ OIDCClient describes the configuration of an OIDC client. | Field | Description | *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`. -| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-oauth-v1alpha1-oidcclientspec[$$OIDCClientSpec$$]__ | Spec of the OIDC provider. -| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-oauth-v1alpha1-oidcclientstatus[$$OIDCClientStatus$$]__ | Status of the OIDC provider. +| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-oauth-v1alpha1-oidcclientspec[$$OIDCClientSpec$$]__ | Spec of the OIDC client. +| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-oauth-v1alpha1-oidcclientstatus[$$OIDCClientStatus$$]__ | Status of the OIDC client. |=== diff --git a/generated/1.19/apis/supervisor/oauth/v1alpha1/types_oidcclient.go b/generated/1.19/apis/supervisor/oauth/v1alpha1/types_oidcclient.go index abae5f2c..b4aaf275 100644 --- a/generated/1.19/apis/supervisor/oauth/v1alpha1/types_oidcclient.go +++ b/generated/1.19/apis/supervisor/oauth/v1alpha1/types_oidcclient.go @@ -63,10 +63,10 @@ type OIDCClient struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // Spec of the OIDC provider. + // Spec of the OIDC client. Spec OIDCClientSpec `json:"spec"` - // Status of the OIDC provider. + // Status of the OIDC client. Status OIDCClientStatus `json:"status,omitempty"` } diff --git a/generated/1.19/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml b/generated/1.19/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml index e5b2d932..802234ed 100644 --- a/generated/1.19/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml +++ b/generated/1.19/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml 
@@ -39,7 +39,7 @@ spec: metadata: type: object spec: - description: Spec of the OIDC provider. + description: Spec of the OIDC client. properties: allowedGrantTypes: description: "allowedGrantTypes is a list of the allowed grant_type @@ -98,7 +98,7 @@ spec: - allowedScopes type: object status: - description: Status of the OIDC provider. + description: Status of the OIDC client. type: object required: - spec diff --git a/generated/1.20/README.adoc b/generated/1.20/README.adoc index 5d419a80..eb390ef4 100644 --- a/generated/1.20/README.adoc +++ b/generated/1.20/README.adoc @@ -1356,8 +1356,8 @@ OIDCClient describes the configuration of an OIDC client. | Field | Description | *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.2/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`. -| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-supervisor-oauth-v1alpha1-oidcclientspec[$$OIDCClientSpec$$]__ | Spec of the OIDC provider. -| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-supervisor-oauth-v1alpha1-oidcclientstatus[$$OIDCClientStatus$$]__ | Status of the OIDC provider. +| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-supervisor-oauth-v1alpha1-oidcclientspec[$$OIDCClientSpec$$]__ | Spec of the OIDC client. +| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-supervisor-oauth-v1alpha1-oidcclientstatus[$$OIDCClientStatus$$]__ | Status of the OIDC client. |=== diff --git a/generated/1.20/apis/supervisor/oauth/v1alpha1/types_oidcclient.go b/generated/1.20/apis/supervisor/oauth/v1alpha1/types_oidcclient.go index abae5f2c..b4aaf275 100644 --- a/generated/1.20/apis/supervisor/oauth/v1alpha1/types_oidcclient.go +++ b/generated/1.20/apis/supervisor/oauth/v1alpha1/types_oidcclient.go 
@@ -63,10 +63,10 @@ type OIDCClient struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // Spec of the OIDC provider. + // Spec of the OIDC client. Spec OIDCClientSpec `json:"spec"` - // Status of the OIDC provider. + // Status of the OIDC client. Status OIDCClientStatus `json:"status,omitempty"` } diff --git a/generated/1.20/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml b/generated/1.20/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml index e5b2d932..802234ed 100644 --- a/generated/1.20/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml +++ b/generated/1.20/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml @@ -39,7 +39,7 @@ spec: metadata: type: object spec: - description: Spec of the OIDC provider. + description: Spec of the OIDC client. properties: allowedGrantTypes: description: "allowedGrantTypes is a list of the allowed grant_type @@ -98,7 +98,7 @@ spec: - allowedScopes type: object status: - description: Status of the OIDC provider. + description: Status of the OIDC client. type: object required: - spec diff --git a/generated/1.21/README.adoc b/generated/1.21/README.adoc index 925391c3..92407eff 100644 --- a/generated/1.21/README.adoc +++ b/generated/1.21/README.adoc 
@@ -1356,8 +1356,8 @@ OIDCClient describes the configuration of an OIDC client. | Field | Description | *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.21/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`. -| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-oauth-v1alpha1-oidcclientspec[$$OIDCClientSpec$$]__ | Spec of the OIDC provider. -| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-oauth-v1alpha1-oidcclientstatus[$$OIDCClientStatus$$]__ | Status of the OIDC provider. +| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-oauth-v1alpha1-oidcclientspec[$$OIDCClientSpec$$]__ | Spec of the OIDC client. +| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-oauth-v1alpha1-oidcclientstatus[$$OIDCClientStatus$$]__ | Status of the OIDC client. |=== diff --git a/generated/1.21/apis/supervisor/oauth/v1alpha1/types_oidcclient.go b/generated/1.21/apis/supervisor/oauth/v1alpha1/types_oidcclient.go index abae5f2c..b4aaf275 100644 --- a/generated/1.21/apis/supervisor/oauth/v1alpha1/types_oidcclient.go +++ b/generated/1.21/apis/supervisor/oauth/v1alpha1/types_oidcclient.go @@ -63,10 +63,10 @@ type OIDCClient struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // Spec of the OIDC provider. + // Spec of the OIDC client. Spec OIDCClientSpec `json:"spec"` - // Status of the OIDC provider. + // Status of the OIDC client. Status OIDCClientStatus `json:"status,omitempty"` } diff --git a/generated/1.21/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml b/generated/1.21/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml index e5b2d932..802234ed 100644 --- a/generated/1.21/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml +++ b/generated/1.21/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml 
@@ -39,7 +39,7 @@ spec: metadata: type: object spec: - description: Spec of the OIDC provider. + description: Spec of the OIDC client. properties: allowedGrantTypes: description: "allowedGrantTypes is a list of the allowed grant_type @@ -98,7 +98,7 @@ spec: - allowedScopes type: object status: - description: Status of the OIDC provider. + description: Status of the OIDC client. type: object required: - spec diff --git a/generated/1.22/README.adoc b/generated/1.22/README.adoc index 51cf7c07..6a1281fb 100644 --- a/generated/1.22/README.adoc +++ b/generated/1.22/README.adoc @@ -1356,8 +1356,8 @@ OIDCClient describes the configuration of an OIDC client. | Field | Description | *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.22/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`. -| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-oauth-v1alpha1-oidcclientspec[$$OIDCClientSpec$$]__ | Spec of the OIDC provider. -| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-oauth-v1alpha1-oidcclientstatus[$$OIDCClientStatus$$]__ | Status of the OIDC provider. +| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-oauth-v1alpha1-oidcclientspec[$$OIDCClientSpec$$]__ | Spec of the OIDC client. +| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-oauth-v1alpha1-oidcclientstatus[$$OIDCClientStatus$$]__ | Status of the OIDC client. |=== diff --git a/generated/1.22/apis/supervisor/oauth/v1alpha1/types_oidcclient.go b/generated/1.22/apis/supervisor/oauth/v1alpha1/types_oidcclient.go index abae5f2c..b4aaf275 100644 --- a/generated/1.22/apis/supervisor/oauth/v1alpha1/types_oidcclient.go +++ b/generated/1.22/apis/supervisor/oauth/v1alpha1/types_oidcclient.go 
@@ -63,10 +63,10 @@ type OIDCClient struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // Spec of the OIDC provider. + // Spec of the OIDC client. Spec OIDCClientSpec `json:"spec"` - // Status of the OIDC provider. + // Status of the OIDC client. Status OIDCClientStatus `json:"status,omitempty"` } diff --git a/generated/1.22/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml b/generated/1.22/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml index e5b2d932..802234ed 100644 --- a/generated/1.22/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml +++ b/generated/1.22/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml @@ -39,7 +39,7 @@ spec: metadata: type: object spec: - description: Spec of the OIDC provider. + description: Spec of the OIDC client. properties: allowedGrantTypes: description: "allowedGrantTypes is a list of the allowed grant_type @@ -98,7 +98,7 @@ spec: - allowedScopes type: object status: - description: Status of the OIDC provider. + description: Status of the OIDC client. type: object required: - spec diff --git a/generated/1.23/README.adoc b/generated/1.23/README.adoc index b7eddf16..80a89a56 100644 --- a/generated/1.23/README.adoc +++ b/generated/1.23/README.adoc 
@@ -1356,8 +1356,8 @@ OIDCClient describes the configuration of an OIDC client. | Field | Description | *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`. -| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-oauth-v1alpha1-oidcclientspec[$$OIDCClientSpec$$]__ | Spec of the OIDC provider. -| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-oauth-v1alpha1-oidcclientstatus[$$OIDCClientStatus$$]__ | Status of the OIDC provider. +| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-oauth-v1alpha1-oidcclientspec[$$OIDCClientSpec$$]__ | Spec of the OIDC client. +| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-oauth-v1alpha1-oidcclientstatus[$$OIDCClientStatus$$]__ | Status of the OIDC client. |=== diff --git a/generated/1.23/apis/supervisor/oauth/v1alpha1/types_oidcclient.go b/generated/1.23/apis/supervisor/oauth/v1alpha1/types_oidcclient.go index abae5f2c..b4aaf275 100644 --- a/generated/1.23/apis/supervisor/oauth/v1alpha1/types_oidcclient.go +++ b/generated/1.23/apis/supervisor/oauth/v1alpha1/types_oidcclient.go @@ -63,10 +63,10 @@ type OIDCClient struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // Spec of the OIDC provider. + // Spec of the OIDC client. Spec OIDCClientSpec `json:"spec"` - // Status of the OIDC provider. + // Status of the OIDC client. Status OIDCClientStatus `json:"status,omitempty"` } diff --git a/generated/1.23/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml b/generated/1.23/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml index e5b2d932..802234ed 100644 --- a/generated/1.23/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml +++ b/generated/1.23/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml 
@@ -39,7 +39,7 @@ spec: metadata: type: object spec: - description: Spec of the OIDC provider. + description: Spec of the OIDC client. properties: allowedGrantTypes: description: "allowedGrantTypes is a list of the allowed grant_type @@ -98,7 +98,7 @@ spec: - allowedScopes type: object status: - description: Status of the OIDC provider. + description: Status of the OIDC client. type: object required: - spec diff --git a/generated/latest/apis/supervisor/oauth/v1alpha1/types_oidcclient.go b/generated/latest/apis/supervisor/oauth/v1alpha1/types_oidcclient.go index abae5f2c..b4aaf275 100644 --- a/generated/latest/apis/supervisor/oauth/v1alpha1/types_oidcclient.go +++ b/generated/latest/apis/supervisor/oauth/v1alpha1/types_oidcclient.go @@ -63,10 +63,10 @@ type OIDCClient struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // Spec of the OIDC provider. + // Spec of the OIDC client. Spec OIDCClientSpec `json:"spec"` - // Status of the OIDC provider. + // Status of the OIDC client. Status OIDCClientStatus `json:"status,omitempty"` } From 0dec2eee32e8ec951e6688d60647ac80a8b09a6c Mon Sep 17 00:00:00 2001 From: Margo Crawford Date: Mon, 6 Jun 2022 10:15:25 -0700 Subject: [PATCH 05/61] Add enum validation for scopes and grant types 
Signed-off-by: Margo Crawford --- .../oauth/v1alpha1/types_oidcclient.go.tmpl | 10 ++++++++-- .../oauth.supervisor.pinniped.dev_oidcclients.yaml | 10 ++++++++++ deploy/supervisor/z0_crd_overlay.yaml | 11 ++++++++++- generated/1.17/README.adoc | 4 ++-- .../supervisor/oauth/v1alpha1/types_oidcclient.go | 10 ++++++++-- .../oauth/v1alpha1/zz_generated.deepcopy.go | 4 ++-- .../oauth.supervisor.pinniped.dev_oidcclients.yaml | 10 ++++++++++ generated/1.18/README.adoc | 4 ++-- .../supervisor/oauth/v1alpha1/types_oidcclient.go | 10 ++++++++-- .../oauth/v1alpha1/zz_generated.deepcopy.go | 4 ++-- .../oauth.supervisor.pinniped.dev_oidcclients.yaml | 10 ++++++++++ generated/1.19/README.adoc | 4 ++-- .../supervisor/oauth/v1alpha1/types_oidcclient.go | 10 ++++++++-- .../oauth/v1alpha1/zz_generated.deepcopy.go | 4 ++-- .../oauth.supervisor.pinniped.dev_oidcclients.yaml | 10 ++++++++++ generated/1.20/README.adoc | 4 ++-- .../supervisor/oauth/v1alpha1/types_oidcclient.go | 10 ++++++++-- .../oauth/v1alpha1/zz_generated.deepcopy.go | 4 ++-- .../oauth.supervisor.pinniped.dev_oidcclients.yaml | 10 ++++++++++ generated/1.21/README.adoc | 4 ++-- .../supervisor/oauth/v1alpha1/types_oidcclient.go | 10 ++++++++-- .../oauth/v1alpha1/zz_generated.deepcopy.go | 4 ++-- .../oauth.supervisor.pinniped.dev_oidcclients.yaml | 10 ++++++++++ generated/1.22/README.adoc | 4 ++-- .../supervisor/oauth/v1alpha1/types_oidcclient.go | 10 ++++++++-- .../oauth/v1alpha1/zz_generated.deepcopy.go | 4 ++-- .../oauth.supervisor.pinniped.dev_oidcclients.yaml | 10 ++++++++++ generated/1.23/README.adoc | 4 ++-- .../supervisor/oauth/v1alpha1/types_oidcclient.go | 10 ++++++++-- .../oauth/v1alpha1/zz_generated.deepcopy.go | 4 ++-- .../oauth.supervisor.pinniped.dev_oidcclients.yaml | 10 ++++++++++ .../supervisor/oauth/v1alpha1/types_oidcclient.go | 10 ++++++++-- .../oauth/v1alpha1/zz_generated.deepcopy.go | 4 ++-- 33 files changed, 192 insertions(+), 49 deletions(-) 
diff --git a/apis/supervisor/oauth/v1alpha1/types_oidcclient.go.tmpl b/apis/supervisor/oauth/v1alpha1/types_oidcclient.go.tmpl
index b4aaf275..e905c61a 100644
--- a/apis/supervisor/oauth/v1alpha1/types_oidcclient.go.tmpl
+++ b/apis/supervisor/oauth/v1alpha1/types_oidcclient.go.tmpl
@@ -7,6 +7,12 @@ import (
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
+// +kubebuilder:validation:Enum="authorization_code";"refresh_token";"urn:ietf:params:oauth:grant-type:token-exchange"
+type GrantType string
+
+// +kubebuilder:validation:Enum="openid";"offline_access";"username";"groups";"pinniped:request-audience"
+type Scope string
+
 // OIDCClientSpec is a struct that describes an OIDC Client.
 type OIDCClientSpec struct {
 // allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this
@@ -27,7 +33,7 @@ type OIDCClientSpec struct {
 // which is a step in the process to be able to get a cluster credential for the user.
 // This grant must be listed if allowedScopes lists pinniped:request-audience.
 // +kubebuilder:validation:MinItems=1
- AllowedGrantTypes []string `json:"allowedGrantTypes"`
+ AllowedGrantTypes []GrantType `json:"allowedGrantTypes"`
 
 // allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client.
 //
@@ -46,7 +52,7 @@ type OIDCClientSpec struct {
 // if their group membership is discoverable by the Supervisor.
 // Without the groups scope being requested and allowed, the ID token will not contain groups.
 // +kubebuilder:validation:MinItems=1
- AllowedScopes []string `json:"allowedScopes"`
+ AllowedScopes []Scope `json:"allowedScopes"`
 }
 
 // OIDCClientStatus is a struct that describes the actual state of an OIDC Client.
diff --git a/deploy/supervisor/oauth.supervisor.pinniped.dev_oidcclients.yaml b/deploy/supervisor/oauth.supervisor.pinniped.dev_oidcclients.yaml
index 802234ed..589a9154 100644
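Review bot: The new exported types `GrantType` and `Scope` in the first hunk of the template carry only the kubebuilder enum marker and no doc comment, and their permitted values exist in Go nowhere but inside that marker string, so Supervisor code that checks `AllowedGrantTypes` or `AllowedScopes` will have to compare against repeated untyped string literals. I would give each type a doc comment (`// GrantType is an OAuth 2.0 grant_type value that an OIDCClient may be allowed to use.` and `// Scope is a scope value that an OIDCClient may be allowed to request.`) and declare the enum members as typed constants beside the types, as below, so the marker and the code cannot drift apart. Note also that the enum only constrains individual list entries: the cross-field rules the field docs state in the surrounding context (for example `This grant must be listed if allowedScopes lists pinniped:request-audience.`) are not expressed in the schema, so the API server will still admit a spec that violates them and they have to be checked wherever the Supervisor loads an OIDCClient; nothing in this patch does that, so presumably it is left for a later patch. The `OIDCClientSpec` struct itself starts inside the hunk but its body continues outside the hunks shown.
```go
// GrantType is an OAuth 2.0 grant_type value that an OIDCClient may be allowed to use.
// +kubebuilder:validation:Enum="authorization_code";"refresh_token";"urn:ietf:params:oauth:grant-type:token-exchange"
type GrantType string

const (
	GrantTypeAuthorizationCode GrantType = "authorization_code"
	GrantTypeRefreshToken      GrantType = "refresh_token"
	GrantTypeTokenExchange     GrantType = "urn:ietf:params:oauth:grant-type:token-exchange"
)

// Scope is a scope value that an OIDCClient may be allowed to request.
// +kubebuilder:validation:Enum="openid";"offline_access";"username";"groups";"pinniped:request-audience"
type Scope string

const (
	ScopeOpenID          Scope = "openid"
	ScopeOfflineAccess   Scope = "offline_access"
	ScopeUsername        Scope = "username"
	ScopeGroups          Scope = "groups"
	ScopeRequestAudience Scope = "pinniped:request-audience"
)

// … unchanged: OIDCClientSpec and its field docs …
```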
--- a/deploy/supervisor/oauth.supervisor.pinniped.dev_oidcclients.yaml +++ b/deploy/supervisor/oauth.supervisor.pinniped.dev_oidcclients.yaml @@ -54,6 +54,10 @@ spec: step in the process to be able to get a cluster credential for the user. This grant must be listed if allowedScopes lists pinniped:request-audience." items: + enum: + - authorization_code + - refresh_token + - urn:ietf:params:oauth:grant-type:token-exchange type: string minItems: 1 type: array @@ -89,6 +93,12 @@ spec: the groups scope being requested and allowed, the ID token will not contain groups." items: + enum: + - openid + - offline_access + - username + - groups + - pinniped:request-audience type: string minItems: 1 type: array diff --git a/deploy/supervisor/z0_crd_overlay.yaml b/deploy/supervisor/z0_crd_overlay.yaml index 7596975d..130f780d 100644 --- a/deploy/supervisor/z0_crd_overlay.yaml +++ b/deploy/supervisor/z0_crd_overlay.yaml @@ -1,4 +1,4 @@ -#! Copyright 2020-2021 the Pinniped contributors. All Rights Reserved. +#! Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. #! SPDX-License-Identifier: Apache-2.0 #@ load("@ytt:overlay", "overlay") @@ -40,3 +40,12 @@ metadata: name: #@ pinnipedDevAPIGroupWithPrefix("activedirectoryidentityproviders.idp.supervisor") spec: group: #@ pinnipedDevAPIGroupWithPrefix("idp.supervisor") + +#@overlay/match by=overlay.subset({"kind": "CustomResourceDefinition", "metadata":{"name":"oidcclients.oauth.supervisor.pinniped.dev"}}), expects=1 +--- +metadata: + #@overlay/match missing_ok=True + labels: #@ labels() + name: #@ pinnipedDevAPIGroupWithPrefix("oidcclients.oauth.supervisor") +spec: + group: #@ pinnipedDevAPIGroupWithPrefix("oauth.supervisor") diff --git a/generated/1.17/README.adoc b/generated/1.17/README.adoc index 994dc3e8..06dd963e 100644 --- a/generated/1.17/README.adoc +++ b/generated/1.17/README.adoc 
@@ -1377,9 +1377,9 @@ OIDCClientSpec is a struct that describes an OIDC Client. |=== | Field | Description | *`allowedRedirectURIs`* __string array__ | allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this client. Any other uris will be rejected. Must be https, unless it is a loopback. -| *`allowedGrantTypes`* __string array__ | allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this client. +| *`allowedGrantTypes`* __GrantType array__ | allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this client. Must only contain the following values: - authorization_code: allows the client to perform the authorization code grant flow, i.e. allows the webapp to authenticate users. This grant must always be listed. - refresh_token: allows the client to perform refresh grants for the user to extend the user's session. This grant must be listed if allowedScopes lists offline_access. - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. This grant must be listed if allowedScopes lists pinniped:request-audience. -| *`allowedScopes`* __string array__ | allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. +| *`allowedScopes`* __Scope array__ | allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. Must only contain the following values: - openid: The client is allowed to request ID tokens. ID tokens only include the required claims by default (iss, sub, aud, exp, iat). This scope must always be listed. - offline_access: The client is allowed to request an initial refresh token during the authorization code grant flow. 
This scope must be listed if allowedGrantTypes lists refresh_token. - pinniped:request-audience: The client is allowed to request a new audience value during a RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. openid, username and groups scopes must be listed when this scope is present. This scope must be listed if allowedGrantTypes lists urn:ietf:params:oauth:grant-type:token-exchange. - username: The client is allowed to request that ID tokens contain the user's username. Without the username scope being requested and allowed, the ID token will not contain the user's username. - groups: The client is allowed to request that ID tokens contain the user's group membership, if their group membership is discoverable by the Supervisor. Without the groups scope being requested and allowed, the ID token will not contain groups. |=== diff --git a/generated/1.17/apis/supervisor/oauth/v1alpha1/types_oidcclient.go b/generated/1.17/apis/supervisor/oauth/v1alpha1/types_oidcclient.go index b4aaf275..e905c61a 100644 --- a/generated/1.17/apis/supervisor/oauth/v1alpha1/types_oidcclient.go +++ b/generated/1.17/apis/supervisor/oauth/v1alpha1/types_oidcclient.go @@ -7,6 +7,12 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" ) +// +kubebuilder:validation:Enum="authorization_code";"refresh_token";"urn:ietf:params:oauth:grant-type:token-exchange" +type GrantType string + +// +kubebuilder:validation:Enum="openid";"offline_access";"username";"groups";"pinniped:request-audience" +type Scope string + // OIDCClientSpec is a struct that describes an OIDC Client. type OIDCClientSpec struct { // allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this 
@@ -27,7 +33,7 @@ type OIDCClientSpec struct { // which is a step in the process to be able to get a cluster credential for the user. // This grant must be listed if allowedScopes lists pinniped:request-audience. // +kubebuilder:validation:MinItems=1 - AllowedGrantTypes []string `json:"allowedGrantTypes"` + AllowedGrantTypes []GrantType `json:"allowedGrantTypes"` // allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. // @@ -46,7 +52,7 @@ type OIDCClientSpec struct { // if their group membership is discoverable by the Supervisor. // Without the groups scope being requested and allowed, the ID token will not contain groups. // +kubebuilder:validation:MinItems=1 - AllowedScopes []string `json:"allowedScopes"` + AllowedScopes []Scope `json:"allowedScopes"` } // OIDCClientStatus is a struct that describes the actual state of an OIDC Client. diff --git a/generated/1.17/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go b/generated/1.17/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go index cb35cea5..1aba8aea 100644 --- a/generated/1.17/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go +++ b/generated/1.17/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go @@ -83,12 +83,12 @@ func (in *OIDCClientSpec) DeepCopyInto(out *OIDCClientSpec) { } if in.AllowedGrantTypes != nil { in, out := &in.AllowedGrantTypes, &out.AllowedGrantTypes - *out = make([]string, len(*in)) + *out = make([]GrantType, len(*in)) copy(*out, *in) } if in.AllowedScopes != nil { in, out := &in.AllowedScopes, &out.AllowedScopes - *out = make([]string, len(*in)) + *out = make([]Scope, len(*in)) copy(*out, *in) } return diff --git a/generated/1.17/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml b/generated/1.17/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml index 802234ed..589a9154 100644 --- a/generated/1.17/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml 
+++ b/generated/1.17/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml @@ -54,6 +54,10 @@ spec: step in the process to be able to get a cluster credential for the user. This grant must be listed if allowedScopes lists pinniped:request-audience." items: + enum: + - authorization_code + - refresh_token + - urn:ietf:params:oauth:grant-type:token-exchange type: string minItems: 1 type: array @@ -89,6 +93,12 @@ spec: the groups scope being requested and allowed, the ID token will not contain groups." items: + enum: + - openid + - offline_access + - username + - groups + - pinniped:request-audience type: string minItems: 1 type: array diff --git a/generated/1.18/README.adoc b/generated/1.18/README.adoc index fc6c1311..3cdade3a 100644 --- a/generated/1.18/README.adoc +++ b/generated/1.18/README.adoc 
@@ -1377,9 +1377,9 @@ OIDCClientSpec is a struct that describes an OIDC Client. |=== | Field | Description | *`allowedRedirectURIs`* __string array__ | allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this client. Any other uris will be rejected. Must be https, unless it is a loopback. -| *`allowedGrantTypes`* __string array__ | allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this client. +| *`allowedGrantTypes`* __GrantType array__ | allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this client. Must only contain the following values: - authorization_code: allows the client to perform the authorization code grant flow, i.e. allows the webapp to authenticate users. This grant must always be listed. - refresh_token: allows the client to perform refresh grants for the user to extend the user's session. This grant must be listed if allowedScopes lists offline_access. - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. This grant must be listed if allowedScopes lists pinniped:request-audience. -| *`allowedScopes`* __string array__ | allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. +| *`allowedScopes`* __Scope array__ | allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. Must only contain the following values: - openid: The client is allowed to request ID tokens. ID tokens only include the required claims by default (iss, sub, aud, exp, iat). This scope must always be listed. - offline_access: The client is allowed to request an initial refresh token during the authorization code grant flow. 
This scope must be listed if allowedGrantTypes lists refresh_token. - pinniped:request-audience: The client is allowed to request a new audience value during a RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. openid, username and groups scopes must be listed when this scope is present. This scope must be listed if allowedGrantTypes lists urn:ietf:params:oauth:grant-type:token-exchange. - username: The client is allowed to request that ID tokens contain the user's username. Without the username scope being requested and allowed, the ID token will not contain the user's username. - groups: The client is allowed to request that ID tokens contain the user's group membership, if their group membership is discoverable by the Supervisor. Without the groups scope being requested and allowed, the ID token will not contain groups. |=== diff --git a/generated/1.18/apis/supervisor/oauth/v1alpha1/types_oidcclient.go b/generated/1.18/apis/supervisor/oauth/v1alpha1/types_oidcclient.go index b4aaf275..e905c61a 100644 --- a/generated/1.18/apis/supervisor/oauth/v1alpha1/types_oidcclient.go +++ b/generated/1.18/apis/supervisor/oauth/v1alpha1/types_oidcclient.go @@ -7,6 +7,12 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" ) +// +kubebuilder:validation:Enum="authorization_code";"refresh_token";"urn:ietf:params:oauth:grant-type:token-exchange" +type GrantType string + +// +kubebuilder:validation:Enum="openid";"offline_access";"username";"groups";"pinniped:request-audience" +type Scope string + // OIDCClientSpec is a struct that describes an OIDC Client. type OIDCClientSpec struct { // allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this 
@@ -27,7 +33,7 @@ type OIDCClientSpec struct { // which is a step in the process to be able to get a cluster credential for the user. // This grant must be listed if allowedScopes lists pinniped:request-audience. // +kubebuilder:validation:MinItems=1 - AllowedGrantTypes []string `json:"allowedGrantTypes"` + AllowedGrantTypes []GrantType `json:"allowedGrantTypes"` // allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. // @@ -46,7 +52,7 @@ type OIDCClientSpec struct { // if their group membership is discoverable by the Supervisor. // Without the groups scope being requested and allowed, the ID token will not contain groups. // +kubebuilder:validation:MinItems=1 - AllowedScopes []string `json:"allowedScopes"` + AllowedScopes []Scope `json:"allowedScopes"` } // OIDCClientStatus is a struct that describes the actual state of an OIDC Client. diff --git a/generated/1.18/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go b/generated/1.18/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go index cb35cea5..1aba8aea 100644 --- a/generated/1.18/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go +++ b/generated/1.18/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go @@ -83,12 +83,12 @@ func (in *OIDCClientSpec) DeepCopyInto(out *OIDCClientSpec) { } if in.AllowedGrantTypes != nil { in, out := &in.AllowedGrantTypes, &out.AllowedGrantTypes - *out = make([]string, len(*in)) + *out = make([]GrantType, len(*in)) copy(*out, *in) } if in.AllowedScopes != nil { in, out := &in.AllowedScopes, &out.AllowedScopes - *out = make([]string, len(*in)) + *out = make([]Scope, len(*in)) copy(*out, *in) } return diff --git a/generated/1.18/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml b/generated/1.18/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml index 802234ed..589a9154 100644 --- a/generated/1.18/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml 
+++ b/generated/1.18/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml @@ -54,6 +54,10 @@ spec: step in the process to be able to get a cluster credential for the user. This grant must be listed if allowedScopes lists pinniped:request-audience." items: + enum: + - authorization_code + - refresh_token + - urn:ietf:params:oauth:grant-type:token-exchange type: string minItems: 1 type: array @@ -89,6 +93,12 @@ spec: the groups scope being requested and allowed, the ID token will not contain groups." items: + enum: + - openid + - offline_access + - username + - groups + - pinniped:request-audience type: string minItems: 1 type: array diff --git a/generated/1.19/README.adoc b/generated/1.19/README.adoc index bbfcf79c..41377c38 100644 --- a/generated/1.19/README.adoc +++ b/generated/1.19/README.adoc 
@@ -1377,9 +1377,9 @@ OIDCClientSpec is a struct that describes an OIDC Client. |=== | Field | Description | *`allowedRedirectURIs`* __string array__ | allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this client. Any other uris will be rejected. Must be https, unless it is a loopback. -| *`allowedGrantTypes`* __string array__ | allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this client. +| *`allowedGrantTypes`* __GrantType array__ | allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this client. Must only contain the following values: - authorization_code: allows the client to perform the authorization code grant flow, i.e. allows the webapp to authenticate users. This grant must always be listed. - refresh_token: allows the client to perform refresh grants for the user to extend the user's session. This grant must be listed if allowedScopes lists offline_access. - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. This grant must be listed if allowedScopes lists pinniped:request-audience. -| *`allowedScopes`* __string array__ | allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. +| *`allowedScopes`* __Scope array__ | allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. Must only contain the following values: - openid: The client is allowed to request ID tokens. ID tokens only include the required claims by default (iss, sub, aud, exp, iat). This scope must always be listed. - offline_access: The client is allowed to request an initial refresh token during the authorization code grant flow. 
This scope must be listed if allowedGrantTypes lists refresh_token. - pinniped:request-audience: The client is allowed to request a new audience value during a RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. openid, username and groups scopes must be listed when this scope is present. This scope must be listed if allowedGrantTypes lists urn:ietf:params:oauth:grant-type:token-exchange. - username: The client is allowed to request that ID tokens contain the user's username. Without the username scope being requested and allowed, the ID token will not contain the user's username. - groups: The client is allowed to request that ID tokens contain the user's group membership, if their group membership is discoverable by the Supervisor. Without the groups scope being requested and allowed, the ID token will not contain groups. |=== diff --git a/generated/1.19/apis/supervisor/oauth/v1alpha1/types_oidcclient.go b/generated/1.19/apis/supervisor/oauth/v1alpha1/types_oidcclient.go index b4aaf275..e905c61a 100644 --- a/generated/1.19/apis/supervisor/oauth/v1alpha1/types_oidcclient.go +++ b/generated/1.19/apis/supervisor/oauth/v1alpha1/types_oidcclient.go @@ -7,6 +7,12 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" ) +// +kubebuilder:validation:Enum="authorization_code";"refresh_token";"urn:ietf:params:oauth:grant-type:token-exchange" +type GrantType string + +// +kubebuilder:validation:Enum="openid";"offline_access";"username";"groups";"pinniped:request-audience" +type Scope string + // OIDCClientSpec is a struct that describes an OIDC Client. type OIDCClientSpec struct { // allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this 
@@ -27,7 +33,7 @@ type OIDCClientSpec struct { // which is a step in the process to be able to get a cluster credential for the user. // This grant must be listed if allowedScopes lists pinniped:request-audience. // +kubebuilder:validation:MinItems=1 - AllowedGrantTypes []string `json:"allowedGrantTypes"` + AllowedGrantTypes []GrantType `json:"allowedGrantTypes"` // allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. // @@ -46,7 +52,7 @@ type OIDCClientSpec struct { // if their group membership is discoverable by the Supervisor. // Without the groups scope being requested and allowed, the ID token will not contain groups. // +kubebuilder:validation:MinItems=1 - AllowedScopes []string `json:"allowedScopes"` + AllowedScopes []Scope `json:"allowedScopes"` } // OIDCClientStatus is a struct that describes the actual state of an OIDC Client. diff --git a/generated/1.19/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go b/generated/1.19/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go index cb35cea5..1aba8aea 100644 --- a/generated/1.19/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go +++ b/generated/1.19/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go @@ -83,12 +83,12 @@ func (in *OIDCClientSpec) DeepCopyInto(out *OIDCClientSpec) { } if in.AllowedGrantTypes != nil { in, out := &in.AllowedGrantTypes, &out.AllowedGrantTypes - *out = make([]string, len(*in)) + *out = make([]GrantType, len(*in)) copy(*out, *in) } if in.AllowedScopes != nil { in, out := &in.AllowedScopes, &out.AllowedScopes - *out = make([]string, len(*in)) + *out = make([]Scope, len(*in)) copy(*out, *in) } return diff --git a/generated/1.19/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml b/generated/1.19/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml index 802234ed..589a9154 100644 --- a/generated/1.19/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml 
+++ b/generated/1.19/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml @@ -54,6 +54,10 @@ spec: step in the process to be able to get a cluster credential for the user. This grant must be listed if allowedScopes lists pinniped:request-audience." items: + enum: + - authorization_code + - refresh_token + - urn:ietf:params:oauth:grant-type:token-exchange type: string minItems: 1 type: array @@ -89,6 +93,12 @@ spec: the groups scope being requested and allowed, the ID token will not contain groups." items: + enum: + - openid + - offline_access + - username + - groups + - pinniped:request-audience type: string minItems: 1 type: array diff --git a/generated/1.20/README.adoc b/generated/1.20/README.adoc index eb390ef4..26266ced 100644 --- a/generated/1.20/README.adoc +++ b/generated/1.20/README.adoc 
@@ -1377,9 +1377,9 @@ OIDCClientSpec is a struct that describes an OIDC Client. |=== | Field | Description | *`allowedRedirectURIs`* __string array__ | allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this client. Any other uris will be rejected. Must be https, unless it is a loopback. -| *`allowedGrantTypes`* __string array__ | allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this client. +| *`allowedGrantTypes`* __GrantType array__ | allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this client. Must only contain the following values: - authorization_code: allows the client to perform the authorization code grant flow, i.e. allows the webapp to authenticate users. This grant must always be listed. - refresh_token: allows the client to perform refresh grants for the user to extend the user's session. This grant must be listed if allowedScopes lists offline_access. - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. This grant must be listed if allowedScopes lists pinniped:request-audience. -| *`allowedScopes`* __string array__ | allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. +| *`allowedScopes`* __Scope array__ | allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. Must only contain the following values: - openid: The client is allowed to request ID tokens. ID tokens only include the required claims by default (iss, sub, aud, exp, iat). This scope must always be listed. - offline_access: The client is allowed to request an initial refresh token during the authorization code grant flow. 
This scope must be listed if allowedGrantTypes lists refresh_token. - pinniped:request-audience: The client is allowed to request a new audience value during a RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. openid, username and groups scopes must be listed when this scope is present. This scope must be listed if allowedGrantTypes lists urn:ietf:params:oauth:grant-type:token-exchange. - username: The client is allowed to request that ID tokens contain the user's username. Without the username scope being requested and allowed, the ID token will not contain the user's username. - groups: The client is allowed to request that ID tokens contain the user's group membership, if their group membership is discoverable by the Supervisor. Without the groups scope being requested and allowed, the ID token will not contain groups. |=== diff --git a/generated/1.20/apis/supervisor/oauth/v1alpha1/types_oidcclient.go b/generated/1.20/apis/supervisor/oauth/v1alpha1/types_oidcclient.go index b4aaf275..e905c61a 100644 --- a/generated/1.20/apis/supervisor/oauth/v1alpha1/types_oidcclient.go +++ b/generated/1.20/apis/supervisor/oauth/v1alpha1/types_oidcclient.go @@ -7,6 +7,12 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" ) +// +kubebuilder:validation:Enum="authorization_code";"refresh_token";"urn:ietf:params:oauth:grant-type:token-exchange" +type GrantType string + +// +kubebuilder:validation:Enum="openid";"offline_access";"username";"groups";"pinniped:request-audience" +type Scope string + // OIDCClientSpec is a struct that describes an OIDC Client. type OIDCClientSpec struct { // allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this 
@@ -27,7 +33,7 @@ type OIDCClientSpec struct { // which is a step in the process to be able to get a cluster credential for the user. // This grant must be listed if allowedScopes lists pinniped:request-audience. // +kubebuilder:validation:MinItems=1 - AllowedGrantTypes []string `json:"allowedGrantTypes"` + AllowedGrantTypes []GrantType `json:"allowedGrantTypes"` // allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. // @@ -46,7 +52,7 @@ type OIDCClientSpec struct { // if their group membership is discoverable by the Supervisor. // Without the groups scope being requested and allowed, the ID token will not contain groups. // +kubebuilder:validation:MinItems=1 - AllowedScopes []string `json:"allowedScopes"` + AllowedScopes []Scope `json:"allowedScopes"` } // OIDCClientStatus is a struct that describes the actual state of an OIDC Client. diff --git a/generated/1.20/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go b/generated/1.20/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go index cb35cea5..1aba8aea 100644 --- a/generated/1.20/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go +++ b/generated/1.20/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go @@ -83,12 +83,12 @@ func (in *OIDCClientSpec) DeepCopyInto(out *OIDCClientSpec) { } if in.AllowedGrantTypes != nil { in, out := &in.AllowedGrantTypes, &out.AllowedGrantTypes - *out = make([]string, len(*in)) + *out = make([]GrantType, len(*in)) copy(*out, *in) } if in.AllowedScopes != nil { in, out := &in.AllowedScopes, &out.AllowedScopes - *out = make([]string, len(*in)) + *out = make([]Scope, len(*in)) copy(*out, *in) } return diff --git a/generated/1.20/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml b/generated/1.20/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml index 802234ed..589a9154 100644 --- a/generated/1.20/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml 
+++ b/generated/1.20/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml @@ -54,6 +54,10 @@ spec: step in the process to be able to get a cluster credential for the user. This grant must be listed if allowedScopes lists pinniped:request-audience." items: + enum: + - authorization_code + - refresh_token + - urn:ietf:params:oauth:grant-type:token-exchange type: string minItems: 1 type: array @@ -89,6 +93,12 @@ spec: the groups scope being requested and allowed, the ID token will not contain groups." items: + enum: + - openid + - offline_access + - username + - groups + - pinniped:request-audience type: string minItems: 1 type: array diff --git a/generated/1.21/README.adoc b/generated/1.21/README.adoc index 92407eff..d6feec77 100644 --- a/generated/1.21/README.adoc +++ b/generated/1.21/README.adoc 
@@ -1377,9 +1377,9 @@ OIDCClientSpec is a struct that describes an OIDC Client. |=== | Field | Description | *`allowedRedirectURIs`* __string array__ | allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this client. Any other uris will be rejected. Must be https, unless it is a loopback. -| *`allowedGrantTypes`* __string array__ | allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this client. +| *`allowedGrantTypes`* __GrantType array__ | allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this client. Must only contain the following values: - authorization_code: allows the client to perform the authorization code grant flow, i.e. allows the webapp to authenticate users. This grant must always be listed. - refresh_token: allows the client to perform refresh grants for the user to extend the user's session. This grant must be listed if allowedScopes lists offline_access. - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. This grant must be listed if allowedScopes lists pinniped:request-audience. -| *`allowedScopes`* __string array__ | allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. +| *`allowedScopes`* __Scope array__ | allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. Must only contain the following values: - openid: The client is allowed to request ID tokens. ID tokens only include the required claims by default (iss, sub, aud, exp, iat). This scope must always be listed. - offline_access: The client is allowed to request an initial refresh token during the authorization code grant flow. 
This scope must be listed if allowedGrantTypes lists refresh_token. - pinniped:request-audience: The client is allowed to request a new audience value during a RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. openid, username and groups scopes must be listed when this scope is present. This scope must be listed if allowedGrantTypes lists urn:ietf:params:oauth:grant-type:token-exchange. - username: The client is allowed to request that ID tokens contain the user's username. Without the username scope being requested and allowed, the ID token will not contain the user's username. - groups: The client is allowed to request that ID tokens contain the user's group membership, if their group membership is discoverable by the Supervisor. Without the groups scope being requested and allowed, the ID token will not contain groups. |=== diff --git a/generated/1.21/apis/supervisor/oauth/v1alpha1/types_oidcclient.go b/generated/1.21/apis/supervisor/oauth/v1alpha1/types_oidcclient.go index b4aaf275..e905c61a 100644 --- a/generated/1.21/apis/supervisor/oauth/v1alpha1/types_oidcclient.go +++ b/generated/1.21/apis/supervisor/oauth/v1alpha1/types_oidcclient.go @@ -7,6 +7,12 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" ) +// +kubebuilder:validation:Enum="authorization_code";"refresh_token";"urn:ietf:params:oauth:grant-type:token-exchange" +type GrantType string + +// +kubebuilder:validation:Enum="openid";"offline_access";"username";"groups";"pinniped:request-audience" +type Scope string + // OIDCClientSpec is a struct that describes an OIDC Client. type OIDCClientSpec struct { // allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this 
@@ -27,7 +33,7 @@ type OIDCClientSpec struct { // which is a step in the process to be able to get a cluster credential for the user. // This grant must be listed if allowedScopes lists pinniped:request-audience. // +kubebuilder:validation:MinItems=1 - AllowedGrantTypes []string `json:"allowedGrantTypes"` + AllowedGrantTypes []GrantType `json:"allowedGrantTypes"` // allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. // @@ -46,7 +52,7 @@ type OIDCClientSpec struct { // if their group membership is discoverable by the Supervisor. // Without the groups scope being requested and allowed, the ID token will not contain groups. // +kubebuilder:validation:MinItems=1 - AllowedScopes []string `json:"allowedScopes"` + AllowedScopes []Scope `json:"allowedScopes"` } // OIDCClientStatus is a struct that describes the actual state of an OIDC Client. diff --git a/generated/1.21/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go b/generated/1.21/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go index cb35cea5..1aba8aea 100644 --- a/generated/1.21/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go +++ b/generated/1.21/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go @@ -83,12 +83,12 @@ func (in *OIDCClientSpec) DeepCopyInto(out *OIDCClientSpec) { } if in.AllowedGrantTypes != nil { in, out := &in.AllowedGrantTypes, &out.AllowedGrantTypes - *out = make([]string, len(*in)) + *out = make([]GrantType, len(*in)) copy(*out, *in) } if in.AllowedScopes != nil { in, out := &in.AllowedScopes, &out.AllowedScopes - *out = make([]string, len(*in)) + *out = make([]Scope, len(*in)) copy(*out, *in) } return diff --git a/generated/1.21/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml b/generated/1.21/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml index 802234ed..589a9154 100644 --- a/generated/1.21/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml 
+++ b/generated/1.21/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml @@ -54,6 +54,10 @@ spec: step in the process to be able to get a cluster credential for the user. This grant must be listed if allowedScopes lists pinniped:request-audience." items: + enum: + - authorization_code + - refresh_token + - urn:ietf:params:oauth:grant-type:token-exchange type: string minItems: 1 type: array @@ -89,6 +93,12 @@ spec: the groups scope being requested and allowed, the ID token will not contain groups." items: + enum: + - openid + - offline_access + - username + - groups + - pinniped:request-audience type: string minItems: 1 type: array diff --git a/generated/1.22/README.adoc b/generated/1.22/README.adoc index 6a1281fb..5d37f884 100644 --- a/generated/1.22/README.adoc +++ b/generated/1.22/README.adoc 
@@ -1377,9 +1377,9 @@ OIDCClientSpec is a struct that describes an OIDC Client. |=== | Field | Description | *`allowedRedirectURIs`* __string array__ | allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this client. Any other uris will be rejected. Must be https, unless it is a loopback. -| *`allowedGrantTypes`* __string array__ | allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this client. +| *`allowedGrantTypes`* __GrantType array__ | allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this client. Must only contain the following values: - authorization_code: allows the client to perform the authorization code grant flow, i.e. allows the webapp to authenticate users. This grant must always be listed. - refresh_token: allows the client to perform refresh grants for the user to extend the user's session. This grant must be listed if allowedScopes lists offline_access. - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. This grant must be listed if allowedScopes lists pinniped:request-audience. -| *`allowedScopes`* __string array__ | allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. +| *`allowedScopes`* __Scope array__ | allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. Must only contain the following values: - openid: The client is allowed to request ID tokens. ID tokens only include the required claims by default (iss, sub, aud, exp, iat). This scope must always be listed. - offline_access: The client is allowed to request an initial refresh token during the authorization code grant flow. 
This scope must be listed if allowedGrantTypes lists refresh_token. - pinniped:request-audience: The client is allowed to request a new audience value during a RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. openid, username and groups scopes must be listed when this scope is present. This scope must be listed if allowedGrantTypes lists urn:ietf:params:oauth:grant-type:token-exchange. - username: The client is allowed to request that ID tokens contain the user's username. Without the username scope being requested and allowed, the ID token will not contain the user's username. - groups: The client is allowed to request that ID tokens contain the user's group membership, if their group membership is discoverable by the Supervisor. Without the groups scope being requested and allowed, the ID token will not contain groups. |=== diff --git a/generated/1.22/apis/supervisor/oauth/v1alpha1/types_oidcclient.go b/generated/1.22/apis/supervisor/oauth/v1alpha1/types_oidcclient.go index b4aaf275..e905c61a 100644 --- a/generated/1.22/apis/supervisor/oauth/v1alpha1/types_oidcclient.go +++ b/generated/1.22/apis/supervisor/oauth/v1alpha1/types_oidcclient.go @@ -7,6 +7,12 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" ) +// +kubebuilder:validation:Enum="authorization_code";"refresh_token";"urn:ietf:params:oauth:grant-type:token-exchange" +type GrantType string + +// +kubebuilder:validation:Enum="openid";"offline_access";"username";"groups";"pinniped:request-audience" +type Scope string + // OIDCClientSpec is a struct that describes an OIDC Client. type OIDCClientSpec struct { // allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this 
@@ -27,7 +33,7 @@ type OIDCClientSpec struct { // which is a step in the process to be able to get a cluster credential for the user. // This grant must be listed if allowedScopes lists pinniped:request-audience. // +kubebuilder:validation:MinItems=1 - AllowedGrantTypes []string `json:"allowedGrantTypes"` + AllowedGrantTypes []GrantType `json:"allowedGrantTypes"` // allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. // @@ -46,7 +52,7 @@ type OIDCClientSpec struct { // if their group membership is discoverable by the Supervisor. // Without the groups scope being requested and allowed, the ID token will not contain groups. // +kubebuilder:validation:MinItems=1 - AllowedScopes []string `json:"allowedScopes"` + AllowedScopes []Scope `json:"allowedScopes"` } // OIDCClientStatus is a struct that describes the actual state of an OIDC Client. diff --git a/generated/1.22/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go b/generated/1.22/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go index cb35cea5..1aba8aea 100644 --- a/generated/1.22/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go +++ b/generated/1.22/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go @@ -83,12 +83,12 @@ func (in *OIDCClientSpec) DeepCopyInto(out *OIDCClientSpec) { } if in.AllowedGrantTypes != nil { in, out := &in.AllowedGrantTypes, &out.AllowedGrantTypes - *out = make([]string, len(*in)) + *out = make([]GrantType, len(*in)) copy(*out, *in) } if in.AllowedScopes != nil { in, out := &in.AllowedScopes, &out.AllowedScopes - *out = make([]string, len(*in)) + *out = make([]Scope, len(*in)) copy(*out, *in) } return diff --git a/generated/1.22/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml b/generated/1.22/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml index 802234ed..589a9154 100644 --- a/generated/1.22/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml 
+++ b/generated/1.22/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml @@ -54,6 +54,10 @@ spec: step in the process to be able to get a cluster credential for the user. This grant must be listed if allowedScopes lists pinniped:request-audience." items: + enum: + - authorization_code + - refresh_token + - urn:ietf:params:oauth:grant-type:token-exchange type: string minItems: 1 type: array @@ -89,6 +93,12 @@ spec: the groups scope being requested and allowed, the ID token will not contain groups." items: + enum: + - openid + - offline_access + - username + - groups + - pinniped:request-audience type: string minItems: 1 type: array diff --git a/generated/1.23/README.adoc b/generated/1.23/README.adoc index 80a89a56..9f71c489 100644 --- a/generated/1.23/README.adoc +++ b/generated/1.23/README.adoc 
@@ -1377,9 +1377,9 @@ OIDCClientSpec is a struct that describes an OIDC Client. |=== | Field | Description | *`allowedRedirectURIs`* __string array__ | allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this client. Any other uris will be rejected. Must be https, unless it is a loopback. -| *`allowedGrantTypes`* __string array__ | allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this client. +| *`allowedGrantTypes`* __GrantType array__ | allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this client. Must only contain the following values: - authorization_code: allows the client to perform the authorization code grant flow, i.e. allows the webapp to authenticate users. This grant must always be listed. - refresh_token: allows the client to perform refresh grants for the user to extend the user's session. This grant must be listed if allowedScopes lists offline_access. - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. This grant must be listed if allowedScopes lists pinniped:request-audience. -| *`allowedScopes`* __string array__ | allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. +| *`allowedScopes`* __Scope array__ | allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. Must only contain the following values: - openid: The client is allowed to request ID tokens. ID tokens only include the required claims by default (iss, sub, aud, exp, iat). This scope must always be listed. - offline_access: The client is allowed to request an initial refresh token during the authorization code grant flow. 
This scope must be listed if allowedGrantTypes lists refresh_token. - pinniped:request-audience: The client is allowed to request a new audience value during a RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. openid, username and groups scopes must be listed when this scope is present. This scope must be listed if allowedGrantTypes lists urn:ietf:params:oauth:grant-type:token-exchange. - username: The client is allowed to request that ID tokens contain the user's username. Without the username scope being requested and allowed, the ID token will not contain the user's username. - groups: The client is allowed to request that ID tokens contain the user's group membership, if their group membership is discoverable by the Supervisor. Without the groups scope being requested and allowed, the ID token will not contain groups. |=== diff --git a/generated/1.23/apis/supervisor/oauth/v1alpha1/types_oidcclient.go b/generated/1.23/apis/supervisor/oauth/v1alpha1/types_oidcclient.go index b4aaf275..e905c61a 100644 --- a/generated/1.23/apis/supervisor/oauth/v1alpha1/types_oidcclient.go +++ b/generated/1.23/apis/supervisor/oauth/v1alpha1/types_oidcclient.go @@ -7,6 +7,12 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" ) +// +kubebuilder:validation:Enum="authorization_code";"refresh_token";"urn:ietf:params:oauth:grant-type:token-exchange" +type GrantType string + +// +kubebuilder:validation:Enum="openid";"offline_access";"username";"groups";"pinniped:request-audience" +type Scope string + // OIDCClientSpec is a struct that describes an OIDC Client. type OIDCClientSpec struct { // allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this 
@@ -27,7 +33,7 @@ type OIDCClientSpec struct { // which is a step in the process to be able to get a cluster credential for the user. // This grant must be listed if allowedScopes lists pinniped:request-audience. // +kubebuilder:validation:MinItems=1 - AllowedGrantTypes []string `json:"allowedGrantTypes"` + AllowedGrantTypes []GrantType `json:"allowedGrantTypes"` // allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. // @@ -46,7 +52,7 @@ type OIDCClientSpec struct { // if their group membership is discoverable by the Supervisor. // Without the groups scope being requested and allowed, the ID token will not contain groups. // +kubebuilder:validation:MinItems=1 - AllowedScopes []string `json:"allowedScopes"` + AllowedScopes []Scope `json:"allowedScopes"` } // OIDCClientStatus is a struct that describes the actual state of an OIDC Client. diff --git a/generated/1.23/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go b/generated/1.23/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go index cb35cea5..1aba8aea 100644 --- a/generated/1.23/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go +++ b/generated/1.23/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go @@ -83,12 +83,12 @@ func (in *OIDCClientSpec) DeepCopyInto(out *OIDCClientSpec) { } if in.AllowedGrantTypes != nil { in, out := &in.AllowedGrantTypes, &out.AllowedGrantTypes - *out = make([]string, len(*in)) + *out = make([]GrantType, len(*in)) copy(*out, *in) } if in.AllowedScopes != nil { in, out := &in.AllowedScopes, &out.AllowedScopes - *out = make([]string, len(*in)) + *out = make([]Scope, len(*in)) copy(*out, *in) } return diff --git a/generated/1.23/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml b/generated/1.23/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml index 802234ed..589a9154 100644 --- a/generated/1.23/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml 
+++ b/generated/1.23/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml @@ -54,6 +54,10 @@ spec: step in the process to be able to get a cluster credential for the user. This grant must be listed if allowedScopes lists pinniped:request-audience." items: + enum: + - authorization_code + - refresh_token + - urn:ietf:params:oauth:grant-type:token-exchange type: string minItems: 1 type: array @@ -89,6 +93,12 @@ spec: the groups scope being requested and allowed, the ID token will not contain groups." items: + enum: + - openid + - offline_access + - username + - groups + - pinniped:request-audience type: string minItems: 1 type: array diff --git a/generated/latest/apis/supervisor/oauth/v1alpha1/types_oidcclient.go b/generated/latest/apis/supervisor/oauth/v1alpha1/types_oidcclient.go index b4aaf275..e905c61a 100644 --- a/generated/latest/apis/supervisor/oauth/v1alpha1/types_oidcclient.go +++ b/generated/latest/apis/supervisor/oauth/v1alpha1/types_oidcclient.go @@ -7,6 +7,12 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" ) +// +kubebuilder:validation:Enum="authorization_code";"refresh_token";"urn:ietf:params:oauth:grant-type:token-exchange" +type GrantType string + +// +kubebuilder:validation:Enum="openid";"offline_access";"username";"groups";"pinniped:request-audience" +type Scope string + // OIDCClientSpec is a struct that describes an OIDC Client. type OIDCClientSpec struct { // allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this 
@@ -27,7 +33,7 @@ type OIDCClientSpec struct { // which is a step in the process to be able to get a cluster credential for the user. // This grant must be listed if allowedScopes lists pinniped:request-audience. // +kubebuilder:validation:MinItems=1 - AllowedGrantTypes []string `json:"allowedGrantTypes"` + AllowedGrantTypes []GrantType `json:"allowedGrantTypes"` // allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. // @@ -46,7 +52,7 @@ type OIDCClientSpec struct { // if their group membership is discoverable by the Supervisor. // Without the groups scope being requested and allowed, the ID token will not contain groups. // +kubebuilder:validation:MinItems=1 - AllowedScopes []string `json:"allowedScopes"` + AllowedScopes []Scope `json:"allowedScopes"` } // OIDCClientStatus is a struct that describes the actual state of an OIDC Client. diff --git a/generated/latest/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go b/generated/latest/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go index cb35cea5..1aba8aea 100644 --- a/generated/latest/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go +++ b/generated/latest/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go @@ -83,12 +83,12 @@ func (in *OIDCClientSpec) DeepCopyInto(out *OIDCClientSpec) { } if in.AllowedGrantTypes != nil { in, out := &in.AllowedGrantTypes, &out.AllowedGrantTypes - *out = make([]string, len(*in)) + *out = make([]GrantType, len(*in)) copy(*out, *in) } if in.AllowedScopes != nil { in, out := &in.AllowedScopes, &out.AllowedScopes - *out = make([]string, len(*in)) + *out = make([]Scope, len(*in)) copy(*out, *in) } return From ea45e5dfef0f3c2224be67c3a9740d745690f96d Mon Sep 17 00:00:00 2001 
From: Ryan Richard Date: Tue, 7 Jun 2022 16:32:19 -0700 Subject: [PATCH 06/61] Disallow certain requested audience strings in token exchange --- internal/oidc/token/token_handler_test.go | 21 ++++++ internal/oidc/token_exchange.go | 21 +++++- test/integration/supervisor_login_test.go | 80 +++++++++++++++++++++-- 3 files changed, 116 insertions(+), 6 deletions(-) diff --git a/internal/oidc/token/token_handler_test.go b/internal/oidc/token/token_handler_test.go index ea0d9290..e3d70952 100644 --- a/internal/oidc/token/token_handler_test.go +++ b/internal/oidc/token/token_handler_test.go @@ -666,6 +666,27 @@ func TestTokenEndpointTokenExchange(t *testing.T) { // tests for grant_type "urn wantStatus: http.StatusBadRequest, wantResponseBodyContains: "missing audience parameter", }, + { + name: "bad requested audience when it looks like the name of an OIDCClient CR", + authcodeExchange: doValidAuthCodeExchange, + requestedAudience: "client.oauth.pinniped.dev-some-client-abc123", + wantStatus: http.StatusBadRequest, + wantResponseBodyContains: "requested audience cannot contain '.oauth.pinniped.dev'", + }, + { + name: "bad requested audience when it contains the substring .oauth.pinniped.dev because it is reserved for potential future usage", + authcodeExchange: doValidAuthCodeExchange, + requestedAudience: "something.oauth.pinniped.dev/some_aud", + wantStatus: http.StatusBadRequest, + wantResponseBodyContains: "requested audience cannot contain '.oauth.pinniped.dev'", + }, + { + name: "bad requested audience when it is the same name as the static public client pinniped-cli", + authcodeExchange: doValidAuthCodeExchange, + requestedAudience: "pinniped-cli", + wantStatus: http.StatusBadRequest, + wantResponseBodyContains: "requested audience cannot equal 'pinniped-cli'", + }, { name: "missing subject_token", authcodeExchange: doValidAuthCodeExchange, diff --git a/internal/oidc/token_exchange.go b/internal/oidc/token_exchange.go index d6dc2d29..94c37c74 100644 
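Review bot: All three new cases exercise only the rejection side of the reserved-audience rule, and nothing in the table pins what the rule deliberately accepts, so the boundary drawn by the `.oauth.pinniped.dev` substring check (leading dot required) and the exact-match `pinniped-cli` check is left undocumented here. Worth adding cases whose audiences are the bare API group `oauth.pinniped.dev` and a name such as `pinniped-cli-cluster`, both expected to succeed the same way the existing happy-path case does, so a later change to the rule's shape is caught by this table. TestTokenEndpointTokenExchange begins before this hunk.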
--- a/internal/oidc/token_exchange.go +++ b/internal/oidc/token_exchange.go @@ -1,4 +1,4 @@ -// Copyright 2020 the Pinniped contributors. All Rights Reserved. +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 package oidc @@ -6,6 +6,7 @@ package oidc import ( "context" "net/url" + "strings" "github.com/coreos/go-oidc/v3/oidc" "github.com/ory/fosite" @@ -127,6 +128,24 @@ func (t *TokenExchangeHandler) validateParams(params url.Values) (*stsParams, er } } + // Validate that the requested audience is not one of the reserved strings. All possible requested audience strings + // are subdivided into these classifications: + // 1. pinniped-cli is reserved for the statically defined OAuth client, which is disallowed for this token exchange. + // 2. clients.oauth.pinniped.dev-* is reserved to be the names of user-defined dynamic OAuth clients, which is also + // disallowed for this token exchange. + // 3. Anything else matching *.oauth.pinniped.dev* is reserved for future use, in case we want to create more + // buckets of names some day, e.g. something.oauth.pinniped.dev/*. These names are also disallowed for this + // token exchange. + // 4. Any other string is reserved to conceptually mean the name of a workload cluster (technically, it's the + // configured audience of its Concierge JWTAuthenticator or other OIDC JWT validator). These are the only + // allowed values for this token exchange. + if strings.Contains(result.requestedAudience, ".oauth.pinniped.dev") { + return nil, fosite.ErrInvalidRequest.WithHintf("requested audience cannot contain '.oauth.pinniped.dev'") + } + if result.requestedAudience == "pinniped-cli" { + return nil, fosite.ErrInvalidRequest.WithHintf("requested audience cannot equal 'pinniped-cli'") + } + return &result, nil } diff --git a/test/integration/supervisor_login_test.go b/test/integration/supervisor_login_test.go index 3713175a..6ccae9a3 100644 
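Review bot: The new comment describes the dynamic client names as `clients.oauth.pinniped.dev-*`, but the test data added in token_handler_test.go in this same patch uses `client.oauth.pinniped.dev-some-client-abc123`; one of them is wrong, and since the comment is what the next maintainer will trust when deciding what the `.oauth.pinniped.dev` substring check must keep covering, it should be reconciled with the actual naming prefix. Separately, both new rejections call `WithHintf` with a constant message and no arguments, so `fosite.ErrInvalidRequest.WithHint("requested audience cannot contain '.oauth.pinniped.dev'")` is the more precise call. validateParams begins before this hunk.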
--- a/test/integration/supervisor_login_test.go +++ b/test/integration/supervisor_login_test.go @@ -167,12 +167,14 @@ func TestSupervisorLogin_Browser(t *testing.T) { deleteTestUser func(t *testing.T, username string) requestAuthorization func(t *testing.T, downstreamIssuer, downstreamAuthorizeURL, downstreamCallbackURL, username, password string, httpClient *http.Client) createIDP func(t *testing.T) string + requestTokenExchangeAud string wantLocalhostCallbackToNeverHappen bool wantDownstreamIDTokenSubjectToMatch string wantDownstreamIDTokenUsernameToMatch func(username string) string wantDownstreamIDTokenGroups []string wantErrorDescription string wantErrorType string + wantTokenExchangeResponse func(t *testing.T, status int, body string) // Either revoke the user's session on the upstream provider, or manipulate the user's session // data in such a way that it should cause the next upstream refresh attempt to fail. 
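Review bot: The two new fields are undocumented, and their zero-value meaning is only discoverable further down in testSupervisorLogin and doTokenExchange, where an empty `requestTokenExchangeAud` is replaced by a default audience and a nil `wantTokenExchangeResponse` means a successful exchange is expected. Trailing comments on the field lines would save readers of the test table that trip: `requestTokenExchangeAud string // empty means use the default test audience` and `wantTokenExchangeResponse func(t *testing.T, status int, body string) // nil means expect a successful exchange`. The struct these fields belong to begins before this hunk.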
@@ -1115,6 +1117,48 @@ func TestSupervisorLogin_Browser(t *testing.T) { }, wantDownstreamIDTokenGroups: env.SupervisorUpstreamLDAP.TestUserDirectGroupsDNs, }, + { + name: "disallowed requested audience using reserved substring on token exchange results in token exchange error", + maybeSkip: skipNever, + createIDP: func(t *testing.T) string { + return testlib.CreateTestOIDCIdentityProvider(t, basicOIDCIdentityProviderSpec(), idpv1alpha1.PhaseReady).Name + }, + requestAuthorization: requestAuthorizationUsingBrowserAuthcodeFlowOIDC, + requestTokenExchangeAud: "contains-disallowed-substring.oauth.pinniped.dev-something", // .oauth.pinniped.dev substring is not allowed + // the ID token Subject should include the upstream user ID after the upstream issuer name + wantDownstreamIDTokenSubjectToMatch: "^" + regexp.QuoteMeta(env.SupervisorUpstreamOIDC.Issuer+"?sub=") + ".+", + // the ID token Username should include the upstream user ID after the upstream issuer name + wantDownstreamIDTokenUsernameToMatch: func(_ string) string { return "^" + regexp.QuoteMeta(env.SupervisorUpstreamOIDC.Issuer+"?sub=") + ".+" }, + wantTokenExchangeResponse: func(t *testing.T, status int, body string) { + require.Equal(t, http.StatusBadRequest, status) + require.Equal(t, + `{"error":"invalid_request","error_description":"The request is missing a required parameter, `+ + `includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed. 
`+ + `requested audience cannot contain '.oauth.pinniped.dev'"}`, + body) + }, + }, + { + name: "disallowed requested audience pinniped-cli on token exchange results in token exchange error", + maybeSkip: skipNever, + createIDP: func(t *testing.T) string { + return testlib.CreateTestOIDCIdentityProvider(t, basicOIDCIdentityProviderSpec(), idpv1alpha1.PhaseReady).Name + }, + requestAuthorization: requestAuthorizationUsingBrowserAuthcodeFlowOIDC, + requestTokenExchangeAud: "pinniped-cli", // pinniped-cli is not allowed + // the ID token Subject should include the upstream user ID after the upstream issuer name + wantDownstreamIDTokenSubjectToMatch: "^" + regexp.QuoteMeta(env.SupervisorUpstreamOIDC.Issuer+"?sub=") + ".+", + // the ID token Username should include the upstream user ID after the upstream issuer name + wantDownstreamIDTokenUsernameToMatch: func(_ string) string { return "^" + regexp.QuoteMeta(env.SupervisorUpstreamOIDC.Issuer+"?sub=") + ".+" }, + wantTokenExchangeResponse: func(t *testing.T, status int, body string) { + require.Equal(t, http.StatusBadRequest, status) + require.Equal(t, + `{"error":"invalid_request","error_description":"The request is missing a required parameter, `+ + `includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed. `+ + `requested audience cannot equal 'pinniped-cli'"}`, + body) + }, + }, } for _, test := range tests { tt := test @@ -1128,12 +1172,14 @@ func TestSupervisorLogin_Browser(t *testing.T) { tt.breakRefreshSessionData, tt.createTestUser, tt.deleteTestUser, + tt.requestTokenExchangeAud, tt.wantLocalhostCallbackToNeverHappen, tt.wantDownstreamIDTokenSubjectToMatch, tt.wantDownstreamIDTokenUsernameToMatch, tt.wantDownstreamIDTokenGroups, tt.wantErrorDescription, tt.wantErrorType, + tt.wantTokenExchangeResponse, ) }) } 
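Review bot: Both new table entries assert the complete response body byte-for-byte, including fosite's generic invalid_request description, so a wording change in a fosite upgrade fails these integration tests even though the Supervisor's own behaviour is unchanged. The unit tests in token_handler_test.go in this same patch check only that the body contains the hint; asserting `require.Contains(t, body, "requested audience cannot contain '.oauth.pinniped.dev'")` (and the pinniped-cli equivalent) alongside the status check would keep the intent while dropping the dependency on fosite's prose. The tests table begins before this hunk.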
@@ -1265,12 +1311,14 @@ func testSupervisorLogin( breakRefreshSessionData func(t *testing.T, pinnipedSession *psession.PinnipedSession, idpName, username string), createTestUser func(t *testing.T) (string, string), deleteTestUser func(t *testing.T, username string), + requestTokenExchangeAud string, wantLocalhostCallbackToNeverHappen bool, wantDownstreamIDTokenSubjectToMatch string, wantDownstreamIDTokenUsernameToMatch func(username string) string, wantDownstreamIDTokenGroups []string, wantErrorDescription string, wantErrorType string, + wantTokenExchangeResponse func(t *testing.T, status int, body string), ) { env := testlib.IntegrationEnv(t) @@ -1438,7 +1486,10 @@ func testSupervisorLogin( expectedIDTokenClaims, wantDownstreamIDTokenSubjectToMatch, wantDownstreamIDTokenUsernameToMatch(username), wantDownstreamIDTokenGroups) // token exchange on the original token - doTokenExchange(t, &downstreamOAuth2Config, tokenResponse, httpClient, discovery) + if requestTokenExchangeAud == "" { + requestTokenExchangeAud = "some-cluster-123" // use a default test value + } + doTokenExchange(t, requestTokenExchangeAud, &downstreamOAuth2Config, tokenResponse, httpClient, discovery, wantTokenExchangeResponse) refreshedGroups := wantDownstreamIDTokenGroups if editRefreshSessionDataWithoutBreaking != nil { @@ -1479,7 +1530,7 @@ func testSupervisorLogin( require.NotEqual(t, tokenResponse.Extra("id_token"), refreshedTokenResponse.Extra("id_token")) // token exchange on the refreshed token - doTokenExchange(t, &downstreamOAuth2Config, refreshedTokenResponse, httpClient, discovery) + doTokenExchange(t, requestTokenExchangeAud, &downstreamOAuth2Config, refreshedTokenResponse, httpClient, discovery, wantTokenExchangeResponse) // Now that we have successfully performed a refresh, let's test what happens when an // upstream refresh fails during the next downstream refresh. 
@@ -1768,14 +1819,22 @@ func (s *localCallbackServer) waitForCallback(timeout time.Duration) (*http.Requ } } -func doTokenExchange(t *testing.T, config *oauth2.Config, tokenResponse *oauth2.Token, httpClient *http.Client, provider *coreosoidc.Provider) { +func doTokenExchange( + t *testing.T, + requestTokenExchangeAud string, + config *oauth2.Config, + tokenResponse *oauth2.Token, + httpClient *http.Client, + provider *coreosoidc.Provider, + wantTokenExchangeResponse func(t *testing.T, status int, body string), +) { ctx, cancel := context.WithTimeout(context.Background(), time.Minute) defer cancel() // Form the HTTP POST request with the parameters specified by RFC8693. reqBody := strings.NewReader(url.Values{ "grant_type": []string{"urn:ietf:params:oauth:grant-type:token-exchange"}, - "audience": []string{"cluster-1234"}, + "audience": []string{requestTokenExchangeAud}, "client_id": []string{config.ClientID}, "subject_token": []string{tokenResponse.AccessToken}, "subject_token_type": []string{"urn:ietf:params:oauth:token-type:access_token"}, @@ -1787,7 +1846,18 @@ func doTokenExchange(t *testing.T, config *oauth2.Config, tokenResponse *oauth2. resp, err := httpClient.Do(req) require.NoError(t, err) + + // If a function was passed, call it, so it can make the desired assertions. + if wantTokenExchangeResponse != nil { + body, err := ioutil.ReadAll(resp.Body) + require.NoError(t, err) + wantTokenExchangeResponse(t, resp.StatusCode, string(body)) + return // the above call should have made all desired assertions about the response, so return + } + + // Else, want a successful response. require.Equal(t, resp.StatusCode, http.StatusOK) + defer func() { _ = resp.Body.Close() }() var respBody struct { AccessToken string `json:"access_token"` 
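Review bot: In the second hunk the new early-return branch reads `resp.Body` with `ioutil.ReadAll` and returns without closing it, and the `defer func() { _ = resp.Body.Close() }()` is added only after `require.Equal(t, resp.StatusCode, http.StatusOK)`, so the body is also left open when that assertion fails. Moving the defer to directly after the `require.NoError(t, err)` that follows `httpClient.Do(req)` closes it on every path. `ioutil.ReadAll` has been deprecated since Go 1.16 in favour of `io.ReadAll`, if the module's Go version allows the switch. doTokenExchange continues past this hunk.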
@@ -1796,7 +1866,7 @@ func doTokenExchange(t *testing.T, config *oauth2.Config, tokenResponse *oauth2. } require.NoError(t, json.NewDecoder(resp.Body).Decode(&respBody)) - var clusterVerifier = provider.Verifier(&coreosoidc.Config{ClientID: "cluster-1234"}) + var clusterVerifier = provider.Verifier(&coreosoidc.Config{ClientID: requestTokenExchangeAud}) exchangedToken, err := clusterVerifier.Verify(ctx, respBody.AccessToken) require.NoError(t, err) From 77f37b5a573bc418cfe2599df59e357cae99cf68 Mon Sep 17 00:00:00 2001 
From: Ryan Richard Date: Wed, 8 Jun 2022 09:41:35 -0700 Subject: [PATCH 07/61] run codegen --- generated/1.17/README.adoc | 4 +- generated/1.18/README.adoc | 4 +- generated/1.19/README.adoc | 4 +- generated/1.20/README.adoc | 4 +- generated/1.21/README.adoc | 4 +- generated/1.22/README.adoc | 4 +- generated/1.23/README.adoc | 4 +- generated/1.24/README.adoc | 54 ++++++ .../apis/supervisor/oauth/v1alpha1/doc.go | 10 + .../supervisor/oauth/v1alpha1/register.go | 43 +++++ .../oauth/v1alpha1/types_oidcclient.go | 86 +++++++++ .../oauth/v1alpha1/zz_generated.deepcopy.go | 121 ++++++++++++ .../clientset/versioned/clientset.go | 13 ++ .../versioned/fake/clientset_generated.go | 7 + .../clientset/versioned/fake/register.go | 2 + .../clientset/versioned/scheme/register.go | 2 + .../versioned/typed/oauth/v1alpha1/doc.go | 7 + .../typed/oauth/v1alpha1/fake/doc.go | 7 + .../oauth/v1alpha1/fake/fake_oauth_client.go | 27 +++ .../oauth/v1alpha1/fake/fake_oidcclient.go | 129 +++++++++++++ .../oauth/v1alpha1/generated_expansion.go | 8 + .../typed/oauth/v1alpha1/oauth_client.go | 94 +++++++++ .../typed/oauth/v1alpha1/oidcclient.go | 182 ++++++++++++++++++ .../informers/externalversions/factory.go | 6 + .../informers/externalversions/generic.go | 5 + .../externalversions/oauth/interface.go | 33 ++++ .../oauth/v1alpha1/interface.go | 32 +++ .../oauth/v1alpha1/oidcclient.go | 77 ++++++++ .../oauth/v1alpha1/expansion_generated.go | 14 ++ .../listers/oauth/v1alpha1/oidcclient.go | 86 +++++++++ ...h.supervisor.pinniped.dev_oidcclients.yaml | 125 ++++++++++++ 31 files changed, 1184 insertions(+), 14 deletions(-) create mode 100644 generated/1.24/apis/supervisor/oauth/v1alpha1/doc.go create mode 100644 generated/1.24/apis/supervisor/oauth/v1alpha1/register.go create mode 100644 generated/1.24/apis/supervisor/oauth/v1alpha1/types_oidcclient.go create mode 100644 generated/1.24/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go create mode 100644 
generated/1.24/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/doc.go create mode 100644 generated/1.24/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go create mode 100644 generated/1.24/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go create mode 100644 generated/1.24/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oidcclient.go create mode 100644 generated/1.24/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go create mode 100644 generated/1.24/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go create mode 100644 generated/1.24/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oidcclient.go create mode 100644 generated/1.24/client/supervisor/informers/externalversions/oauth/interface.go create mode 100644 generated/1.24/client/supervisor/informers/externalversions/oauth/v1alpha1/interface.go create mode 100644 generated/1.24/client/supervisor/informers/externalversions/oauth/v1alpha1/oidcclient.go create mode 100644 generated/1.24/client/supervisor/listers/oauth/v1alpha1/expansion_generated.go create mode 100644 generated/1.24/client/supervisor/listers/oauth/v1alpha1/oidcclient.go create mode 100644 generated/1.24/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml diff --git a/generated/1.17/README.adoc b/generated/1.17/README.adoc index 06dd963e..693d8d6b 100644 --- a/generated/1.17/README.adoc +++ b/generated/1.17/README.adoc 
@@ -1378,9 +1378,9 @@ OIDCClientSpec is a struct that describes an OIDC Client. | Field | Description | *`allowedRedirectURIs`* __string array__ | allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this client. Any other uris will be rejected. Must be https, unless it is a loopback. | *`allowedGrantTypes`* __GrantType array__ | allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this client. - Must only contain the following values: - authorization_code: allows the client to perform the authorization code grant flow, i.e. allows the webapp to authenticate users. This grant must always be listed. - refresh_token: allows the client to perform refresh grants for the user to extend the user's session. This grant must be listed if allowedScopes lists offline_access. - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. This grant must be listed if allowedScopes lists pinniped:request-audience. + Must only contain the following values: - authorization_code: allows the client to perform the authorization code grant flow, i.e. allows the webapp to authenticate users. This grant must always be listed. - refresh_token: allows the client to perform refresh grants for the user to extend the user's session. This grant must be listed if allowedScopes lists offline_access. - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. This grant must be listed if allowedScopes lists pinniped:request-audience. | *`allowedScopes`* __Scope array__ | allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. 
- Must only contain the following values: - openid: The client is allowed to request ID tokens. ID tokens only include the required claims by default (iss, sub, aud, exp, iat). This scope must always be listed. - offline_access: The client is allowed to request an initial refresh token during the authorization code grant flow. This scope must be listed if allowedGrantTypes lists refresh_token. - pinniped:request-audience: The client is allowed to request a new audience value during a RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. openid, username and groups scopes must be listed when this scope is present. This scope must be listed if allowedGrantTypes lists urn:ietf:params:oauth:grant-type:token-exchange. - username: The client is allowed to request that ID tokens contain the user's username. Without the username scope being requested and allowed, the ID token will not contain the user's username. - groups: The client is allowed to request that ID tokens contain the user's group membership, if their group membership is discoverable by the Supervisor. Without the groups scope being requested and allowed, the ID token will not contain groups. + Must only contain the following values: - openid: The client is allowed to request ID tokens. ID tokens only include the required claims by default (iss, sub, aud, exp, iat). This scope must always be listed. - offline_access: The client is allowed to request an initial refresh token during the authorization code grant flow. This scope must be listed if allowedGrantTypes lists refresh_token. - pinniped:request-audience: The client is allowed to request a new audience value during a RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. openid, username and groups scopes must be listed when this scope is present. This scope must be listed if allowedGrantTypes lists urn:ietf:params:oauth:grant-type:token-exchange. 
- username: The client is allowed to request that ID tokens contain the user's username. Without the username scope being requested and allowed, the ID token will not contain the user's username. - groups: The client is allowed to request that ID tokens contain the user's group membership, if their group membership is discoverable by the Supervisor. Without the groups scope being requested and allowed, the ID token will not contain groups. |=== diff --git a/generated/1.18/README.adoc b/generated/1.18/README.adoc index 3cdade3a..f2346ef6 100644 --- a/generated/1.18/README.adoc +++ b/generated/1.18/README.adoc 
@@ -1378,9 +1378,9 @@ OIDCClientSpec is a struct that describes an OIDC Client. | Field | Description | *`allowedRedirectURIs`* __string array__ | allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this client. Any other uris will be rejected. Must be https, unless it is a loopback. | *`allowedGrantTypes`* __GrantType array__ | allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this client. - Must only contain the following values: - authorization_code: allows the client to perform the authorization code grant flow, i.e. allows the webapp to authenticate users. This grant must always be listed. - refresh_token: allows the client to perform refresh grants for the user to extend the user's session. This grant must be listed if allowedScopes lists offline_access. - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. This grant must be listed if allowedScopes lists pinniped:request-audience. + Must only contain the following values: - authorization_code: allows the client to perform the authorization code grant flow, i.e. allows the webapp to authenticate users. This grant must always be listed. - refresh_token: allows the client to perform refresh grants for the user to extend the user's session. This grant must be listed if allowedScopes lists offline_access. - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. This grant must be listed if allowedScopes lists pinniped:request-audience. | *`allowedScopes`* __Scope array__ | allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. 
- Must only contain the following values: - openid: The client is allowed to request ID tokens. ID tokens only include the required claims by default (iss, sub, aud, exp, iat). This scope must always be listed. - offline_access: The client is allowed to request an initial refresh token during the authorization code grant flow. This scope must be listed if allowedGrantTypes lists refresh_token. - pinniped:request-audience: The client is allowed to request a new audience value during a RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. openid, username and groups scopes must be listed when this scope is present. This scope must be listed if allowedGrantTypes lists urn:ietf:params:oauth:grant-type:token-exchange. - username: The client is allowed to request that ID tokens contain the user's username. Without the username scope being requested and allowed, the ID token will not contain the user's username. - groups: The client is allowed to request that ID tokens contain the user's group membership, if their group membership is discoverable by the Supervisor. Without the groups scope being requested and allowed, the ID token will not contain groups. + Must only contain the following values: - openid: The client is allowed to request ID tokens. ID tokens only include the required claims by default (iss, sub, aud, exp, iat). This scope must always be listed. - offline_access: The client is allowed to request an initial refresh token during the authorization code grant flow. This scope must be listed if allowedGrantTypes lists refresh_token. - pinniped:request-audience: The client is allowed to request a new audience value during a RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. openid, username and groups scopes must be listed when this scope is present. This scope must be listed if allowedGrantTypes lists urn:ietf:params:oauth:grant-type:token-exchange. 
- username: The client is allowed to request that ID tokens contain the user's username. Without the username scope being requested and allowed, the ID token will not contain the user's username. - groups: The client is allowed to request that ID tokens contain the user's group membership, if their group membership is discoverable by the Supervisor. Without the groups scope being requested and allowed, the ID token will not contain groups. |=== diff --git a/generated/1.19/README.adoc b/generated/1.19/README.adoc index 41377c38..6cd1eaa0 100644 --- a/generated/1.19/README.adoc +++ b/generated/1.19/README.adoc 
@@ -1378,9 +1378,9 @@ OIDCClientSpec is a struct that describes an OIDC Client. | Field | Description | *`allowedRedirectURIs`* __string array__ | allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this client. Any other uris will be rejected. Must be https, unless it is a loopback. | *`allowedGrantTypes`* __GrantType array__ | allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this client. - Must only contain the following values: - authorization_code: allows the client to perform the authorization code grant flow, i.e. allows the webapp to authenticate users. This grant must always be listed. - refresh_token: allows the client to perform refresh grants for the user to extend the user's session. This grant must be listed if allowedScopes lists offline_access. - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. This grant must be listed if allowedScopes lists pinniped:request-audience. + Must only contain the following values: - authorization_code: allows the client to perform the authorization code grant flow, i.e. allows the webapp to authenticate users. This grant must always be listed. - refresh_token: allows the client to perform refresh grants for the user to extend the user's session. This grant must be listed if allowedScopes lists offline_access. - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. This grant must be listed if allowedScopes lists pinniped:request-audience. | *`allowedScopes`* __Scope array__ | allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. 
- Must only contain the following values: - openid: The client is allowed to request ID tokens. ID tokens only include the required claims by default (iss, sub, aud, exp, iat). This scope must always be listed. - offline_access: The client is allowed to request an initial refresh token during the authorization code grant flow. This scope must be listed if allowedGrantTypes lists refresh_token. - pinniped:request-audience: The client is allowed to request a new audience value during a RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. openid, username and groups scopes must be listed when this scope is present. This scope must be listed if allowedGrantTypes lists urn:ietf:params:oauth:grant-type:token-exchange. - username: The client is allowed to request that ID tokens contain the user's username. Without the username scope being requested and allowed, the ID token will not contain the user's username. - groups: The client is allowed to request that ID tokens contain the user's group membership, if their group membership is discoverable by the Supervisor. Without the groups scope being requested and allowed, the ID token will not contain groups. + Must only contain the following values: - openid: The client is allowed to request ID tokens. ID tokens only include the required claims by default (iss, sub, aud, exp, iat). This scope must always be listed. - offline_access: The client is allowed to request an initial refresh token during the authorization code grant flow. This scope must be listed if allowedGrantTypes lists refresh_token. - pinniped:request-audience: The client is allowed to request a new audience value during a RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. openid, username and groups scopes must be listed when this scope is present. This scope must be listed if allowedGrantTypes lists urn:ietf:params:oauth:grant-type:token-exchange. 
- username: The client is allowed to request that ID tokens contain the user's username. Without the username scope being requested and allowed, the ID token will not contain the user's username. - groups: The client is allowed to request that ID tokens contain the user's group membership, if their group membership is discoverable by the Supervisor. Without the groups scope being requested and allowed, the ID token will not contain groups. |=== diff --git a/generated/1.20/README.adoc b/generated/1.20/README.adoc index 26266ced..1c559c9e 100644 --- a/generated/1.20/README.adoc +++ b/generated/1.20/README.adoc 
@@ -1378,9 +1378,9 @@ OIDCClientSpec is a struct that describes an OIDC Client. | Field | Description | *`allowedRedirectURIs`* __string array__ | allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this client. Any other uris will be rejected. Must be https, unless it is a loopback. | *`allowedGrantTypes`* __GrantType array__ | allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this client. - Must only contain the following values: - authorization_code: allows the client to perform the authorization code grant flow, i.e. allows the webapp to authenticate users. This grant must always be listed. - refresh_token: allows the client to perform refresh grants for the user to extend the user's session. This grant must be listed if allowedScopes lists offline_access. - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. This grant must be listed if allowedScopes lists pinniped:request-audience. + Must only contain the following values: - authorization_code: allows the client to perform the authorization code grant flow, i.e. allows the webapp to authenticate users. This grant must always be listed. - refresh_token: allows the client to perform refresh grants for the user to extend the user's session. This grant must be listed if allowedScopes lists offline_access. - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. This grant must be listed if allowedScopes lists pinniped:request-audience. | *`allowedScopes`* __Scope array__ | allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. 
- Must only contain the following values: - openid: The client is allowed to request ID tokens. ID tokens only include the required claims by default (iss, sub, aud, exp, iat). This scope must always be listed. - offline_access: The client is allowed to request an initial refresh token during the authorization code grant flow. This scope must be listed if allowedGrantTypes lists refresh_token. - pinniped:request-audience: The client is allowed to request a new audience value during a RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. openid, username and groups scopes must be listed when this scope is present. This scope must be listed if allowedGrantTypes lists urn:ietf:params:oauth:grant-type:token-exchange. - username: The client is allowed to request that ID tokens contain the user's username. Without the username scope being requested and allowed, the ID token will not contain the user's username. - groups: The client is allowed to request that ID tokens contain the user's group membership, if their group membership is discoverable by the Supervisor. Without the groups scope being requested and allowed, the ID token will not contain groups. + Must only contain the following values: - openid: The client is allowed to request ID tokens. ID tokens only include the required claims by default (iss, sub, aud, exp, iat). This scope must always be listed. - offline_access: The client is allowed to request an initial refresh token during the authorization code grant flow. This scope must be listed if allowedGrantTypes lists refresh_token. - pinniped:request-audience: The client is allowed to request a new audience value during a RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. openid, username and groups scopes must be listed when this scope is present. This scope must be listed if allowedGrantTypes lists urn:ietf:params:oauth:grant-type:token-exchange. 
- username: The client is allowed to request that ID tokens contain the user's username. Without the username scope being requested and allowed, the ID token will not contain the user's username. - groups: The client is allowed to request that ID tokens contain the user's group membership, if their group membership is discoverable by the Supervisor. Without the groups scope being requested and allowed, the ID token will not contain groups. |=== diff --git a/generated/1.21/README.adoc b/generated/1.21/README.adoc index d6feec77..2a9ca757 100644 --- a/generated/1.21/README.adoc +++ b/generated/1.21/README.adoc 
@@ -1378,9 +1378,9 @@ OIDCClientSpec is a struct that describes an OIDC Client. | Field | Description | *`allowedRedirectURIs`* __string array__ | allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this client. Any other uris will be rejected. Must be https, unless it is a loopback. | *`allowedGrantTypes`* __GrantType array__ | allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this client. - Must only contain the following values: - authorization_code: allows the client to perform the authorization code grant flow, i.e. allows the webapp to authenticate users. This grant must always be listed. - refresh_token: allows the client to perform refresh grants for the user to extend the user's session. This grant must be listed if allowedScopes lists offline_access. - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. This grant must be listed if allowedScopes lists pinniped:request-audience. + Must only contain the following values: - authorization_code: allows the client to perform the authorization code grant flow, i.e. allows the webapp to authenticate users. This grant must always be listed. - refresh_token: allows the client to perform refresh grants for the user to extend the user's session. This grant must be listed if allowedScopes lists offline_access. - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. This grant must be listed if allowedScopes lists pinniped:request-audience. | *`allowedScopes`* __Scope array__ | allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. 
- Must only contain the following values: - openid: The client is allowed to request ID tokens. ID tokens only include the required claims by default (iss, sub, aud, exp, iat). This scope must always be listed. - offline_access: The client is allowed to request an initial refresh token during the authorization code grant flow. This scope must be listed if allowedGrantTypes lists refresh_token. - pinniped:request-audience: The client is allowed to request a new audience value during a RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. openid, username and groups scopes must be listed when this scope is present. This scope must be listed if allowedGrantTypes lists urn:ietf:params:oauth:grant-type:token-exchange. - username: The client is allowed to request that ID tokens contain the user's username. Without the username scope being requested and allowed, the ID token will not contain the user's username. - groups: The client is allowed to request that ID tokens contain the user's group membership, if their group membership is discoverable by the Supervisor. Without the groups scope being requested and allowed, the ID token will not contain groups. + Must only contain the following values: - openid: The client is allowed to request ID tokens. ID tokens only include the required claims by default (iss, sub, aud, exp, iat). This scope must always be listed. - offline_access: The client is allowed to request an initial refresh token during the authorization code grant flow. This scope must be listed if allowedGrantTypes lists refresh_token. - pinniped:request-audience: The client is allowed to request a new audience value during a RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. openid, username and groups scopes must be listed when this scope is present. This scope must be listed if allowedGrantTypes lists urn:ietf:params:oauth:grant-type:token-exchange. 
- username: The client is allowed to request that ID tokens contain the user's username. Without the username scope being requested and allowed, the ID token will not contain the user's username. - groups: The client is allowed to request that ID tokens contain the user's group membership, if their group membership is discoverable by the Supervisor. Without the groups scope being requested and allowed, the ID token will not contain groups. |=== diff --git a/generated/1.22/README.adoc b/generated/1.22/README.adoc index 5d37f884..78e1cd46 100644 --- a/generated/1.22/README.adoc +++ b/generated/1.22/README.adoc 
@@ -1378,9 +1378,9 @@ OIDCClientSpec is a struct that describes an OIDC Client. | Field | Description | *`allowedRedirectURIs`* __string array__ | allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this client. Any other uris will be rejected. Must be https, unless it is a loopback. | *`allowedGrantTypes`* __GrantType array__ | allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this client. - Must only contain the following values: - authorization_code: allows the client to perform the authorization code grant flow, i.e. allows the webapp to authenticate users. This grant must always be listed. - refresh_token: allows the client to perform refresh grants for the user to extend the user's session. This grant must be listed if allowedScopes lists offline_access. - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. This grant must be listed if allowedScopes lists pinniped:request-audience. + Must only contain the following values: - authorization_code: allows the client to perform the authorization code grant flow, i.e. allows the webapp to authenticate users. This grant must always be listed. - refresh_token: allows the client to perform refresh grants for the user to extend the user's session. This grant must be listed if allowedScopes lists offline_access. - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. This grant must be listed if allowedScopes lists pinniped:request-audience. | *`allowedScopes`* __Scope array__ | allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. 
- Must only contain the following values: - openid: The client is allowed to request ID tokens. ID tokens only include the required claims by default (iss, sub, aud, exp, iat). This scope must always be listed. - offline_access: The client is allowed to request an initial refresh token during the authorization code grant flow. This scope must be listed if allowedGrantTypes lists refresh_token. - pinniped:request-audience: The client is allowed to request a new audience value during a RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. openid, username and groups scopes must be listed when this scope is present. This scope must be listed if allowedGrantTypes lists urn:ietf:params:oauth:grant-type:token-exchange. - username: The client is allowed to request that ID tokens contain the user's username. Without the username scope being requested and allowed, the ID token will not contain the user's username. - groups: The client is allowed to request that ID tokens contain the user's group membership, if their group membership is discoverable by the Supervisor. Without the groups scope being requested and allowed, the ID token will not contain groups. + Must only contain the following values: - openid: The client is allowed to request ID tokens. ID tokens only include the required claims by default (iss, sub, aud, exp, iat). This scope must always be listed. - offline_access: The client is allowed to request an initial refresh token during the authorization code grant flow. This scope must be listed if allowedGrantTypes lists refresh_token. - pinniped:request-audience: The client is allowed to request a new audience value during a RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. openid, username and groups scopes must be listed when this scope is present. This scope must be listed if allowedGrantTypes lists urn:ietf:params:oauth:grant-type:token-exchange. 
- username: The client is allowed to request that ID tokens contain the user's username. Without the username scope being requested and allowed, the ID token will not contain the user's username. - groups: The client is allowed to request that ID tokens contain the user's group membership, if their group membership is discoverable by the Supervisor. Without the groups scope being requested and allowed, the ID token will not contain groups. |=== diff --git a/generated/1.23/README.adoc b/generated/1.23/README.adoc index 9f71c489..d858f07a 100644 --- a/generated/1.23/README.adoc +++ b/generated/1.23/README.adoc 
@@ -1378,9 +1378,9 @@ OIDCClientSpec is a struct that describes an OIDC Client. | Field | Description | *`allowedRedirectURIs`* __string array__ | allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this client. Any other uris will be rejected. Must be https, unless it is a loopback. | *`allowedGrantTypes`* __GrantType array__ | allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this client. - Must only contain the following values: - authorization_code: allows the client to perform the authorization code grant flow, i.e. allows the webapp to authenticate users. This grant must always be listed. - refresh_token: allows the client to perform refresh grants for the user to extend the user's session. This grant must be listed if allowedScopes lists offline_access. - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. This grant must be listed if allowedScopes lists pinniped:request-audience. + Must only contain the following values: - authorization_code: allows the client to perform the authorization code grant flow, i.e. allows the webapp to authenticate users. This grant must always be listed. - refresh_token: allows the client to perform refresh grants for the user to extend the user's session. This grant must be listed if allowedScopes lists offline_access. - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. This grant must be listed if allowedScopes lists pinniped:request-audience. | *`allowedScopes`* __Scope array__ | allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. 
- Must only contain the following values: - openid: The client is allowed to request ID tokens. ID tokens only include the required claims by default (iss, sub, aud, exp, iat). This scope must always be listed. - offline_access: The client is allowed to request an initial refresh token during the authorization code grant flow. This scope must be listed if allowedGrantTypes lists refresh_token. - pinniped:request-audience: The client is allowed to request a new audience value during a RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. openid, username and groups scopes must be listed when this scope is present. This scope must be listed if allowedGrantTypes lists urn:ietf:params:oauth:grant-type:token-exchange. - username: The client is allowed to request that ID tokens contain the user's username. Without the username scope being requested and allowed, the ID token will not contain the user's username. - groups: The client is allowed to request that ID tokens contain the user's group membership, if their group membership is discoverable by the Supervisor. Without the groups scope being requested and allowed, the ID token will not contain groups. + Must only contain the following values: - openid: The client is allowed to request ID tokens. ID tokens only include the required claims by default (iss, sub, aud, exp, iat). This scope must always be listed. - offline_access: The client is allowed to request an initial refresh token during the authorization code grant flow. This scope must be listed if allowedGrantTypes lists refresh_token. - pinniped:request-audience: The client is allowed to request a new audience value during a RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. openid, username and groups scopes must be listed when this scope is present. This scope must be listed if allowedGrantTypes lists urn:ietf:params:oauth:grant-type:token-exchange. 
- username: The client is allowed to request that ID tokens contain the user's username. Without the username scope being requested and allowed, the ID token will not contain the user's username. - groups: The client is allowed to request that ID tokens contain the user's group membership, if their group membership is discoverable by the Supervisor. Without the groups scope being requested and allowed, the ID token will not contain groups. |=== diff --git a/generated/1.24/README.adoc b/generated/1.24/README.adoc index c59924cd..381b2f7e 100644 --- a/generated/1.24/README.adoc +++ b/generated/1.24/README.adoc @@ -12,6 +12,7 @@ - xref:{anchor_prefix}-identity-concierge-pinniped-dev-v1alpha1[$$identity.concierge.pinniped.dev/v1alpha1$$] - xref:{anchor_prefix}-idp-supervisor-pinniped-dev-v1alpha1[$$idp.supervisor.pinniped.dev/v1alpha1$$] - xref:{anchor_prefix}-login-concierge-pinniped-dev-v1alpha1[$$login.concierge.pinniped.dev/v1alpha1$$] +- xref:{anchor_prefix}-oauth-supervisor-pinniped-dev-v1alpha1[$$oauth.supervisor.pinniped.dev/v1alpha1$$] [id="{anchor_prefix}-authentication-concierge-pinniped-dev-v1alpha1"] 
@@ -1332,3 +1333,56 @@ TokenCredentialRequestStatus is the status of a TokenCredentialRequest, returned |=== + +[id="{anchor_prefix}-oauth-supervisor-pinniped-dev-v1alpha1"] +=== oauth.supervisor.pinniped.dev/v1alpha1 + +Package v1alpha1 is the v1alpha1 version of the Pinniped supervisor oauth API. + + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-oauth-v1alpha1-oidcclient"] +==== OIDCClient + +OIDCClient describes the configuration of an OIDC client. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-oauth-v1alpha1-oidcclientlist[$$OIDCClientList$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`. + +| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-oauth-v1alpha1-oidcclientspec[$$OIDCClientSpec$$]__ | Spec of the OIDC client. +| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-oauth-v1alpha1-oidcclientstatus[$$OIDCClientStatus$$]__ | Status of the OIDC client. +|=== + + + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-oauth-v1alpha1-oidcclientspec"] +==== OIDCClientSpec + +OIDCClientSpec is a struct that describes an OIDC Client. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-oauth-v1alpha1-oidcclient[$$OIDCClient$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`allowedRedirectURIs`* __string array__ | allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this client. Any other uris will be rejected. Must be https, unless it is a loopback. 
+| *`allowedGrantTypes`* __GrantType array__ | allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this client. + Must only contain the following values: - authorization_code: allows the client to perform the authorization code grant flow, i.e. allows the webapp to authenticate users. This grant must always be listed. - refresh_token: allows the client to perform refresh grants for the user to extend the user's session. This grant must be listed if allowedScopes lists offline_access. - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. This grant must be listed if allowedScopes lists pinniped:request-audience. +| *`allowedScopes`* __Scope array__ | allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. + Must only contain the following values: - openid: The client is allowed to request ID tokens. ID tokens only include the required claims by default (iss, sub, aud, exp, iat). This scope must always be listed. - offline_access: The client is allowed to request an initial refresh token during the authorization code grant flow. This scope must be listed if allowedGrantTypes lists refresh_token. - pinniped:request-audience: The client is allowed to request a new audience value during a RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. openid, username and groups scopes must be listed when this scope is present. This scope must be listed if allowedGrantTypes lists urn:ietf:params:oauth:grant-type:token-exchange. - username: The client is allowed to request that ID tokens contain the user's username. Without the username scope being requested and allowed, the ID token will not contain the user's username. 
- groups: The client is allowed to request that ID tokens contain the user's group membership, if their group membership is discoverable by the Supervisor. Without the groups scope being requested and allowed, the ID token will not contain groups.
+|===
+
+
+
+
diff --git a/generated/1.24/apis/supervisor/oauth/v1alpha1/doc.go b/generated/1.24/apis/supervisor/oauth/v1alpha1/doc.go
new file mode 100644
index 00000000..75580481
--- /dev/null
+++ b/generated/1.24/apis/supervisor/oauth/v1alpha1/doc.go
@@ -0,0 +1,10 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// +k8s:openapi-gen=true
+// +k8s:deepcopy-gen=package
+// +k8s:defaulter-gen=TypeMeta
+// +groupName=oauth.supervisor.pinniped.dev
+
+// Package v1alpha1 is the v1alpha1 version of the Pinniped supervisor oauth API.
+package v1alpha1
diff --git a/generated/1.24/apis/supervisor/oauth/v1alpha1/register.go b/generated/1.24/apis/supervisor/oauth/v1alpha1/register.go
new file mode 100644
index 00000000..37ae1fbf
--- /dev/null
+++ b/generated/1.24/apis/supervisor/oauth/v1alpha1/register.go
@@ -0,0 +1,43 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import (
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/apimachinery/pkg/runtime"
+ "k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+const GroupName = "oauth.supervisor.pinniped.dev"
+
+// SchemeGroupVersion is group version used to register these objects.
+var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha1"}
+
+var (
+ SchemeBuilder runtime.SchemeBuilder
+ localSchemeBuilder = &SchemeBuilder
+ AddToScheme = localSchemeBuilder.AddToScheme
+)
+
+func init() {
+ // We only register manually written functions here. The registration of the
+ // generated functions takes place in the generated files. The separation
+ // makes the code compile even when the generated files are missing.
+ localSchemeBuilder.Register(addKnownTypes)
+}
+
+// Adds the list of known types to the given scheme.
+func addKnownTypes(scheme *runtime.Scheme) error {
+ scheme.AddKnownTypes(SchemeGroupVersion,
+ &OIDCClient{},
+ &OIDCClientList{},
+ )
+ metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
+ return nil
+}
+
+// Resource takes an unqualified resource and returns a Group qualified GroupResource.
+func Resource(resource string) schema.GroupResource {
+ return SchemeGroupVersion.WithResource(resource).GroupResource()
+}
diff --git a/generated/1.24/apis/supervisor/oauth/v1alpha1/types_oidcclient.go b/generated/1.24/apis/supervisor/oauth/v1alpha1/types_oidcclient.go
new file mode 100644
index 00000000..e905c61a
--- /dev/null
+++ b/generated/1.24/apis/supervisor/oauth/v1alpha1/types_oidcclient.go
@@ -0,0 +1,86 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import (
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// +kubebuilder:validation:Enum="authorization_code";"refresh_token";"urn:ietf:params:oauth:grant-type:token-exchange"
+type GrantType string
+
+// +kubebuilder:validation:Enum="openid";"offline_access";"username";"groups";"pinniped:request-audience"
+type Scope string
+
+// OIDCClientSpec is a struct that describes an OIDC Client.
+type OIDCClientSpec struct {
+ // allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this
+ // client. Any other uris will be rejected.
+ // Must be https, unless it is a loopback.
+ // +kubebuilder:validation:MinItems=1
+ AllowedRedirectURIs []string `json:"allowedRedirectURIs"`
+
+ // allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this
+ // client.
+ //
+ // Must only contain the following values:
+ // - authorization_code: allows the client to perform the authorization code grant flow, i.e. allows the webapp to
+ // authenticate users. This grant must always be listed.
+ // - refresh_token: allows the client to perform refresh grants for the user to extend the user's session.
+ // This grant must be listed if allowedScopes lists offline_access.
+ // - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange,
+ // which is a step in the process to be able to get a cluster credential for the user.
+ // This grant must be listed if allowedScopes lists pinniped:request-audience.
+ // +kubebuilder:validation:MinItems=1
+ AllowedGrantTypes []GrantType `json:"allowedGrantTypes"`
+
+ // allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client.
+ //
+ // Must only contain the following values:
+ // - openid: The client is allowed to request ID tokens. ID tokens only include the required claims by default (iss, sub, aud, exp, iat).
+ // This scope must always be listed.
+ // - offline_access: The client is allowed to request an initial refresh token during the authorization code grant flow.
+ // This scope must be listed if allowedGrantTypes lists refresh_token.
+ // - pinniped:request-audience: The client is allowed to request a new audience value during a RFC8693 token exchange,
+ // which is a step in the process to be able to get a cluster credential for the user.
+ // openid, username and groups scopes must be listed when this scope is present.
+ // This scope must be listed if allowedGrantTypes lists urn:ietf:params:oauth:grant-type:token-exchange.
+ // - username: The client is allowed to request that ID tokens contain the user's username.
+ // Without the username scope being requested and allowed, the ID token will not contain the user's username.
+ // - groups: The client is allowed to request that ID tokens contain the user's group membership,
+ // if their group membership is discoverable by the Supervisor.
+ // Without the groups scope being requested and allowed, the ID token will not contain groups.
+ // +kubebuilder:validation:MinItems=1
+ AllowedScopes []Scope `json:"allowedScopes"`
+}
+
+// OIDCClientStatus is a struct that describes the actual state of an OIDC Client.
+type OIDCClientStatus struct {
+}
+
+// OIDCClient describes the configuration of an OIDC client.
+// +genclient
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+// +kubebuilder:resource:categories=pinniped
+// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
+// +kubebuilder:subresource:status
+type OIDCClient struct {
+ metav1.TypeMeta `json:",inline"`
+ metav1.ObjectMeta `json:"metadata,omitempty"`
+
+ // Spec of the OIDC client.
+ Spec OIDCClientSpec `json:"spec"`
+
+ // Status of the OIDC client.
+ Status OIDCClientStatus `json:"status,omitempty"`
+}
+
+// List of OIDCClient objects.
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+type OIDCClientList struct {
+ metav1.TypeMeta `json:",inline"`
+ metav1.ListMeta `json:"metadata,omitempty"`
+
+ Items []OIDCClient `json:"items"`
+}
diff --git a/generated/1.24/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go b/generated/1.24/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go
new file mode 100644
index 00000000..1aba8aea
--- /dev/null
+++ b/generated/1.24/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go
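Review bot: `AllowedRedirectURIs` is documented as `Must be https, unless it is a loopback`, and the grant and scope fields carry cross-field rules such as `This grant must be listed if allowedScopes lists offline_access`, but the only markers on these fields are `+kubebuilder:validation:MinItems=1` plus the enum on the element types, so the API server will persist any string and any combination of grants and scopes; the Supervisor presumably has to enforce these rules itself when it reads the resource. With `OIDCClientStatus` left empty there is nowhere to report that a stored OIDCClient was rejected, so a misconfigured client (for example an http redirect URI that is not a loopback) would fail silently from the operator's point of view. Consider adding a `Conditions []metav1.Condition` field to the status, which the `+kubebuilder:subresource:status` marker already anticipates, and stating in each field comment which rules are checked at runtime, e.g. `// These rules are enforced by the Supervisor, not by the API server; violations are reported in status.` This file sits under generated/ and mirrors the .tmpl it is copied from, so the change belongs in the template rather than here.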
@@ -0,0 +1,121 @@ +//go:build !ignore_autogenerated +// +build !ignore_autogenerated + +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by deepcopy-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + runtime "k8s.io/apimachinery/pkg/runtime" +) + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCClient) DeepCopyInto(out *OIDCClient) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + in.Spec.DeepCopyInto(&out.Spec) + out.Status = in.Status + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClient. +func (in *OIDCClient) DeepCopy() *OIDCClient { + if in == nil { + return nil + } + out := new(OIDCClient) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *OIDCClient) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCClientList) DeepCopyInto(out *OIDCClientList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]OIDCClient, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientList. +func (in *OIDCClientList) DeepCopy() *OIDCClientList { + if in == nil { + return nil + } + out := new(OIDCClientList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. 
+func (in *OIDCClientList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCClientSpec) DeepCopyInto(out *OIDCClientSpec) { + *out = *in + if in.AllowedRedirectURIs != nil { + in, out := &in.AllowedRedirectURIs, &out.AllowedRedirectURIs + *out = make([]string, len(*in)) + copy(*out, *in) + } + if in.AllowedGrantTypes != nil { + in, out := &in.AllowedGrantTypes, &out.AllowedGrantTypes + *out = make([]GrantType, len(*in)) + copy(*out, *in) + } + if in.AllowedScopes != nil { + in, out := &in.AllowedScopes, &out.AllowedScopes + *out = make([]Scope, len(*in)) + copy(*out, *in) + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSpec. +func (in *OIDCClientSpec) DeepCopy() *OIDCClientSpec { + if in == nil { + return nil + } + out := new(OIDCClientSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCClientStatus) DeepCopyInto(out *OIDCClientStatus) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientStatus. +func (in *OIDCClientStatus) DeepCopy() *OIDCClientStatus { + if in == nil { + return nil + } + out := new(OIDCClientStatus) + in.DeepCopyInto(out) + return out +} diff --git a/generated/1.24/client/supervisor/clientset/versioned/clientset.go b/generated/1.24/client/supervisor/clientset/versioned/clientset.go index 39ee1be5..faf9359f 100644 --- a/generated/1.24/client/supervisor/clientset/versioned/clientset.go +++ b/generated/1.24/client/supervisor/clientset/versioned/clientset.go 
@@ -11,6 +11,7 @@ import ( configv1alpha1 "go.pinniped.dev/generated/1.24/client/supervisor/clientset/versioned/typed/config/v1alpha1" idpv1alpha1 "go.pinniped.dev/generated/1.24/client/supervisor/clientset/versioned/typed/idp/v1alpha1" + oauthv1alpha1 "go.pinniped.dev/generated/1.24/client/supervisor/clientset/versioned/typed/oauth/v1alpha1" discovery "k8s.io/client-go/discovery" rest "k8s.io/client-go/rest" flowcontrol "k8s.io/client-go/util/flowcontrol" @@ -20,6 +21,7 @@ type Interface interface { Discovery() discovery.DiscoveryInterface ConfigV1alpha1() configv1alpha1.ConfigV1alpha1Interface IDPV1alpha1() idpv1alpha1.IDPV1alpha1Interface + OauthV1alpha1() oauthv1alpha1.OauthV1alpha1Interface } // Clientset contains the clients for groups. Each group has exactly one @@ -28,6 +30,7 @@ type Clientset struct { *discovery.DiscoveryClient configV1alpha1 *configv1alpha1.ConfigV1alpha1Client iDPV1alpha1 *idpv1alpha1.IDPV1alpha1Client + oauthV1alpha1 *oauthv1alpha1.OauthV1alpha1Client } // ConfigV1alpha1 retrieves the ConfigV1alpha1Client @@ -40,6 +43,11 @@ func (c *Clientset) IDPV1alpha1() idpv1alpha1.IDPV1alpha1Interface { return c.iDPV1alpha1 } +// OauthV1alpha1 retrieves the OauthV1alpha1Client +func (c *Clientset) OauthV1alpha1() oauthv1alpha1.OauthV1alpha1Interface { + return c.oauthV1alpha1 +} + // Discovery retrieves the DiscoveryClient func (c *Clientset) Discovery() discovery.DiscoveryInterface { if c == nil { @@ -92,6 +100,10 @@ func NewForConfigAndClient(c *rest.Config, httpClient *http.Client) (*Clientset, if err != nil { return nil, err } + cs.oauthV1alpha1, err = oauthv1alpha1.NewForConfigAndClient(&configShallowCopy, httpClient) + if err != nil { + return nil, err + } cs.DiscoveryClient, err = discovery.NewDiscoveryClientForConfigAndClient(&configShallowCopy, httpClient) if err != nil { 
@@ -115,6 +127,7 @@ func New(c rest.Interface) *Clientset { var cs Clientset cs.configV1alpha1 = configv1alpha1.New(c) cs.iDPV1alpha1 = idpv1alpha1.New(c) + cs.oauthV1alpha1 = oauthv1alpha1.New(c) cs.DiscoveryClient = discovery.NewDiscoveryClient(c) return &cs diff --git a/generated/1.24/client/supervisor/clientset/versioned/fake/clientset_generated.go b/generated/1.24/client/supervisor/clientset/versioned/fake/clientset_generated.go index f613b900..3784bd68 100644 --- a/generated/1.24/client/supervisor/clientset/versioned/fake/clientset_generated.go +++ b/generated/1.24/client/supervisor/clientset/versioned/fake/clientset_generated.go @@ -11,6 +11,8 @@ import ( fakeconfigv1alpha1 "go.pinniped.dev/generated/1.24/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake" idpv1alpha1 "go.pinniped.dev/generated/1.24/client/supervisor/clientset/versioned/typed/idp/v1alpha1" fakeidpv1alpha1 "go.pinniped.dev/generated/1.24/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake" + oauthv1alpha1 "go.pinniped.dev/generated/1.24/client/supervisor/clientset/versioned/typed/oauth/v1alpha1" + fakeoauthv1alpha1 "go.pinniped.dev/generated/1.24/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake" "k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/watch" "k8s.io/client-go/discovery" @@ -77,3 +79,8 @@ func (c *Clientset) ConfigV1alpha1() configv1alpha1.ConfigV1alpha1Interface { func (c *Clientset) IDPV1alpha1() idpv1alpha1.IDPV1alpha1Interface { return &fakeidpv1alpha1.FakeIDPV1alpha1{Fake: &c.Fake} } + +// OauthV1alpha1 retrieves the OauthV1alpha1Client +func (c *Clientset) OauthV1alpha1() oauthv1alpha1.OauthV1alpha1Interface { + return &fakeoauthv1alpha1.FakeOauthV1alpha1{Fake: &c.Fake} +} diff --git a/generated/1.24/client/supervisor/clientset/versioned/fake/register.go b/generated/1.24/client/supervisor/clientset/versioned/fake/register.go index e74fd77e..3ac8970f 100644 --- a/generated/1.24/client/supervisor/clientset/versioned/fake/register.go 
+++ b/generated/1.24/client/supervisor/clientset/versioned/fake/register.go @@ -8,6 +8,7 @@ package fake import ( configv1alpha1 "go.pinniped.dev/generated/1.24/apis/supervisor/config/v1alpha1" idpv1alpha1 "go.pinniped.dev/generated/1.24/apis/supervisor/idp/v1alpha1" + oauthv1alpha1 "go.pinniped.dev/generated/1.24/apis/supervisor/oauth/v1alpha1" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" runtime "k8s.io/apimachinery/pkg/runtime" schema "k8s.io/apimachinery/pkg/runtime/schema" @@ -21,6 +22,7 @@ var codecs = serializer.NewCodecFactory(scheme) var localSchemeBuilder = runtime.SchemeBuilder{ configv1alpha1.AddToScheme, idpv1alpha1.AddToScheme, + oauthv1alpha1.AddToScheme, } // AddToScheme adds all types of this clientset into the given scheme. This allows composition diff --git a/generated/1.24/client/supervisor/clientset/versioned/scheme/register.go b/generated/1.24/client/supervisor/clientset/versioned/scheme/register.go index 4e2cb90f..696c9bcc 100644 --- a/generated/1.24/client/supervisor/clientset/versioned/scheme/register.go +++ b/generated/1.24/client/supervisor/clientset/versioned/scheme/register.go @@ -8,6 +8,7 @@ package scheme import ( configv1alpha1 "go.pinniped.dev/generated/1.24/apis/supervisor/config/v1alpha1" idpv1alpha1 "go.pinniped.dev/generated/1.24/apis/supervisor/idp/v1alpha1" + oauthv1alpha1 "go.pinniped.dev/generated/1.24/apis/supervisor/oauth/v1alpha1" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" runtime "k8s.io/apimachinery/pkg/runtime" schema "k8s.io/apimachinery/pkg/runtime/schema" @@ -21,6 +22,7 @@ var ParameterCodec = runtime.NewParameterCodec(Scheme) var localSchemeBuilder = runtime.SchemeBuilder{ configv1alpha1.AddToScheme, idpv1alpha1.AddToScheme, + oauthv1alpha1.AddToScheme, } // AddToScheme adds all types of this clientset into the given scheme. This allows composition 
diff --git a/generated/1.24/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/doc.go b/generated/1.24/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/doc.go new file mode 100644 index 00000000..e7a470b6 --- /dev/null +++ b/generated/1.24/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/doc.go @@ -0,0 +1,7 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +// This package has the automatically generated typed clients. +package v1alpha1 diff --git a/generated/1.24/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go b/generated/1.24/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go new file mode 100644 index 00000000..7906901b --- /dev/null +++ b/generated/1.24/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go @@ -0,0 +1,7 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +// Package fake has the automatically generated clients. +package fake diff --git a/generated/1.24/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go b/generated/1.24/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go new file mode 100644 index 00000000..f35814e2 --- /dev/null +++ b/generated/1.24/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go 
@@ -0,0 +1,27 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package fake + +import ( + v1alpha1 "go.pinniped.dev/generated/1.24/client/supervisor/clientset/versioned/typed/oauth/v1alpha1" + rest "k8s.io/client-go/rest" + testing "k8s.io/client-go/testing" +) + +type FakeOauthV1alpha1 struct { + *testing.Fake +} + +func (c *FakeOauthV1alpha1) OIDCClients(namespace string) v1alpha1.OIDCClientInterface { + return &FakeOIDCClients{c, namespace} +} + +// RESTClient returns a RESTClient that is used to communicate +// with API server by this client implementation. +func (c *FakeOauthV1alpha1) RESTClient() rest.Interface { + var ret *rest.RESTClient + return ret +} diff --git a/generated/1.24/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oidcclient.go b/generated/1.24/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oidcclient.go new file mode 100644 index 00000000..ec6ea5cd --- /dev/null +++ b/generated/1.24/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oidcclient.go 
@@ -0,0 +1,129 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package fake + +import ( + "context" + + v1alpha1 "go.pinniped.dev/generated/1.24/apis/supervisor/oauth/v1alpha1" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + labels "k8s.io/apimachinery/pkg/labels" + schema "k8s.io/apimachinery/pkg/runtime/schema" + types "k8s.io/apimachinery/pkg/types" + watch "k8s.io/apimachinery/pkg/watch" + testing "k8s.io/client-go/testing" +) + +// FakeOIDCClients implements OIDCClientInterface +type FakeOIDCClients struct { + Fake *FakeOauthV1alpha1 + ns string +} + +var oidcclientsResource = schema.GroupVersionResource{Group: "oauth.supervisor.pinniped.dev", Version: "v1alpha1", Resource: "oidcclients"} + +var oidcclientsKind = schema.GroupVersionKind{Group: "oauth.supervisor.pinniped.dev", Version: "v1alpha1", Kind: "OIDCClient"} + +// Get takes name of the oIDCClient, and returns the corresponding oIDCClient object, and an error if there is any. +func (c *FakeOIDCClients) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.OIDCClient, err error) { + obj, err := c.Fake. + Invokes(testing.NewGetAction(oidcclientsResource, c.ns, name), &v1alpha1.OIDCClient{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.OIDCClient), err +} + +// List takes label and field selectors, and returns the list of OIDCClients that match those selectors. +func (c *FakeOIDCClients) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.OIDCClientList, err error) { + obj, err := c.Fake. 
+ Invokes(testing.NewListAction(oidcclientsResource, oidcclientsKind, c.ns, opts), &v1alpha1.OIDCClientList{}) + + if obj == nil { + return nil, err + } + + label, _, _ := testing.ExtractFromListOptions(opts) + if label == nil { + label = labels.Everything() + } + list := &v1alpha1.OIDCClientList{ListMeta: obj.(*v1alpha1.OIDCClientList).ListMeta} + for _, item := range obj.(*v1alpha1.OIDCClientList).Items { + if label.Matches(labels.Set(item.Labels)) { + list.Items = append(list.Items, item) + } + } + return list, err +} + +// Watch returns a watch.Interface that watches the requested oIDCClients. +func (c *FakeOIDCClients) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) { + return c.Fake. + InvokesWatch(testing.NewWatchAction(oidcclientsResource, c.ns, opts)) + +} + +// Create takes the representation of a oIDCClient and creates it. Returns the server's representation of the oIDCClient, and an error, if there is any. +func (c *FakeOIDCClients) Create(ctx context.Context, oIDCClient *v1alpha1.OIDCClient, opts v1.CreateOptions) (result *v1alpha1.OIDCClient, err error) { + obj, err := c.Fake. + Invokes(testing.NewCreateAction(oidcclientsResource, c.ns, oIDCClient), &v1alpha1.OIDCClient{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.OIDCClient), err +} + +// Update takes the representation of a oIDCClient and updates it. Returns the server's representation of the oIDCClient, and an error, if there is any. +func (c *FakeOIDCClients) Update(ctx context.Context, oIDCClient *v1alpha1.OIDCClient, opts v1.UpdateOptions) (result *v1alpha1.OIDCClient, err error) { + obj, err := c.Fake. + Invokes(testing.NewUpdateAction(oidcclientsResource, c.ns, oIDCClient), &v1alpha1.OIDCClient{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.OIDCClient), err +} + +// UpdateStatus was generated because the type contains a Status member. +// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus(). 
+func (c *FakeOIDCClients) UpdateStatus(ctx context.Context, oIDCClient *v1alpha1.OIDCClient, opts v1.UpdateOptions) (*v1alpha1.OIDCClient, error) { + obj, err := c.Fake. + Invokes(testing.NewUpdateSubresourceAction(oidcclientsResource, "status", c.ns, oIDCClient), &v1alpha1.OIDCClient{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.OIDCClient), err +} + +// Delete takes name of the oIDCClient and deletes it. Returns an error if one occurs. +func (c *FakeOIDCClients) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error { + _, err := c.Fake. + Invokes(testing.NewDeleteActionWithOptions(oidcclientsResource, c.ns, name, opts), &v1alpha1.OIDCClient{}) + + return err +} + +// DeleteCollection deletes a collection of objects. +func (c *FakeOIDCClients) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error { + action := testing.NewDeleteCollectionAction(oidcclientsResource, c.ns, listOpts) + + _, err := c.Fake.Invokes(action, &v1alpha1.OIDCClientList{}) + return err +} + +// Patch applies the patch and returns the patched oIDCClient. +func (c *FakeOIDCClients) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.OIDCClient, err error) { + obj, err := c.Fake. + Invokes(testing.NewPatchSubresourceAction(oidcclientsResource, c.ns, name, pt, data, subresources...), &v1alpha1.OIDCClient{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.OIDCClient), err +} diff --git a/generated/1.24/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go b/generated/1.24/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go new file mode 100644 index 00000000..87d22ea9 --- /dev/null +++ b/generated/1.24/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go 
@@ -0,0 +1,8 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package v1alpha1 + +type OIDCClientExpansion interface{} diff --git a/generated/1.24/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go b/generated/1.24/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go new file mode 100644 index 00000000..3f71b07e --- /dev/null +++ b/generated/1.24/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go 
@@ -0,0 +1,94 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + "net/http" + + v1alpha1 "go.pinniped.dev/generated/1.24/apis/supervisor/oauth/v1alpha1" + "go.pinniped.dev/generated/1.24/client/supervisor/clientset/versioned/scheme" + rest "k8s.io/client-go/rest" +) + +type OauthV1alpha1Interface interface { + RESTClient() rest.Interface + OIDCClientsGetter +} + +// OauthV1alpha1Client is used to interact with features provided by the oauth.supervisor.pinniped.dev group. +type OauthV1alpha1Client struct { + restClient rest.Interface +} + +func (c *OauthV1alpha1Client) OIDCClients(namespace string) OIDCClientInterface { + return newOIDCClients(c, namespace) +} + +// NewForConfig creates a new OauthV1alpha1Client for the given config. +// NewForConfig is equivalent to NewForConfigAndClient(c, httpClient), +// where httpClient was generated with rest.HTTPClientFor(c). +func NewForConfig(c *rest.Config) (*OauthV1alpha1Client, error) { + config := *c + if err := setConfigDefaults(&config); err != nil { + return nil, err + } + httpClient, err := rest.HTTPClientFor(&config) + if err != nil { + return nil, err + } + return NewForConfigAndClient(&config, httpClient) +} + +// NewForConfigAndClient creates a new OauthV1alpha1Client for the given config and http client. +// Note the http client provided takes precedence over the configured transport values. +func NewForConfigAndClient(c *rest.Config, h *http.Client) (*OauthV1alpha1Client, error) { + config := *c + if err := setConfigDefaults(&config); err != nil { + return nil, err + } + client, err := rest.RESTClientForConfigAndClient(&config, h) + if err != nil { + return nil, err + } + return &OauthV1alpha1Client{client}, nil +} + +// NewForConfigOrDie creates a new OauthV1alpha1Client for the given config and +// panics if there is an error in the config. 
+func NewForConfigOrDie(c *rest.Config) *OauthV1alpha1Client { + client, err := NewForConfig(c) + if err != nil { + panic(err) + } + return client +} + +// New creates a new OauthV1alpha1Client for the given RESTClient. +func New(c rest.Interface) *OauthV1alpha1Client { + return &OauthV1alpha1Client{c} +} + +func setConfigDefaults(config *rest.Config) error { + gv := v1alpha1.SchemeGroupVersion + config.GroupVersion = &gv + config.APIPath = "/apis" + config.NegotiatedSerializer = scheme.Codecs.WithoutConversion() + + if config.UserAgent == "" { + config.UserAgent = rest.DefaultKubernetesUserAgent() + } + + return nil +} + +// RESTClient returns a RESTClient that is used to communicate +// with API server by this client implementation. +func (c *OauthV1alpha1Client) RESTClient() rest.Interface { + if c == nil { + return nil + } + return c.restClient +} diff --git a/generated/1.24/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oidcclient.go b/generated/1.24/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oidcclient.go new file mode 100644 index 00000000..cdbc0f4a --- /dev/null +++ b/generated/1.24/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oidcclient.go 
@@ -0,0 +1,182 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + "context" + "time" + + v1alpha1 "go.pinniped.dev/generated/1.24/apis/supervisor/oauth/v1alpha1" + scheme "go.pinniped.dev/generated/1.24/client/supervisor/clientset/versioned/scheme" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + types "k8s.io/apimachinery/pkg/types" + watch "k8s.io/apimachinery/pkg/watch" + rest "k8s.io/client-go/rest" +) + +// OIDCClientsGetter has a method to return a OIDCClientInterface. +// A group's client should implement this interface. +type OIDCClientsGetter interface { + OIDCClients(namespace string) OIDCClientInterface +} + +// OIDCClientInterface has methods to work with OIDCClient resources. +type OIDCClientInterface interface { + Create(ctx context.Context, oIDCClient *v1alpha1.OIDCClient, opts v1.CreateOptions) (*v1alpha1.OIDCClient, error) + Update(ctx context.Context, oIDCClient *v1alpha1.OIDCClient, opts v1.UpdateOptions) (*v1alpha1.OIDCClient, error) + UpdateStatus(ctx context.Context, oIDCClient *v1alpha1.OIDCClient, opts v1.UpdateOptions) (*v1alpha1.OIDCClient, error) + Delete(ctx context.Context, name string, opts v1.DeleteOptions) error + DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error + Get(ctx context.Context, name string, opts v1.GetOptions) (*v1alpha1.OIDCClient, error) + List(ctx context.Context, opts v1.ListOptions) (*v1alpha1.OIDCClientList, error) + Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) + Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.OIDCClient, err error) + OIDCClientExpansion +} + +// oIDCClients implements OIDCClientInterface +type oIDCClients struct { + client rest.Interface + ns string +} + +// newOIDCClients returns a OIDCClients +func 
newOIDCClients(c *OauthV1alpha1Client, namespace string) *oIDCClients { + return &oIDCClients{ + client: c.RESTClient(), + ns: namespace, + } +} + +// Get takes name of the oIDCClient, and returns the corresponding oIDCClient object, and an error if there is any. +func (c *oIDCClients) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.OIDCClient, err error) { + result = &v1alpha1.OIDCClient{} + err = c.client.Get(). + Namespace(c.ns). + Resource("oidcclients"). + Name(name). + VersionedParams(&options, scheme.ParameterCodec). + Do(ctx). + Into(result) + return +} + +// List takes label and field selectors, and returns the list of OIDCClients that match those selectors. +func (c *oIDCClients) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.OIDCClientList, err error) { + var timeout time.Duration + if opts.TimeoutSeconds != nil { + timeout = time.Duration(*opts.TimeoutSeconds) * time.Second + } + result = &v1alpha1.OIDCClientList{} + err = c.client.Get(). + Namespace(c.ns). + Resource("oidcclients"). + VersionedParams(&opts, scheme.ParameterCodec). + Timeout(timeout). + Do(ctx). + Into(result) + return +} + +// Watch returns a watch.Interface that watches the requested oIDCClients. +func (c *oIDCClients) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) { + var timeout time.Duration + if opts.TimeoutSeconds != nil { + timeout = time.Duration(*opts.TimeoutSeconds) * time.Second + } + opts.Watch = true + return c.client.Get(). + Namespace(c.ns). + Resource("oidcclients"). + VersionedParams(&opts, scheme.ParameterCodec). + Timeout(timeout). + Watch(ctx) +} + +// Create takes the representation of a oIDCClient and creates it. Returns the server's representation of the oIDCClient, and an error, if there is any. 
+func (c *oIDCClients) Create(ctx context.Context, oIDCClient *v1alpha1.OIDCClient, opts v1.CreateOptions) (result *v1alpha1.OIDCClient, err error) { + result = &v1alpha1.OIDCClient{} + err = c.client.Post(). + Namespace(c.ns). + Resource("oidcclients"). + VersionedParams(&opts, scheme.ParameterCodec). + Body(oIDCClient). + Do(ctx). + Into(result) + return +} + +// Update takes the representation of a oIDCClient and updates it. Returns the server's representation of the oIDCClient, and an error, if there is any. +func (c *oIDCClients) Update(ctx context.Context, oIDCClient *v1alpha1.OIDCClient, opts v1.UpdateOptions) (result *v1alpha1.OIDCClient, err error) { + result = &v1alpha1.OIDCClient{} + err = c.client.Put(). + Namespace(c.ns). + Resource("oidcclients"). + Name(oIDCClient.Name). + VersionedParams(&opts, scheme.ParameterCodec). + Body(oIDCClient). + Do(ctx). + Into(result) + return +} + +// UpdateStatus was generated because the type contains a Status member. +// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus(). +func (c *oIDCClients) UpdateStatus(ctx context.Context, oIDCClient *v1alpha1.OIDCClient, opts v1.UpdateOptions) (result *v1alpha1.OIDCClient, err error) { + result = &v1alpha1.OIDCClient{} + err = c.client.Put(). + Namespace(c.ns). + Resource("oidcclients"). + Name(oIDCClient.Name). + SubResource("status"). + VersionedParams(&opts, scheme.ParameterCodec). + Body(oIDCClient). + Do(ctx). + Into(result) + return +} + +// Delete takes name of the oIDCClient and deletes it. Returns an error if one occurs. +func (c *oIDCClients) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error { + return c.client.Delete(). + Namespace(c.ns). + Resource("oidcclients"). + Name(name). + Body(&opts). + Do(ctx). + Error() +} + +// DeleteCollection deletes a collection of objects. 
+func (c *oIDCClients) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error { + var timeout time.Duration + if listOpts.TimeoutSeconds != nil { + timeout = time.Duration(*listOpts.TimeoutSeconds) * time.Second + } + return c.client.Delete(). + Namespace(c.ns). + Resource("oidcclients"). + VersionedParams(&listOpts, scheme.ParameterCodec). + Timeout(timeout). + Body(&opts). + Do(ctx). + Error() +} + +// Patch applies the patch and returns the patched oIDCClient. +func (c *oIDCClients) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.OIDCClient, err error) { + result = &v1alpha1.OIDCClient{} + err = c.client.Patch(pt). + Namespace(c.ns). + Resource("oidcclients"). + Name(name). + SubResource(subresources...). + VersionedParams(&opts, scheme.ParameterCodec). + Body(data). + Do(ctx). + Into(result) + return +} diff --git a/generated/1.24/client/supervisor/informers/externalversions/factory.go b/generated/1.24/client/supervisor/informers/externalversions/factory.go index cd409f8c..1160af22 100644 --- a/generated/1.24/client/supervisor/informers/externalversions/factory.go +++ b/generated/1.24/client/supervisor/informers/externalversions/factory.go @@ -14,6 +14,7 @@ import ( config "go.pinniped.dev/generated/1.24/client/supervisor/informers/externalversions/config" idp "go.pinniped.dev/generated/1.24/client/supervisor/informers/externalversions/idp" internalinterfaces "go.pinniped.dev/generated/1.24/client/supervisor/informers/externalversions/internalinterfaces" + oauth "go.pinniped.dev/generated/1.24/client/supervisor/informers/externalversions/oauth" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" runtime "k8s.io/apimachinery/pkg/runtime" schema "k8s.io/apimachinery/pkg/runtime/schema" 
@@ -162,6 +163,7 @@ type SharedInformerFactory interface { Config() config.Interface IDP() idp.Interface + Oauth() oauth.Interface } func (f *sharedInformerFactory) Config() config.Interface { @@ -171,3 +173,7 @@ func (f *sharedInformerFactory) Config() config.Interface { func (f *sharedInformerFactory) IDP() idp.Interface { return idp.New(f, f.namespace, f.tweakListOptions) } + +func (f *sharedInformerFactory) Oauth() oauth.Interface { + return oauth.New(f, f.namespace, f.tweakListOptions) +} diff --git a/generated/1.24/client/supervisor/informers/externalversions/generic.go b/generated/1.24/client/supervisor/informers/externalversions/generic.go index 667b7dfe..cff2d5db 100644 --- a/generated/1.24/client/supervisor/informers/externalversions/generic.go +++ b/generated/1.24/client/supervisor/informers/externalversions/generic.go @@ -10,6 +10,7 @@ import ( v1alpha1 "go.pinniped.dev/generated/1.24/apis/supervisor/config/v1alpha1" idpv1alpha1 "go.pinniped.dev/generated/1.24/apis/supervisor/idp/v1alpha1" + oauthv1alpha1 "go.pinniped.dev/generated/1.24/apis/supervisor/oauth/v1alpha1" schema "k8s.io/apimachinery/pkg/runtime/schema" cache "k8s.io/client-go/tools/cache" ) @@ -52,6 +53,10 @@ func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource case idpv1alpha1.SchemeGroupVersion.WithResource("oidcidentityproviders"): return &genericInformer{resource: resource.GroupResource(), informer: f.IDP().V1alpha1().OIDCIdentityProviders().Informer()}, nil + // Group=oauth.supervisor.pinniped.dev, Version=v1alpha1 + case oauthv1alpha1.SchemeGroupVersion.WithResource("oidcclients"): + return &genericInformer{resource: resource.GroupResource(), informer: f.Oauth().V1alpha1().OIDCClients().Informer()}, nil + } return nil, fmt.Errorf("no informer found for %v", resource) 
diff --git a/generated/1.24/client/supervisor/informers/externalversions/oauth/interface.go b/generated/1.24/client/supervisor/informers/externalversions/oauth/interface.go new file mode 100644 index 00000000..de6a600c --- /dev/null +++ b/generated/1.24/client/supervisor/informers/externalversions/oauth/interface.go @@ -0,0 +1,33 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by informer-gen. DO NOT EDIT. + +package oauth + +import ( + internalinterfaces "go.pinniped.dev/generated/1.24/client/supervisor/informers/externalversions/internalinterfaces" + v1alpha1 "go.pinniped.dev/generated/1.24/client/supervisor/informers/externalversions/oauth/v1alpha1" +) + +// Interface provides access to each of this group's versions. +type Interface interface { + // V1alpha1 provides access to shared informers for resources in V1alpha1. + V1alpha1() v1alpha1.Interface +} + +type group struct { + factory internalinterfaces.SharedInformerFactory + namespace string + tweakListOptions internalinterfaces.TweakListOptionsFunc +} + +// New returns a new Interface. +func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakListOptions internalinterfaces.TweakListOptionsFunc) Interface { + return &group{factory: f, namespace: namespace, tweakListOptions: tweakListOptions} +} + +// V1alpha1 returns a new v1alpha1.Interface. +func (g *group) V1alpha1() v1alpha1.Interface { + return v1alpha1.New(g.factory, g.namespace, g.tweakListOptions) +} diff --git a/generated/1.24/client/supervisor/informers/externalversions/oauth/v1alpha1/interface.go b/generated/1.24/client/supervisor/informers/externalversions/oauth/v1alpha1/interface.go new file mode 100644 index 00000000..7abf7d4f --- /dev/null +++ b/generated/1.24/client/supervisor/informers/externalversions/oauth/v1alpha1/interface.go 
@@ -0,0 +1,32 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by informer-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + internalinterfaces "go.pinniped.dev/generated/1.24/client/supervisor/informers/externalversions/internalinterfaces" +) + +// Interface provides access to all the informers in this group version. +type Interface interface { + // OIDCClients returns a OIDCClientInformer. + OIDCClients() OIDCClientInformer +} + +type version struct { + factory internalinterfaces.SharedInformerFactory + namespace string + tweakListOptions internalinterfaces.TweakListOptionsFunc +} + +// New returns a new Interface. +func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakListOptions internalinterfaces.TweakListOptionsFunc) Interface { + return &version{factory: f, namespace: namespace, tweakListOptions: tweakListOptions} +} + +// OIDCClients returns a OIDCClientInformer. +func (v *version) OIDCClients() OIDCClientInformer { + return &oIDCClientInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions} +} diff --git a/generated/1.24/client/supervisor/informers/externalversions/oauth/v1alpha1/oidcclient.go b/generated/1.24/client/supervisor/informers/externalversions/oauth/v1alpha1/oidcclient.go new file mode 100644 index 00000000..51bc882d --- /dev/null +++ b/generated/1.24/client/supervisor/informers/externalversions/oauth/v1alpha1/oidcclient.go 
@@ -0,0 +1,77 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by informer-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + "context" + time "time" + + oauthv1alpha1 "go.pinniped.dev/generated/1.24/apis/supervisor/oauth/v1alpha1" + versioned "go.pinniped.dev/generated/1.24/client/supervisor/clientset/versioned" + internalinterfaces "go.pinniped.dev/generated/1.24/client/supervisor/informers/externalversions/internalinterfaces" + v1alpha1 "go.pinniped.dev/generated/1.24/client/supervisor/listers/oauth/v1alpha1" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + runtime "k8s.io/apimachinery/pkg/runtime" + watch "k8s.io/apimachinery/pkg/watch" + cache "k8s.io/client-go/tools/cache" +) + +// OIDCClientInformer provides access to a shared informer and lister for +// OIDCClients. +type OIDCClientInformer interface { + Informer() cache.SharedIndexInformer + Lister() v1alpha1.OIDCClientLister +} + +type oIDCClientInformer struct { + factory internalinterfaces.SharedInformerFactory + tweakListOptions internalinterfaces.TweakListOptionsFunc + namespace string +} + +// NewOIDCClientInformer constructs a new informer for OIDCClient type. +// Always prefer using an informer factory to get a shared informer instead of getting an independent +// one. This reduces memory footprint and number of connections to the server. +func NewOIDCClientInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer { + return NewFilteredOIDCClientInformer(client, namespace, resyncPeriod, indexers, nil) +} + +// NewFilteredOIDCClientInformer constructs a new informer for OIDCClient type. +// Always prefer using an informer factory to get a shared informer instead of getting an independent +// one. This reduces memory footprint and number of connections to the server. 
+func NewFilteredOIDCClientInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer { + return cache.NewSharedIndexInformer( + &cache.ListWatch{ + ListFunc: func(options v1.ListOptions) (runtime.Object, error) { + if tweakListOptions != nil { + tweakListOptions(&options) + } + return client.OauthV1alpha1().OIDCClients(namespace).List(context.TODO(), options) + }, + WatchFunc: func(options v1.ListOptions) (watch.Interface, error) { + if tweakListOptions != nil { + tweakListOptions(&options) + } + return client.OauthV1alpha1().OIDCClients(namespace).Watch(context.TODO(), options) + }, + }, + &oauthv1alpha1.OIDCClient{}, + resyncPeriod, + indexers, + ) +} + +func (f *oIDCClientInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer { + return NewFilteredOIDCClientInformer(client, f.namespace, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions) +} + +func (f *oIDCClientInformer) Informer() cache.SharedIndexInformer { + return f.factory.InformerFor(&oauthv1alpha1.OIDCClient{}, f.defaultInformer) +} + +func (f *oIDCClientInformer) Lister() v1alpha1.OIDCClientLister { + return v1alpha1.NewOIDCClientLister(f.Informer().GetIndexer()) +} diff --git a/generated/1.24/client/supervisor/listers/oauth/v1alpha1/expansion_generated.go b/generated/1.24/client/supervisor/listers/oauth/v1alpha1/expansion_generated.go new file mode 100644 index 00000000..c19310da --- /dev/null +++ b/generated/1.24/client/supervisor/listers/oauth/v1alpha1/expansion_generated.go 
@@ -0,0 +1,14 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by lister-gen. DO NOT EDIT. + +package v1alpha1 + +// OIDCClientListerExpansion allows custom methods to be added to +// OIDCClientLister. +type OIDCClientListerExpansion interface{} + +// OIDCClientNamespaceListerExpansion allows custom methods to be added to +// OIDCClientNamespaceLister. +type OIDCClientNamespaceListerExpansion interface{} diff --git a/generated/1.24/client/supervisor/listers/oauth/v1alpha1/oidcclient.go b/generated/1.24/client/supervisor/listers/oauth/v1alpha1/oidcclient.go new file mode 100644 index 00000000..a969aa96 --- /dev/null +++ b/generated/1.24/client/supervisor/listers/oauth/v1alpha1/oidcclient.go 
@@ -0,0 +1,86 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by lister-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + v1alpha1 "go.pinniped.dev/generated/1.24/apis/supervisor/oauth/v1alpha1" + "k8s.io/apimachinery/pkg/api/errors" + "k8s.io/apimachinery/pkg/labels" + "k8s.io/client-go/tools/cache" +) + +// OIDCClientLister helps list OIDCClients. +// All objects returned here must be treated as read-only. +type OIDCClientLister interface { + // List lists all OIDCClients in the indexer. + // Objects returned here must be treated as read-only. + List(selector labels.Selector) (ret []*v1alpha1.OIDCClient, err error) + // OIDCClients returns an object that can list and get OIDCClients. + OIDCClients(namespace string) OIDCClientNamespaceLister + OIDCClientListerExpansion +} + +// oIDCClientLister implements the OIDCClientLister interface. +type oIDCClientLister struct { + indexer cache.Indexer +} + +// NewOIDCClientLister returns a new OIDCClientLister. +func NewOIDCClientLister(indexer cache.Indexer) OIDCClientLister { + return &oIDCClientLister{indexer: indexer} +} + +// List lists all OIDCClients in the indexer. +func (s *oIDCClientLister) List(selector labels.Selector) (ret []*v1alpha1.OIDCClient, err error) { + err = cache.ListAll(s.indexer, selector, func(m interface{}) { + ret = append(ret, m.(*v1alpha1.OIDCClient)) + }) + return ret, err +} + +// OIDCClients returns an object that can list and get OIDCClients. +func (s *oIDCClientLister) OIDCClients(namespace string) OIDCClientNamespaceLister { + return oIDCClientNamespaceLister{indexer: s.indexer, namespace: namespace} +} + +// OIDCClientNamespaceLister helps list and get OIDCClients. +// All objects returned here must be treated as read-only. +type OIDCClientNamespaceLister interface { + // List lists all OIDCClients in the indexer for a given namespace. + // Objects returned here must be treated as read-only. 
+ List(selector labels.Selector) (ret []*v1alpha1.OIDCClient, err error) + // Get retrieves the OIDCClient from the indexer for a given namespace and name. + // Objects returned here must be treated as read-only. + Get(name string) (*v1alpha1.OIDCClient, error) + OIDCClientNamespaceListerExpansion +} + +// oIDCClientNamespaceLister implements the OIDCClientNamespaceLister +// interface. +type oIDCClientNamespaceLister struct { + indexer cache.Indexer + namespace string +} + +// List lists all OIDCClients in the indexer for a given namespace. +func (s oIDCClientNamespaceLister) List(selector labels.Selector) (ret []*v1alpha1.OIDCClient, err error) { + err = cache.ListAllByNamespace(s.indexer, s.namespace, selector, func(m interface{}) { + ret = append(ret, m.(*v1alpha1.OIDCClient)) + }) + return ret, err +} + +// Get retrieves the OIDCClient from the indexer for a given namespace and name. +func (s oIDCClientNamespaceLister) Get(name string) (*v1alpha1.OIDCClient, error) { + obj, exists, err := s.indexer.GetByKey(s.namespace + "/" + name) + if err != nil { + return nil, err + } + if !exists { + return nil, errors.NewNotFound(v1alpha1.Resource("oidcclient"), name) + } + return obj.(*v1alpha1.OIDCClient), nil +} diff --git a/generated/1.24/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml b/generated/1.24/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml new file mode 100644 index 00000000..589a9154 --- /dev/null +++ b/generated/1.24/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml 
@@ -0,0 +1,125 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.8.0 + creationTimestamp: null + name: oidcclients.oauth.supervisor.pinniped.dev +spec: + group: oauth.supervisor.pinniped.dev + names: + categories: + - pinniped + kind: OIDCClient + listKind: OIDCClientList + plural: oidcclients + singular: oidcclient + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: OIDCClient describes the configuration of an OIDC client. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec of the OIDC client. + properties: + allowedGrantTypes: + description: "allowedGrantTypes is a list of the allowed grant_type + param values that should be accepted during OIDC flows with this + client. \n Must only contain the following values: - authorization_code: + allows the client to perform the authorization code grant flow, + i.e. allows the webapp to authenticate users. This grant must always + be listed. - refresh_token: allows the client to perform refresh + grants for the user to extend the user's session. This grant must + be listed if allowedScopes lists offline_access. 
- urn:ietf:params:oauth:grant-type:token-exchange: + allows the client to perform RFC8693 token exchange, which is a + step in the process to be able to get a cluster credential for the + user. This grant must be listed if allowedScopes lists pinniped:request-audience." + items: + enum: + - authorization_code + - refresh_token + - urn:ietf:params:oauth:grant-type:token-exchange + type: string + minItems: 1 + type: array + allowedRedirectURIs: + description: allowedRedirectURIs is a list of the allowed redirect_uri + param values that should be accepted during OIDC flows with this + client. Any other uris will be rejected. Must be https, unless it + is a loopback. + items: + type: string + minItems: 1 + type: array + allowedScopes: + description: "allowedScopes is a list of the allowed scopes param + values that should be accepted during OIDC flows with this client. + \n Must only contain the following values: - openid: The client + is allowed to request ID tokens. ID tokens only include the required + claims by default (iss, sub, aud, exp, iat). This scope must always + be listed. - offline_access: The client is allowed to request an + initial refresh token during the authorization code grant flow. + This scope must be listed if allowedGrantTypes lists refresh_token. + - pinniped:request-audience: The client is allowed to request a + new audience value during a RFC8693 token exchange, which is a step + in the process to be able to get a cluster credential for the user. + openid, username and groups scopes must be listed when this scope + is present. This scope must be listed if allowedGrantTypes lists + urn:ietf:params:oauth:grant-type:token-exchange. - username: The + client is allowed to request that ID tokens contain the user's username. + Without the username scope being requested and allowed, the ID token + will not contain the user's username. 
- groups: The client is allowed + to request that ID tokens contain the user's group membership, if + their group membership is discoverable by the Supervisor. Without + the groups scope being requested and allowed, the ID token will + not contain groups." + items: + enum: + - openid + - offline_access + - username + - groups + - pinniped:request-audience + type: string + minItems: 1 + type: array + required: + - allowedGrantTypes + - allowedRedirectURIs + - allowedScopes + type: object + status: + description: Status of the OIDC client. + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] From 889348e9997a6cbd37e2c13a2803ca42ca3d6f6f Mon Sep 17 00:00:00 2001 From: Margo Crawford Date: Thu, 9 Jun 2022 13:45:21 -0700 Subject: [PATCH 08/61] WIP aggregated api for oidcclientsecretrequest 
Signed-off-by: Margo Crawford --- apis/supervisor/virtual/oauth/doc.go.tmpl | 8 + .../supervisor/virtual/oauth/register.go.tmpl | 37 ++++ .../types_oidcclientsecretrequest.go.tmpl | 25 +++ .../virtual/oauth/v1alpha1/conversion.go.tmpl | 4 + .../virtual/oauth/v1alpha1/defaults.go.tmpl | 12 ++ .../virtual/oauth/v1alpha1/doc.go.tmpl | 11 ++ .../virtual/oauth/v1alpha1/register.go.tmpl | 42 ++++ .../types_oidcclientsecretrequest.go.tmpl | 28 +++ deploy/supervisor/deployment.yaml | 35 ++++ deploy/supervisor/helpers.lib.yaml | 1 + deploy/supervisor/rbac.yaml | 97 +++++++++- generated/1.17/README.adoc | 94 +++++++++ .../1.17/apis/supervisor/virtual/oauth/doc.go | 8 + .../apis/supervisor/virtual/oauth/register.go | 37 ++++ .../oauth/types_oidcclientsecretrequest.go | 25 +++ .../virtual/oauth/v1alpha1/conversion.go | 4 + .../virtual/oauth/v1alpha1/defaults.go | 12 ++ .../supervisor/virtual/oauth/v1alpha1/doc.go | 11 ++ .../virtual/oauth/v1alpha1/register.go | 42 ++++ .../v1alpha1/types_oidcclientsecretrequest.go | 28 +++ .../oauth/v1alpha1/zz_generated.conversion.go | 131 +++++++++++++ .../oauth/v1alpha1/zz_generated.deepcopy.go | 73 +++++++ .../oauth/v1alpha1/zz_generated.defaults.go | 20 ++ .../virtual/oauth/zz_generated.deepcopy.go | 73 +++++++ .../virtual/clientset/versioned/clientset.go | 84 ++++++++ .../virtual/clientset/versioned/doc.go | 7 + .../versioned/fake/clientset_generated.go | 69 +++++++ .../virtual/clientset/versioned/fake/doc.go | 7 + .../clientset/versioned/fake/register.go | 43 +++++ .../virtual/clientset/versioned/scheme/doc.go | 7 + .../clientset/versioned/scheme/register.go | 43 +++++ .../versioned/typed/oauth/v1alpha1/doc.go | 7 + .../typed/oauth/v1alpha1/fake/doc.go | 7 + .../oauth/v1alpha1/fake/fake_oauth_client.go | 27 +++ .../fake/fake_oidcclientsecretrequest.go | 33 ++++ .../oauth/v1alpha1/generated_expansion.go | 8 + .../typed/oauth/v1alpha1/oauth_client.go | 76 ++++++++ .../oauth/v1alpha1/oidcclientsecretrequest.go | 49 +++++ 
generated/1.18/README.adoc | 94 +++++++++ .../1.18/apis/supervisor/virtual/oauth/doc.go | 8 + .../apis/supervisor/virtual/oauth/register.go | 37 ++++ .../oauth/types_oidcclientsecretrequest.go | 25 +++ .../virtual/oauth/v1alpha1/conversion.go | 4 + .../virtual/oauth/v1alpha1/defaults.go | 12 ++ .../supervisor/virtual/oauth/v1alpha1/doc.go | 11 ++ .../virtual/oauth/v1alpha1/register.go | 42 ++++ .../v1alpha1/types_oidcclientsecretrequest.go | 28 +++ .../oauth/v1alpha1/zz_generated.conversion.go | 131 +++++++++++++ .../oauth/v1alpha1/zz_generated.deepcopy.go | 73 +++++++ .../oauth/v1alpha1/zz_generated.defaults.go | 20 ++ .../virtual/oauth/zz_generated.deepcopy.go | 73 +++++++ .../virtual/clientset/versioned/clientset.go | 84 ++++++++ .../virtual/clientset/versioned/doc.go | 7 + .../versioned/fake/clientset_generated.go | 69 +++++++ .../virtual/clientset/versioned/fake/doc.go | 7 + .../clientset/versioned/fake/register.go | 43 +++++ .../virtual/clientset/versioned/scheme/doc.go | 7 + .../clientset/versioned/scheme/register.go | 43 +++++ .../versioned/typed/oauth/v1alpha1/doc.go | 7 + .../typed/oauth/v1alpha1/fake/doc.go | 7 + .../oauth/v1alpha1/fake/fake_oauth_client.go | 27 +++ .../fake/fake_oidcclientsecretrequest.go | 36 ++++ .../oauth/v1alpha1/generated_expansion.go | 8 + .../typed/oauth/v1alpha1/oauth_client.go | 76 ++++++++ .../oauth/v1alpha1/oidcclientsecretrequest.go | 54 ++++++ generated/1.19/README.adoc | 94 +++++++++ .../1.19/apis/supervisor/virtual/oauth/doc.go | 8 + .../apis/supervisor/virtual/oauth/register.go | 37 ++++ .../oauth/types_oidcclientsecretrequest.go | 25 +++ .../virtual/oauth/v1alpha1/conversion.go | 4 + .../virtual/oauth/v1alpha1/defaults.go | 12 ++ .../supervisor/virtual/oauth/v1alpha1/doc.go | 11 ++ .../virtual/oauth/v1alpha1/register.go | 42 ++++ .../v1alpha1/types_oidcclientsecretrequest.go | 28 +++ .../oauth/v1alpha1/zz_generated.conversion.go | 131 +++++++++++++ .../oauth/v1alpha1/zz_generated.deepcopy.go | 73 +++++++ 
.../oauth/v1alpha1/zz_generated.defaults.go | 20 ++ .../virtual/oauth/zz_generated.deepcopy.go | 73 +++++++ .../virtual/clientset/versioned/clientset.go | 84 ++++++++ .../virtual/clientset/versioned/doc.go | 7 + .../versioned/fake/clientset_generated.go | 69 +++++++ .../virtual/clientset/versioned/fake/doc.go | 7 + .../clientset/versioned/fake/register.go | 43 +++++ .../virtual/clientset/versioned/scheme/doc.go | 7 + .../clientset/versioned/scheme/register.go | 43 +++++ .../versioned/typed/oauth/v1alpha1/doc.go | 7 + .../typed/oauth/v1alpha1/fake/doc.go | 7 + .../oauth/v1alpha1/fake/fake_oauth_client.go | 27 +++ .../fake/fake_oidcclientsecretrequest.go | 36 ++++ .../oauth/v1alpha1/generated_expansion.go | 8 + .../typed/oauth/v1alpha1/oauth_client.go | 76 ++++++++ .../oauth/v1alpha1/oidcclientsecretrequest.go | 54 ++++++ generated/1.20/README.adoc | 94 +++++++++ .../1.20/apis/supervisor/virtual/oauth/doc.go | 8 + .../apis/supervisor/virtual/oauth/register.go | 37 ++++ .../oauth/types_oidcclientsecretrequest.go | 25 +++ .../virtual/oauth/v1alpha1/conversion.go | 4 + .../virtual/oauth/v1alpha1/defaults.go | 12 ++ .../supervisor/virtual/oauth/v1alpha1/doc.go | 11 ++ .../virtual/oauth/v1alpha1/register.go | 42 ++++ .../v1alpha1/types_oidcclientsecretrequest.go | 28 +++ .../oauth/v1alpha1/zz_generated.conversion.go | 131 +++++++++++++ .../oauth/v1alpha1/zz_generated.deepcopy.go | 73 +++++++ .../oauth/v1alpha1/zz_generated.defaults.go | 20 ++ .../virtual/oauth/zz_generated.deepcopy.go | 73 +++++++ .../virtual/clientset/versioned/clientset.go | 84 ++++++++ .../virtual/clientset/versioned/doc.go | 7 + .../versioned/fake/clientset_generated.go | 69 +++++++ .../virtual/clientset/versioned/fake/doc.go | 7 + .../clientset/versioned/fake/register.go | 43 +++++ .../virtual/clientset/versioned/scheme/doc.go | 7 + .../clientset/versioned/scheme/register.go | 43 +++++ .../versioned/typed/oauth/v1alpha1/doc.go | 7 + .../typed/oauth/v1alpha1/fake/doc.go | 7 + 
.../oauth/v1alpha1/fake/fake_oauth_client.go | 27 +++ .../fake/fake_oidcclientsecretrequest.go | 36 ++++ .../oauth/v1alpha1/generated_expansion.go | 8 + .../typed/oauth/v1alpha1/oauth_client.go | 76 ++++++++ .../oauth/v1alpha1/oidcclientsecretrequest.go | 54 ++++++ generated/1.21/README.adoc | 94 +++++++++ .../1.21/apis/supervisor/virtual/oauth/doc.go | 8 + .../apis/supervisor/virtual/oauth/register.go | 37 ++++ .../oauth/types_oidcclientsecretrequest.go | 25 +++ .../virtual/oauth/v1alpha1/conversion.go | 4 + .../virtual/oauth/v1alpha1/defaults.go | 12 ++ .../supervisor/virtual/oauth/v1alpha1/doc.go | 11 ++ .../virtual/oauth/v1alpha1/register.go | 42 ++++ .../v1alpha1/types_oidcclientsecretrequest.go | 28 +++ .../oauth/v1alpha1/zz_generated.conversion.go | 131 +++++++++++++ .../oauth/v1alpha1/zz_generated.deepcopy.go | 73 +++++++ .../oauth/v1alpha1/zz_generated.defaults.go | 20 ++ .../virtual/oauth/zz_generated.deepcopy.go | 73 +++++++ .../virtual/clientset/versioned/clientset.go | 84 ++++++++ .../virtual/clientset/versioned/doc.go | 7 + .../versioned/fake/clientset_generated.go | 69 +++++++ .../virtual/clientset/versioned/fake/doc.go | 7 + .../clientset/versioned/fake/register.go | 43 +++++ .../virtual/clientset/versioned/scheme/doc.go | 7 + .../clientset/versioned/scheme/register.go | 43 +++++ .../versioned/typed/oauth/v1alpha1/doc.go | 7 + .../typed/oauth/v1alpha1/fake/doc.go | 7 + .../oauth/v1alpha1/fake/fake_oauth_client.go | 27 +++ .../fake/fake_oidcclientsecretrequest.go | 36 ++++ .../oauth/v1alpha1/generated_expansion.go | 8 + .../typed/oauth/v1alpha1/oauth_client.go | 76 ++++++++ .../oauth/v1alpha1/oidcclientsecretrequest.go | 54 ++++++ generated/1.22/README.adoc | 94 +++++++++ .../1.22/apis/supervisor/virtual/oauth/doc.go | 8 + .../apis/supervisor/virtual/oauth/register.go | 37 ++++ .../oauth/types_oidcclientsecretrequest.go | 25 +++ .../virtual/oauth/v1alpha1/conversion.go | 4 + .../virtual/oauth/v1alpha1/defaults.go | 12 ++ 
.../supervisor/virtual/oauth/v1alpha1/doc.go | 11 ++ .../virtual/oauth/v1alpha1/register.go | 42 ++++ .../v1alpha1/types_oidcclientsecretrequest.go | 28 +++ .../oauth/v1alpha1/zz_generated.conversion.go | 131 +++++++++++++ .../oauth/v1alpha1/zz_generated.deepcopy.go | 73 +++++++ .../oauth/v1alpha1/zz_generated.defaults.go | 20 ++ .../virtual/oauth/zz_generated.deepcopy.go | 73 +++++++ .../virtual/clientset/versioned/clientset.go | 84 ++++++++ .../virtual/clientset/versioned/doc.go | 7 + .../versioned/fake/clientset_generated.go | 72 +++++++ .../virtual/clientset/versioned/fake/doc.go | 7 + .../clientset/versioned/fake/register.go | 43 +++++ .../virtual/clientset/versioned/scheme/doc.go | 7 + .../clientset/versioned/scheme/register.go | 43 +++++ .../versioned/typed/oauth/v1alpha1/doc.go | 7 + .../typed/oauth/v1alpha1/fake/doc.go | 7 + .../oauth/v1alpha1/fake/fake_oauth_client.go | 27 +++ .../fake/fake_oidcclientsecretrequest.go | 36 ++++ .../oauth/v1alpha1/generated_expansion.go | 8 + .../typed/oauth/v1alpha1/oauth_client.go | 76 ++++++++ .../oauth/v1alpha1/oidcclientsecretrequest.go | 54 ++++++ generated/1.23/README.adoc | 94 +++++++++ .../1.23/apis/supervisor/virtual/oauth/doc.go | 8 + .../apis/supervisor/virtual/oauth/register.go | 37 ++++ .../oauth/types_oidcclientsecretrequest.go | 25 +++ .../virtual/oauth/v1alpha1/conversion.go | 4 + .../virtual/oauth/v1alpha1/defaults.go | 12 ++ .../supervisor/virtual/oauth/v1alpha1/doc.go | 11 ++ .../virtual/oauth/v1alpha1/register.go | 42 ++++ .../v1alpha1/types_oidcclientsecretrequest.go | 28 +++ .../oauth/v1alpha1/zz_generated.conversion.go | 131 +++++++++++++ .../oauth/v1alpha1/zz_generated.deepcopy.go | 73 +++++++ .../oauth/v1alpha1/zz_generated.defaults.go | 20 ++ .../virtual/oauth/zz_generated.deepcopy.go | 73 +++++++ .../virtual/clientset/versioned/clientset.go | 104 ++++++++++ .../virtual/clientset/versioned/doc.go | 7 + .../versioned/fake/clientset_generated.go | 72 +++++++ 
.../virtual/clientset/versioned/fake/doc.go | 7 + .../clientset/versioned/fake/register.go | 43 +++++ .../virtual/clientset/versioned/scheme/doc.go | 7 + .../clientset/versioned/scheme/register.go | 43 +++++ .../versioned/typed/oauth/v1alpha1/doc.go | 7 + .../typed/oauth/v1alpha1/fake/doc.go | 7 + .../oauth/v1alpha1/fake/fake_oauth_client.go | 27 +++ .../fake/fake_oidcclientsecretrequest.go | 36 ++++ .../oauth/v1alpha1/generated_expansion.go | 8 + .../typed/oauth/v1alpha1/oauth_client.go | 94 +++++++++ .../oauth/v1alpha1/oidcclientsecretrequest.go | 54 ++++++ .../apis/supervisor/virtual/oauth/doc.go | 8 + .../apis/supervisor/virtual/oauth/register.go | 37 ++++ .../oauth/types_oidcclientsecretrequest.go | 25 +++ .../virtual/oauth/v1alpha1/conversion.go | 4 + .../virtual/oauth/v1alpha1/defaults.go | 12 ++ .../supervisor/virtual/oauth/v1alpha1/doc.go | 11 ++ .../virtual/oauth/v1alpha1/register.go | 42 ++++ .../v1alpha1/types_oidcclientsecretrequest.go | 28 +++ .../oauth/v1alpha1/zz_generated.conversion.go | 131 +++++++++++++ .../oauth/v1alpha1/zz_generated.deepcopy.go | 73 +++++++ .../oauth/v1alpha1/zz_generated.defaults.go | 20 ++ .../virtual/oauth/zz_generated.deepcopy.go | 73 +++++++ .../virtual/clientset/versioned/clientset.go | 104 ++++++++++ .../virtual/clientset/versioned/doc.go | 7 + .../versioned/fake/clientset_generated.go | 72 +++++++ .../virtual/clientset/versioned/fake/doc.go | 7 + .../clientset/versioned/fake/register.go | 43 +++++ .../virtual/clientset/versioned/scheme/doc.go | 7 + .../clientset/versioned/scheme/register.go | 43 +++++ .../versioned/typed/oauth/v1alpha1/doc.go | 7 + .../typed/oauth/v1alpha1/fake/doc.go | 7 + .../oauth/v1alpha1/fake/fake_oauth_client.go | 27 +++ .../fake/fake_oidcclientsecretrequest.go | 36 ++++ .../oauth/v1alpha1/generated_expansion.go | 8 + .../typed/oauth/v1alpha1/oauth_client.go | 94 +++++++++ .../oauth/v1alpha1/oidcclientsecretrequest.go | 54 ++++++ hack/lib/update-codegen.sh | 13 +- 
internal/config/supervisor/types.go | 1 + internal/groupsuffix/groupdata.go | 16 +- internal/registry/clientsecretrequest/rest.go | 83 ++++++++ internal/supervisor/apiserver/apiserver.go | 139 ++++++++++++++ internal/supervisor/scheme/scheme.go | 91 +++++++++ internal/supervisor/scheme/scheme_test.go | 139 ++++++++++++++ internal/supervisor/server/server.go | 179 ++++++++++++++++-- test/integration/kube_api_discovery_test.go | 34 +++- 235 files changed, 9218 insertions(+), 24 deletions(-) create mode 100644 apis/supervisor/virtual/oauth/doc.go.tmpl create mode 100644 apis/supervisor/virtual/oauth/register.go.tmpl create mode 100644 apis/supervisor/virtual/oauth/types_oidcclientsecretrequest.go.tmpl create mode 100644 apis/supervisor/virtual/oauth/v1alpha1/conversion.go.tmpl create mode 100644 apis/supervisor/virtual/oauth/v1alpha1/defaults.go.tmpl create mode 100644 apis/supervisor/virtual/oauth/v1alpha1/doc.go.tmpl create mode 100644 apis/supervisor/virtual/oauth/v1alpha1/register.go.tmpl create mode 100644 apis/supervisor/virtual/oauth/v1alpha1/types_oidcclientsecretrequest.go.tmpl create mode 100644 generated/1.17/apis/supervisor/virtual/oauth/doc.go create mode 100644 generated/1.17/apis/supervisor/virtual/oauth/register.go create mode 100644 generated/1.17/apis/supervisor/virtual/oauth/types_oidcclientsecretrequest.go create mode 100644 generated/1.17/apis/supervisor/virtual/oauth/v1alpha1/conversion.go create mode 100644 generated/1.17/apis/supervisor/virtual/oauth/v1alpha1/defaults.go create mode 100644 generated/1.17/apis/supervisor/virtual/oauth/v1alpha1/doc.go create mode 100644 generated/1.17/apis/supervisor/virtual/oauth/v1alpha1/register.go create mode 100644 generated/1.17/apis/supervisor/virtual/oauth/v1alpha1/types_oidcclientsecretrequest.go create mode 100644 generated/1.17/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.conversion.go create mode 100644 generated/1.17/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.deepcopy.go create mode 
100644 generated/1.17/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.defaults.go create mode 100644 generated/1.17/apis/supervisor/virtual/oauth/zz_generated.deepcopy.go create mode 100644 generated/1.17/client/supervisor/virtual/clientset/versioned/clientset.go create mode 100644 generated/1.17/client/supervisor/virtual/clientset/versioned/doc.go create mode 100644 generated/1.17/client/supervisor/virtual/clientset/versioned/fake/clientset_generated.go create mode 100644 generated/1.17/client/supervisor/virtual/clientset/versioned/fake/doc.go create mode 100644 generated/1.17/client/supervisor/virtual/clientset/versioned/fake/register.go create mode 100644 generated/1.17/client/supervisor/virtual/clientset/versioned/scheme/doc.go create mode 100644 generated/1.17/client/supervisor/virtual/clientset/versioned/scheme/register.go create mode 100644 generated/1.17/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/doc.go create mode 100644 generated/1.17/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go create mode 100644 generated/1.17/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go create mode 100644 generated/1.17/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oidcclientsecretrequest.go create mode 100644 generated/1.17/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go create mode 100644 generated/1.17/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go create mode 100644 generated/1.17/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/oidcclientsecretrequest.go create mode 100644 generated/1.18/apis/supervisor/virtual/oauth/doc.go create mode 100644 generated/1.18/apis/supervisor/virtual/oauth/register.go create mode 100644 generated/1.18/apis/supervisor/virtual/oauth/types_oidcclientsecretrequest.go create mode 100644 
generated/1.18/apis/supervisor/virtual/oauth/v1alpha1/conversion.go create mode 100644 generated/1.18/apis/supervisor/virtual/oauth/v1alpha1/defaults.go create mode 100644 generated/1.18/apis/supervisor/virtual/oauth/v1alpha1/doc.go create mode 100644 generated/1.18/apis/supervisor/virtual/oauth/v1alpha1/register.go create mode 100644 generated/1.18/apis/supervisor/virtual/oauth/v1alpha1/types_oidcclientsecretrequest.go create mode 100644 generated/1.18/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.conversion.go create mode 100644 generated/1.18/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.deepcopy.go create mode 100644 generated/1.18/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.defaults.go create mode 100644 generated/1.18/apis/supervisor/virtual/oauth/zz_generated.deepcopy.go create mode 100644 generated/1.18/client/supervisor/virtual/clientset/versioned/clientset.go create mode 100644 generated/1.18/client/supervisor/virtual/clientset/versioned/doc.go create mode 100644 generated/1.18/client/supervisor/virtual/clientset/versioned/fake/clientset_generated.go create mode 100644 generated/1.18/client/supervisor/virtual/clientset/versioned/fake/doc.go create mode 100644 generated/1.18/client/supervisor/virtual/clientset/versioned/fake/register.go create mode 100644 generated/1.18/client/supervisor/virtual/clientset/versioned/scheme/doc.go create mode 100644 generated/1.18/client/supervisor/virtual/clientset/versioned/scheme/register.go create mode 100644 generated/1.18/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/doc.go create mode 100644 generated/1.18/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go create mode 100644 generated/1.18/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go create mode 100644 generated/1.18/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oidcclientsecretrequest.go create mode 100644 
generated/1.18/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go create mode 100644 generated/1.18/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go create mode 100644 generated/1.18/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/oidcclientsecretrequest.go create mode 100644 generated/1.19/apis/supervisor/virtual/oauth/doc.go create mode 100644 generated/1.19/apis/supervisor/virtual/oauth/register.go create mode 100644 generated/1.19/apis/supervisor/virtual/oauth/types_oidcclientsecretrequest.go create mode 100644 generated/1.19/apis/supervisor/virtual/oauth/v1alpha1/conversion.go create mode 100644 generated/1.19/apis/supervisor/virtual/oauth/v1alpha1/defaults.go create mode 100644 generated/1.19/apis/supervisor/virtual/oauth/v1alpha1/doc.go create mode 100644 generated/1.19/apis/supervisor/virtual/oauth/v1alpha1/register.go create mode 100644 generated/1.19/apis/supervisor/virtual/oauth/v1alpha1/types_oidcclientsecretrequest.go create mode 100644 generated/1.19/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.conversion.go create mode 100644 generated/1.19/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.deepcopy.go create mode 100644 generated/1.19/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.defaults.go create mode 100644 generated/1.19/apis/supervisor/virtual/oauth/zz_generated.deepcopy.go create mode 100644 generated/1.19/client/supervisor/virtual/clientset/versioned/clientset.go create mode 100644 generated/1.19/client/supervisor/virtual/clientset/versioned/doc.go create mode 100644 generated/1.19/client/supervisor/virtual/clientset/versioned/fake/clientset_generated.go create mode 100644 generated/1.19/client/supervisor/virtual/clientset/versioned/fake/doc.go create mode 100644 generated/1.19/client/supervisor/virtual/clientset/versioned/fake/register.go create mode 100644 generated/1.19/client/supervisor/virtual/clientset/versioned/scheme/doc.go create 
mode 100644 generated/1.19/client/supervisor/virtual/clientset/versioned/scheme/register.go create mode 100644 generated/1.19/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/doc.go create mode 100644 generated/1.19/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go create mode 100644 generated/1.19/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go create mode 100644 generated/1.19/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oidcclientsecretrequest.go create mode 100644 generated/1.19/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go create mode 100644 generated/1.19/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go create mode 100644 generated/1.19/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/oidcclientsecretrequest.go create mode 100644 generated/1.20/apis/supervisor/virtual/oauth/doc.go create mode 100644 generated/1.20/apis/supervisor/virtual/oauth/register.go create mode 100644 generated/1.20/apis/supervisor/virtual/oauth/types_oidcclientsecretrequest.go create mode 100644 generated/1.20/apis/supervisor/virtual/oauth/v1alpha1/conversion.go create mode 100644 generated/1.20/apis/supervisor/virtual/oauth/v1alpha1/defaults.go create mode 100644 generated/1.20/apis/supervisor/virtual/oauth/v1alpha1/doc.go create mode 100644 generated/1.20/apis/supervisor/virtual/oauth/v1alpha1/register.go create mode 100644 generated/1.20/apis/supervisor/virtual/oauth/v1alpha1/types_oidcclientsecretrequest.go create mode 100644 generated/1.20/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.conversion.go create mode 100644 generated/1.20/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.deepcopy.go create mode 100644 generated/1.20/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.defaults.go create mode 100644 
generated/1.20/apis/supervisor/virtual/oauth/zz_generated.deepcopy.go create mode 100644 generated/1.20/client/supervisor/virtual/clientset/versioned/clientset.go create mode 100644 generated/1.20/client/supervisor/virtual/clientset/versioned/doc.go create mode 100644 generated/1.20/client/supervisor/virtual/clientset/versioned/fake/clientset_generated.go create mode 100644 generated/1.20/client/supervisor/virtual/clientset/versioned/fake/doc.go create mode 100644 generated/1.20/client/supervisor/virtual/clientset/versioned/fake/register.go create mode 100644 generated/1.20/client/supervisor/virtual/clientset/versioned/scheme/doc.go create mode 100644 generated/1.20/client/supervisor/virtual/clientset/versioned/scheme/register.go create mode 100644 generated/1.20/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/doc.go create mode 100644 generated/1.20/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go create mode 100644 generated/1.20/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go create mode 100644 generated/1.20/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oidcclientsecretrequest.go create mode 100644 generated/1.20/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go create mode 100644 generated/1.20/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go create mode 100644 generated/1.20/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/oidcclientsecretrequest.go create mode 100644 generated/1.21/apis/supervisor/virtual/oauth/doc.go create mode 100644 generated/1.21/apis/supervisor/virtual/oauth/register.go create mode 100644 generated/1.21/apis/supervisor/virtual/oauth/types_oidcclientsecretrequest.go create mode 100644 generated/1.21/apis/supervisor/virtual/oauth/v1alpha1/conversion.go create mode 100644 
generated/1.21/apis/supervisor/virtual/oauth/v1alpha1/defaults.go create mode 100644 generated/1.21/apis/supervisor/virtual/oauth/v1alpha1/doc.go create mode 100644 generated/1.21/apis/supervisor/virtual/oauth/v1alpha1/register.go create mode 100644 generated/1.21/apis/supervisor/virtual/oauth/v1alpha1/types_oidcclientsecretrequest.go create mode 100644 generated/1.21/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.conversion.go create mode 100644 generated/1.21/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.deepcopy.go create mode 100644 generated/1.21/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.defaults.go create mode 100644 generated/1.21/apis/supervisor/virtual/oauth/zz_generated.deepcopy.go create mode 100644 generated/1.21/client/supervisor/virtual/clientset/versioned/clientset.go create mode 100644 generated/1.21/client/supervisor/virtual/clientset/versioned/doc.go create mode 100644 generated/1.21/client/supervisor/virtual/clientset/versioned/fake/clientset_generated.go create mode 100644 generated/1.21/client/supervisor/virtual/clientset/versioned/fake/doc.go create mode 100644 generated/1.21/client/supervisor/virtual/clientset/versioned/fake/register.go create mode 100644 generated/1.21/client/supervisor/virtual/clientset/versioned/scheme/doc.go create mode 100644 generated/1.21/client/supervisor/virtual/clientset/versioned/scheme/register.go create mode 100644 generated/1.21/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/doc.go create mode 100644 generated/1.21/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go create mode 100644 generated/1.21/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go create mode 100644 generated/1.21/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oidcclientsecretrequest.go create mode 100644 
generated/1.21/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go create mode 100644 generated/1.21/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go create mode 100644 generated/1.21/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/oidcclientsecretrequest.go create mode 100644 generated/1.22/apis/supervisor/virtual/oauth/doc.go create mode 100644 generated/1.22/apis/supervisor/virtual/oauth/register.go create mode 100644 generated/1.22/apis/supervisor/virtual/oauth/types_oidcclientsecretrequest.go create mode 100644 generated/1.22/apis/supervisor/virtual/oauth/v1alpha1/conversion.go create mode 100644 generated/1.22/apis/supervisor/virtual/oauth/v1alpha1/defaults.go create mode 100644 generated/1.22/apis/supervisor/virtual/oauth/v1alpha1/doc.go create mode 100644 generated/1.22/apis/supervisor/virtual/oauth/v1alpha1/register.go create mode 100644 generated/1.22/apis/supervisor/virtual/oauth/v1alpha1/types_oidcclientsecretrequest.go create mode 100644 generated/1.22/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.conversion.go create mode 100644 generated/1.22/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.deepcopy.go create mode 100644 generated/1.22/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.defaults.go create mode 100644 generated/1.22/apis/supervisor/virtual/oauth/zz_generated.deepcopy.go create mode 100644 generated/1.22/client/supervisor/virtual/clientset/versioned/clientset.go create mode 100644 generated/1.22/client/supervisor/virtual/clientset/versioned/doc.go create mode 100644 generated/1.22/client/supervisor/virtual/clientset/versioned/fake/clientset_generated.go create mode 100644 generated/1.22/client/supervisor/virtual/clientset/versioned/fake/doc.go create mode 100644 generated/1.22/client/supervisor/virtual/clientset/versioned/fake/register.go create mode 100644 generated/1.22/client/supervisor/virtual/clientset/versioned/scheme/doc.go create 
mode 100644 generated/1.22/client/supervisor/virtual/clientset/versioned/scheme/register.go create mode 100644 generated/1.22/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/doc.go create mode 100644 generated/1.22/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go create mode 100644 generated/1.22/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go create mode 100644 generated/1.22/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oidcclientsecretrequest.go create mode 100644 generated/1.22/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go create mode 100644 generated/1.22/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go create mode 100644 generated/1.22/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/oidcclientsecretrequest.go create mode 100644 generated/1.23/apis/supervisor/virtual/oauth/doc.go create mode 100644 generated/1.23/apis/supervisor/virtual/oauth/register.go create mode 100644 generated/1.23/apis/supervisor/virtual/oauth/types_oidcclientsecretrequest.go create mode 100644 generated/1.23/apis/supervisor/virtual/oauth/v1alpha1/conversion.go create mode 100644 generated/1.23/apis/supervisor/virtual/oauth/v1alpha1/defaults.go create mode 100644 generated/1.23/apis/supervisor/virtual/oauth/v1alpha1/doc.go create mode 100644 generated/1.23/apis/supervisor/virtual/oauth/v1alpha1/register.go create mode 100644 generated/1.23/apis/supervisor/virtual/oauth/v1alpha1/types_oidcclientsecretrequest.go create mode 100644 generated/1.23/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.conversion.go create mode 100644 generated/1.23/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.deepcopy.go create mode 100644 generated/1.23/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.defaults.go create mode 100644 
generated/1.23/apis/supervisor/virtual/oauth/zz_generated.deepcopy.go create mode 100644 generated/1.23/client/supervisor/virtual/clientset/versioned/clientset.go create mode 100644 generated/1.23/client/supervisor/virtual/clientset/versioned/doc.go create mode 100644 generated/1.23/client/supervisor/virtual/clientset/versioned/fake/clientset_generated.go create mode 100644 generated/1.23/client/supervisor/virtual/clientset/versioned/fake/doc.go create mode 100644 generated/1.23/client/supervisor/virtual/clientset/versioned/fake/register.go create mode 100644 generated/1.23/client/supervisor/virtual/clientset/versioned/scheme/doc.go create mode 100644 generated/1.23/client/supervisor/virtual/clientset/versioned/scheme/register.go create mode 100644 generated/1.23/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/doc.go create mode 100644 generated/1.23/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go create mode 100644 generated/1.23/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go create mode 100644 generated/1.23/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oidcclientsecretrequest.go create mode 100644 generated/1.23/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go create mode 100644 generated/1.23/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go create mode 100644 generated/1.23/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/oidcclientsecretrequest.go create mode 100644 generated/latest/apis/supervisor/virtual/oauth/doc.go create mode 100644 generated/latest/apis/supervisor/virtual/oauth/register.go create mode 100644 generated/latest/apis/supervisor/virtual/oauth/types_oidcclientsecretrequest.go create mode 100644 generated/latest/apis/supervisor/virtual/oauth/v1alpha1/conversion.go create mode 100644 
generated/latest/apis/supervisor/virtual/oauth/v1alpha1/defaults.go create mode 100644 generated/latest/apis/supervisor/virtual/oauth/v1alpha1/doc.go create mode 100644 generated/latest/apis/supervisor/virtual/oauth/v1alpha1/register.go create mode 100644 generated/latest/apis/supervisor/virtual/oauth/v1alpha1/types_oidcclientsecretrequest.go create mode 100644 generated/latest/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.conversion.go create mode 100644 generated/latest/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.deepcopy.go create mode 100644 generated/latest/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.defaults.go create mode 100644 generated/latest/apis/supervisor/virtual/oauth/zz_generated.deepcopy.go create mode 100644 generated/latest/client/supervisor/virtual/clientset/versioned/clientset.go create mode 100644 generated/latest/client/supervisor/virtual/clientset/versioned/doc.go create mode 100644 generated/latest/client/supervisor/virtual/clientset/versioned/fake/clientset_generated.go create mode 100644 generated/latest/client/supervisor/virtual/clientset/versioned/fake/doc.go create mode 100644 generated/latest/client/supervisor/virtual/clientset/versioned/fake/register.go create mode 100644 generated/latest/client/supervisor/virtual/clientset/versioned/scheme/doc.go create mode 100644 generated/latest/client/supervisor/virtual/clientset/versioned/scheme/register.go create mode 100644 generated/latest/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/doc.go create mode 100644 generated/latest/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go create mode 100644 generated/latest/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go create mode 100644 generated/latest/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oidcclientsecretrequest.go create mode 100644 
generated/latest/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go create mode 100644 generated/latest/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go create mode 100644 generated/latest/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/oidcclientsecretrequest.go create mode 100644 internal/registry/clientsecretrequest/rest.go create mode 100644 internal/supervisor/apiserver/apiserver.go create mode 100644 internal/supervisor/scheme/scheme.go create mode 100644 internal/supervisor/scheme/scheme_test.go diff --git a/apis/supervisor/virtual/oauth/doc.go.tmpl b/apis/supervisor/virtual/oauth/doc.go.tmpl new file mode 100644 index 00000000..ca4e9a63 --- /dev/null +++ b/apis/supervisor/virtual/oauth/doc.go.tmpl @@ -0,0 +1,8 @@ +// Copyright 2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// +k8s:deepcopy-gen=package +// +groupName=oauth.virtual.supervisor.pinniped.dev + +// Package oauth is the internal version of the Pinniped virtual oauth API. +package oauth diff --git a/apis/supervisor/virtual/oauth/register.go.tmpl b/apis/supervisor/virtual/oauth/register.go.tmpl new file mode 100644 index 00000000..a238d85f --- /dev/null +++ b/apis/supervisor/virtual/oauth/register.go.tmpl 
@@ -0,0 +1,37 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package oauth
+
+import (
+ "k8s.io/apimachinery/pkg/runtime"
+ "k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+const GroupName = "oauth.virtual.supervisor.pinniped.dev"
+
+// SchemeGroupVersion is group version used to register these objects.
+var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: runtime.APIVersionInternal}
+
+// Kind takes an unqualified kind and returns back a Group qualified GroupKind.
+func Kind(kind string) schema.GroupKind {
+ return SchemeGroupVersion.WithKind(kind).GroupKind()
+}
+
+// Resource takes an unqualified resource and returns back a Group qualified GroupResource.
+func Resource(resource string) schema.GroupResource {
+ return SchemeGroupVersion.WithResource(resource).GroupResource()
+}
+
+var (
+ SchemeBuilder = runtime.NewSchemeBuilder(addKnownTypes)
+ AddToScheme = SchemeBuilder.AddToScheme
+)
+
+// Adds the list of known types to the given scheme.
+func addKnownTypes(scheme *runtime.Scheme) error {
+ scheme.AddKnownTypes(SchemeGroupVersion,
+ &OIDCClientSecretRequest{},
+ )
+ return nil
+}
diff --git a/apis/supervisor/virtual/oauth/types_oidcclientsecretrequest.go.tmpl b/apis/supervisor/virtual/oauth/types_oidcclientsecretrequest.go.tmpl
new file mode 100644
index 00000000..ac54a93c
--- /dev/null
+++ b/apis/supervisor/virtual/oauth/types_oidcclientsecretrequest.go.tmpl
@@ -0,0 +1,25 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package oauth
+
+import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+type OIDCClientSecretRequestSpec struct {
+ GenerateNewSecret bool `json:"generateNewSecret"`
+ RevokeOldSecrets bool `json:"revokeOldSecrets"`
+}
+
+type OIDCClientSecretRequestStatus struct {
+ GeneratedSecret string `json:"generatedSecret,omitempty"`
+ TotalClientSecrets int `json:"totalClientSecrets"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+type OIDCClientSecretRequest struct {
+ metav1.TypeMeta `json:",inline"`
+ metav1.ObjectMeta `json:"metadata,omitempty"` // metadata.name must be set to the client ID
+
+ Spec OIDCClientSecretRequestSpec `json:"spec"`
+ Status OIDCClientSecretRequestStatus `json:"status"`
+}
diff --git a/apis/supervisor/virtual/oauth/v1alpha1/conversion.go.tmpl b/apis/supervisor/virtual/oauth/v1alpha1/conversion.go.tmpl
new file mode 100644
index 00000000..fcf4e82f
--- /dev/null
+++ b/apis/supervisor/virtual/oauth/v1alpha1/conversion.go.tmpl
@@ -0,0 +1,4 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
diff --git a/apis/supervisor/virtual/oauth/v1alpha1/defaults.go.tmpl b/apis/supervisor/virtual/oauth/v1alpha1/defaults.go.tmpl
new file mode 100644
index 00000000..d4f5a9e8
--- /dev/null
+++ b/apis/supervisor/virtual/oauth/v1alpha1/defaults.go.tmpl
@@ -0,0 +1,12 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import (
+ "k8s.io/apimachinery/pkg/runtime"
+)
+
+func addDefaultingFuncs(scheme *runtime.Scheme) error {
+ return RegisterDefaults(scheme)
+}
diff --git a/apis/supervisor/virtual/oauth/v1alpha1/doc.go.tmpl b/apis/supervisor/virtual/oauth/v1alpha1/doc.go.tmpl
new file mode 100644
index 00000000..c94cc7b7
--- /dev/null
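Review bot: The spec gives no rule for the flag combinations, and `revokeOldSecrets: true` together with `generateNewSecret: false` would leave the client with no usable secret at all, while both false makes the request a no-op that still reports `totalClientSecrets`; the handler that decides this lives in `internal/registry/clientsecretrequest/rest.go`, which this chunk does not show, so whatever policy it implements should be stated on the fields. I would put on `RevokeOldSecrets`: `// RevokeOldSecrets, when true, deletes every client secret that existed before this request; pair it with GenerateNewSecret unless the intent is to lock the client out.` and a matching one-liner on `GenerateNewSecret`. `TotalClientSecrets` should say whether it counts the secrets remaining after this request's generation and revocation have been applied. This internal hub type mirrors the v1alpha1 type later in the patch, so the same wording belongs on both.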
+++ b/apis/supervisor/virtual/oauth/v1alpha1/doc.go.tmpl
@@ -0,0 +1,11 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// +k8s:openapi-gen=true
+// +k8s:deepcopy-gen=package
+// +k8s:conversion-gen=go.pinniped.dev/GENERATED_PKG/apis/supervisor/virtual/oauth
+// +k8s:defaulter-gen=TypeMeta
+// +groupName=oauth.virtual.supervisor.pinniped.dev
+
+// Package v1alpha1 is the v1alpha1 version of the Pinniped virtual oauth API.
+package v1alpha1
diff --git a/apis/supervisor/virtual/oauth/v1alpha1/register.go.tmpl b/apis/supervisor/virtual/oauth/v1alpha1/register.go.tmpl
new file mode 100644
index 00000000..ecc75a08
--- /dev/null
+++ b/apis/supervisor/virtual/oauth/v1alpha1/register.go.tmpl
@@ -0,0 +1,42 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import (
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/apimachinery/pkg/runtime"
+ "k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+const GroupName = "oauth.virtual.supervisor.pinniped.dev"
+
+// SchemeGroupVersion is group version used to register these objects.
+var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha1"}
+
+var (
+ SchemeBuilder runtime.SchemeBuilder
+ localSchemeBuilder = &SchemeBuilder
+ AddToScheme = SchemeBuilder.AddToScheme
+)
+
+func init() {
+ // We only register manually written functions here. The registration of the
+ // generated functions takes place in the generated files. The separation
+ // makes the code compile even when the generated files are missing.
+ localSchemeBuilder.Register(addKnownTypes, addDefaultingFuncs)
+}
+
+// Adds the list of known types to the given scheme.
+func addKnownTypes(scheme *runtime.Scheme) error {
+ scheme.AddKnownTypes(SchemeGroupVersion,
+ &OIDCClientSecretRequest{},
+ )
+ metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
+ return nil
+}
+
+// Resource takes an unqualified resource and returns back a Group qualified GroupResource.
+func Resource(resource string) schema.GroupResource {
+ return SchemeGroupVersion.WithResource(resource).GroupResource()
+}
diff --git a/apis/supervisor/virtual/oauth/v1alpha1/types_oidcclientsecretrequest.go.tmpl b/apis/supervisor/virtual/oauth/v1alpha1/types_oidcclientsecretrequest.go.tmpl
new file mode 100644
index 00000000..dda2f3bb
--- /dev/null
+++ b/apis/supervisor/virtual/oauth/v1alpha1/types_oidcclientsecretrequest.go.tmpl
@@ -0,0 +1,28 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+type OIDCClientSecretRequestSpec struct {
+ GenerateNewSecret bool `json:"generateNewSecret"`
+ RevokeOldSecrets bool `json:"revokeOldSecrets"`
+}
+
+type OIDCClientSecretRequestStatus struct {
+ GeneratedSecret string `json:"generatedSecret,omitempty"`
+ TotalClientSecrets int `json:"totalClientSecrets"`
+}
+
+// +genclient
+// +genclient:onlyVerbs=create
+// +kubebuilder:subresource:status
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+type OIDCClientSecretRequest struct {
+ metav1.TypeMeta `json:",inline"`
+ metav1.ObjectMeta `json:"metadata,omitempty"` // metadata.name must be set to the client ID
+
+ Spec OIDCClientSecretRequestSpec `json:"spec"`
+ Status OIDCClientSecretRequestStatus `json:"status"`
+}
diff --git a/deploy/supervisor/deployment.yaml b/deploy/supervisor/deployment.yaml
index b4c60ec2..e125771a 100644
--- a/deploy/supervisor/deployment.yaml
+++ b/deploy/supervisor/deployment.yaml
@@ -10,6 +10,7 @@
 #@ "namespace",
 #@ "defaultResourceName",
 #@ "defaultResourceNameWithSuffix",
+#@ "pinnipedDevAPIGroupWithPrefix",
 #@ "getPinnipedConfigMapData",
 #@ "hasUnixNetworkEndpoint",
 #@ )
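Review bot: `GeneratedSecret` carries a plaintext OAuth client secret in an API response body, and nothing on the type says whether it is shown once and never persisted; the generated README in this same patch renders an empty description cell for every field of this type, which confirms the doc comments are missing. I would add `// GeneratedSecret is the new client secret in plaintext. It is returned only in the response to this create request and is not stored in or retrievable from the status afterwards.` on the field (hedged until the handler confirms it), plus one-line comments on both spec flags and on `TotalClientSecrets`, and move the `metadata.name must be set to the client ID` remark into a proper doc comment on the type so it reaches the generated docs. Because the secret travels in the response, a kube-apiserver audit policy that logs response bodies for this API group would also capture it; a short NOTE on the field warning operators to keep this group at Metadata/Request level would be useful, though I have not checked any audit configuration here. The `+kubebuilder:subresource:status` marker on a create-only aggregated resource looks like a leftover from the CRD templates, since no CRD is generated for it — worth confirming and dropping if unused.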
@@ -174,3 +175,37 @@ spec: labelSelector: matchLabels: #@ deploymentPodLabel() topologyKey: kubernetes.io/hostname +--- +apiVersion: v1 +kind: Service +metadata: + #! If name is changed, must also change names.apiService in the ConfigMap above and spec.service.name in the APIService below. + name: #@ defaultResourceNameWithSuffix("api") + namespace: #@ namespace() + labels: #@ labels() + #! prevent kapp from altering the selector of our services to match kubectl behavior + annotations: + kapp.k14s.io/disable-default-label-scoping-rules: "" +spec: + type: ClusterIP + selector: #@ deploymentPodLabel() + ports: + - protocol: TCP + port: 443 + targetPort: 10250 +--- +apiVersion: apiregistration.k8s.io/v1 +kind: APIService +metadata: + name: #@ pinnipedDevAPIGroupWithPrefix("v1alpha1.oauth.virtual.supervisor") + labels: #@ labels() +spec: + version: v1alpha1 + group: #@ pinnipedDevAPIGroupWithPrefix("oauth.virtual.supervisor") + groupPriorityMinimum: 9900 + versionPriority: 15 + #! caBundle: Do not include this key here. Starts out null, will be updated/owned by the golang code. + service: + name: #@ defaultResourceNameWithSuffix("api") + namespace: #@ namespace() + port: 443 diff --git a/deploy/supervisor/helpers.lib.yaml b/deploy/supervisor/helpers.lib.yaml index d759e874..fbb60a2d 100644 --- a/deploy/supervisor/helpers.lib.yaml +++ b/deploy/supervisor/helpers.lib.yaml @@ -50,6 +50,7 @@ _: #@ template.replace(data.values.custom_labels) #@ "apiGroupSuffix": data.values.api_group_suffix, #@ "names": { #@ "defaultTLSCertificateSecret": defaultResourceNameWithSuffix("default-tls-certificate"), +#@ "apiService": defaultResourceNameWithSuffix("api"), #@ }, #@ "labels": labels(), #@ "insecureAcceptExternalUnencryptedHttpRequests": data.values.deprecated_insecure_accept_external_unencrypted_http_requests diff --git a/deploy/supervisor/rbac.yaml b/deploy/supervisor/rbac.yaml index f980a92f..8fe7e58d 100644 --- a/deploy/supervisor/rbac.yaml +++ b/deploy/supervisor/rbac.yaml 
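Review bot: `targetPort: 10250` on the new Service is an undocumented magic number that has to agree with whatever listen port the supervisor's aggregated API server is configured with outside this hunk; I would put `#! 10250 must match the aggregated API server listen port configured in the supervisor binary` on the line above it. 10250 is also the kubelet's default port, so this only avoids a collision because the pod is not on the host network — presumably true of the existing Deployment, but its pod spec is not in this hunk. The APIService correctly leaves `insecureSkipTLSVerify` unset so the aggregator verifies the serving certificate against the `caBundle` the comment says the Go code populates; if the API is briefly unavailable before that bundle is written, the fix is to wait for the controller, not to relax that setting.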
@@ -1,4 +1,4 @@ -#! Copyright 2020-2021 the Pinniped contributors. All Rights Reserved. +#! Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. #! SPDX-License-Identifier: Apache-2.0 #@ load("@ytt:data", "data") 
@@ -74,3 +74,98 @@ roleRef: kind: Role name: #@ defaultResourceName() apiGroup: rbac.authorization.k8s.io + +#! Give permissions for a special configmap of CA bundles that is needed by aggregated api servers +--- +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: #@ defaultResourceNameWithSuffix("extension-apiserver-authentication-reader") + namespace: kube-system + labels: #@ labels() +subjects: + - kind: ServiceAccount + name: #@ defaultResourceName() + namespace: #@ namespace() +roleRef: + kind: Role + name: extension-apiserver-authentication-reader + apiGroup: rbac.authorization.k8s.io + +#! Give permission to list and watch ConfigMaps in kube-public +--- +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: #@ defaultResourceNameWithSuffix("cluster-info-lister-watcher") + namespace: kube-public + labels: #@ labels() +rules: + - apiGroups: [ "" ] + resources: [ configmaps ] + verbs: [ list, watch ] +#! Give permissions for subjectaccessreviews, tokenreview that is needed by aggregated api servers +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: #@ defaultResourceName() + labels: #@ labels() +subjects: + - kind: ServiceAccount + name: #@ defaultResourceName() + namespace: #@ namespace() +roleRef: + kind: ClusterRole + name: system:auth-delegator + apiGroup: rbac.authorization.k8s.io +--- +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: #@ defaultResourceNameWithSuffix("cluster-info-lister-watcher") + namespace: kube-public + labels: #@ labels() +subjects: + - kind: ServiceAccount + name: #@ defaultResourceName() + namespace: #@ namespace() +roleRef: + kind: Role + name: #@ defaultResourceNameWithSuffix("cluster-info-lister-watcher") + apiGroup: rbac.authorization.k8s.io + +#! 
Give permission to various cluster-scoped objects +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: #@ defaultResourceNameWithSuffix("aggregated-api-server") + labels: #@ labels() +rules: + - apiGroups: [ "" ] + resources: [ namespaces ] + verbs: [ get, list, watch ] + - apiGroups: [ apiregistration.k8s.io ] + resources: [ apiservices ] + verbs: [ get, list, patch, update, watch ] + - apiGroups: [ admissionregistration.k8s.io ] + resources: [ validatingwebhookconfigurations, mutatingwebhookconfigurations ] + verbs: [ get, list, watch ] + - apiGroups: [ flowcontrol.apiserver.k8s.io ] + resources: [ flowschemas, prioritylevelconfigurations ] + verbs: [ get, list, watch ] +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: #@ defaultResourceNameWithSuffix("aggregated-api-server") + labels: #@ labels() +subjects: + - kind: ServiceAccount + name: #@ defaultResourceName() + namespace: #@ namespace() +roleRef: + kind: ClusterRole + name: #@ defaultResourceNameWithSuffix("aggregated-api-server") + apiGroup: rbac.authorization.k8s.io diff --git a/generated/1.17/README.adoc b/generated/1.17/README.adoc index 693d8d6b..0b90292d 100644 --- a/generated/1.17/README.adoc +++ b/generated/1.17/README.adoc @@ -13,6 +13,8 @@ - xref:{anchor_prefix}-idp-supervisor-pinniped-dev-v1alpha1[$$idp.supervisor.pinniped.dev/v1alpha1$$] - xref:{anchor_prefix}-login-concierge-pinniped-dev-v1alpha1[$$login.concierge.pinniped.dev/v1alpha1$$] - xref:{anchor_prefix}-oauth-supervisor-pinniped-dev-v1alpha1[$$oauth.supervisor.pinniped.dev/v1alpha1$$] +- xref:{anchor_prefix}-oauth-virtual-supervisor-pinniped-dev-oauth[$$oauth.virtual.supervisor.pinniped.dev/oauth$$] +- xref:{anchor_prefix}-oauth-virtual-supervisor-pinniped-dev-v1alpha1[$$oauth.virtual.supervisor.pinniped.dev/v1alpha1$$] [id="{anchor_prefix}-authentication-concierge-pinniped-dev-v1alpha1"] 
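Review bot: The `aggregated-api-server` ClusterRole grants `patch` and `update` on every APIService in the cluster, while the only object the supervisor needs to write is its own `v1alpha1.oauth.virtual.supervisor` APIService created in deployment.yaml in this patch; a compromised supervisor service account could otherwise repoint any other aggregated API, including other authentication-related ones, at a service it controls. `resourceNames` applies to `get`/`patch`/`update` (not `list`/`watch`), so split the rule as below and scope the write verbs to that one name; rbac.yaml will need the `pinnipedDevAPIGroupWithPrefix` helper loaded if it is not already, as the load line is outside this hunk. Separately, the `#! Give permission to list and watch ConfigMaps in kube-public` Role is followed by the `system:auth-delegator` binding under a comment about subjectaccessreviews, and its own RoleBinding only appears after that; placing the binding directly under its Role keeps the file readable.
```yaml
  - apiGroups: [ apiregistration.k8s.io ]
    resources: [ apiservices ]
    verbs: [ list, watch ]
  - apiGroups: [ apiregistration.k8s.io ]
    resources: [ apiservices ]
    resourceNames:
      - #@ pinnipedDevAPIGroupWithPrefix("v1alpha1.oauth.virtual.supervisor")
    verbs: [ get, patch, update ]
#! … unchanged: namespaces, admissionregistration and flowcontrol rules …
```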
@@ -1386,3 +1388,95 @@ OIDCClientSpec is a struct that describes an OIDC Client. + +[id="{anchor_prefix}-oauth-virtual-supervisor-pinniped-dev-oauth"] +=== oauth.virtual.supervisor.pinniped.dev/oauth + +Package oauth is the internal version of the Pinniped virtual oauth API. + + + + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-virtual-oauth-oidcclientsecretrequestspec"] +==== OIDCClientSecretRequestSpec + + + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-virtual-oauth-oidcclientsecretrequest[$$OIDCClientSecretRequest$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`generateNewSecret`* __boolean__ | +| *`revokeOldSecrets`* __boolean__ | +|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-virtual-oauth-oidcclientsecretrequeststatus"] +==== OIDCClientSecretRequestStatus + + + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-virtual-oauth-oidcclientsecretrequest[$$OIDCClientSecretRequest$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`generatedSecret`* __string__ | +| *`totalClientSecrets`* __integer__ | +|=== + + + +[id="{anchor_prefix}-oauth-virtual-supervisor-pinniped-dev-v1alpha1"] +=== oauth.virtual.supervisor.pinniped.dev/v1alpha1 + +Package v1alpha1 is the v1alpha1 version of the Pinniped virtual oauth API. 
+ + + + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-virtual-oauth-v1alpha1-oidcclientsecretrequestspec"] +==== OIDCClientSecretRequestSpec + + + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-virtual-oauth-v1alpha1-oidcclientsecretrequest[$$OIDCClientSecretRequest$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`generateNewSecret`* __boolean__ | +| *`revokeOldSecrets`* __boolean__ | +|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-virtual-oauth-v1alpha1-oidcclientsecretrequeststatus"] +==== OIDCClientSecretRequestStatus + + + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-virtual-oauth-v1alpha1-oidcclientsecretrequest[$$OIDCClientSecretRequest$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`generatedSecret`* __string__ | +| *`totalClientSecrets`* __integer__ | +|=== + + diff --git a/generated/1.17/apis/supervisor/virtual/oauth/doc.go b/generated/1.17/apis/supervisor/virtual/oauth/doc.go new file mode 100644 index 00000000..ca4e9a63 --- /dev/null +++ b/generated/1.17/apis/supervisor/virtual/oauth/doc.go @@ -0,0 +1,8 @@ +// Copyright 2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// +k8s:deepcopy-gen=package +// +groupName=oauth.virtual.supervisor.pinniped.dev + +// Package oauth is the internal version of the Pinniped virtual oauth API. +package oauth diff --git a/generated/1.17/apis/supervisor/virtual/oauth/register.go b/generated/1.17/apis/supervisor/virtual/oauth/register.go new file mode 100644 index 00000000..a238d85f --- /dev/null +++ b/generated/1.17/apis/supervisor/virtual/oauth/register.go 
@@ -0,0 +1,37 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package oauth
+
+import (
+ "k8s.io/apimachinery/pkg/runtime"
+ "k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+const GroupName = "oauth.virtual.supervisor.pinniped.dev"
+
+// SchemeGroupVersion is group version used to register these objects.
+var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: runtime.APIVersionInternal}
+
+// Kind takes an unqualified kind and returns back a Group qualified GroupKind.
+func Kind(kind string) schema.GroupKind {
+ return SchemeGroupVersion.WithKind(kind).GroupKind()
+}
+
+// Resource takes an unqualified resource and returns back a Group qualified GroupResource.
+func Resource(resource string) schema.GroupResource {
+ return SchemeGroupVersion.WithResource(resource).GroupResource()
+}
+
+var (
+ SchemeBuilder = runtime.NewSchemeBuilder(addKnownTypes)
+ AddToScheme = SchemeBuilder.AddToScheme
+)
+
+// Adds the list of known types to the given scheme.
+func addKnownTypes(scheme *runtime.Scheme) error {
+ scheme.AddKnownTypes(SchemeGroupVersion,
+ &OIDCClientSecretRequest{},
+ )
+ return nil
+}
diff --git a/generated/1.17/apis/supervisor/virtual/oauth/types_oidcclientsecretrequest.go b/generated/1.17/apis/supervisor/virtual/oauth/types_oidcclientsecretrequest.go
new file mode 100644
index 00000000..ac54a93c
--- /dev/null
+++ b/generated/1.17/apis/supervisor/virtual/oauth/types_oidcclientsecretrequest.go
@@ -0,0 +1,25 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package oauth
+
+import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+type OIDCClientSecretRequestSpec struct {
+ GenerateNewSecret bool `json:"generateNewSecret"`
+ RevokeOldSecrets bool `json:"revokeOldSecrets"`
+}
+
+type OIDCClientSecretRequestStatus struct {
+ GeneratedSecret string `json:"generatedSecret,omitempty"`
+ TotalClientSecrets int `json:"totalClientSecrets"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+type OIDCClientSecretRequest struct {
+ metav1.TypeMeta `json:",inline"`
+ metav1.ObjectMeta `json:"metadata,omitempty"` // metadata.name must be set to the client ID
+
+ Spec OIDCClientSecretRequestSpec `json:"spec"`
+ Status OIDCClientSecretRequestStatus `json:"status"`
+}
diff --git a/generated/1.17/apis/supervisor/virtual/oauth/v1alpha1/conversion.go b/generated/1.17/apis/supervisor/virtual/oauth/v1alpha1/conversion.go
new file mode 100644
index 00000000..fcf4e82f
--- /dev/null
+++ b/generated/1.17/apis/supervisor/virtual/oauth/v1alpha1/conversion.go
@@ -0,0 +1,4 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
diff --git a/generated/1.17/apis/supervisor/virtual/oauth/v1alpha1/defaults.go b/generated/1.17/apis/supervisor/virtual/oauth/v1alpha1/defaults.go
new file mode 100644
index 00000000..d4f5a9e8
--- /dev/null
+++ b/generated/1.17/apis/supervisor/virtual/oauth/v1alpha1/defaults.go
@@ -0,0 +1,12 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import (
+ "k8s.io/apimachinery/pkg/runtime"
+)
+
+func addDefaultingFuncs(scheme *runtime.Scheme) error {
+ return RegisterDefaults(scheme)
+}
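Review bot: `TotalClientSecrets int` in OIDCClientSecretRequestStatus uses an unsized integer, which Kubernetes API conventions (and the usual API linters) reject for API types because its width is platform-dependent and ambiguous in the OpenAPI schema; the v1alpha1 version of the type in this same patch has the identical field, and the generated conversion copies it field-for-field, so both should change together. Use `TotalClientSecrets int32 `json:"totalClientSecrets"`` in both packages. The Spec, Status and request structs also carry no doc comments, which is why the README generated in this patch renders every field with an empty Description cell; a one-line comment per field and a type-level comment would fix that, but only state what the serving implementation (not in this patch) actually does, since the field names alone do not establish the semantics.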
diff --git a/generated/1.17/apis/supervisor/virtual/oauth/v1alpha1/doc.go b/generated/1.17/apis/supervisor/virtual/oauth/v1alpha1/doc.go
new file mode 100644
index 00000000..6437db4d
--- /dev/null
+++ b/generated/1.17/apis/supervisor/virtual/oauth/v1alpha1/doc.go
@@ -0,0 +1,11 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// +k8s:openapi-gen=true
+// +k8s:deepcopy-gen=package
+// +k8s:conversion-gen=go.pinniped.dev/generated/1.17/apis/supervisor/virtual/oauth
+// +k8s:defaulter-gen=TypeMeta
+// +groupName=oauth.virtual.supervisor.pinniped.dev
+
+// Package v1alpha1 is the v1alpha1 version of the Pinniped virtual oauth API.
+package v1alpha1
diff --git a/generated/1.17/apis/supervisor/virtual/oauth/v1alpha1/register.go b/generated/1.17/apis/supervisor/virtual/oauth/v1alpha1/register.go
new file mode 100644
index 00000000..ecc75a08
--- /dev/null
+++ b/generated/1.17/apis/supervisor/virtual/oauth/v1alpha1/register.go
@@ -0,0 +1,42 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import (
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/apimachinery/pkg/runtime"
+ "k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+const GroupName = "oauth.virtual.supervisor.pinniped.dev"
+
+// SchemeGroupVersion is group version used to register these objects.
+var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha1"}
+
+var (
+ SchemeBuilder runtime.SchemeBuilder
+ localSchemeBuilder = &SchemeBuilder
+ AddToScheme = SchemeBuilder.AddToScheme
+)
+
+func init() {
+ // We only register manually written functions here. The registration of the
+ // generated functions takes place in the generated files. The separation
+ // makes the code compile even when the generated files are missing.
+ localSchemeBuilder.Register(addKnownTypes, addDefaultingFuncs)
+}
+
+// Adds the list of known types to the given scheme.
+func addKnownTypes(scheme *runtime.Scheme) error {
+ scheme.AddKnownTypes(SchemeGroupVersion,
+ &OIDCClientSecretRequest{},
+ )
+ metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
+ return nil
+}
+
+// Resource takes an unqualified resource and returns back a Group qualified GroupResource.
+func Resource(resource string) schema.GroupResource {
+ return SchemeGroupVersion.WithResource(resource).GroupResource()
+}
diff --git a/generated/1.17/apis/supervisor/virtual/oauth/v1alpha1/types_oidcclientsecretrequest.go b/generated/1.17/apis/supervisor/virtual/oauth/v1alpha1/types_oidcclientsecretrequest.go
new file mode 100644
index 00000000..dda2f3bb
--- /dev/null
+++ b/generated/1.17/apis/supervisor/virtual/oauth/v1alpha1/types_oidcclientsecretrequest.go
@@ -0,0 +1,28 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+type OIDCClientSecretRequestSpec struct {
+ GenerateNewSecret bool `json:"generateNewSecret"`
+ RevokeOldSecrets bool `json:"revokeOldSecrets"`
+}
+
+type OIDCClientSecretRequestStatus struct {
+ GeneratedSecret string `json:"generatedSecret,omitempty"`
+ TotalClientSecrets int `json:"totalClientSecrets"`
+}
+
+// +genclient
+// +genclient:onlyVerbs=create
+// +kubebuilder:subresource:status
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+type OIDCClientSecretRequest struct {
+ metav1.TypeMeta `json:",inline"`
+ metav1.ObjectMeta `json:"metadata,omitempty"` // metadata.name must be set to the client ID
+
+ Spec OIDCClientSecretRequestSpec `json:"spec"`
+ Status OIDCClientSecretRequestStatus `json:"status"`
+}
diff --git a/generated/1.17/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.conversion.go b/generated/1.17/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.conversion.go
new file mode 100644
index 00000000..b4f28183
--- /dev/null
+++ b/generated/1.17/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.conversion.go
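Review bot: `status.generatedSecret` carries a plaintext OAuth client secret in the create response, so any audit policy that records request or response bodies (`RequestResponse` level) for the `oauth.virtual.supervisor.pinniped.dev` group would write that secret into the audit log, and any handler-side logging of the returned object would do the same; the type should document this, e.g. `// GeneratedSecret holds the newly generated client secret. It is returned only once and must never be logged or audited at body level.`, and the deployment's audit policy for this resource should be checked to stay at Metadata or below. The `// +kubebuilder:subresource:status` marker is a CRD-generation marker, and this type is served by an aggregated (virtual) API rather than a CRD, so it presumably has no effect here and looks copied from the OIDCClient CRD types; confirm it is intended or drop it to avoid implying a `/status` endpoint exists. With `+genclient:onlyVerbs=create` and no list type registered, the resource has no list or watch path, which is the right shape for a one-shot request object, but nothing says so; a type-level doc comment stating that and that `metadata.name` is the OIDCClient's client ID (per the inline comment on ObjectMeta) would make the contract explicit, and would also fill the Description cells that the generated README in this patch currently leaves empty.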
@@ -0,0 +1,131 @@ +//go:build !ignore_autogenerated +// +build !ignore_autogenerated + +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by conversion-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + oauth "go.pinniped.dev/generated/1.17/apis/supervisor/virtual/oauth" + conversion "k8s.io/apimachinery/pkg/conversion" + runtime "k8s.io/apimachinery/pkg/runtime" +) + +func init() { + localSchemeBuilder.Register(RegisterConversions) +} + +// RegisterConversions adds conversion functions to the given scheme. +// Public to allow building arbitrary schemes. +func RegisterConversions(s *runtime.Scheme) error { + if err := s.AddGeneratedConversionFunc((*OIDCClientSecretRequest)(nil), (*oauth.OIDCClientSecretRequest)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_v1alpha1_OIDCClientSecretRequest_To_oauth_OIDCClientSecretRequest(a.(*OIDCClientSecretRequest), b.(*oauth.OIDCClientSecretRequest), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*oauth.OIDCClientSecretRequest)(nil), (*OIDCClientSecretRequest)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_oauth_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest(a.(*oauth.OIDCClientSecretRequest), b.(*OIDCClientSecretRequest), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*OIDCClientSecretRequestSpec)(nil), (*oauth.OIDCClientSecretRequestSpec)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_v1alpha1_OIDCClientSecretRequestSpec_To_oauth_OIDCClientSecretRequestSpec(a.(*OIDCClientSecretRequestSpec), b.(*oauth.OIDCClientSecretRequestSpec), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*oauth.OIDCClientSecretRequestSpec)(nil), (*OIDCClientSecretRequestSpec)(nil), func(a, b interface{}, scope conversion.Scope) error { + return 
Convert_oauth_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec(a.(*oauth.OIDCClientSecretRequestSpec), b.(*OIDCClientSecretRequestSpec), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*OIDCClientSecretRequestStatus)(nil), (*oauth.OIDCClientSecretRequestStatus)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_v1alpha1_OIDCClientSecretRequestStatus_To_oauth_OIDCClientSecretRequestStatus(a.(*OIDCClientSecretRequestStatus), b.(*oauth.OIDCClientSecretRequestStatus), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*oauth.OIDCClientSecretRequestStatus)(nil), (*OIDCClientSecretRequestStatus)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_oauth_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus(a.(*oauth.OIDCClientSecretRequestStatus), b.(*OIDCClientSecretRequestStatus), scope) + }); err != nil { + return err + } + return nil +} + +func autoConvert_v1alpha1_OIDCClientSecretRequest_To_oauth_OIDCClientSecretRequest(in *OIDCClientSecretRequest, out *oauth.OIDCClientSecretRequest, s conversion.Scope) error { + out.ObjectMeta = in.ObjectMeta + if err := Convert_v1alpha1_OIDCClientSecretRequestSpec_To_oauth_OIDCClientSecretRequestSpec(&in.Spec, &out.Spec, s); err != nil { + return err + } + if err := Convert_v1alpha1_OIDCClientSecretRequestStatus_To_oauth_OIDCClientSecretRequestStatus(&in.Status, &out.Status, s); err != nil { + return err + } + return nil +} + +// Convert_v1alpha1_OIDCClientSecretRequest_To_oauth_OIDCClientSecretRequest is an autogenerated conversion function. 
+func Convert_v1alpha1_OIDCClientSecretRequest_To_oauth_OIDCClientSecretRequest(in *OIDCClientSecretRequest, out *oauth.OIDCClientSecretRequest, s conversion.Scope) error { + return autoConvert_v1alpha1_OIDCClientSecretRequest_To_oauth_OIDCClientSecretRequest(in, out, s) +} + +func autoConvert_oauth_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest(in *oauth.OIDCClientSecretRequest, out *OIDCClientSecretRequest, s conversion.Scope) error { + out.ObjectMeta = in.ObjectMeta + if err := Convert_oauth_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec(&in.Spec, &out.Spec, s); err != nil { + return err + } + if err := Convert_oauth_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus(&in.Status, &out.Status, s); err != nil { + return err + } + return nil +} + +// Convert_oauth_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest is an autogenerated conversion function. +func Convert_oauth_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest(in *oauth.OIDCClientSecretRequest, out *OIDCClientSecretRequest, s conversion.Scope) error { + return autoConvert_oauth_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest(in, out, s) +} + +func autoConvert_v1alpha1_OIDCClientSecretRequestSpec_To_oauth_OIDCClientSecretRequestSpec(in *OIDCClientSecretRequestSpec, out *oauth.OIDCClientSecretRequestSpec, s conversion.Scope) error { + out.GenerateNewSecret = in.GenerateNewSecret + out.RevokeOldSecrets = in.RevokeOldSecrets + return nil +} + +// Convert_v1alpha1_OIDCClientSecretRequestSpec_To_oauth_OIDCClientSecretRequestSpec is an autogenerated conversion function. 
+func Convert_v1alpha1_OIDCClientSecretRequestSpec_To_oauth_OIDCClientSecretRequestSpec(in *OIDCClientSecretRequestSpec, out *oauth.OIDCClientSecretRequestSpec, s conversion.Scope) error { + return autoConvert_v1alpha1_OIDCClientSecretRequestSpec_To_oauth_OIDCClientSecretRequestSpec(in, out, s) +} + +func autoConvert_oauth_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec(in *oauth.OIDCClientSecretRequestSpec, out *OIDCClientSecretRequestSpec, s conversion.Scope) error { + out.GenerateNewSecret = in.GenerateNewSecret + out.RevokeOldSecrets = in.RevokeOldSecrets + return nil +} + +// Convert_oauth_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec is an autogenerated conversion function. +func Convert_oauth_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec(in *oauth.OIDCClientSecretRequestSpec, out *OIDCClientSecretRequestSpec, s conversion.Scope) error { + return autoConvert_oauth_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec(in, out, s) +} + +func autoConvert_v1alpha1_OIDCClientSecretRequestStatus_To_oauth_OIDCClientSecretRequestStatus(in *OIDCClientSecretRequestStatus, out *oauth.OIDCClientSecretRequestStatus, s conversion.Scope) error { + out.GeneratedSecret = in.GeneratedSecret + out.TotalClientSecrets = in.TotalClientSecrets + return nil +} + +// Convert_v1alpha1_OIDCClientSecretRequestStatus_To_oauth_OIDCClientSecretRequestStatus is an autogenerated conversion function. 
+func Convert_v1alpha1_OIDCClientSecretRequestStatus_To_oauth_OIDCClientSecretRequestStatus(in *OIDCClientSecretRequestStatus, out *oauth.OIDCClientSecretRequestStatus, s conversion.Scope) error { + return autoConvert_v1alpha1_OIDCClientSecretRequestStatus_To_oauth_OIDCClientSecretRequestStatus(in, out, s) +} + +func autoConvert_oauth_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus(in *oauth.OIDCClientSecretRequestStatus, out *OIDCClientSecretRequestStatus, s conversion.Scope) error { + out.GeneratedSecret = in.GeneratedSecret + out.TotalClientSecrets = in.TotalClientSecrets + return nil +} + +// Convert_oauth_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus is an autogenerated conversion function. +func Convert_oauth_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus(in *oauth.OIDCClientSecretRequestStatus, out *OIDCClientSecretRequestStatus, s conversion.Scope) error { + return autoConvert_oauth_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus(in, out, s) +} diff --git a/generated/1.17/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.deepcopy.go b/generated/1.17/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.deepcopy.go new file mode 100644 index 00000000..e4fce842 --- /dev/null +++ b/generated/1.17/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.deepcopy.go 
@@ -0,0 +1,73 @@ +//go:build !ignore_autogenerated +// +build !ignore_autogenerated + +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by deepcopy-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + runtime "k8s.io/apimachinery/pkg/runtime" +) + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCClientSecretRequest) DeepCopyInto(out *OIDCClientSecretRequest) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + out.Spec = in.Spec + out.Status = in.Status + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSecretRequest. +func (in *OIDCClientSecretRequest) DeepCopy() *OIDCClientSecretRequest { + if in == nil { + return nil + } + out := new(OIDCClientSecretRequest) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *OIDCClientSecretRequest) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCClientSecretRequestSpec) DeepCopyInto(out *OIDCClientSecretRequestSpec) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSecretRequestSpec. +func (in *OIDCClientSecretRequestSpec) DeepCopy() *OIDCClientSecretRequestSpec { + if in == nil { + return nil + } + out := new(OIDCClientSecretRequestSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *OIDCClientSecretRequestStatus) DeepCopyInto(out *OIDCClientSecretRequestStatus) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSecretRequestStatus. +func (in *OIDCClientSecretRequestStatus) DeepCopy() *OIDCClientSecretRequestStatus { + if in == nil { + return nil + } + out := new(OIDCClientSecretRequestStatus) + in.DeepCopyInto(out) + return out +} diff --git a/generated/1.17/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.defaults.go b/generated/1.17/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.defaults.go new file mode 100644 index 00000000..9097a935 --- /dev/null +++ b/generated/1.17/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.defaults.go @@ -0,0 +1,20 @@ +//go:build !ignore_autogenerated +// +build !ignore_autogenerated + +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by defaulter-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + runtime "k8s.io/apimachinery/pkg/runtime" +) + +// RegisterDefaults adds defaulters functions to the given scheme. +// Public to allow building arbitrary schemes. +// All generated defaulters are covering - they call all nested defaulters. +func RegisterDefaults(scheme *runtime.Scheme) error { + return nil +} diff --git a/generated/1.17/apis/supervisor/virtual/oauth/zz_generated.deepcopy.go b/generated/1.17/apis/supervisor/virtual/oauth/zz_generated.deepcopy.go new file mode 100644 index 00000000..24b58e7b --- /dev/null +++ b/generated/1.17/apis/supervisor/virtual/oauth/zz_generated.deepcopy.go 
@@ -0,0 +1,73 @@ +//go:build !ignore_autogenerated +// +build !ignore_autogenerated + +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by deepcopy-gen. DO NOT EDIT. + +package oauth + +import ( + runtime "k8s.io/apimachinery/pkg/runtime" +) + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCClientSecretRequest) DeepCopyInto(out *OIDCClientSecretRequest) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + out.Spec = in.Spec + out.Status = in.Status + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSecretRequest. +func (in *OIDCClientSecretRequest) DeepCopy() *OIDCClientSecretRequest { + if in == nil { + return nil + } + out := new(OIDCClientSecretRequest) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *OIDCClientSecretRequest) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCClientSecretRequestSpec) DeepCopyInto(out *OIDCClientSecretRequestSpec) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSecretRequestSpec. +func (in *OIDCClientSecretRequestSpec) DeepCopy() *OIDCClientSecretRequestSpec { + if in == nil { + return nil + } + out := new(OIDCClientSecretRequestSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *OIDCClientSecretRequestStatus) DeepCopyInto(out *OIDCClientSecretRequestStatus) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSecretRequestStatus. +func (in *OIDCClientSecretRequestStatus) DeepCopy() *OIDCClientSecretRequestStatus { + if in == nil { + return nil + } + out := new(OIDCClientSecretRequestStatus) + in.DeepCopyInto(out) + return out +} diff --git a/generated/1.17/client/supervisor/virtual/clientset/versioned/clientset.go b/generated/1.17/client/supervisor/virtual/clientset/versioned/clientset.go new file mode 100644 index 00000000..61281edb --- /dev/null +++ b/generated/1.17/client/supervisor/virtual/clientset/versioned/clientset.go 
@@ -0,0 +1,84 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package versioned + +import ( + "fmt" + + oauthv1alpha1 "go.pinniped.dev/generated/1.17/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1" + discovery "k8s.io/client-go/discovery" + rest "k8s.io/client-go/rest" + flowcontrol "k8s.io/client-go/util/flowcontrol" +) + +type Interface interface { + Discovery() discovery.DiscoveryInterface + OauthV1alpha1() oauthv1alpha1.OauthV1alpha1Interface +} + +// Clientset contains the clients for groups. Each group has exactly one +// version included in a Clientset. +type Clientset struct { + *discovery.DiscoveryClient + oauthV1alpha1 *oauthv1alpha1.OauthV1alpha1Client +} + +// OauthV1alpha1 retrieves the OauthV1alpha1Client +func (c *Clientset) OauthV1alpha1() oauthv1alpha1.OauthV1alpha1Interface { + return c.oauthV1alpha1 +} + +// Discovery retrieves the DiscoveryClient +func (c *Clientset) Discovery() discovery.DiscoveryInterface { + if c == nil { + return nil + } + return c.DiscoveryClient +} + +// NewForConfig creates a new Clientset for the given config. +// If config's RateLimiter is not set and QPS and Burst are acceptable, +// NewForConfig will generate a rate-limiter in configShallowCopy. 
+func NewForConfig(c *rest.Config) (*Clientset, error) { + configShallowCopy := *c + if configShallowCopy.RateLimiter == nil && configShallowCopy.QPS > 0 { + if configShallowCopy.Burst <= 0 { + return nil, fmt.Errorf("Burst is required to be greater than 0 when RateLimiter is not set and QPS is set to greater than 0") + } + configShallowCopy.RateLimiter = flowcontrol.NewTokenBucketRateLimiter(configShallowCopy.QPS, configShallowCopy.Burst) + } + var cs Clientset + var err error + cs.oauthV1alpha1, err = oauthv1alpha1.NewForConfig(&configShallowCopy) + if err != nil { + return nil, err + } + + cs.DiscoveryClient, err = discovery.NewDiscoveryClientForConfig(&configShallowCopy) + if err != nil { + return nil, err + } + return &cs, nil +} + +// NewForConfigOrDie creates a new Clientset for the given config and +// panics if there is an error in the config. +func NewForConfigOrDie(c *rest.Config) *Clientset { + var cs Clientset + cs.oauthV1alpha1 = oauthv1alpha1.NewForConfigOrDie(c) + + cs.DiscoveryClient = discovery.NewDiscoveryClientForConfigOrDie(c) + return &cs +} + +// New creates a new Clientset for the given RESTClient. +func New(c rest.Interface) *Clientset { + var cs Clientset + cs.oauthV1alpha1 = oauthv1alpha1.New(c) + + cs.DiscoveryClient = discovery.NewDiscoveryClient(c) + return &cs +} diff --git a/generated/1.17/client/supervisor/virtual/clientset/versioned/doc.go b/generated/1.17/client/supervisor/virtual/clientset/versioned/doc.go new file mode 100644 index 00000000..5dc02e6e --- /dev/null +++ b/generated/1.17/client/supervisor/virtual/clientset/versioned/doc.go @@ -0,0 +1,7 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +// This package has the automatically generated clientset. +package versioned 
diff --git a/generated/1.17/client/supervisor/virtual/clientset/versioned/fake/clientset_generated.go b/generated/1.17/client/supervisor/virtual/clientset/versioned/fake/clientset_generated.go new file mode 100644 index 00000000..40b8c342 --- /dev/null +++ b/generated/1.17/client/supervisor/virtual/clientset/versioned/fake/clientset_generated.go 
@@ -0,0 +1,69 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package fake + +import ( + clientset "go.pinniped.dev/generated/1.17/client/supervisor/virtual/clientset/versioned" + oauthv1alpha1 "go.pinniped.dev/generated/1.17/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1" + fakeoauthv1alpha1 "go.pinniped.dev/generated/1.17/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake" + "k8s.io/apimachinery/pkg/runtime" + "k8s.io/apimachinery/pkg/watch" + "k8s.io/client-go/discovery" + fakediscovery "k8s.io/client-go/discovery/fake" + "k8s.io/client-go/testing" +) + +// NewSimpleClientset returns a clientset that will respond with the provided objects. +// It's backed by a very simple object tracker that processes creates, updates and deletions as-is, +// without applying any validations and/or defaults. It shouldn't be considered a replacement +// for a real clientset and is mostly useful in simple unit tests. +func NewSimpleClientset(objects ...runtime.Object) *Clientset { + o := testing.NewObjectTracker(scheme, codecs.UniversalDecoder()) + for _, obj := range objects { + if err := o.Add(obj); err != nil { + panic(err) + } + } + + cs := &Clientset{tracker: o} + cs.discovery = &fakediscovery.FakeDiscovery{Fake: &cs.Fake} + cs.AddReactor("*", "*", testing.ObjectReaction(o)) + cs.AddWatchReactor("*", func(action testing.Action) (handled bool, ret watch.Interface, err error) { + gvr := action.GetResource() + ns := action.GetNamespace() + watch, err := o.Watch(gvr, ns) + if err != nil { + return false, nil, err + } + return true, watch, nil + }) + + return cs +} + +// Clientset implements clientset.Interface. Meant to be embedded into a +// struct to get a default implementation. This makes faking out just the method +// you want to test easier. 
+type Clientset struct { + testing.Fake + discovery *fakediscovery.FakeDiscovery + tracker testing.ObjectTracker +} + +func (c *Clientset) Discovery() discovery.DiscoveryInterface { + return c.discovery +} + +func (c *Clientset) Tracker() testing.ObjectTracker { + return c.tracker +} + +var _ clientset.Interface = &Clientset{} + +// OauthV1alpha1 retrieves the OauthV1alpha1Client +func (c *Clientset) OauthV1alpha1() oauthv1alpha1.OauthV1alpha1Interface { + return &fakeoauthv1alpha1.FakeOauthV1alpha1{Fake: &c.Fake} +} diff --git a/generated/1.17/client/supervisor/virtual/clientset/versioned/fake/doc.go b/generated/1.17/client/supervisor/virtual/clientset/versioned/fake/doc.go new file mode 100644 index 00000000..7c9538fd --- /dev/null +++ b/generated/1.17/client/supervisor/virtual/clientset/versioned/fake/doc.go @@ -0,0 +1,7 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +// This package has the automatically generated fake clientset. +package fake diff --git a/generated/1.17/client/supervisor/virtual/clientset/versioned/fake/register.go b/generated/1.17/client/supervisor/virtual/clientset/versioned/fake/register.go new file mode 100644 index 00000000..675d744f --- /dev/null +++ b/generated/1.17/client/supervisor/virtual/clientset/versioned/fake/register.go 
@@ -0,0 +1,43 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package fake + +import ( + oauthv1alpha1 "go.pinniped.dev/generated/1.17/apis/supervisor/virtual/oauth/v1alpha1" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + runtime "k8s.io/apimachinery/pkg/runtime" + schema "k8s.io/apimachinery/pkg/runtime/schema" + serializer "k8s.io/apimachinery/pkg/runtime/serializer" + utilruntime "k8s.io/apimachinery/pkg/util/runtime" +) + +var scheme = runtime.NewScheme() +var codecs = serializer.NewCodecFactory(scheme) +var parameterCodec = runtime.NewParameterCodec(scheme) +var localSchemeBuilder = runtime.SchemeBuilder{ + oauthv1alpha1.AddToScheme, +} + +// AddToScheme adds all types of this clientset into the given scheme. This allows composition +// of clientsets, like in: +// +// import ( +// "k8s.io/client-go/kubernetes" +// clientsetscheme "k8s.io/client-go/kubernetes/scheme" +// aggregatorclientsetscheme "k8s.io/kube-aggregator/pkg/client/clientset_generated/clientset/scheme" +// ) +// +// kclientset, _ := kubernetes.NewForConfig(c) +// _ = aggregatorclientsetscheme.AddToScheme(clientsetscheme.Scheme) +// +// After this, RawExtensions in Kubernetes types will serialize kube-aggregator types +// correctly. +var AddToScheme = localSchemeBuilder.AddToScheme + +func init() { + v1.AddToGroupVersion(scheme, schema.GroupVersion{Version: "v1"}) + utilruntime.Must(AddToScheme(scheme)) +} diff --git a/generated/1.17/client/supervisor/virtual/clientset/versioned/scheme/doc.go b/generated/1.17/client/supervisor/virtual/clientset/versioned/scheme/doc.go new file mode 100644 index 00000000..cc02f1d3 --- /dev/null +++ b/generated/1.17/client/supervisor/virtual/clientset/versioned/scheme/doc.go 
@@ -0,0 +1,7 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +// This package contains the scheme of the automatically generated clientset. +package scheme diff --git a/generated/1.17/client/supervisor/virtual/clientset/versioned/scheme/register.go b/generated/1.17/client/supervisor/virtual/clientset/versioned/scheme/register.go new file mode 100644 index 00000000..f027d173 --- /dev/null +++ b/generated/1.17/client/supervisor/virtual/clientset/versioned/scheme/register.go 
@@ -0,0 +1,43 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package scheme + +import ( + oauthv1alpha1 "go.pinniped.dev/generated/1.17/apis/supervisor/virtual/oauth/v1alpha1" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + runtime "k8s.io/apimachinery/pkg/runtime" + schema "k8s.io/apimachinery/pkg/runtime/schema" + serializer "k8s.io/apimachinery/pkg/runtime/serializer" + utilruntime "k8s.io/apimachinery/pkg/util/runtime" +) + +var Scheme = runtime.NewScheme() +var Codecs = serializer.NewCodecFactory(Scheme) +var ParameterCodec = runtime.NewParameterCodec(Scheme) +var localSchemeBuilder = runtime.SchemeBuilder{ + oauthv1alpha1.AddToScheme, +} + +// AddToScheme adds all types of this clientset into the given scheme. This allows composition +// of clientsets, like in: +// +// import ( +// "k8s.io/client-go/kubernetes" +// clientsetscheme "k8s.io/client-go/kubernetes/scheme" +// aggregatorclientsetscheme "k8s.io/kube-aggregator/pkg/client/clientset_generated/clientset/scheme" +// ) +// +// kclientset, _ := kubernetes.NewForConfig(c) +// _ = aggregatorclientsetscheme.AddToScheme(clientsetscheme.Scheme) +// +// After this, RawExtensions in Kubernetes types will serialize kube-aggregator types +// correctly. +var AddToScheme = localSchemeBuilder.AddToScheme + +func init() { + v1.AddToGroupVersion(Scheme, schema.GroupVersion{Version: "v1"}) + utilruntime.Must(AddToScheme(Scheme)) +} diff --git a/generated/1.17/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/doc.go b/generated/1.17/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/doc.go new file mode 100644 index 00000000..e7a470b6 --- /dev/null +++ b/generated/1.17/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/doc.go 
@@ -0,0 +1,7 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +// This package has the automatically generated typed clients. +package v1alpha1 diff --git a/generated/1.17/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go b/generated/1.17/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go new file mode 100644 index 00000000..7906901b --- /dev/null +++ b/generated/1.17/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go @@ -0,0 +1,7 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +// Package fake has the automatically generated clients. +package fake diff --git a/generated/1.17/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go b/generated/1.17/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go new file mode 100644 index 00000000..97afc436 --- /dev/null +++ b/generated/1.17/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go 
@@ -0,0 +1,27 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package fake + +import ( + v1alpha1 "go.pinniped.dev/generated/1.17/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1" + rest "k8s.io/client-go/rest" + testing "k8s.io/client-go/testing" +) + +type FakeOauthV1alpha1 struct { + *testing.Fake +} + +func (c *FakeOauthV1alpha1) OIDCClientSecretRequests(namespace string) v1alpha1.OIDCClientSecretRequestInterface { + return &FakeOIDCClientSecretRequests{c, namespace} +} + +// RESTClient returns a RESTClient that is used to communicate +// with API server by this client implementation. +func (c *FakeOauthV1alpha1) RESTClient() rest.Interface { + var ret *rest.RESTClient + return ret +} diff --git a/generated/1.17/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oidcclientsecretrequest.go b/generated/1.17/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oidcclientsecretrequest.go new file mode 100644 index 00000000..f2450f9b --- /dev/null +++ b/generated/1.17/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oidcclientsecretrequest.go 
@@ -0,0 +1,33 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package fake + +import ( + v1alpha1 "go.pinniped.dev/generated/1.17/apis/supervisor/virtual/oauth/v1alpha1" + schema "k8s.io/apimachinery/pkg/runtime/schema" + testing "k8s.io/client-go/testing" +) + +// FakeOIDCClientSecretRequests implements OIDCClientSecretRequestInterface +type FakeOIDCClientSecretRequests struct { + Fake *FakeOauthV1alpha1 + ns string +} + +var oidcclientsecretrequestsResource = schema.GroupVersionResource{Group: "oauth.virtual.supervisor.pinniped.dev", Version: "v1alpha1", Resource: "oidcclientsecretrequests"} + +var oidcclientsecretrequestsKind = schema.GroupVersionKind{Group: "oauth.virtual.supervisor.pinniped.dev", Version: "v1alpha1", Kind: "OIDCClientSecretRequest"} + +// Create takes the representation of a oIDCClientSecretRequest and creates it. Returns the server's representation of the oIDCClientSecretRequest, and an error, if there is any. +func (c *FakeOIDCClientSecretRequests) Create(oIDCClientSecretRequest *v1alpha1.OIDCClientSecretRequest) (result *v1alpha1.OIDCClientSecretRequest, err error) { + obj, err := c.Fake. + Invokes(testing.NewCreateAction(oidcclientsecretrequestsResource, c.ns, oIDCClientSecretRequest), &v1alpha1.OIDCClientSecretRequest{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.OIDCClientSecretRequest), err +} diff --git a/generated/1.17/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go b/generated/1.17/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go new file mode 100644 index 00000000..427a2ad8 --- /dev/null +++ b/generated/1.17/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go 
@@ -0,0 +1,8 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package v1alpha1 + +type OIDCClientSecretRequestExpansion interface{} diff --git a/generated/1.17/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go b/generated/1.17/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go new file mode 100644 index 00000000..b3a80cae --- /dev/null +++ b/generated/1.17/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go 
@@ -0,0 +1,76 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + v1alpha1 "go.pinniped.dev/generated/1.17/apis/supervisor/virtual/oauth/v1alpha1" + "go.pinniped.dev/generated/1.17/client/supervisor/virtual/clientset/versioned/scheme" + rest "k8s.io/client-go/rest" +) + +type OauthV1alpha1Interface interface { + RESTClient() rest.Interface + OIDCClientSecretRequestsGetter +} + +// OauthV1alpha1Client is used to interact with features provided by the oauth.virtual.supervisor.pinniped.dev group. +type OauthV1alpha1Client struct { + restClient rest.Interface +} + +func (c *OauthV1alpha1Client) OIDCClientSecretRequests(namespace string) OIDCClientSecretRequestInterface { + return newOIDCClientSecretRequests(c, namespace) +} + +// NewForConfig creates a new OauthV1alpha1Client for the given config. +func NewForConfig(c *rest.Config) (*OauthV1alpha1Client, error) { + config := *c + if err := setConfigDefaults(&config); err != nil { + return nil, err + } + client, err := rest.RESTClientFor(&config) + if err != nil { + return nil, err + } + return &OauthV1alpha1Client{client}, nil +} + +// NewForConfigOrDie creates a new OauthV1alpha1Client for the given config and +// panics if there is an error in the config. +func NewForConfigOrDie(c *rest.Config) *OauthV1alpha1Client { + client, err := NewForConfig(c) + if err != nil { + panic(err) + } + return client +} + +// New creates a new OauthV1alpha1Client for the given RESTClient. 
+func New(c rest.Interface) *OauthV1alpha1Client { + return &OauthV1alpha1Client{c} +} + +func setConfigDefaults(config *rest.Config) error { + gv := v1alpha1.SchemeGroupVersion + config.GroupVersion = &gv + config.APIPath = "/apis" + config.NegotiatedSerializer = scheme.Codecs.WithoutConversion() + + if config.UserAgent == "" { + config.UserAgent = rest.DefaultKubernetesUserAgent() + } + + return nil +} + +// RESTClient returns a RESTClient that is used to communicate +// with API server by this client implementation. +func (c *OauthV1alpha1Client) RESTClient() rest.Interface { + if c == nil { + return nil + } + return c.restClient +} diff --git a/generated/1.17/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/oidcclientsecretrequest.go b/generated/1.17/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/oidcclientsecretrequest.go new file mode 100644 index 00000000..97031447 --- /dev/null +++ b/generated/1.17/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/oidcclientsecretrequest.go 
@@ -0,0 +1,49 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + v1alpha1 "go.pinniped.dev/generated/1.17/apis/supervisor/virtual/oauth/v1alpha1" + rest "k8s.io/client-go/rest" +) + +// OIDCClientSecretRequestsGetter has a method to return a OIDCClientSecretRequestInterface. +// A group's client should implement this interface. +type OIDCClientSecretRequestsGetter interface { + OIDCClientSecretRequests(namespace string) OIDCClientSecretRequestInterface +} + +// OIDCClientSecretRequestInterface has methods to work with OIDCClientSecretRequest resources. +type OIDCClientSecretRequestInterface interface { + Create(*v1alpha1.OIDCClientSecretRequest) (*v1alpha1.OIDCClientSecretRequest, error) + OIDCClientSecretRequestExpansion +} + +// oIDCClientSecretRequests implements OIDCClientSecretRequestInterface +type oIDCClientSecretRequests struct { + client rest.Interface + ns string +} + +// newOIDCClientSecretRequests returns a OIDCClientSecretRequests +func newOIDCClientSecretRequests(c *OauthV1alpha1Client, namespace string) *oIDCClientSecretRequests { + return &oIDCClientSecretRequests{ + client: c.RESTClient(), + ns: namespace, + } +} + +// Create takes the representation of a oIDCClientSecretRequest and creates it. Returns the server's representation of the oIDCClientSecretRequest, and an error, if there is any. +func (c *oIDCClientSecretRequests) Create(oIDCClientSecretRequest *v1alpha1.OIDCClientSecretRequest) (result *v1alpha1.OIDCClientSecretRequest, err error) { + result = &v1alpha1.OIDCClientSecretRequest{} + err = c.client.Post(). + Namespace(c.ns). + Resource("oidcclientsecretrequests"). + Body(oIDCClientSecretRequest). + Do(). + Into(result) + return +} diff --git a/generated/1.18/README.adoc b/generated/1.18/README.adoc index f2346ef6..db96bb48 100644 --- a/generated/1.18/README.adoc 
+++ b/generated/1.18/README.adoc @@ -13,6 +13,8 @@ - xref:{anchor_prefix}-idp-supervisor-pinniped-dev-v1alpha1[$$idp.supervisor.pinniped.dev/v1alpha1$$] - xref:{anchor_prefix}-login-concierge-pinniped-dev-v1alpha1[$$login.concierge.pinniped.dev/v1alpha1$$] - xref:{anchor_prefix}-oauth-supervisor-pinniped-dev-v1alpha1[$$oauth.supervisor.pinniped.dev/v1alpha1$$] +- xref:{anchor_prefix}-oauth-virtual-supervisor-pinniped-dev-oauth[$$oauth.virtual.supervisor.pinniped.dev/oauth$$] +- xref:{anchor_prefix}-oauth-virtual-supervisor-pinniped-dev-v1alpha1[$$oauth.virtual.supervisor.pinniped.dev/v1alpha1$$] [id="{anchor_prefix}-authentication-concierge-pinniped-dev-v1alpha1"] 
@@ -1386,3 +1388,95 @@ OIDCClientSpec is a struct that describes an OIDC Client. + +[id="{anchor_prefix}-oauth-virtual-supervisor-pinniped-dev-oauth"] +=== oauth.virtual.supervisor.pinniped.dev/oauth + +Package oauth is the internal version of the Pinniped virtual oauth API. + + + + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-virtual-oauth-oidcclientsecretrequestspec"] +==== OIDCClientSecretRequestSpec + + + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-virtual-oauth-oidcclientsecretrequest[$$OIDCClientSecretRequest$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`generateNewSecret`* __boolean__ | +| *`revokeOldSecrets`* __boolean__ | +|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-virtual-oauth-oidcclientsecretrequeststatus"] +==== OIDCClientSecretRequestStatus + + + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-virtual-oauth-oidcclientsecretrequest[$$OIDCClientSecretRequest$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`generatedSecret`* __string__ | +| *`totalClientSecrets`* __integer__ | +|=== + + + +[id="{anchor_prefix}-oauth-virtual-supervisor-pinniped-dev-v1alpha1"] +=== oauth.virtual.supervisor.pinniped.dev/v1alpha1 + +Package v1alpha1 is the v1alpha1 version of the Pinniped virtual oauth API. 
+ + + + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-virtual-oauth-v1alpha1-oidcclientsecretrequestspec"] +==== OIDCClientSecretRequestSpec + + + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-virtual-oauth-v1alpha1-oidcclientsecretrequest[$$OIDCClientSecretRequest$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`generateNewSecret`* __boolean__ | +| *`revokeOldSecrets`* __boolean__ | +|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-virtual-oauth-v1alpha1-oidcclientsecretrequeststatus"] +==== OIDCClientSecretRequestStatus + + + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-virtual-oauth-v1alpha1-oidcclientsecretrequest[$$OIDCClientSecretRequest$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`generatedSecret`* __string__ | +| *`totalClientSecrets`* __integer__ | +|=== + + diff --git a/generated/1.18/apis/supervisor/virtual/oauth/doc.go b/generated/1.18/apis/supervisor/virtual/oauth/doc.go new file mode 100644 index 00000000..ca4e9a63 --- /dev/null +++ b/generated/1.18/apis/supervisor/virtual/oauth/doc.go @@ -0,0 +1,8 @@ +// Copyright 2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// +k8s:deepcopy-gen=package +// +groupName=oauth.virtual.supervisor.pinniped.dev + +// Package oauth is the internal version of the Pinniped virtual oauth API. +package oauth diff --git a/generated/1.18/apis/supervisor/virtual/oauth/register.go b/generated/1.18/apis/supervisor/virtual/oauth/register.go new file mode 100644 index 00000000..a238d85f --- /dev/null +++ b/generated/1.18/apis/supervisor/virtual/oauth/register.go 
@@ -0,0 +1,37 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package oauth
+
+import (
+ "k8s.io/apimachinery/pkg/runtime"
+ "k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+const GroupName = "oauth.virtual.supervisor.pinniped.dev"
+
+// SchemeGroupVersion is group version used to register these objects.
+var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: runtime.APIVersionInternal}
+
+// Kind takes an unqualified kind and returns back a Group qualified GroupKind.
+func Kind(kind string) schema.GroupKind {
+ return SchemeGroupVersion.WithKind(kind).GroupKind()
+}
+
+// Resource takes an unqualified resource and returns back a Group qualified GroupResource.
+func Resource(resource string) schema.GroupResource {
+ return SchemeGroupVersion.WithResource(resource).GroupResource()
+}
+
+var (
+ SchemeBuilder = runtime.NewSchemeBuilder(addKnownTypes)
+ AddToScheme = SchemeBuilder.AddToScheme
+)
+
+// Adds the list of known types to the given scheme.
+func addKnownTypes(scheme *runtime.Scheme) error {
+ scheme.AddKnownTypes(SchemeGroupVersion,
+ &OIDCClientSecretRequest{},
+ )
+ return nil
+}
diff --git a/generated/1.18/apis/supervisor/virtual/oauth/types_oidcclientsecretrequest.go b/generated/1.18/apis/supervisor/virtual/oauth/types_oidcclientsecretrequest.go new file mode 100644
index 00000000..ac54a93c
--- /dev/null
+++ b/generated/1.18/apis/supervisor/virtual/oauth/types_oidcclientsecretrequest.go
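Review bot: `GroupName` is exported but carries no doc comment, and the comment on `addKnownTypes` does not begin with the function name, so both trip the usual Go doc-comment lint; the v1alpha1 register.go hunk later in this commit has the same two gaps. Suggested: `// GroupName is the API group of the Pinniped virtual oauth API.` above the const, and `// addKnownTypes adds the list of known types to the given scheme.` in place of the existing comment.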
@@ -0,0 +1,25 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package oauth
+
+import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+type OIDCClientSecretRequestSpec struct {
+ GenerateNewSecret bool `json:"generateNewSecret"`
+ RevokeOldSecrets bool `json:"revokeOldSecrets"`
+}
+
+type OIDCClientSecretRequestStatus struct {
+ GeneratedSecret string `json:"generatedSecret,omitempty"`
+ TotalClientSecrets int `json:"totalClientSecrets"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+type OIDCClientSecretRequest struct {
+ metav1.TypeMeta `json:",inline"`
+ metav1.ObjectMeta `json:"metadata,omitempty"` // metadata.name must be set to the client ID
+
+ Spec OIDCClientSecretRequestSpec `json:"spec"`
+ Status OIDCClientSecretRequestStatus `json:"status"`
+}
diff --git a/generated/1.18/apis/supervisor/virtual/oauth/v1alpha1/conversion.go b/generated/1.18/apis/supervisor/virtual/oauth/v1alpha1/conversion.go new file mode 100644
index 00000000..fcf4e82f
--- /dev/null
+++ b/generated/1.18/apis/supervisor/virtual/oauth/v1alpha1/conversion.go
@@ -0,0 +1,4 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
diff --git a/generated/1.18/apis/supervisor/virtual/oauth/v1alpha1/defaults.go b/generated/1.18/apis/supervisor/virtual/oauth/v1alpha1/defaults.go new file mode 100644
index 00000000..d4f5a9e8
--- /dev/null
+++ b/generated/1.18/apis/supervisor/virtual/oauth/v1alpha1/defaults.go
@@ -0,0 +1,12 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import (
+ "k8s.io/apimachinery/pkg/runtime"
+)
+
+func addDefaultingFuncs(scheme *runtime.Scheme) error {
+ return RegisterDefaults(scheme)
+}
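Review bot: `OIDCClientSecretRequestStatus.GeneratedSecret` carries a plaintext client secret back to the caller in the API response, yet neither the field nor the types around it say so, and none of the exported types or fields in this hunk have doc comments at all; the v1alpha1 copy in the later types_oidcclientsecretrequest.go hunk has the same gap, and the empty Description cells in the README.adoc hunks above are the visible result. I would state the contract on the field: `// GeneratedSecret is the plaintext client secret created by this request. Presumably it is returned only in this response and is not persisted by the server (confirm against the implementation); treat it as a one-time credential.` A one-line comment on the type is also worth adding, noting that the response body contains a credential so request/response-level audit logging or debug logging of this resource would persist the secret. `GenerateNewSecret`, `RevokeOldSecrets` and `TotalClientSecrets` each deserve a one-sentence comment so the generated reference docs are no longer blank.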
diff --git a/generated/1.18/apis/supervisor/virtual/oauth/v1alpha1/doc.go b/generated/1.18/apis/supervisor/virtual/oauth/v1alpha1/doc.go new file mode 100644
index 00000000..215e4edf
--- /dev/null
+++ b/generated/1.18/apis/supervisor/virtual/oauth/v1alpha1/doc.go
@@ -0,0 +1,11 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// +k8s:openapi-gen=true
+// +k8s:deepcopy-gen=package
+// +k8s:conversion-gen=go.pinniped.dev/generated/1.18/apis/supervisor/virtual/oauth
+// +k8s:defaulter-gen=TypeMeta
+// +groupName=oauth.virtual.supervisor.pinniped.dev
+
+// Package v1alpha1 is the v1alpha1 version of the Pinniped virtual oauth API.
+package v1alpha1
diff --git a/generated/1.18/apis/supervisor/virtual/oauth/v1alpha1/register.go b/generated/1.18/apis/supervisor/virtual/oauth/v1alpha1/register.go new file mode 100644
index 00000000..ecc75a08
--- /dev/null
+++ b/generated/1.18/apis/supervisor/virtual/oauth/v1alpha1/register.go
@@ -0,0 +1,42 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import (
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/apimachinery/pkg/runtime"
+ "k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+const GroupName = "oauth.virtual.supervisor.pinniped.dev"
+
+// SchemeGroupVersion is group version used to register these objects.
+var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha1"}
+
+var (
+ SchemeBuilder runtime.SchemeBuilder
+ localSchemeBuilder = &SchemeBuilder
+ AddToScheme = SchemeBuilder.AddToScheme
+)
+
+func init() {
+ // We only register manually written functions here. The registration of the
+ // generated functions takes place in the generated files. The separation
+ // makes the code compile even when the generated files are missing.
+ localSchemeBuilder.Register(addKnownTypes, addDefaultingFuncs)
+}
+
+// Adds the list of known types to the given scheme.
+func addKnownTypes(scheme *runtime.Scheme) error {
+ scheme.AddKnownTypes(SchemeGroupVersion,
+ &OIDCClientSecretRequest{},
+ )
+ metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
+ return nil
+}
+
+// Resource takes an unqualified resource and returns back a Group qualified GroupResource.
+func Resource(resource string) schema.GroupResource {
+ return SchemeGroupVersion.WithResource(resource).GroupResource()
+}
diff --git a/generated/1.18/apis/supervisor/virtual/oauth/v1alpha1/types_oidcclientsecretrequest.go b/generated/1.18/apis/supervisor/virtual/oauth/v1alpha1/types_oidcclientsecretrequest.go new file mode 100644
index 00000000..dda2f3bb
--- /dev/null
+++ b/generated/1.18/apis/supervisor/virtual/oauth/v1alpha1/types_oidcclientsecretrequest.go
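Review bot: Unlike the internal package's register.go earlier in this commit, this v1alpha1 register.go exposes `Resource` but no `Kind` helper, so anything that needs a `schema.GroupKind` for this version has to build it by hand from `SchemeGroupVersion`. Adding the matching wrapper next to `Resource` keeps the two packages symmetric: `// Kind takes an unqualified kind and returns back a Group qualified GroupKind.` followed by `func Kind(kind string) schema.GroupKind { return SchemeGroupVersion.WithKind(kind).GroupKind() }`. Whether any caller actually needs it is not visible from the diff, so treat this as a consistency suggestion rather than a defect.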
@@ -0,0 +1,28 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+type OIDCClientSecretRequestSpec struct {
+ GenerateNewSecret bool `json:"generateNewSecret"`
+ RevokeOldSecrets bool `json:"revokeOldSecrets"`
+}
+
+type OIDCClientSecretRequestStatus struct {
+ GeneratedSecret string `json:"generatedSecret,omitempty"`
+ TotalClientSecrets int `json:"totalClientSecrets"`
+}
+
+// +genclient
+// +genclient:onlyVerbs=create
+// +kubebuilder:subresource:status
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+type OIDCClientSecretRequest struct {
+ metav1.TypeMeta `json:",inline"`
+ metav1.ObjectMeta `json:"metadata,omitempty"` // metadata.name must be set to the client ID
+
+ Spec OIDCClientSecretRequestSpec `json:"spec"`
+ Status OIDCClientSecretRequestStatus `json:"status"`
+}
diff --git a/generated/1.18/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.conversion.go b/generated/1.18/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.conversion.go new file mode 100644
index 00000000..d71f1e76
--- /dev/null
+++ b/generated/1.18/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.conversion.go
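Review bot: `+kubebuilder:subresource:status` on `OIDCClientSecretRequest` looks out of place next to `+genclient:onlyVerbs=create`: the type is registered under the virtual (aggregated) oauth group rather than as a CRD, and the generated client in this commit only exposes `Create`, so the marker either has no effect or advertises a status subresource no client can reach — I cannot see the serving side, so this is an inference. If the intent is to record that the server fills in `Status`, a field comment says that more clearly: `// Status is populated by the server; any value supplied by the client is ignored.` Keeping the create-only verb set is the right minimization for a resource whose response carries a credential.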
@@ -0,0 +1,131 @@ +//go:build !ignore_autogenerated +// +build !ignore_autogenerated + +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by conversion-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + oauth "go.pinniped.dev/generated/1.18/apis/supervisor/virtual/oauth" + conversion "k8s.io/apimachinery/pkg/conversion" + runtime "k8s.io/apimachinery/pkg/runtime" +) + +func init() { + localSchemeBuilder.Register(RegisterConversions) +} + +// RegisterConversions adds conversion functions to the given scheme. +// Public to allow building arbitrary schemes. +func RegisterConversions(s *runtime.Scheme) error { + if err := s.AddGeneratedConversionFunc((*OIDCClientSecretRequest)(nil), (*oauth.OIDCClientSecretRequest)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_v1alpha1_OIDCClientSecretRequest_To_oauth_OIDCClientSecretRequest(a.(*OIDCClientSecretRequest), b.(*oauth.OIDCClientSecretRequest), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*oauth.OIDCClientSecretRequest)(nil), (*OIDCClientSecretRequest)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_oauth_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest(a.(*oauth.OIDCClientSecretRequest), b.(*OIDCClientSecretRequest), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*OIDCClientSecretRequestSpec)(nil), (*oauth.OIDCClientSecretRequestSpec)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_v1alpha1_OIDCClientSecretRequestSpec_To_oauth_OIDCClientSecretRequestSpec(a.(*OIDCClientSecretRequestSpec), b.(*oauth.OIDCClientSecretRequestSpec), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*oauth.OIDCClientSecretRequestSpec)(nil), (*OIDCClientSecretRequestSpec)(nil), func(a, b interface{}, scope conversion.Scope) error { + return 
Convert_oauth_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec(a.(*oauth.OIDCClientSecretRequestSpec), b.(*OIDCClientSecretRequestSpec), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*OIDCClientSecretRequestStatus)(nil), (*oauth.OIDCClientSecretRequestStatus)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_v1alpha1_OIDCClientSecretRequestStatus_To_oauth_OIDCClientSecretRequestStatus(a.(*OIDCClientSecretRequestStatus), b.(*oauth.OIDCClientSecretRequestStatus), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*oauth.OIDCClientSecretRequestStatus)(nil), (*OIDCClientSecretRequestStatus)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_oauth_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus(a.(*oauth.OIDCClientSecretRequestStatus), b.(*OIDCClientSecretRequestStatus), scope) + }); err != nil { + return err + } + return nil +} + +func autoConvert_v1alpha1_OIDCClientSecretRequest_To_oauth_OIDCClientSecretRequest(in *OIDCClientSecretRequest, out *oauth.OIDCClientSecretRequest, s conversion.Scope) error { + out.ObjectMeta = in.ObjectMeta + if err := Convert_v1alpha1_OIDCClientSecretRequestSpec_To_oauth_OIDCClientSecretRequestSpec(&in.Spec, &out.Spec, s); err != nil { + return err + } + if err := Convert_v1alpha1_OIDCClientSecretRequestStatus_To_oauth_OIDCClientSecretRequestStatus(&in.Status, &out.Status, s); err != nil { + return err + } + return nil +} + +// Convert_v1alpha1_OIDCClientSecretRequest_To_oauth_OIDCClientSecretRequest is an autogenerated conversion function. 
+func Convert_v1alpha1_OIDCClientSecretRequest_To_oauth_OIDCClientSecretRequest(in *OIDCClientSecretRequest, out *oauth.OIDCClientSecretRequest, s conversion.Scope) error { + return autoConvert_v1alpha1_OIDCClientSecretRequest_To_oauth_OIDCClientSecretRequest(in, out, s) +} + +func autoConvert_oauth_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest(in *oauth.OIDCClientSecretRequest, out *OIDCClientSecretRequest, s conversion.Scope) error { + out.ObjectMeta = in.ObjectMeta + if err := Convert_oauth_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec(&in.Spec, &out.Spec, s); err != nil { + return err + } + if err := Convert_oauth_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus(&in.Status, &out.Status, s); err != nil { + return err + } + return nil +} + +// Convert_oauth_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest is an autogenerated conversion function. +func Convert_oauth_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest(in *oauth.OIDCClientSecretRequest, out *OIDCClientSecretRequest, s conversion.Scope) error { + return autoConvert_oauth_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest(in, out, s) +} + +func autoConvert_v1alpha1_OIDCClientSecretRequestSpec_To_oauth_OIDCClientSecretRequestSpec(in *OIDCClientSecretRequestSpec, out *oauth.OIDCClientSecretRequestSpec, s conversion.Scope) error { + out.GenerateNewSecret = in.GenerateNewSecret + out.RevokeOldSecrets = in.RevokeOldSecrets + return nil +} + +// Convert_v1alpha1_OIDCClientSecretRequestSpec_To_oauth_OIDCClientSecretRequestSpec is an autogenerated conversion function. 
+func Convert_v1alpha1_OIDCClientSecretRequestSpec_To_oauth_OIDCClientSecretRequestSpec(in *OIDCClientSecretRequestSpec, out *oauth.OIDCClientSecretRequestSpec, s conversion.Scope) error { + return autoConvert_v1alpha1_OIDCClientSecretRequestSpec_To_oauth_OIDCClientSecretRequestSpec(in, out, s) +} + +func autoConvert_oauth_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec(in *oauth.OIDCClientSecretRequestSpec, out *OIDCClientSecretRequestSpec, s conversion.Scope) error { + out.GenerateNewSecret = in.GenerateNewSecret + out.RevokeOldSecrets = in.RevokeOldSecrets + return nil +} + +// Convert_oauth_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec is an autogenerated conversion function. +func Convert_oauth_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec(in *oauth.OIDCClientSecretRequestSpec, out *OIDCClientSecretRequestSpec, s conversion.Scope) error { + return autoConvert_oauth_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec(in, out, s) +} + +func autoConvert_v1alpha1_OIDCClientSecretRequestStatus_To_oauth_OIDCClientSecretRequestStatus(in *OIDCClientSecretRequestStatus, out *oauth.OIDCClientSecretRequestStatus, s conversion.Scope) error { + out.GeneratedSecret = in.GeneratedSecret + out.TotalClientSecrets = in.TotalClientSecrets + return nil +} + +// Convert_v1alpha1_OIDCClientSecretRequestStatus_To_oauth_OIDCClientSecretRequestStatus is an autogenerated conversion function. 
+func Convert_v1alpha1_OIDCClientSecretRequestStatus_To_oauth_OIDCClientSecretRequestStatus(in *OIDCClientSecretRequestStatus, out *oauth.OIDCClientSecretRequestStatus, s conversion.Scope) error { + return autoConvert_v1alpha1_OIDCClientSecretRequestStatus_To_oauth_OIDCClientSecretRequestStatus(in, out, s) +} + +func autoConvert_oauth_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus(in *oauth.OIDCClientSecretRequestStatus, out *OIDCClientSecretRequestStatus, s conversion.Scope) error { + out.GeneratedSecret = in.GeneratedSecret + out.TotalClientSecrets = in.TotalClientSecrets + return nil +} + +// Convert_oauth_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus is an autogenerated conversion function. +func Convert_oauth_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus(in *oauth.OIDCClientSecretRequestStatus, out *OIDCClientSecretRequestStatus, s conversion.Scope) error { + return autoConvert_oauth_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus(in, out, s) +} diff --git a/generated/1.18/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.deepcopy.go b/generated/1.18/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.deepcopy.go new file mode 100644 index 00000000..e4fce842 --- /dev/null +++ b/generated/1.18/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.deepcopy.go 
@@ -0,0 +1,73 @@ +//go:build !ignore_autogenerated +// +build !ignore_autogenerated + +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by deepcopy-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + runtime "k8s.io/apimachinery/pkg/runtime" +) + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCClientSecretRequest) DeepCopyInto(out *OIDCClientSecretRequest) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + out.Spec = in.Spec + out.Status = in.Status + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSecretRequest. +func (in *OIDCClientSecretRequest) DeepCopy() *OIDCClientSecretRequest { + if in == nil { + return nil + } + out := new(OIDCClientSecretRequest) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *OIDCClientSecretRequest) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCClientSecretRequestSpec) DeepCopyInto(out *OIDCClientSecretRequestSpec) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSecretRequestSpec. +func (in *OIDCClientSecretRequestSpec) DeepCopy() *OIDCClientSecretRequestSpec { + if in == nil { + return nil + } + out := new(OIDCClientSecretRequestSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *OIDCClientSecretRequestStatus) DeepCopyInto(out *OIDCClientSecretRequestStatus) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSecretRequestStatus. +func (in *OIDCClientSecretRequestStatus) DeepCopy() *OIDCClientSecretRequestStatus { + if in == nil { + return nil + } + out := new(OIDCClientSecretRequestStatus) + in.DeepCopyInto(out) + return out +} diff --git a/generated/1.18/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.defaults.go b/generated/1.18/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.defaults.go new file mode 100644 index 00000000..9097a935 --- /dev/null +++ b/generated/1.18/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.defaults.go @@ -0,0 +1,20 @@ +//go:build !ignore_autogenerated +// +build !ignore_autogenerated + +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by defaulter-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + runtime "k8s.io/apimachinery/pkg/runtime" +) + +// RegisterDefaults adds defaulters functions to the given scheme. +// Public to allow building arbitrary schemes. +// All generated defaulters are covering - they call all nested defaulters. +func RegisterDefaults(scheme *runtime.Scheme) error { + return nil +} diff --git a/generated/1.18/apis/supervisor/virtual/oauth/zz_generated.deepcopy.go b/generated/1.18/apis/supervisor/virtual/oauth/zz_generated.deepcopy.go new file mode 100644 index 00000000..24b58e7b --- /dev/null +++ b/generated/1.18/apis/supervisor/virtual/oauth/zz_generated.deepcopy.go 
@@ -0,0 +1,73 @@ +//go:build !ignore_autogenerated +// +build !ignore_autogenerated + +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by deepcopy-gen. DO NOT EDIT. + +package oauth + +import ( + runtime "k8s.io/apimachinery/pkg/runtime" +) + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCClientSecretRequest) DeepCopyInto(out *OIDCClientSecretRequest) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + out.Spec = in.Spec + out.Status = in.Status + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSecretRequest. +func (in *OIDCClientSecretRequest) DeepCopy() *OIDCClientSecretRequest { + if in == nil { + return nil + } + out := new(OIDCClientSecretRequest) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *OIDCClientSecretRequest) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCClientSecretRequestSpec) DeepCopyInto(out *OIDCClientSecretRequestSpec) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSecretRequestSpec. +func (in *OIDCClientSecretRequestSpec) DeepCopy() *OIDCClientSecretRequestSpec { + if in == nil { + return nil + } + out := new(OIDCClientSecretRequestSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *OIDCClientSecretRequestStatus) DeepCopyInto(out *OIDCClientSecretRequestStatus) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSecretRequestStatus. +func (in *OIDCClientSecretRequestStatus) DeepCopy() *OIDCClientSecretRequestStatus { + if in == nil { + return nil + } + out := new(OIDCClientSecretRequestStatus) + in.DeepCopyInto(out) + return out +} diff --git a/generated/1.18/client/supervisor/virtual/clientset/versioned/clientset.go b/generated/1.18/client/supervisor/virtual/clientset/versioned/clientset.go new file mode 100644 index 00000000..f5038211 --- /dev/null +++ b/generated/1.18/client/supervisor/virtual/clientset/versioned/clientset.go 
@@ -0,0 +1,84 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package versioned + +import ( + "fmt" + + oauthv1alpha1 "go.pinniped.dev/generated/1.18/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1" + discovery "k8s.io/client-go/discovery" + rest "k8s.io/client-go/rest" + flowcontrol "k8s.io/client-go/util/flowcontrol" +) + +type Interface interface { + Discovery() discovery.DiscoveryInterface + OauthV1alpha1() oauthv1alpha1.OauthV1alpha1Interface +} + +// Clientset contains the clients for groups. Each group has exactly one +// version included in a Clientset. +type Clientset struct { + *discovery.DiscoveryClient + oauthV1alpha1 *oauthv1alpha1.OauthV1alpha1Client +} + +// OauthV1alpha1 retrieves the OauthV1alpha1Client +func (c *Clientset) OauthV1alpha1() oauthv1alpha1.OauthV1alpha1Interface { + return c.oauthV1alpha1 +} + +// Discovery retrieves the DiscoveryClient +func (c *Clientset) Discovery() discovery.DiscoveryInterface { + if c == nil { + return nil + } + return c.DiscoveryClient +} + +// NewForConfig creates a new Clientset for the given config. +// If config's RateLimiter is not set and QPS and Burst are acceptable, +// NewForConfig will generate a rate-limiter in configShallowCopy. 
+func NewForConfig(c *rest.Config) (*Clientset, error) { + configShallowCopy := *c + if configShallowCopy.RateLimiter == nil && configShallowCopy.QPS > 0 { + if configShallowCopy.Burst <= 0 { + return nil, fmt.Errorf("burst is required to be greater than 0 when RateLimiter is not set and QPS is set to greater than 0") + } + configShallowCopy.RateLimiter = flowcontrol.NewTokenBucketRateLimiter(configShallowCopy.QPS, configShallowCopy.Burst) + } + var cs Clientset + var err error + cs.oauthV1alpha1, err = oauthv1alpha1.NewForConfig(&configShallowCopy) + if err != nil { + return nil, err + } + + cs.DiscoveryClient, err = discovery.NewDiscoveryClientForConfig(&configShallowCopy) + if err != nil { + return nil, err + } + return &cs, nil +} + +// NewForConfigOrDie creates a new Clientset for the given config and +// panics if there is an error in the config. +func NewForConfigOrDie(c *rest.Config) *Clientset { + var cs Clientset + cs.oauthV1alpha1 = oauthv1alpha1.NewForConfigOrDie(c) + + cs.DiscoveryClient = discovery.NewDiscoveryClientForConfigOrDie(c) + return &cs +} + +// New creates a new Clientset for the given RESTClient. +func New(c rest.Interface) *Clientset { + var cs Clientset + cs.oauthV1alpha1 = oauthv1alpha1.New(c) + + cs.DiscoveryClient = discovery.NewDiscoveryClient(c) + return &cs +} diff --git a/generated/1.18/client/supervisor/virtual/clientset/versioned/doc.go b/generated/1.18/client/supervisor/virtual/clientset/versioned/doc.go new file mode 100644 index 00000000..5dc02e6e --- /dev/null +++ b/generated/1.18/client/supervisor/virtual/clientset/versioned/doc.go @@ -0,0 +1,7 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +// This package has the automatically generated clientset. +package versioned 
diff --git a/generated/1.18/client/supervisor/virtual/clientset/versioned/fake/clientset_generated.go b/generated/1.18/client/supervisor/virtual/clientset/versioned/fake/clientset_generated.go new file mode 100644 index 00000000..11c90feb --- /dev/null +++ b/generated/1.18/client/supervisor/virtual/clientset/versioned/fake/clientset_generated.go 
@@ -0,0 +1,69 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package fake + +import ( + clientset "go.pinniped.dev/generated/1.18/client/supervisor/virtual/clientset/versioned" + oauthv1alpha1 "go.pinniped.dev/generated/1.18/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1" + fakeoauthv1alpha1 "go.pinniped.dev/generated/1.18/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake" + "k8s.io/apimachinery/pkg/runtime" + "k8s.io/apimachinery/pkg/watch" + "k8s.io/client-go/discovery" + fakediscovery "k8s.io/client-go/discovery/fake" + "k8s.io/client-go/testing" +) + +// NewSimpleClientset returns a clientset that will respond with the provided objects. +// It's backed by a very simple object tracker that processes creates, updates and deletions as-is, +// without applying any validations and/or defaults. It shouldn't be considered a replacement +// for a real clientset and is mostly useful in simple unit tests. +func NewSimpleClientset(objects ...runtime.Object) *Clientset { + o := testing.NewObjectTracker(scheme, codecs.UniversalDecoder()) + for _, obj := range objects { + if err := o.Add(obj); err != nil { + panic(err) + } + } + + cs := &Clientset{tracker: o} + cs.discovery = &fakediscovery.FakeDiscovery{Fake: &cs.Fake} + cs.AddReactor("*", "*", testing.ObjectReaction(o)) + cs.AddWatchReactor("*", func(action testing.Action) (handled bool, ret watch.Interface, err error) { + gvr := action.GetResource() + ns := action.GetNamespace() + watch, err := o.Watch(gvr, ns) + if err != nil { + return false, nil, err + } + return true, watch, nil + }) + + return cs +} + +// Clientset implements clientset.Interface. Meant to be embedded into a +// struct to get a default implementation. This makes faking out just the method +// you want to test easier. 
+type Clientset struct { + testing.Fake + discovery *fakediscovery.FakeDiscovery + tracker testing.ObjectTracker +} + +func (c *Clientset) Discovery() discovery.DiscoveryInterface { + return c.discovery +} + +func (c *Clientset) Tracker() testing.ObjectTracker { + return c.tracker +} + +var _ clientset.Interface = &Clientset{} + +// OauthV1alpha1 retrieves the OauthV1alpha1Client +func (c *Clientset) OauthV1alpha1() oauthv1alpha1.OauthV1alpha1Interface { + return &fakeoauthv1alpha1.FakeOauthV1alpha1{Fake: &c.Fake} +} diff --git a/generated/1.18/client/supervisor/virtual/clientset/versioned/fake/doc.go b/generated/1.18/client/supervisor/virtual/clientset/versioned/fake/doc.go new file mode 100644 index 00000000..7c9538fd --- /dev/null +++ b/generated/1.18/client/supervisor/virtual/clientset/versioned/fake/doc.go @@ -0,0 +1,7 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +// This package has the automatically generated fake clientset. +package fake diff --git a/generated/1.18/client/supervisor/virtual/clientset/versioned/fake/register.go b/generated/1.18/client/supervisor/virtual/clientset/versioned/fake/register.go new file mode 100644 index 00000000..5a912824 --- /dev/null +++ b/generated/1.18/client/supervisor/virtual/clientset/versioned/fake/register.go 
@@ -0,0 +1,43 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package fake + +import ( + oauthv1alpha1 "go.pinniped.dev/generated/1.18/apis/supervisor/virtual/oauth/v1alpha1" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + runtime "k8s.io/apimachinery/pkg/runtime" + schema "k8s.io/apimachinery/pkg/runtime/schema" + serializer "k8s.io/apimachinery/pkg/runtime/serializer" + utilruntime "k8s.io/apimachinery/pkg/util/runtime" +) + +var scheme = runtime.NewScheme() +var codecs = serializer.NewCodecFactory(scheme) +var parameterCodec = runtime.NewParameterCodec(scheme) +var localSchemeBuilder = runtime.SchemeBuilder{ + oauthv1alpha1.AddToScheme, +} + +// AddToScheme adds all types of this clientset into the given scheme. This allows composition +// of clientsets, like in: +// +// import ( +// "k8s.io/client-go/kubernetes" +// clientsetscheme "k8s.io/client-go/kubernetes/scheme" +// aggregatorclientsetscheme "k8s.io/kube-aggregator/pkg/client/clientset_generated/clientset/scheme" +// ) +// +// kclientset, _ := kubernetes.NewForConfig(c) +// _ = aggregatorclientsetscheme.AddToScheme(clientsetscheme.Scheme) +// +// After this, RawExtensions in Kubernetes types will serialize kube-aggregator types +// correctly. +var AddToScheme = localSchemeBuilder.AddToScheme + +func init() { + v1.AddToGroupVersion(scheme, schema.GroupVersion{Version: "v1"}) + utilruntime.Must(AddToScheme(scheme)) +} diff --git a/generated/1.18/client/supervisor/virtual/clientset/versioned/scheme/doc.go b/generated/1.18/client/supervisor/virtual/clientset/versioned/scheme/doc.go new file mode 100644 index 00000000..cc02f1d3 --- /dev/null +++ b/generated/1.18/client/supervisor/virtual/clientset/versioned/scheme/doc.go 
@@ -0,0 +1,7 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +// This package contains the scheme of the automatically generated clientset. +package scheme diff --git a/generated/1.18/client/supervisor/virtual/clientset/versioned/scheme/register.go b/generated/1.18/client/supervisor/virtual/clientset/versioned/scheme/register.go new file mode 100644 index 00000000..81e95f84 --- /dev/null +++ b/generated/1.18/client/supervisor/virtual/clientset/versioned/scheme/register.go 
@@ -0,0 +1,43 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package scheme + +import ( + oauthv1alpha1 "go.pinniped.dev/generated/1.18/apis/supervisor/virtual/oauth/v1alpha1" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + runtime "k8s.io/apimachinery/pkg/runtime" + schema "k8s.io/apimachinery/pkg/runtime/schema" + serializer "k8s.io/apimachinery/pkg/runtime/serializer" + utilruntime "k8s.io/apimachinery/pkg/util/runtime" +) + +var Scheme = runtime.NewScheme() +var Codecs = serializer.NewCodecFactory(Scheme) +var ParameterCodec = runtime.NewParameterCodec(Scheme) +var localSchemeBuilder = runtime.SchemeBuilder{ + oauthv1alpha1.AddToScheme, +} + +// AddToScheme adds all types of this clientset into the given scheme. This allows composition +// of clientsets, like in: +// +// import ( +// "k8s.io/client-go/kubernetes" +// clientsetscheme "k8s.io/client-go/kubernetes/scheme" +// aggregatorclientsetscheme "k8s.io/kube-aggregator/pkg/client/clientset_generated/clientset/scheme" +// ) +// +// kclientset, _ := kubernetes.NewForConfig(c) +// _ = aggregatorclientsetscheme.AddToScheme(clientsetscheme.Scheme) +// +// After this, RawExtensions in Kubernetes types will serialize kube-aggregator types +// correctly. +var AddToScheme = localSchemeBuilder.AddToScheme + +func init() { + v1.AddToGroupVersion(Scheme, schema.GroupVersion{Version: "v1"}) + utilruntime.Must(AddToScheme(Scheme)) +} diff --git a/generated/1.18/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/doc.go b/generated/1.18/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/doc.go new file mode 100644 index 00000000..e7a470b6 --- /dev/null +++ b/generated/1.18/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/doc.go 
@@ -0,0 +1,7 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +// This package has the automatically generated typed clients. +package v1alpha1 diff --git a/generated/1.18/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go b/generated/1.18/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go new file mode 100644 index 00000000..7906901b --- /dev/null +++ b/generated/1.18/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go @@ -0,0 +1,7 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +// Package fake has the automatically generated clients. +package fake diff --git a/generated/1.18/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go b/generated/1.18/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go new file mode 100644 index 00000000..99987eec --- /dev/null +++ b/generated/1.18/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go 
@@ -0,0 +1,27 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package fake + +import ( + v1alpha1 "go.pinniped.dev/generated/1.18/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1" + rest "k8s.io/client-go/rest" + testing "k8s.io/client-go/testing" +) + +type FakeOauthV1alpha1 struct { + *testing.Fake +} + +func (c *FakeOauthV1alpha1) OIDCClientSecretRequests(namespace string) v1alpha1.OIDCClientSecretRequestInterface { + return &FakeOIDCClientSecretRequests{c, namespace} +} + +// RESTClient returns a RESTClient that is used to communicate +// with API server by this client implementation. +func (c *FakeOauthV1alpha1) RESTClient() rest.Interface { + var ret *rest.RESTClient + return ret +} diff --git a/generated/1.18/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oidcclientsecretrequest.go b/generated/1.18/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oidcclientsecretrequest.go new file mode 100644 index 00000000..8094fcf0 --- /dev/null +++ b/generated/1.18/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oidcclientsecretrequest.go 
@@ -0,0 +1,36 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package fake + +import ( + "context" + + v1alpha1 "go.pinniped.dev/generated/1.18/apis/supervisor/virtual/oauth/v1alpha1" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + schema "k8s.io/apimachinery/pkg/runtime/schema" + testing "k8s.io/client-go/testing" +) + +// FakeOIDCClientSecretRequests implements OIDCClientSecretRequestInterface +type FakeOIDCClientSecretRequests struct { + Fake *FakeOauthV1alpha1 + ns string +} + +var oidcclientsecretrequestsResource = schema.GroupVersionResource{Group: "oauth.virtual.supervisor.pinniped.dev", Version: "v1alpha1", Resource: "oidcclientsecretrequests"} + +var oidcclientsecretrequestsKind = schema.GroupVersionKind{Group: "oauth.virtual.supervisor.pinniped.dev", Version: "v1alpha1", Kind: "OIDCClientSecretRequest"} + +// Create takes the representation of a oIDCClientSecretRequest and creates it. Returns the server's representation of the oIDCClientSecretRequest, and an error, if there is any. +func (c *FakeOIDCClientSecretRequests) Create(ctx context.Context, oIDCClientSecretRequest *v1alpha1.OIDCClientSecretRequest, opts v1.CreateOptions) (result *v1alpha1.OIDCClientSecretRequest, err error) { + obj, err := c.Fake. + Invokes(testing.NewCreateAction(oidcclientsecretrequestsResource, c.ns, oIDCClientSecretRequest), &v1alpha1.OIDCClientSecretRequest{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.OIDCClientSecretRequest), err +} diff --git a/generated/1.18/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go b/generated/1.18/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go new file mode 100644 index 00000000..427a2ad8 --- /dev/null +++ b/generated/1.18/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go 
@@ -0,0 +1,8 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package v1alpha1 + +type OIDCClientSecretRequestExpansion interface{} diff --git a/generated/1.18/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go b/generated/1.18/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go new file mode 100644 index 00000000..9d839dfb --- /dev/null +++ b/generated/1.18/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go 
@@ -0,0 +1,76 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + v1alpha1 "go.pinniped.dev/generated/1.18/apis/supervisor/virtual/oauth/v1alpha1" + "go.pinniped.dev/generated/1.18/client/supervisor/virtual/clientset/versioned/scheme" + rest "k8s.io/client-go/rest" +) + +type OauthV1alpha1Interface interface { + RESTClient() rest.Interface + OIDCClientSecretRequestsGetter +} + +// OauthV1alpha1Client is used to interact with features provided by the oauth.virtual.supervisor.pinniped.dev group. +type OauthV1alpha1Client struct { + restClient rest.Interface +} + +func (c *OauthV1alpha1Client) OIDCClientSecretRequests(namespace string) OIDCClientSecretRequestInterface { + return newOIDCClientSecretRequests(c, namespace) +} + +// NewForConfig creates a new OauthV1alpha1Client for the given config. +func NewForConfig(c *rest.Config) (*OauthV1alpha1Client, error) { + config := *c + if err := setConfigDefaults(&config); err != nil { + return nil, err + } + client, err := rest.RESTClientFor(&config) + if err != nil { + return nil, err + } + return &OauthV1alpha1Client{client}, nil +} + +// NewForConfigOrDie creates a new OauthV1alpha1Client for the given config and +// panics if there is an error in the config. +func NewForConfigOrDie(c *rest.Config) *OauthV1alpha1Client { + client, err := NewForConfig(c) + if err != nil { + panic(err) + } + return client +} + +// New creates a new OauthV1alpha1Client for the given RESTClient. 
+func New(c rest.Interface) *OauthV1alpha1Client { + return &OauthV1alpha1Client{c} +} + +func setConfigDefaults(config *rest.Config) error { + gv := v1alpha1.SchemeGroupVersion + config.GroupVersion = &gv + config.APIPath = "/apis" + config.NegotiatedSerializer = scheme.Codecs.WithoutConversion() + + if config.UserAgent == "" { + config.UserAgent = rest.DefaultKubernetesUserAgent() + } + + return nil +} + +// RESTClient returns a RESTClient that is used to communicate +// with API server by this client implementation. +func (c *OauthV1alpha1Client) RESTClient() rest.Interface { + if c == nil { + return nil + } + return c.restClient +} diff --git a/generated/1.18/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/oidcclientsecretrequest.go b/generated/1.18/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/oidcclientsecretrequest.go new file mode 100644 index 00000000..c4382045 --- /dev/null +++ b/generated/1.18/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/oidcclientsecretrequest.go 
@@ -0,0 +1,54 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + "context" + + v1alpha1 "go.pinniped.dev/generated/1.18/apis/supervisor/virtual/oauth/v1alpha1" + scheme "go.pinniped.dev/generated/1.18/client/supervisor/virtual/clientset/versioned/scheme" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + rest "k8s.io/client-go/rest" +) + +// OIDCClientSecretRequestsGetter has a method to return a OIDCClientSecretRequestInterface. +// A group's client should implement this interface. +type OIDCClientSecretRequestsGetter interface { + OIDCClientSecretRequests(namespace string) OIDCClientSecretRequestInterface +} + +// OIDCClientSecretRequestInterface has methods to work with OIDCClientSecretRequest resources. +type OIDCClientSecretRequestInterface interface { + Create(ctx context.Context, oIDCClientSecretRequest *v1alpha1.OIDCClientSecretRequest, opts v1.CreateOptions) (*v1alpha1.OIDCClientSecretRequest, error) + OIDCClientSecretRequestExpansion +} + +// oIDCClientSecretRequests implements OIDCClientSecretRequestInterface +type oIDCClientSecretRequests struct { + client rest.Interface + ns string +} + +// newOIDCClientSecretRequests returns a OIDCClientSecretRequests +func newOIDCClientSecretRequests(c *OauthV1alpha1Client, namespace string) *oIDCClientSecretRequests { + return &oIDCClientSecretRequests{ + client: c.RESTClient(), + ns: namespace, + } +} + +// Create takes the representation of a oIDCClientSecretRequest and creates it. Returns the server's representation of the oIDCClientSecretRequest, and an error, if there is any. +func (c *oIDCClientSecretRequests) Create(ctx context.Context, oIDCClientSecretRequest *v1alpha1.OIDCClientSecretRequest, opts v1.CreateOptions) (result *v1alpha1.OIDCClientSecretRequest, err error) { + result = &v1alpha1.OIDCClientSecretRequest{} + err = c.client.Post(). + Namespace(c.ns). 
+ Resource("oidcclientsecretrequests"). + VersionedParams(&opts, scheme.ParameterCodec). + Body(oIDCClientSecretRequest). + Do(ctx). + Into(result) + return +} diff --git a/generated/1.19/README.adoc b/generated/1.19/README.adoc index 6cd1eaa0..29d52abb 100644 --- a/generated/1.19/README.adoc +++ b/generated/1.19/README.adoc @@ -13,6 +13,8 @@ - xref:{anchor_prefix}-idp-supervisor-pinniped-dev-v1alpha1[$$idp.supervisor.pinniped.dev/v1alpha1$$] - xref:{anchor_prefix}-login-concierge-pinniped-dev-v1alpha1[$$login.concierge.pinniped.dev/v1alpha1$$] - xref:{anchor_prefix}-oauth-supervisor-pinniped-dev-v1alpha1[$$oauth.supervisor.pinniped.dev/v1alpha1$$] +- xref:{anchor_prefix}-oauth-virtual-supervisor-pinniped-dev-oauth[$$oauth.virtual.supervisor.pinniped.dev/oauth$$] +- xref:{anchor_prefix}-oauth-virtual-supervisor-pinniped-dev-v1alpha1[$$oauth.virtual.supervisor.pinniped.dev/v1alpha1$$] [id="{anchor_prefix}-authentication-concierge-pinniped-dev-v1alpha1"] 
@@ -1386,3 +1388,95 @@ OIDCClientSpec is a struct that describes an OIDC Client. + +[id="{anchor_prefix}-oauth-virtual-supervisor-pinniped-dev-oauth"] +=== oauth.virtual.supervisor.pinniped.dev/oauth + +Package oauth is the internal version of the Pinniped virtual oauth API. + + + + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-virtual-oauth-oidcclientsecretrequestspec"] +==== OIDCClientSecretRequestSpec + + + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-virtual-oauth-oidcclientsecretrequest[$$OIDCClientSecretRequest$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`generateNewSecret`* __boolean__ | +| *`revokeOldSecrets`* __boolean__ | +|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-virtual-oauth-oidcclientsecretrequeststatus"] +==== OIDCClientSecretRequestStatus + + + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-virtual-oauth-oidcclientsecretrequest[$$OIDCClientSecretRequest$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`generatedSecret`* __string__ | +| *`totalClientSecrets`* __integer__ | +|=== + + + +[id="{anchor_prefix}-oauth-virtual-supervisor-pinniped-dev-v1alpha1"] +=== oauth.virtual.supervisor.pinniped.dev/v1alpha1 + +Package v1alpha1 is the v1alpha1 version of the Pinniped virtual oauth API. 
+ + + + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-virtual-oauth-v1alpha1-oidcclientsecretrequestspec"] +==== OIDCClientSecretRequestSpec + + + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-virtual-oauth-v1alpha1-oidcclientsecretrequest[$$OIDCClientSecretRequest$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`generateNewSecret`* __boolean__ | +| *`revokeOldSecrets`* __boolean__ | +|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-virtual-oauth-v1alpha1-oidcclientsecretrequeststatus"] +==== OIDCClientSecretRequestStatus + + + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-virtual-oauth-v1alpha1-oidcclientsecretrequest[$$OIDCClientSecretRequest$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`generatedSecret`* __string__ | +| *`totalClientSecrets`* __integer__ | +|=== + + diff --git a/generated/1.19/apis/supervisor/virtual/oauth/doc.go b/generated/1.19/apis/supervisor/virtual/oauth/doc.go new file mode 100644 index 00000000..ca4e9a63 --- /dev/null +++ b/generated/1.19/apis/supervisor/virtual/oauth/doc.go @@ -0,0 +1,8 @@ +// Copyright 2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// +k8s:deepcopy-gen=package +// +groupName=oauth.virtual.supervisor.pinniped.dev + +// Package oauth is the internal version of the Pinniped virtual oauth API. +package oauth diff --git a/generated/1.19/apis/supervisor/virtual/oauth/register.go b/generated/1.19/apis/supervisor/virtual/oauth/register.go new file mode 100644 index 00000000..a238d85f --- /dev/null +++ b/generated/1.19/apis/supervisor/virtual/oauth/register.go 
@@ -0,0 +1,37 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package oauth
+
+import (
+ "k8s.io/apimachinery/pkg/runtime"
+ "k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+const GroupName = "oauth.virtual.supervisor.pinniped.dev"
+
+// SchemeGroupVersion is group version used to register these objects.
+var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: runtime.APIVersionInternal}
+
+// Kind takes an unqualified kind and returns back a Group qualified GroupKind.
+func Kind(kind string) schema.GroupKind {
+ return SchemeGroupVersion.WithKind(kind).GroupKind()
+}
+
+// Resource takes an unqualified resource and returns back a Group qualified GroupResource.
+func Resource(resource string) schema.GroupResource {
+ return SchemeGroupVersion.WithResource(resource).GroupResource()
+}
+
+var (
+ SchemeBuilder = runtime.NewSchemeBuilder(addKnownTypes)
+ AddToScheme = SchemeBuilder.AddToScheme
+)
+
+// Adds the list of known types to the given scheme.
+func addKnownTypes(scheme *runtime.Scheme) error {
+ scheme.AddKnownTypes(SchemeGroupVersion,
+ &OIDCClientSecretRequest{},
+ )
+ return nil
+}
diff --git a/generated/1.19/apis/supervisor/virtual/oauth/types_oidcclientsecretrequest.go b/generated/1.19/apis/supervisor/virtual/oauth/types_oidcclientsecretrequest.go
new file mode 100644
index 00000000..ac54a93c
--- /dev/null
+++ b/generated/1.19/apis/supervisor/virtual/oauth/types_oidcclientsecretrequest.go
@@ -0,0 +1,25 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package oauth
+
+import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+type OIDCClientSecretRequestSpec struct {
+ GenerateNewSecret bool `json:"generateNewSecret"`
+ RevokeOldSecrets bool `json:"revokeOldSecrets"`
+}
+
+type OIDCClientSecretRequestStatus struct {
+ GeneratedSecret string `json:"generatedSecret,omitempty"`
+ TotalClientSecrets int `json:"totalClientSecrets"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+type OIDCClientSecretRequest struct {
+ metav1.TypeMeta `json:",inline"`
+ metav1.ObjectMeta `json:"metadata,omitempty"` // metadata.name must be set to the client ID
+
+ Spec OIDCClientSecretRequestSpec `json:"spec"`
+ Status OIDCClientSecretRequestStatus `json:"status"`
+}
diff --git a/generated/1.19/apis/supervisor/virtual/oauth/v1alpha1/conversion.go b/generated/1.19/apis/supervisor/virtual/oauth/v1alpha1/conversion.go
new file mode 100644
index 00000000..fcf4e82f
--- /dev/null
+++ b/generated/1.19/apis/supervisor/virtual/oauth/v1alpha1/conversion.go
@@ -0,0 +1,4 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
diff --git a/generated/1.19/apis/supervisor/virtual/oauth/v1alpha1/defaults.go b/generated/1.19/apis/supervisor/virtual/oauth/v1alpha1/defaults.go
new file mode 100644
index 00000000..d4f5a9e8
--- /dev/null
+++ b/generated/1.19/apis/supervisor/virtual/oauth/v1alpha1/defaults.go
@@ -0,0 +1,12 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import (
+ "k8s.io/apimachinery/pkg/runtime"
+)
+
+func addDefaultingFuncs(scheme *runtime.Scheme) error {
+ return RegisterDefaults(scheme)
+}
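Review bot: `TotalClientSecrets int` in `OIDCClientSecretRequestStatus` uses an unsized integer, while Kubernetes API conventions require fixed-width integers in API types, so it should read `TotalClientSecrets int32 `json:"totalClientSecrets"``; the same field appears in the v1alpha1 copy of this file later in this patch. None of the exported types or fields in this hunk carries a doc comment, which is why the README tables generated in this same commit show an empty Description column for every field; a one-line comment per type and field would fix both. `GeneratedSecret` carries a client secret in plaintext, so its comment should state the value's intended lifetime — if, as the package's placement under `virtual` suggests, the secret is only handed back in the response to this request and not stored in this object, say so, e.g. `// GeneratedSecret is the newly generated client secret; it is only returned in the response to this request.`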
diff --git a/generated/1.19/apis/supervisor/virtual/oauth/v1alpha1/doc.go b/generated/1.19/apis/supervisor/virtual/oauth/v1alpha1/doc.go
new file mode 100644
index 00000000..49c85a15
--- /dev/null
+++ b/generated/1.19/apis/supervisor/virtual/oauth/v1alpha1/doc.go
@@ -0,0 +1,11 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// +k8s:openapi-gen=true
+// +k8s:deepcopy-gen=package
+// +k8s:conversion-gen=go.pinniped.dev/generated/1.19/apis/supervisor/virtual/oauth
+// +k8s:defaulter-gen=TypeMeta
+// +groupName=oauth.virtual.supervisor.pinniped.dev
+
+// Package v1alpha1 is the v1alpha1 version of the Pinniped virtual oauth API.
+package v1alpha1
diff --git a/generated/1.19/apis/supervisor/virtual/oauth/v1alpha1/register.go b/generated/1.19/apis/supervisor/virtual/oauth/v1alpha1/register.go
new file mode 100644
index 00000000..ecc75a08
--- /dev/null
+++ b/generated/1.19/apis/supervisor/virtual/oauth/v1alpha1/register.go
@@ -0,0 +1,42 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import (
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/apimachinery/pkg/runtime"
+ "k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+const GroupName = "oauth.virtual.supervisor.pinniped.dev"
+
+// SchemeGroupVersion is group version used to register these objects.
+var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha1"}
+
+var (
+ SchemeBuilder runtime.SchemeBuilder
+ localSchemeBuilder = &SchemeBuilder
+ AddToScheme = SchemeBuilder.AddToScheme
+)
+
+func init() {
+ // We only register manually written functions here. The registration of the
+ // generated functions takes place in the generated files. The separation
+ // makes the code compile even when the generated files are missing.
+ localSchemeBuilder.Register(addKnownTypes, addDefaultingFuncs)
+}
+
+// Adds the list of known types to the given scheme.
+func addKnownTypes(scheme *runtime.Scheme) error {
+ scheme.AddKnownTypes(SchemeGroupVersion,
+ &OIDCClientSecretRequest{},
+ )
+ metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
+ return nil
+}
+
+// Resource takes an unqualified resource and returns back a Group qualified GroupResource.
+func Resource(resource string) schema.GroupResource {
+ return SchemeGroupVersion.WithResource(resource).GroupResource()
+}
diff --git a/generated/1.19/apis/supervisor/virtual/oauth/v1alpha1/types_oidcclientsecretrequest.go b/generated/1.19/apis/supervisor/virtual/oauth/v1alpha1/types_oidcclientsecretrequest.go
new file mode 100644
index 00000000..dda2f3bb
--- /dev/null
+++ b/generated/1.19/apis/supervisor/virtual/oauth/v1alpha1/types_oidcclientsecretrequest.go
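Review bot: The doc comment on `addKnownTypes` does not begin with the function name, and the exported `GroupName`, `SchemeBuilder` and `AddToScheme` carry no doc comments at all, which the usual Go linters flag on exported identifiers. I would change it to `// addKnownTypes adds the list of known types to the given scheme.` and add `// GroupName is the API group served by this package.` above the const. Registering only `OIDCClientSecretRequest` with no list type is consistent with the create-only `+genclient:onlyVerbs=create` marker on the v1alpha1 type, so that part looks intentional.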
@@ -0,0 +1,28 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+type OIDCClientSecretRequestSpec struct {
+ GenerateNewSecret bool `json:"generateNewSecret"`
+ RevokeOldSecrets bool `json:"revokeOldSecrets"`
+}
+
+type OIDCClientSecretRequestStatus struct {
+ GeneratedSecret string `json:"generatedSecret,omitempty"`
+ TotalClientSecrets int `json:"totalClientSecrets"`
+}
+
+// +genclient
+// +genclient:onlyVerbs=create
+// +kubebuilder:subresource:status
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+type OIDCClientSecretRequest struct {
+ metav1.TypeMeta `json:",inline"`
+ metav1.ObjectMeta `json:"metadata,omitempty"` // metadata.name must be set to the client ID
+
+ Spec OIDCClientSecretRequestSpec `json:"spec"`
+ Status OIDCClientSecretRequestStatus `json:"status"`
+}
diff --git a/generated/1.19/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.conversion.go b/generated/1.19/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.conversion.go
new file mode 100644
index 00000000..ae93108c
--- /dev/null
+++ b/generated/1.19/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.conversion.go
@@ -0,0 +1,131 @@ +//go:build !ignore_autogenerated +// +build !ignore_autogenerated + +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by conversion-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + oauth "go.pinniped.dev/generated/1.19/apis/supervisor/virtual/oauth" + conversion "k8s.io/apimachinery/pkg/conversion" + runtime "k8s.io/apimachinery/pkg/runtime" +) + +func init() { + localSchemeBuilder.Register(RegisterConversions) +} + +// RegisterConversions adds conversion functions to the given scheme. +// Public to allow building arbitrary schemes. +func RegisterConversions(s *runtime.Scheme) error { + if err := s.AddGeneratedConversionFunc((*OIDCClientSecretRequest)(nil), (*oauth.OIDCClientSecretRequest)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_v1alpha1_OIDCClientSecretRequest_To_oauth_OIDCClientSecretRequest(a.(*OIDCClientSecretRequest), b.(*oauth.OIDCClientSecretRequest), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*oauth.OIDCClientSecretRequest)(nil), (*OIDCClientSecretRequest)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_oauth_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest(a.(*oauth.OIDCClientSecretRequest), b.(*OIDCClientSecretRequest), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*OIDCClientSecretRequestSpec)(nil), (*oauth.OIDCClientSecretRequestSpec)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_v1alpha1_OIDCClientSecretRequestSpec_To_oauth_OIDCClientSecretRequestSpec(a.(*OIDCClientSecretRequestSpec), b.(*oauth.OIDCClientSecretRequestSpec), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*oauth.OIDCClientSecretRequestSpec)(nil), (*OIDCClientSecretRequestSpec)(nil), func(a, b interface{}, scope conversion.Scope) error { + return 
Convert_oauth_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec(a.(*oauth.OIDCClientSecretRequestSpec), b.(*OIDCClientSecretRequestSpec), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*OIDCClientSecretRequestStatus)(nil), (*oauth.OIDCClientSecretRequestStatus)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_v1alpha1_OIDCClientSecretRequestStatus_To_oauth_OIDCClientSecretRequestStatus(a.(*OIDCClientSecretRequestStatus), b.(*oauth.OIDCClientSecretRequestStatus), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*oauth.OIDCClientSecretRequestStatus)(nil), (*OIDCClientSecretRequestStatus)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_oauth_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus(a.(*oauth.OIDCClientSecretRequestStatus), b.(*OIDCClientSecretRequestStatus), scope) + }); err != nil { + return err + } + return nil +} + +func autoConvert_v1alpha1_OIDCClientSecretRequest_To_oauth_OIDCClientSecretRequest(in *OIDCClientSecretRequest, out *oauth.OIDCClientSecretRequest, s conversion.Scope) error { + out.ObjectMeta = in.ObjectMeta + if err := Convert_v1alpha1_OIDCClientSecretRequestSpec_To_oauth_OIDCClientSecretRequestSpec(&in.Spec, &out.Spec, s); err != nil { + return err + } + if err := Convert_v1alpha1_OIDCClientSecretRequestStatus_To_oauth_OIDCClientSecretRequestStatus(&in.Status, &out.Status, s); err != nil { + return err + } + return nil +} + +// Convert_v1alpha1_OIDCClientSecretRequest_To_oauth_OIDCClientSecretRequest is an autogenerated conversion function. 
+func Convert_v1alpha1_OIDCClientSecretRequest_To_oauth_OIDCClientSecretRequest(in *OIDCClientSecretRequest, out *oauth.OIDCClientSecretRequest, s conversion.Scope) error { + return autoConvert_v1alpha1_OIDCClientSecretRequest_To_oauth_OIDCClientSecretRequest(in, out, s) +} + +func autoConvert_oauth_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest(in *oauth.OIDCClientSecretRequest, out *OIDCClientSecretRequest, s conversion.Scope) error { + out.ObjectMeta = in.ObjectMeta + if err := Convert_oauth_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec(&in.Spec, &out.Spec, s); err != nil { + return err + } + if err := Convert_oauth_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus(&in.Status, &out.Status, s); err != nil { + return err + } + return nil +} + +// Convert_oauth_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest is an autogenerated conversion function. +func Convert_oauth_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest(in *oauth.OIDCClientSecretRequest, out *OIDCClientSecretRequest, s conversion.Scope) error { + return autoConvert_oauth_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest(in, out, s) +} + +func autoConvert_v1alpha1_OIDCClientSecretRequestSpec_To_oauth_OIDCClientSecretRequestSpec(in *OIDCClientSecretRequestSpec, out *oauth.OIDCClientSecretRequestSpec, s conversion.Scope) error { + out.GenerateNewSecret = in.GenerateNewSecret + out.RevokeOldSecrets = in.RevokeOldSecrets + return nil +} + +// Convert_v1alpha1_OIDCClientSecretRequestSpec_To_oauth_OIDCClientSecretRequestSpec is an autogenerated conversion function. 
+func Convert_v1alpha1_OIDCClientSecretRequestSpec_To_oauth_OIDCClientSecretRequestSpec(in *OIDCClientSecretRequestSpec, out *oauth.OIDCClientSecretRequestSpec, s conversion.Scope) error { + return autoConvert_v1alpha1_OIDCClientSecretRequestSpec_To_oauth_OIDCClientSecretRequestSpec(in, out, s) +} + +func autoConvert_oauth_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec(in *oauth.OIDCClientSecretRequestSpec, out *OIDCClientSecretRequestSpec, s conversion.Scope) error { + out.GenerateNewSecret = in.GenerateNewSecret + out.RevokeOldSecrets = in.RevokeOldSecrets + return nil +} + +// Convert_oauth_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec is an autogenerated conversion function. +func Convert_oauth_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec(in *oauth.OIDCClientSecretRequestSpec, out *OIDCClientSecretRequestSpec, s conversion.Scope) error { + return autoConvert_oauth_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec(in, out, s) +} + +func autoConvert_v1alpha1_OIDCClientSecretRequestStatus_To_oauth_OIDCClientSecretRequestStatus(in *OIDCClientSecretRequestStatus, out *oauth.OIDCClientSecretRequestStatus, s conversion.Scope) error { + out.GeneratedSecret = in.GeneratedSecret + out.TotalClientSecrets = in.TotalClientSecrets + return nil +} + +// Convert_v1alpha1_OIDCClientSecretRequestStatus_To_oauth_OIDCClientSecretRequestStatus is an autogenerated conversion function. 
+func Convert_v1alpha1_OIDCClientSecretRequestStatus_To_oauth_OIDCClientSecretRequestStatus(in *OIDCClientSecretRequestStatus, out *oauth.OIDCClientSecretRequestStatus, s conversion.Scope) error { + return autoConvert_v1alpha1_OIDCClientSecretRequestStatus_To_oauth_OIDCClientSecretRequestStatus(in, out, s) +} + +func autoConvert_oauth_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus(in *oauth.OIDCClientSecretRequestStatus, out *OIDCClientSecretRequestStatus, s conversion.Scope) error { + out.GeneratedSecret = in.GeneratedSecret + out.TotalClientSecrets = in.TotalClientSecrets + return nil +} + +// Convert_oauth_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus is an autogenerated conversion function. +func Convert_oauth_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus(in *oauth.OIDCClientSecretRequestStatus, out *OIDCClientSecretRequestStatus, s conversion.Scope) error { + return autoConvert_oauth_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus(in, out, s) +} diff --git a/generated/1.19/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.deepcopy.go b/generated/1.19/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.deepcopy.go new file mode 100644 index 00000000..e4fce842 --- /dev/null +++ b/generated/1.19/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.deepcopy.go 
@@ -0,0 +1,73 @@ +//go:build !ignore_autogenerated +// +build !ignore_autogenerated + +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by deepcopy-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + runtime "k8s.io/apimachinery/pkg/runtime" +) + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCClientSecretRequest) DeepCopyInto(out *OIDCClientSecretRequest) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + out.Spec = in.Spec + out.Status = in.Status + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSecretRequest. +func (in *OIDCClientSecretRequest) DeepCopy() *OIDCClientSecretRequest { + if in == nil { + return nil + } + out := new(OIDCClientSecretRequest) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *OIDCClientSecretRequest) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCClientSecretRequestSpec) DeepCopyInto(out *OIDCClientSecretRequestSpec) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSecretRequestSpec. +func (in *OIDCClientSecretRequestSpec) DeepCopy() *OIDCClientSecretRequestSpec { + if in == nil { + return nil + } + out := new(OIDCClientSecretRequestSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *OIDCClientSecretRequestStatus) DeepCopyInto(out *OIDCClientSecretRequestStatus) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSecretRequestStatus. +func (in *OIDCClientSecretRequestStatus) DeepCopy() *OIDCClientSecretRequestStatus { + if in == nil { + return nil + } + out := new(OIDCClientSecretRequestStatus) + in.DeepCopyInto(out) + return out +} diff --git a/generated/1.19/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.defaults.go b/generated/1.19/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.defaults.go new file mode 100644 index 00000000..9097a935 --- /dev/null +++ b/generated/1.19/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.defaults.go @@ -0,0 +1,20 @@ +//go:build !ignore_autogenerated +// +build !ignore_autogenerated + +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by defaulter-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + runtime "k8s.io/apimachinery/pkg/runtime" +) + +// RegisterDefaults adds defaulters functions to the given scheme. +// Public to allow building arbitrary schemes. +// All generated defaulters are covering - they call all nested defaulters. +func RegisterDefaults(scheme *runtime.Scheme) error { + return nil +} diff --git a/generated/1.19/apis/supervisor/virtual/oauth/zz_generated.deepcopy.go b/generated/1.19/apis/supervisor/virtual/oauth/zz_generated.deepcopy.go new file mode 100644 index 00000000..24b58e7b --- /dev/null +++ b/generated/1.19/apis/supervisor/virtual/oauth/zz_generated.deepcopy.go 
@@ -0,0 +1,73 @@ +//go:build !ignore_autogenerated +// +build !ignore_autogenerated + +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by deepcopy-gen. DO NOT EDIT. + +package oauth + +import ( + runtime "k8s.io/apimachinery/pkg/runtime" +) + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCClientSecretRequest) DeepCopyInto(out *OIDCClientSecretRequest) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + out.Spec = in.Spec + out.Status = in.Status + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSecretRequest. +func (in *OIDCClientSecretRequest) DeepCopy() *OIDCClientSecretRequest { + if in == nil { + return nil + } + out := new(OIDCClientSecretRequest) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *OIDCClientSecretRequest) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCClientSecretRequestSpec) DeepCopyInto(out *OIDCClientSecretRequestSpec) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSecretRequestSpec. +func (in *OIDCClientSecretRequestSpec) DeepCopy() *OIDCClientSecretRequestSpec { + if in == nil { + return nil + } + out := new(OIDCClientSecretRequestSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *OIDCClientSecretRequestStatus) DeepCopyInto(out *OIDCClientSecretRequestStatus) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSecretRequestStatus. +func (in *OIDCClientSecretRequestStatus) DeepCopy() *OIDCClientSecretRequestStatus { + if in == nil { + return nil + } + out := new(OIDCClientSecretRequestStatus) + in.DeepCopyInto(out) + return out +} diff --git a/generated/1.19/client/supervisor/virtual/clientset/versioned/clientset.go b/generated/1.19/client/supervisor/virtual/clientset/versioned/clientset.go new file mode 100644 index 00000000..b4890903 --- /dev/null +++ b/generated/1.19/client/supervisor/virtual/clientset/versioned/clientset.go 
@@ -0,0 +1,84 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package versioned + +import ( + "fmt" + + oauthv1alpha1 "go.pinniped.dev/generated/1.19/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1" + discovery "k8s.io/client-go/discovery" + rest "k8s.io/client-go/rest" + flowcontrol "k8s.io/client-go/util/flowcontrol" +) + +type Interface interface { + Discovery() discovery.DiscoveryInterface + OauthV1alpha1() oauthv1alpha1.OauthV1alpha1Interface +} + +// Clientset contains the clients for groups. Each group has exactly one +// version included in a Clientset. +type Clientset struct { + *discovery.DiscoveryClient + oauthV1alpha1 *oauthv1alpha1.OauthV1alpha1Client +} + +// OauthV1alpha1 retrieves the OauthV1alpha1Client +func (c *Clientset) OauthV1alpha1() oauthv1alpha1.OauthV1alpha1Interface { + return c.oauthV1alpha1 +} + +// Discovery retrieves the DiscoveryClient +func (c *Clientset) Discovery() discovery.DiscoveryInterface { + if c == nil { + return nil + } + return c.DiscoveryClient +} + +// NewForConfig creates a new Clientset for the given config. +// If config's RateLimiter is not set and QPS and Burst are acceptable, +// NewForConfig will generate a rate-limiter in configShallowCopy. 
+func NewForConfig(c *rest.Config) (*Clientset, error) { + configShallowCopy := *c + if configShallowCopy.RateLimiter == nil && configShallowCopy.QPS > 0 { + if configShallowCopy.Burst <= 0 { + return nil, fmt.Errorf("burst is required to be greater than 0 when RateLimiter is not set and QPS is set to greater than 0") + } + configShallowCopy.RateLimiter = flowcontrol.NewTokenBucketRateLimiter(configShallowCopy.QPS, configShallowCopy.Burst) + } + var cs Clientset + var err error + cs.oauthV1alpha1, err = oauthv1alpha1.NewForConfig(&configShallowCopy) + if err != nil { + return nil, err + } + + cs.DiscoveryClient, err = discovery.NewDiscoveryClientForConfig(&configShallowCopy) + if err != nil { + return nil, err + } + return &cs, nil +} + +// NewForConfigOrDie creates a new Clientset for the given config and +// panics if there is an error in the config. +func NewForConfigOrDie(c *rest.Config) *Clientset { + var cs Clientset + cs.oauthV1alpha1 = oauthv1alpha1.NewForConfigOrDie(c) + + cs.DiscoveryClient = discovery.NewDiscoveryClientForConfigOrDie(c) + return &cs +} + +// New creates a new Clientset for the given RESTClient. +func New(c rest.Interface) *Clientset { + var cs Clientset + cs.oauthV1alpha1 = oauthv1alpha1.New(c) + + cs.DiscoveryClient = discovery.NewDiscoveryClient(c) + return &cs +} diff --git a/generated/1.19/client/supervisor/virtual/clientset/versioned/doc.go b/generated/1.19/client/supervisor/virtual/clientset/versioned/doc.go new file mode 100644 index 00000000..5dc02e6e --- /dev/null +++ b/generated/1.19/client/supervisor/virtual/clientset/versioned/doc.go @@ -0,0 +1,7 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +// This package has the automatically generated clientset. +package versioned 
diff --git a/generated/1.19/client/supervisor/virtual/clientset/versioned/fake/clientset_generated.go b/generated/1.19/client/supervisor/virtual/clientset/versioned/fake/clientset_generated.go new file mode 100644 index 00000000..3686b807 --- /dev/null +++ b/generated/1.19/client/supervisor/virtual/clientset/versioned/fake/clientset_generated.go 
@@ -0,0 +1,69 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package fake + +import ( + clientset "go.pinniped.dev/generated/1.19/client/supervisor/virtual/clientset/versioned" + oauthv1alpha1 "go.pinniped.dev/generated/1.19/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1" + fakeoauthv1alpha1 "go.pinniped.dev/generated/1.19/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake" + "k8s.io/apimachinery/pkg/runtime" + "k8s.io/apimachinery/pkg/watch" + "k8s.io/client-go/discovery" + fakediscovery "k8s.io/client-go/discovery/fake" + "k8s.io/client-go/testing" +) + +// NewSimpleClientset returns a clientset that will respond with the provided objects. +// It's backed by a very simple object tracker that processes creates, updates and deletions as-is, +// without applying any validations and/or defaults. It shouldn't be considered a replacement +// for a real clientset and is mostly useful in simple unit tests. +func NewSimpleClientset(objects ...runtime.Object) *Clientset { + o := testing.NewObjectTracker(scheme, codecs.UniversalDecoder()) + for _, obj := range objects { + if err := o.Add(obj); err != nil { + panic(err) + } + } + + cs := &Clientset{tracker: o} + cs.discovery = &fakediscovery.FakeDiscovery{Fake: &cs.Fake} + cs.AddReactor("*", "*", testing.ObjectReaction(o)) + cs.AddWatchReactor("*", func(action testing.Action) (handled bool, ret watch.Interface, err error) { + gvr := action.GetResource() + ns := action.GetNamespace() + watch, err := o.Watch(gvr, ns) + if err != nil { + return false, nil, err + } + return true, watch, nil + }) + + return cs +} + +// Clientset implements clientset.Interface. Meant to be embedded into a +// struct to get a default implementation. This makes faking out just the method +// you want to test easier. 
+type Clientset struct { + testing.Fake + discovery *fakediscovery.FakeDiscovery + tracker testing.ObjectTracker +} + +func (c *Clientset) Discovery() discovery.DiscoveryInterface { + return c.discovery +} + +func (c *Clientset) Tracker() testing.ObjectTracker { + return c.tracker +} + +var _ clientset.Interface = &Clientset{} + +// OauthV1alpha1 retrieves the OauthV1alpha1Client +func (c *Clientset) OauthV1alpha1() oauthv1alpha1.OauthV1alpha1Interface { + return &fakeoauthv1alpha1.FakeOauthV1alpha1{Fake: &c.Fake} +} diff --git a/generated/1.19/client/supervisor/virtual/clientset/versioned/fake/doc.go b/generated/1.19/client/supervisor/virtual/clientset/versioned/fake/doc.go new file mode 100644 index 00000000..7c9538fd --- /dev/null +++ b/generated/1.19/client/supervisor/virtual/clientset/versioned/fake/doc.go @@ -0,0 +1,7 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +// This package has the automatically generated fake clientset. +package fake diff --git a/generated/1.19/client/supervisor/virtual/clientset/versioned/fake/register.go b/generated/1.19/client/supervisor/virtual/clientset/versioned/fake/register.go new file mode 100644 index 00000000..bec66892 --- /dev/null +++ b/generated/1.19/client/supervisor/virtual/clientset/versioned/fake/register.go 
@@ -0,0 +1,43 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package fake + +import ( + oauthv1alpha1 "go.pinniped.dev/generated/1.19/apis/supervisor/virtual/oauth/v1alpha1" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + runtime "k8s.io/apimachinery/pkg/runtime" + schema "k8s.io/apimachinery/pkg/runtime/schema" + serializer "k8s.io/apimachinery/pkg/runtime/serializer" + utilruntime "k8s.io/apimachinery/pkg/util/runtime" +) + +var scheme = runtime.NewScheme() +var codecs = serializer.NewCodecFactory(scheme) + +var localSchemeBuilder = runtime.SchemeBuilder{ + oauthv1alpha1.AddToScheme, +} + +// AddToScheme adds all types of this clientset into the given scheme. This allows composition +// of clientsets, like in: +// +// import ( +// "k8s.io/client-go/kubernetes" +// clientsetscheme "k8s.io/client-go/kubernetes/scheme" +// aggregatorclientsetscheme "k8s.io/kube-aggregator/pkg/client/clientset_generated/clientset/scheme" +// ) +// +// kclientset, _ := kubernetes.NewForConfig(c) +// _ = aggregatorclientsetscheme.AddToScheme(clientsetscheme.Scheme) +// +// After this, RawExtensions in Kubernetes types will serialize kube-aggregator types +// correctly. +var AddToScheme = localSchemeBuilder.AddToScheme + +func init() { + v1.AddToGroupVersion(scheme, schema.GroupVersion{Version: "v1"}) + utilruntime.Must(AddToScheme(scheme)) +} diff --git a/generated/1.19/client/supervisor/virtual/clientset/versioned/scheme/doc.go b/generated/1.19/client/supervisor/virtual/clientset/versioned/scheme/doc.go new file mode 100644 index 00000000..cc02f1d3 --- /dev/null +++ b/generated/1.19/client/supervisor/virtual/clientset/versioned/scheme/doc.go 
@@ -0,0 +1,7 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +// This package contains the scheme of the automatically generated clientset. +package scheme diff --git a/generated/1.19/client/supervisor/virtual/clientset/versioned/scheme/register.go b/generated/1.19/client/supervisor/virtual/clientset/versioned/scheme/register.go new file mode 100644 index 00000000..da92b144 --- /dev/null +++ b/generated/1.19/client/supervisor/virtual/clientset/versioned/scheme/register.go 
@@ -0,0 +1,43 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package scheme + +import ( + oauthv1alpha1 "go.pinniped.dev/generated/1.19/apis/supervisor/virtual/oauth/v1alpha1" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + runtime "k8s.io/apimachinery/pkg/runtime" + schema "k8s.io/apimachinery/pkg/runtime/schema" + serializer "k8s.io/apimachinery/pkg/runtime/serializer" + utilruntime "k8s.io/apimachinery/pkg/util/runtime" +) + +var Scheme = runtime.NewScheme() +var Codecs = serializer.NewCodecFactory(Scheme) +var ParameterCodec = runtime.NewParameterCodec(Scheme) +var localSchemeBuilder = runtime.SchemeBuilder{ + oauthv1alpha1.AddToScheme, +} + +// AddToScheme adds all types of this clientset into the given scheme. This allows composition +// of clientsets, like in: +// +// import ( +// "k8s.io/client-go/kubernetes" +// clientsetscheme "k8s.io/client-go/kubernetes/scheme" +// aggregatorclientsetscheme "k8s.io/kube-aggregator/pkg/client/clientset_generated/clientset/scheme" +// ) +// +// kclientset, _ := kubernetes.NewForConfig(c) +// _ = aggregatorclientsetscheme.AddToScheme(clientsetscheme.Scheme) +// +// After this, RawExtensions in Kubernetes types will serialize kube-aggregator types +// correctly. +var AddToScheme = localSchemeBuilder.AddToScheme + +func init() { + v1.AddToGroupVersion(Scheme, schema.GroupVersion{Version: "v1"}) + utilruntime.Must(AddToScheme(Scheme)) +} diff --git a/generated/1.19/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/doc.go b/generated/1.19/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/doc.go new file mode 100644 index 00000000..e7a470b6 --- /dev/null +++ b/generated/1.19/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/doc.go 
@@ -0,0 +1,7 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +// This package has the automatically generated typed clients. +package v1alpha1 diff --git a/generated/1.19/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go b/generated/1.19/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go new file mode 100644 index 00000000..7906901b --- /dev/null +++ b/generated/1.19/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go @@ -0,0 +1,7 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +// Package fake has the automatically generated clients. +package fake diff --git a/generated/1.19/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go b/generated/1.19/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go new file mode 100644 index 00000000..0220e89e --- /dev/null +++ b/generated/1.19/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go 
@@ -0,0 +1,27 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package fake + +import ( + v1alpha1 "go.pinniped.dev/generated/1.19/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1" + rest "k8s.io/client-go/rest" + testing "k8s.io/client-go/testing" +) + +type FakeOauthV1alpha1 struct { + *testing.Fake +} + +func (c *FakeOauthV1alpha1) OIDCClientSecretRequests(namespace string) v1alpha1.OIDCClientSecretRequestInterface { + return &FakeOIDCClientSecretRequests{c, namespace} +} + +// RESTClient returns a RESTClient that is used to communicate +// with API server by this client implementation. +func (c *FakeOauthV1alpha1) RESTClient() rest.Interface { + var ret *rest.RESTClient + return ret +} diff --git a/generated/1.19/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oidcclientsecretrequest.go b/generated/1.19/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oidcclientsecretrequest.go new file mode 100644 index 00000000..6560769b --- /dev/null +++ b/generated/1.19/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oidcclientsecretrequest.go 
@@ -0,0 +1,36 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package fake + +import ( + "context" + + v1alpha1 "go.pinniped.dev/generated/1.19/apis/supervisor/virtual/oauth/v1alpha1" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + schema "k8s.io/apimachinery/pkg/runtime/schema" + testing "k8s.io/client-go/testing" +) + +// FakeOIDCClientSecretRequests implements OIDCClientSecretRequestInterface +type FakeOIDCClientSecretRequests struct { + Fake *FakeOauthV1alpha1 + ns string +} + +var oidcclientsecretrequestsResource = schema.GroupVersionResource{Group: "oauth.virtual.supervisor.pinniped.dev", Version: "v1alpha1", Resource: "oidcclientsecretrequests"} + +var oidcclientsecretrequestsKind = schema.GroupVersionKind{Group: "oauth.virtual.supervisor.pinniped.dev", Version: "v1alpha1", Kind: "OIDCClientSecretRequest"} + +// Create takes the representation of a oIDCClientSecretRequest and creates it. Returns the server's representation of the oIDCClientSecretRequest, and an error, if there is any. +func (c *FakeOIDCClientSecretRequests) Create(ctx context.Context, oIDCClientSecretRequest *v1alpha1.OIDCClientSecretRequest, opts v1.CreateOptions) (result *v1alpha1.OIDCClientSecretRequest, err error) { + obj, err := c.Fake. + Invokes(testing.NewCreateAction(oidcclientsecretrequestsResource, c.ns, oIDCClientSecretRequest), &v1alpha1.OIDCClientSecretRequest{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.OIDCClientSecretRequest), err +} diff --git a/generated/1.19/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go b/generated/1.19/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go new file mode 100644 index 00000000..427a2ad8 --- /dev/null +++ b/generated/1.19/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go 
@@ -0,0 +1,8 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package v1alpha1 + +type OIDCClientSecretRequestExpansion interface{} diff --git a/generated/1.19/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go b/generated/1.19/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go new file mode 100644 index 00000000..f0d93b95 --- /dev/null +++ b/generated/1.19/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go 
@@ -0,0 +1,76 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + v1alpha1 "go.pinniped.dev/generated/1.19/apis/supervisor/virtual/oauth/v1alpha1" + "go.pinniped.dev/generated/1.19/client/supervisor/virtual/clientset/versioned/scheme" + rest "k8s.io/client-go/rest" +) + +type OauthV1alpha1Interface interface { + RESTClient() rest.Interface + OIDCClientSecretRequestsGetter +} + +// OauthV1alpha1Client is used to interact with features provided by the oauth.virtual.supervisor.pinniped.dev group. +type OauthV1alpha1Client struct { + restClient rest.Interface +} + +func (c *OauthV1alpha1Client) OIDCClientSecretRequests(namespace string) OIDCClientSecretRequestInterface { + return newOIDCClientSecretRequests(c, namespace) +} + +// NewForConfig creates a new OauthV1alpha1Client for the given config. +func NewForConfig(c *rest.Config) (*OauthV1alpha1Client, error) { + config := *c + if err := setConfigDefaults(&config); err != nil { + return nil, err + } + client, err := rest.RESTClientFor(&config) + if err != nil { + return nil, err + } + return &OauthV1alpha1Client{client}, nil +} + +// NewForConfigOrDie creates a new OauthV1alpha1Client for the given config and +// panics if there is an error in the config. +func NewForConfigOrDie(c *rest.Config) *OauthV1alpha1Client { + client, err := NewForConfig(c) + if err != nil { + panic(err) + } + return client +} + +// New creates a new OauthV1alpha1Client for the given RESTClient. 
+func New(c rest.Interface) *OauthV1alpha1Client { + return &OauthV1alpha1Client{c} +} + +func setConfigDefaults(config *rest.Config) error { + gv := v1alpha1.SchemeGroupVersion + config.GroupVersion = &gv + config.APIPath = "/apis" + config.NegotiatedSerializer = scheme.Codecs.WithoutConversion() + + if config.UserAgent == "" { + config.UserAgent = rest.DefaultKubernetesUserAgent() + } + + return nil +} + +// RESTClient returns a RESTClient that is used to communicate +// with API server by this client implementation. +func (c *OauthV1alpha1Client) RESTClient() rest.Interface { + if c == nil { + return nil + } + return c.restClient +} diff --git a/generated/1.19/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/oidcclientsecretrequest.go b/generated/1.19/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/oidcclientsecretrequest.go new file mode 100644 index 00000000..160ae6da --- /dev/null +++ b/generated/1.19/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/oidcclientsecretrequest.go 
@@ -0,0 +1,54 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + "context" + + v1alpha1 "go.pinniped.dev/generated/1.19/apis/supervisor/virtual/oauth/v1alpha1" + scheme "go.pinniped.dev/generated/1.19/client/supervisor/virtual/clientset/versioned/scheme" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + rest "k8s.io/client-go/rest" +) + +// OIDCClientSecretRequestsGetter has a method to return a OIDCClientSecretRequestInterface. +// A group's client should implement this interface. +type OIDCClientSecretRequestsGetter interface { + OIDCClientSecretRequests(namespace string) OIDCClientSecretRequestInterface +} + +// OIDCClientSecretRequestInterface has methods to work with OIDCClientSecretRequest resources. +type OIDCClientSecretRequestInterface interface { + Create(ctx context.Context, oIDCClientSecretRequest *v1alpha1.OIDCClientSecretRequest, opts v1.CreateOptions) (*v1alpha1.OIDCClientSecretRequest, error) + OIDCClientSecretRequestExpansion +} + +// oIDCClientSecretRequests implements OIDCClientSecretRequestInterface +type oIDCClientSecretRequests struct { + client rest.Interface + ns string +} + +// newOIDCClientSecretRequests returns a OIDCClientSecretRequests +func newOIDCClientSecretRequests(c *OauthV1alpha1Client, namespace string) *oIDCClientSecretRequests { + return &oIDCClientSecretRequests{ + client: c.RESTClient(), + ns: namespace, + } +} + +// Create takes the representation of a oIDCClientSecretRequest and creates it. Returns the server's representation of the oIDCClientSecretRequest, and an error, if there is any. +func (c *oIDCClientSecretRequests) Create(ctx context.Context, oIDCClientSecretRequest *v1alpha1.OIDCClientSecretRequest, opts v1.CreateOptions) (result *v1alpha1.OIDCClientSecretRequest, err error) { + result = &v1alpha1.OIDCClientSecretRequest{} + err = c.client.Post(). + Namespace(c.ns). 
+ Resource("oidcclientsecretrequests"). + VersionedParams(&opts, scheme.ParameterCodec). + Body(oIDCClientSecretRequest). + Do(ctx). + Into(result) + return +} diff --git a/generated/1.20/README.adoc b/generated/1.20/README.adoc index 1c559c9e..f58d5ad8 100644 --- a/generated/1.20/README.adoc +++ b/generated/1.20/README.adoc @@ -13,6 +13,8 @@ - xref:{anchor_prefix}-idp-supervisor-pinniped-dev-v1alpha1[$$idp.supervisor.pinniped.dev/v1alpha1$$] - xref:{anchor_prefix}-login-concierge-pinniped-dev-v1alpha1[$$login.concierge.pinniped.dev/v1alpha1$$] - xref:{anchor_prefix}-oauth-supervisor-pinniped-dev-v1alpha1[$$oauth.supervisor.pinniped.dev/v1alpha1$$] +- xref:{anchor_prefix}-oauth-virtual-supervisor-pinniped-dev-oauth[$$oauth.virtual.supervisor.pinniped.dev/oauth$$] +- xref:{anchor_prefix}-oauth-virtual-supervisor-pinniped-dev-v1alpha1[$$oauth.virtual.supervisor.pinniped.dev/v1alpha1$$] [id="{anchor_prefix}-authentication-concierge-pinniped-dev-v1alpha1"] 
@@ -1386,3 +1388,95 @@ OIDCClientSpec is a struct that describes an OIDC Client. + +[id="{anchor_prefix}-oauth-virtual-supervisor-pinniped-dev-oauth"] +=== oauth.virtual.supervisor.pinniped.dev/oauth + +Package oauth is the internal version of the Pinniped virtual oauth API. + + + + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-supervisor-virtual-oauth-oidcclientsecretrequestspec"] +==== OIDCClientSecretRequestSpec + + + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-supervisor-virtual-oauth-oidcclientsecretrequest[$$OIDCClientSecretRequest$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`generateNewSecret`* __boolean__ | +| *`revokeOldSecrets`* __boolean__ | +|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-supervisor-virtual-oauth-oidcclientsecretrequeststatus"] +==== OIDCClientSecretRequestStatus + + + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-supervisor-virtual-oauth-oidcclientsecretrequest[$$OIDCClientSecretRequest$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`generatedSecret`* __string__ | +| *`totalClientSecrets`* __integer__ | +|=== + + + +[id="{anchor_prefix}-oauth-virtual-supervisor-pinniped-dev-v1alpha1"] +=== oauth.virtual.supervisor.pinniped.dev/v1alpha1 + +Package v1alpha1 is the v1alpha1 version of the Pinniped virtual oauth API. 
+ + + + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-supervisor-virtual-oauth-v1alpha1-oidcclientsecretrequestspec"] +==== OIDCClientSecretRequestSpec + + + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-supervisor-virtual-oauth-v1alpha1-oidcclientsecretrequest[$$OIDCClientSecretRequest$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`generateNewSecret`* __boolean__ | +| *`revokeOldSecrets`* __boolean__ | +|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-supervisor-virtual-oauth-v1alpha1-oidcclientsecretrequeststatus"] +==== OIDCClientSecretRequestStatus + + + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-supervisor-virtual-oauth-v1alpha1-oidcclientsecretrequest[$$OIDCClientSecretRequest$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`generatedSecret`* __string__ | +| *`totalClientSecrets`* __integer__ | +|=== + + diff --git a/generated/1.20/apis/supervisor/virtual/oauth/doc.go b/generated/1.20/apis/supervisor/virtual/oauth/doc.go new file mode 100644 index 00000000..ca4e9a63 --- /dev/null +++ b/generated/1.20/apis/supervisor/virtual/oauth/doc.go @@ -0,0 +1,8 @@ +// Copyright 2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// +k8s:deepcopy-gen=package +// +groupName=oauth.virtual.supervisor.pinniped.dev + +// Package oauth is the internal version of the Pinniped virtual oauth API. +package oauth diff --git a/generated/1.20/apis/supervisor/virtual/oauth/register.go b/generated/1.20/apis/supervisor/virtual/oauth/register.go new file mode 100644 index 00000000..a238d85f --- /dev/null +++ b/generated/1.20/apis/supervisor/virtual/oauth/register.go 
@@ -0,0 +1,37 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package oauth
+
+import (
+ "k8s.io/apimachinery/pkg/runtime"
+ "k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+const GroupName = "oauth.virtual.supervisor.pinniped.dev"
+
+// SchemeGroupVersion is group version used to register these objects.
+var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: runtime.APIVersionInternal}
+
+// Kind takes an unqualified kind and returns back a Group qualified GroupKind.
+func Kind(kind string) schema.GroupKind {
+ return SchemeGroupVersion.WithKind(kind).GroupKind()
+}
+
+// Resource takes an unqualified resource and returns back a Group qualified GroupResource.
+func Resource(resource string) schema.GroupResource {
+ return SchemeGroupVersion.WithResource(resource).GroupResource()
+}
+
+var (
+ SchemeBuilder = runtime.NewSchemeBuilder(addKnownTypes)
+ AddToScheme = SchemeBuilder.AddToScheme
+)
+
+// Adds the list of known types to the given scheme.
+func addKnownTypes(scheme *runtime.Scheme) error {
+ scheme.AddKnownTypes(SchemeGroupVersion,
+ &OIDCClientSecretRequest{},
+ )
+ return nil
+}
diff --git a/generated/1.20/apis/supervisor/virtual/oauth/types_oidcclientsecretrequest.go b/generated/1.20/apis/supervisor/virtual/oauth/types_oidcclientsecretrequest.go
new file mode 100644
index 00000000..ac54a93c
--- /dev/null
+++ b/generated/1.20/apis/supervisor/virtual/oauth/types_oidcclientsecretrequest.go
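Review bot: `GroupName`, `SchemeBuilder` and `AddToScheme` are exported without doc comments, and the comment on `addKnownTypes` (`// Adds the list of known types to the given scheme.`) does not start with the function name, which golint/revive-style checks flag; the `register.go` added under the `v1alpha1` package in this commit has the same gaps. Suggested wording: `// GroupName is the API group of the Pinniped virtual oauth API.` and `// addKnownTypes adds the list of known types to the given scheme.`, with a one-liner each on `SchemeBuilder` and `AddToScheme` in the same `var` block. The internal package exports a `Kind` helper while the v1alpha1 package exports only `Resource`; that asymmetry is the usual k8s internal/versioned layout, so it needs no change.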
@@ -0,0 +1,25 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package oauth
+
+import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+type OIDCClientSecretRequestSpec struct {
+ GenerateNewSecret bool `json:"generateNewSecret"`
+ RevokeOldSecrets bool `json:"revokeOldSecrets"`
+}
+
+type OIDCClientSecretRequestStatus struct {
+ GeneratedSecret string `json:"generatedSecret,omitempty"`
+ TotalClientSecrets int `json:"totalClientSecrets"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+type OIDCClientSecretRequest struct {
+ metav1.TypeMeta `json:",inline"`
+ metav1.ObjectMeta `json:"metadata,omitempty"` // metadata.name must be set to the client ID
+
+ Spec OIDCClientSecretRequestSpec `json:"spec"`
+ Status OIDCClientSecretRequestStatus `json:"status"`
+}
diff --git a/generated/1.20/apis/supervisor/virtual/oauth/v1alpha1/conversion.go b/generated/1.20/apis/supervisor/virtual/oauth/v1alpha1/conversion.go
new file mode 100644
index 00000000..fcf4e82f
--- /dev/null
+++ b/generated/1.20/apis/supervisor/virtual/oauth/v1alpha1/conversion.go
@@ -0,0 +1,4 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
diff --git a/generated/1.20/apis/supervisor/virtual/oauth/v1alpha1/defaults.go b/generated/1.20/apis/supervisor/virtual/oauth/v1alpha1/defaults.go
new file mode 100644
index 00000000..d4f5a9e8
--- /dev/null
+++ b/generated/1.20/apis/supervisor/virtual/oauth/v1alpha1/defaults.go
@@ -0,0 +1,12 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import (
+ "k8s.io/apimachinery/pkg/runtime"
+)
+
+func addDefaultingFuncs(scheme *runtime.Scheme) error {
+ return RegisterDefaults(scheme)
+}
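Review bot: `OIDCClientSecretRequestSpec`, `OIDCClientSecretRequestStatus` and their fields have no doc comments, which is why the `README.adoc` updated in this same commit renders every Description cell for them empty; the `v1alpha1` copy of `types_oidcclientsecretrequest.go` has the same gap. `status.generatedSecret` is where this matters most, since it carries a plaintext credential in the API response: a field comment should state when it is populated and that callers must treat the response as sensitive, e.g. `// GeneratedSecret is the plaintext client secret produced by this request. Store it securely and do not log it; it is presumably not retrievable again through the API (confirm against the server implementation).` Worth a sentence on the struct doc as well that an audit policy at RequestResponse level will capture this response body. The trailing `// metadata.name must be set to the client ID` on `ObjectMeta` is invisible to the doc generator; move it into a doc comment on `OIDCClientSecretRequest` so it surfaces in the README.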
diff --git a/generated/1.20/apis/supervisor/virtual/oauth/v1alpha1/doc.go b/generated/1.20/apis/supervisor/virtual/oauth/v1alpha1/doc.go
new file mode 100644
index 00000000..009dec5a
--- /dev/null
+++ b/generated/1.20/apis/supervisor/virtual/oauth/v1alpha1/doc.go
@@ -0,0 +1,11 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// +k8s:openapi-gen=true
+// +k8s:deepcopy-gen=package
+// +k8s:conversion-gen=go.pinniped.dev/generated/1.20/apis/supervisor/virtual/oauth
+// +k8s:defaulter-gen=TypeMeta
+// +groupName=oauth.virtual.supervisor.pinniped.dev
+
+// Package v1alpha1 is the v1alpha1 version of the Pinniped virtual oauth API.
+package v1alpha1
diff --git a/generated/1.20/apis/supervisor/virtual/oauth/v1alpha1/register.go b/generated/1.20/apis/supervisor/virtual/oauth/v1alpha1/register.go
new file mode 100644
index 00000000..ecc75a08
--- /dev/null
+++ b/generated/1.20/apis/supervisor/virtual/oauth/v1alpha1/register.go
@@ -0,0 +1,42 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import (
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/apimachinery/pkg/runtime"
+ "k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+const GroupName = "oauth.virtual.supervisor.pinniped.dev"
+
+// SchemeGroupVersion is group version used to register these objects.
+var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha1"}
+
+var (
+ SchemeBuilder runtime.SchemeBuilder
+ localSchemeBuilder = &SchemeBuilder
+ AddToScheme = SchemeBuilder.AddToScheme
+)
+
+func init() {
+ // We only register manually written functions here. The registration of the
+ // generated functions takes place in the generated files. The separation
+ // makes the code compile even when the generated files are missing.
+ localSchemeBuilder.Register(addKnownTypes, addDefaultingFuncs)
+}
+
+// Adds the list of known types to the given scheme.
+func addKnownTypes(scheme *runtime.Scheme) error {
+ scheme.AddKnownTypes(SchemeGroupVersion,
+ &OIDCClientSecretRequest{},
+ )
+ metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
+ return nil
+}
+
+// Resource takes an unqualified resource and returns back a Group qualified GroupResource.
+func Resource(resource string) schema.GroupResource {
+ return SchemeGroupVersion.WithResource(resource).GroupResource()
+}
diff --git a/generated/1.20/apis/supervisor/virtual/oauth/v1alpha1/types_oidcclientsecretrequest.go b/generated/1.20/apis/supervisor/virtual/oauth/v1alpha1/types_oidcclientsecretrequest.go
new file mode 100644
index 00000000..dda2f3bb
--- /dev/null
+++ b/generated/1.20/apis/supervisor/virtual/oauth/v1alpha1/types_oidcclientsecretrequest.go
@@ -0,0 +1,28 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+type OIDCClientSecretRequestSpec struct {
+ GenerateNewSecret bool `json:"generateNewSecret"`
+ RevokeOldSecrets bool `json:"revokeOldSecrets"`
+}
+
+type OIDCClientSecretRequestStatus struct {
+ GeneratedSecret string `json:"generatedSecret,omitempty"`
+ TotalClientSecrets int `json:"totalClientSecrets"`
+}
+
+// +genclient
+// +genclient:onlyVerbs=create
+// +kubebuilder:subresource:status
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+type OIDCClientSecretRequest struct {
+ metav1.TypeMeta `json:",inline"`
+ metav1.ObjectMeta `json:"metadata,omitempty"` // metadata.name must be set to the client ID
+
+ Spec OIDCClientSecretRequestSpec `json:"spec"`
+ Status OIDCClientSecretRequestStatus `json:"status"`
+}
diff --git a/generated/1.20/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.conversion.go b/generated/1.20/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.conversion.go
new file mode 100644
index 00000000..b98d6b36
--- /dev/null
+++ b/generated/1.20/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.conversion.go
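Review bot: `// +kubebuilder:subresource:status` on `OIDCClientSecretRequest` is a controller-gen CRD marker, but the `oauth.virtual` group, the `+genclient:onlyVerbs=create` marker and the internal/versioned conversion layout in this commit all point to a type served by an aggregated (virtual) API, and this hunk shows no CRD being generated for the group. If no CRD is produced from this package the marker is inert and misleading; either drop it or add a comment naming the generator that consumes it. Keeping the generated client to `create` only is the right shape for a request/response resource whose response carries a secret, since it does not imply the object can be listed or fetched again through the client.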
@@ -0,0 +1,131 @@ +//go:build !ignore_autogenerated +// +build !ignore_autogenerated + +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by conversion-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + oauth "go.pinniped.dev/generated/1.20/apis/supervisor/virtual/oauth" + conversion "k8s.io/apimachinery/pkg/conversion" + runtime "k8s.io/apimachinery/pkg/runtime" +) + +func init() { + localSchemeBuilder.Register(RegisterConversions) +} + +// RegisterConversions adds conversion functions to the given scheme. +// Public to allow building arbitrary schemes. +func RegisterConversions(s *runtime.Scheme) error { + if err := s.AddGeneratedConversionFunc((*OIDCClientSecretRequest)(nil), (*oauth.OIDCClientSecretRequest)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_v1alpha1_OIDCClientSecretRequest_To_oauth_OIDCClientSecretRequest(a.(*OIDCClientSecretRequest), b.(*oauth.OIDCClientSecretRequest), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*oauth.OIDCClientSecretRequest)(nil), (*OIDCClientSecretRequest)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_oauth_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest(a.(*oauth.OIDCClientSecretRequest), b.(*OIDCClientSecretRequest), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*OIDCClientSecretRequestSpec)(nil), (*oauth.OIDCClientSecretRequestSpec)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_v1alpha1_OIDCClientSecretRequestSpec_To_oauth_OIDCClientSecretRequestSpec(a.(*OIDCClientSecretRequestSpec), b.(*oauth.OIDCClientSecretRequestSpec), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*oauth.OIDCClientSecretRequestSpec)(nil), (*OIDCClientSecretRequestSpec)(nil), func(a, b interface{}, scope conversion.Scope) error { + return 
Convert_oauth_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec(a.(*oauth.OIDCClientSecretRequestSpec), b.(*OIDCClientSecretRequestSpec), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*OIDCClientSecretRequestStatus)(nil), (*oauth.OIDCClientSecretRequestStatus)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_v1alpha1_OIDCClientSecretRequestStatus_To_oauth_OIDCClientSecretRequestStatus(a.(*OIDCClientSecretRequestStatus), b.(*oauth.OIDCClientSecretRequestStatus), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*oauth.OIDCClientSecretRequestStatus)(nil), (*OIDCClientSecretRequestStatus)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_oauth_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus(a.(*oauth.OIDCClientSecretRequestStatus), b.(*OIDCClientSecretRequestStatus), scope) + }); err != nil { + return err + } + return nil +} + +func autoConvert_v1alpha1_OIDCClientSecretRequest_To_oauth_OIDCClientSecretRequest(in *OIDCClientSecretRequest, out *oauth.OIDCClientSecretRequest, s conversion.Scope) error { + out.ObjectMeta = in.ObjectMeta + if err := Convert_v1alpha1_OIDCClientSecretRequestSpec_To_oauth_OIDCClientSecretRequestSpec(&in.Spec, &out.Spec, s); err != nil { + return err + } + if err := Convert_v1alpha1_OIDCClientSecretRequestStatus_To_oauth_OIDCClientSecretRequestStatus(&in.Status, &out.Status, s); err != nil { + return err + } + return nil +} + +// Convert_v1alpha1_OIDCClientSecretRequest_To_oauth_OIDCClientSecretRequest is an autogenerated conversion function. 
+func Convert_v1alpha1_OIDCClientSecretRequest_To_oauth_OIDCClientSecretRequest(in *OIDCClientSecretRequest, out *oauth.OIDCClientSecretRequest, s conversion.Scope) error { + return autoConvert_v1alpha1_OIDCClientSecretRequest_To_oauth_OIDCClientSecretRequest(in, out, s) +} + +func autoConvert_oauth_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest(in *oauth.OIDCClientSecretRequest, out *OIDCClientSecretRequest, s conversion.Scope) error { + out.ObjectMeta = in.ObjectMeta + if err := Convert_oauth_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec(&in.Spec, &out.Spec, s); err != nil { + return err + } + if err := Convert_oauth_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus(&in.Status, &out.Status, s); err != nil { + return err + } + return nil +} + +// Convert_oauth_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest is an autogenerated conversion function. +func Convert_oauth_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest(in *oauth.OIDCClientSecretRequest, out *OIDCClientSecretRequest, s conversion.Scope) error { + return autoConvert_oauth_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest(in, out, s) +} + +func autoConvert_v1alpha1_OIDCClientSecretRequestSpec_To_oauth_OIDCClientSecretRequestSpec(in *OIDCClientSecretRequestSpec, out *oauth.OIDCClientSecretRequestSpec, s conversion.Scope) error { + out.GenerateNewSecret = in.GenerateNewSecret + out.RevokeOldSecrets = in.RevokeOldSecrets + return nil +} + +// Convert_v1alpha1_OIDCClientSecretRequestSpec_To_oauth_OIDCClientSecretRequestSpec is an autogenerated conversion function. 
+func Convert_v1alpha1_OIDCClientSecretRequestSpec_To_oauth_OIDCClientSecretRequestSpec(in *OIDCClientSecretRequestSpec, out *oauth.OIDCClientSecretRequestSpec, s conversion.Scope) error { + return autoConvert_v1alpha1_OIDCClientSecretRequestSpec_To_oauth_OIDCClientSecretRequestSpec(in, out, s) +} + +func autoConvert_oauth_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec(in *oauth.OIDCClientSecretRequestSpec, out *OIDCClientSecretRequestSpec, s conversion.Scope) error { + out.GenerateNewSecret = in.GenerateNewSecret + out.RevokeOldSecrets = in.RevokeOldSecrets + return nil +} + +// Convert_oauth_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec is an autogenerated conversion function. +func Convert_oauth_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec(in *oauth.OIDCClientSecretRequestSpec, out *OIDCClientSecretRequestSpec, s conversion.Scope) error { + return autoConvert_oauth_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec(in, out, s) +} + +func autoConvert_v1alpha1_OIDCClientSecretRequestStatus_To_oauth_OIDCClientSecretRequestStatus(in *OIDCClientSecretRequestStatus, out *oauth.OIDCClientSecretRequestStatus, s conversion.Scope) error { + out.GeneratedSecret = in.GeneratedSecret + out.TotalClientSecrets = in.TotalClientSecrets + return nil +} + +// Convert_v1alpha1_OIDCClientSecretRequestStatus_To_oauth_OIDCClientSecretRequestStatus is an autogenerated conversion function. 
+func Convert_v1alpha1_OIDCClientSecretRequestStatus_To_oauth_OIDCClientSecretRequestStatus(in *OIDCClientSecretRequestStatus, out *oauth.OIDCClientSecretRequestStatus, s conversion.Scope) error { + return autoConvert_v1alpha1_OIDCClientSecretRequestStatus_To_oauth_OIDCClientSecretRequestStatus(in, out, s) +} + +func autoConvert_oauth_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus(in *oauth.OIDCClientSecretRequestStatus, out *OIDCClientSecretRequestStatus, s conversion.Scope) error { + out.GeneratedSecret = in.GeneratedSecret + out.TotalClientSecrets = in.TotalClientSecrets + return nil +} + +// Convert_oauth_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus is an autogenerated conversion function. +func Convert_oauth_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus(in *oauth.OIDCClientSecretRequestStatus, out *OIDCClientSecretRequestStatus, s conversion.Scope) error { + return autoConvert_oauth_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus(in, out, s) +} diff --git a/generated/1.20/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.deepcopy.go b/generated/1.20/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.deepcopy.go new file mode 100644 index 00000000..e4fce842 --- /dev/null +++ b/generated/1.20/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.deepcopy.go 
@@ -0,0 +1,73 @@ +//go:build !ignore_autogenerated +// +build !ignore_autogenerated + +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by deepcopy-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + runtime "k8s.io/apimachinery/pkg/runtime" +) + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCClientSecretRequest) DeepCopyInto(out *OIDCClientSecretRequest) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + out.Spec = in.Spec + out.Status = in.Status + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSecretRequest. +func (in *OIDCClientSecretRequest) DeepCopy() *OIDCClientSecretRequest { + if in == nil { + return nil + } + out := new(OIDCClientSecretRequest) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *OIDCClientSecretRequest) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCClientSecretRequestSpec) DeepCopyInto(out *OIDCClientSecretRequestSpec) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSecretRequestSpec. +func (in *OIDCClientSecretRequestSpec) DeepCopy() *OIDCClientSecretRequestSpec { + if in == nil { + return nil + } + out := new(OIDCClientSecretRequestSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *OIDCClientSecretRequestStatus) DeepCopyInto(out *OIDCClientSecretRequestStatus) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSecretRequestStatus. +func (in *OIDCClientSecretRequestStatus) DeepCopy() *OIDCClientSecretRequestStatus { + if in == nil { + return nil + } + out := new(OIDCClientSecretRequestStatus) + in.DeepCopyInto(out) + return out +} diff --git a/generated/1.20/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.defaults.go b/generated/1.20/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.defaults.go new file mode 100644 index 00000000..9097a935 --- /dev/null +++ b/generated/1.20/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.defaults.go @@ -0,0 +1,20 @@ +//go:build !ignore_autogenerated +// +build !ignore_autogenerated + +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by defaulter-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + runtime "k8s.io/apimachinery/pkg/runtime" +) + +// RegisterDefaults adds defaulters functions to the given scheme. +// Public to allow building arbitrary schemes. +// All generated defaulters are covering - they call all nested defaulters. +func RegisterDefaults(scheme *runtime.Scheme) error { + return nil +} diff --git a/generated/1.20/apis/supervisor/virtual/oauth/zz_generated.deepcopy.go b/generated/1.20/apis/supervisor/virtual/oauth/zz_generated.deepcopy.go new file mode 100644 index 00000000..24b58e7b --- /dev/null +++ b/generated/1.20/apis/supervisor/virtual/oauth/zz_generated.deepcopy.go 
@@ -0,0 +1,73 @@ +//go:build !ignore_autogenerated +// +build !ignore_autogenerated + +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by deepcopy-gen. DO NOT EDIT. + +package oauth + +import ( + runtime "k8s.io/apimachinery/pkg/runtime" +) + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCClientSecretRequest) DeepCopyInto(out *OIDCClientSecretRequest) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + out.Spec = in.Spec + out.Status = in.Status + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSecretRequest. +func (in *OIDCClientSecretRequest) DeepCopy() *OIDCClientSecretRequest { + if in == nil { + return nil + } + out := new(OIDCClientSecretRequest) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *OIDCClientSecretRequest) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCClientSecretRequestSpec) DeepCopyInto(out *OIDCClientSecretRequestSpec) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSecretRequestSpec. +func (in *OIDCClientSecretRequestSpec) DeepCopy() *OIDCClientSecretRequestSpec { + if in == nil { + return nil + } + out := new(OIDCClientSecretRequestSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *OIDCClientSecretRequestStatus) DeepCopyInto(out *OIDCClientSecretRequestStatus) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSecretRequestStatus. +func (in *OIDCClientSecretRequestStatus) DeepCopy() *OIDCClientSecretRequestStatus { + if in == nil { + return nil + } + out := new(OIDCClientSecretRequestStatus) + in.DeepCopyInto(out) + return out +} diff --git a/generated/1.20/client/supervisor/virtual/clientset/versioned/clientset.go b/generated/1.20/client/supervisor/virtual/clientset/versioned/clientset.go new file mode 100644 index 00000000..3bcc6c36 --- /dev/null +++ b/generated/1.20/client/supervisor/virtual/clientset/versioned/clientset.go 
@@ -0,0 +1,84 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package versioned + +import ( + "fmt" + + oauthv1alpha1 "go.pinniped.dev/generated/1.20/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1" + discovery "k8s.io/client-go/discovery" + rest "k8s.io/client-go/rest" + flowcontrol "k8s.io/client-go/util/flowcontrol" +) + +type Interface interface { + Discovery() discovery.DiscoveryInterface + OauthV1alpha1() oauthv1alpha1.OauthV1alpha1Interface +} + +// Clientset contains the clients for groups. Each group has exactly one +// version included in a Clientset. +type Clientset struct { + *discovery.DiscoveryClient + oauthV1alpha1 *oauthv1alpha1.OauthV1alpha1Client +} + +// OauthV1alpha1 retrieves the OauthV1alpha1Client +func (c *Clientset) OauthV1alpha1() oauthv1alpha1.OauthV1alpha1Interface { + return c.oauthV1alpha1 +} + +// Discovery retrieves the DiscoveryClient +func (c *Clientset) Discovery() discovery.DiscoveryInterface { + if c == nil { + return nil + } + return c.DiscoveryClient +} + +// NewForConfig creates a new Clientset for the given config. +// If config's RateLimiter is not set and QPS and Burst are acceptable, +// NewForConfig will generate a rate-limiter in configShallowCopy. 
+func NewForConfig(c *rest.Config) (*Clientset, error) { + configShallowCopy := *c + if configShallowCopy.RateLimiter == nil && configShallowCopy.QPS > 0 { + if configShallowCopy.Burst <= 0 { + return nil, fmt.Errorf("burst is required to be greater than 0 when RateLimiter is not set and QPS is set to greater than 0") + } + configShallowCopy.RateLimiter = flowcontrol.NewTokenBucketRateLimiter(configShallowCopy.QPS, configShallowCopy.Burst) + } + var cs Clientset + var err error + cs.oauthV1alpha1, err = oauthv1alpha1.NewForConfig(&configShallowCopy) + if err != nil { + return nil, err + } + + cs.DiscoveryClient, err = discovery.NewDiscoveryClientForConfig(&configShallowCopy) + if err != nil { + return nil, err + } + return &cs, nil +} + +// NewForConfigOrDie creates a new Clientset for the given config and +// panics if there is an error in the config. +func NewForConfigOrDie(c *rest.Config) *Clientset { + var cs Clientset + cs.oauthV1alpha1 = oauthv1alpha1.NewForConfigOrDie(c) + + cs.DiscoveryClient = discovery.NewDiscoveryClientForConfigOrDie(c) + return &cs +} + +// New creates a new Clientset for the given RESTClient. +func New(c rest.Interface) *Clientset { + var cs Clientset + cs.oauthV1alpha1 = oauthv1alpha1.New(c) + + cs.DiscoveryClient = discovery.NewDiscoveryClient(c) + return &cs +} diff --git a/generated/1.20/client/supervisor/virtual/clientset/versioned/doc.go b/generated/1.20/client/supervisor/virtual/clientset/versioned/doc.go new file mode 100644 index 00000000..5dc02e6e --- /dev/null +++ b/generated/1.20/client/supervisor/virtual/clientset/versioned/doc.go @@ -0,0 +1,7 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +// This package has the automatically generated clientset. +package versioned 
diff --git a/generated/1.20/client/supervisor/virtual/clientset/versioned/fake/clientset_generated.go b/generated/1.20/client/supervisor/virtual/clientset/versioned/fake/clientset_generated.go
new file mode 100644
index 00000000..4bf17f6c
--- /dev/null
+++ b/generated/1.20/client/supervisor/virtual/clientset/versioned/fake/clientset_generated.go
@@ -0,0 +1,69 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package fake + +import ( + clientset "go.pinniped.dev/generated/1.20/client/supervisor/virtual/clientset/versioned" + oauthv1alpha1 "go.pinniped.dev/generated/1.20/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1" + fakeoauthv1alpha1 "go.pinniped.dev/generated/1.20/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake" + "k8s.io/apimachinery/pkg/runtime" + "k8s.io/apimachinery/pkg/watch" + "k8s.io/client-go/discovery" + fakediscovery "k8s.io/client-go/discovery/fake" + "k8s.io/client-go/testing" +) + +// NewSimpleClientset returns a clientset that will respond with the provided objects. +// It's backed by a very simple object tracker that processes creates, updates and deletions as-is, +// without applying any validations and/or defaults. It shouldn't be considered a replacement +// for a real clientset and is mostly useful in simple unit tests. +func NewSimpleClientset(objects ...runtime.Object) *Clientset { + o := testing.NewObjectTracker(scheme, codecs.UniversalDecoder()) + for _, obj := range objects { + if err := o.Add(obj); err != nil { + panic(err) + } + } + + cs := &Clientset{tracker: o} + cs.discovery = &fakediscovery.FakeDiscovery{Fake: &cs.Fake} + cs.AddReactor("*", "*", testing.ObjectReaction(o)) + cs.AddWatchReactor("*", func(action testing.Action) (handled bool, ret watch.Interface, err error) { + gvr := action.GetResource() + ns := action.GetNamespace() + watch, err := o.Watch(gvr, ns) + if err != nil { + return false, nil, err + } + return true, watch, nil + }) + + return cs +} + +// Clientset implements clientset.Interface. Meant to be embedded into a +// struct to get a default implementation. This makes faking out just the method +// you want to test easier. 
+type Clientset struct { + testing.Fake + discovery *fakediscovery.FakeDiscovery + tracker testing.ObjectTracker +} + +func (c *Clientset) Discovery() discovery.DiscoveryInterface { + return c.discovery +} + +func (c *Clientset) Tracker() testing.ObjectTracker { + return c.tracker +} + +var _ clientset.Interface = &Clientset{} + +// OauthV1alpha1 retrieves the OauthV1alpha1Client +func (c *Clientset) OauthV1alpha1() oauthv1alpha1.OauthV1alpha1Interface { + return &fakeoauthv1alpha1.FakeOauthV1alpha1{Fake: &c.Fake} +} diff --git a/generated/1.20/client/supervisor/virtual/clientset/versioned/fake/doc.go b/generated/1.20/client/supervisor/virtual/clientset/versioned/fake/doc.go new file mode 100644 index 00000000..7c9538fd --- /dev/null +++ b/generated/1.20/client/supervisor/virtual/clientset/versioned/fake/doc.go @@ -0,0 +1,7 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +// This package has the automatically generated fake clientset. +package fake diff --git a/generated/1.20/client/supervisor/virtual/clientset/versioned/fake/register.go b/generated/1.20/client/supervisor/virtual/clientset/versioned/fake/register.go new file mode 100644 index 00000000..089583bd --- /dev/null +++ b/generated/1.20/client/supervisor/virtual/clientset/versioned/fake/register.go 
@@ -0,0 +1,43 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package fake + +import ( + oauthv1alpha1 "go.pinniped.dev/generated/1.20/apis/supervisor/virtual/oauth/v1alpha1" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + runtime "k8s.io/apimachinery/pkg/runtime" + schema "k8s.io/apimachinery/pkg/runtime/schema" + serializer "k8s.io/apimachinery/pkg/runtime/serializer" + utilruntime "k8s.io/apimachinery/pkg/util/runtime" +) + +var scheme = runtime.NewScheme() +var codecs = serializer.NewCodecFactory(scheme) + +var localSchemeBuilder = runtime.SchemeBuilder{ + oauthv1alpha1.AddToScheme, +} + +// AddToScheme adds all types of this clientset into the given scheme. This allows composition +// of clientsets, like in: +// +// import ( +// "k8s.io/client-go/kubernetes" +// clientsetscheme "k8s.io/client-go/kubernetes/scheme" +// aggregatorclientsetscheme "k8s.io/kube-aggregator/pkg/client/clientset_generated/clientset/scheme" +// ) +// +// kclientset, _ := kubernetes.NewForConfig(c) +// _ = aggregatorclientsetscheme.AddToScheme(clientsetscheme.Scheme) +// +// After this, RawExtensions in Kubernetes types will serialize kube-aggregator types +// correctly. +var AddToScheme = localSchemeBuilder.AddToScheme + +func init() { + v1.AddToGroupVersion(scheme, schema.GroupVersion{Version: "v1"}) + utilruntime.Must(AddToScheme(scheme)) +} diff --git a/generated/1.20/client/supervisor/virtual/clientset/versioned/scheme/doc.go b/generated/1.20/client/supervisor/virtual/clientset/versioned/scheme/doc.go new file mode 100644 index 00000000..cc02f1d3 --- /dev/null +++ b/generated/1.20/client/supervisor/virtual/clientset/versioned/scheme/doc.go 
@@ -0,0 +1,7 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +// This package contains the scheme of the automatically generated clientset. +package scheme diff --git a/generated/1.20/client/supervisor/virtual/clientset/versioned/scheme/register.go b/generated/1.20/client/supervisor/virtual/clientset/versioned/scheme/register.go new file mode 100644 index 00000000..913e9c9a --- /dev/null +++ b/generated/1.20/client/supervisor/virtual/clientset/versioned/scheme/register.go 
@@ -0,0 +1,43 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package scheme + +import ( + oauthv1alpha1 "go.pinniped.dev/generated/1.20/apis/supervisor/virtual/oauth/v1alpha1" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + runtime "k8s.io/apimachinery/pkg/runtime" + schema "k8s.io/apimachinery/pkg/runtime/schema" + serializer "k8s.io/apimachinery/pkg/runtime/serializer" + utilruntime "k8s.io/apimachinery/pkg/util/runtime" +) + +var Scheme = runtime.NewScheme() +var Codecs = serializer.NewCodecFactory(Scheme) +var ParameterCodec = runtime.NewParameterCodec(Scheme) +var localSchemeBuilder = runtime.SchemeBuilder{ + oauthv1alpha1.AddToScheme, +} + +// AddToScheme adds all types of this clientset into the given scheme. This allows composition +// of clientsets, like in: +// +// import ( +// "k8s.io/client-go/kubernetes" +// clientsetscheme "k8s.io/client-go/kubernetes/scheme" +// aggregatorclientsetscheme "k8s.io/kube-aggregator/pkg/client/clientset_generated/clientset/scheme" +// ) +// +// kclientset, _ := kubernetes.NewForConfig(c) +// _ = aggregatorclientsetscheme.AddToScheme(clientsetscheme.Scheme) +// +// After this, RawExtensions in Kubernetes types will serialize kube-aggregator types +// correctly. +var AddToScheme = localSchemeBuilder.AddToScheme + +func init() { + v1.AddToGroupVersion(Scheme, schema.GroupVersion{Version: "v1"}) + utilruntime.Must(AddToScheme(Scheme)) +} diff --git a/generated/1.20/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/doc.go b/generated/1.20/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/doc.go new file mode 100644 index 00000000..e7a470b6 --- /dev/null +++ b/generated/1.20/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/doc.go 
@@ -0,0 +1,7 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +// This package has the automatically generated typed clients. +package v1alpha1 diff --git a/generated/1.20/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go b/generated/1.20/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go new file mode 100644 index 00000000..7906901b --- /dev/null +++ b/generated/1.20/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go @@ -0,0 +1,7 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +// Package fake has the automatically generated clients. +package fake diff --git a/generated/1.20/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go b/generated/1.20/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go new file mode 100644 index 00000000..d6e9ee9a --- /dev/null +++ b/generated/1.20/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go 
@@ -0,0 +1,27 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package fake + +import ( + v1alpha1 "go.pinniped.dev/generated/1.20/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1" + rest "k8s.io/client-go/rest" + testing "k8s.io/client-go/testing" +) + +type FakeOauthV1alpha1 struct { + *testing.Fake +} + +func (c *FakeOauthV1alpha1) OIDCClientSecretRequests(namespace string) v1alpha1.OIDCClientSecretRequestInterface { + return &FakeOIDCClientSecretRequests{c, namespace} +} + +// RESTClient returns a RESTClient that is used to communicate +// with API server by this client implementation. +func (c *FakeOauthV1alpha1) RESTClient() rest.Interface { + var ret *rest.RESTClient + return ret +} diff --git a/generated/1.20/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oidcclientsecretrequest.go b/generated/1.20/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oidcclientsecretrequest.go new file mode 100644 index 00000000..6c7a7829 --- /dev/null +++ b/generated/1.20/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oidcclientsecretrequest.go 
@@ -0,0 +1,36 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package fake + +import ( + "context" + + v1alpha1 "go.pinniped.dev/generated/1.20/apis/supervisor/virtual/oauth/v1alpha1" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + schema "k8s.io/apimachinery/pkg/runtime/schema" + testing "k8s.io/client-go/testing" +) + +// FakeOIDCClientSecretRequests implements OIDCClientSecretRequestInterface +type FakeOIDCClientSecretRequests struct { + Fake *FakeOauthV1alpha1 + ns string +} + +var oidcclientsecretrequestsResource = schema.GroupVersionResource{Group: "oauth.virtual.supervisor.pinniped.dev", Version: "v1alpha1", Resource: "oidcclientsecretrequests"} + +var oidcclientsecretrequestsKind = schema.GroupVersionKind{Group: "oauth.virtual.supervisor.pinniped.dev", Version: "v1alpha1", Kind: "OIDCClientSecretRequest"} + +// Create takes the representation of a oIDCClientSecretRequest and creates it. Returns the server's representation of the oIDCClientSecretRequest, and an error, if there is any. +func (c *FakeOIDCClientSecretRequests) Create(ctx context.Context, oIDCClientSecretRequest *v1alpha1.OIDCClientSecretRequest, opts v1.CreateOptions) (result *v1alpha1.OIDCClientSecretRequest, err error) { + obj, err := c.Fake. + Invokes(testing.NewCreateAction(oidcclientsecretrequestsResource, c.ns, oIDCClientSecretRequest), &v1alpha1.OIDCClientSecretRequest{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.OIDCClientSecretRequest), err +} diff --git a/generated/1.20/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go b/generated/1.20/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go new file mode 100644 index 00000000..427a2ad8 --- /dev/null +++ b/generated/1.20/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go 
@@ -0,0 +1,8 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package v1alpha1 + +type OIDCClientSecretRequestExpansion interface{} diff --git a/generated/1.20/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go b/generated/1.20/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go new file mode 100644 index 00000000..8141d975 --- /dev/null +++ b/generated/1.20/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go 
@@ -0,0 +1,76 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + v1alpha1 "go.pinniped.dev/generated/1.20/apis/supervisor/virtual/oauth/v1alpha1" + "go.pinniped.dev/generated/1.20/client/supervisor/virtual/clientset/versioned/scheme" + rest "k8s.io/client-go/rest" +) + +type OauthV1alpha1Interface interface { + RESTClient() rest.Interface + OIDCClientSecretRequestsGetter +} + +// OauthV1alpha1Client is used to interact with features provided by the oauth.virtual.supervisor.pinniped.dev group. +type OauthV1alpha1Client struct { + restClient rest.Interface +} + +func (c *OauthV1alpha1Client) OIDCClientSecretRequests(namespace string) OIDCClientSecretRequestInterface { + return newOIDCClientSecretRequests(c, namespace) +} + +// NewForConfig creates a new OauthV1alpha1Client for the given config. +func NewForConfig(c *rest.Config) (*OauthV1alpha1Client, error) { + config := *c + if err := setConfigDefaults(&config); err != nil { + return nil, err + } + client, err := rest.RESTClientFor(&config) + if err != nil { + return nil, err + } + return &OauthV1alpha1Client{client}, nil +} + +// NewForConfigOrDie creates a new OauthV1alpha1Client for the given config and +// panics if there is an error in the config. +func NewForConfigOrDie(c *rest.Config) *OauthV1alpha1Client { + client, err := NewForConfig(c) + if err != nil { + panic(err) + } + return client +} + +// New creates a new OauthV1alpha1Client for the given RESTClient. 
+func New(c rest.Interface) *OauthV1alpha1Client { + return &OauthV1alpha1Client{c} +} + +func setConfigDefaults(config *rest.Config) error { + gv := v1alpha1.SchemeGroupVersion + config.GroupVersion = &gv + config.APIPath = "/apis" + config.NegotiatedSerializer = scheme.Codecs.WithoutConversion() + + if config.UserAgent == "" { + config.UserAgent = rest.DefaultKubernetesUserAgent() + } + + return nil +} + +// RESTClient returns a RESTClient that is used to communicate +// with API server by this client implementation. +func (c *OauthV1alpha1Client) RESTClient() rest.Interface { + if c == nil { + return nil + } + return c.restClient +} diff --git a/generated/1.20/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/oidcclientsecretrequest.go b/generated/1.20/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/oidcclientsecretrequest.go new file mode 100644 index 00000000..c9e5804d --- /dev/null +++ b/generated/1.20/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/oidcclientsecretrequest.go 
@@ -0,0 +1,54 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + "context" + + v1alpha1 "go.pinniped.dev/generated/1.20/apis/supervisor/virtual/oauth/v1alpha1" + scheme "go.pinniped.dev/generated/1.20/client/supervisor/virtual/clientset/versioned/scheme" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + rest "k8s.io/client-go/rest" +) + +// OIDCClientSecretRequestsGetter has a method to return a OIDCClientSecretRequestInterface. +// A group's client should implement this interface. +type OIDCClientSecretRequestsGetter interface { + OIDCClientSecretRequests(namespace string) OIDCClientSecretRequestInterface +} + +// OIDCClientSecretRequestInterface has methods to work with OIDCClientSecretRequest resources. +type OIDCClientSecretRequestInterface interface { + Create(ctx context.Context, oIDCClientSecretRequest *v1alpha1.OIDCClientSecretRequest, opts v1.CreateOptions) (*v1alpha1.OIDCClientSecretRequest, error) + OIDCClientSecretRequestExpansion +} + +// oIDCClientSecretRequests implements OIDCClientSecretRequestInterface +type oIDCClientSecretRequests struct { + client rest.Interface + ns string +} + +// newOIDCClientSecretRequests returns a OIDCClientSecretRequests +func newOIDCClientSecretRequests(c *OauthV1alpha1Client, namespace string) *oIDCClientSecretRequests { + return &oIDCClientSecretRequests{ + client: c.RESTClient(), + ns: namespace, + } +} + +// Create takes the representation of a oIDCClientSecretRequest and creates it. Returns the server's representation of the oIDCClientSecretRequest, and an error, if there is any. +func (c *oIDCClientSecretRequests) Create(ctx context.Context, oIDCClientSecretRequest *v1alpha1.OIDCClientSecretRequest, opts v1.CreateOptions) (result *v1alpha1.OIDCClientSecretRequest, err error) { + result = &v1alpha1.OIDCClientSecretRequest{} + err = c.client.Post(). + Namespace(c.ns). 
+ Resource("oidcclientsecretrequests"). + VersionedParams(&opts, scheme.ParameterCodec). + Body(oIDCClientSecretRequest). + Do(ctx). + Into(result) + return +} diff --git a/generated/1.21/README.adoc b/generated/1.21/README.adoc index 2a9ca757..e83a59ea 100644 --- a/generated/1.21/README.adoc +++ b/generated/1.21/README.adoc @@ -13,6 +13,8 @@ - xref:{anchor_prefix}-idp-supervisor-pinniped-dev-v1alpha1[$$idp.supervisor.pinniped.dev/v1alpha1$$] - xref:{anchor_prefix}-login-concierge-pinniped-dev-v1alpha1[$$login.concierge.pinniped.dev/v1alpha1$$] - xref:{anchor_prefix}-oauth-supervisor-pinniped-dev-v1alpha1[$$oauth.supervisor.pinniped.dev/v1alpha1$$] +- xref:{anchor_prefix}-oauth-virtual-supervisor-pinniped-dev-oauth[$$oauth.virtual.supervisor.pinniped.dev/oauth$$] +- xref:{anchor_prefix}-oauth-virtual-supervisor-pinniped-dev-v1alpha1[$$oauth.virtual.supervisor.pinniped.dev/v1alpha1$$] [id="{anchor_prefix}-authentication-concierge-pinniped-dev-v1alpha1"] 
@@ -1386,3 +1388,95 @@ OIDCClientSpec is a struct that describes an OIDC Client. + +[id="{anchor_prefix}-oauth-virtual-supervisor-pinniped-dev-oauth"] +=== oauth.virtual.supervisor.pinniped.dev/oauth + +Package oauth is the internal version of the Pinniped virtual oauth API. + + + + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-virtual-oauth-oidcclientsecretrequestspec"] +==== OIDCClientSecretRequestSpec + + + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-virtual-oauth-oidcclientsecretrequest[$$OIDCClientSecretRequest$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`generateNewSecret`* __boolean__ | +| *`revokeOldSecrets`* __boolean__ | +|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-virtual-oauth-oidcclientsecretrequeststatus"] +==== OIDCClientSecretRequestStatus + + + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-virtual-oauth-oidcclientsecretrequest[$$OIDCClientSecretRequest$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`generatedSecret`* __string__ | +| *`totalClientSecrets`* __integer__ | +|=== + + + +[id="{anchor_prefix}-oauth-virtual-supervisor-pinniped-dev-v1alpha1"] +=== oauth.virtual.supervisor.pinniped.dev/v1alpha1 + +Package v1alpha1 is the v1alpha1 version of the Pinniped virtual oauth API. 
+ + + + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-virtual-oauth-v1alpha1-oidcclientsecretrequestspec"] +==== OIDCClientSecretRequestSpec + + + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-virtual-oauth-v1alpha1-oidcclientsecretrequest[$$OIDCClientSecretRequest$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`generateNewSecret`* __boolean__ | +| *`revokeOldSecrets`* __boolean__ | +|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-virtual-oauth-v1alpha1-oidcclientsecretrequeststatus"] +==== OIDCClientSecretRequestStatus + + + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-virtual-oauth-v1alpha1-oidcclientsecretrequest[$$OIDCClientSecretRequest$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`generatedSecret`* __string__ | +| *`totalClientSecrets`* __integer__ | +|=== + + diff --git a/generated/1.21/apis/supervisor/virtual/oauth/doc.go b/generated/1.21/apis/supervisor/virtual/oauth/doc.go new file mode 100644 index 00000000..ca4e9a63 --- /dev/null +++ b/generated/1.21/apis/supervisor/virtual/oauth/doc.go @@ -0,0 +1,8 @@ +// Copyright 2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// +k8s:deepcopy-gen=package +// +groupName=oauth.virtual.supervisor.pinniped.dev + +// Package oauth is the internal version of the Pinniped virtual oauth API. +package oauth diff --git a/generated/1.21/apis/supervisor/virtual/oauth/register.go b/generated/1.21/apis/supervisor/virtual/oauth/register.go new file mode 100644 index 00000000..a238d85f --- /dev/null +++ b/generated/1.21/apis/supervisor/virtual/oauth/register.go 
@@ -0,0 +1,37 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package oauth
+
+import (
+ "k8s.io/apimachinery/pkg/runtime"
+ "k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+const GroupName = "oauth.virtual.supervisor.pinniped.dev"
+
+// SchemeGroupVersion is group version used to register these objects.
+var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: runtime.APIVersionInternal}
+
+// Kind takes an unqualified kind and returns back a Group qualified GroupKind.
+func Kind(kind string) schema.GroupKind {
+ return SchemeGroupVersion.WithKind(kind).GroupKind()
+}
+
+// Resource takes an unqualified resource and returns back a Group qualified GroupResource.
+func Resource(resource string) schema.GroupResource {
+ return SchemeGroupVersion.WithResource(resource).GroupResource()
+}
+
+var (
+ SchemeBuilder = runtime.NewSchemeBuilder(addKnownTypes)
+ AddToScheme = SchemeBuilder.AddToScheme
+)
+
+// Adds the list of known types to the given scheme.
+func addKnownTypes(scheme *runtime.Scheme) error {
+ scheme.AddKnownTypes(SchemeGroupVersion,
+ &OIDCClientSecretRequest{},
+ )
+ return nil
+}
diff --git a/generated/1.21/apis/supervisor/virtual/oauth/types_oidcclientsecretrequest.go b/generated/1.21/apis/supervisor/virtual/oauth/types_oidcclientsecretrequest.go
new file mode 100644
index 00000000..ac54a93c
--- /dev/null
+++ b/generated/1.21/apis/supervisor/virtual/oauth/types_oidcclientsecretrequest.go
@@ -0,0 +1,25 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package oauth
+
+import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+type OIDCClientSecretRequestSpec struct {
+ GenerateNewSecret bool `json:"generateNewSecret"`
+ RevokeOldSecrets bool `json:"revokeOldSecrets"`
+}
+
+type OIDCClientSecretRequestStatus struct {
+ GeneratedSecret string `json:"generatedSecret,omitempty"`
+ TotalClientSecrets int `json:"totalClientSecrets"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+type OIDCClientSecretRequest struct {
+ metav1.TypeMeta `json:",inline"`
+ metav1.ObjectMeta `json:"metadata,omitempty"` // metadata.name must be set to the client ID
+
+ Spec OIDCClientSecretRequestSpec `json:"spec"`
+ Status OIDCClientSecretRequestStatus `json:"status"`
+}
diff --git a/generated/1.21/apis/supervisor/virtual/oauth/v1alpha1/conversion.go b/generated/1.21/apis/supervisor/virtual/oauth/v1alpha1/conversion.go
new file mode 100644
index 00000000..fcf4e82f
--- /dev/null
+++ b/generated/1.21/apis/supervisor/virtual/oauth/v1alpha1/conversion.go
@@ -0,0 +1,4 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
diff --git a/generated/1.21/apis/supervisor/virtual/oauth/v1alpha1/defaults.go b/generated/1.21/apis/supervisor/virtual/oauth/v1alpha1/defaults.go
new file mode 100644
index 00000000..d4f5a9e8
--- /dev/null
+++ b/generated/1.21/apis/supervisor/virtual/oauth/v1alpha1/defaults.go
@@ -0,0 +1,12 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import (
+ "k8s.io/apimachinery/pkg/runtime"
+)
+
+func addDefaultingFuncs(scheme *runtime.Scheme) error {
+ return RegisterDefaults(scheme)
+}
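Review bot: None of the fields on OIDCClientSecretRequestSpec, OIDCClientSecretRequestStatus or the OIDCClientSecretRequest type carry a doc comment, so the generated README further down in this patch renders an empty Description cell for `generateNewSecret`, `revokeOldSecrets`, `generatedSecret` and `totalClientSecrets`; the v1alpha1 copy in types_oidcclientsecretrequest.go under v1alpha1 (the hunk with the `+genclient` markers) has the same gap and is the version API users read. `GeneratedSecret` deserves the most care because it carries the plaintext client secret: its comment should say when it is populated (presumably only in the response to the create call, given `omitempty` and `+genclient:onlyVerbs=create`, but that is an inference) and whether the value is ever persisted anywhere, since that decides how callers must handle it. A one-line comment per field is enough for the doc generator, for example `// GenerateNewSecret, when true, asks the Supervisor to generate a new client secret for the client named by metadata.name.` and `// TotalClientSecrets is the number of client secrets that exist for this client after the request was processed.` (wording to be confirmed against the server implementation).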
diff --git a/generated/1.21/apis/supervisor/virtual/oauth/v1alpha1/doc.go b/generated/1.21/apis/supervisor/virtual/oauth/v1alpha1/doc.go
new file mode 100644
index 00000000..b3cb2440
--- /dev/null
+++ b/generated/1.21/apis/supervisor/virtual/oauth/v1alpha1/doc.go
@@ -0,0 +1,11 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// +k8s:openapi-gen=true
+// +k8s:deepcopy-gen=package
+// +k8s:conversion-gen=go.pinniped.dev/generated/1.21/apis/supervisor/virtual/oauth
+// +k8s:defaulter-gen=TypeMeta
+// +groupName=oauth.virtual.supervisor.pinniped.dev
+
+// Package v1alpha1 is the v1alpha1 version of the Pinniped virtual oauth API.
+package v1alpha1
diff --git a/generated/1.21/apis/supervisor/virtual/oauth/v1alpha1/register.go b/generated/1.21/apis/supervisor/virtual/oauth/v1alpha1/register.go
new file mode 100644
index 00000000..ecc75a08
--- /dev/null
+++ b/generated/1.21/apis/supervisor/virtual/oauth/v1alpha1/register.go
@@ -0,0 +1,42 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import (
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/apimachinery/pkg/runtime"
+ "k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+const GroupName = "oauth.virtual.supervisor.pinniped.dev"
+
+// SchemeGroupVersion is group version used to register these objects.
+var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha1"}
+
+var (
+ SchemeBuilder runtime.SchemeBuilder
+ localSchemeBuilder = &SchemeBuilder
+ AddToScheme = SchemeBuilder.AddToScheme
+)
+
+func init() {
+ // We only register manually written functions here. The registration of the
+ // generated functions takes place in the generated files. The separation
+ // makes the code compile even when the generated files are missing.
+ localSchemeBuilder.Register(addKnownTypes, addDefaultingFuncs)
+}
+
+// Adds the list of known types to the given scheme.
+func addKnownTypes(scheme *runtime.Scheme) error {
+ scheme.AddKnownTypes(SchemeGroupVersion,
+ &OIDCClientSecretRequest{},
+ )
+ metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
+ return nil
+}
+
+// Resource takes an unqualified resource and returns back a Group qualified GroupResource.
+func Resource(resource string) schema.GroupResource {
+ return SchemeGroupVersion.WithResource(resource).GroupResource()
+}
diff --git a/generated/1.21/apis/supervisor/virtual/oauth/v1alpha1/types_oidcclientsecretrequest.go b/generated/1.21/apis/supervisor/virtual/oauth/v1alpha1/types_oidcclientsecretrequest.go
new file mode 100644
index 00000000..dda2f3bb
--- /dev/null
+++ b/generated/1.21/apis/supervisor/virtual/oauth/v1alpha1/types_oidcclientsecretrequest.go
@@ -0,0 +1,28 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+type OIDCClientSecretRequestSpec struct {
+ GenerateNewSecret bool `json:"generateNewSecret"`
+ RevokeOldSecrets bool `json:"revokeOldSecrets"`
+}
+
+type OIDCClientSecretRequestStatus struct {
+ GeneratedSecret string `json:"generatedSecret,omitempty"`
+ TotalClientSecrets int `json:"totalClientSecrets"`
+}
+
+// +genclient
+// +genclient:onlyVerbs=create
+// +kubebuilder:subresource:status
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+type OIDCClientSecretRequest struct {
+ metav1.TypeMeta `json:",inline"`
+ metav1.ObjectMeta `json:"metadata,omitempty"` // metadata.name must be set to the client ID
+
+ Spec OIDCClientSecretRequestSpec `json:"spec"`
+ Status OIDCClientSecretRequestStatus `json:"status"`
+}
diff --git a/generated/1.21/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.conversion.go b/generated/1.21/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.conversion.go
new file mode 100644
index 00000000..384717d0
--- /dev/null
+++ b/generated/1.21/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.conversion.go
@@ -0,0 +1,131 @@ +//go:build !ignore_autogenerated +// +build !ignore_autogenerated + +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by conversion-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + oauth "go.pinniped.dev/generated/1.21/apis/supervisor/virtual/oauth" + conversion "k8s.io/apimachinery/pkg/conversion" + runtime "k8s.io/apimachinery/pkg/runtime" +) + +func init() { + localSchemeBuilder.Register(RegisterConversions) +} + +// RegisterConversions adds conversion functions to the given scheme. +// Public to allow building arbitrary schemes. +func RegisterConversions(s *runtime.Scheme) error { + if err := s.AddGeneratedConversionFunc((*OIDCClientSecretRequest)(nil), (*oauth.OIDCClientSecretRequest)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_v1alpha1_OIDCClientSecretRequest_To_oauth_OIDCClientSecretRequest(a.(*OIDCClientSecretRequest), b.(*oauth.OIDCClientSecretRequest), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*oauth.OIDCClientSecretRequest)(nil), (*OIDCClientSecretRequest)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_oauth_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest(a.(*oauth.OIDCClientSecretRequest), b.(*OIDCClientSecretRequest), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*OIDCClientSecretRequestSpec)(nil), (*oauth.OIDCClientSecretRequestSpec)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_v1alpha1_OIDCClientSecretRequestSpec_To_oauth_OIDCClientSecretRequestSpec(a.(*OIDCClientSecretRequestSpec), b.(*oauth.OIDCClientSecretRequestSpec), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*oauth.OIDCClientSecretRequestSpec)(nil), (*OIDCClientSecretRequestSpec)(nil), func(a, b interface{}, scope conversion.Scope) error { + return 
Convert_oauth_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec(a.(*oauth.OIDCClientSecretRequestSpec), b.(*OIDCClientSecretRequestSpec), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*OIDCClientSecretRequestStatus)(nil), (*oauth.OIDCClientSecretRequestStatus)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_v1alpha1_OIDCClientSecretRequestStatus_To_oauth_OIDCClientSecretRequestStatus(a.(*OIDCClientSecretRequestStatus), b.(*oauth.OIDCClientSecretRequestStatus), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*oauth.OIDCClientSecretRequestStatus)(nil), (*OIDCClientSecretRequestStatus)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_oauth_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus(a.(*oauth.OIDCClientSecretRequestStatus), b.(*OIDCClientSecretRequestStatus), scope) + }); err != nil { + return err + } + return nil +} + +func autoConvert_v1alpha1_OIDCClientSecretRequest_To_oauth_OIDCClientSecretRequest(in *OIDCClientSecretRequest, out *oauth.OIDCClientSecretRequest, s conversion.Scope) error { + out.ObjectMeta = in.ObjectMeta + if err := Convert_v1alpha1_OIDCClientSecretRequestSpec_To_oauth_OIDCClientSecretRequestSpec(&in.Spec, &out.Spec, s); err != nil { + return err + } + if err := Convert_v1alpha1_OIDCClientSecretRequestStatus_To_oauth_OIDCClientSecretRequestStatus(&in.Status, &out.Status, s); err != nil { + return err + } + return nil +} + +// Convert_v1alpha1_OIDCClientSecretRequest_To_oauth_OIDCClientSecretRequest is an autogenerated conversion function. 
+func Convert_v1alpha1_OIDCClientSecretRequest_To_oauth_OIDCClientSecretRequest(in *OIDCClientSecretRequest, out *oauth.OIDCClientSecretRequest, s conversion.Scope) error { + return autoConvert_v1alpha1_OIDCClientSecretRequest_To_oauth_OIDCClientSecretRequest(in, out, s) +} + +func autoConvert_oauth_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest(in *oauth.OIDCClientSecretRequest, out *OIDCClientSecretRequest, s conversion.Scope) error { + out.ObjectMeta = in.ObjectMeta + if err := Convert_oauth_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec(&in.Spec, &out.Spec, s); err != nil { + return err + } + if err := Convert_oauth_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus(&in.Status, &out.Status, s); err != nil { + return err + } + return nil +} + +// Convert_oauth_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest is an autogenerated conversion function. +func Convert_oauth_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest(in *oauth.OIDCClientSecretRequest, out *OIDCClientSecretRequest, s conversion.Scope) error { + return autoConvert_oauth_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest(in, out, s) +} + +func autoConvert_v1alpha1_OIDCClientSecretRequestSpec_To_oauth_OIDCClientSecretRequestSpec(in *OIDCClientSecretRequestSpec, out *oauth.OIDCClientSecretRequestSpec, s conversion.Scope) error { + out.GenerateNewSecret = in.GenerateNewSecret + out.RevokeOldSecrets = in.RevokeOldSecrets + return nil +} + +// Convert_v1alpha1_OIDCClientSecretRequestSpec_To_oauth_OIDCClientSecretRequestSpec is an autogenerated conversion function. 
+func Convert_v1alpha1_OIDCClientSecretRequestSpec_To_oauth_OIDCClientSecretRequestSpec(in *OIDCClientSecretRequestSpec, out *oauth.OIDCClientSecretRequestSpec, s conversion.Scope) error { + return autoConvert_v1alpha1_OIDCClientSecretRequestSpec_To_oauth_OIDCClientSecretRequestSpec(in, out, s) +} + +func autoConvert_oauth_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec(in *oauth.OIDCClientSecretRequestSpec, out *OIDCClientSecretRequestSpec, s conversion.Scope) error { + out.GenerateNewSecret = in.GenerateNewSecret + out.RevokeOldSecrets = in.RevokeOldSecrets + return nil +} + +// Convert_oauth_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec is an autogenerated conversion function. +func Convert_oauth_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec(in *oauth.OIDCClientSecretRequestSpec, out *OIDCClientSecretRequestSpec, s conversion.Scope) error { + return autoConvert_oauth_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec(in, out, s) +} + +func autoConvert_v1alpha1_OIDCClientSecretRequestStatus_To_oauth_OIDCClientSecretRequestStatus(in *OIDCClientSecretRequestStatus, out *oauth.OIDCClientSecretRequestStatus, s conversion.Scope) error { + out.GeneratedSecret = in.GeneratedSecret + out.TotalClientSecrets = in.TotalClientSecrets + return nil +} + +// Convert_v1alpha1_OIDCClientSecretRequestStatus_To_oauth_OIDCClientSecretRequestStatus is an autogenerated conversion function. 
+func Convert_v1alpha1_OIDCClientSecretRequestStatus_To_oauth_OIDCClientSecretRequestStatus(in *OIDCClientSecretRequestStatus, out *oauth.OIDCClientSecretRequestStatus, s conversion.Scope) error { + return autoConvert_v1alpha1_OIDCClientSecretRequestStatus_To_oauth_OIDCClientSecretRequestStatus(in, out, s) +} + +func autoConvert_oauth_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus(in *oauth.OIDCClientSecretRequestStatus, out *OIDCClientSecretRequestStatus, s conversion.Scope) error { + out.GeneratedSecret = in.GeneratedSecret + out.TotalClientSecrets = in.TotalClientSecrets + return nil +} + +// Convert_oauth_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus is an autogenerated conversion function. +func Convert_oauth_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus(in *oauth.OIDCClientSecretRequestStatus, out *OIDCClientSecretRequestStatus, s conversion.Scope) error { + return autoConvert_oauth_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus(in, out, s) +} diff --git a/generated/1.21/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.deepcopy.go b/generated/1.21/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.deepcopy.go new file mode 100644 index 00000000..e4fce842 --- /dev/null +++ b/generated/1.21/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.deepcopy.go 
@@ -0,0 +1,73 @@ +//go:build !ignore_autogenerated +// +build !ignore_autogenerated + +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by deepcopy-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + runtime "k8s.io/apimachinery/pkg/runtime" +) + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCClientSecretRequest) DeepCopyInto(out *OIDCClientSecretRequest) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + out.Spec = in.Spec + out.Status = in.Status + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSecretRequest. +func (in *OIDCClientSecretRequest) DeepCopy() *OIDCClientSecretRequest { + if in == nil { + return nil + } + out := new(OIDCClientSecretRequest) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *OIDCClientSecretRequest) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCClientSecretRequestSpec) DeepCopyInto(out *OIDCClientSecretRequestSpec) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSecretRequestSpec. +func (in *OIDCClientSecretRequestSpec) DeepCopy() *OIDCClientSecretRequestSpec { + if in == nil { + return nil + } + out := new(OIDCClientSecretRequestSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *OIDCClientSecretRequestStatus) DeepCopyInto(out *OIDCClientSecretRequestStatus) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSecretRequestStatus. +func (in *OIDCClientSecretRequestStatus) DeepCopy() *OIDCClientSecretRequestStatus { + if in == nil { + return nil + } + out := new(OIDCClientSecretRequestStatus) + in.DeepCopyInto(out) + return out +} diff --git a/generated/1.21/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.defaults.go b/generated/1.21/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.defaults.go new file mode 100644 index 00000000..9097a935 --- /dev/null +++ b/generated/1.21/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.defaults.go @@ -0,0 +1,20 @@ +//go:build !ignore_autogenerated +// +build !ignore_autogenerated + +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by defaulter-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + runtime "k8s.io/apimachinery/pkg/runtime" +) + +// RegisterDefaults adds defaulters functions to the given scheme. +// Public to allow building arbitrary schemes. +// All generated defaulters are covering - they call all nested defaulters. +func RegisterDefaults(scheme *runtime.Scheme) error { + return nil +} diff --git a/generated/1.21/apis/supervisor/virtual/oauth/zz_generated.deepcopy.go b/generated/1.21/apis/supervisor/virtual/oauth/zz_generated.deepcopy.go new file mode 100644 index 00000000..24b58e7b --- /dev/null +++ b/generated/1.21/apis/supervisor/virtual/oauth/zz_generated.deepcopy.go 
@@ -0,0 +1,73 @@ +//go:build !ignore_autogenerated +// +build !ignore_autogenerated + +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by deepcopy-gen. DO NOT EDIT. + +package oauth + +import ( + runtime "k8s.io/apimachinery/pkg/runtime" +) + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCClientSecretRequest) DeepCopyInto(out *OIDCClientSecretRequest) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + out.Spec = in.Spec + out.Status = in.Status + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSecretRequest. +func (in *OIDCClientSecretRequest) DeepCopy() *OIDCClientSecretRequest { + if in == nil { + return nil + } + out := new(OIDCClientSecretRequest) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *OIDCClientSecretRequest) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCClientSecretRequestSpec) DeepCopyInto(out *OIDCClientSecretRequestSpec) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSecretRequestSpec. +func (in *OIDCClientSecretRequestSpec) DeepCopy() *OIDCClientSecretRequestSpec { + if in == nil { + return nil + } + out := new(OIDCClientSecretRequestSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *OIDCClientSecretRequestStatus) DeepCopyInto(out *OIDCClientSecretRequestStatus) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSecretRequestStatus. +func (in *OIDCClientSecretRequestStatus) DeepCopy() *OIDCClientSecretRequestStatus { + if in == nil { + return nil + } + out := new(OIDCClientSecretRequestStatus) + in.DeepCopyInto(out) + return out +} diff --git a/generated/1.21/client/supervisor/virtual/clientset/versioned/clientset.go b/generated/1.21/client/supervisor/virtual/clientset/versioned/clientset.go new file mode 100644 index 00000000..93a539cc --- /dev/null +++ b/generated/1.21/client/supervisor/virtual/clientset/versioned/clientset.go 
@@ -0,0 +1,84 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package versioned + +import ( + "fmt" + + oauthv1alpha1 "go.pinniped.dev/generated/1.21/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1" + discovery "k8s.io/client-go/discovery" + rest "k8s.io/client-go/rest" + flowcontrol "k8s.io/client-go/util/flowcontrol" +) + +type Interface interface { + Discovery() discovery.DiscoveryInterface + OauthV1alpha1() oauthv1alpha1.OauthV1alpha1Interface +} + +// Clientset contains the clients for groups. Each group has exactly one +// version included in a Clientset. +type Clientset struct { + *discovery.DiscoveryClient + oauthV1alpha1 *oauthv1alpha1.OauthV1alpha1Client +} + +// OauthV1alpha1 retrieves the OauthV1alpha1Client +func (c *Clientset) OauthV1alpha1() oauthv1alpha1.OauthV1alpha1Interface { + return c.oauthV1alpha1 +} + +// Discovery retrieves the DiscoveryClient +func (c *Clientset) Discovery() discovery.DiscoveryInterface { + if c == nil { + return nil + } + return c.DiscoveryClient +} + +// NewForConfig creates a new Clientset for the given config. +// If config's RateLimiter is not set and QPS and Burst are acceptable, +// NewForConfig will generate a rate-limiter in configShallowCopy. 
+func NewForConfig(c *rest.Config) (*Clientset, error) { + configShallowCopy := *c + if configShallowCopy.RateLimiter == nil && configShallowCopy.QPS > 0 { + if configShallowCopy.Burst <= 0 { + return nil, fmt.Errorf("burst is required to be greater than 0 when RateLimiter is not set and QPS is set to greater than 0") + } + configShallowCopy.RateLimiter = flowcontrol.NewTokenBucketRateLimiter(configShallowCopy.QPS, configShallowCopy.Burst) + } + var cs Clientset + var err error + cs.oauthV1alpha1, err = oauthv1alpha1.NewForConfig(&configShallowCopy) + if err != nil { + return nil, err + } + + cs.DiscoveryClient, err = discovery.NewDiscoveryClientForConfig(&configShallowCopy) + if err != nil { + return nil, err + } + return &cs, nil +} + +// NewForConfigOrDie creates a new Clientset for the given config and +// panics if there is an error in the config. +func NewForConfigOrDie(c *rest.Config) *Clientset { + var cs Clientset + cs.oauthV1alpha1 = oauthv1alpha1.NewForConfigOrDie(c) + + cs.DiscoveryClient = discovery.NewDiscoveryClientForConfigOrDie(c) + return &cs +} + +// New creates a new Clientset for the given RESTClient. +func New(c rest.Interface) *Clientset { + var cs Clientset + cs.oauthV1alpha1 = oauthv1alpha1.New(c) + + cs.DiscoveryClient = discovery.NewDiscoveryClient(c) + return &cs +} diff --git a/generated/1.21/client/supervisor/virtual/clientset/versioned/doc.go b/generated/1.21/client/supervisor/virtual/clientset/versioned/doc.go new file mode 100644 index 00000000..5dc02e6e --- /dev/null +++ b/generated/1.21/client/supervisor/virtual/clientset/versioned/doc.go @@ -0,0 +1,7 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +// This package has the automatically generated clientset. +package versioned 
diff --git a/generated/1.21/client/supervisor/virtual/clientset/versioned/fake/clientset_generated.go b/generated/1.21/client/supervisor/virtual/clientset/versioned/fake/clientset_generated.go new file mode 100644 index 00000000..fcf86e29 --- /dev/null +++ b/generated/1.21/client/supervisor/virtual/clientset/versioned/fake/clientset_generated.go 
@@ -0,0 +1,69 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package fake + +import ( + clientset "go.pinniped.dev/generated/1.21/client/supervisor/virtual/clientset/versioned" + oauthv1alpha1 "go.pinniped.dev/generated/1.21/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1" + fakeoauthv1alpha1 "go.pinniped.dev/generated/1.21/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake" + "k8s.io/apimachinery/pkg/runtime" + "k8s.io/apimachinery/pkg/watch" + "k8s.io/client-go/discovery" + fakediscovery "k8s.io/client-go/discovery/fake" + "k8s.io/client-go/testing" +) + +// NewSimpleClientset returns a clientset that will respond with the provided objects. +// It's backed by a very simple object tracker that processes creates, updates and deletions as-is, +// without applying any validations and/or defaults. It shouldn't be considered a replacement +// for a real clientset and is mostly useful in simple unit tests. +func NewSimpleClientset(objects ...runtime.Object) *Clientset { + o := testing.NewObjectTracker(scheme, codecs.UniversalDecoder()) + for _, obj := range objects { + if err := o.Add(obj); err != nil { + panic(err) + } + } + + cs := &Clientset{tracker: o} + cs.discovery = &fakediscovery.FakeDiscovery{Fake: &cs.Fake} + cs.AddReactor("*", "*", testing.ObjectReaction(o)) + cs.AddWatchReactor("*", func(action testing.Action) (handled bool, ret watch.Interface, err error) { + gvr := action.GetResource() + ns := action.GetNamespace() + watch, err := o.Watch(gvr, ns) + if err != nil { + return false, nil, err + } + return true, watch, nil + }) + + return cs +} + +// Clientset implements clientset.Interface. Meant to be embedded into a +// struct to get a default implementation. This makes faking out just the method +// you want to test easier. 
+type Clientset struct { + testing.Fake + discovery *fakediscovery.FakeDiscovery + tracker testing.ObjectTracker +} + +func (c *Clientset) Discovery() discovery.DiscoveryInterface { + return c.discovery +} + +func (c *Clientset) Tracker() testing.ObjectTracker { + return c.tracker +} + +var _ clientset.Interface = &Clientset{} + +// OauthV1alpha1 retrieves the OauthV1alpha1Client +func (c *Clientset) OauthV1alpha1() oauthv1alpha1.OauthV1alpha1Interface { + return &fakeoauthv1alpha1.FakeOauthV1alpha1{Fake: &c.Fake} +} diff --git a/generated/1.21/client/supervisor/virtual/clientset/versioned/fake/doc.go b/generated/1.21/client/supervisor/virtual/clientset/versioned/fake/doc.go new file mode 100644 index 00000000..7c9538fd --- /dev/null +++ b/generated/1.21/client/supervisor/virtual/clientset/versioned/fake/doc.go @@ -0,0 +1,7 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +// This package has the automatically generated fake clientset. +package fake diff --git a/generated/1.21/client/supervisor/virtual/clientset/versioned/fake/register.go b/generated/1.21/client/supervisor/virtual/clientset/versioned/fake/register.go new file mode 100644 index 00000000..c7b66d2c --- /dev/null +++ b/generated/1.21/client/supervisor/virtual/clientset/versioned/fake/register.go 
@@ -0,0 +1,43 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package fake + +import ( + oauthv1alpha1 "go.pinniped.dev/generated/1.21/apis/supervisor/virtual/oauth/v1alpha1" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + runtime "k8s.io/apimachinery/pkg/runtime" + schema "k8s.io/apimachinery/pkg/runtime/schema" + serializer "k8s.io/apimachinery/pkg/runtime/serializer" + utilruntime "k8s.io/apimachinery/pkg/util/runtime" +) + +var scheme = runtime.NewScheme() +var codecs = serializer.NewCodecFactory(scheme) + +var localSchemeBuilder = runtime.SchemeBuilder{ + oauthv1alpha1.AddToScheme, +} + +// AddToScheme adds all types of this clientset into the given scheme. This allows composition +// of clientsets, like in: +// +// import ( +// "k8s.io/client-go/kubernetes" +// clientsetscheme "k8s.io/client-go/kubernetes/scheme" +// aggregatorclientsetscheme "k8s.io/kube-aggregator/pkg/client/clientset_generated/clientset/scheme" +// ) +// +// kclientset, _ := kubernetes.NewForConfig(c) +// _ = aggregatorclientsetscheme.AddToScheme(clientsetscheme.Scheme) +// +// After this, RawExtensions in Kubernetes types will serialize kube-aggregator types +// correctly. +var AddToScheme = localSchemeBuilder.AddToScheme + +func init() { + v1.AddToGroupVersion(scheme, schema.GroupVersion{Version: "v1"}) + utilruntime.Must(AddToScheme(scheme)) +} diff --git a/generated/1.21/client/supervisor/virtual/clientset/versioned/scheme/doc.go b/generated/1.21/client/supervisor/virtual/clientset/versioned/scheme/doc.go new file mode 100644 index 00000000..cc02f1d3 --- /dev/null +++ b/generated/1.21/client/supervisor/virtual/clientset/versioned/scheme/doc.go 
@@ -0,0 +1,7 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +// This package contains the scheme of the automatically generated clientset. +package scheme diff --git a/generated/1.21/client/supervisor/virtual/clientset/versioned/scheme/register.go b/generated/1.21/client/supervisor/virtual/clientset/versioned/scheme/register.go new file mode 100644 index 00000000..3afd089b --- /dev/null +++ b/generated/1.21/client/supervisor/virtual/clientset/versioned/scheme/register.go 
@@ -0,0 +1,43 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package scheme + +import ( + oauthv1alpha1 "go.pinniped.dev/generated/1.21/apis/supervisor/virtual/oauth/v1alpha1" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + runtime "k8s.io/apimachinery/pkg/runtime" + schema "k8s.io/apimachinery/pkg/runtime/schema" + serializer "k8s.io/apimachinery/pkg/runtime/serializer" + utilruntime "k8s.io/apimachinery/pkg/util/runtime" +) + +var Scheme = runtime.NewScheme() +var Codecs = serializer.NewCodecFactory(Scheme) +var ParameterCodec = runtime.NewParameterCodec(Scheme) +var localSchemeBuilder = runtime.SchemeBuilder{ + oauthv1alpha1.AddToScheme, +} + +// AddToScheme adds all types of this clientset into the given scheme. This allows composition +// of clientsets, like in: +// +// import ( +// "k8s.io/client-go/kubernetes" +// clientsetscheme "k8s.io/client-go/kubernetes/scheme" +// aggregatorclientsetscheme "k8s.io/kube-aggregator/pkg/client/clientset_generated/clientset/scheme" +// ) +// +// kclientset, _ := kubernetes.NewForConfig(c) +// _ = aggregatorclientsetscheme.AddToScheme(clientsetscheme.Scheme) +// +// After this, RawExtensions in Kubernetes types will serialize kube-aggregator types +// correctly. +var AddToScheme = localSchemeBuilder.AddToScheme + +func init() { + v1.AddToGroupVersion(Scheme, schema.GroupVersion{Version: "v1"}) + utilruntime.Must(AddToScheme(Scheme)) +} diff --git a/generated/1.21/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/doc.go b/generated/1.21/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/doc.go new file mode 100644 index 00000000..e7a470b6 --- /dev/null +++ b/generated/1.21/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/doc.go 
@@ -0,0 +1,7 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +// This package has the automatically generated typed clients. +package v1alpha1 diff --git a/generated/1.21/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go b/generated/1.21/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go new file mode 100644 index 00000000..7906901b --- /dev/null +++ b/generated/1.21/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go @@ -0,0 +1,7 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +// Package fake has the automatically generated clients. +package fake diff --git a/generated/1.21/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go b/generated/1.21/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go new file mode 100644 index 00000000..341e6495 --- /dev/null +++ b/generated/1.21/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go 
@@ -0,0 +1,27 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package fake + +import ( + v1alpha1 "go.pinniped.dev/generated/1.21/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1" + rest "k8s.io/client-go/rest" + testing "k8s.io/client-go/testing" +) + +type FakeOauthV1alpha1 struct { + *testing.Fake +} + +func (c *FakeOauthV1alpha1) OIDCClientSecretRequests(namespace string) v1alpha1.OIDCClientSecretRequestInterface { + return &FakeOIDCClientSecretRequests{c, namespace} +} + +// RESTClient returns a RESTClient that is used to communicate +// with API server by this client implementation. +func (c *FakeOauthV1alpha1) RESTClient() rest.Interface { + var ret *rest.RESTClient + return ret +} diff --git a/generated/1.21/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oidcclientsecretrequest.go b/generated/1.21/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oidcclientsecretrequest.go new file mode 100644 index 00000000..28997757 --- /dev/null +++ b/generated/1.21/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oidcclientsecretrequest.go 
@@ -0,0 +1,36 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package fake + +import ( + "context" + + v1alpha1 "go.pinniped.dev/generated/1.21/apis/supervisor/virtual/oauth/v1alpha1" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + schema "k8s.io/apimachinery/pkg/runtime/schema" + testing "k8s.io/client-go/testing" +) + +// FakeOIDCClientSecretRequests implements OIDCClientSecretRequestInterface +type FakeOIDCClientSecretRequests struct { + Fake *FakeOauthV1alpha1 + ns string +} + +var oidcclientsecretrequestsResource = schema.GroupVersionResource{Group: "oauth.virtual.supervisor.pinniped.dev", Version: "v1alpha1", Resource: "oidcclientsecretrequests"} + +var oidcclientsecretrequestsKind = schema.GroupVersionKind{Group: "oauth.virtual.supervisor.pinniped.dev", Version: "v1alpha1", Kind: "OIDCClientSecretRequest"} + +// Create takes the representation of a oIDCClientSecretRequest and creates it. Returns the server's representation of the oIDCClientSecretRequest, and an error, if there is any. +func (c *FakeOIDCClientSecretRequests) Create(ctx context.Context, oIDCClientSecretRequest *v1alpha1.OIDCClientSecretRequest, opts v1.CreateOptions) (result *v1alpha1.OIDCClientSecretRequest, err error) { + obj, err := c.Fake. + Invokes(testing.NewCreateAction(oidcclientsecretrequestsResource, c.ns, oIDCClientSecretRequest), &v1alpha1.OIDCClientSecretRequest{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.OIDCClientSecretRequest), err +} diff --git a/generated/1.21/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go b/generated/1.21/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go new file mode 100644 index 00000000..427a2ad8 --- /dev/null +++ b/generated/1.21/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go 
@@ -0,0 +1,8 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package v1alpha1 + +type OIDCClientSecretRequestExpansion interface{} diff --git a/generated/1.21/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go b/generated/1.21/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go new file mode 100644 index 00000000..8d4fc39d --- /dev/null +++ b/generated/1.21/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go 
@@ -0,0 +1,76 @@
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by client-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+ v1alpha1 "go.pinniped.dev/generated/1.21/apis/supervisor/virtual/oauth/v1alpha1"
+ "go.pinniped.dev/generated/1.21/client/supervisor/virtual/clientset/versioned/scheme"
+ rest "k8s.io/client-go/rest"
+)
+
+type OauthV1alpha1Interface interface {
+ RESTClient() rest.Interface
+ OIDCClientSecretRequestsGetter
+}
+
+// OauthV1alpha1Client is used to interact with features provided by the oauth.virtual.supervisor.pinniped.dev group.
+type OauthV1alpha1Client struct {
+ restClient rest.Interface
+}
+
+func (c *OauthV1alpha1Client) OIDCClientSecretRequests(namespace string) OIDCClientSecretRequestInterface {
+ return newOIDCClientSecretRequests(c, namespace)
+}
+
+// NewForConfig creates a new OauthV1alpha1Client for the given config.
+func NewForConfig(c *rest.Config) (*OauthV1alpha1Client, error) {
+ config := *c
+ if err := setConfigDefaults(&config); err != nil {
+ return nil, err
+ }
+ client, err := rest.RESTClientFor(&config)
+ if err != nil {
+ return nil, err
+ }
+ return &OauthV1alpha1Client{client}, nil
+}
+
+// NewForConfigOrDie creates a new OauthV1alpha1Client for the given config and
+// panics if there is an error in the config.
+func NewForConfigOrDie(c *rest.Config) *OauthV1alpha1Client {
+ client, err := NewForConfig(c)
+ if err != nil {
+ panic(err)
+ }
+ return client
+}
+
+// New creates a new OauthV1alpha1Client for the given RESTClient.
+func New(c rest.Interface) *OauthV1alpha1Client {
+ return &OauthV1alpha1Client{c}
+}
+
+func setConfigDefaults(config *rest.Config) error {
+ gv := v1alpha1.SchemeGroupVersion
+ config.GroupVersion = &gv
+ config.APIPath = "/apis"
+ config.NegotiatedSerializer = scheme.Codecs.WithoutConversion()
+
+ if config.UserAgent == "" {
+ config.UserAgent = rest.DefaultKubernetesUserAgent()
+ }
+
+ return nil
+}
+
+// RESTClient returns a RESTClient that is used to communicate
+// with API server by this client implementation.
+func (c *OauthV1alpha1Client) RESTClient() rest.Interface {
+ if c == nil {
+ return nil
+ }
+ return c.restClient
+}
diff --git a/generated/1.21/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/oidcclientsecretrequest.go b/generated/1.21/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/oidcclientsecretrequest.go
new file mode 100644
index 00000000..3b8b2f84
--- /dev/null
+++ b/generated/1.21/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/oidcclientsecretrequest.go
@@ -0,0 +1,54 @@
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by client-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+ "context"
+
+ v1alpha1 "go.pinniped.dev/generated/1.21/apis/supervisor/virtual/oauth/v1alpha1"
+ scheme "go.pinniped.dev/generated/1.21/client/supervisor/virtual/clientset/versioned/scheme"
+ v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ rest "k8s.io/client-go/rest"
+)
+
+// OIDCClientSecretRequestsGetter has a method to return a OIDCClientSecretRequestInterface.
+// A group's client should implement this interface.
+type OIDCClientSecretRequestsGetter interface {
+ OIDCClientSecretRequests(namespace string) OIDCClientSecretRequestInterface
+}
+
+// OIDCClientSecretRequestInterface has methods to work with OIDCClientSecretRequest resources.
+type OIDCClientSecretRequestInterface interface {
+ Create(ctx context.Context, oIDCClientSecretRequest *v1alpha1.OIDCClientSecretRequest, opts v1.CreateOptions) (*v1alpha1.OIDCClientSecretRequest, error)
+ OIDCClientSecretRequestExpansion
+}
+
+// oIDCClientSecretRequests implements OIDCClientSecretRequestInterface
+type oIDCClientSecretRequests struct {
+ client rest.Interface
+ ns string
+}
+
+// newOIDCClientSecretRequests returns a OIDCClientSecretRequests
+func newOIDCClientSecretRequests(c *OauthV1alpha1Client, namespace string) *oIDCClientSecretRequests {
+ return &oIDCClientSecretRequests{
+ client: c.RESTClient(),
+ ns: namespace,
+ }
+}
+
+// Create takes the representation of a oIDCClientSecretRequest and creates it. Returns the server's representation of the oIDCClientSecretRequest, and an error, if there is any.
+func (c *oIDCClientSecretRequests) Create(ctx context.Context, oIDCClientSecretRequest *v1alpha1.OIDCClientSecretRequest, opts v1.CreateOptions) (result *v1alpha1.OIDCClientSecretRequest, err error) {
+ result = &v1alpha1.OIDCClientSecretRequest{}
+ err = c.client.Post().
+ Namespace(c.ns).
+ Resource("oidcclientsecretrequests").
+ VersionedParams(&opts, scheme.ParameterCodec).
+ Body(oIDCClientSecretRequest).
+ Do(ctx).
+ Into(result)
+ return
+}
diff --git a/generated/1.22/README.adoc b/generated/1.22/README.adoc
index 78e1cd46..55db1f5b 100644
--- a/generated/1.22/README.adoc
+++ b/generated/1.22/README.adoc
@@ -13,6 +13,8 @@
 - xref:{anchor_prefix}-idp-supervisor-pinniped-dev-v1alpha1[$$idp.supervisor.pinniped.dev/v1alpha1$$]
 - xref:{anchor_prefix}-login-concierge-pinniped-dev-v1alpha1[$$login.concierge.pinniped.dev/v1alpha1$$]
 - xref:{anchor_prefix}-oauth-supervisor-pinniped-dev-v1alpha1[$$oauth.supervisor.pinniped.dev/v1alpha1$$]
+- xref:{anchor_prefix}-oauth-virtual-supervisor-pinniped-dev-oauth[$$oauth.virtual.supervisor.pinniped.dev/oauth$$]
+- xref:{anchor_prefix}-oauth-virtual-supervisor-pinniped-dev-v1alpha1[$$oauth.virtual.supervisor.pinniped.dev/v1alpha1$$]
 [id="{anchor_prefix}-authentication-concierge-pinniped-dev-v1alpha1"]
@@ -1386,3 +1388,95 @@ OIDCClientSpec is a struct that describes an OIDC Client.
+
+[id="{anchor_prefix}-oauth-virtual-supervisor-pinniped-dev-oauth"]
+=== oauth.virtual.supervisor.pinniped.dev/oauth
+
+Package oauth is the internal version of the Pinniped virtual oauth API.
+
+
+
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-virtual-oauth-oidcclientsecretrequestspec"]
+==== OIDCClientSecretRequestSpec
+
+
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-virtual-oauth-oidcclientsecretrequest[$$OIDCClientSecretRequest$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`generateNewSecret`* __boolean__ |
+| *`revokeOldSecrets`* __boolean__ |
+|===
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-virtual-oauth-oidcclientsecretrequeststatus"]
+==== OIDCClientSecretRequestStatus
+
+
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-virtual-oauth-oidcclientsecretrequest[$$OIDCClientSecretRequest$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`generatedSecret`* __string__ |
+| *`totalClientSecrets`* __integer__ |
+|===
+
+
+
+[id="{anchor_prefix}-oauth-virtual-supervisor-pinniped-dev-v1alpha1"]
+=== oauth.virtual.supervisor.pinniped.dev/v1alpha1
+
+Package v1alpha1 is the v1alpha1 version of the Pinniped virtual oauth API.
+
+
+
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-virtual-oauth-v1alpha1-oidcclientsecretrequestspec"]
+==== OIDCClientSecretRequestSpec
+
+
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-virtual-oauth-v1alpha1-oidcclientsecretrequest[$$OIDCClientSecretRequest$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`generateNewSecret`* __boolean__ |
+| *`revokeOldSecrets`* __boolean__ |
+|===
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-virtual-oauth-v1alpha1-oidcclientsecretrequeststatus"]
+==== OIDCClientSecretRequestStatus
+
+
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-virtual-oauth-v1alpha1-oidcclientsecretrequest[$$OIDCClientSecretRequest$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`generatedSecret`* __string__ |
+| *`totalClientSecrets`* __integer__ |
+|===
+
+
diff --git a/generated/1.22/apis/supervisor/virtual/oauth/doc.go b/generated/1.22/apis/supervisor/virtual/oauth/doc.go
new file mode 100644
index 00000000..ca4e9a63
--- /dev/null
+++ b/generated/1.22/apis/supervisor/virtual/oauth/doc.go
@@ -0,0 +1,8 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// +k8s:deepcopy-gen=package
+// +groupName=oauth.virtual.supervisor.pinniped.dev
+
+// Package oauth is the internal version of the Pinniped virtual oauth API.
+package oauth
diff --git a/generated/1.22/apis/supervisor/virtual/oauth/register.go b/generated/1.22/apis/supervisor/virtual/oauth/register.go
new file mode 100644
index 00000000..a238d85f
--- /dev/null
+++ b/generated/1.22/apis/supervisor/virtual/oauth/register.go
@@ -0,0 +1,37 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package oauth
+
+import (
+ "k8s.io/apimachinery/pkg/runtime"
+ "k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+const GroupName = "oauth.virtual.supervisor.pinniped.dev"
+
+// SchemeGroupVersion is group version used to register these objects.
+var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: runtime.APIVersionInternal}
+
+// Kind takes an unqualified kind and returns back a Group qualified GroupKind.
+func Kind(kind string) schema.GroupKind {
+ return SchemeGroupVersion.WithKind(kind).GroupKind()
+}
+
+// Resource takes an unqualified resource and returns back a Group qualified GroupResource.
+func Resource(resource string) schema.GroupResource {
+ return SchemeGroupVersion.WithResource(resource).GroupResource()
+}
+
+var (
+ SchemeBuilder = runtime.NewSchemeBuilder(addKnownTypes)
+ AddToScheme = SchemeBuilder.AddToScheme
+)
+
+// Adds the list of known types to the given scheme.
+func addKnownTypes(scheme *runtime.Scheme) error {
+ scheme.AddKnownTypes(SchemeGroupVersion,
+ &OIDCClientSecretRequest{},
+ )
+ return nil
+}
diff --git a/generated/1.22/apis/supervisor/virtual/oauth/types_oidcclientsecretrequest.go b/generated/1.22/apis/supervisor/virtual/oauth/types_oidcclientsecretrequest.go
new file mode 100644
index 00000000..ac54a93c
--- /dev/null
+++ b/generated/1.22/apis/supervisor/virtual/oauth/types_oidcclientsecretrequest.go
@@ -0,0 +1,25 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package oauth
+
+import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+type OIDCClientSecretRequestSpec struct {
+ GenerateNewSecret bool `json:"generateNewSecret"`
+ RevokeOldSecrets bool `json:"revokeOldSecrets"`
+}
+
+type OIDCClientSecretRequestStatus struct {
+ GeneratedSecret string `json:"generatedSecret,omitempty"`
+ TotalClientSecrets int `json:"totalClientSecrets"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+type OIDCClientSecretRequest struct {
+ metav1.TypeMeta `json:",inline"`
+ metav1.ObjectMeta `json:"metadata,omitempty"` // metadata.name must be set to the client ID
+
+ Spec OIDCClientSecretRequestSpec `json:"spec"`
+ Status OIDCClientSecretRequestStatus `json:"status"`
+}
diff --git a/generated/1.22/apis/supervisor/virtual/oauth/v1alpha1/conversion.go b/generated/1.22/apis/supervisor/virtual/oauth/v1alpha1/conversion.go
new file mode 100644
index 00000000..fcf4e82f
--- /dev/null
+++ b/generated/1.22/apis/supervisor/virtual/oauth/v1alpha1/conversion.go
@@ -0,0 +1,4 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
diff --git a/generated/1.22/apis/supervisor/virtual/oauth/v1alpha1/defaults.go b/generated/1.22/apis/supervisor/virtual/oauth/v1alpha1/defaults.go
new file mode 100644
index 00000000..d4f5a9e8
--- /dev/null
+++ b/generated/1.22/apis/supervisor/virtual/oauth/v1alpha1/defaults.go
@@ -0,0 +1,12 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import (
+ "k8s.io/apimachinery/pkg/runtime"
+)
+
+func addDefaultingFuncs(scheme *runtime.Scheme) error {
+ return RegisterDefaults(scheme)
+}
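Review bot: OIDCClientSecretRequestSpec, OIDCClientSecretRequestStatus, OIDCClientSecretRequest and every field on them are exported API types with no doc comment, which is also why the README tables generated for this group in this patch show empty Description cells; the same applies to the v1alpha1 copy of this file further down. The field that most needs one is `GeneratedSecret`, since it carries a credential: the comment should say when it is populated, that it is only returned in the response to this create request, and whether the server retains a plaintext copy anywhere — if that is the intended design, which I cannot confirm from this hunk. `TotalClientSecrets int` should be `int32` or `int64`, since Kubernetes API types use fixed-width integers so the wire type does not depend on the build platform; the v1alpha1 copy and the generated conversion functions assign the field directly, so both files need the same change. A short type comment such as `// OIDCClientSecretRequest requests a new client secret for the client identified by metadata.name.` would at least give the README something to show.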
diff --git a/generated/1.22/apis/supervisor/virtual/oauth/v1alpha1/doc.go b/generated/1.22/apis/supervisor/virtual/oauth/v1alpha1/doc.go
new file mode 100644
index 00000000..2529f68c
--- /dev/null
+++ b/generated/1.22/apis/supervisor/virtual/oauth/v1alpha1/doc.go
@@ -0,0 +1,11 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// +k8s:openapi-gen=true
+// +k8s:deepcopy-gen=package
+// +k8s:conversion-gen=go.pinniped.dev/generated/1.22/apis/supervisor/virtual/oauth
+// +k8s:defaulter-gen=TypeMeta
+// +groupName=oauth.virtual.supervisor.pinniped.dev
+
+// Package v1alpha1 is the v1alpha1 version of the Pinniped virtual oauth API.
+package v1alpha1
diff --git a/generated/1.22/apis/supervisor/virtual/oauth/v1alpha1/register.go b/generated/1.22/apis/supervisor/virtual/oauth/v1alpha1/register.go
new file mode 100644
index 00000000..ecc75a08
--- /dev/null
+++ b/generated/1.22/apis/supervisor/virtual/oauth/v1alpha1/register.go
@@ -0,0 +1,42 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import (
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/apimachinery/pkg/runtime"
+ "k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+const GroupName = "oauth.virtual.supervisor.pinniped.dev"
+
+// SchemeGroupVersion is group version used to register these objects.
+var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha1"}
+
+var (
+ SchemeBuilder runtime.SchemeBuilder
+ localSchemeBuilder = &SchemeBuilder
+ AddToScheme = SchemeBuilder.AddToScheme
+)
+
+func init() {
+ // We only register manually written functions here. The registration of the
+ // generated functions takes place in the generated files. The separation
+ // makes the code compile even when the generated files are missing.
+ localSchemeBuilder.Register(addKnownTypes, addDefaultingFuncs)
+}
+
+// Adds the list of known types to the given scheme.
+func addKnownTypes(scheme *runtime.Scheme) error {
+ scheme.AddKnownTypes(SchemeGroupVersion,
+ &OIDCClientSecretRequest{},
+ )
+ metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
+ return nil
+}
+
+// Resource takes an unqualified resource and returns back a Group qualified GroupResource.
+func Resource(resource string) schema.GroupResource {
+ return SchemeGroupVersion.WithResource(resource).GroupResource()
+}
diff --git a/generated/1.22/apis/supervisor/virtual/oauth/v1alpha1/types_oidcclientsecretrequest.go b/generated/1.22/apis/supervisor/virtual/oauth/v1alpha1/types_oidcclientsecretrequest.go
new file mode 100644
index 00000000..dda2f3bb
--- /dev/null
+++ b/generated/1.22/apis/supervisor/virtual/oauth/v1alpha1/types_oidcclientsecretrequest.go
@@ -0,0 +1,28 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+type OIDCClientSecretRequestSpec struct {
+ GenerateNewSecret bool `json:"generateNewSecret"`
+ RevokeOldSecrets bool `json:"revokeOldSecrets"`
+}
+
+type OIDCClientSecretRequestStatus struct {
+ GeneratedSecret string `json:"generatedSecret,omitempty"`
+ TotalClientSecrets int `json:"totalClientSecrets"`
+}
+
+// +genclient
+// +genclient:onlyVerbs=create
+// +kubebuilder:subresource:status
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+type OIDCClientSecretRequest struct {
+ metav1.TypeMeta `json:",inline"`
+ metav1.ObjectMeta `json:"metadata,omitempty"` // metadata.name must be set to the client ID
+
+ Spec OIDCClientSecretRequestSpec `json:"spec"`
+ Status OIDCClientSecretRequestStatus `json:"status"`
+}
diff --git a/generated/1.22/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.conversion.go b/generated/1.22/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.conversion.go
new file mode 100644
index 00000000..a0866234
--- /dev/null
+++ b/generated/1.22/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.conversion.go
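Review bot: `+kubebuilder:subresource:status` and `+genclient:onlyVerbs=create` on OIDCClientSecretRequest pull in different directions: the client generated from these markers exposes only Create, and a resource whose status is never written separately has no use for a status subresource. If this type is served by an aggregated API server rather than persisted as a CRD — which the package comment's "virtual" wording suggests, and I see no CRD manifest for it in this part of the patch — the kubebuilder marker is never read and should be dropped so it does not imply a separately writable `/status`. If it is instead meant to become a CRD, the manifest should be generated alongside this type so the two cannot drift.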
@@ -0,0 +1,131 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by conversion-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+ oauth "go.pinniped.dev/generated/1.22/apis/supervisor/virtual/oauth"
+ conversion "k8s.io/apimachinery/pkg/conversion"
+ runtime "k8s.io/apimachinery/pkg/runtime"
+)
+
+func init() {
+ localSchemeBuilder.Register(RegisterConversions)
+}
+
+// RegisterConversions adds conversion functions to the given scheme.
+// Public to allow building arbitrary schemes.
+func RegisterConversions(s *runtime.Scheme) error {
+ if err := s.AddGeneratedConversionFunc((*OIDCClientSecretRequest)(nil), (*oauth.OIDCClientSecretRequest)(nil), func(a, b interface{}, scope conversion.Scope) error {
+ return Convert_v1alpha1_OIDCClientSecretRequest_To_oauth_OIDCClientSecretRequest(a.(*OIDCClientSecretRequest), b.(*oauth.OIDCClientSecretRequest), scope)
+ }); err != nil {
+ return err
+ }
+ if err := s.AddGeneratedConversionFunc((*oauth.OIDCClientSecretRequest)(nil), (*OIDCClientSecretRequest)(nil), func(a, b interface{}, scope conversion.Scope) error {
+ return Convert_oauth_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest(a.(*oauth.OIDCClientSecretRequest), b.(*OIDCClientSecretRequest), scope)
+ }); err != nil {
+ return err
+ }
+ if err := s.AddGeneratedConversionFunc((*OIDCClientSecretRequestSpec)(nil), (*oauth.OIDCClientSecretRequestSpec)(nil), func(a, b interface{}, scope conversion.Scope) error {
+ return Convert_v1alpha1_OIDCClientSecretRequestSpec_To_oauth_OIDCClientSecretRequestSpec(a.(*OIDCClientSecretRequestSpec), b.(*oauth.OIDCClientSecretRequestSpec), scope)
+ }); err != nil {
+ return err
+ }
+ if err := s.AddGeneratedConversionFunc((*oauth.OIDCClientSecretRequestSpec)(nil), (*OIDCClientSecretRequestSpec)(nil), func(a, b interface{}, scope conversion.Scope) error {
+ return
Convert_oauth_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec(a.(*oauth.OIDCClientSecretRequestSpec), b.(*OIDCClientSecretRequestSpec), scope)
+ }); err != nil {
+ return err
+ }
+ if err := s.AddGeneratedConversionFunc((*OIDCClientSecretRequestStatus)(nil), (*oauth.OIDCClientSecretRequestStatus)(nil), func(a, b interface{}, scope conversion.Scope) error {
+ return Convert_v1alpha1_OIDCClientSecretRequestStatus_To_oauth_OIDCClientSecretRequestStatus(a.(*OIDCClientSecretRequestStatus), b.(*oauth.OIDCClientSecretRequestStatus), scope)
+ }); err != nil {
+ return err
+ }
+ if err := s.AddGeneratedConversionFunc((*oauth.OIDCClientSecretRequestStatus)(nil), (*OIDCClientSecretRequestStatus)(nil), func(a, b interface{}, scope conversion.Scope) error {
+ return Convert_oauth_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus(a.(*oauth.OIDCClientSecretRequestStatus), b.(*OIDCClientSecretRequestStatus), scope)
+ }); err != nil {
+ return err
+ }
+ return nil
+}
+
+func autoConvert_v1alpha1_OIDCClientSecretRequest_To_oauth_OIDCClientSecretRequest(in *OIDCClientSecretRequest, out *oauth.OIDCClientSecretRequest, s conversion.Scope) error {
+ out.ObjectMeta = in.ObjectMeta
+ if err := Convert_v1alpha1_OIDCClientSecretRequestSpec_To_oauth_OIDCClientSecretRequestSpec(&in.Spec, &out.Spec, s); err != nil {
+ return err
+ }
+ if err := Convert_v1alpha1_OIDCClientSecretRequestStatus_To_oauth_OIDCClientSecretRequestStatus(&in.Status, &out.Status, s); err != nil {
+ return err
+ }
+ return nil
+}
+
+// Convert_v1alpha1_OIDCClientSecretRequest_To_oauth_OIDCClientSecretRequest is an autogenerated conversion function.
+func Convert_v1alpha1_OIDCClientSecretRequest_To_oauth_OIDCClientSecretRequest(in *OIDCClientSecretRequest, out *oauth.OIDCClientSecretRequest, s conversion.Scope) error {
+ return autoConvert_v1alpha1_OIDCClientSecretRequest_To_oauth_OIDCClientSecretRequest(in, out, s)
+}
+
+func autoConvert_oauth_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest(in *oauth.OIDCClientSecretRequest, out *OIDCClientSecretRequest, s conversion.Scope) error {
+ out.ObjectMeta = in.ObjectMeta
+ if err := Convert_oauth_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec(&in.Spec, &out.Spec, s); err != nil {
+ return err
+ }
+ if err := Convert_oauth_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus(&in.Status, &out.Status, s); err != nil {
+ return err
+ }
+ return nil
+}
+
+// Convert_oauth_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest is an autogenerated conversion function.
+func Convert_oauth_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest(in *oauth.OIDCClientSecretRequest, out *OIDCClientSecretRequest, s conversion.Scope) error {
+ return autoConvert_oauth_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest(in, out, s)
+}
+
+func autoConvert_v1alpha1_OIDCClientSecretRequestSpec_To_oauth_OIDCClientSecretRequestSpec(in *OIDCClientSecretRequestSpec, out *oauth.OIDCClientSecretRequestSpec, s conversion.Scope) error {
+ out.GenerateNewSecret = in.GenerateNewSecret
+ out.RevokeOldSecrets = in.RevokeOldSecrets
+ return nil
+}
+
+// Convert_v1alpha1_OIDCClientSecretRequestSpec_To_oauth_OIDCClientSecretRequestSpec is an autogenerated conversion function.
+func Convert_v1alpha1_OIDCClientSecretRequestSpec_To_oauth_OIDCClientSecretRequestSpec(in *OIDCClientSecretRequestSpec, out *oauth.OIDCClientSecretRequestSpec, s conversion.Scope) error {
+ return autoConvert_v1alpha1_OIDCClientSecretRequestSpec_To_oauth_OIDCClientSecretRequestSpec(in, out, s)
+}
+
+func autoConvert_oauth_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec(in *oauth.OIDCClientSecretRequestSpec, out *OIDCClientSecretRequestSpec, s conversion.Scope) error {
+ out.GenerateNewSecret = in.GenerateNewSecret
+ out.RevokeOldSecrets = in.RevokeOldSecrets
+ return nil
+}
+
+// Convert_oauth_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec is an autogenerated conversion function.
+func Convert_oauth_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec(in *oauth.OIDCClientSecretRequestSpec, out *OIDCClientSecretRequestSpec, s conversion.Scope) error {
+ return autoConvert_oauth_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec(in, out, s)
+}
+
+func autoConvert_v1alpha1_OIDCClientSecretRequestStatus_To_oauth_OIDCClientSecretRequestStatus(in *OIDCClientSecretRequestStatus, out *oauth.OIDCClientSecretRequestStatus, s conversion.Scope) error {
+ out.GeneratedSecret = in.GeneratedSecret
+ out.TotalClientSecrets = in.TotalClientSecrets
+ return nil
+}
+
+// Convert_v1alpha1_OIDCClientSecretRequestStatus_To_oauth_OIDCClientSecretRequestStatus is an autogenerated conversion function.
+func Convert_v1alpha1_OIDCClientSecretRequestStatus_To_oauth_OIDCClientSecretRequestStatus(in *OIDCClientSecretRequestStatus, out *oauth.OIDCClientSecretRequestStatus, s conversion.Scope) error {
+ return autoConvert_v1alpha1_OIDCClientSecretRequestStatus_To_oauth_OIDCClientSecretRequestStatus(in, out, s)
+}
+
+func autoConvert_oauth_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus(in *oauth.OIDCClientSecretRequestStatus, out *OIDCClientSecretRequestStatus, s conversion.Scope) error {
+ out.GeneratedSecret = in.GeneratedSecret
+ out.TotalClientSecrets = in.TotalClientSecrets
+ return nil
+}
+
+// Convert_oauth_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus is an autogenerated conversion function.
+func Convert_oauth_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus(in *oauth.OIDCClientSecretRequestStatus, out *OIDCClientSecretRequestStatus, s conversion.Scope) error {
+ return autoConvert_oauth_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus(in, out, s)
+}
diff --git a/generated/1.22/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.deepcopy.go b/generated/1.22/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.deepcopy.go
new file mode 100644
index 00000000..e4fce842
--- /dev/null
+++ b/generated/1.22/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.deepcopy.go
@@ -0,0 +1,73 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by deepcopy-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+ runtime "k8s.io/apimachinery/pkg/runtime"
+)
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OIDCClientSecretRequest) DeepCopyInto(out *OIDCClientSecretRequest) {
+ *out = *in
+ out.TypeMeta = in.TypeMeta
+ in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+ out.Spec = in.Spec
+ out.Status = in.Status
+ return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSecretRequest.
+func (in *OIDCClientSecretRequest) DeepCopy() *OIDCClientSecretRequest {
+ if in == nil {
+ return nil
+ }
+ out := new(OIDCClientSecretRequest)
+ in.DeepCopyInto(out)
+ return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *OIDCClientSecretRequest) DeepCopyObject() runtime.Object {
+ if c := in.DeepCopy(); c != nil {
+ return c
+ }
+ return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OIDCClientSecretRequestSpec) DeepCopyInto(out *OIDCClientSecretRequestSpec) {
+ *out = *in
+ return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSecretRequestSpec.
+func (in *OIDCClientSecretRequestSpec) DeepCopy() *OIDCClientSecretRequestSpec {
+ if in == nil {
+ return nil
+ }
+ out := new(OIDCClientSecretRequestSpec)
+ in.DeepCopyInto(out)
+ return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OIDCClientSecretRequestStatus) DeepCopyInto(out *OIDCClientSecretRequestStatus) {
+ *out = *in
+ return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSecretRequestStatus.
+func (in *OIDCClientSecretRequestStatus) DeepCopy() *OIDCClientSecretRequestStatus {
+ if in == nil {
+ return nil
+ }
+ out := new(OIDCClientSecretRequestStatus)
+ in.DeepCopyInto(out)
+ return out
+}
diff --git a/generated/1.22/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.defaults.go b/generated/1.22/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.defaults.go
new file mode 100644
index 00000000..9097a935
--- /dev/null
+++ b/generated/1.22/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.defaults.go
@@ -0,0 +1,20 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by defaulter-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+ runtime "k8s.io/apimachinery/pkg/runtime"
+)
+
+// RegisterDefaults adds defaulters functions to the given scheme.
+// Public to allow building arbitrary schemes.
+// All generated defaulters are covering - they call all nested defaulters.
+func RegisterDefaults(scheme *runtime.Scheme) error {
+ return nil
+}
diff --git a/generated/1.22/apis/supervisor/virtual/oauth/zz_generated.deepcopy.go b/generated/1.22/apis/supervisor/virtual/oauth/zz_generated.deepcopy.go
new file mode 100644
index 00000000..24b58e7b
--- /dev/null
+++ b/generated/1.22/apis/supervisor/virtual/oauth/zz_generated.deepcopy.go
@@ -0,0 +1,73 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by deepcopy-gen. DO NOT EDIT.
+
+package oauth
+
+import (
+ runtime "k8s.io/apimachinery/pkg/runtime"
+)
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OIDCClientSecretRequest) DeepCopyInto(out *OIDCClientSecretRequest) {
+ *out = *in
+ out.TypeMeta = in.TypeMeta
+ in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+ out.Spec = in.Spec
+ out.Status = in.Status
+ return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSecretRequest.
+func (in *OIDCClientSecretRequest) DeepCopy() *OIDCClientSecretRequest {
+ if in == nil {
+ return nil
+ }
+ out := new(OIDCClientSecretRequest)
+ in.DeepCopyInto(out)
+ return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *OIDCClientSecretRequest) DeepCopyObject() runtime.Object {
+ if c := in.DeepCopy(); c != nil {
+ return c
+ }
+ return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OIDCClientSecretRequestSpec) DeepCopyInto(out *OIDCClientSecretRequestSpec) {
+ *out = *in
+ return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSecretRequestSpec.
+func (in *OIDCClientSecretRequestSpec) DeepCopy() *OIDCClientSecretRequestSpec {
+ if in == nil {
+ return nil
+ }
+ out := new(OIDCClientSecretRequestSpec)
+ in.DeepCopyInto(out)
+ return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OIDCClientSecretRequestStatus) DeepCopyInto(out *OIDCClientSecretRequestStatus) {
+ *out = *in
+ return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSecretRequestStatus.
+func (in *OIDCClientSecretRequestStatus) DeepCopy() *OIDCClientSecretRequestStatus {
+ if in == nil {
+ return nil
+ }
+ out := new(OIDCClientSecretRequestStatus)
+ in.DeepCopyInto(out)
+ return out
+}
diff --git a/generated/1.22/client/supervisor/virtual/clientset/versioned/clientset.go b/generated/1.22/client/supervisor/virtual/clientset/versioned/clientset.go
new file mode 100644
index 00000000..c9c89465
--- /dev/null
+++ b/generated/1.22/client/supervisor/virtual/clientset/versioned/clientset.go
@@ -0,0 +1,84 @@
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by client-gen. DO NOT EDIT.
+
+package versioned
+
+import (
+ "fmt"
+
+ oauthv1alpha1 "go.pinniped.dev/generated/1.22/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1"
+ discovery "k8s.io/client-go/discovery"
+ rest "k8s.io/client-go/rest"
+ flowcontrol "k8s.io/client-go/util/flowcontrol"
+)
+
+type Interface interface {
+ Discovery() discovery.DiscoveryInterface
+ OauthV1alpha1() oauthv1alpha1.OauthV1alpha1Interface
+}
+
+// Clientset contains the clients for groups. Each group has exactly one
+// version included in a Clientset.
+type Clientset struct {
+ *discovery.DiscoveryClient
+ oauthV1alpha1 *oauthv1alpha1.OauthV1alpha1Client
+}
+
+// OauthV1alpha1 retrieves the OauthV1alpha1Client
+func (c *Clientset) OauthV1alpha1() oauthv1alpha1.OauthV1alpha1Interface {
+ return c.oauthV1alpha1
+}
+
+// Discovery retrieves the DiscoveryClient
+func (c *Clientset) Discovery() discovery.DiscoveryInterface {
+ if c == nil {
+ return nil
+ }
+ return c.DiscoveryClient
+}
+
+// NewForConfig creates a new Clientset for the given config.
+// If config's RateLimiter is not set and QPS and Burst are acceptable,
+// NewForConfig will generate a rate-limiter in configShallowCopy.
+func NewForConfig(c *rest.Config) (*Clientset, error) {
+ configShallowCopy := *c
+ if configShallowCopy.RateLimiter == nil && configShallowCopy.QPS > 0 {
+ if configShallowCopy.Burst <= 0 {
+ return nil, fmt.Errorf("burst is required to be greater than 0 when RateLimiter is not set and QPS is set to greater than 0")
+ }
+ configShallowCopy.RateLimiter = flowcontrol.NewTokenBucketRateLimiter(configShallowCopy.QPS, configShallowCopy.Burst)
+ }
+ var cs Clientset
+ var err error
+ cs.oauthV1alpha1, err = oauthv1alpha1.NewForConfig(&configShallowCopy)
+ if err != nil {
+ return nil, err
+ }
+
+ cs.DiscoveryClient, err = discovery.NewDiscoveryClientForConfig(&configShallowCopy)
+ if err != nil {
+ return nil, err
+ }
+ return &cs, nil
+}
+
+// NewForConfigOrDie creates a new Clientset for the given config and
+// panics if there is an error in the config.
+func NewForConfigOrDie(c *rest.Config) *Clientset {
+ var cs Clientset
+ cs.oauthV1alpha1 = oauthv1alpha1.NewForConfigOrDie(c)
+
+ cs.DiscoveryClient = discovery.NewDiscoveryClientForConfigOrDie(c)
+ return &cs
+}
+
+// New creates a new Clientset for the given RESTClient.
+func New(c rest.Interface) *Clientset {
+ var cs Clientset
+ cs.oauthV1alpha1 = oauthv1alpha1.New(c)
+
+ cs.DiscoveryClient = discovery.NewDiscoveryClient(c)
+ return &cs
+}
diff --git a/generated/1.22/client/supervisor/virtual/clientset/versioned/doc.go b/generated/1.22/client/supervisor/virtual/clientset/versioned/doc.go
new file mode 100644
index 00000000..5dc02e6e
--- /dev/null
+++ b/generated/1.22/client/supervisor/virtual/clientset/versioned/doc.go
@@ -0,0 +1,7 @@
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by client-gen. DO NOT EDIT.
+
+// This package has the automatically generated clientset.
+package versioned
diff --git a/generated/1.22/client/supervisor/virtual/clientset/versioned/fake/clientset_generated.go b/generated/1.22/client/supervisor/virtual/clientset/versioned/fake/clientset_generated.go
new file mode 100644
index 00000000..5cb64013
--- /dev/null
+++ b/generated/1.22/client/supervisor/virtual/clientset/versioned/fake/clientset_generated.go
@@ -0,0 +1,72 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package fake + +import ( + clientset "go.pinniped.dev/generated/1.22/client/supervisor/virtual/clientset/versioned" + oauthv1alpha1 "go.pinniped.dev/generated/1.22/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1" + fakeoauthv1alpha1 "go.pinniped.dev/generated/1.22/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake" + "k8s.io/apimachinery/pkg/runtime" + "k8s.io/apimachinery/pkg/watch" + "k8s.io/client-go/discovery" + fakediscovery "k8s.io/client-go/discovery/fake" + "k8s.io/client-go/testing" +) + +// NewSimpleClientset returns a clientset that will respond with the provided objects. +// It's backed by a very simple object tracker that processes creates, updates and deletions as-is, +// without applying any validations and/or defaults. It shouldn't be considered a replacement +// for a real clientset and is mostly useful in simple unit tests. +func NewSimpleClientset(objects ...runtime.Object) *Clientset { + o := testing.NewObjectTracker(scheme, codecs.UniversalDecoder()) + for _, obj := range objects { + if err := o.Add(obj); err != nil { + panic(err) + } + } + + cs := &Clientset{tracker: o} + cs.discovery = &fakediscovery.FakeDiscovery{Fake: &cs.Fake} + cs.AddReactor("*", "*", testing.ObjectReaction(o)) + cs.AddWatchReactor("*", func(action testing.Action) (handled bool, ret watch.Interface, err error) { + gvr := action.GetResource() + ns := action.GetNamespace() + watch, err := o.Watch(gvr, ns) + if err != nil { + return false, nil, err + } + return true, watch, nil + }) + + return cs +} + +// Clientset implements clientset.Interface. Meant to be embedded into a +// struct to get a default implementation. This makes faking out just the method +// you want to test easier. 
+type Clientset struct { + testing.Fake + discovery *fakediscovery.FakeDiscovery + tracker testing.ObjectTracker +} + +func (c *Clientset) Discovery() discovery.DiscoveryInterface { + return c.discovery +} + +func (c *Clientset) Tracker() testing.ObjectTracker { + return c.tracker +} + +var ( + _ clientset.Interface = &Clientset{} + _ testing.FakeClient = &Clientset{} +) + +// OauthV1alpha1 retrieves the OauthV1alpha1Client +func (c *Clientset) OauthV1alpha1() oauthv1alpha1.OauthV1alpha1Interface { + return &fakeoauthv1alpha1.FakeOauthV1alpha1{Fake: &c.Fake} +} diff --git a/generated/1.22/client/supervisor/virtual/clientset/versioned/fake/doc.go b/generated/1.22/client/supervisor/virtual/clientset/versioned/fake/doc.go new file mode 100644 index 00000000..7c9538fd --- /dev/null +++ b/generated/1.22/client/supervisor/virtual/clientset/versioned/fake/doc.go @@ -0,0 +1,7 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +// This package has the automatically generated fake clientset. +package fake diff --git a/generated/1.22/client/supervisor/virtual/clientset/versioned/fake/register.go b/generated/1.22/client/supervisor/virtual/clientset/versioned/fake/register.go new file mode 100644 index 00000000..87de2f5a --- /dev/null +++ b/generated/1.22/client/supervisor/virtual/clientset/versioned/fake/register.go 
@@ -0,0 +1,43 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package fake + +import ( + oauthv1alpha1 "go.pinniped.dev/generated/1.22/apis/supervisor/virtual/oauth/v1alpha1" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + runtime "k8s.io/apimachinery/pkg/runtime" + schema "k8s.io/apimachinery/pkg/runtime/schema" + serializer "k8s.io/apimachinery/pkg/runtime/serializer" + utilruntime "k8s.io/apimachinery/pkg/util/runtime" +) + +var scheme = runtime.NewScheme() +var codecs = serializer.NewCodecFactory(scheme) + +var localSchemeBuilder = runtime.SchemeBuilder{ + oauthv1alpha1.AddToScheme, +} + +// AddToScheme adds all types of this clientset into the given scheme. This allows composition +// of clientsets, like in: +// +// import ( +// "k8s.io/client-go/kubernetes" +// clientsetscheme "k8s.io/client-go/kubernetes/scheme" +// aggregatorclientsetscheme "k8s.io/kube-aggregator/pkg/client/clientset_generated/clientset/scheme" +// ) +// +// kclientset, _ := kubernetes.NewForConfig(c) +// _ = aggregatorclientsetscheme.AddToScheme(clientsetscheme.Scheme) +// +// After this, RawExtensions in Kubernetes types will serialize kube-aggregator types +// correctly. +var AddToScheme = localSchemeBuilder.AddToScheme + +func init() { + v1.AddToGroupVersion(scheme, schema.GroupVersion{Version: "v1"}) + utilruntime.Must(AddToScheme(scheme)) +} diff --git a/generated/1.22/client/supervisor/virtual/clientset/versioned/scheme/doc.go b/generated/1.22/client/supervisor/virtual/clientset/versioned/scheme/doc.go new file mode 100644 index 00000000..cc02f1d3 --- /dev/null +++ b/generated/1.22/client/supervisor/virtual/clientset/versioned/scheme/doc.go 
@@ -0,0 +1,7 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +// This package contains the scheme of the automatically generated clientset. +package scheme diff --git a/generated/1.22/client/supervisor/virtual/clientset/versioned/scheme/register.go b/generated/1.22/client/supervisor/virtual/clientset/versioned/scheme/register.go new file mode 100644 index 00000000..4fcfd7d8 --- /dev/null +++ b/generated/1.22/client/supervisor/virtual/clientset/versioned/scheme/register.go 
@@ -0,0 +1,43 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package scheme + +import ( + oauthv1alpha1 "go.pinniped.dev/generated/1.22/apis/supervisor/virtual/oauth/v1alpha1" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + runtime "k8s.io/apimachinery/pkg/runtime" + schema "k8s.io/apimachinery/pkg/runtime/schema" + serializer "k8s.io/apimachinery/pkg/runtime/serializer" + utilruntime "k8s.io/apimachinery/pkg/util/runtime" +) + +var Scheme = runtime.NewScheme() +var Codecs = serializer.NewCodecFactory(Scheme) +var ParameterCodec = runtime.NewParameterCodec(Scheme) +var localSchemeBuilder = runtime.SchemeBuilder{ + oauthv1alpha1.AddToScheme, +} + +// AddToScheme adds all types of this clientset into the given scheme. This allows composition +// of clientsets, like in: +// +// import ( +// "k8s.io/client-go/kubernetes" +// clientsetscheme "k8s.io/client-go/kubernetes/scheme" +// aggregatorclientsetscheme "k8s.io/kube-aggregator/pkg/client/clientset_generated/clientset/scheme" +// ) +// +// kclientset, _ := kubernetes.NewForConfig(c) +// _ = aggregatorclientsetscheme.AddToScheme(clientsetscheme.Scheme) +// +// After this, RawExtensions in Kubernetes types will serialize kube-aggregator types +// correctly. +var AddToScheme = localSchemeBuilder.AddToScheme + +func init() { + v1.AddToGroupVersion(Scheme, schema.GroupVersion{Version: "v1"}) + utilruntime.Must(AddToScheme(Scheme)) +} diff --git a/generated/1.22/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/doc.go b/generated/1.22/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/doc.go new file mode 100644 index 00000000..e7a470b6 --- /dev/null +++ b/generated/1.22/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/doc.go 
@@ -0,0 +1,7 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +// This package has the automatically generated typed clients. +package v1alpha1 diff --git a/generated/1.22/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go b/generated/1.22/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go new file mode 100644 index 00000000..7906901b --- /dev/null +++ b/generated/1.22/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go @@ -0,0 +1,7 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +// Package fake has the automatically generated clients. +package fake diff --git a/generated/1.22/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go b/generated/1.22/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go new file mode 100644 index 00000000..26dd6706 --- /dev/null +++ b/generated/1.22/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go 
@@ -0,0 +1,27 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package fake + +import ( + v1alpha1 "go.pinniped.dev/generated/1.22/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1" + rest "k8s.io/client-go/rest" + testing "k8s.io/client-go/testing" +) + +type FakeOauthV1alpha1 struct { + *testing.Fake +} + +func (c *FakeOauthV1alpha1) OIDCClientSecretRequests(namespace string) v1alpha1.OIDCClientSecretRequestInterface { + return &FakeOIDCClientSecretRequests{c, namespace} +} + +// RESTClient returns a RESTClient that is used to communicate +// with API server by this client implementation. +func (c *FakeOauthV1alpha1) RESTClient() rest.Interface { + var ret *rest.RESTClient + return ret +} diff --git a/generated/1.22/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oidcclientsecretrequest.go b/generated/1.22/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oidcclientsecretrequest.go new file mode 100644 index 00000000..1fadc80c --- /dev/null +++ b/generated/1.22/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oidcclientsecretrequest.go 
@@ -0,0 +1,36 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package fake + +import ( + "context" + + v1alpha1 "go.pinniped.dev/generated/1.22/apis/supervisor/virtual/oauth/v1alpha1" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + schema "k8s.io/apimachinery/pkg/runtime/schema" + testing "k8s.io/client-go/testing" +) + +// FakeOIDCClientSecretRequests implements OIDCClientSecretRequestInterface +type FakeOIDCClientSecretRequests struct { + Fake *FakeOauthV1alpha1 + ns string +} + +var oidcclientsecretrequestsResource = schema.GroupVersionResource{Group: "oauth.virtual.supervisor.pinniped.dev", Version: "v1alpha1", Resource: "oidcclientsecretrequests"} + +var oidcclientsecretrequestsKind = schema.GroupVersionKind{Group: "oauth.virtual.supervisor.pinniped.dev", Version: "v1alpha1", Kind: "OIDCClientSecretRequest"} + +// Create takes the representation of a oIDCClientSecretRequest and creates it. Returns the server's representation of the oIDCClientSecretRequest, and an error, if there is any. +func (c *FakeOIDCClientSecretRequests) Create(ctx context.Context, oIDCClientSecretRequest *v1alpha1.OIDCClientSecretRequest, opts v1.CreateOptions) (result *v1alpha1.OIDCClientSecretRequest, err error) { + obj, err := c.Fake. + Invokes(testing.NewCreateAction(oidcclientsecretrequestsResource, c.ns, oIDCClientSecretRequest), &v1alpha1.OIDCClientSecretRequest{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.OIDCClientSecretRequest), err +} diff --git a/generated/1.22/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go b/generated/1.22/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go new file mode 100644 index 00000000..427a2ad8 --- /dev/null +++ b/generated/1.22/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go 
@@ -0,0 +1,8 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package v1alpha1 + +type OIDCClientSecretRequestExpansion interface{} diff --git a/generated/1.22/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go b/generated/1.22/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go new file mode 100644 index 00000000..cfb00d3a --- /dev/null +++ b/generated/1.22/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go 
@@ -0,0 +1,76 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + v1alpha1 "go.pinniped.dev/generated/1.22/apis/supervisor/virtual/oauth/v1alpha1" + "go.pinniped.dev/generated/1.22/client/supervisor/virtual/clientset/versioned/scheme" + rest "k8s.io/client-go/rest" +) + +type OauthV1alpha1Interface interface { + RESTClient() rest.Interface + OIDCClientSecretRequestsGetter +} + +// OauthV1alpha1Client is used to interact with features provided by the oauth.virtual.supervisor.pinniped.dev group. +type OauthV1alpha1Client struct { + restClient rest.Interface +} + +func (c *OauthV1alpha1Client) OIDCClientSecretRequests(namespace string) OIDCClientSecretRequestInterface { + return newOIDCClientSecretRequests(c, namespace) +} + +// NewForConfig creates a new OauthV1alpha1Client for the given config. +func NewForConfig(c *rest.Config) (*OauthV1alpha1Client, error) { + config := *c + if err := setConfigDefaults(&config); err != nil { + return nil, err + } + client, err := rest.RESTClientFor(&config) + if err != nil { + return nil, err + } + return &OauthV1alpha1Client{client}, nil +} + +// NewForConfigOrDie creates a new OauthV1alpha1Client for the given config and +// panics if there is an error in the config. +func NewForConfigOrDie(c *rest.Config) *OauthV1alpha1Client { + client, err := NewForConfig(c) + if err != nil { + panic(err) + } + return client +} + +// New creates a new OauthV1alpha1Client for the given RESTClient. 
+func New(c rest.Interface) *OauthV1alpha1Client { + return &OauthV1alpha1Client{c} +} + +func setConfigDefaults(config *rest.Config) error { + gv := v1alpha1.SchemeGroupVersion + config.GroupVersion = &gv + config.APIPath = "/apis" + config.NegotiatedSerializer = scheme.Codecs.WithoutConversion() + + if config.UserAgent == "" { + config.UserAgent = rest.DefaultKubernetesUserAgent() + } + + return nil +} + +// RESTClient returns a RESTClient that is used to communicate +// with API server by this client implementation. +func (c *OauthV1alpha1Client) RESTClient() rest.Interface { + if c == nil { + return nil + } + return c.restClient +} diff --git a/generated/1.22/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/oidcclientsecretrequest.go b/generated/1.22/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/oidcclientsecretrequest.go new file mode 100644 index 00000000..995eb80e --- /dev/null +++ b/generated/1.22/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/oidcclientsecretrequest.go 
@@ -0,0 +1,54 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + "context" + + v1alpha1 "go.pinniped.dev/generated/1.22/apis/supervisor/virtual/oauth/v1alpha1" + scheme "go.pinniped.dev/generated/1.22/client/supervisor/virtual/clientset/versioned/scheme" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + rest "k8s.io/client-go/rest" +) + +// OIDCClientSecretRequestsGetter has a method to return a OIDCClientSecretRequestInterface. +// A group's client should implement this interface. +type OIDCClientSecretRequestsGetter interface { + OIDCClientSecretRequests(namespace string) OIDCClientSecretRequestInterface +} + +// OIDCClientSecretRequestInterface has methods to work with OIDCClientSecretRequest resources. +type OIDCClientSecretRequestInterface interface { + Create(ctx context.Context, oIDCClientSecretRequest *v1alpha1.OIDCClientSecretRequest, opts v1.CreateOptions) (*v1alpha1.OIDCClientSecretRequest, error) + OIDCClientSecretRequestExpansion +} + +// oIDCClientSecretRequests implements OIDCClientSecretRequestInterface +type oIDCClientSecretRequests struct { + client rest.Interface + ns string +} + +// newOIDCClientSecretRequests returns a OIDCClientSecretRequests +func newOIDCClientSecretRequests(c *OauthV1alpha1Client, namespace string) *oIDCClientSecretRequests { + return &oIDCClientSecretRequests{ + client: c.RESTClient(), + ns: namespace, + } +} + +// Create takes the representation of a oIDCClientSecretRequest and creates it. Returns the server's representation of the oIDCClientSecretRequest, and an error, if there is any. +func (c *oIDCClientSecretRequests) Create(ctx context.Context, oIDCClientSecretRequest *v1alpha1.OIDCClientSecretRequest, opts v1.CreateOptions) (result *v1alpha1.OIDCClientSecretRequest, err error) { + result = &v1alpha1.OIDCClientSecretRequest{} + err = c.client.Post(). + Namespace(c.ns). 
+ Resource("oidcclientsecretrequests"). + VersionedParams(&opts, scheme.ParameterCodec). + Body(oIDCClientSecretRequest). + Do(ctx). + Into(result) + return +} diff --git a/generated/1.23/README.adoc b/generated/1.23/README.adoc index d858f07a..d078f60c 100644 --- a/generated/1.23/README.adoc +++ b/generated/1.23/README.adoc @@ -13,6 +13,8 @@ - xref:{anchor_prefix}-idp-supervisor-pinniped-dev-v1alpha1[$$idp.supervisor.pinniped.dev/v1alpha1$$] - xref:{anchor_prefix}-login-concierge-pinniped-dev-v1alpha1[$$login.concierge.pinniped.dev/v1alpha1$$] - xref:{anchor_prefix}-oauth-supervisor-pinniped-dev-v1alpha1[$$oauth.supervisor.pinniped.dev/v1alpha1$$] +- xref:{anchor_prefix}-oauth-virtual-supervisor-pinniped-dev-oauth[$$oauth.virtual.supervisor.pinniped.dev/oauth$$] +- xref:{anchor_prefix}-oauth-virtual-supervisor-pinniped-dev-v1alpha1[$$oauth.virtual.supervisor.pinniped.dev/v1alpha1$$] [id="{anchor_prefix}-authentication-concierge-pinniped-dev-v1alpha1"] 
@@ -1386,3 +1388,95 @@ OIDCClientSpec is a struct that describes an OIDC Client. + +[id="{anchor_prefix}-oauth-virtual-supervisor-pinniped-dev-oauth"] +=== oauth.virtual.supervisor.pinniped.dev/oauth + +Package oauth is the internal version of the Pinniped virtual oauth API. + + + + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-virtual-oauth-oidcclientsecretrequestspec"] +==== OIDCClientSecretRequestSpec + + + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-virtual-oauth-oidcclientsecretrequest[$$OIDCClientSecretRequest$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`generateNewSecret`* __boolean__ | +| *`revokeOldSecrets`* __boolean__ | +|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-virtual-oauth-oidcclientsecretrequeststatus"] +==== OIDCClientSecretRequestStatus + + + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-virtual-oauth-oidcclientsecretrequest[$$OIDCClientSecretRequest$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`generatedSecret`* __string__ | +| *`totalClientSecrets`* __integer__ | +|=== + + + +[id="{anchor_prefix}-oauth-virtual-supervisor-pinniped-dev-v1alpha1"] +=== oauth.virtual.supervisor.pinniped.dev/v1alpha1 + +Package v1alpha1 is the v1alpha1 version of the Pinniped virtual oauth API. 
+ + + + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-virtual-oauth-v1alpha1-oidcclientsecretrequestspec"] +==== OIDCClientSecretRequestSpec + + + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-virtual-oauth-v1alpha1-oidcclientsecretrequest[$$OIDCClientSecretRequest$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`generateNewSecret`* __boolean__ | +| *`revokeOldSecrets`* __boolean__ | +|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-virtual-oauth-v1alpha1-oidcclientsecretrequeststatus"] +==== OIDCClientSecretRequestStatus + + + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-virtual-oauth-v1alpha1-oidcclientsecretrequest[$$OIDCClientSecretRequest$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`generatedSecret`* __string__ | +| *`totalClientSecrets`* __integer__ | +|=== + + diff --git a/generated/1.23/apis/supervisor/virtual/oauth/doc.go b/generated/1.23/apis/supervisor/virtual/oauth/doc.go new file mode 100644 index 00000000..ca4e9a63 --- /dev/null +++ b/generated/1.23/apis/supervisor/virtual/oauth/doc.go @@ -0,0 +1,8 @@ +// Copyright 2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// +k8s:deepcopy-gen=package +// +groupName=oauth.virtual.supervisor.pinniped.dev + +// Package oauth is the internal version of the Pinniped virtual oauth API. +package oauth diff --git a/generated/1.23/apis/supervisor/virtual/oauth/register.go b/generated/1.23/apis/supervisor/virtual/oauth/register.go new file mode 100644 index 00000000..a238d85f --- /dev/null +++ b/generated/1.23/apis/supervisor/virtual/oauth/register.go 
@@ -0,0 +1,37 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package oauth
+
+import (
+ "k8s.io/apimachinery/pkg/runtime"
+ "k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+const GroupName = "oauth.virtual.supervisor.pinniped.dev"
+
+// SchemeGroupVersion is group version used to register these objects.
+var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: runtime.APIVersionInternal}
+
+// Kind takes an unqualified kind and returns back a Group qualified GroupKind.
+func Kind(kind string) schema.GroupKind {
+ return SchemeGroupVersion.WithKind(kind).GroupKind()
+}
+
+// Resource takes an unqualified resource and returns back a Group qualified GroupResource.
+func Resource(resource string) schema.GroupResource {
+ return SchemeGroupVersion.WithResource(resource).GroupResource()
+}
+
+var (
+ SchemeBuilder = runtime.NewSchemeBuilder(addKnownTypes)
+ AddToScheme = SchemeBuilder.AddToScheme
+)
+
+// Adds the list of known types to the given scheme.
+func addKnownTypes(scheme *runtime.Scheme) error {
+ scheme.AddKnownTypes(SchemeGroupVersion,
+ &OIDCClientSecretRequest{},
+ )
+ return nil
+}
diff --git a/generated/1.23/apis/supervisor/virtual/oauth/types_oidcclientsecretrequest.go b/generated/1.23/apis/supervisor/virtual/oauth/types_oidcclientsecretrequest.go
new file mode 100644
index 00000000..ac54a93c
--- /dev/null
+++ b/generated/1.23/apis/supervisor/virtual/oauth/types_oidcclientsecretrequest.go
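Review bot: The doc comment on addKnownTypes, `// Adds the list of known types to the given scheme.`, does not begin with the function name, so godoc and linters treat it as an unattached comment; the same comment appears on addKnownTypes in the v1alpha1 register.go later in this patch. Suggest `// addKnownTypes registers OIDCClientSecretRequest with the given scheme under SchemeGroupVersion.` If, as the .tmpl entries in the diffstat suggest, the generated/1.23 copy is produced from a template, the wording change belongs in the template rather than here.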
@@ -0,0 +1,25 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package oauth
+
+import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+type OIDCClientSecretRequestSpec struct {
+ GenerateNewSecret bool `json:"generateNewSecret"`
+ RevokeOldSecrets bool `json:"revokeOldSecrets"`
+}
+
+type OIDCClientSecretRequestStatus struct {
+ GeneratedSecret string `json:"generatedSecret,omitempty"`
+ TotalClientSecrets int `json:"totalClientSecrets"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+type OIDCClientSecretRequest struct {
+ metav1.TypeMeta `json:",inline"`
+ metav1.ObjectMeta `json:"metadata,omitempty"` // metadata.name must be set to the client ID
+
+ Spec OIDCClientSecretRequestSpec `json:"spec"`
+ Status OIDCClientSecretRequestStatus `json:"status"`
+}
diff --git a/generated/1.23/apis/supervisor/virtual/oauth/v1alpha1/conversion.go b/generated/1.23/apis/supervisor/virtual/oauth/v1alpha1/conversion.go
new file mode 100644
index 00000000..fcf4e82f
--- /dev/null
+++ b/generated/1.23/apis/supervisor/virtual/oauth/v1alpha1/conversion.go
@@ -0,0 +1,4 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
diff --git a/generated/1.23/apis/supervisor/virtual/oauth/v1alpha1/defaults.go b/generated/1.23/apis/supervisor/virtual/oauth/v1alpha1/defaults.go
new file mode 100644
index 00000000..d4f5a9e8
--- /dev/null
+++ b/generated/1.23/apis/supervisor/virtual/oauth/v1alpha1/defaults.go
@@ -0,0 +1,12 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import (
+ "k8s.io/apimachinery/pkg/runtime"
+)
+
+func addDefaultingFuncs(scheme *runtime.Scheme) error {
+ return RegisterDefaults(scheme)
+}
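Review bot: None of the Spec or Status fields of OIDCClientSecretRequest carry doc comments, which is why the README.adoc hunk in this same commit renders every field of OIDCClientSecretRequestSpec and OIDCClientSecretRequestStatus with an empty Description column; the v1alpha1 copy in types_oidcclientsecretrequest.go later in the patch has the same gap. GeneratedSecret is the one that most needs a stated contract, because it returns a plaintext client secret in an API response: if, as the create-only verb on the v1alpha1 type suggests, the secret is handed back exactly once and never stored, say so, e.g. `// GeneratedSecret is the plaintext client secret produced by this request. It is returned only in the response to the create call and cannot be retrieved again, so callers must store it.` GenerateNewSecret, RevokeOldSecrets and TotalClientSecrets each need a one-line comment as well, and since these comments feed the generated docs they should go in the template if generated/1.23 is copied from one.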
diff --git a/generated/1.23/apis/supervisor/virtual/oauth/v1alpha1/doc.go b/generated/1.23/apis/supervisor/virtual/oauth/v1alpha1/doc.go
new file mode 100644
index 00000000..dd351ef9
--- /dev/null
+++ b/generated/1.23/apis/supervisor/virtual/oauth/v1alpha1/doc.go
@@ -0,0 +1,11 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// +k8s:openapi-gen=true
+// +k8s:deepcopy-gen=package
+// +k8s:conversion-gen=go.pinniped.dev/generated/1.23/apis/supervisor/virtual/oauth
+// +k8s:defaulter-gen=TypeMeta
+// +groupName=oauth.virtual.supervisor.pinniped.dev
+
+// Package v1alpha1 is the v1alpha1 version of the Pinniped virtual oauth API.
+package v1alpha1
diff --git a/generated/1.23/apis/supervisor/virtual/oauth/v1alpha1/register.go b/generated/1.23/apis/supervisor/virtual/oauth/v1alpha1/register.go
new file mode 100644
index 00000000..ecc75a08
--- /dev/null
+++ b/generated/1.23/apis/supervisor/virtual/oauth/v1alpha1/register.go
@@ -0,0 +1,42 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import (
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/apimachinery/pkg/runtime"
+ "k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+const GroupName = "oauth.virtual.supervisor.pinniped.dev"
+
+// SchemeGroupVersion is group version used to register these objects.
+var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha1"}
+
+var (
+ SchemeBuilder runtime.SchemeBuilder
+ localSchemeBuilder = &SchemeBuilder
+ AddToScheme = SchemeBuilder.AddToScheme
+)
+
+func init() {
+ // We only register manually written functions here. The registration of the
+ // generated functions takes place in the generated files. The separation
+ // makes the code compile even when the generated files are missing.
+ localSchemeBuilder.Register(addKnownTypes, addDefaultingFuncs)
+}
+
+// Adds the list of known types to the given scheme.
+func addKnownTypes(scheme *runtime.Scheme) error {
+ scheme.AddKnownTypes(SchemeGroupVersion,
+ &OIDCClientSecretRequest{},
+ )
+ metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
+ return nil
+}
+
+// Resource takes an unqualified resource and returns back a Group qualified GroupResource.
+func Resource(resource string) schema.GroupResource {
+ return SchemeGroupVersion.WithResource(resource).GroupResource()
+}
diff --git a/generated/1.23/apis/supervisor/virtual/oauth/v1alpha1/types_oidcclientsecretrequest.go b/generated/1.23/apis/supervisor/virtual/oauth/v1alpha1/types_oidcclientsecretrequest.go
new file mode 100644
index 00000000..dda2f3bb
--- /dev/null
+++ b/generated/1.23/apis/supervisor/virtual/oauth/v1alpha1/types_oidcclientsecretrequest.go
@@ -0,0 +1,28 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+type OIDCClientSecretRequestSpec struct {
+ GenerateNewSecret bool `json:"generateNewSecret"`
+ RevokeOldSecrets bool `json:"revokeOldSecrets"`
+}
+
+type OIDCClientSecretRequestStatus struct {
+ GeneratedSecret string `json:"generatedSecret,omitempty"`
+ TotalClientSecrets int `json:"totalClientSecrets"`
+}
+
+// +genclient
+// +genclient:onlyVerbs=create
+// +kubebuilder:subresource:status
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+type OIDCClientSecretRequest struct {
+ metav1.TypeMeta `json:",inline"`
+ metav1.ObjectMeta `json:"metadata,omitempty"` // metadata.name must be set to the client ID
+
+ Spec OIDCClientSecretRequestSpec `json:"spec"`
+ Status OIDCClientSecretRequestStatus `json:"status"`
+}
diff --git a/generated/1.23/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.conversion.go b/generated/1.23/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.conversion.go
new file mode 100644
index 00000000..300b394f
--- /dev/null
+++ b/generated/1.23/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.conversion.go
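Review bot: The `+kubebuilder:subresource:status` marker on OIDCClientSecretRequest only influences CRD manifest generation, but this type has an internal version with conversion-gen wiring and is restricted to `+genclient:onlyVerbs=create`, which reads as a request/response resource served by an aggregated API server rather than a CRD; no CRD manifest for the oauth.virtual group is visible in this part of the patch. If that inference holds, the marker is inert and misleading and should be dropped, or else a comment should say which generator consumes it. Also worth noting in a comment on the type that Status is populated by the server in the create response only, so readers do not expect a persisted object with a separately updatable status, e.g. `// OIDCClientSecretRequest is a one-shot request; Status is filled in by the server on the create response.`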
@@ -0,0 +1,131 @@ +//go:build !ignore_autogenerated +// +build !ignore_autogenerated + +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by conversion-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + oauth "go.pinniped.dev/generated/1.23/apis/supervisor/virtual/oauth" + conversion "k8s.io/apimachinery/pkg/conversion" + runtime "k8s.io/apimachinery/pkg/runtime" +) + +func init() { + localSchemeBuilder.Register(RegisterConversions) +} + +// RegisterConversions adds conversion functions to the given scheme. +// Public to allow building arbitrary schemes. +func RegisterConversions(s *runtime.Scheme) error { + if err := s.AddGeneratedConversionFunc((*OIDCClientSecretRequest)(nil), (*oauth.OIDCClientSecretRequest)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_v1alpha1_OIDCClientSecretRequest_To_oauth_OIDCClientSecretRequest(a.(*OIDCClientSecretRequest), b.(*oauth.OIDCClientSecretRequest), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*oauth.OIDCClientSecretRequest)(nil), (*OIDCClientSecretRequest)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_oauth_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest(a.(*oauth.OIDCClientSecretRequest), b.(*OIDCClientSecretRequest), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*OIDCClientSecretRequestSpec)(nil), (*oauth.OIDCClientSecretRequestSpec)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_v1alpha1_OIDCClientSecretRequestSpec_To_oauth_OIDCClientSecretRequestSpec(a.(*OIDCClientSecretRequestSpec), b.(*oauth.OIDCClientSecretRequestSpec), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*oauth.OIDCClientSecretRequestSpec)(nil), (*OIDCClientSecretRequestSpec)(nil), func(a, b interface{}, scope conversion.Scope) error { + return 
Convert_oauth_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec(a.(*oauth.OIDCClientSecretRequestSpec), b.(*OIDCClientSecretRequestSpec), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*OIDCClientSecretRequestStatus)(nil), (*oauth.OIDCClientSecretRequestStatus)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_v1alpha1_OIDCClientSecretRequestStatus_To_oauth_OIDCClientSecretRequestStatus(a.(*OIDCClientSecretRequestStatus), b.(*oauth.OIDCClientSecretRequestStatus), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*oauth.OIDCClientSecretRequestStatus)(nil), (*OIDCClientSecretRequestStatus)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_oauth_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus(a.(*oauth.OIDCClientSecretRequestStatus), b.(*OIDCClientSecretRequestStatus), scope) + }); err != nil { + return err + } + return nil +} + +func autoConvert_v1alpha1_OIDCClientSecretRequest_To_oauth_OIDCClientSecretRequest(in *OIDCClientSecretRequest, out *oauth.OIDCClientSecretRequest, s conversion.Scope) error { + out.ObjectMeta = in.ObjectMeta + if err := Convert_v1alpha1_OIDCClientSecretRequestSpec_To_oauth_OIDCClientSecretRequestSpec(&in.Spec, &out.Spec, s); err != nil { + return err + } + if err := Convert_v1alpha1_OIDCClientSecretRequestStatus_To_oauth_OIDCClientSecretRequestStatus(&in.Status, &out.Status, s); err != nil { + return err + } + return nil +} + +// Convert_v1alpha1_OIDCClientSecretRequest_To_oauth_OIDCClientSecretRequest is an autogenerated conversion function. 
+func Convert_v1alpha1_OIDCClientSecretRequest_To_oauth_OIDCClientSecretRequest(in *OIDCClientSecretRequest, out *oauth.OIDCClientSecretRequest, s conversion.Scope) error { + return autoConvert_v1alpha1_OIDCClientSecretRequest_To_oauth_OIDCClientSecretRequest(in, out, s) +} + +func autoConvert_oauth_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest(in *oauth.OIDCClientSecretRequest, out *OIDCClientSecretRequest, s conversion.Scope) error { + out.ObjectMeta = in.ObjectMeta + if err := Convert_oauth_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec(&in.Spec, &out.Spec, s); err != nil { + return err + } + if err := Convert_oauth_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus(&in.Status, &out.Status, s); err != nil { + return err + } + return nil +} + +// Convert_oauth_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest is an autogenerated conversion function. +func Convert_oauth_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest(in *oauth.OIDCClientSecretRequest, out *OIDCClientSecretRequest, s conversion.Scope) error { + return autoConvert_oauth_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest(in, out, s) +} + +func autoConvert_v1alpha1_OIDCClientSecretRequestSpec_To_oauth_OIDCClientSecretRequestSpec(in *OIDCClientSecretRequestSpec, out *oauth.OIDCClientSecretRequestSpec, s conversion.Scope) error { + out.GenerateNewSecret = in.GenerateNewSecret + out.RevokeOldSecrets = in.RevokeOldSecrets + return nil +} + +// Convert_v1alpha1_OIDCClientSecretRequestSpec_To_oauth_OIDCClientSecretRequestSpec is an autogenerated conversion function. 
+func Convert_v1alpha1_OIDCClientSecretRequestSpec_To_oauth_OIDCClientSecretRequestSpec(in *OIDCClientSecretRequestSpec, out *oauth.OIDCClientSecretRequestSpec, s conversion.Scope) error { + return autoConvert_v1alpha1_OIDCClientSecretRequestSpec_To_oauth_OIDCClientSecretRequestSpec(in, out, s) +} + +func autoConvert_oauth_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec(in *oauth.OIDCClientSecretRequestSpec, out *OIDCClientSecretRequestSpec, s conversion.Scope) error { + out.GenerateNewSecret = in.GenerateNewSecret + out.RevokeOldSecrets = in.RevokeOldSecrets + return nil +} + +// Convert_oauth_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec is an autogenerated conversion function. +func Convert_oauth_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec(in *oauth.OIDCClientSecretRequestSpec, out *OIDCClientSecretRequestSpec, s conversion.Scope) error { + return autoConvert_oauth_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec(in, out, s) +} + +func autoConvert_v1alpha1_OIDCClientSecretRequestStatus_To_oauth_OIDCClientSecretRequestStatus(in *OIDCClientSecretRequestStatus, out *oauth.OIDCClientSecretRequestStatus, s conversion.Scope) error { + out.GeneratedSecret = in.GeneratedSecret + out.TotalClientSecrets = in.TotalClientSecrets + return nil +} + +// Convert_v1alpha1_OIDCClientSecretRequestStatus_To_oauth_OIDCClientSecretRequestStatus is an autogenerated conversion function. 
+func Convert_v1alpha1_OIDCClientSecretRequestStatus_To_oauth_OIDCClientSecretRequestStatus(in *OIDCClientSecretRequestStatus, out *oauth.OIDCClientSecretRequestStatus, s conversion.Scope) error { + return autoConvert_v1alpha1_OIDCClientSecretRequestStatus_To_oauth_OIDCClientSecretRequestStatus(in, out, s) +} + +func autoConvert_oauth_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus(in *oauth.OIDCClientSecretRequestStatus, out *OIDCClientSecretRequestStatus, s conversion.Scope) error { + out.GeneratedSecret = in.GeneratedSecret + out.TotalClientSecrets = in.TotalClientSecrets + return nil +} + +// Convert_oauth_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus is an autogenerated conversion function. +func Convert_oauth_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus(in *oauth.OIDCClientSecretRequestStatus, out *OIDCClientSecretRequestStatus, s conversion.Scope) error { + return autoConvert_oauth_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus(in, out, s) +} diff --git a/generated/1.23/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.deepcopy.go b/generated/1.23/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.deepcopy.go new file mode 100644 index 00000000..e4fce842 --- /dev/null +++ b/generated/1.23/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.deepcopy.go 
@@ -0,0 +1,73 @@ +//go:build !ignore_autogenerated +// +build !ignore_autogenerated + +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by deepcopy-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + runtime "k8s.io/apimachinery/pkg/runtime" +) + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCClientSecretRequest) DeepCopyInto(out *OIDCClientSecretRequest) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + out.Spec = in.Spec + out.Status = in.Status + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSecretRequest. +func (in *OIDCClientSecretRequest) DeepCopy() *OIDCClientSecretRequest { + if in == nil { + return nil + } + out := new(OIDCClientSecretRequest) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *OIDCClientSecretRequest) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCClientSecretRequestSpec) DeepCopyInto(out *OIDCClientSecretRequestSpec) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSecretRequestSpec. +func (in *OIDCClientSecretRequestSpec) DeepCopy() *OIDCClientSecretRequestSpec { + if in == nil { + return nil + } + out := new(OIDCClientSecretRequestSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *OIDCClientSecretRequestStatus) DeepCopyInto(out *OIDCClientSecretRequestStatus) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSecretRequestStatus. +func (in *OIDCClientSecretRequestStatus) DeepCopy() *OIDCClientSecretRequestStatus { + if in == nil { + return nil + } + out := new(OIDCClientSecretRequestStatus) + in.DeepCopyInto(out) + return out +} diff --git a/generated/1.23/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.defaults.go b/generated/1.23/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.defaults.go new file mode 100644 index 00000000..9097a935 --- /dev/null +++ b/generated/1.23/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.defaults.go @@ -0,0 +1,20 @@ +//go:build !ignore_autogenerated +// +build !ignore_autogenerated + +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by defaulter-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + runtime "k8s.io/apimachinery/pkg/runtime" +) + +// RegisterDefaults adds defaulters functions to the given scheme. +// Public to allow building arbitrary schemes. +// All generated defaulters are covering - they call all nested defaulters. +func RegisterDefaults(scheme *runtime.Scheme) error { + return nil +} diff --git a/generated/1.23/apis/supervisor/virtual/oauth/zz_generated.deepcopy.go b/generated/1.23/apis/supervisor/virtual/oauth/zz_generated.deepcopy.go new file mode 100644 index 00000000..24b58e7b --- /dev/null +++ b/generated/1.23/apis/supervisor/virtual/oauth/zz_generated.deepcopy.go 
@@ -0,0 +1,73 @@ +//go:build !ignore_autogenerated +// +build !ignore_autogenerated + +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by deepcopy-gen. DO NOT EDIT. + +package oauth + +import ( + runtime "k8s.io/apimachinery/pkg/runtime" +) + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCClientSecretRequest) DeepCopyInto(out *OIDCClientSecretRequest) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + out.Spec = in.Spec + out.Status = in.Status + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSecretRequest. +func (in *OIDCClientSecretRequest) DeepCopy() *OIDCClientSecretRequest { + if in == nil { + return nil + } + out := new(OIDCClientSecretRequest) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *OIDCClientSecretRequest) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCClientSecretRequestSpec) DeepCopyInto(out *OIDCClientSecretRequestSpec) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSecretRequestSpec. +func (in *OIDCClientSecretRequestSpec) DeepCopy() *OIDCClientSecretRequestSpec { + if in == nil { + return nil + } + out := new(OIDCClientSecretRequestSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *OIDCClientSecretRequestStatus) DeepCopyInto(out *OIDCClientSecretRequestStatus) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSecretRequestStatus. +func (in *OIDCClientSecretRequestStatus) DeepCopy() *OIDCClientSecretRequestStatus { + if in == nil { + return nil + } + out := new(OIDCClientSecretRequestStatus) + in.DeepCopyInto(out) + return out +} diff --git a/generated/1.23/client/supervisor/virtual/clientset/versioned/clientset.go b/generated/1.23/client/supervisor/virtual/clientset/versioned/clientset.go new file mode 100644 index 00000000..ef665be8 --- /dev/null +++ b/generated/1.23/client/supervisor/virtual/clientset/versioned/clientset.go 
@@ -0,0 +1,104 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package versioned + +import ( + "fmt" + "net/http" + + oauthv1alpha1 "go.pinniped.dev/generated/1.23/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1" + discovery "k8s.io/client-go/discovery" + rest "k8s.io/client-go/rest" + flowcontrol "k8s.io/client-go/util/flowcontrol" +) + +type Interface interface { + Discovery() discovery.DiscoveryInterface + OauthV1alpha1() oauthv1alpha1.OauthV1alpha1Interface +} + +// Clientset contains the clients for groups. Each group has exactly one +// version included in a Clientset. +type Clientset struct { + *discovery.DiscoveryClient + oauthV1alpha1 *oauthv1alpha1.OauthV1alpha1Client +} + +// OauthV1alpha1 retrieves the OauthV1alpha1Client +func (c *Clientset) OauthV1alpha1() oauthv1alpha1.OauthV1alpha1Interface { + return c.oauthV1alpha1 +} + +// Discovery retrieves the DiscoveryClient +func (c *Clientset) Discovery() discovery.DiscoveryInterface { + if c == nil { + return nil + } + return c.DiscoveryClient +} + +// NewForConfig creates a new Clientset for the given config. +// If config's RateLimiter is not set and QPS and Burst are acceptable, +// NewForConfig will generate a rate-limiter in configShallowCopy. +// NewForConfig is equivalent to NewForConfigAndClient(c, httpClient), +// where httpClient was generated with rest.HTTPClientFor(c). +func NewForConfig(c *rest.Config) (*Clientset, error) { + configShallowCopy := *c + + // share the transport between all clients + httpClient, err := rest.HTTPClientFor(&configShallowCopy) + if err != nil { + return nil, err + } + + return NewForConfigAndClient(&configShallowCopy, httpClient) +} + +// NewForConfigAndClient creates a new Clientset for the given config and http client. +// Note the http client provided takes precedence over the configured transport values. 
+// If config's RateLimiter is not set and QPS and Burst are acceptable, +// NewForConfigAndClient will generate a rate-limiter in configShallowCopy. +func NewForConfigAndClient(c *rest.Config, httpClient *http.Client) (*Clientset, error) { + configShallowCopy := *c + if configShallowCopy.RateLimiter == nil && configShallowCopy.QPS > 0 { + if configShallowCopy.Burst <= 0 { + return nil, fmt.Errorf("burst is required to be greater than 0 when RateLimiter is not set and QPS is set to greater than 0") + } + configShallowCopy.RateLimiter = flowcontrol.NewTokenBucketRateLimiter(configShallowCopy.QPS, configShallowCopy.Burst) + } + + var cs Clientset + var err error + cs.oauthV1alpha1, err = oauthv1alpha1.NewForConfigAndClient(&configShallowCopy, httpClient) + if err != nil { + return nil, err + } + + cs.DiscoveryClient, err = discovery.NewDiscoveryClientForConfigAndClient(&configShallowCopy, httpClient) + if err != nil { + return nil, err + } + return &cs, nil +} + +// NewForConfigOrDie creates a new Clientset for the given config and +// panics if there is an error in the config. +func NewForConfigOrDie(c *rest.Config) *Clientset { + cs, err := NewForConfig(c) + if err != nil { + panic(err) + } + return cs +} + +// New creates a new Clientset for the given RESTClient. +func New(c rest.Interface) *Clientset { + var cs Clientset + cs.oauthV1alpha1 = oauthv1alpha1.New(c) + + cs.DiscoveryClient = discovery.NewDiscoveryClient(c) + return &cs +} diff --git a/generated/1.23/client/supervisor/virtual/clientset/versioned/doc.go b/generated/1.23/client/supervisor/virtual/clientset/versioned/doc.go new file mode 100644 index 00000000..5dc02e6e --- /dev/null +++ b/generated/1.23/client/supervisor/virtual/clientset/versioned/doc.go 
@@ -0,0 +1,7 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +// This package has the automatically generated clientset. +package versioned diff --git a/generated/1.23/client/supervisor/virtual/clientset/versioned/fake/clientset_generated.go b/generated/1.23/client/supervisor/virtual/clientset/versioned/fake/clientset_generated.go new file mode 100644 index 00000000..43398825 --- /dev/null +++ b/generated/1.23/client/supervisor/virtual/clientset/versioned/fake/clientset_generated.go 
@@ -0,0 +1,72 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package fake + +import ( + clientset "go.pinniped.dev/generated/1.23/client/supervisor/virtual/clientset/versioned" + oauthv1alpha1 "go.pinniped.dev/generated/1.23/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1" + fakeoauthv1alpha1 "go.pinniped.dev/generated/1.23/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake" + "k8s.io/apimachinery/pkg/runtime" + "k8s.io/apimachinery/pkg/watch" + "k8s.io/client-go/discovery" + fakediscovery "k8s.io/client-go/discovery/fake" + "k8s.io/client-go/testing" +) + +// NewSimpleClientset returns a clientset that will respond with the provided objects. +// It's backed by a very simple object tracker that processes creates, updates and deletions as-is, +// without applying any validations and/or defaults. It shouldn't be considered a replacement +// for a real clientset and is mostly useful in simple unit tests. +func NewSimpleClientset(objects ...runtime.Object) *Clientset { + o := testing.NewObjectTracker(scheme, codecs.UniversalDecoder()) + for _, obj := range objects { + if err := o.Add(obj); err != nil { + panic(err) + } + } + + cs := &Clientset{tracker: o} + cs.discovery = &fakediscovery.FakeDiscovery{Fake: &cs.Fake} + cs.AddReactor("*", "*", testing.ObjectReaction(o)) + cs.AddWatchReactor("*", func(action testing.Action) (handled bool, ret watch.Interface, err error) { + gvr := action.GetResource() + ns := action.GetNamespace() + watch, err := o.Watch(gvr, ns) + if err != nil { + return false, nil, err + } + return true, watch, nil + }) + + return cs +} + +// Clientset implements clientset.Interface. Meant to be embedded into a +// struct to get a default implementation. This makes faking out just the method +// you want to test easier. 
+type Clientset struct { + testing.Fake + discovery *fakediscovery.FakeDiscovery + tracker testing.ObjectTracker +} + +func (c *Clientset) Discovery() discovery.DiscoveryInterface { + return c.discovery +} + +func (c *Clientset) Tracker() testing.ObjectTracker { + return c.tracker +} + +var ( + _ clientset.Interface = &Clientset{} + _ testing.FakeClient = &Clientset{} +) + +// OauthV1alpha1 retrieves the OauthV1alpha1Client +func (c *Clientset) OauthV1alpha1() oauthv1alpha1.OauthV1alpha1Interface { + return &fakeoauthv1alpha1.FakeOauthV1alpha1{Fake: &c.Fake} +} diff --git a/generated/1.23/client/supervisor/virtual/clientset/versioned/fake/doc.go b/generated/1.23/client/supervisor/virtual/clientset/versioned/fake/doc.go new file mode 100644 index 00000000..7c9538fd --- /dev/null +++ b/generated/1.23/client/supervisor/virtual/clientset/versioned/fake/doc.go @@ -0,0 +1,7 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +// This package has the automatically generated fake clientset. +package fake diff --git a/generated/1.23/client/supervisor/virtual/clientset/versioned/fake/register.go b/generated/1.23/client/supervisor/virtual/clientset/versioned/fake/register.go new file mode 100644 index 00000000..4657e60e --- /dev/null +++ b/generated/1.23/client/supervisor/virtual/clientset/versioned/fake/register.go 
@@ -0,0 +1,43 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package fake + +import ( + oauthv1alpha1 "go.pinniped.dev/generated/1.23/apis/supervisor/virtual/oauth/v1alpha1" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + runtime "k8s.io/apimachinery/pkg/runtime" + schema "k8s.io/apimachinery/pkg/runtime/schema" + serializer "k8s.io/apimachinery/pkg/runtime/serializer" + utilruntime "k8s.io/apimachinery/pkg/util/runtime" +) + +var scheme = runtime.NewScheme() +var codecs = serializer.NewCodecFactory(scheme) + +var localSchemeBuilder = runtime.SchemeBuilder{ + oauthv1alpha1.AddToScheme, +} + +// AddToScheme adds all types of this clientset into the given scheme. This allows composition +// of clientsets, like in: +// +// import ( +// "k8s.io/client-go/kubernetes" +// clientsetscheme "k8s.io/client-go/kubernetes/scheme" +// aggregatorclientsetscheme "k8s.io/kube-aggregator/pkg/client/clientset_generated/clientset/scheme" +// ) +// +// kclientset, _ := kubernetes.NewForConfig(c) +// _ = aggregatorclientsetscheme.AddToScheme(clientsetscheme.Scheme) +// +// After this, RawExtensions in Kubernetes types will serialize kube-aggregator types +// correctly. +var AddToScheme = localSchemeBuilder.AddToScheme + +func init() { + v1.AddToGroupVersion(scheme, schema.GroupVersion{Version: "v1"}) + utilruntime.Must(AddToScheme(scheme)) +} diff --git a/generated/1.23/client/supervisor/virtual/clientset/versioned/scheme/doc.go b/generated/1.23/client/supervisor/virtual/clientset/versioned/scheme/doc.go new file mode 100644 index 00000000..cc02f1d3 --- /dev/null +++ b/generated/1.23/client/supervisor/virtual/clientset/versioned/scheme/doc.go 
@@ -0,0 +1,7 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +// This package contains the scheme of the automatically generated clientset. +package scheme diff --git a/generated/1.23/client/supervisor/virtual/clientset/versioned/scheme/register.go b/generated/1.23/client/supervisor/virtual/clientset/versioned/scheme/register.go new file mode 100644 index 00000000..c101730c --- /dev/null +++ b/generated/1.23/client/supervisor/virtual/clientset/versioned/scheme/register.go 
@@ -0,0 +1,43 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package scheme + +import ( + oauthv1alpha1 "go.pinniped.dev/generated/1.23/apis/supervisor/virtual/oauth/v1alpha1" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + runtime "k8s.io/apimachinery/pkg/runtime" + schema "k8s.io/apimachinery/pkg/runtime/schema" + serializer "k8s.io/apimachinery/pkg/runtime/serializer" + utilruntime "k8s.io/apimachinery/pkg/util/runtime" +) + +var Scheme = runtime.NewScheme() +var Codecs = serializer.NewCodecFactory(Scheme) +var ParameterCodec = runtime.NewParameterCodec(Scheme) +var localSchemeBuilder = runtime.SchemeBuilder{ + oauthv1alpha1.AddToScheme, +} + +// AddToScheme adds all types of this clientset into the given scheme. This allows composition +// of clientsets, like in: +// +// import ( +// "k8s.io/client-go/kubernetes" +// clientsetscheme "k8s.io/client-go/kubernetes/scheme" +// aggregatorclientsetscheme "k8s.io/kube-aggregator/pkg/client/clientset_generated/clientset/scheme" +// ) +// +// kclientset, _ := kubernetes.NewForConfig(c) +// _ = aggregatorclientsetscheme.AddToScheme(clientsetscheme.Scheme) +// +// After this, RawExtensions in Kubernetes types will serialize kube-aggregator types +// correctly. +var AddToScheme = localSchemeBuilder.AddToScheme + +func init() { + v1.AddToGroupVersion(Scheme, schema.GroupVersion{Version: "v1"}) + utilruntime.Must(AddToScheme(Scheme)) +} diff --git a/generated/1.23/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/doc.go b/generated/1.23/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/doc.go new file mode 100644 index 00000000..e7a470b6 --- /dev/null +++ b/generated/1.23/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/doc.go 
@@ -0,0 +1,7 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +// This package has the automatically generated typed clients. +package v1alpha1 diff --git a/generated/1.23/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go b/generated/1.23/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go new file mode 100644 index 00000000..7906901b --- /dev/null +++ b/generated/1.23/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go @@ -0,0 +1,7 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +// Package fake has the automatically generated clients. +package fake diff --git a/generated/1.23/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go b/generated/1.23/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go new file mode 100644 index 00000000..ef926450 --- /dev/null +++ b/generated/1.23/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go 
@@ -0,0 +1,27 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package fake + +import ( + v1alpha1 "go.pinniped.dev/generated/1.23/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1" + rest "k8s.io/client-go/rest" + testing "k8s.io/client-go/testing" +) + +type FakeOauthV1alpha1 struct { + *testing.Fake +} + +func (c *FakeOauthV1alpha1) OIDCClientSecretRequests(namespace string) v1alpha1.OIDCClientSecretRequestInterface { + return &FakeOIDCClientSecretRequests{c, namespace} +} + +// RESTClient returns a RESTClient that is used to communicate +// with API server by this client implementation. +func (c *FakeOauthV1alpha1) RESTClient() rest.Interface { + var ret *rest.RESTClient + return ret +} diff --git a/generated/1.23/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oidcclientsecretrequest.go b/generated/1.23/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oidcclientsecretrequest.go new file mode 100644 index 00000000..7fbadd7f --- /dev/null +++ b/generated/1.23/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oidcclientsecretrequest.go 
@@ -0,0 +1,36 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package fake + +import ( + "context" + + v1alpha1 "go.pinniped.dev/generated/1.23/apis/supervisor/virtual/oauth/v1alpha1" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + schema "k8s.io/apimachinery/pkg/runtime/schema" + testing "k8s.io/client-go/testing" +) + +// FakeOIDCClientSecretRequests implements OIDCClientSecretRequestInterface +type FakeOIDCClientSecretRequests struct { + Fake *FakeOauthV1alpha1 + ns string +} + +var oidcclientsecretrequestsResource = schema.GroupVersionResource{Group: "oauth.virtual.supervisor.pinniped.dev", Version: "v1alpha1", Resource: "oidcclientsecretrequests"} + +var oidcclientsecretrequestsKind = schema.GroupVersionKind{Group: "oauth.virtual.supervisor.pinniped.dev", Version: "v1alpha1", Kind: "OIDCClientSecretRequest"} + +// Create takes the representation of a oIDCClientSecretRequest and creates it. Returns the server's representation of the oIDCClientSecretRequest, and an error, if there is any. +func (c *FakeOIDCClientSecretRequests) Create(ctx context.Context, oIDCClientSecretRequest *v1alpha1.OIDCClientSecretRequest, opts v1.CreateOptions) (result *v1alpha1.OIDCClientSecretRequest, err error) { + obj, err := c.Fake. + Invokes(testing.NewCreateAction(oidcclientsecretrequestsResource, c.ns, oIDCClientSecretRequest), &v1alpha1.OIDCClientSecretRequest{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.OIDCClientSecretRequest), err +} diff --git a/generated/1.23/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go b/generated/1.23/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go new file mode 100644 index 00000000..427a2ad8 --- /dev/null +++ b/generated/1.23/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go 
@@ -0,0 +1,8 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package v1alpha1 + +type OIDCClientSecretRequestExpansion interface{} diff --git a/generated/1.23/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go b/generated/1.23/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go new file mode 100644 index 00000000..c55f2a47 --- /dev/null +++ b/generated/1.23/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go 
@@ -0,0 +1,94 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + "net/http" + + v1alpha1 "go.pinniped.dev/generated/1.23/apis/supervisor/virtual/oauth/v1alpha1" + "go.pinniped.dev/generated/1.23/client/supervisor/virtual/clientset/versioned/scheme" + rest "k8s.io/client-go/rest" +) + +type OauthV1alpha1Interface interface { + RESTClient() rest.Interface + OIDCClientSecretRequestsGetter +} + +// OauthV1alpha1Client is used to interact with features provided by the oauth.virtual.supervisor.pinniped.dev group. +type OauthV1alpha1Client struct { + restClient rest.Interface +} + +func (c *OauthV1alpha1Client) OIDCClientSecretRequests(namespace string) OIDCClientSecretRequestInterface { + return newOIDCClientSecretRequests(c, namespace) +} + +// NewForConfig creates a new OauthV1alpha1Client for the given config. +// NewForConfig is equivalent to NewForConfigAndClient(c, httpClient), +// where httpClient was generated with rest.HTTPClientFor(c). +func NewForConfig(c *rest.Config) (*OauthV1alpha1Client, error) { + config := *c + if err := setConfigDefaults(&config); err != nil { + return nil, err + } + httpClient, err := rest.HTTPClientFor(&config) + if err != nil { + return nil, err + } + return NewForConfigAndClient(&config, httpClient) +} + +// NewForConfigAndClient creates a new OauthV1alpha1Client for the given config and http client. +// Note the http client provided takes precedence over the configured transport values. 
+func NewForConfigAndClient(c *rest.Config, h *http.Client) (*OauthV1alpha1Client, error) { + config := *c + if err := setConfigDefaults(&config); err != nil { + return nil, err + } + client, err := rest.RESTClientForConfigAndClient(&config, h) + if err != nil { + return nil, err + } + return &OauthV1alpha1Client{client}, nil +} + +// NewForConfigOrDie creates a new OauthV1alpha1Client for the given config and +// panics if there is an error in the config. +func NewForConfigOrDie(c *rest.Config) *OauthV1alpha1Client { + client, err := NewForConfig(c) + if err != nil { + panic(err) + } + return client +} + +// New creates a new OauthV1alpha1Client for the given RESTClient. +func New(c rest.Interface) *OauthV1alpha1Client { + return &OauthV1alpha1Client{c} +} + +func setConfigDefaults(config *rest.Config) error { + gv := v1alpha1.SchemeGroupVersion + config.GroupVersion = &gv + config.APIPath = "/apis" + config.NegotiatedSerializer = scheme.Codecs.WithoutConversion() + + if config.UserAgent == "" { + config.UserAgent = rest.DefaultKubernetesUserAgent() + } + + return nil +} + +// RESTClient returns a RESTClient that is used to communicate +// with API server by this client implementation. +func (c *OauthV1alpha1Client) RESTClient() rest.Interface { + if c == nil { + return nil + } + return c.restClient +} diff --git a/generated/1.23/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/oidcclientsecretrequest.go b/generated/1.23/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/oidcclientsecretrequest.go new file mode 100644 index 00000000..073ea69b --- /dev/null +++ b/generated/1.23/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/oidcclientsecretrequest.go 
@@ -0,0 +1,54 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + "context" + + v1alpha1 "go.pinniped.dev/generated/1.23/apis/supervisor/virtual/oauth/v1alpha1" + scheme "go.pinniped.dev/generated/1.23/client/supervisor/virtual/clientset/versioned/scheme" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + rest "k8s.io/client-go/rest" +) + +// OIDCClientSecretRequestsGetter has a method to return a OIDCClientSecretRequestInterface. +// A group's client should implement this interface. +type OIDCClientSecretRequestsGetter interface { + OIDCClientSecretRequests(namespace string) OIDCClientSecretRequestInterface +} + +// OIDCClientSecretRequestInterface has methods to work with OIDCClientSecretRequest resources. +type OIDCClientSecretRequestInterface interface { + Create(ctx context.Context, oIDCClientSecretRequest *v1alpha1.OIDCClientSecretRequest, opts v1.CreateOptions) (*v1alpha1.OIDCClientSecretRequest, error) + OIDCClientSecretRequestExpansion +} + +// oIDCClientSecretRequests implements OIDCClientSecretRequestInterface +type oIDCClientSecretRequests struct { + client rest.Interface + ns string +} + +// newOIDCClientSecretRequests returns a OIDCClientSecretRequests +func newOIDCClientSecretRequests(c *OauthV1alpha1Client, namespace string) *oIDCClientSecretRequests { + return &oIDCClientSecretRequests{ + client: c.RESTClient(), + ns: namespace, + } +} + +// Create takes the representation of a oIDCClientSecretRequest and creates it. Returns the server's representation of the oIDCClientSecretRequest, and an error, if there is any. +func (c *oIDCClientSecretRequests) Create(ctx context.Context, oIDCClientSecretRequest *v1alpha1.OIDCClientSecretRequest, opts v1.CreateOptions) (result *v1alpha1.OIDCClientSecretRequest, err error) { + result = &v1alpha1.OIDCClientSecretRequest{} + err = c.client.Post(). + Namespace(c.ns). 
+ Resource("oidcclientsecretrequests").
+ VersionedParams(&opts, scheme.ParameterCodec).
+ Body(oIDCClientSecretRequest).
+ Do(ctx).
+ Into(result)
+ return
+}
diff --git a/generated/latest/apis/supervisor/virtual/oauth/doc.go b/generated/latest/apis/supervisor/virtual/oauth/doc.go
new file mode 100644
index 00000000..ca4e9a63
--- /dev/null
+++ b/generated/latest/apis/supervisor/virtual/oauth/doc.go
@@ -0,0 +1,8 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// +k8s:deepcopy-gen=package
+// +groupName=oauth.virtual.supervisor.pinniped.dev
+
+// Package oauth is the internal version of the Pinniped virtual oauth API.
+package oauth
diff --git a/generated/latest/apis/supervisor/virtual/oauth/register.go b/generated/latest/apis/supervisor/virtual/oauth/register.go
new file mode 100644
index 00000000..a238d85f
--- /dev/null
+++ b/generated/latest/apis/supervisor/virtual/oauth/register.go
@@ -0,0 +1,37 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package oauth
+
+import (
+ "k8s.io/apimachinery/pkg/runtime"
+ "k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+const GroupName = "oauth.virtual.supervisor.pinniped.dev"
+
+// SchemeGroupVersion is group version used to register these objects.
+var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: runtime.APIVersionInternal}
+
+// Kind takes an unqualified kind and returns back a Group qualified GroupKind.
+func Kind(kind string) schema.GroupKind {
+ return SchemeGroupVersion.WithKind(kind).GroupKind()
+}
+
+// Resource takes an unqualified resource and returns back a Group qualified GroupResource.
+func Resource(resource string) schema.GroupResource {
+ return SchemeGroupVersion.WithResource(resource).GroupResource()
+}
+
+var (
+ SchemeBuilder = runtime.NewSchemeBuilder(addKnownTypes)
+ AddToScheme = SchemeBuilder.AddToScheme
+)
+
+// Adds the list of known types to the given scheme.
+func addKnownTypes(scheme *runtime.Scheme) error {
+ scheme.AddKnownTypes(SchemeGroupVersion,
+ &OIDCClientSecretRequest{},
+ )
+ return nil
+}
diff --git a/generated/latest/apis/supervisor/virtual/oauth/types_oidcclientsecretrequest.go b/generated/latest/apis/supervisor/virtual/oauth/types_oidcclientsecretrequest.go
new file mode 100644
index 00000000..ac54a93c
--- /dev/null
+++ b/generated/latest/apis/supervisor/virtual/oauth/types_oidcclientsecretrequest.go
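Review bot: The comment on `addKnownTypes` does not begin with the function name, and the exported `GroupName`, `SchemeBuilder` and `AddToScheme` carry no doc comments at all, so godoc and lint give readers nothing for this package's public surface. Suggested: `// addKnownTypes adds the list of known types to the given scheme.` and `// GroupName is the API group served by this package.` The same applies to the v1alpha1 register.go hunk in this commit, which repeats the `// Adds the list of known types ...` wording.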
@@ -0,0 +1,25 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package oauth
+
+import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+type OIDCClientSecretRequestSpec struct {
+ GenerateNewSecret bool `json:"generateNewSecret"`
+ RevokeOldSecrets bool `json:"revokeOldSecrets"`
+}
+
+type OIDCClientSecretRequestStatus struct {
+ GeneratedSecret string `json:"generatedSecret,omitempty"`
+ TotalClientSecrets int `json:"totalClientSecrets"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+type OIDCClientSecretRequest struct {
+ metav1.TypeMeta `json:",inline"`
+ metav1.ObjectMeta `json:"metadata,omitempty"` // metadata.name must be set to the client ID
+
+ Spec OIDCClientSecretRequestSpec `json:"spec"`
+ Status OIDCClientSecretRequestStatus `json:"status"`
+}
diff --git a/generated/latest/apis/supervisor/virtual/oauth/v1alpha1/conversion.go b/generated/latest/apis/supervisor/virtual/oauth/v1alpha1/conversion.go
new file mode 100644
index 00000000..fcf4e82f
--- /dev/null
+++ b/generated/latest/apis/supervisor/virtual/oauth/v1alpha1/conversion.go
@@ -0,0 +1,4 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
diff --git a/generated/latest/apis/supervisor/virtual/oauth/v1alpha1/defaults.go b/generated/latest/apis/supervisor/virtual/oauth/v1alpha1/defaults.go
new file mode 100644
index 00000000..d4f5a9e8
--- /dev/null
+++ b/generated/latest/apis/supervisor/virtual/oauth/v1alpha1/defaults.go
@@ -0,0 +1,12 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import (
+ "k8s.io/apimachinery/pkg/runtime"
+)
+
+func addDefaultingFuncs(scheme *runtime.Scheme) error {
+ return RegisterDefaults(scheme)
+}
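Review bot: None of the fields on `OIDCClientSecretRequestSpec` and `OIDCClientSecretRequestStatus` has a doc comment, and `GeneratedSecret` in particular needs one because it hands a plaintext client secret back to the caller; consumers should be told it is sensitive and, judging by its `omitempty` tag, presumably only present when a secret was actually generated. Suggested: `// GeneratedSecret is the newly generated client secret in plaintext. It is sensitive and must not be logged or stored by callers.`, with the exact population rule confirmed against the server. `TotalClientSecrets int` also departs from the Kubernetes API convention of using fixed-width `int32`/`int64` in API types. The same applies to the v1alpha1 types_oidcclientsecretrequest.go hunk in this commit, whose fields and tags are identical, and changing the int width there would require regenerating the conversion functions.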
diff --git a/generated/latest/apis/supervisor/virtual/oauth/v1alpha1/doc.go b/generated/latest/apis/supervisor/virtual/oauth/v1alpha1/doc.go
new file mode 100644
index 00000000..8aaf4d21
--- /dev/null
+++ b/generated/latest/apis/supervisor/virtual/oauth/v1alpha1/doc.go
@@ -0,0 +1,11 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// +k8s:openapi-gen=true
+// +k8s:deepcopy-gen=package
+// +k8s:conversion-gen=go.pinniped.dev/generated/latest/apis/supervisor/virtual/oauth
+// +k8s:defaulter-gen=TypeMeta
+// +groupName=oauth.virtual.supervisor.pinniped.dev
+
+// Package v1alpha1 is the v1alpha1 version of the Pinniped virtual oauth API.
+package v1alpha1
diff --git a/generated/latest/apis/supervisor/virtual/oauth/v1alpha1/register.go b/generated/latest/apis/supervisor/virtual/oauth/v1alpha1/register.go
new file mode 100644
index 00000000..ecc75a08
--- /dev/null
+++ b/generated/latest/apis/supervisor/virtual/oauth/v1alpha1/register.go
@@ -0,0 +1,42 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import (
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/apimachinery/pkg/runtime"
+ "k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+const GroupName = "oauth.virtual.supervisor.pinniped.dev"
+
+// SchemeGroupVersion is group version used to register these objects.
+var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha1"}
+
+var (
+ SchemeBuilder runtime.SchemeBuilder
+ localSchemeBuilder = &SchemeBuilder
+ AddToScheme = SchemeBuilder.AddToScheme
+)
+
+func init() {
+ // We only register manually written functions here. The registration of the
+ // generated functions takes place in the generated files. The separation
+ // makes the code compile even when the generated files are missing.
+ localSchemeBuilder.Register(addKnownTypes, addDefaultingFuncs)
+}
+
+// Adds the list of known types to the given scheme.
+func addKnownTypes(scheme *runtime.Scheme) error {
+ scheme.AddKnownTypes(SchemeGroupVersion,
+ &OIDCClientSecretRequest{},
+ )
+ metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
+ return nil
+}
+
+// Resource takes an unqualified resource and returns back a Group qualified GroupResource.
+func Resource(resource string) schema.GroupResource {
+ return SchemeGroupVersion.WithResource(resource).GroupResource()
+}
diff --git a/generated/latest/apis/supervisor/virtual/oauth/v1alpha1/types_oidcclientsecretrequest.go b/generated/latest/apis/supervisor/virtual/oauth/v1alpha1/types_oidcclientsecretrequest.go
new file mode 100644
index 00000000..dda2f3bb
--- /dev/null
+++ b/generated/latest/apis/supervisor/virtual/oauth/v1alpha1/types_oidcclientsecretrequest.go
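Review bot: `Kind` is absent from this versioned register.go while the internal `oauth` register.go in the same commit defines both `Kind` and `Resource`, so callers holding the versioned `SchemeGroupVersion` have no helper for a group-qualified `GroupKind`; the three-line wrapper `func Kind(kind string) schema.GroupKind { return SchemeGroupVersion.WithKind(kind).GroupKind() }` would keep the two packages symmetric. Whether anything currently needs it is not visible here, so this is a consistency point rather than a defect. The `// Adds the list of known types ...` comment should also begin with the function name, `// addKnownTypes adds the list of known types to the given scheme.`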
@@ -0,0 +1,28 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+type OIDCClientSecretRequestSpec struct {
+ GenerateNewSecret bool `json:"generateNewSecret"`
+ RevokeOldSecrets bool `json:"revokeOldSecrets"`
+}
+
+type OIDCClientSecretRequestStatus struct {
+ GeneratedSecret string `json:"generatedSecret,omitempty"`
+ TotalClientSecrets int `json:"totalClientSecrets"`
+}
+
+// +genclient
+// +genclient:onlyVerbs=create
+// +kubebuilder:subresource:status
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+type OIDCClientSecretRequest struct {
+ metav1.TypeMeta `json:",inline"`
+ metav1.ObjectMeta `json:"metadata,omitempty"` // metadata.name must be set to the client ID
+
+ Spec OIDCClientSecretRequestSpec `json:"spec"`
+ Status OIDCClientSecretRequestStatus `json:"status"`
+}
diff --git a/generated/latest/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.conversion.go b/generated/latest/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.conversion.go
new file mode 100644
index 00000000..aebfa30d
--- /dev/null
+++ b/generated/latest/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.conversion.go
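Review bot: The `+kubebuilder:subresource:status` marker on `OIDCClientSecretRequest` sits next to `+genclient:onlyVerbs=create`, which the generated client in this commit honours by exposing only `Create`, so no status subresource is reachable through that client in any case. This package's doc.go carries k8s.io codegen markers (openapi-gen, conversion-gen, defaulter-gen) rather than CRD markers, which suggests the type is served by an aggregated API server and the kubebuilder marker is a leftover from the CRD template; worth confirming and dropping it if so. A doc comment on the type making the create-only nature explicit, e.g. `// OIDCClientSecretRequest is a create-only request resource (see onlyVerbs=create).`, would also help readers who only see the API package.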
@@ -0,0 +1,131 @@ +//go:build !ignore_autogenerated +// +build !ignore_autogenerated + +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by conversion-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + oauth "go.pinniped.dev/generated/latest/apis/supervisor/virtual/oauth" + conversion "k8s.io/apimachinery/pkg/conversion" + runtime "k8s.io/apimachinery/pkg/runtime" +) + +func init() { + localSchemeBuilder.Register(RegisterConversions) +} + +// RegisterConversions adds conversion functions to the given scheme. +// Public to allow building arbitrary schemes. +func RegisterConversions(s *runtime.Scheme) error { + if err := s.AddGeneratedConversionFunc((*OIDCClientSecretRequest)(nil), (*oauth.OIDCClientSecretRequest)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_v1alpha1_OIDCClientSecretRequest_To_oauth_OIDCClientSecretRequest(a.(*OIDCClientSecretRequest), b.(*oauth.OIDCClientSecretRequest), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*oauth.OIDCClientSecretRequest)(nil), (*OIDCClientSecretRequest)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_oauth_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest(a.(*oauth.OIDCClientSecretRequest), b.(*OIDCClientSecretRequest), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*OIDCClientSecretRequestSpec)(nil), (*oauth.OIDCClientSecretRequestSpec)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_v1alpha1_OIDCClientSecretRequestSpec_To_oauth_OIDCClientSecretRequestSpec(a.(*OIDCClientSecretRequestSpec), b.(*oauth.OIDCClientSecretRequestSpec), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*oauth.OIDCClientSecretRequestSpec)(nil), (*OIDCClientSecretRequestSpec)(nil), func(a, b interface{}, scope conversion.Scope) error { + return 
Convert_oauth_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec(a.(*oauth.OIDCClientSecretRequestSpec), b.(*OIDCClientSecretRequestSpec), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*OIDCClientSecretRequestStatus)(nil), (*oauth.OIDCClientSecretRequestStatus)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_v1alpha1_OIDCClientSecretRequestStatus_To_oauth_OIDCClientSecretRequestStatus(a.(*OIDCClientSecretRequestStatus), b.(*oauth.OIDCClientSecretRequestStatus), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*oauth.OIDCClientSecretRequestStatus)(nil), (*OIDCClientSecretRequestStatus)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_oauth_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus(a.(*oauth.OIDCClientSecretRequestStatus), b.(*OIDCClientSecretRequestStatus), scope) + }); err != nil { + return err + } + return nil +} + +func autoConvert_v1alpha1_OIDCClientSecretRequest_To_oauth_OIDCClientSecretRequest(in *OIDCClientSecretRequest, out *oauth.OIDCClientSecretRequest, s conversion.Scope) error { + out.ObjectMeta = in.ObjectMeta + if err := Convert_v1alpha1_OIDCClientSecretRequestSpec_To_oauth_OIDCClientSecretRequestSpec(&in.Spec, &out.Spec, s); err != nil { + return err + } + if err := Convert_v1alpha1_OIDCClientSecretRequestStatus_To_oauth_OIDCClientSecretRequestStatus(&in.Status, &out.Status, s); err != nil { + return err + } + return nil +} + +// Convert_v1alpha1_OIDCClientSecretRequest_To_oauth_OIDCClientSecretRequest is an autogenerated conversion function. 
+func Convert_v1alpha1_OIDCClientSecretRequest_To_oauth_OIDCClientSecretRequest(in *OIDCClientSecretRequest, out *oauth.OIDCClientSecretRequest, s conversion.Scope) error { + return autoConvert_v1alpha1_OIDCClientSecretRequest_To_oauth_OIDCClientSecretRequest(in, out, s) +} + +func autoConvert_oauth_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest(in *oauth.OIDCClientSecretRequest, out *OIDCClientSecretRequest, s conversion.Scope) error { + out.ObjectMeta = in.ObjectMeta + if err := Convert_oauth_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec(&in.Spec, &out.Spec, s); err != nil { + return err + } + if err := Convert_oauth_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus(&in.Status, &out.Status, s); err != nil { + return err + } + return nil +} + +// Convert_oauth_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest is an autogenerated conversion function. +func Convert_oauth_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest(in *oauth.OIDCClientSecretRequest, out *OIDCClientSecretRequest, s conversion.Scope) error { + return autoConvert_oauth_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest(in, out, s) +} + +func autoConvert_v1alpha1_OIDCClientSecretRequestSpec_To_oauth_OIDCClientSecretRequestSpec(in *OIDCClientSecretRequestSpec, out *oauth.OIDCClientSecretRequestSpec, s conversion.Scope) error { + out.GenerateNewSecret = in.GenerateNewSecret + out.RevokeOldSecrets = in.RevokeOldSecrets + return nil +} + +// Convert_v1alpha1_OIDCClientSecretRequestSpec_To_oauth_OIDCClientSecretRequestSpec is an autogenerated conversion function. 
+func Convert_v1alpha1_OIDCClientSecretRequestSpec_To_oauth_OIDCClientSecretRequestSpec(in *OIDCClientSecretRequestSpec, out *oauth.OIDCClientSecretRequestSpec, s conversion.Scope) error { + return autoConvert_v1alpha1_OIDCClientSecretRequestSpec_To_oauth_OIDCClientSecretRequestSpec(in, out, s) +} + +func autoConvert_oauth_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec(in *oauth.OIDCClientSecretRequestSpec, out *OIDCClientSecretRequestSpec, s conversion.Scope) error { + out.GenerateNewSecret = in.GenerateNewSecret + out.RevokeOldSecrets = in.RevokeOldSecrets + return nil +} + +// Convert_oauth_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec is an autogenerated conversion function. +func Convert_oauth_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec(in *oauth.OIDCClientSecretRequestSpec, out *OIDCClientSecretRequestSpec, s conversion.Scope) error { + return autoConvert_oauth_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec(in, out, s) +} + +func autoConvert_v1alpha1_OIDCClientSecretRequestStatus_To_oauth_OIDCClientSecretRequestStatus(in *OIDCClientSecretRequestStatus, out *oauth.OIDCClientSecretRequestStatus, s conversion.Scope) error { + out.GeneratedSecret = in.GeneratedSecret + out.TotalClientSecrets = in.TotalClientSecrets + return nil +} + +// Convert_v1alpha1_OIDCClientSecretRequestStatus_To_oauth_OIDCClientSecretRequestStatus is an autogenerated conversion function. 
+func Convert_v1alpha1_OIDCClientSecretRequestStatus_To_oauth_OIDCClientSecretRequestStatus(in *OIDCClientSecretRequestStatus, out *oauth.OIDCClientSecretRequestStatus, s conversion.Scope) error { + return autoConvert_v1alpha1_OIDCClientSecretRequestStatus_To_oauth_OIDCClientSecretRequestStatus(in, out, s) +} + +func autoConvert_oauth_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus(in *oauth.OIDCClientSecretRequestStatus, out *OIDCClientSecretRequestStatus, s conversion.Scope) error { + out.GeneratedSecret = in.GeneratedSecret + out.TotalClientSecrets = in.TotalClientSecrets + return nil +} + +// Convert_oauth_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus is an autogenerated conversion function. +func Convert_oauth_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus(in *oauth.OIDCClientSecretRequestStatus, out *OIDCClientSecretRequestStatus, s conversion.Scope) error { + return autoConvert_oauth_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus(in, out, s) +} diff --git a/generated/latest/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.deepcopy.go b/generated/latest/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.deepcopy.go new file mode 100644 index 00000000..e4fce842 --- /dev/null +++ b/generated/latest/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.deepcopy.go 
@@ -0,0 +1,73 @@ +//go:build !ignore_autogenerated +// +build !ignore_autogenerated + +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by deepcopy-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + runtime "k8s.io/apimachinery/pkg/runtime" +) + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCClientSecretRequest) DeepCopyInto(out *OIDCClientSecretRequest) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + out.Spec = in.Spec + out.Status = in.Status + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSecretRequest. +func (in *OIDCClientSecretRequest) DeepCopy() *OIDCClientSecretRequest { + if in == nil { + return nil + } + out := new(OIDCClientSecretRequest) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *OIDCClientSecretRequest) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCClientSecretRequestSpec) DeepCopyInto(out *OIDCClientSecretRequestSpec) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSecretRequestSpec. +func (in *OIDCClientSecretRequestSpec) DeepCopy() *OIDCClientSecretRequestSpec { + if in == nil { + return nil + } + out := new(OIDCClientSecretRequestSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *OIDCClientSecretRequestStatus) DeepCopyInto(out *OIDCClientSecretRequestStatus) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSecretRequestStatus. +func (in *OIDCClientSecretRequestStatus) DeepCopy() *OIDCClientSecretRequestStatus { + if in == nil { + return nil + } + out := new(OIDCClientSecretRequestStatus) + in.DeepCopyInto(out) + return out +} diff --git a/generated/latest/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.defaults.go b/generated/latest/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.defaults.go new file mode 100644 index 00000000..9097a935 --- /dev/null +++ b/generated/latest/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.defaults.go @@ -0,0 +1,20 @@ +//go:build !ignore_autogenerated +// +build !ignore_autogenerated + +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by defaulter-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + runtime "k8s.io/apimachinery/pkg/runtime" +) + +// RegisterDefaults adds defaulters functions to the given scheme. +// Public to allow building arbitrary schemes. +// All generated defaulters are covering - they call all nested defaulters. +func RegisterDefaults(scheme *runtime.Scheme) error { + return nil +} diff --git a/generated/latest/apis/supervisor/virtual/oauth/zz_generated.deepcopy.go b/generated/latest/apis/supervisor/virtual/oauth/zz_generated.deepcopy.go new file mode 100644 index 00000000..24b58e7b --- /dev/null +++ b/generated/latest/apis/supervisor/virtual/oauth/zz_generated.deepcopy.go 
@@ -0,0 +1,73 @@ +//go:build !ignore_autogenerated +// +build !ignore_autogenerated + +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by deepcopy-gen. DO NOT EDIT. + +package oauth + +import ( + runtime "k8s.io/apimachinery/pkg/runtime" +) + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCClientSecretRequest) DeepCopyInto(out *OIDCClientSecretRequest) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + out.Spec = in.Spec + out.Status = in.Status + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSecretRequest. +func (in *OIDCClientSecretRequest) DeepCopy() *OIDCClientSecretRequest { + if in == nil { + return nil + } + out := new(OIDCClientSecretRequest) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *OIDCClientSecretRequest) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCClientSecretRequestSpec) DeepCopyInto(out *OIDCClientSecretRequestSpec) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSecretRequestSpec. +func (in *OIDCClientSecretRequestSpec) DeepCopy() *OIDCClientSecretRequestSpec { + if in == nil { + return nil + } + out := new(OIDCClientSecretRequestSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *OIDCClientSecretRequestStatus) DeepCopyInto(out *OIDCClientSecretRequestStatus) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSecretRequestStatus. +func (in *OIDCClientSecretRequestStatus) DeepCopy() *OIDCClientSecretRequestStatus { + if in == nil { + return nil + } + out := new(OIDCClientSecretRequestStatus) + in.DeepCopyInto(out) + return out +} diff --git a/generated/latest/client/supervisor/virtual/clientset/versioned/clientset.go b/generated/latest/client/supervisor/virtual/clientset/versioned/clientset.go new file mode 100644 index 00000000..09131c84 --- /dev/null +++ b/generated/latest/client/supervisor/virtual/clientset/versioned/clientset.go 
@@ -0,0 +1,104 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package versioned + +import ( + "fmt" + "net/http" + + oauthv1alpha1 "go.pinniped.dev/generated/latest/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1" + discovery "k8s.io/client-go/discovery" + rest "k8s.io/client-go/rest" + flowcontrol "k8s.io/client-go/util/flowcontrol" +) + +type Interface interface { + Discovery() discovery.DiscoveryInterface + OauthV1alpha1() oauthv1alpha1.OauthV1alpha1Interface +} + +// Clientset contains the clients for groups. Each group has exactly one +// version included in a Clientset. +type Clientset struct { + *discovery.DiscoveryClient + oauthV1alpha1 *oauthv1alpha1.OauthV1alpha1Client +} + +// OauthV1alpha1 retrieves the OauthV1alpha1Client +func (c *Clientset) OauthV1alpha1() oauthv1alpha1.OauthV1alpha1Interface { + return c.oauthV1alpha1 +} + +// Discovery retrieves the DiscoveryClient +func (c *Clientset) Discovery() discovery.DiscoveryInterface { + if c == nil { + return nil + } + return c.DiscoveryClient +} + +// NewForConfig creates a new Clientset for the given config. +// If config's RateLimiter is not set and QPS and Burst are acceptable, +// NewForConfig will generate a rate-limiter in configShallowCopy. +// NewForConfig is equivalent to NewForConfigAndClient(c, httpClient), +// where httpClient was generated with rest.HTTPClientFor(c). +func NewForConfig(c *rest.Config) (*Clientset, error) { + configShallowCopy := *c + + // share the transport between all clients + httpClient, err := rest.HTTPClientFor(&configShallowCopy) + if err != nil { + return nil, err + } + + return NewForConfigAndClient(&configShallowCopy, httpClient) +} + +// NewForConfigAndClient creates a new Clientset for the given config and http client. +// Note the http client provided takes precedence over the configured transport values. 
+// If config's RateLimiter is not set and QPS and Burst are acceptable, +// NewForConfigAndClient will generate a rate-limiter in configShallowCopy. +func NewForConfigAndClient(c *rest.Config, httpClient *http.Client) (*Clientset, error) { + configShallowCopy := *c + if configShallowCopy.RateLimiter == nil && configShallowCopy.QPS > 0 { + if configShallowCopy.Burst <= 0 { + return nil, fmt.Errorf("burst is required to be greater than 0 when RateLimiter is not set and QPS is set to greater than 0") + } + configShallowCopy.RateLimiter = flowcontrol.NewTokenBucketRateLimiter(configShallowCopy.QPS, configShallowCopy.Burst) + } + + var cs Clientset + var err error + cs.oauthV1alpha1, err = oauthv1alpha1.NewForConfigAndClient(&configShallowCopy, httpClient) + if err != nil { + return nil, err + } + + cs.DiscoveryClient, err = discovery.NewDiscoveryClientForConfigAndClient(&configShallowCopy, httpClient) + if err != nil { + return nil, err + } + return &cs, nil +} + +// NewForConfigOrDie creates a new Clientset for the given config and +// panics if there is an error in the config. +func NewForConfigOrDie(c *rest.Config) *Clientset { + cs, err := NewForConfig(c) + if err != nil { + panic(err) + } + return cs +} + +// New creates a new Clientset for the given RESTClient. +func New(c rest.Interface) *Clientset { + var cs Clientset + cs.oauthV1alpha1 = oauthv1alpha1.New(c) + + cs.DiscoveryClient = discovery.NewDiscoveryClient(c) + return &cs +} diff --git a/generated/latest/client/supervisor/virtual/clientset/versioned/doc.go b/generated/latest/client/supervisor/virtual/clientset/versioned/doc.go new file mode 100644 index 00000000..5dc02e6e --- /dev/null +++ b/generated/latest/client/supervisor/virtual/clientset/versioned/doc.go 
@@ -0,0 +1,7 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +// This package has the automatically generated clientset. +package versioned diff --git a/generated/latest/client/supervisor/virtual/clientset/versioned/fake/clientset_generated.go b/generated/latest/client/supervisor/virtual/clientset/versioned/fake/clientset_generated.go new file mode 100644 index 00000000..a0552547 --- /dev/null +++ b/generated/latest/client/supervisor/virtual/clientset/versioned/fake/clientset_generated.go 
@@ -0,0 +1,72 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package fake + +import ( + clientset "go.pinniped.dev/generated/latest/client/supervisor/virtual/clientset/versioned" + oauthv1alpha1 "go.pinniped.dev/generated/latest/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1" + fakeoauthv1alpha1 "go.pinniped.dev/generated/latest/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake" + "k8s.io/apimachinery/pkg/runtime" + "k8s.io/apimachinery/pkg/watch" + "k8s.io/client-go/discovery" + fakediscovery "k8s.io/client-go/discovery/fake" + "k8s.io/client-go/testing" +) + +// NewSimpleClientset returns a clientset that will respond with the provided objects. +// It's backed by a very simple object tracker that processes creates, updates and deletions as-is, +// without applying any validations and/or defaults. It shouldn't be considered a replacement +// for a real clientset and is mostly useful in simple unit tests. +func NewSimpleClientset(objects ...runtime.Object) *Clientset { + o := testing.NewObjectTracker(scheme, codecs.UniversalDecoder()) + for _, obj := range objects { + if err := o.Add(obj); err != nil { + panic(err) + } + } + + cs := &Clientset{tracker: o} + cs.discovery = &fakediscovery.FakeDiscovery{Fake: &cs.Fake} + cs.AddReactor("*", "*", testing.ObjectReaction(o)) + cs.AddWatchReactor("*", func(action testing.Action) (handled bool, ret watch.Interface, err error) { + gvr := action.GetResource() + ns := action.GetNamespace() + watch, err := o.Watch(gvr, ns) + if err != nil { + return false, nil, err + } + return true, watch, nil + }) + + return cs +} + +// Clientset implements clientset.Interface. Meant to be embedded into a +// struct to get a default implementation. This makes faking out just the method +// you want to test easier. 
+type Clientset struct { + testing.Fake + discovery *fakediscovery.FakeDiscovery + tracker testing.ObjectTracker +} + +func (c *Clientset) Discovery() discovery.DiscoveryInterface { + return c.discovery +} + +func (c *Clientset) Tracker() testing.ObjectTracker { + return c.tracker +} + +var ( + _ clientset.Interface = &Clientset{} + _ testing.FakeClient = &Clientset{} +) + +// OauthV1alpha1 retrieves the OauthV1alpha1Client +func (c *Clientset) OauthV1alpha1() oauthv1alpha1.OauthV1alpha1Interface { + return &fakeoauthv1alpha1.FakeOauthV1alpha1{Fake: &c.Fake} +} diff --git a/generated/latest/client/supervisor/virtual/clientset/versioned/fake/doc.go b/generated/latest/client/supervisor/virtual/clientset/versioned/fake/doc.go new file mode 100644 index 00000000..7c9538fd --- /dev/null +++ b/generated/latest/client/supervisor/virtual/clientset/versioned/fake/doc.go @@ -0,0 +1,7 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +// This package has the automatically generated fake clientset. +package fake diff --git a/generated/latest/client/supervisor/virtual/clientset/versioned/fake/register.go b/generated/latest/client/supervisor/virtual/clientset/versioned/fake/register.go new file mode 100644 index 00000000..895e8126 --- /dev/null +++ b/generated/latest/client/supervisor/virtual/clientset/versioned/fake/register.go 
@@ -0,0 +1,43 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package fake + +import ( + oauthv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/virtual/oauth/v1alpha1" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + runtime "k8s.io/apimachinery/pkg/runtime" + schema "k8s.io/apimachinery/pkg/runtime/schema" + serializer "k8s.io/apimachinery/pkg/runtime/serializer" + utilruntime "k8s.io/apimachinery/pkg/util/runtime" +) + +var scheme = runtime.NewScheme() +var codecs = serializer.NewCodecFactory(scheme) + +var localSchemeBuilder = runtime.SchemeBuilder{ + oauthv1alpha1.AddToScheme, +} + +// AddToScheme adds all types of this clientset into the given scheme. This allows composition +// of clientsets, like in: +// +// import ( +// "k8s.io/client-go/kubernetes" +// clientsetscheme "k8s.io/client-go/kubernetes/scheme" +// aggregatorclientsetscheme "k8s.io/kube-aggregator/pkg/client/clientset_generated/clientset/scheme" +// ) +// +// kclientset, _ := kubernetes.NewForConfig(c) +// _ = aggregatorclientsetscheme.AddToScheme(clientsetscheme.Scheme) +// +// After this, RawExtensions in Kubernetes types will serialize kube-aggregator types +// correctly. +var AddToScheme = localSchemeBuilder.AddToScheme + +func init() { + v1.AddToGroupVersion(scheme, schema.GroupVersion{Version: "v1"}) + utilruntime.Must(AddToScheme(scheme)) +} diff --git a/generated/latest/client/supervisor/virtual/clientset/versioned/scheme/doc.go b/generated/latest/client/supervisor/virtual/clientset/versioned/scheme/doc.go new file mode 100644 index 00000000..cc02f1d3 --- /dev/null +++ b/generated/latest/client/supervisor/virtual/clientset/versioned/scheme/doc.go 
@@ -0,0 +1,7 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +// This package contains the scheme of the automatically generated clientset. +package scheme diff --git a/generated/latest/client/supervisor/virtual/clientset/versioned/scheme/register.go b/generated/latest/client/supervisor/virtual/clientset/versioned/scheme/register.go new file mode 100644 index 00000000..a842d03d --- /dev/null +++ b/generated/latest/client/supervisor/virtual/clientset/versioned/scheme/register.go 
@@ -0,0 +1,43 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package scheme + +import ( + oauthv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/virtual/oauth/v1alpha1" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + runtime "k8s.io/apimachinery/pkg/runtime" + schema "k8s.io/apimachinery/pkg/runtime/schema" + serializer "k8s.io/apimachinery/pkg/runtime/serializer" + utilruntime "k8s.io/apimachinery/pkg/util/runtime" +) + +var Scheme = runtime.NewScheme() +var Codecs = serializer.NewCodecFactory(Scheme) +var ParameterCodec = runtime.NewParameterCodec(Scheme) +var localSchemeBuilder = runtime.SchemeBuilder{ + oauthv1alpha1.AddToScheme, +} + +// AddToScheme adds all types of this clientset into the given scheme. This allows composition +// of clientsets, like in: +// +// import ( +// "k8s.io/client-go/kubernetes" +// clientsetscheme "k8s.io/client-go/kubernetes/scheme" +// aggregatorclientsetscheme "k8s.io/kube-aggregator/pkg/client/clientset_generated/clientset/scheme" +// ) +// +// kclientset, _ := kubernetes.NewForConfig(c) +// _ = aggregatorclientsetscheme.AddToScheme(clientsetscheme.Scheme) +// +// After this, RawExtensions in Kubernetes types will serialize kube-aggregator types +// correctly. +var AddToScheme = localSchemeBuilder.AddToScheme + +func init() { + v1.AddToGroupVersion(Scheme, schema.GroupVersion{Version: "v1"}) + utilruntime.Must(AddToScheme(Scheme)) +} diff --git a/generated/latest/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/doc.go b/generated/latest/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/doc.go new file mode 100644 index 00000000..e7a470b6 --- /dev/null +++ b/generated/latest/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/doc.go 
@@ -0,0 +1,7 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +// This package has the automatically generated typed clients. +package v1alpha1 diff --git a/generated/latest/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go b/generated/latest/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go new file mode 100644 index 00000000..7906901b --- /dev/null +++ b/generated/latest/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go @@ -0,0 +1,7 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +// Package fake has the automatically generated clients. +package fake diff --git a/generated/latest/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go b/generated/latest/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go new file mode 100644 index 00000000..c73da3da --- /dev/null +++ b/generated/latest/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go 
@@ -0,0 +1,27 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package fake + +import ( + v1alpha1 "go.pinniped.dev/generated/latest/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1" + rest "k8s.io/client-go/rest" + testing "k8s.io/client-go/testing" +) + +type FakeOauthV1alpha1 struct { + *testing.Fake +} + +func (c *FakeOauthV1alpha1) OIDCClientSecretRequests(namespace string) v1alpha1.OIDCClientSecretRequestInterface { + return &FakeOIDCClientSecretRequests{c, namespace} +} + +// RESTClient returns a RESTClient that is used to communicate +// with API server by this client implementation. +func (c *FakeOauthV1alpha1) RESTClient() rest.Interface { + var ret *rest.RESTClient + return ret +} diff --git a/generated/latest/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oidcclientsecretrequest.go b/generated/latest/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oidcclientsecretrequest.go new file mode 100644 index 00000000..8220bcc7 --- /dev/null +++ b/generated/latest/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oidcclientsecretrequest.go 
@@ -0,0 +1,36 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package fake + +import ( + "context" + + v1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/virtual/oauth/v1alpha1" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + schema "k8s.io/apimachinery/pkg/runtime/schema" + testing "k8s.io/client-go/testing" +) + +// FakeOIDCClientSecretRequests implements OIDCClientSecretRequestInterface +type FakeOIDCClientSecretRequests struct { + Fake *FakeOauthV1alpha1 + ns string +} + +var oidcclientsecretrequestsResource = schema.GroupVersionResource{Group: "oauth.virtual.supervisor.pinniped.dev", Version: "v1alpha1", Resource: "oidcclientsecretrequests"} + +var oidcclientsecretrequestsKind = schema.GroupVersionKind{Group: "oauth.virtual.supervisor.pinniped.dev", Version: "v1alpha1", Kind: "OIDCClientSecretRequest"} + +// Create takes the representation of a oIDCClientSecretRequest and creates it. Returns the server's representation of the oIDCClientSecretRequest, and an error, if there is any. +func (c *FakeOIDCClientSecretRequests) Create(ctx context.Context, oIDCClientSecretRequest *v1alpha1.OIDCClientSecretRequest, opts v1.CreateOptions) (result *v1alpha1.OIDCClientSecretRequest, err error) { + obj, err := c.Fake. + Invokes(testing.NewCreateAction(oidcclientsecretrequestsResource, c.ns, oIDCClientSecretRequest), &v1alpha1.OIDCClientSecretRequest{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.OIDCClientSecretRequest), err +} diff --git a/generated/latest/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go b/generated/latest/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go new file mode 100644 index 00000000..427a2ad8 --- /dev/null +++ b/generated/latest/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go 
@@ -0,0 +1,8 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package v1alpha1 + +type OIDCClientSecretRequestExpansion interface{} diff --git a/generated/latest/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go b/generated/latest/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go new file mode 100644 index 00000000..f5863aa1 --- /dev/null +++ b/generated/latest/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go 
@@ -0,0 +1,94 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + "net/http" + + v1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/virtual/oauth/v1alpha1" + "go.pinniped.dev/generated/latest/client/supervisor/virtual/clientset/versioned/scheme" + rest "k8s.io/client-go/rest" +) + +type OauthV1alpha1Interface interface { + RESTClient() rest.Interface + OIDCClientSecretRequestsGetter +} + +// OauthV1alpha1Client is used to interact with features provided by the oauth.virtual.supervisor.pinniped.dev group. +type OauthV1alpha1Client struct { + restClient rest.Interface +} + +func (c *OauthV1alpha1Client) OIDCClientSecretRequests(namespace string) OIDCClientSecretRequestInterface { + return newOIDCClientSecretRequests(c, namespace) +} + +// NewForConfig creates a new OauthV1alpha1Client for the given config. +// NewForConfig is equivalent to NewForConfigAndClient(c, httpClient), +// where httpClient was generated with rest.HTTPClientFor(c). +func NewForConfig(c *rest.Config) (*OauthV1alpha1Client, error) { + config := *c + if err := setConfigDefaults(&config); err != nil { + return nil, err + } + httpClient, err := rest.HTTPClientFor(&config) + if err != nil { + return nil, err + } + return NewForConfigAndClient(&config, httpClient) +} + +// NewForConfigAndClient creates a new OauthV1alpha1Client for the given config and http client. +// Note the http client provided takes precedence over the configured transport values. 
+func NewForConfigAndClient(c *rest.Config, h *http.Client) (*OauthV1alpha1Client, error) { + config := *c + if err := setConfigDefaults(&config); err != nil { + return nil, err + } + client, err := rest.RESTClientForConfigAndClient(&config, h) + if err != nil { + return nil, err + } + return &OauthV1alpha1Client{client}, nil +} + +// NewForConfigOrDie creates a new OauthV1alpha1Client for the given config and +// panics if there is an error in the config. +func NewForConfigOrDie(c *rest.Config) *OauthV1alpha1Client { + client, err := NewForConfig(c) + if err != nil { + panic(err) + } + return client +} + +// New creates a new OauthV1alpha1Client for the given RESTClient. +func New(c rest.Interface) *OauthV1alpha1Client { + return &OauthV1alpha1Client{c} +} + +func setConfigDefaults(config *rest.Config) error { + gv := v1alpha1.SchemeGroupVersion + config.GroupVersion = &gv + config.APIPath = "/apis" + config.NegotiatedSerializer = scheme.Codecs.WithoutConversion() + + if config.UserAgent == "" { + config.UserAgent = rest.DefaultKubernetesUserAgent() + } + + return nil +} + +// RESTClient returns a RESTClient that is used to communicate +// with API server by this client implementation. +func (c *OauthV1alpha1Client) RESTClient() rest.Interface { + if c == nil { + return nil + } + return c.restClient +} diff --git a/generated/latest/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/oidcclientsecretrequest.go b/generated/latest/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/oidcclientsecretrequest.go new file mode 100644 index 00000000..259bfbc9 --- /dev/null +++ b/generated/latest/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/oidcclientsecretrequest.go 
@@ -0,0 +1,54 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + "context" + + v1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/virtual/oauth/v1alpha1" + scheme "go.pinniped.dev/generated/latest/client/supervisor/virtual/clientset/versioned/scheme" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + rest "k8s.io/client-go/rest" +) + +// OIDCClientSecretRequestsGetter has a method to return a OIDCClientSecretRequestInterface. +// A group's client should implement this interface. +type OIDCClientSecretRequestsGetter interface { + OIDCClientSecretRequests(namespace string) OIDCClientSecretRequestInterface +} + +// OIDCClientSecretRequestInterface has methods to work with OIDCClientSecretRequest resources. +type OIDCClientSecretRequestInterface interface { + Create(ctx context.Context, oIDCClientSecretRequest *v1alpha1.OIDCClientSecretRequest, opts v1.CreateOptions) (*v1alpha1.OIDCClientSecretRequest, error) + OIDCClientSecretRequestExpansion +} + +// oIDCClientSecretRequests implements OIDCClientSecretRequestInterface +type oIDCClientSecretRequests struct { + client rest.Interface + ns string +} + +// newOIDCClientSecretRequests returns a OIDCClientSecretRequests +func newOIDCClientSecretRequests(c *OauthV1alpha1Client, namespace string) *oIDCClientSecretRequests { + return &oIDCClientSecretRequests{ + client: c.RESTClient(), + ns: namespace, + } +} + +// Create takes the representation of a oIDCClientSecretRequest and creates it. Returns the server's representation of the oIDCClientSecretRequest, and an error, if there is any. +func (c *oIDCClientSecretRequests) Create(ctx context.Context, oIDCClientSecretRequest *v1alpha1.OIDCClientSecretRequest, opts v1.CreateOptions) (result *v1alpha1.OIDCClientSecretRequest, err error) { + result = &v1alpha1.OIDCClientSecretRequest{} + err = c.client.Post(). + Namespace(c.ns). 
+ Resource("oidcclientsecretrequests"). + VersionedParams(&opts, scheme.ParameterCodec). + Body(oIDCClientSecretRequest). + Do(ctx). + Into(result) + return +} diff --git a/hack/lib/update-codegen.sh b/hack/lib/update-codegen.sh index a31a38d7..81f27cf2 100755 --- a/hack/lib/update-codegen.sh +++ b/hack/lib/update-codegen.sh @@ -123,7 +123,7 @@ echo "generating API-related code for our public API groups..." "deepcopy" \ "${BASE_PKG}/generated/${KUBE_MINOR_VERSION}/apis" \ "${BASE_PKG}/generated/${KUBE_MINOR_VERSION}/apis" \ - "supervisor/config:v1alpha1 supervisor/idp:v1alpha1 supervisor/oauth:v1alpha1 concierge/config:v1alpha1 concierge/authentication:v1alpha1 concierge/login:v1alpha1 concierge/identity:v1alpha1" \ + "supervisor/config:v1alpha1 supervisor/idp:v1alpha1 supervisor/oauth:v1alpha1 supervisor/virtual/oauth:v1alpha1 concierge/config:v1alpha1 concierge/authentication:v1alpha1 concierge/login:v1alpha1 concierge/identity:v1alpha1" \ --go-header-file "${ROOT}/hack/boilerplate.go.txt" -v "$debug_level" 2>&1 | sed "s|^|gen-api > |" ) @@ -135,7 +135,7 @@ echo "generating API-related code for our internal API groups..." "${BASE_PKG}/generated/${KUBE_MINOR_VERSION}/client/concierge" \ "${BASE_PKG}/generated/${KUBE_MINOR_VERSION}/apis" \ "${BASE_PKG}/generated/${KUBE_MINOR_VERSION}/apis" \ - "concierge/login:v1alpha1 concierge/identity:v1alpha1" \ + "concierge/login:v1alpha1 concierge/identity:v1alpha1 supervisor/virtual/oauth:v1alpha1" \ --go-header-file "${ROOT}/hack/boilerplate.go.txt" -v "$debug_level" 2>&1 | sed "s|^|gen-int-api > |" ) 
@@ -162,6 +162,15 @@ echo "generating client code for our public API groups..." "supervisor/config:v1alpha1 supervisor/idp:v1alpha1 supervisor/oauth:v1alpha1" \ --go-header-file "${ROOT}/hack/boilerplate.go.txt" -v "$debug_level" 2>&1 | sed "s|^|gen-client > |" ) +(cd client && + bash "${GOPATH}/src/k8s.io/code-generator/generate-groups.sh" \ + "client,lister,informer" \ + "${BASE_PKG}/generated/${KUBE_MINOR_VERSION}/client/supervisor/virtual" \ + "${BASE_PKG}/generated/${KUBE_MINOR_VERSION}/apis" \ + "supervisor/virtual/oauth:v1alpha1" \ + --go-header-file "${ROOT}/hack/boilerplate.go.txt" -v "$debug_level" 2>&1 | sed "s|^|gen-client > |" +) + # Tidy up the .../client module echo "tidying ${OUTPUT_DIR}/client/go.mod..." diff --git a/internal/config/supervisor/types.go b/internal/config/supervisor/types.go index 147845fb..edef3ce7 100644 --- a/internal/config/supervisor/types.go +++ b/internal/config/supervisor/types.go @@ -24,6 +24,7 @@ type Config struct { // NamesConfigSpec configures the names of some Kubernetes resources for the Supervisor. type NamesConfigSpec struct { DefaultTLSCertificateSecret string `json:"defaultTLSCertificateSecret"` + APIService string `json:"apiService"` } type Endpoints struct { diff --git a/internal/groupsuffix/groupdata.go b/internal/groupsuffix/groupdata.go index bac7ee4c..b2c20e1e 100644 --- a/internal/groupsuffix/groupdata.go +++ b/internal/groupsuffix/groupdata.go @@ -1,4 +1,4 @@ -// Copyright 2021 the Pinniped contributors. All Rights Reserved. +// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 package groupsuffix @@ -8,6 +8,7 @@ import ( identityv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/identity/v1alpha1" loginv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/login/v1alpha1" + oauthv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/virtual/oauth/v1alpha1" ) type GroupData schema.GroupVersion 
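Review bot: The new client-gen invocation reuses the `gen-client > ` log prefix of the public-API block directly above it, so output from the two runs cannot be told apart when one of them fails; a distinct prefix such as `sed "s|^|gen-virtual-client > |"` keeps the build log attributable. The earlier hunk at @@ -135 adds the same supervisor/virtual/oauth group to the block labelled "internal API groups" whose output argument points at `client/concierge`; if that argument is only consumed by the deepcopy/defaulter/conversion generators this is harmless, but a one-line comment saying so would spare the next reader the check.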
@@ -32,3 +33,16 @@ func ConciergeAggregatedGroups(apiGroupSuffix string) (login, identity GroupData
 Version: identityv1alpha1.SchemeGroupVersion.Version,
 }
 }
+
+func SupervisorAggregatedGroups(apiGroupSuffix string) (oauth GroupData) {
+ oauthVirtualSupervisorAPIGroup, ok1 := Replace(oauthv1alpha1.GroupName, apiGroupSuffix)
+
+ if !ok1 {
+ panic("static group input is invalid")
+ }
+
+ return GroupData{
+ Group: oauthVirtualSupervisorAPIGroup,
+ Version: oauthv1alpha1.SchemeGroupVersion.Version,
+ }
+}
diff --git a/internal/registry/clientsecretrequest/rest.go b/internal/registry/clientsecretrequest/rest.go
new file mode 100644
index 00000000..cf01c18d
--- /dev/null
+++ b/internal/registry/clientsecretrequest/rest.go
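Review bot: `SupervisorAggregatedGroups` is exported but carries no doc comment, and the `ok1` name is a leftover from the two-result Concierge variant above it, where `ok1`/`ok2` are distinguished; with a single `Replace` call plain `ok` reads better. Suggested comment: `// SupervisorAggregatedGroups returns the GroupData of the Supervisor's aggregated oauth API group after applying apiGroupSuffix; it panics when the static group name cannot be rewritten.` The named result `oauth` is never referenced in the body, so an unnamed `GroupData` result would be simpler and consistent with the explicit return.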
@@ -0,0 +1,83 @@ +// Copyright 2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Package clientsecretrequest provides REST functionality for the CredentialRequest resource. +package clientsecretrequest + +import ( + "context" + "fmt" + + apierrors "k8s.io/apimachinery/pkg/api/errors" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/runtime" + "k8s.io/apiserver/pkg/registry/rest" + "k8s.io/utils/trace" + + oauthapi "go.pinniped.dev/generated/latest/apis/supervisor/virtual/oauth" +) + +func NewREST() *REST { + return &REST{} +} + +type REST struct { +} + +// Assert that our *REST implements all the optional interfaces that we expect it to implement. +var _ interface { + rest.Creater + rest.NamespaceScopedStrategy + rest.Scoper + rest.Storage +} = (*REST)(nil) + +func (*REST) New() runtime.Object { + return &oauthapi.OIDCClientSecretRequest{} +} + +func (*REST) NamespaceScoped() bool { + return true +} + +func (*REST) Categories() []string { + // because we haven't implemented lister, adding it to categories breaks things. 
+ return []string{} +} + +func (r *REST) Create(ctx context.Context, obj runtime.Object, createValidation rest.ValidateObjectFunc, options *metav1.CreateOptions) (runtime.Object, error) { + t := trace.FromContext(ctx).Nest("create", trace.Field{ + Key: "kind", + Value: "OIDCClientSecretRequest", + }) + defer t.Log() + + _, err := validateRequest(obj, t) + if err != nil { + return nil, err + } + + return &oauthapi.OIDCClientSecretRequest{ + Status: oauthapi.OIDCClientSecretRequestStatus{ + GeneratedSecret: "not-a-real-secret", + TotalClientSecrets: 20, + }, + }, nil +} + +func validateRequest(obj runtime.Object, t *trace.Trace) (*oauthapi.OIDCClientSecretRequest, error) { + clientSecretRequest, ok := obj.(*oauthapi.OIDCClientSecretRequest) + if !ok { + traceValidationFailure(t, "not an OIDCClientSecretRequest") + return nil, apierrors.NewBadRequest(fmt.Sprintf("not an OIDCClientSecretRequest: %#v", obj)) + } + + return clientSecretRequest, nil +} + +func traceValidationFailure(t *trace.Trace, msg string) { + t.Step("failure", + trace.Field{Key: "failureType", Value: "request validation"}, + trace.Field{Key: "msg", Value: msg}, + ) +} diff --git a/internal/supervisor/apiserver/apiserver.go b/internal/supervisor/apiserver/apiserver.go new file mode 100644 index 00000000..21c620e3 --- /dev/null +++ b/internal/supervisor/apiserver/apiserver.go 
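Review bot: `Create` never invokes the `createValidation` callback it receives, so whatever admission validation the generic API server hands to this registry is silently skipped; `rest.Creater` implementations are expected to run it on a copy of the object before producing any result. The `options` argument (including `DryRun`) is likewise ignored, and the hard-coded `GeneratedSecret: "not-a-real-secret"` / `TotalClientSecrets: 20` response reads as scaffolding — a `// TODO` saying so would keep it from being mistaken for finished behaviour. The package comment also names the wrong resource and should read `// Package clientsecretrequest provides REST functionality for the OIDCClientSecretRequest resource.`
```go
	clientSecretRequest, err := validateRequest(obj, t)
	if err != nil {
		return nil, err
	}

	// run the admission validation supplied by the generic API server before producing a result
	if createValidation != nil {
		if err := createValidation(ctx, clientSecretRequest.DeepCopyObject()); err != nil {
			return nil, err
		}
	}

	// … unchanged: placeholder response …
```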
@@ -0,0 +1,139 @@ +// Copyright 2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +package apiserver + +import ( + "context" + "fmt" + "sync" + + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/runtime" + "k8s.io/apimachinery/pkg/runtime/schema" + "k8s.io/apimachinery/pkg/util/errors" + "k8s.io/apiserver/pkg/registry/rest" + genericapiserver "k8s.io/apiserver/pkg/server" + "k8s.io/client-go/pkg/version" + + "go.pinniped.dev/internal/controllerinit" + "go.pinniped.dev/internal/plog" + "go.pinniped.dev/internal/registry/clientsecretrequest" +) + +type Config struct { + GenericConfig *genericapiserver.RecommendedConfig + ExtraConfig ExtraConfig +} + +type ExtraConfig struct { + BuildControllersPostStartHook controllerinit.RunnerBuilder + Scheme *runtime.Scheme + NegotiatedSerializer runtime.NegotiatedSerializer + OauthVirtualSupervisorGroupVersion schema.GroupVersion +} + +type PinnipedServer struct { + GenericAPIServer *genericapiserver.GenericAPIServer +} + +type completedConfig struct { + GenericConfig genericapiserver.CompletedConfig + ExtraConfig *ExtraConfig +} + +type CompletedConfig struct { + // Embed a private pointer that cannot be instantiated outside of this package. + *completedConfig +} + +// Complete fills in any fields not set that are required to have valid data. It's mutating the receiver. +func (c *Config) Complete() CompletedConfig { + completedCfg := completedConfig{ + c.GenericConfig.Complete(), + &c.ExtraConfig, + } + + versionInfo := version.Get() + completedCfg.GenericConfig.Version = &versionInfo + + return CompletedConfig{completedConfig: &completedCfg} +} + +// New returns a new instance of AdmissionServer from the given config. 
+func (c completedConfig) New() (*PinnipedServer, error) { + genericServer, err := c.GenericConfig.New("pinniped-supervisor", genericapiserver.NewEmptyDelegate()) // completion is done in Complete, no need for a second time + if err != nil { + return nil, fmt.Errorf("completion error: %w", err) + } + + s := &PinnipedServer{ + GenericAPIServer: genericServer, + } + + var errs []error //nolint: prealloc + for _, f := range []func() (schema.GroupVersionResource, rest.Storage){ + func() (schema.GroupVersionResource, rest.Storage) { + clientSecretReqGVR := c.ExtraConfig.OauthVirtualSupervisorGroupVersion.WithResource("oidcclientsecretrequests") + clientSecretReqStorage := clientsecretrequest.NewREST() + return clientSecretReqGVR, clientSecretReqStorage + }, + } { + gvr, storage := f() + errs = append(errs, + s.GenericAPIServer.InstallAPIGroup( + &genericapiserver.APIGroupInfo{ + PrioritizedVersions: []schema.GroupVersion{gvr.GroupVersion()}, + VersionedResourcesStorageMap: map[string]map[string]rest.Storage{gvr.Version: {gvr.Resource: storage}}, + OptionsExternalVersion: &schema.GroupVersion{Version: "v1"}, + Scheme: c.ExtraConfig.Scheme, + ParameterCodec: metav1.ParameterCodec, + NegotiatedSerializer: c.ExtraConfig.NegotiatedSerializer, + }, + ), + ) + } + if err := errors.NewAggregate(errs); err != nil { + return nil, fmt.Errorf("could not install API groups: %w", err) + } + + shutdown := &sync.WaitGroup{} + s.GenericAPIServer.AddPostStartHookOrDie("start-controllers", + func(postStartContext genericapiserver.PostStartHookContext) error { + plog.Debug("start-controllers post start hook starting") + + ctx, cancel := context.WithCancel(context.Background()) + go func() { + defer cancel() + + <-postStartContext.StopCh + }() + + runControllers, err := c.ExtraConfig.BuildControllersPostStartHook(ctx) + if err != nil { + return fmt.Errorf("cannot create run controller func: %w", err) + } + + shutdown.Add(1) + go func() { + defer shutdown.Done() + + runControllers(ctx) + }() 
+ + return nil + }, + ) + s.GenericAPIServer.AddPreShutdownHookOrDie("stop-controllers", + func() error { + plog.Debug("stop-controllers pre shutdown hook starting") + defer plog.Debug("stop-controllers pre shutdown hook completed") + + shutdown.Wait() + + return nil + }, + ) + + return s, nil +} diff --git a/internal/supervisor/scheme/scheme.go b/internal/supervisor/scheme/scheme.go new file mode 100644 index 00000000..6179040e --- /dev/null +++ b/internal/supervisor/scheme/scheme.go 
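Review bot: The doc comment on `New` says it returns an `AdmissionServer`, which is not a type in this file; it should read `// New returns a new PinnipedServer built from the completed config, with the oidcclientsecretrequests API group installed and the controller post-start and pre-shutdown hooks registered.` The `for _, f := range []func() (schema.GroupVersionResource, rest.Storage){ ... }` loop wraps a single closure in a slice only to call it once, presumably copied from the Concierge server; building the GVR and storage directly and calling `InstallAPIGroup` once would make the one installed resource obvious and remove the need for the `//nolint: prealloc` directive. If more resources are planned, a short comment saying the loop is there for them would justify the shape.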
@@ -0,0 +1,91 @@ +// Copyright 2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Package scheme contains code to construct a proper runtime.Scheme for the Concierge aggregated +// API. +package scheme + +import ( + "fmt" + + oauthapi "go.pinniped.dev/generated/latest/apis/supervisor/virtual/oauth" + oauthv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/virtual/oauth/v1alpha1" + + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/runtime" + "k8s.io/apimachinery/pkg/runtime/schema" + utilruntime "k8s.io/apimachinery/pkg/util/runtime" + + "go.pinniped.dev/internal/groupsuffix" +) + +// New returns a runtime.Scheme for use by the Supervisor aggregated API running with the provided +// apiGroupSuffix. +func New(apiGroupSuffix string) (_ *runtime.Scheme, oauth schema.GroupVersion) { + // standard set up of the server side scheme + scheme := runtime.NewScheme() + + // add the options to empty v1 + metav1.AddToGroupVersion(scheme, metav1.Unversioned) + + // nothing fancy is required if using the standard group suffix + if apiGroupSuffix == groupsuffix.PinnipedDefaultSuffix { + schemeBuilder := runtime.NewSchemeBuilder( + oauthv1alpha1.AddToScheme, + oauthapi.AddToScheme, + ) + utilruntime.Must(schemeBuilder.AddToScheme(scheme)) + return scheme, oauthv1alpha1.SchemeGroupVersion + } + + oauthVirtualSupervisorGroupData := groupsuffix.SupervisorAggregatedGroups(apiGroupSuffix) + + addToSchemeAtNewGroup(scheme, oauthv1alpha1.GroupName, oauthVirtualSupervisorGroupData.Group, oauthv1alpha1.AddToScheme, oauthapi.AddToScheme) + + // manually register conversions and defaulting into the correct scheme since we cannot directly call AddToScheme + schemeBuilder := runtime.NewSchemeBuilder( + oauthv1alpha1.RegisterConversions, + oauthv1alpha1.RegisterDefaults, + ) + utilruntime.Must(schemeBuilder.AddToScheme(scheme)) + + // we do not have any defaulting functions for *loginv1alpha1.OIDCClientSecretRequest 
+ // today, but we may have some in the future. Calling AddTypeDefaultingFunc overwrites + // any previously registered defaulting function. Thus to make sure that we catch + // a situation where we add a defaulting func, we attempt to call it here with a nil + // *oauthv1alpha1.OIDCClientSecretRequest. This will do nothing when there is no + // defaulting func registered, but it will almost certainly panic if one is added. + scheme.Default((*oauthv1alpha1.OIDCClientSecretRequest)(nil)) + + return scheme, schema.GroupVersion(oauthVirtualSupervisorGroupData) +} + +func addToSchemeAtNewGroup(scheme *runtime.Scheme, oldGroup, newGroup string, funcs ...func(*runtime.Scheme) error) { + // we need a temporary place to register our types to avoid double registering them + tmpScheme := runtime.NewScheme() + schemeBuilder := runtime.NewSchemeBuilder(funcs...) + utilruntime.Must(schemeBuilder.AddToScheme(tmpScheme)) + + for gvk := range tmpScheme.AllKnownTypes() { + if gvk.GroupVersion() == metav1.Unversioned { + continue // metav1.AddToGroupVersion registers types outside of our aggregated API group that we need to ignore + } + + if gvk.Group != oldGroup { + panic(fmt.Errorf("tmp scheme has type not in the old aggregated API group %s: %s", oldGroup, gvk)) // programmer error + } + + obj, err := tmpScheme.New(gvk) + if err != nil { + panic(err) // programmer error, scheme internal code is broken + } + newGVK := schema.GroupVersionKind{ + Group: newGroup, + Version: gvk.Version, + Kind: gvk.Kind, + } + + // register the existing type but with the new group in the correct scheme + scheme.AddKnownTypeWithName(newGVK, obj) + } +} diff --git a/internal/supervisor/scheme/scheme_test.go b/internal/supervisor/scheme/scheme_test.go new file mode 100644 index 00000000..80d1e1f8 --- /dev/null +++ b/internal/supervisor/scheme/scheme_test.go 
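Review bot: Two comments in this file describe the wrong component: the package comment says it builds a scheme for the "Concierge aggregated API", and the comment above `scheme.Default` refers to `*loginv1alpha1.OIDCClientSecretRequest`, while the code registers the Supervisor's `oauthv1alpha1` types. Change them to `// Package scheme contains code to construct a proper runtime.Scheme for the Supervisor aggregated API.` and `// we do not have any defaulting functions for *oauthv1alpha1.OIDCClientSecretRequest`. The blank first result of `New` (`_ *runtime.Scheme, oauth schema.GroupVersion`) is an unusual mix; naming both results or neither would be more conventional.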
@@ -0,0 +1,139 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package scheme
+
+import (
+ "reflect"
+ "testing"
+
+ "github.com/stretchr/testify/require"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/apimachinery/pkg/runtime"
+ "k8s.io/apimachinery/pkg/runtime/schema"
+
+ oauthapi "go.pinniped.dev/generated/latest/apis/supervisor/virtual/oauth"
+ oauthv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/virtual/oauth/v1alpha1"
+)
+
+func TestNew(t *testing.T) {
+ // the standard group
+ regularOAuthGV := schema.GroupVersion{
+ Group: "oauth.virtual.supervisor.pinniped.dev",
+ Version: "v1alpha1",
+ }
+ regularOAuthGVInternal := schema.GroupVersion{
+ Group: "oauth.virtual.supervisor.pinniped.dev",
+ Version: runtime.APIVersionInternal,
+ }
+
+ // the canonical other group
+ otherOAuthGV := schema.GroupVersion{
+ Group: "oauth.virtual.supervisor.walrus.tld",
+ Version: "v1alpha1",
+ }
+ otherOAuthGVInternal := schema.GroupVersion{
+ Group: "oauth.virtual.supervisor.walrus.tld",
+ Version: runtime.APIVersionInternal,
+ }
+
+ // kube's core internal
+ internalGV := schema.GroupVersion{
+ Group: "",
+ Version: runtime.APIVersionInternal,
+ }
+
+ tests := []struct {
+ name string
+ apiGroupSuffix string
+ want map[schema.GroupVersionKind]reflect.Type
+ wantOAuthGroupVersion schema.GroupVersion
+ }{
+ {
+ name: "regular api group",
+ apiGroupSuffix: "pinniped.dev",
+ want: map[schema.GroupVersionKind]reflect.Type{
+ // all the types that are in the aggregated API group
+
+ regularOAuthGV.WithKind("OIDCClientSecretRequest"): reflect.TypeOf(&oauthv1alpha1.OIDCClientSecretRequest{}).Elem(),
+
+ regularOAuthGVInternal.WithKind("OIDCClientSecretRequest"): reflect.TypeOf(&oauthapi.OIDCClientSecretRequest{}).Elem(),
+
+ regularOAuthGV.WithKind("CreateOptions"): reflect.TypeOf(&metav1.CreateOptions{}).Elem(),
+ regularOAuthGV.WithKind("DeleteOptions"): reflect.TypeOf(&metav1.DeleteOptions{}).Elem(),
+ regularOAuthGV.WithKind("GetOptions"): reflect.TypeOf(&metav1.GetOptions{}).Elem(),
+ regularOAuthGV.WithKind("ListOptions"): reflect.TypeOf(&metav1.ListOptions{}).Elem(),
+ regularOAuthGV.WithKind("PatchOptions"): reflect.TypeOf(&metav1.PatchOptions{}).Elem(),
+ regularOAuthGV.WithKind("UpdateOptions"): reflect.TypeOf(&metav1.UpdateOptions{}).Elem(),
+ regularOAuthGV.WithKind("WatchEvent"): reflect.TypeOf(&metav1.WatchEvent{}).Elem(),
+
+ regularOAuthGVInternal.WithKind("WatchEvent"): reflect.TypeOf(&metav1.InternalEvent{}).Elem(),
+
+ // the types below this line do not really matter to us because they are in the core group
+
+ internalGV.WithKind("WatchEvent"): reflect.TypeOf(&metav1.InternalEvent{}).Elem(),
+
+ metav1.Unversioned.WithKind("APIGroup"): reflect.TypeOf(&metav1.APIGroup{}).Elem(),
+ metav1.Unversioned.WithKind("APIGroupList"): reflect.TypeOf(&metav1.APIGroupList{}).Elem(),
+ metav1.Unversioned.WithKind("APIResourceList"): reflect.TypeOf(&metav1.APIResourceList{}).Elem(),
+ metav1.Unversioned.WithKind("APIVersions"): reflect.TypeOf(&metav1.APIVersions{}).Elem(),
+ metav1.Unversioned.WithKind("CreateOptions"): reflect.TypeOf(&metav1.CreateOptions{}).Elem(),
+ metav1.Unversioned.WithKind("DeleteOptions"): reflect.TypeOf(&metav1.DeleteOptions{}).Elem(),
+ metav1.Unversioned.WithKind("GetOptions"): reflect.TypeOf(&metav1.GetOptions{}).Elem(),
+ metav1.Unversioned.WithKind("ListOptions"): reflect.TypeOf(&metav1.ListOptions{}).Elem(),
+ metav1.Unversioned.WithKind("PatchOptions"): reflect.TypeOf(&metav1.PatchOptions{}).Elem(),
+ metav1.Unversioned.WithKind("Status"): reflect.TypeOf(&metav1.Status{}).Elem(),
+ metav1.Unversioned.WithKind("UpdateOptions"): reflect.TypeOf(&metav1.UpdateOptions{}).Elem(),
+ metav1.Unversioned.WithKind("WatchEvent"): reflect.TypeOf(&metav1.WatchEvent{}).Elem(),
+ },
+ wantOAuthGroupVersion: regularOAuthGV,
+ },
+ {
+ name: "other api group",
+ apiGroupSuffix: "walrus.tld",
+ want: map[schema.GroupVersionKind]reflect.Type{
+ // all the types that are in the aggregated API group
+
+ otherOAuthGV.WithKind("OIDCClientSecretRequest"): reflect.TypeOf(&oauthv1alpha1.OIDCClientSecretRequest{}).Elem(),
+
+ otherOAuthGVInternal.WithKind("OIDCClientSecretRequest"): reflect.TypeOf(&oauthapi.OIDCClientSecretRequest{}).Elem(),
+
+ otherOAuthGV.WithKind("CreateOptions"): reflect.TypeOf(&metav1.CreateOptions{}).Elem(),
+ otherOAuthGV.WithKind("DeleteOptions"): reflect.TypeOf(&metav1.DeleteOptions{}).Elem(),
+ otherOAuthGV.WithKind("GetOptions"): reflect.TypeOf(&metav1.GetOptions{}).Elem(),
+ otherOAuthGV.WithKind("ListOptions"): reflect.TypeOf(&metav1.ListOptions{}).Elem(),
+ otherOAuthGV.WithKind("PatchOptions"): reflect.TypeOf(&metav1.PatchOptions{}).Elem(),
+ otherOAuthGV.WithKind("UpdateOptions"): reflect.TypeOf(&metav1.UpdateOptions{}).Elem(),
+ otherOAuthGV.WithKind("WatchEvent"): reflect.TypeOf(&metav1.WatchEvent{}).Elem(),
+
+ otherOAuthGVInternal.WithKind("WatchEvent"): reflect.TypeOf(&metav1.InternalEvent{}).Elem(),
+
+ // the types below this line do not really matter to us because they are in the core group
+
+ internalGV.WithKind("WatchEvent"): reflect.TypeOf(&metav1.InternalEvent{}).Elem(),
+
+ metav1.Unversioned.WithKind("APIGroup"): reflect.TypeOf(&metav1.APIGroup{}).Elem(),
+ metav1.Unversioned.WithKind("APIGroupList"): reflect.TypeOf(&metav1.APIGroupList{}).Elem(),
+ metav1.Unversioned.WithKind("APIResourceList"): reflect.TypeOf(&metav1.APIResourceList{}).Elem(),
+ metav1.Unversioned.WithKind("APIVersions"): reflect.TypeOf(&metav1.APIVersions{}).Elem(),
+ metav1.Unversioned.WithKind("CreateOptions"): reflect.TypeOf(&metav1.CreateOptions{}).Elem(),
+ metav1.Unversioned.WithKind("DeleteOptions"): reflect.TypeOf(&metav1.DeleteOptions{}).Elem(),
+ metav1.Unversioned.WithKind("GetOptions"): reflect.TypeOf(&metav1.GetOptions{}).Elem(),
+ metav1.Unversioned.WithKind("ListOptions"): reflect.TypeOf(&metav1.ListOptions{}).Elem(),
+ metav1.Unversioned.WithKind("PatchOptions"): reflect.TypeOf(&metav1.PatchOptions{}).Elem(),
+ metav1.Unversioned.WithKind("Status"): reflect.TypeOf(&metav1.Status{}).Elem(),
+ metav1.Unversioned.WithKind("UpdateOptions"): reflect.TypeOf(&metav1.UpdateOptions{}).Elem(),
+ metav1.Unversioned.WithKind("WatchEvent"): reflect.TypeOf(&metav1.WatchEvent{}).Elem(),
+ },
+ wantOAuthGroupVersion: otherOAuthGV,
+ },
+ }
+ for _, tt := range tests {
+ tt := tt
+ t.Run(tt.name, func(t *testing.T) {
+ scheme, oauthGV := New(tt.apiGroupSuffix)
+ require.Equal(t, tt.want, scheme.AllKnownTypes())
+ require.Equal(t, tt.wantOAuthGroupVersion, oauthGV)
+ })
+ }
+}
diff --git a/internal/supervisor/server/server.go b/internal/supervisor/server/server.go
index 772f0f5a..d4320091 100644
--- a/internal/supervisor/server/server.go
+++ b/internal/supervisor/server/server.go
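Review bot: The two `want` maps in `TestNew` are identical except for which aggregated GroupVersion pair they are keyed on, so every kind added to the scheme in future has to be added in two places. Building them with a small helper that takes the external and internal GroupVersion (the `metav1.Unversioned` and `internalGV` entries are literally the same in both cases) would keep the cases in sync and make the only real difference, the suffix, visible. Not a correctness issue; the expectations themselves look right for both suffixes.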
@@ -22,18 +22,26 @@ import (
 "github.com/joshlf/go-acl"
 appsv1 "k8s.io/api/apps/v1"
 corev1 "k8s.io/api/core/v1"
+ "k8s.io/apimachinery/pkg/runtime"
+ "k8s.io/apimachinery/pkg/runtime/schema"
+ "k8s.io/apimachinery/pkg/runtime/serializer"
 apimachineryversion "k8s.io/apimachinery/pkg/version"
 genericapifilters "k8s.io/apiserver/pkg/endpoints/filters"
+ genericapiserver "k8s.io/apiserver/pkg/server"
+ genericoptions "k8s.io/apiserver/pkg/server/options"
 kubeinformers "k8s.io/client-go/informers"
 "k8s.io/client-go/kubernetes"
 "k8s.io/client-go/pkg/version"
 "k8s.io/client-go/rest"
+ aggregatorclient "k8s.io/kube-aggregator/pkg/client/clientset_generated/clientset"
 "k8s.io/utils/clock"
 configv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/config/v1alpha1"
 pinnipedclientset "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned"
 pinnipedinformers "go.pinniped.dev/generated/latest/client/supervisor/informers/externalversions"
+ "go.pinniped.dev/internal/apiserviceref"
 "go.pinniped.dev/internal/config/supervisor"
+ "go.pinniped.dev/internal/controller/apicerts"
 "go.pinniped.dev/internal/controller/supervisorconfig"
 "go.pinniped.dev/internal/controller/supervisorconfig/activedirectoryupstreamwatcher"
 "go.pinniped.dev/internal/controller/supervisorconfig/generator"
@@ -45,6 +53,7 @@ import (
 "go.pinniped.dev/internal/crypto/ptls"
 "go.pinniped.dev/internal/deploymentref"
 "go.pinniped.dev/internal/downward"
+ "go.pinniped.dev/internal/dynamiccert"
 "go.pinniped.dev/internal/groupsuffix"
 "go.pinniped.dev/internal/kubeclient"
 "go.pinniped.dev/internal/leaderelection"
@@ -53,6 +62,8 @@ import (
 "go.pinniped.dev/internal/oidc/provider/manager"
 "go.pinniped.dev/internal/plog"
 "go.pinniped.dev/internal/secret"
+ "go.pinniped.dev/internal/supervisor/apiserver"
+ supervisorscheme "go.pinniped.dev/internal/supervisor/scheme"
 )
 const (
@@ -116,14 +127,18 @@ func prepareControllers(
 dynamicJWKSProvider jwks.DynamicJWKSProvider,
 dynamicTLSCertProvider provider.DynamicTLSCertProvider,
 dynamicUpstreamIDPProvider provider.DynamicUpstreamIDPProvider,
+ dynamicServingCertProvider dynamiccert.Private,
 secretCache *secret.Cache,
 supervisorDeployment *appsv1.Deployment,
 kubeClient kubernetes.Interface,
 pinnipedClient pinnipedclientset.Interface,
+ aggregatorClient aggregatorclient.Interface,
 kubeInformers kubeinformers.SharedInformerFactory,
 pinnipedInformers pinnipedinformers.SharedInformerFactory,
 leaderElector controllerinit.RunnerWrapper,
+ podInfo *downward.PodInfo,
 ) controllerinit.RunnerBuilder {
+ oauthSupervisorGroupData := groupsuffix.SupervisorAggregatedGroups(*cfg.APIGroupSuffix)
 federationDomainInformer := pinnipedInformers.Config().V1alpha1().FederationDomains()
 secretInformer := kubeInformers.Core().V1().Secrets()
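Review bot: `oauthSupervisorGroupData := groupsuffix.SupervisorAggregatedGroups(*cfg.APIGroupSuffix)` is computed here inside `prepareControllers`, and the next hunk computes the identical value again at the top of `runSupervisor`, which also hands the raw suffix to `supervisorscheme.New`. Computing it once in `runSupervisor` and passing it in (the signature already gains `podInfo` and `aggregatorClient` in this hunk) keeps the API service name, the scheme's group and the controllers from ever disagreeing on the suffix. The body of `prepareControllers` continues outside the hunk.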
@@ -291,30 +306,69 @@ func prepareControllers(
 secretInformer,
 controllerlib.WithInformer,
 ),
- singletonWorker)
+ singletonWorker).
+ WithController(
+ apicerts.NewCertsManagerController(
+ podInfo.Namespace,
+ "pinniped-supervisor-api-tls-serving-certificate",
+ cfg.Labels,
+ kubeClient,
+ secretInformer,
+ controllerlib.WithInformer,
+ controllerlib.WithInitialEvent,
+ 31536000*time.Second,
+ "Pinniped Aggregation CA",
+ cfg.NamesConfig.APIService,
+ ),
+ singletonWorker,
+ ).
+ WithController(
+ apicerts.NewAPIServiceUpdaterController(
+ podInfo.Namespace,
+ "pinniped-supervisor-api-tls-serving-certificate",
+ oauthSupervisorGroupData.APIServiceName(),
+ aggregatorClient,
+ secretInformer,
+ controllerlib.WithInformer,
+ ),
+ singletonWorker,
+ ).
+ WithController(
+ apicerts.NewCertsObserverController(
+ podInfo.Namespace,
+ "pinniped-supervisor-api-tls-serving-certificate",
+ dynamicServingCertProvider,
+ secretInformer,
+ controllerlib.WithInformer,
+ ),
+ singletonWorker,
+ ).
+ WithController(
+ apicerts.NewCertsExpirerController(
+ podInfo.Namespace,
+ "pinniped-supervisor-api-tls-serving-certificate",
+ kubeClient,
+ secretInformer,
+ controllerlib.WithInformer,
+ 23328000*time.Second,
+ apicerts.TLSCertificateChainSecretKey,
+ plog.New(),
+ ),
+ singletonWorker,
+ )
 return controllerinit.Prepare(controllerManager.Start, leaderElector, kubeInformers, pinnipedInformers)
 }
-func startControllers(ctx context.Context, shutdown *sync.WaitGroup, buildControllers controllerinit.RunnerBuilder) error {
- runControllers, err := buildControllers(ctx)
- if err != nil {
- return fmt.Errorf("cannot create run controller func: %w", err)
- }
-
- shutdown.Add(1)
- go func() {
- defer shutdown.Done()
-
- runControllers(ctx)
- }()
-
- return nil
-}
-
 //nolint:funlen
 func runSupervisor(ctx context.Context, podInfo *downward.PodInfo, cfg *supervisor.Config) error {
 serverInstallationNamespace := podInfo.Namespace
+ oauthSupervisorGroupData := groupsuffix.SupervisorAggregatedGroups(*cfg.APIGroupSuffix)
+
+ apiServiceRef, err := apiserviceref.New(oauthSupervisorGroupData.APIServiceName())
+ if err != nil {
+ return fmt.Errorf("cannot create API service ref: %w", err)
+ }
 dref, supervisorDeployment, supervisorPod, err := deploymentref.New(podInfo)
 if err != nil {
@@ -323,6 +377,7 @@ func runSupervisor(ctx context.Context, podInfo *downward.PodInfo, cfg *supervis
 opts := []kubeclient.Option{
 dref,
+ apiServiceRef,
 kubeclient.WithMiddleware(groupsuffix.New(*cfg.APIGroupSuffix)),
 }
@@ -358,6 +413,8 @@ func runSupervisor(ctx context.Context, podInfo *downward.PodInfo, cfg *supervis
 _, _ = writer.Write([]byte("ok"))
 }))
+ dynamicServingCertProvider := dynamiccert.NewServingCert("supervisor-serving-cert")
+
 dynamicJWKSProvider := jwks.NewDynamicJWKSProvider()
 dynamicTLSCertProvider := provider.NewDynamicTLSCertProvider()
 dynamicUpstreamIDPProvider := provider.NewDynamicUpstreamIDPProvider()
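Review bot: The secret name `"pinniped-supervisor-api-tls-serving-certificate"` is repeated as a literal in all four new `apicerts` controller registrations; the manager, updater, observer and expirer only cooperate if all four spell it the same way, so hoist it to `const supervisorAPIServingCertSecretName = "pinniped-supervisor-api-tls-serving-certificate"` next to the file's other constants. The lifetimes `31536000*time.Second` and `23328000*time.Second` are 365 and 270 days; writing them as `365 * 24 * time.Hour` and `270 * 24 * time.Hour`, with a comment that the second is the renewal threshold for the first, makes the serving-cert validity and rotation window reviewable at a glance. The `plog.New()` passed to the expirer is created inline while the rest of this chain uses no logger argument; if a package-level logger exists in this file it would be more consistent to reuse it.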
@@ -372,25 +429,47 @@ func runSupervisor(ctx context.Context, podInfo *downward.PodInfo, cfg *supervis
 clientWithoutLeaderElection.Kubernetes.CoreV1().Secrets(serverInstallationNamespace), // writes to kube storage are allowed for non-leaders
 )
+ // Get the "real" name of the oauth virtual supervisor API group (i.e., the API group name with the
+ // injected suffix).
+ scheme, oauthGV := supervisorscheme.New(*cfg.APIGroupSuffix)
+
 buildControllersFunc := prepareControllers(
 cfg,
 oidProvidersManager,
 dynamicJWKSProvider,
 dynamicTLSCertProvider,
 dynamicUpstreamIDPProvider,
+ dynamicServingCertProvider,
 &secretCache,
 supervisorDeployment,
 client.Kubernetes,
 client.PinnipedSupervisor,
+ client.Aggregation,
 kubeInformers,
 pinnipedInformers,
 leaderElector,
+ podInfo,
 )
 shutdown := &sync.WaitGroup{}
- if err := startControllers(ctx, shutdown, buildControllersFunc); err != nil {
- return err
+ // Get the aggregated API server config.
+ aggregatedAPIServerConfig, err := getAggregatedAPIServerConfig(
+ dynamicServingCertProvider,
+ buildControllersFunc,
+ *cfg.APIGroupSuffix,
+ 10250,
+ scheme,
+ oauthGV,
+ )
+ if err != nil {
+ return fmt.Errorf("could not configure aggregated API server: %w", err)
+ }
+
+ // Complete the aggregated API server config and make a server instance.
+ server, err := aggregatedAPIServerConfig.Complete().New()
+ if err != nil {
+ return fmt.Errorf("could not create aggregated API server: %w", err)
 }
 if e := cfg.Endpoints.HTTP; e.Network != supervisor.NetworkDisabled {
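Review bot: `10250` is passed as a bare literal to `getAggregatedAPIServerConfig`, while that function's comment in the following hunk says the port is configurable and was already validated by the config reader; from this call site neither holds, so either plumb the port through `cfg` or name it, `const aggregatedAPIServerPort = 10250`, and reword that comment. The comment `// Get the "real" name of the oauth virtual supervisor API group (i.e., the API group name with the` above `supervisorscheme.New` describes only the second return value; `// Build the runtime.Scheme and the suffix-adjusted GroupVersion of the oauth virtual supervisor API group.` covers both. With `startControllers` removed, no `shutdown.Add` is visible anywhere in this diff, so unless another caller adds to `shutdown` (not visible here) the `shutdown.Wait()` that remains after the server returns no longer waits for the controller goroutines that the post-start hook starts; worth confirming before relying on it for graceful shutdown.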
@@ -465,11 +544,73 @@ func runSupervisor(ctx context.Context, podInfo *downward.PodInfo, cfg *supervis
 plog.Debug("supervisor started")
 defer plog.Debug("supervisor exiting")
+ // Run the server. Its post-start hook will start the controllers.
+ err = server.GenericAPIServer.PrepareRun().Run(ctx.Done())
+ if err != nil {
+ return err
+ }
 shutdown.Wait()
 return nil
 }
+// Create a configuration for the aggregated API server.
+func getAggregatedAPIServerConfig(
+ dynamicCertProvider dynamiccert.Private,
+ buildControllers controllerinit.RunnerBuilder,
+ apiGroupSuffix string,
+ aggregatedAPIServerPort int64,
+ scheme *runtime.Scheme,
+ oauthVirtualSupervisorGroupVersion schema.GroupVersion,
+) (*apiserver.Config, error) {
+ codecs := serializer.NewCodecFactory(scheme)
+
+ // this is unused for now but it is a safe value that we could use in the future
+ defaultEtcdPathPrefix := fmt.Sprintf("/pinniped-concierge-registry/%s", apiGroupSuffix)
+
+ recommendedOptions := genericoptions.NewRecommendedOptions(
+ defaultEtcdPathPrefix,
+ codecs.LegacyCodec(oauthVirtualSupervisorGroupVersion),
+ )
+ recommendedOptions.Etcd = nil // turn off etcd storage because we don't need it yet
+ recommendedOptions.SecureServing.ServerCert.GeneratedCert = dynamicCertProvider
+
+ // This port is configurable. It should be safe to cast because the config reader already validated it.
+ recommendedOptions.SecureServing.BindPort = int(aggregatedAPIServerPort)
+
+ // secure TLS for connections coming from and going to the Kube API server
+ // this is best effort because not all options provide the right hooks to override TLS config
+ // since our only client is the Kube API server, this uses the most secure TLS config
+ if err := ptls.SecureRecommendedOptions(recommendedOptions, kubeclient.Secure); err != nil {
+ return nil, fmt.Errorf("failed to secure recommended options: %w", err)
+ }
+
+ serverConfig := genericapiserver.NewRecommendedConfig(codecs)
+ // Note that among other things, this ApplyTo() function copies
+ // `recommendedOptions.SecureServing.ServerCert.GeneratedCert` into
+ // `serverConfig.SecureServing.Cert` thus making `dynamicCertProvider`
+ // the cert provider for the running server. The provider will be called
+ // by the API machinery periodically. When the provider returns nil certs,
+ // the API server will return "the server is currently unable to
+ // handle the request" error responses for all incoming requests.
+ // If the provider later starts returning certs, then the API server
+ // will use them to handle the incoming requests successfully.
+ if err := recommendedOptions.ApplyTo(serverConfig); err != nil {
+ return nil, fmt.Errorf("failed to apply recommended options: %w", err)
+ }
+
+ apiServerConfig := &apiserver.Config{
+ GenericConfig: serverConfig,
+ ExtraConfig: apiserver.ExtraConfig{
+ BuildControllersPostStartHook: buildControllers,
+ Scheme: scheme,
+ NegotiatedSerializer: codecs,
+ OauthVirtualSupervisorGroupVersion: oauthVirtualSupervisorGroupVersion,
+ },
+ }
+ return apiServerConfig, nil
+}
+
 func maybeSetupUnixPerms(endpoint *supervisor.Endpoint, pod *corev1.Pod) func() error {
 if endpoint.Network != supervisor.NetworkUnix {
 return func() error { return nil }
diff --git a/test/integration/kube_api_discovery_test.go b/test/integration/kube_api_discovery_test.go
index c0d243cf..835dcf0a 100644
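Review bot: `defaultEtcdPathPrefix` is built as `/pinniped-concierge-registry/%s` inside the Supervisor server, so if `recommendedOptions.Etcd` is ever switched back on, the Supervisor and the Concierge deployed with the same suffix would share an etcd key prefix; change it to `fmt.Sprintf("/pinniped-supervisor-registry/%s", apiGroupSuffix)` now, while the comment still says it is unused. The doc comment `// Create a configuration for the aggregated API server.` should begin with the function name, e.g. `// getAggregatedAPIServerConfig builds the aggregated API server configuration: it disables etcd, installs dynamicCertProvider as the serving cert source and binds aggregatedAPIServerPort.`. The comment `// This port is configurable. It should be safe to cast because the config reader already validated it.` is not borne out by the only caller in this diff, which passes a literal; either make it true by reading the port from the config or reword it to say the value is fixed by the caller.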
--- a/test/integration/kube_api_discovery_test.go
+++ b/test/integration/kube_api_discovery_test.go
@@ -54,6 +54,7 @@ func TestGetAPIResourceList(t *testing.T) {
 idpSupervisorGV := makeGV("idp", "supervisor")
 configSupervisorGV := makeGV("config", "supervisor")
 oauthSupervisorGV := makeGV("oauth", "supervisor")
+ oauthVirtualSupervisorGV := makeGV("oauth.virtual", "supervisor")
 tests := []struct {
 group metav1.APIGroup
@@ -111,6 +112,32 @@ func TestGetAPIResourceList(t *testing.T) {
 },
 },
 },
+ {
+ group: metav1.APIGroup{
+ Name: oauthVirtualSupervisorGV.Group,
+ Versions: []metav1.GroupVersionForDiscovery{
+ {
+ GroupVersion: oauthVirtualSupervisorGV.String(),
+ Version: oauthVirtualSupervisorGV.Version,
+ },
+ },
+ PreferredVersion: metav1.GroupVersionForDiscovery{
+ GroupVersion: oauthVirtualSupervisorGV.String(),
+ Version: oauthVirtualSupervisorGV.Version,
+ },
+ },
+ resourceByVersion: map[string][]metav1.APIResource{
+ oauthVirtualSupervisorGV.String(): {
+ {
+ Name: "oidcclientsecretrequests",
+ Kind: "OIDCClientSecretRequest",
+ Verbs: []string{"create"},
+ Namespaced: true,
+ Categories: nil,
+ },
+ },
+ },
+ },
 {
 group: metav1.APIGroup{
 Name: configSupervisorGV.Group,
@@ -347,6 +374,11 @@ func TestGetAPIResourceList(t *testing.T) {
 if strings.HasSuffix(a.Name, "/status") {
 continue
 }
+ if a.Name == "oidcclientsecretrequests" {
+ // OIDCClientSecretRequest does not implement list,
+ // so it doesn't make sense for it to belong to a category.
+ continue
+ }
 assert.Containsf(t, a.Categories, "pinniped", "expected resource %q to be in the 'pinniped' category", a.Name)
 assert.NotContainsf(t, a.Categories, "all", "expected resource %q not to be in the 'all' category", a.Name)
 }
@@ -373,7 +405,7 @@ func TestGetAPIResourceList(t *testing.T) {
 t.Run("every API has a status subresource", func(t *testing.T) {
 t.Parallel()
- aggregatedAPIs := sets.NewString("tokencredentialrequests", "whoamirequests")
+ aggregatedAPIs := sets.NewString("tokencredentialrequests", "whoamirequests", "oidcclientsecretrequests")
 var regular, status []string
From 37884e7015692188627b9ad214ee481da237d994 Mon Sep 17 00:00:00 2001 From: Margo Crawford Date: Thu, 9 Jun 2022 14:39:06 -0700 Subject: [PATCH 09/61] reran update.sh to get the codegen up to date Signed-off-by: Margo Crawford --- generated/1.17/README.adoc | 4 ++-- generated/1.18/README.adoc | 4 ++-- generated/1.19/README.adoc | 4 ++-- generated/1.20/README.adoc | 4 ++-- generated/1.21/README.adoc | 4 ++-- generated/1.22/README.adoc | 4 ++-- generated/1.23/README.adoc | 4 ++-- .../1.23/client/concierge/clientset/versioned/clientset.go | 4 ---- .../1.23/client/supervisor/clientset/versioned/clientset.go | 4 ---- 9 files changed, 14 insertions(+), 22 deletions(-)
diff --git a/generated/1.17/README.adoc b/generated/1.17/README.adoc
index 0b90292d..5e679530 100644
--- a/generated/1.17/README.adoc
+++ b/generated/1.17/README.adoc
@@ -1380,9 +1380,9 @@ OIDCClientSpec is a struct that describes an OIDC Client. | Field | Description | *`allowedRedirectURIs`* __string array__ | allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this client. Any other uris will be rejected. Must be https, unless it is a loopback. | *`allowedGrantTypes`* __GrantType array__ | allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this client. - Must only contain the following values: - authorization_code: allows the client to perform the authorization code grant flow, i.e. allows the webapp to authenticate users. This grant must always be listed. - refresh_token: allows the client to perform refresh grants for the user to extend the user's session. This grant must be listed if allowedScopes lists offline_access. - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. This grant must be listed if allowedScopes lists pinniped:request-audience. + Must only contain the following values: - authorization_code: allows the client to perform the authorization code grant flow, i.e. allows the webapp to authenticate users. This grant must always be listed. - refresh_token: allows the client to perform refresh grants for the user to extend the user's session. This grant must be listed if allowedScopes lists offline_access. - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. This grant must be listed if allowedScopes lists pinniped:request-audience. | *`allowedScopes`* __Scope array__ | allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. 
- Must only contain the following values: - openid: The client is allowed to request ID tokens. ID tokens only include the required claims by default (iss, sub, aud, exp, iat). This scope must always be listed. - offline_access: The client is allowed to request an initial refresh token during the authorization code grant flow. This scope must be listed if allowedGrantTypes lists refresh_token. - pinniped:request-audience: The client is allowed to request a new audience value during a RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. openid, username and groups scopes must be listed when this scope is present. This scope must be listed if allowedGrantTypes lists urn:ietf:params:oauth:grant-type:token-exchange. - username: The client is allowed to request that ID tokens contain the user's username. Without the username scope being requested and allowed, the ID token will not contain the user's username. - groups: The client is allowed to request that ID tokens contain the user's group membership, if their group membership is discoverable by the Supervisor. Without the groups scope being requested and allowed, the ID token will not contain groups. + Must only contain the following values: - openid: The client is allowed to request ID tokens. ID tokens only include the required claims by default (iss, sub, aud, exp, iat). This scope must always be listed. - offline_access: The client is allowed to request an initial refresh token during the authorization code grant flow. This scope must be listed if allowedGrantTypes lists refresh_token. - pinniped:request-audience: The client is allowed to request a new audience value during a RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. openid, username and groups scopes must be listed when this scope is present. This scope must be listed if allowedGrantTypes lists urn:ietf:params:oauth:grant-type:token-exchange. 
- username: The client is allowed to request that ID tokens contain the user's username. Without the username scope being requested and allowed, the ID token will not contain the user's username. - groups: The client is allowed to request that ID tokens contain the user's group membership, if their group membership is discoverable by the Supervisor. Without the groups scope being requested and allowed, the ID token will not contain groups. |=== diff --git a/generated/1.18/README.adoc b/generated/1.18/README.adoc index db96bb48..0d78ed03 100644 --- a/generated/1.18/README.adoc +++ b/generated/1.18/README.adoc 
@@ -1380,9 +1380,9 @@ OIDCClientSpec is a struct that describes an OIDC Client. | Field | Description | *`allowedRedirectURIs`* __string array__ | allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this client. Any other uris will be rejected. Must be https, unless it is a loopback. | *`allowedGrantTypes`* __GrantType array__ | allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this client. - Must only contain the following values: - authorization_code: allows the client to perform the authorization code grant flow, i.e. allows the webapp to authenticate users. This grant must always be listed. - refresh_token: allows the client to perform refresh grants for the user to extend the user's session. This grant must be listed if allowedScopes lists offline_access. - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. This grant must be listed if allowedScopes lists pinniped:request-audience. + Must only contain the following values: - authorization_code: allows the client to perform the authorization code grant flow, i.e. allows the webapp to authenticate users. This grant must always be listed. - refresh_token: allows the client to perform refresh grants for the user to extend the user's session. This grant must be listed if allowedScopes lists offline_access. - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. This grant must be listed if allowedScopes lists pinniped:request-audience. | *`allowedScopes`* __Scope array__ | allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. 
- Must only contain the following values: - openid: The client is allowed to request ID tokens. ID tokens only include the required claims by default (iss, sub, aud, exp, iat). This scope must always be listed. - offline_access: The client is allowed to request an initial refresh token during the authorization code grant flow. This scope must be listed if allowedGrantTypes lists refresh_token. - pinniped:request-audience: The client is allowed to request a new audience value during a RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. openid, username and groups scopes must be listed when this scope is present. This scope must be listed if allowedGrantTypes lists urn:ietf:params:oauth:grant-type:token-exchange. - username: The client is allowed to request that ID tokens contain the user's username. Without the username scope being requested and allowed, the ID token will not contain the user's username. - groups: The client is allowed to request that ID tokens contain the user's group membership, if their group membership is discoverable by the Supervisor. Without the groups scope being requested and allowed, the ID token will not contain groups. + Must only contain the following values: - openid: The client is allowed to request ID tokens. ID tokens only include the required claims by default (iss, sub, aud, exp, iat). This scope must always be listed. - offline_access: The client is allowed to request an initial refresh token during the authorization code grant flow. This scope must be listed if allowedGrantTypes lists refresh_token. - pinniped:request-audience: The client is allowed to request a new audience value during a RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. openid, username and groups scopes must be listed when this scope is present. This scope must be listed if allowedGrantTypes lists urn:ietf:params:oauth:grant-type:token-exchange. 
- username: The client is allowed to request that ID tokens contain the user's username. Without the username scope being requested and allowed, the ID token will not contain the user's username. - groups: The client is allowed to request that ID tokens contain the user's group membership, if their group membership is discoverable by the Supervisor. Without the groups scope being requested and allowed, the ID token will not contain groups. |=== diff --git a/generated/1.19/README.adoc b/generated/1.19/README.adoc index 29d52abb..5bb2e556 100644 --- a/generated/1.19/README.adoc +++ b/generated/1.19/README.adoc 
@@ -1380,9 +1380,9 @@ OIDCClientSpec is a struct that describes an OIDC Client. | Field | Description | *`allowedRedirectURIs`* __string array__ | allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this client. Any other uris will be rejected. Must be https, unless it is a loopback. | *`allowedGrantTypes`* __GrantType array__ | allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this client. - Must only contain the following values: - authorization_code: allows the client to perform the authorization code grant flow, i.e. allows the webapp to authenticate users. This grant must always be listed. - refresh_token: allows the client to perform refresh grants for the user to extend the user's session. This grant must be listed if allowedScopes lists offline_access. - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. This grant must be listed if allowedScopes lists pinniped:request-audience. + Must only contain the following values: - authorization_code: allows the client to perform the authorization code grant flow, i.e. allows the webapp to authenticate users. This grant must always be listed. - refresh_token: allows the client to perform refresh grants for the user to extend the user's session. This grant must be listed if allowedScopes lists offline_access. - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. This grant must be listed if allowedScopes lists pinniped:request-audience. | *`allowedScopes`* __Scope array__ | allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. 
- Must only contain the following values: - openid: The client is allowed to request ID tokens. ID tokens only include the required claims by default (iss, sub, aud, exp, iat). This scope must always be listed. - offline_access: The client is allowed to request an initial refresh token during the authorization code grant flow. This scope must be listed if allowedGrantTypes lists refresh_token. - pinniped:request-audience: The client is allowed to request a new audience value during a RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. openid, username and groups scopes must be listed when this scope is present. This scope must be listed if allowedGrantTypes lists urn:ietf:params:oauth:grant-type:token-exchange. - username: The client is allowed to request that ID tokens contain the user's username. Without the username scope being requested and allowed, the ID token will not contain the user's username. - groups: The client is allowed to request that ID tokens contain the user's group membership, if their group membership is discoverable by the Supervisor. Without the groups scope being requested and allowed, the ID token will not contain groups. + Must only contain the following values: - openid: The client is allowed to request ID tokens. ID tokens only include the required claims by default (iss, sub, aud, exp, iat). This scope must always be listed. - offline_access: The client is allowed to request an initial refresh token during the authorization code grant flow. This scope must be listed if allowedGrantTypes lists refresh_token. - pinniped:request-audience: The client is allowed to request a new audience value during a RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. openid, username and groups scopes must be listed when this scope is present. This scope must be listed if allowedGrantTypes lists urn:ietf:params:oauth:grant-type:token-exchange. 
- username: The client is allowed to request that ID tokens contain the user's username. Without the username scope being requested and allowed, the ID token will not contain the user's username. - groups: The client is allowed to request that ID tokens contain the user's group membership, if their group membership is discoverable by the Supervisor. Without the groups scope being requested and allowed, the ID token will not contain groups. |=== diff --git a/generated/1.20/README.adoc b/generated/1.20/README.adoc index f58d5ad8..61422b6e 100644 --- a/generated/1.20/README.adoc +++ b/generated/1.20/README.adoc 
@@ -1380,9 +1380,9 @@ OIDCClientSpec is a struct that describes an OIDC Client. | Field | Description | *`allowedRedirectURIs`* __string array__ | allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this client. Any other uris will be rejected. Must be https, unless it is a loopback. | *`allowedGrantTypes`* __GrantType array__ | allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this client. - Must only contain the following values: - authorization_code: allows the client to perform the authorization code grant flow, i.e. allows the webapp to authenticate users. This grant must always be listed. - refresh_token: allows the client to perform refresh grants for the user to extend the user's session. This grant must be listed if allowedScopes lists offline_access. - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. This grant must be listed if allowedScopes lists pinniped:request-audience. + Must only contain the following values: - authorization_code: allows the client to perform the authorization code grant flow, i.e. allows the webapp to authenticate users. This grant must always be listed. - refresh_token: allows the client to perform refresh grants for the user to extend the user's session. This grant must be listed if allowedScopes lists offline_access. - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. This grant must be listed if allowedScopes lists pinniped:request-audience. | *`allowedScopes`* __Scope array__ | allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. 
- Must only contain the following values: - openid: The client is allowed to request ID tokens. ID tokens only include the required claims by default (iss, sub, aud, exp, iat). This scope must always be listed. - offline_access: The client is allowed to request an initial refresh token during the authorization code grant flow. This scope must be listed if allowedGrantTypes lists refresh_token. - pinniped:request-audience: The client is allowed to request a new audience value during a RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. openid, username and groups scopes must be listed when this scope is present. This scope must be listed if allowedGrantTypes lists urn:ietf:params:oauth:grant-type:token-exchange. - username: The client is allowed to request that ID tokens contain the user's username. Without the username scope being requested and allowed, the ID token will not contain the user's username. - groups: The client is allowed to request that ID tokens contain the user's group membership, if their group membership is discoverable by the Supervisor. Without the groups scope being requested and allowed, the ID token will not contain groups. + Must only contain the following values: - openid: The client is allowed to request ID tokens. ID tokens only include the required claims by default (iss, sub, aud, exp, iat). This scope must always be listed. - offline_access: The client is allowed to request an initial refresh token during the authorization code grant flow. This scope must be listed if allowedGrantTypes lists refresh_token. - pinniped:request-audience: The client is allowed to request a new audience value during a RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. openid, username and groups scopes must be listed when this scope is present. This scope must be listed if allowedGrantTypes lists urn:ietf:params:oauth:grant-type:token-exchange. 
- username: The client is allowed to request that ID tokens contain the user's username. Without the username scope being requested and allowed, the ID token will not contain the user's username. - groups: The client is allowed to request that ID tokens contain the user's group membership, if their group membership is discoverable by the Supervisor. Without the groups scope being requested and allowed, the ID token will not contain groups. |=== diff --git a/generated/1.21/README.adoc b/generated/1.21/README.adoc index e83a59ea..1c16381d 100644 --- a/generated/1.21/README.adoc +++ b/generated/1.21/README.adoc 
@@ -1380,9 +1380,9 @@ OIDCClientSpec is a struct that describes an OIDC Client. | Field | Description | *`allowedRedirectURIs`* __string array__ | allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this client. Any other uris will be rejected. Must be https, unless it is a loopback. | *`allowedGrantTypes`* __GrantType array__ | allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this client. - Must only contain the following values: - authorization_code: allows the client to perform the authorization code grant flow, i.e. allows the webapp to authenticate users. This grant must always be listed. - refresh_token: allows the client to perform refresh grants for the user to extend the user's session. This grant must be listed if allowedScopes lists offline_access. - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. This grant must be listed if allowedScopes lists pinniped:request-audience. + Must only contain the following values: - authorization_code: allows the client to perform the authorization code grant flow, i.e. allows the webapp to authenticate users. This grant must always be listed. - refresh_token: allows the client to perform refresh grants for the user to extend the user's session. This grant must be listed if allowedScopes lists offline_access. - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. This grant must be listed if allowedScopes lists pinniped:request-audience. | *`allowedScopes`* __Scope array__ | allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. 
- Must only contain the following values: - openid: The client is allowed to request ID tokens. ID tokens only include the required claims by default (iss, sub, aud, exp, iat). This scope must always be listed. - offline_access: The client is allowed to request an initial refresh token during the authorization code grant flow. This scope must be listed if allowedGrantTypes lists refresh_token. - pinniped:request-audience: The client is allowed to request a new audience value during a RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. openid, username and groups scopes must be listed when this scope is present. This scope must be listed if allowedGrantTypes lists urn:ietf:params:oauth:grant-type:token-exchange. - username: The client is allowed to request that ID tokens contain the user's username. Without the username scope being requested and allowed, the ID token will not contain the user's username. - groups: The client is allowed to request that ID tokens contain the user's group membership, if their group membership is discoverable by the Supervisor. Without the groups scope being requested and allowed, the ID token will not contain groups. + Must only contain the following values: - openid: The client is allowed to request ID tokens. ID tokens only include the required claims by default (iss, sub, aud, exp, iat). This scope must always be listed. - offline_access: The client is allowed to request an initial refresh token during the authorization code grant flow. This scope must be listed if allowedGrantTypes lists refresh_token. - pinniped:request-audience: The client is allowed to request a new audience value during a RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. openid, username and groups scopes must be listed when this scope is present. This scope must be listed if allowedGrantTypes lists urn:ietf:params:oauth:grant-type:token-exchange. 
- username: The client is allowed to request that ID tokens contain the user's username. Without the username scope being requested and allowed, the ID token will not contain the user's username. - groups: The client is allowed to request that ID tokens contain the user's group membership, if their group membership is discoverable by the Supervisor. Without the groups scope being requested and allowed, the ID token will not contain groups. |=== diff --git a/generated/1.22/README.adoc b/generated/1.22/README.adoc index 55db1f5b..26125e76 100644 --- a/generated/1.22/README.adoc +++ b/generated/1.22/README.adoc 
@@ -1380,9 +1380,9 @@ OIDCClientSpec is a struct that describes an OIDC Client. | Field | Description | *`allowedRedirectURIs`* __string array__ | allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this client. Any other uris will be rejected. Must be https, unless it is a loopback. | *`allowedGrantTypes`* __GrantType array__ | allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this client. - Must only contain the following values: - authorization_code: allows the client to perform the authorization code grant flow, i.e. allows the webapp to authenticate users. This grant must always be listed. - refresh_token: allows the client to perform refresh grants for the user to extend the user's session. This grant must be listed if allowedScopes lists offline_access. - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. This grant must be listed if allowedScopes lists pinniped:request-audience. + Must only contain the following values: - authorization_code: allows the client to perform the authorization code grant flow, i.e. allows the webapp to authenticate users. This grant must always be listed. - refresh_token: allows the client to perform refresh grants for the user to extend the user's session. This grant must be listed if allowedScopes lists offline_access. - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. This grant must be listed if allowedScopes lists pinniped:request-audience. | *`allowedScopes`* __Scope array__ | allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. 
- Must only contain the following values: - openid: The client is allowed to request ID tokens. ID tokens only include the required claims by default (iss, sub, aud, exp, iat). This scope must always be listed. - offline_access: The client is allowed to request an initial refresh token during the authorization code grant flow. This scope must be listed if allowedGrantTypes lists refresh_token. - pinniped:request-audience: The client is allowed to request a new audience value during a RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. openid, username and groups scopes must be listed when this scope is present. This scope must be listed if allowedGrantTypes lists urn:ietf:params:oauth:grant-type:token-exchange. - username: The client is allowed to request that ID tokens contain the user's username. Without the username scope being requested and allowed, the ID token will not contain the user's username. - groups: The client is allowed to request that ID tokens contain the user's group membership, if their group membership is discoverable by the Supervisor. Without the groups scope being requested and allowed, the ID token will not contain groups. + Must only contain the following values: - openid: The client is allowed to request ID tokens. ID tokens only include the required claims by default (iss, sub, aud, exp, iat). This scope must always be listed. - offline_access: The client is allowed to request an initial refresh token during the authorization code grant flow. This scope must be listed if allowedGrantTypes lists refresh_token. - pinniped:request-audience: The client is allowed to request a new audience value during a RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. openid, username and groups scopes must be listed when this scope is present. This scope must be listed if allowedGrantTypes lists urn:ietf:params:oauth:grant-type:token-exchange. 
- username: The client is allowed to request that ID tokens contain the user's username. Without the username scope being requested and allowed, the ID token will not contain the user's username. - groups: The client is allowed to request that ID tokens contain the user's group membership, if their group membership is discoverable by the Supervisor. Without the groups scope being requested and allowed, the ID token will not contain groups. |=== diff --git a/generated/1.23/README.adoc b/generated/1.23/README.adoc index d078f60c..c6cbd149 100644 --- a/generated/1.23/README.adoc +++ b/generated/1.23/README.adoc 
@@ -1380,9 +1380,9 @@ OIDCClientSpec is a struct that describes an OIDC Client. | Field | Description | *`allowedRedirectURIs`* __string array__ | allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this client. Any other uris will be rejected. Must be https, unless it is a loopback. | *`allowedGrantTypes`* __GrantType array__ | allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this client. - Must only contain the following values: - authorization_code: allows the client to perform the authorization code grant flow, i.e. allows the webapp to authenticate users. This grant must always be listed. - refresh_token: allows the client to perform refresh grants for the user to extend the user's session. This grant must be listed if allowedScopes lists offline_access. - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. This grant must be listed if allowedScopes lists pinniped:request-audience. + Must only contain the following values: - authorization_code: allows the client to perform the authorization code grant flow, i.e. allows the webapp to authenticate users. This grant must always be listed. - refresh_token: allows the client to perform refresh grants for the user to extend the user's session. This grant must be listed if allowedScopes lists offline_access. - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. This grant must be listed if allowedScopes lists pinniped:request-audience. | *`allowedScopes`* __Scope array__ | allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. 
- Must only contain the following values: - openid: The client is allowed to request ID tokens. ID tokens only include the required claims by default (iss, sub, aud, exp, iat). This scope must always be listed. - offline_access: The client is allowed to request an initial refresh token during the authorization code grant flow. This scope must be listed if allowedGrantTypes lists refresh_token. - pinniped:request-audience: The client is allowed to request a new audience value during a RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. openid, username and groups scopes must be listed when this scope is present. This scope must be listed if allowedGrantTypes lists urn:ietf:params:oauth:grant-type:token-exchange. - username: The client is allowed to request that ID tokens contain the user's username. Without the username scope being requested and allowed, the ID token will not contain the user's username. - groups: The client is allowed to request that ID tokens contain the user's group membership, if their group membership is discoverable by the Supervisor. Without the groups scope being requested and allowed, the ID token will not contain groups. + Must only contain the following values: - openid: The client is allowed to request ID tokens. ID tokens only include the required claims by default (iss, sub, aud, exp, iat). This scope must always be listed. - offline_access: The client is allowed to request an initial refresh token during the authorization code grant flow. This scope must be listed if allowedGrantTypes lists refresh_token. - pinniped:request-audience: The client is allowed to request a new audience value during a RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. openid, username and groups scopes must be listed when this scope is present. This scope must be listed if allowedGrantTypes lists urn:ietf:params:oauth:grant-type:token-exchange. 
- username: The client is allowed to request that ID tokens contain the user's username. Without the username scope being requested and allowed, the ID token will not contain the user's username. - groups: The client is allowed to request that ID tokens contain the user's group membership, if their group membership is discoverable by the Supervisor. Without the groups scope being requested and allowed, the ID token will not contain groups. |=== diff --git a/generated/1.23/client/concierge/clientset/versioned/clientset.go b/generated/1.23/client/concierge/clientset/versioned/clientset.go index e026c5f0..ba3cb60b 100644 --- a/generated/1.23/client/concierge/clientset/versioned/clientset.go +++ b/generated/1.23/client/concierge/clientset/versioned/clientset.go @@ -72,10 +72,6 @@ func (c *Clientset) Discovery() discovery.DiscoveryInterface { func NewForConfig(c *rest.Config) (*Clientset, error) { configShallowCopy := *c - if configShallowCopy.UserAgent == "" { - configShallowCopy.UserAgent = rest.DefaultKubernetesUserAgent() - } - // share the transport between all clients httpClient, err := rest.HTTPClientFor(&configShallowCopy) if err != nil { diff --git a/generated/1.23/client/supervisor/clientset/versioned/clientset.go b/generated/1.23/client/supervisor/clientset/versioned/clientset.go index 0347d1bb..b0f81c08 100644 --- a/generated/1.23/client/supervisor/clientset/versioned/clientset.go +++ b/generated/1.23/client/supervisor/clientset/versioned/clientset.go @@ -64,10 +64,6 @@ func (c *Clientset) Discovery() discovery.DiscoveryInterface { func NewForConfig(c *rest.Config) (*Clientset, error) { configShallowCopy := *c - if configShallowCopy.UserAgent == "" { - configShallowCopy.UserAgent = rest.DefaultKubernetesUserAgent() - } - // share the transport between all clients httpClient, err := rest.HTTPClientFor(&configShallowCopy) if err != nil { From 157b5a70796fec7d28c3044caa40ffe00be1d5d5 Mon Sep 17 00:00:00 2001 
From: Margo Crawford Date: Fri, 10 Jun 2022 07:55:46 -0700 Subject: [PATCH 10/61] Update 1.24 codegen 
Signed-off-by: Margo Crawford --- generated/1.24/README.adoc | 94 +++++++++++++ .../1.24/apis/supervisor/virtual/oauth/doc.go | 8 ++ .../apis/supervisor/virtual/oauth/register.go | 37 +++++ .../oauth/types_oidcclientsecretrequest.go | 25 ++++ .../virtual/oauth/v1alpha1/conversion.go | 4 + .../virtual/oauth/v1alpha1/defaults.go | 12 ++ .../supervisor/virtual/oauth/v1alpha1/doc.go | 11 ++ .../virtual/oauth/v1alpha1/register.go | 42 ++++++ .../v1alpha1/types_oidcclientsecretrequest.go | 28 ++++ .../oauth/v1alpha1/zz_generated.conversion.go | 131 ++++++++++++++++++ .../oauth/v1alpha1/zz_generated.deepcopy.go | 73 ++++++++++ .../oauth/v1alpha1/zz_generated.defaults.go | 20 +++ .../virtual/oauth/zz_generated.deepcopy.go | 73 ++++++++++ .../virtual/clientset/versioned/clientset.go | 108 +++++++++++++++ .../virtual/clientset/versioned/doc.go | 7 + .../versioned/fake/clientset_generated.go | 72 ++++++++++ .../virtual/clientset/versioned/fake/doc.go | 7 + .../clientset/versioned/fake/register.go | 43 ++++++ .../virtual/clientset/versioned/scheme/doc.go | 7 + .../clientset/versioned/scheme/register.go | 43 ++++++ .../versioned/typed/oauth/v1alpha1/doc.go | 7 + .../typed/oauth/v1alpha1/fake/doc.go | 7 + .../oauth/v1alpha1/fake/fake_oauth_client.go | 27 ++++ .../fake/fake_oidcclientsecretrequest.go | 36 +++++ .../oauth/v1alpha1/generated_expansion.go | 8 ++ .../typed/oauth/v1alpha1/oauth_client.go | 94 +++++++++++++ .../oauth/v1alpha1/oidcclientsecretrequest.go | 54 ++++++++ .../virtual/clientset/versioned/clientset.go | 4 + 28 files changed, 1082 insertions(+) create mode 100644 generated/1.24/apis/supervisor/virtual/oauth/doc.go create mode 100644 generated/1.24/apis/supervisor/virtual/oauth/register.go create mode 100644 generated/1.24/apis/supervisor/virtual/oauth/types_oidcclientsecretrequest.go create mode 100644 generated/1.24/apis/supervisor/virtual/oauth/v1alpha1/conversion.go create mode 100644 generated/1.24/apis/supervisor/virtual/oauth/v1alpha1/defaults.go create 
mode 100644 generated/1.24/apis/supervisor/virtual/oauth/v1alpha1/doc.go create mode 100644 generated/1.24/apis/supervisor/virtual/oauth/v1alpha1/register.go create mode 100644 generated/1.24/apis/supervisor/virtual/oauth/v1alpha1/types_oidcclientsecretrequest.go create mode 100644 generated/1.24/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.conversion.go create mode 100644 generated/1.24/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.deepcopy.go create mode 100644 generated/1.24/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.defaults.go create mode 100644 generated/1.24/apis/supervisor/virtual/oauth/zz_generated.deepcopy.go create mode 100644 generated/1.24/client/supervisor/virtual/clientset/versioned/clientset.go create mode 100644 generated/1.24/client/supervisor/virtual/clientset/versioned/doc.go create mode 100644 generated/1.24/client/supervisor/virtual/clientset/versioned/fake/clientset_generated.go create mode 100644 generated/1.24/client/supervisor/virtual/clientset/versioned/fake/doc.go create mode 100644 generated/1.24/client/supervisor/virtual/clientset/versioned/fake/register.go create mode 100644 generated/1.24/client/supervisor/virtual/clientset/versioned/scheme/doc.go create mode 100644 generated/1.24/client/supervisor/virtual/clientset/versioned/scheme/register.go create mode 100644 generated/1.24/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/doc.go create mode 100644 generated/1.24/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go create mode 100644 generated/1.24/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go create mode 100644 generated/1.24/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oidcclientsecretrequest.go create mode 100644 generated/1.24/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go create mode 100644 
generated/1.24/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go create mode 100644 generated/1.24/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/oidcclientsecretrequest.go diff --git a/generated/1.24/README.adoc b/generated/1.24/README.adoc index 381b2f7e..d1eff286 100644 --- a/generated/1.24/README.adoc +++ b/generated/1.24/README.adoc @@ -13,6 +13,8 @@ - xref:{anchor_prefix}-idp-supervisor-pinniped-dev-v1alpha1[$$idp.supervisor.pinniped.dev/v1alpha1$$] - xref:{anchor_prefix}-login-concierge-pinniped-dev-v1alpha1[$$login.concierge.pinniped.dev/v1alpha1$$] - xref:{anchor_prefix}-oauth-supervisor-pinniped-dev-v1alpha1[$$oauth.supervisor.pinniped.dev/v1alpha1$$] +- xref:{anchor_prefix}-oauth-virtual-supervisor-pinniped-dev-oauth[$$oauth.virtual.supervisor.pinniped.dev/oauth$$] +- xref:{anchor_prefix}-oauth-virtual-supervisor-pinniped-dev-v1alpha1[$$oauth.virtual.supervisor.pinniped.dev/v1alpha1$$] [id="{anchor_prefix}-authentication-concierge-pinniped-dev-v1alpha1"] 
@@ -1386,3 +1388,95 @@ OIDCClientSpec is a struct that describes an OIDC Client. + +[id="{anchor_prefix}-oauth-virtual-supervisor-pinniped-dev-oauth"] +=== oauth.virtual.supervisor.pinniped.dev/oauth + +Package oauth is the internal version of the Pinniped virtual oauth API. + + + + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-virtual-oauth-oidcclientsecretrequestspec"] +==== OIDCClientSecretRequestSpec + + + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-virtual-oauth-oidcclientsecretrequest[$$OIDCClientSecretRequest$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`generateNewSecret`* __boolean__ | +| *`revokeOldSecrets`* __boolean__ | +|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-virtual-oauth-oidcclientsecretrequeststatus"] +==== OIDCClientSecretRequestStatus + + + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-virtual-oauth-oidcclientsecretrequest[$$OIDCClientSecretRequest$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`generatedSecret`* __string__ | +| *`totalClientSecrets`* __integer__ | +|=== + + + +[id="{anchor_prefix}-oauth-virtual-supervisor-pinniped-dev-v1alpha1"] +=== oauth.virtual.supervisor.pinniped.dev/v1alpha1 + +Package v1alpha1 is the v1alpha1 version of the Pinniped virtual oauth API. 
+ + + + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-virtual-oauth-v1alpha1-oidcclientsecretrequestspec"] +==== OIDCClientSecretRequestSpec + + + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-virtual-oauth-v1alpha1-oidcclientsecretrequest[$$OIDCClientSecretRequest$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`generateNewSecret`* __boolean__ | +| *`revokeOldSecrets`* __boolean__ | +|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-virtual-oauth-v1alpha1-oidcclientsecretrequeststatus"] +==== OIDCClientSecretRequestStatus + + + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-virtual-oauth-v1alpha1-oidcclientsecretrequest[$$OIDCClientSecretRequest$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`generatedSecret`* __string__ | +| *`totalClientSecrets`* __integer__ | +|=== + + diff --git a/generated/1.24/apis/supervisor/virtual/oauth/doc.go b/generated/1.24/apis/supervisor/virtual/oauth/doc.go new file mode 100644 index 00000000..ca4e9a63 --- /dev/null +++ b/generated/1.24/apis/supervisor/virtual/oauth/doc.go @@ -0,0 +1,8 @@ +// Copyright 2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// +k8s:deepcopy-gen=package +// +groupName=oauth.virtual.supervisor.pinniped.dev + +// Package oauth is the internal version of the Pinniped virtual oauth API. +package oauth diff --git a/generated/1.24/apis/supervisor/virtual/oauth/register.go b/generated/1.24/apis/supervisor/virtual/oauth/register.go new file mode 100644 index 00000000..a238d85f --- /dev/null +++ b/generated/1.24/apis/supervisor/virtual/oauth/register.go 
@@ -0,0 +1,37 @@ +// Copyright 2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +package oauth + +import ( + "k8s.io/apimachinery/pkg/runtime" + "k8s.io/apimachinery/pkg/runtime/schema" +) + +const GroupName = "oauth.virtual.supervisor.pinniped.dev" + +// SchemeGroupVersion is group version used to register these objects. +var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: runtime.APIVersionInternal} + +// Kind takes an unqualified kind and returns back a Group qualified GroupKind. +func Kind(kind string) schema.GroupKind { + return SchemeGroupVersion.WithKind(kind).GroupKind() +} + +// Resource takes an unqualified resource and returns back a Group qualified GroupResource. +func Resource(resource string) schema.GroupResource { + return SchemeGroupVersion.WithResource(resource).GroupResource() +} + +var ( + SchemeBuilder = runtime.NewSchemeBuilder(addKnownTypes) + AddToScheme = SchemeBuilder.AddToScheme +) + +// Adds the list of known types to the given scheme. +func addKnownTypes(scheme *runtime.Scheme) error { + scheme.AddKnownTypes(SchemeGroupVersion, + &OIDCClientSecretRequest{}, + ) + return nil +} diff --git a/generated/1.24/apis/supervisor/virtual/oauth/types_oidcclientsecretrequest.go b/generated/1.24/apis/supervisor/virtual/oauth/types_oidcclientsecretrequest.go new file mode 100644 index 00000000..ac54a93c --- /dev/null +++ b/generated/1.24/apis/supervisor/virtual/oauth/types_oidcclientsecretrequest.go 
@@ -0,0 +1,25 @@ +// Copyright 2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +package oauth + +import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + +type OIDCClientSecretRequestSpec struct { + GenerateNewSecret bool `json:"generateNewSecret"` + RevokeOldSecrets bool `json:"revokeOldSecrets"` +} + +type OIDCClientSecretRequestStatus struct { + GeneratedSecret string `json:"generatedSecret,omitempty"` + TotalClientSecrets int `json:"totalClientSecrets"` +} + +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +type OIDCClientSecretRequest struct { + metav1.TypeMeta `json:",inline"` + metav1.ObjectMeta `json:"metadata,omitempty"` // metadata.name must be set to the client ID + + Spec OIDCClientSecretRequestSpec `json:"spec"` + Status OIDCClientSecretRequestStatus `json:"status"` +} diff --git a/generated/1.24/apis/supervisor/virtual/oauth/v1alpha1/conversion.go b/generated/1.24/apis/supervisor/virtual/oauth/v1alpha1/conversion.go new file mode 100644 index 00000000..fcf4e82f --- /dev/null +++ b/generated/1.24/apis/supervisor/virtual/oauth/v1alpha1/conversion.go @@ -0,0 +1,4 @@ +// Copyright 2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +package v1alpha1 diff --git a/generated/1.24/apis/supervisor/virtual/oauth/v1alpha1/defaults.go b/generated/1.24/apis/supervisor/virtual/oauth/v1alpha1/defaults.go new file mode 100644 index 00000000..d4f5a9e8 --- /dev/null +++ b/generated/1.24/apis/supervisor/virtual/oauth/v1alpha1/defaults.go @@ -0,0 +1,12 @@ +// Copyright 2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +package v1alpha1 + +import ( + "k8s.io/apimachinery/pkg/runtime" +) + +func addDefaultingFuncs(scheme *runtime.Scheme) error { + return RegisterDefaults(scheme) +} 
diff --git a/generated/1.24/apis/supervisor/virtual/oauth/v1alpha1/doc.go b/generated/1.24/apis/supervisor/virtual/oauth/v1alpha1/doc.go new file mode 100644 index 00000000..e41fce90 --- /dev/null +++ b/generated/1.24/apis/supervisor/virtual/oauth/v1alpha1/doc.go @@ -0,0 +1,11 @@ +// Copyright 2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// +k8s:openapi-gen=true +// +k8s:deepcopy-gen=package +// +k8s:conversion-gen=go.pinniped.dev/generated/1.24/apis/supervisor/virtual/oauth +// +k8s:defaulter-gen=TypeMeta +// +groupName=oauth.virtual.supervisor.pinniped.dev + +// Package v1alpha1 is the v1alpha1 version of the Pinniped virtual oauth API. +package v1alpha1 diff --git a/generated/1.24/apis/supervisor/virtual/oauth/v1alpha1/register.go b/generated/1.24/apis/supervisor/virtual/oauth/v1alpha1/register.go new file mode 100644 index 00000000..ecc75a08 --- /dev/null +++ b/generated/1.24/apis/supervisor/virtual/oauth/v1alpha1/register.go 
@@ -0,0 +1,42 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import (
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/apimachinery/pkg/runtime"
+ "k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+const GroupName = "oauth.virtual.supervisor.pinniped.dev"
+
+// SchemeGroupVersion is group version used to register these objects.
+var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha1"}
+
+var (
+ SchemeBuilder runtime.SchemeBuilder
+ localSchemeBuilder = &SchemeBuilder
+ AddToScheme = SchemeBuilder.AddToScheme
+)
+
+func init() {
+ // We only register manually written functions here. The registration of the
+ // generated functions takes place in the generated files. The separation
+ // makes the code compile even when the generated files are missing.
+ localSchemeBuilder.Register(addKnownTypes, addDefaultingFuncs)
+}
+
+// Adds the list of known types to the given scheme.
+func addKnownTypes(scheme *runtime.Scheme) error {
+ scheme.AddKnownTypes(SchemeGroupVersion,
+ &OIDCClientSecretRequest{},
+ )
+ metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
+ return nil
+}
+
+// Resource takes an unqualified resource and returns back a Group qualified GroupResource.
+func Resource(resource string) schema.GroupResource {
+ return SchemeGroupVersion.WithResource(resource).GroupResource()
+}
diff --git a/generated/1.24/apis/supervisor/virtual/oauth/v1alpha1/types_oidcclientsecretrequest.go b/generated/1.24/apis/supervisor/virtual/oauth/v1alpha1/types_oidcclientsecretrequest.go
new file mode 100644
index 00000000..dda2f3bb
--- /dev/null
+++ b/generated/1.24/apis/supervisor/virtual/oauth/v1alpha1/types_oidcclientsecretrequest.go
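Review bot: `addKnownTypes` registers `OIDCClientSecretRequest` with no companion List kind, which is deliberate given the `+genclient:onlyVerbs=create` marker on the type in the next hunk but looks like an omission next to the OIDCClient type this patch adds with listers and informers; a one-line comment would prevent a later "fix", e.g. `// No OIDCClientSecretRequestList is registered: the resource is create-only (+genclient:onlyVerbs=create).` The exported `GroupName`, `SchemeBuilder` and `AddToScheme` identifiers also lack doc comments, and the comment on `addKnownTypes` does not start with the function name as the others in the file do.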
@@ -0,0 +1,28 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+type OIDCClientSecretRequestSpec struct {
+ GenerateNewSecret bool `json:"generateNewSecret"`
+ RevokeOldSecrets bool `json:"revokeOldSecrets"`
+}
+
+type OIDCClientSecretRequestStatus struct {
+ GeneratedSecret string `json:"generatedSecret,omitempty"`
+ TotalClientSecrets int `json:"totalClientSecrets"`
+}
+
+// +genclient
+// +genclient:onlyVerbs=create
+// +kubebuilder:subresource:status
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+type OIDCClientSecretRequest struct {
+ metav1.TypeMeta `json:",inline"`
+ metav1.ObjectMeta `json:"metadata,omitempty"` // metadata.name must be set to the client ID
+
+ Spec OIDCClientSecretRequestSpec `json:"spec"`
+ Status OIDCClientSecretRequestStatus `json:"status"`
+}
diff --git a/generated/1.24/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.conversion.go b/generated/1.24/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.conversion.go
new file mode 100644
index 00000000..35815fbe
--- /dev/null
+++ b/generated/1.24/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.conversion.go
@@ -0,0 +1,131 @@ +//go:build !ignore_autogenerated +// +build !ignore_autogenerated + +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by conversion-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + oauth "go.pinniped.dev/generated/1.24/apis/supervisor/virtual/oauth" + conversion "k8s.io/apimachinery/pkg/conversion" + runtime "k8s.io/apimachinery/pkg/runtime" +) + +func init() { + localSchemeBuilder.Register(RegisterConversions) +} + +// RegisterConversions adds conversion functions to the given scheme. +// Public to allow building arbitrary schemes. +func RegisterConversions(s *runtime.Scheme) error { + if err := s.AddGeneratedConversionFunc((*OIDCClientSecretRequest)(nil), (*oauth.OIDCClientSecretRequest)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_v1alpha1_OIDCClientSecretRequest_To_oauth_OIDCClientSecretRequest(a.(*OIDCClientSecretRequest), b.(*oauth.OIDCClientSecretRequest), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*oauth.OIDCClientSecretRequest)(nil), (*OIDCClientSecretRequest)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_oauth_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest(a.(*oauth.OIDCClientSecretRequest), b.(*OIDCClientSecretRequest), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*OIDCClientSecretRequestSpec)(nil), (*oauth.OIDCClientSecretRequestSpec)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_v1alpha1_OIDCClientSecretRequestSpec_To_oauth_OIDCClientSecretRequestSpec(a.(*OIDCClientSecretRequestSpec), b.(*oauth.OIDCClientSecretRequestSpec), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*oauth.OIDCClientSecretRequestSpec)(nil), (*OIDCClientSecretRequestSpec)(nil), func(a, b interface{}, scope conversion.Scope) error { + return 
Convert_oauth_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec(a.(*oauth.OIDCClientSecretRequestSpec), b.(*OIDCClientSecretRequestSpec), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*OIDCClientSecretRequestStatus)(nil), (*oauth.OIDCClientSecretRequestStatus)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_v1alpha1_OIDCClientSecretRequestStatus_To_oauth_OIDCClientSecretRequestStatus(a.(*OIDCClientSecretRequestStatus), b.(*oauth.OIDCClientSecretRequestStatus), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*oauth.OIDCClientSecretRequestStatus)(nil), (*OIDCClientSecretRequestStatus)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_oauth_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus(a.(*oauth.OIDCClientSecretRequestStatus), b.(*OIDCClientSecretRequestStatus), scope) + }); err != nil { + return err + } + return nil +} + +func autoConvert_v1alpha1_OIDCClientSecretRequest_To_oauth_OIDCClientSecretRequest(in *OIDCClientSecretRequest, out *oauth.OIDCClientSecretRequest, s conversion.Scope) error { + out.ObjectMeta = in.ObjectMeta + if err := Convert_v1alpha1_OIDCClientSecretRequestSpec_To_oauth_OIDCClientSecretRequestSpec(&in.Spec, &out.Spec, s); err != nil { + return err + } + if err := Convert_v1alpha1_OIDCClientSecretRequestStatus_To_oauth_OIDCClientSecretRequestStatus(&in.Status, &out.Status, s); err != nil { + return err + } + return nil +} + +// Convert_v1alpha1_OIDCClientSecretRequest_To_oauth_OIDCClientSecretRequest is an autogenerated conversion function. 
+func Convert_v1alpha1_OIDCClientSecretRequest_To_oauth_OIDCClientSecretRequest(in *OIDCClientSecretRequest, out *oauth.OIDCClientSecretRequest, s conversion.Scope) error { + return autoConvert_v1alpha1_OIDCClientSecretRequest_To_oauth_OIDCClientSecretRequest(in, out, s) +} + +func autoConvert_oauth_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest(in *oauth.OIDCClientSecretRequest, out *OIDCClientSecretRequest, s conversion.Scope) error { + out.ObjectMeta = in.ObjectMeta + if err := Convert_oauth_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec(&in.Spec, &out.Spec, s); err != nil { + return err + } + if err := Convert_oauth_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus(&in.Status, &out.Status, s); err != nil { + return err + } + return nil +} + +// Convert_oauth_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest is an autogenerated conversion function. +func Convert_oauth_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest(in *oauth.OIDCClientSecretRequest, out *OIDCClientSecretRequest, s conversion.Scope) error { + return autoConvert_oauth_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest(in, out, s) +} + +func autoConvert_v1alpha1_OIDCClientSecretRequestSpec_To_oauth_OIDCClientSecretRequestSpec(in *OIDCClientSecretRequestSpec, out *oauth.OIDCClientSecretRequestSpec, s conversion.Scope) error { + out.GenerateNewSecret = in.GenerateNewSecret + out.RevokeOldSecrets = in.RevokeOldSecrets + return nil +} + +// Convert_v1alpha1_OIDCClientSecretRequestSpec_To_oauth_OIDCClientSecretRequestSpec is an autogenerated conversion function. 
+func Convert_v1alpha1_OIDCClientSecretRequestSpec_To_oauth_OIDCClientSecretRequestSpec(in *OIDCClientSecretRequestSpec, out *oauth.OIDCClientSecretRequestSpec, s conversion.Scope) error { + return autoConvert_v1alpha1_OIDCClientSecretRequestSpec_To_oauth_OIDCClientSecretRequestSpec(in, out, s) +} + +func autoConvert_oauth_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec(in *oauth.OIDCClientSecretRequestSpec, out *OIDCClientSecretRequestSpec, s conversion.Scope) error { + out.GenerateNewSecret = in.GenerateNewSecret + out.RevokeOldSecrets = in.RevokeOldSecrets + return nil +} + +// Convert_oauth_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec is an autogenerated conversion function. +func Convert_oauth_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec(in *oauth.OIDCClientSecretRequestSpec, out *OIDCClientSecretRequestSpec, s conversion.Scope) error { + return autoConvert_oauth_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec(in, out, s) +} + +func autoConvert_v1alpha1_OIDCClientSecretRequestStatus_To_oauth_OIDCClientSecretRequestStatus(in *OIDCClientSecretRequestStatus, out *oauth.OIDCClientSecretRequestStatus, s conversion.Scope) error { + out.GeneratedSecret = in.GeneratedSecret + out.TotalClientSecrets = in.TotalClientSecrets + return nil +} + +// Convert_v1alpha1_OIDCClientSecretRequestStatus_To_oauth_OIDCClientSecretRequestStatus is an autogenerated conversion function. 
+func Convert_v1alpha1_OIDCClientSecretRequestStatus_To_oauth_OIDCClientSecretRequestStatus(in *OIDCClientSecretRequestStatus, out *oauth.OIDCClientSecretRequestStatus, s conversion.Scope) error { + return autoConvert_v1alpha1_OIDCClientSecretRequestStatus_To_oauth_OIDCClientSecretRequestStatus(in, out, s) +} + +func autoConvert_oauth_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus(in *oauth.OIDCClientSecretRequestStatus, out *OIDCClientSecretRequestStatus, s conversion.Scope) error { + out.GeneratedSecret = in.GeneratedSecret + out.TotalClientSecrets = in.TotalClientSecrets + return nil +} + +// Convert_oauth_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus is an autogenerated conversion function. +func Convert_oauth_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus(in *oauth.OIDCClientSecretRequestStatus, out *OIDCClientSecretRequestStatus, s conversion.Scope) error { + return autoConvert_oauth_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus(in, out, s) +} diff --git a/generated/1.24/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.deepcopy.go b/generated/1.24/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.deepcopy.go new file mode 100644 index 00000000..e4fce842 --- /dev/null +++ b/generated/1.24/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.deepcopy.go 
@@ -0,0 +1,73 @@ +//go:build !ignore_autogenerated +// +build !ignore_autogenerated + +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by deepcopy-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + runtime "k8s.io/apimachinery/pkg/runtime" +) + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCClientSecretRequest) DeepCopyInto(out *OIDCClientSecretRequest) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + out.Spec = in.Spec + out.Status = in.Status + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSecretRequest. +func (in *OIDCClientSecretRequest) DeepCopy() *OIDCClientSecretRequest { + if in == nil { + return nil + } + out := new(OIDCClientSecretRequest) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *OIDCClientSecretRequest) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCClientSecretRequestSpec) DeepCopyInto(out *OIDCClientSecretRequestSpec) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSecretRequestSpec. +func (in *OIDCClientSecretRequestSpec) DeepCopy() *OIDCClientSecretRequestSpec { + if in == nil { + return nil + } + out := new(OIDCClientSecretRequestSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *OIDCClientSecretRequestStatus) DeepCopyInto(out *OIDCClientSecretRequestStatus) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSecretRequestStatus. +func (in *OIDCClientSecretRequestStatus) DeepCopy() *OIDCClientSecretRequestStatus { + if in == nil { + return nil + } + out := new(OIDCClientSecretRequestStatus) + in.DeepCopyInto(out) + return out +} diff --git a/generated/1.24/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.defaults.go b/generated/1.24/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.defaults.go new file mode 100644 index 00000000..9097a935 --- /dev/null +++ b/generated/1.24/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.defaults.go @@ -0,0 +1,20 @@ +//go:build !ignore_autogenerated +// +build !ignore_autogenerated + +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by defaulter-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + runtime "k8s.io/apimachinery/pkg/runtime" +) + +// RegisterDefaults adds defaulters functions to the given scheme. +// Public to allow building arbitrary schemes. +// All generated defaulters are covering - they call all nested defaulters. +func RegisterDefaults(scheme *runtime.Scheme) error { + return nil +} diff --git a/generated/1.24/apis/supervisor/virtual/oauth/zz_generated.deepcopy.go b/generated/1.24/apis/supervisor/virtual/oauth/zz_generated.deepcopy.go new file mode 100644 index 00000000..24b58e7b --- /dev/null +++ b/generated/1.24/apis/supervisor/virtual/oauth/zz_generated.deepcopy.go 
@@ -0,0 +1,73 @@ +//go:build !ignore_autogenerated +// +build !ignore_autogenerated + +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by deepcopy-gen. DO NOT EDIT. + +package oauth + +import ( + runtime "k8s.io/apimachinery/pkg/runtime" +) + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCClientSecretRequest) DeepCopyInto(out *OIDCClientSecretRequest) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + out.Spec = in.Spec + out.Status = in.Status + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSecretRequest. +func (in *OIDCClientSecretRequest) DeepCopy() *OIDCClientSecretRequest { + if in == nil { + return nil + } + out := new(OIDCClientSecretRequest) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *OIDCClientSecretRequest) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCClientSecretRequestSpec) DeepCopyInto(out *OIDCClientSecretRequestSpec) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSecretRequestSpec. +func (in *OIDCClientSecretRequestSpec) DeepCopy() *OIDCClientSecretRequestSpec { + if in == nil { + return nil + } + out := new(OIDCClientSecretRequestSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *OIDCClientSecretRequestStatus) DeepCopyInto(out *OIDCClientSecretRequestStatus) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSecretRequestStatus. +func (in *OIDCClientSecretRequestStatus) DeepCopy() *OIDCClientSecretRequestStatus { + if in == nil { + return nil + } + out := new(OIDCClientSecretRequestStatus) + in.DeepCopyInto(out) + return out +} diff --git a/generated/1.24/client/supervisor/virtual/clientset/versioned/clientset.go b/generated/1.24/client/supervisor/virtual/clientset/versioned/clientset.go new file mode 100644 index 00000000..bc5111f5 --- /dev/null +++ b/generated/1.24/client/supervisor/virtual/clientset/versioned/clientset.go 
@@ -0,0 +1,108 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package versioned + +import ( + "fmt" + "net/http" + + oauthv1alpha1 "go.pinniped.dev/generated/1.24/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1" + discovery "k8s.io/client-go/discovery" + rest "k8s.io/client-go/rest" + flowcontrol "k8s.io/client-go/util/flowcontrol" +) + +type Interface interface { + Discovery() discovery.DiscoveryInterface + OauthV1alpha1() oauthv1alpha1.OauthV1alpha1Interface +} + +// Clientset contains the clients for groups. Each group has exactly one +// version included in a Clientset. +type Clientset struct { + *discovery.DiscoveryClient + oauthV1alpha1 *oauthv1alpha1.OauthV1alpha1Client +} + +// OauthV1alpha1 retrieves the OauthV1alpha1Client +func (c *Clientset) OauthV1alpha1() oauthv1alpha1.OauthV1alpha1Interface { + return c.oauthV1alpha1 +} + +// Discovery retrieves the DiscoveryClient +func (c *Clientset) Discovery() discovery.DiscoveryInterface { + if c == nil { + return nil + } + return c.DiscoveryClient +} + +// NewForConfig creates a new Clientset for the given config. +// If config's RateLimiter is not set and QPS and Burst are acceptable, +// NewForConfig will generate a rate-limiter in configShallowCopy. +// NewForConfig is equivalent to NewForConfigAndClient(c, httpClient), +// where httpClient was generated with rest.HTTPClientFor(c). 
+func NewForConfig(c *rest.Config) (*Clientset, error) { + configShallowCopy := *c + + if configShallowCopy.UserAgent == "" { + configShallowCopy.UserAgent = rest.DefaultKubernetesUserAgent() + } + + // share the transport between all clients + httpClient, err := rest.HTTPClientFor(&configShallowCopy) + if err != nil { + return nil, err + } + + return NewForConfigAndClient(&configShallowCopy, httpClient) +} + +// NewForConfigAndClient creates a new Clientset for the given config and http client. +// Note the http client provided takes precedence over the configured transport values. +// If config's RateLimiter is not set and QPS and Burst are acceptable, +// NewForConfigAndClient will generate a rate-limiter in configShallowCopy. +func NewForConfigAndClient(c *rest.Config, httpClient *http.Client) (*Clientset, error) { + configShallowCopy := *c + if configShallowCopy.RateLimiter == nil && configShallowCopy.QPS > 0 { + if configShallowCopy.Burst <= 0 { + return nil, fmt.Errorf("burst is required to be greater than 0 when RateLimiter is not set and QPS is set to greater than 0") + } + configShallowCopy.RateLimiter = flowcontrol.NewTokenBucketRateLimiter(configShallowCopy.QPS, configShallowCopy.Burst) + } + + var cs Clientset + var err error + cs.oauthV1alpha1, err = oauthv1alpha1.NewForConfigAndClient(&configShallowCopy, httpClient) + if err != nil { + return nil, err + } + + cs.DiscoveryClient, err = discovery.NewDiscoveryClientForConfigAndClient(&configShallowCopy, httpClient) + if err != nil { + return nil, err + } + return &cs, nil +} + +// NewForConfigOrDie creates a new Clientset for the given config and +// panics if there is an error in the config. +func NewForConfigOrDie(c *rest.Config) *Clientset { + cs, err := NewForConfig(c) + if err != nil { + panic(err) + } + return cs +} + +// New creates a new Clientset for the given RESTClient. 
+func New(c rest.Interface) *Clientset { + var cs Clientset + cs.oauthV1alpha1 = oauthv1alpha1.New(c) + + cs.DiscoveryClient = discovery.NewDiscoveryClient(c) + return &cs +} diff --git a/generated/1.24/client/supervisor/virtual/clientset/versioned/doc.go b/generated/1.24/client/supervisor/virtual/clientset/versioned/doc.go new file mode 100644 index 00000000..5dc02e6e --- /dev/null +++ b/generated/1.24/client/supervisor/virtual/clientset/versioned/doc.go @@ -0,0 +1,7 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +// This package has the automatically generated clientset. +package versioned diff --git a/generated/1.24/client/supervisor/virtual/clientset/versioned/fake/clientset_generated.go b/generated/1.24/client/supervisor/virtual/clientset/versioned/fake/clientset_generated.go new file mode 100644 index 00000000..ad40c879 --- /dev/null +++ b/generated/1.24/client/supervisor/virtual/clientset/versioned/fake/clientset_generated.go 
@@ -0,0 +1,72 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package fake + +import ( + clientset "go.pinniped.dev/generated/1.24/client/supervisor/virtual/clientset/versioned" + oauthv1alpha1 "go.pinniped.dev/generated/1.24/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1" + fakeoauthv1alpha1 "go.pinniped.dev/generated/1.24/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake" + "k8s.io/apimachinery/pkg/runtime" + "k8s.io/apimachinery/pkg/watch" + "k8s.io/client-go/discovery" + fakediscovery "k8s.io/client-go/discovery/fake" + "k8s.io/client-go/testing" +) + +// NewSimpleClientset returns a clientset that will respond with the provided objects. +// It's backed by a very simple object tracker that processes creates, updates and deletions as-is, +// without applying any validations and/or defaults. It shouldn't be considered a replacement +// for a real clientset and is mostly useful in simple unit tests. +func NewSimpleClientset(objects ...runtime.Object) *Clientset { + o := testing.NewObjectTracker(scheme, codecs.UniversalDecoder()) + for _, obj := range objects { + if err := o.Add(obj); err != nil { + panic(err) + } + } + + cs := &Clientset{tracker: o} + cs.discovery = &fakediscovery.FakeDiscovery{Fake: &cs.Fake} + cs.AddReactor("*", "*", testing.ObjectReaction(o)) + cs.AddWatchReactor("*", func(action testing.Action) (handled bool, ret watch.Interface, err error) { + gvr := action.GetResource() + ns := action.GetNamespace() + watch, err := o.Watch(gvr, ns) + if err != nil { + return false, nil, err + } + return true, watch, nil + }) + + return cs +} + +// Clientset implements clientset.Interface. Meant to be embedded into a +// struct to get a default implementation. This makes faking out just the method +// you want to test easier. 
+type Clientset struct { + testing.Fake + discovery *fakediscovery.FakeDiscovery + tracker testing.ObjectTracker +} + +func (c *Clientset) Discovery() discovery.DiscoveryInterface { + return c.discovery +} + +func (c *Clientset) Tracker() testing.ObjectTracker { + return c.tracker +} + +var ( + _ clientset.Interface = &Clientset{} + _ testing.FakeClient = &Clientset{} +) + +// OauthV1alpha1 retrieves the OauthV1alpha1Client +func (c *Clientset) OauthV1alpha1() oauthv1alpha1.OauthV1alpha1Interface { + return &fakeoauthv1alpha1.FakeOauthV1alpha1{Fake: &c.Fake} +} diff --git a/generated/1.24/client/supervisor/virtual/clientset/versioned/fake/doc.go b/generated/1.24/client/supervisor/virtual/clientset/versioned/fake/doc.go new file mode 100644 index 00000000..7c9538fd --- /dev/null +++ b/generated/1.24/client/supervisor/virtual/clientset/versioned/fake/doc.go @@ -0,0 +1,7 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +// This package has the automatically generated fake clientset. +package fake diff --git a/generated/1.24/client/supervisor/virtual/clientset/versioned/fake/register.go b/generated/1.24/client/supervisor/virtual/clientset/versioned/fake/register.go new file mode 100644 index 00000000..fcc85a4d --- /dev/null +++ b/generated/1.24/client/supervisor/virtual/clientset/versioned/fake/register.go 
@@ -0,0 +1,43 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package fake + +import ( + oauthv1alpha1 "go.pinniped.dev/generated/1.24/apis/supervisor/virtual/oauth/v1alpha1" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + runtime "k8s.io/apimachinery/pkg/runtime" + schema "k8s.io/apimachinery/pkg/runtime/schema" + serializer "k8s.io/apimachinery/pkg/runtime/serializer" + utilruntime "k8s.io/apimachinery/pkg/util/runtime" +) + +var scheme = runtime.NewScheme() +var codecs = serializer.NewCodecFactory(scheme) + +var localSchemeBuilder = runtime.SchemeBuilder{ + oauthv1alpha1.AddToScheme, +} + +// AddToScheme adds all types of this clientset into the given scheme. This allows composition +// of clientsets, like in: +// +// import ( +// "k8s.io/client-go/kubernetes" +// clientsetscheme "k8s.io/client-go/kubernetes/scheme" +// aggregatorclientsetscheme "k8s.io/kube-aggregator/pkg/client/clientset_generated/clientset/scheme" +// ) +// +// kclientset, _ := kubernetes.NewForConfig(c) +// _ = aggregatorclientsetscheme.AddToScheme(clientsetscheme.Scheme) +// +// After this, RawExtensions in Kubernetes types will serialize kube-aggregator types +// correctly. +var AddToScheme = localSchemeBuilder.AddToScheme + +func init() { + v1.AddToGroupVersion(scheme, schema.GroupVersion{Version: "v1"}) + utilruntime.Must(AddToScheme(scheme)) +} diff --git a/generated/1.24/client/supervisor/virtual/clientset/versioned/scheme/doc.go b/generated/1.24/client/supervisor/virtual/clientset/versioned/scheme/doc.go new file mode 100644 index 00000000..cc02f1d3 --- /dev/null +++ b/generated/1.24/client/supervisor/virtual/clientset/versioned/scheme/doc.go 
@@ -0,0 +1,7 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +// This package contains the scheme of the automatically generated clientset. +package scheme diff --git a/generated/1.24/client/supervisor/virtual/clientset/versioned/scheme/register.go b/generated/1.24/client/supervisor/virtual/clientset/versioned/scheme/register.go new file mode 100644 index 00000000..4c7d2651 --- /dev/null +++ b/generated/1.24/client/supervisor/virtual/clientset/versioned/scheme/register.go 
@@ -0,0 +1,43 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package scheme + +import ( + oauthv1alpha1 "go.pinniped.dev/generated/1.24/apis/supervisor/virtual/oauth/v1alpha1" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + runtime "k8s.io/apimachinery/pkg/runtime" + schema "k8s.io/apimachinery/pkg/runtime/schema" + serializer "k8s.io/apimachinery/pkg/runtime/serializer" + utilruntime "k8s.io/apimachinery/pkg/util/runtime" +) + +var Scheme = runtime.NewScheme() +var Codecs = serializer.NewCodecFactory(Scheme) +var ParameterCodec = runtime.NewParameterCodec(Scheme) +var localSchemeBuilder = runtime.SchemeBuilder{ + oauthv1alpha1.AddToScheme, +} + +// AddToScheme adds all types of this clientset into the given scheme. This allows composition +// of clientsets, like in: +// +// import ( +// "k8s.io/client-go/kubernetes" +// clientsetscheme "k8s.io/client-go/kubernetes/scheme" +// aggregatorclientsetscheme "k8s.io/kube-aggregator/pkg/client/clientset_generated/clientset/scheme" +// ) +// +// kclientset, _ := kubernetes.NewForConfig(c) +// _ = aggregatorclientsetscheme.AddToScheme(clientsetscheme.Scheme) +// +// After this, RawExtensions in Kubernetes types will serialize kube-aggregator types +// correctly. +var AddToScheme = localSchemeBuilder.AddToScheme + +func init() { + v1.AddToGroupVersion(Scheme, schema.GroupVersion{Version: "v1"}) + utilruntime.Must(AddToScheme(Scheme)) +} diff --git a/generated/1.24/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/doc.go b/generated/1.24/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/doc.go new file mode 100644 index 00000000..e7a470b6 --- /dev/null +++ b/generated/1.24/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/doc.go 
@@ -0,0 +1,7 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +// This package has the automatically generated typed clients. +package v1alpha1 diff --git a/generated/1.24/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go b/generated/1.24/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go new file mode 100644 index 00000000..7906901b --- /dev/null +++ b/generated/1.24/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go @@ -0,0 +1,7 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +// Package fake has the automatically generated clients. +package fake diff --git a/generated/1.24/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go b/generated/1.24/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go new file mode 100644 index 00000000..487cc65b --- /dev/null +++ b/generated/1.24/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go 
@@ -0,0 +1,27 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package fake + +import ( + v1alpha1 "go.pinniped.dev/generated/1.24/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1" + rest "k8s.io/client-go/rest" + testing "k8s.io/client-go/testing" +) + +type FakeOauthV1alpha1 struct { + *testing.Fake +} + +func (c *FakeOauthV1alpha1) OIDCClientSecretRequests(namespace string) v1alpha1.OIDCClientSecretRequestInterface { + return &FakeOIDCClientSecretRequests{c, namespace} +} + +// RESTClient returns a RESTClient that is used to communicate +// with API server by this client implementation. +func (c *FakeOauthV1alpha1) RESTClient() rest.Interface { + var ret *rest.RESTClient + return ret +} diff --git a/generated/1.24/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oidcclientsecretrequest.go b/generated/1.24/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oidcclientsecretrequest.go new file mode 100644 index 00000000..fc821273 --- /dev/null +++ b/generated/1.24/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oidcclientsecretrequest.go 
@@ -0,0 +1,36 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package fake + +import ( + "context" + + v1alpha1 "go.pinniped.dev/generated/1.24/apis/supervisor/virtual/oauth/v1alpha1" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + schema "k8s.io/apimachinery/pkg/runtime/schema" + testing "k8s.io/client-go/testing" +) + +// FakeOIDCClientSecretRequests implements OIDCClientSecretRequestInterface +type FakeOIDCClientSecretRequests struct { + Fake *FakeOauthV1alpha1 + ns string +} + +var oidcclientsecretrequestsResource = schema.GroupVersionResource{Group: "oauth.virtual.supervisor.pinniped.dev", Version: "v1alpha1", Resource: "oidcclientsecretrequests"} + +var oidcclientsecretrequestsKind = schema.GroupVersionKind{Group: "oauth.virtual.supervisor.pinniped.dev", Version: "v1alpha1", Kind: "OIDCClientSecretRequest"} + +// Create takes the representation of a oIDCClientSecretRequest and creates it. Returns the server's representation of the oIDCClientSecretRequest, and an error, if there is any. +func (c *FakeOIDCClientSecretRequests) Create(ctx context.Context, oIDCClientSecretRequest *v1alpha1.OIDCClientSecretRequest, opts v1.CreateOptions) (result *v1alpha1.OIDCClientSecretRequest, err error) { + obj, err := c.Fake. + Invokes(testing.NewCreateAction(oidcclientsecretrequestsResource, c.ns, oIDCClientSecretRequest), &v1alpha1.OIDCClientSecretRequest{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.OIDCClientSecretRequest), err +} diff --git a/generated/1.24/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go b/generated/1.24/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go new file mode 100644 index 00000000..427a2ad8 --- /dev/null +++ b/generated/1.24/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go 
@@ -0,0 +1,8 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package v1alpha1 + +type OIDCClientSecretRequestExpansion interface{} diff --git a/generated/1.24/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go b/generated/1.24/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go new file mode 100644 index 00000000..aa4521a2 --- /dev/null +++ b/generated/1.24/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go 
@@ -0,0 +1,94 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + "net/http" + + v1alpha1 "go.pinniped.dev/generated/1.24/apis/supervisor/virtual/oauth/v1alpha1" + "go.pinniped.dev/generated/1.24/client/supervisor/virtual/clientset/versioned/scheme" + rest "k8s.io/client-go/rest" +) + +type OauthV1alpha1Interface interface { + RESTClient() rest.Interface + OIDCClientSecretRequestsGetter +} + +// OauthV1alpha1Client is used to interact with features provided by the oauth.virtual.supervisor.pinniped.dev group. +type OauthV1alpha1Client struct { + restClient rest.Interface +} + +func (c *OauthV1alpha1Client) OIDCClientSecretRequests(namespace string) OIDCClientSecretRequestInterface { + return newOIDCClientSecretRequests(c, namespace) +} + +// NewForConfig creates a new OauthV1alpha1Client for the given config. +// NewForConfig is equivalent to NewForConfigAndClient(c, httpClient), +// where httpClient was generated with rest.HTTPClientFor(c). +func NewForConfig(c *rest.Config) (*OauthV1alpha1Client, error) { + config := *c + if err := setConfigDefaults(&config); err != nil { + return nil, err + } + httpClient, err := rest.HTTPClientFor(&config) + if err != nil { + return nil, err + } + return NewForConfigAndClient(&config, httpClient) +} + +// NewForConfigAndClient creates a new OauthV1alpha1Client for the given config and http client. +// Note the http client provided takes precedence over the configured transport values. 
+func NewForConfigAndClient(c *rest.Config, h *http.Client) (*OauthV1alpha1Client, error) { + config := *c + if err := setConfigDefaults(&config); err != nil { + return nil, err + } + client, err := rest.RESTClientForConfigAndClient(&config, h) + if err != nil { + return nil, err + } + return &OauthV1alpha1Client{client}, nil +} + +// NewForConfigOrDie creates a new OauthV1alpha1Client for the given config and +// panics if there is an error in the config. +func NewForConfigOrDie(c *rest.Config) *OauthV1alpha1Client { + client, err := NewForConfig(c) + if err != nil { + panic(err) + } + return client +} + +// New creates a new OauthV1alpha1Client for the given RESTClient. +func New(c rest.Interface) *OauthV1alpha1Client { + return &OauthV1alpha1Client{c} +} + +func setConfigDefaults(config *rest.Config) error { + gv := v1alpha1.SchemeGroupVersion + config.GroupVersion = &gv + config.APIPath = "/apis" + config.NegotiatedSerializer = scheme.Codecs.WithoutConversion() + + if config.UserAgent == "" { + config.UserAgent = rest.DefaultKubernetesUserAgent() + } + + return nil +} + +// RESTClient returns a RESTClient that is used to communicate +// with API server by this client implementation. +func (c *OauthV1alpha1Client) RESTClient() rest.Interface { + if c == nil { + return nil + } + return c.restClient +} diff --git a/generated/1.24/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/oidcclientsecretrequest.go b/generated/1.24/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/oidcclientsecretrequest.go new file mode 100644 index 00000000..ed4b8949 --- /dev/null +++ b/generated/1.24/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/oidcclientsecretrequest.go 
@@ -0,0 +1,54 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + "context" + + v1alpha1 "go.pinniped.dev/generated/1.24/apis/supervisor/virtual/oauth/v1alpha1" + scheme "go.pinniped.dev/generated/1.24/client/supervisor/virtual/clientset/versioned/scheme" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + rest "k8s.io/client-go/rest" +) + +// OIDCClientSecretRequestsGetter has a method to return a OIDCClientSecretRequestInterface. +// A group's client should implement this interface. +type OIDCClientSecretRequestsGetter interface { + OIDCClientSecretRequests(namespace string) OIDCClientSecretRequestInterface +} + +// OIDCClientSecretRequestInterface has methods to work with OIDCClientSecretRequest resources. +type OIDCClientSecretRequestInterface interface { + Create(ctx context.Context, oIDCClientSecretRequest *v1alpha1.OIDCClientSecretRequest, opts v1.CreateOptions) (*v1alpha1.OIDCClientSecretRequest, error) + OIDCClientSecretRequestExpansion +} + +// oIDCClientSecretRequests implements OIDCClientSecretRequestInterface +type oIDCClientSecretRequests struct { + client rest.Interface + ns string +} + +// newOIDCClientSecretRequests returns a OIDCClientSecretRequests +func newOIDCClientSecretRequests(c *OauthV1alpha1Client, namespace string) *oIDCClientSecretRequests { + return &oIDCClientSecretRequests{ + client: c.RESTClient(), + ns: namespace, + } +} + +// Create takes the representation of a oIDCClientSecretRequest and creates it. Returns the server's representation of the oIDCClientSecretRequest, and an error, if there is any. +func (c *oIDCClientSecretRequests) Create(ctx context.Context, oIDCClientSecretRequest *v1alpha1.OIDCClientSecretRequest, opts v1.CreateOptions) (result *v1alpha1.OIDCClientSecretRequest, err error) { + result = &v1alpha1.OIDCClientSecretRequest{} + err = c.client.Post(). + Namespace(c.ns). 
+ Resource("oidcclientsecretrequests"). + VersionedParams(&opts, scheme.ParameterCodec). + Body(oIDCClientSecretRequest). + Do(ctx). + Into(result) + return +} diff --git a/generated/latest/client/supervisor/virtual/clientset/versioned/clientset.go b/generated/latest/client/supervisor/virtual/clientset/versioned/clientset.go index 09131c84..87726aee 100644 --- a/generated/latest/client/supervisor/virtual/clientset/versioned/clientset.go +++ b/generated/latest/client/supervisor/virtual/clientset/versioned/clientset.go @@ -48,6 +48,10 @@ func (c *Clientset) Discovery() discovery.DiscoveryInterface { func NewForConfig(c *rest.Config) (*Clientset, error) { configShallowCopy := *c + if configShallowCopy.UserAgent == "" { + configShallowCopy.UserAgent = rest.DefaultKubernetesUserAgent() + } + // share the transport between all clients httpClient, err := rest.HTTPClientFor(&configShallowCopy) if err != nil { From 479b6c421daec83cc96c3cfbd1b90cf5cadc5b83 Mon Sep 17 00:00:00 2001 From: Margo Crawford Date: Fri, 10 Jun 2022 09:51:37 -0700 Subject: [PATCH 11/61] fix out of date codegen images Signed-off-by: Margo Crawford --- generated/1.17/README.adoc | 4 ++-- generated/1.18/README.adoc | 4 ++-- generated/1.19/README.adoc | 4 ++-- generated/1.20/README.adoc | 4 ++-- generated/1.21/README.adoc | 4 ++-- generated/1.22/README.adoc | 4 ++-- generated/1.23/README.adoc | 4 ++-- .../1.23/client/concierge/clientset/versioned/clientset.go | 4 ++++ .../1.23/client/supervisor/clientset/versioned/clientset.go | 4 ++++ .../supervisor/virtual/clientset/versioned/clientset.go | 4 ++++ 10 files changed, 26 insertions(+), 14 deletions(-) diff --git a/generated/1.17/README.adoc b/generated/1.17/README.adoc index 5e679530..0b90292d 100644 --- a/generated/1.17/README.adoc +++ b/generated/1.17/README.adoc 
@@ -1380,9 +1380,9 @@ OIDCClientSpec is a struct that describes an OIDC Client. | Field | Description | *`allowedRedirectURIs`* __string array__ | allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this client. Any other uris will be rejected. Must be https, unless it is a loopback. | *`allowedGrantTypes`* __GrantType array__ | allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this client. - Must only contain the following values: - authorization_code: allows the client to perform the authorization code grant flow, i.e. allows the webapp to authenticate users. This grant must always be listed. - refresh_token: allows the client to perform refresh grants for the user to extend the user's session. This grant must be listed if allowedScopes lists offline_access. - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. This grant must be listed if allowedScopes lists pinniped:request-audience. + Must only contain the following values: - authorization_code: allows the client to perform the authorization code grant flow, i.e. allows the webapp to authenticate users. This grant must always be listed. - refresh_token: allows the client to perform refresh grants for the user to extend the user's session. This grant must be listed if allowedScopes lists offline_access. - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. This grant must be listed if allowedScopes lists pinniped:request-audience. | *`allowedScopes`* __Scope array__ | allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. 
- Must only contain the following values: - openid: The client is allowed to request ID tokens. ID tokens only include the required claims by default (iss, sub, aud, exp, iat). This scope must always be listed. - offline_access: The client is allowed to request an initial refresh token during the authorization code grant flow. This scope must be listed if allowedGrantTypes lists refresh_token. - pinniped:request-audience: The client is allowed to request a new audience value during a RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. openid, username and groups scopes must be listed when this scope is present. This scope must be listed if allowedGrantTypes lists urn:ietf:params:oauth:grant-type:token-exchange. - username: The client is allowed to request that ID tokens contain the user's username. Without the username scope being requested and allowed, the ID token will not contain the user's username. - groups: The client is allowed to request that ID tokens contain the user's group membership, if their group membership is discoverable by the Supervisor. Without the groups scope being requested and allowed, the ID token will not contain groups. + Must only contain the following values: - openid: The client is allowed to request ID tokens. ID tokens only include the required claims by default (iss, sub, aud, exp, iat). This scope must always be listed. - offline_access: The client is allowed to request an initial refresh token during the authorization code grant flow. This scope must be listed if allowedGrantTypes lists refresh_token. - pinniped:request-audience: The client is allowed to request a new audience value during a RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. openid, username and groups scopes must be listed when this scope is present. This scope must be listed if allowedGrantTypes lists urn:ietf:params:oauth:grant-type:token-exchange. 
- username: The client is allowed to request that ID tokens contain the user's username. Without the username scope being requested and allowed, the ID token will not contain the user's username. - groups: The client is allowed to request that ID tokens contain the user's group membership, if their group membership is discoverable by the Supervisor. Without the groups scope being requested and allowed, the ID token will not contain groups. |=== diff --git a/generated/1.18/README.adoc b/generated/1.18/README.adoc index 0d78ed03..db96bb48 100644 --- a/generated/1.18/README.adoc +++ b/generated/1.18/README.adoc 
@@ -1380,9 +1380,9 @@ OIDCClientSpec is a struct that describes an OIDC Client. | Field | Description | *`allowedRedirectURIs`* __string array__ | allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this client. Any other uris will be rejected. Must be https, unless it is a loopback. | *`allowedGrantTypes`* __GrantType array__ | allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this client. - Must only contain the following values: - authorization_code: allows the client to perform the authorization code grant flow, i.e. allows the webapp to authenticate users. This grant must always be listed. - refresh_token: allows the client to perform refresh grants for the user to extend the user's session. This grant must be listed if allowedScopes lists offline_access. - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. This grant must be listed if allowedScopes lists pinniped:request-audience. + Must only contain the following values: - authorization_code: allows the client to perform the authorization code grant flow, i.e. allows the webapp to authenticate users. This grant must always be listed. - refresh_token: allows the client to perform refresh grants for the user to extend the user's session. This grant must be listed if allowedScopes lists offline_access. - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. This grant must be listed if allowedScopes lists pinniped:request-audience. | *`allowedScopes`* __Scope array__ | allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. 
- Must only contain the following values: - openid: The client is allowed to request ID tokens. ID tokens only include the required claims by default (iss, sub, aud, exp, iat). This scope must always be listed. - offline_access: The client is allowed to request an initial refresh token during the authorization code grant flow. This scope must be listed if allowedGrantTypes lists refresh_token. - pinniped:request-audience: The client is allowed to request a new audience value during a RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. openid, username and groups scopes must be listed when this scope is present. This scope must be listed if allowedGrantTypes lists urn:ietf:params:oauth:grant-type:token-exchange. - username: The client is allowed to request that ID tokens contain the user's username. Without the username scope being requested and allowed, the ID token will not contain the user's username. - groups: The client is allowed to request that ID tokens contain the user's group membership, if their group membership is discoverable by the Supervisor. Without the groups scope being requested and allowed, the ID token will not contain groups. + Must only contain the following values: - openid: The client is allowed to request ID tokens. ID tokens only include the required claims by default (iss, sub, aud, exp, iat). This scope must always be listed. - offline_access: The client is allowed to request an initial refresh token during the authorization code grant flow. This scope must be listed if allowedGrantTypes lists refresh_token. - pinniped:request-audience: The client is allowed to request a new audience value during a RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. openid, username and groups scopes must be listed when this scope is present. This scope must be listed if allowedGrantTypes lists urn:ietf:params:oauth:grant-type:token-exchange. 
- username: The client is allowed to request that ID tokens contain the user's username. Without the username scope being requested and allowed, the ID token will not contain the user's username. - groups: The client is allowed to request that ID tokens contain the user's group membership, if their group membership is discoverable by the Supervisor. Without the groups scope being requested and allowed, the ID token will not contain groups. |=== diff --git a/generated/1.19/README.adoc b/generated/1.19/README.adoc index 5bb2e556..29d52abb 100644 --- a/generated/1.19/README.adoc +++ b/generated/1.19/README.adoc 
@@ -1380,9 +1380,9 @@ OIDCClientSpec is a struct that describes an OIDC Client. | Field | Description | *`allowedRedirectURIs`* __string array__ | allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this client. Any other uris will be rejected. Must be https, unless it is a loopback. | *`allowedGrantTypes`* __GrantType array__ | allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this client. - Must only contain the following values: - authorization_code: allows the client to perform the authorization code grant flow, i.e. allows the webapp to authenticate users. This grant must always be listed. - refresh_token: allows the client to perform refresh grants for the user to extend the user's session. This grant must be listed if allowedScopes lists offline_access. - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. This grant must be listed if allowedScopes lists pinniped:request-audience. + Must only contain the following values: - authorization_code: allows the client to perform the authorization code grant flow, i.e. allows the webapp to authenticate users. This grant must always be listed. - refresh_token: allows the client to perform refresh grants for the user to extend the user's session. This grant must be listed if allowedScopes lists offline_access. - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. This grant must be listed if allowedScopes lists pinniped:request-audience. | *`allowedScopes`* __Scope array__ | allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. 
- Must only contain the following values: - openid: The client is allowed to request ID tokens. ID tokens only include the required claims by default (iss, sub, aud, exp, iat). This scope must always be listed. - offline_access: The client is allowed to request an initial refresh token during the authorization code grant flow. This scope must be listed if allowedGrantTypes lists refresh_token. - pinniped:request-audience: The client is allowed to request a new audience value during a RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. openid, username and groups scopes must be listed when this scope is present. This scope must be listed if allowedGrantTypes lists urn:ietf:params:oauth:grant-type:token-exchange. - username: The client is allowed to request that ID tokens contain the user's username. Without the username scope being requested and allowed, the ID token will not contain the user's username. - groups: The client is allowed to request that ID tokens contain the user's group membership, if their group membership is discoverable by the Supervisor. Without the groups scope being requested and allowed, the ID token will not contain groups. + Must only contain the following values: - openid: The client is allowed to request ID tokens. ID tokens only include the required claims by default (iss, sub, aud, exp, iat). This scope must always be listed. - offline_access: The client is allowed to request an initial refresh token during the authorization code grant flow. This scope must be listed if allowedGrantTypes lists refresh_token. - pinniped:request-audience: The client is allowed to request a new audience value during a RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. openid, username and groups scopes must be listed when this scope is present. This scope must be listed if allowedGrantTypes lists urn:ietf:params:oauth:grant-type:token-exchange. 
- username: The client is allowed to request that ID tokens contain the user's username. Without the username scope being requested and allowed, the ID token will not contain the user's username. - groups: The client is allowed to request that ID tokens contain the user's group membership, if their group membership is discoverable by the Supervisor. Without the groups scope being requested and allowed, the ID token will not contain groups. |=== diff --git a/generated/1.20/README.adoc b/generated/1.20/README.adoc index 61422b6e..f58d5ad8 100644 --- a/generated/1.20/README.adoc +++ b/generated/1.20/README.adoc 
@@ -1380,9 +1380,9 @@ OIDCClientSpec is a struct that describes an OIDC Client. | Field | Description | *`allowedRedirectURIs`* __string array__ | allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this client. Any other uris will be rejected. Must be https, unless it is a loopback. | *`allowedGrantTypes`* __GrantType array__ | allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this client. - Must only contain the following values: - authorization_code: allows the client to perform the authorization code grant flow, i.e. allows the webapp to authenticate users. This grant must always be listed. - refresh_token: allows the client to perform refresh grants for the user to extend the user's session. This grant must be listed if allowedScopes lists offline_access. - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. This grant must be listed if allowedScopes lists pinniped:request-audience. + Must only contain the following values: - authorization_code: allows the client to perform the authorization code grant flow, i.e. allows the webapp to authenticate users. This grant must always be listed. - refresh_token: allows the client to perform refresh grants for the user to extend the user's session. This grant must be listed if allowedScopes lists offline_access. - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. This grant must be listed if allowedScopes lists pinniped:request-audience. | *`allowedScopes`* __Scope array__ | allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. 
- Must only contain the following values: - openid: The client is allowed to request ID tokens. ID tokens only include the required claims by default (iss, sub, aud, exp, iat). This scope must always be listed. - offline_access: The client is allowed to request an initial refresh token during the authorization code grant flow. This scope must be listed if allowedGrantTypes lists refresh_token. - pinniped:request-audience: The client is allowed to request a new audience value during a RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. openid, username and groups scopes must be listed when this scope is present. This scope must be listed if allowedGrantTypes lists urn:ietf:params:oauth:grant-type:token-exchange. - username: The client is allowed to request that ID tokens contain the user's username. Without the username scope being requested and allowed, the ID token will not contain the user's username. - groups: The client is allowed to request that ID tokens contain the user's group membership, if their group membership is discoverable by the Supervisor. Without the groups scope being requested and allowed, the ID token will not contain groups. + Must only contain the following values: - openid: The client is allowed to request ID tokens. ID tokens only include the required claims by default (iss, sub, aud, exp, iat). This scope must always be listed. - offline_access: The client is allowed to request an initial refresh token during the authorization code grant flow. This scope must be listed if allowedGrantTypes lists refresh_token. - pinniped:request-audience: The client is allowed to request a new audience value during a RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. openid, username and groups scopes must be listed when this scope is present. This scope must be listed if allowedGrantTypes lists urn:ietf:params:oauth:grant-type:token-exchange. 
- username: The client is allowed to request that ID tokens contain the user's username. Without the username scope being requested and allowed, the ID token will not contain the user's username. - groups: The client is allowed to request that ID tokens contain the user's group membership, if their group membership is discoverable by the Supervisor. Without the groups scope being requested and allowed, the ID token will not contain groups. |=== diff --git a/generated/1.21/README.adoc b/generated/1.21/README.adoc index 1c16381d..e83a59ea 100644 --- a/generated/1.21/README.adoc +++ b/generated/1.21/README.adoc 
@@ -1380,9 +1380,9 @@ OIDCClientSpec is a struct that describes an OIDC Client. | Field | Description | *`allowedRedirectURIs`* __string array__ | allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this client. Any other uris will be rejected. Must be https, unless it is a loopback. | *`allowedGrantTypes`* __GrantType array__ | allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this client. - Must only contain the following values: - authorization_code: allows the client to perform the authorization code grant flow, i.e. allows the webapp to authenticate users. This grant must always be listed. - refresh_token: allows the client to perform refresh grants for the user to extend the user's session. This grant must be listed if allowedScopes lists offline_access. - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. This grant must be listed if allowedScopes lists pinniped:request-audience. + Must only contain the following values: - authorization_code: allows the client to perform the authorization code grant flow, i.e. allows the webapp to authenticate users. This grant must always be listed. - refresh_token: allows the client to perform refresh grants for the user to extend the user's session. This grant must be listed if allowedScopes lists offline_access. - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. This grant must be listed if allowedScopes lists pinniped:request-audience. | *`allowedScopes`* __Scope array__ | allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. 
- Must only contain the following values: - openid: The client is allowed to request ID tokens. ID tokens only include the required claims by default (iss, sub, aud, exp, iat). This scope must always be listed. - offline_access: The client is allowed to request an initial refresh token during the authorization code grant flow. This scope must be listed if allowedGrantTypes lists refresh_token. - pinniped:request-audience: The client is allowed to request a new audience value during a RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. openid, username and groups scopes must be listed when this scope is present. This scope must be listed if allowedGrantTypes lists urn:ietf:params:oauth:grant-type:token-exchange. - username: The client is allowed to request that ID tokens contain the user's username. Without the username scope being requested and allowed, the ID token will not contain the user's username. - groups: The client is allowed to request that ID tokens contain the user's group membership, if their group membership is discoverable by the Supervisor. Without the groups scope being requested and allowed, the ID token will not contain groups. + Must only contain the following values: - openid: The client is allowed to request ID tokens. ID tokens only include the required claims by default (iss, sub, aud, exp, iat). This scope must always be listed. - offline_access: The client is allowed to request an initial refresh token during the authorization code grant flow. This scope must be listed if allowedGrantTypes lists refresh_token. - pinniped:request-audience: The client is allowed to request a new audience value during a RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. openid, username and groups scopes must be listed when this scope is present. This scope must be listed if allowedGrantTypes lists urn:ietf:params:oauth:grant-type:token-exchange. 
- username: The client is allowed to request that ID tokens contain the user's username. Without the username scope being requested and allowed, the ID token will not contain the user's username. - groups: The client is allowed to request that ID tokens contain the user's group membership, if their group membership is discoverable by the Supervisor. Without the groups scope being requested and allowed, the ID token will not contain groups. |=== diff --git a/generated/1.22/README.adoc b/generated/1.22/README.adoc index 26125e76..55db1f5b 100644 --- a/generated/1.22/README.adoc +++ b/generated/1.22/README.adoc 
@@ -1380,9 +1380,9 @@ OIDCClientSpec is a struct that describes an OIDC Client. | Field | Description | *`allowedRedirectURIs`* __string array__ | allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this client. Any other uris will be rejected. Must be https, unless it is a loopback. | *`allowedGrantTypes`* __GrantType array__ | allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this client. - Must only contain the following values: - authorization_code: allows the client to perform the authorization code grant flow, i.e. allows the webapp to authenticate users. This grant must always be listed. - refresh_token: allows the client to perform refresh grants for the user to extend the user's session. This grant must be listed if allowedScopes lists offline_access. - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. This grant must be listed if allowedScopes lists pinniped:request-audience. + Must only contain the following values: - authorization_code: allows the client to perform the authorization code grant flow, i.e. allows the webapp to authenticate users. This grant must always be listed. - refresh_token: allows the client to perform refresh grants for the user to extend the user's session. This grant must be listed if allowedScopes lists offline_access. - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. This grant must be listed if allowedScopes lists pinniped:request-audience. | *`allowedScopes`* __Scope array__ | allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. 
- Must only contain the following values: - openid: The client is allowed to request ID tokens. ID tokens only include the required claims by default (iss, sub, aud, exp, iat). This scope must always be listed. - offline_access: The client is allowed to request an initial refresh token during the authorization code grant flow. This scope must be listed if allowedGrantTypes lists refresh_token. - pinniped:request-audience: The client is allowed to request a new audience value during a RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. openid, username and groups scopes must be listed when this scope is present. This scope must be listed if allowedGrantTypes lists urn:ietf:params:oauth:grant-type:token-exchange. - username: The client is allowed to request that ID tokens contain the user's username. Without the username scope being requested and allowed, the ID token will not contain the user's username. - groups: The client is allowed to request that ID tokens contain the user's group membership, if their group membership is discoverable by the Supervisor. Without the groups scope being requested and allowed, the ID token will not contain groups. + Must only contain the following values: - openid: The client is allowed to request ID tokens. ID tokens only include the required claims by default (iss, sub, aud, exp, iat). This scope must always be listed. - offline_access: The client is allowed to request an initial refresh token during the authorization code grant flow. This scope must be listed if allowedGrantTypes lists refresh_token. - pinniped:request-audience: The client is allowed to request a new audience value during a RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. openid, username and groups scopes must be listed when this scope is present. This scope must be listed if allowedGrantTypes lists urn:ietf:params:oauth:grant-type:token-exchange. 
- username: The client is allowed to request that ID tokens contain the user's username. Without the username scope being requested and allowed, the ID token will not contain the user's username. - groups: The client is allowed to request that ID tokens contain the user's group membership, if their group membership is discoverable by the Supervisor. Without the groups scope being requested and allowed, the ID token will not contain groups. |=== diff --git a/generated/1.23/README.adoc b/generated/1.23/README.adoc index c6cbd149..d078f60c 100644 --- a/generated/1.23/README.adoc +++ b/generated/1.23/README.adoc 
@@ -1380,9 +1380,9 @@ OIDCClientSpec is a struct that describes an OIDC Client. | Field | Description | *`allowedRedirectURIs`* __string array__ | allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this client. Any other uris will be rejected. Must be https, unless it is a loopback. | *`allowedGrantTypes`* __GrantType array__ | allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this client. - Must only contain the following values: - authorization_code: allows the client to perform the authorization code grant flow, i.e. allows the webapp to authenticate users. This grant must always be listed. - refresh_token: allows the client to perform refresh grants for the user to extend the user's session. This grant must be listed if allowedScopes lists offline_access. - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. This grant must be listed if allowedScopes lists pinniped:request-audience. + Must only contain the following values: - authorization_code: allows the client to perform the authorization code grant flow, i.e. allows the webapp to authenticate users. This grant must always be listed. - refresh_token: allows the client to perform refresh grants for the user to extend the user's session. This grant must be listed if allowedScopes lists offline_access. - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. This grant must be listed if allowedScopes lists pinniped:request-audience. | *`allowedScopes`* __Scope array__ | allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. 
- Must only contain the following values: - openid: The client is allowed to request ID tokens. ID tokens only include the required claims by default (iss, sub, aud, exp, iat). This scope must always be listed. - offline_access: The client is allowed to request an initial refresh token during the authorization code grant flow. This scope must be listed if allowedGrantTypes lists refresh_token. - pinniped:request-audience: The client is allowed to request a new audience value during a RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. openid, username and groups scopes must be listed when this scope is present. This scope must be listed if allowedGrantTypes lists urn:ietf:params:oauth:grant-type:token-exchange. - username: The client is allowed to request that ID tokens contain the user's username. Without the username scope being requested and allowed, the ID token will not contain the user's username. - groups: The client is allowed to request that ID tokens contain the user's group membership, if their group membership is discoverable by the Supervisor. Without the groups scope being requested and allowed, the ID token will not contain groups. + Must only contain the following values: - openid: The client is allowed to request ID tokens. ID tokens only include the required claims by default (iss, sub, aud, exp, iat). This scope must always be listed. - offline_access: The client is allowed to request an initial refresh token during the authorization code grant flow. This scope must be listed if allowedGrantTypes lists refresh_token. - pinniped:request-audience: The client is allowed to request a new audience value during a RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. openid, username and groups scopes must be listed when this scope is present. This scope must be listed if allowedGrantTypes lists urn:ietf:params:oauth:grant-type:token-exchange. 
- username: The client is allowed to request that ID tokens contain the user's username. Without the username scope being requested and allowed, the ID token will not contain the user's username. - groups: The client is allowed to request that ID tokens contain the user's group membership, if their group membership is discoverable by the Supervisor. Without the groups scope being requested and allowed, the ID token will not contain groups. |=== diff --git a/generated/1.23/client/concierge/clientset/versioned/clientset.go b/generated/1.23/client/concierge/clientset/versioned/clientset.go index ba3cb60b..e026c5f0 100644 --- a/generated/1.23/client/concierge/clientset/versioned/clientset.go +++ b/generated/1.23/client/concierge/clientset/versioned/clientset.go @@ -72,6 +72,10 @@ func (c *Clientset) Discovery() discovery.DiscoveryInterface { func NewForConfig(c *rest.Config) (*Clientset, error) { configShallowCopy := *c + if configShallowCopy.UserAgent == "" { + configShallowCopy.UserAgent = rest.DefaultKubernetesUserAgent() + } + // share the transport between all clients httpClient, err := rest.HTTPClientFor(&configShallowCopy) if err != nil { diff --git a/generated/1.23/client/supervisor/clientset/versioned/clientset.go b/generated/1.23/client/supervisor/clientset/versioned/clientset.go index b0f81c08..0347d1bb 100644 --- a/generated/1.23/client/supervisor/clientset/versioned/clientset.go +++ b/generated/1.23/client/supervisor/clientset/versioned/clientset.go @@ -64,6 +64,10 @@ func (c *Clientset) Discovery() discovery.DiscoveryInterface { func NewForConfig(c *rest.Config) (*Clientset, error) { configShallowCopy := *c + if configShallowCopy.UserAgent == "" { + configShallowCopy.UserAgent = rest.DefaultKubernetesUserAgent() + } + // share the transport between all clients httpClient, err := rest.HTTPClientFor(&configShallowCopy) if err != nil { 
diff --git a/generated/1.23/client/supervisor/virtual/clientset/versioned/clientset.go b/generated/1.23/client/supervisor/virtual/clientset/versioned/clientset.go index ef665be8..e3386a25 100644 --- a/generated/1.23/client/supervisor/virtual/clientset/versioned/clientset.go +++ b/generated/1.23/client/supervisor/virtual/clientset/versioned/clientset.go @@ -48,6 +48,10 @@ func (c *Clientset) Discovery() discovery.DiscoveryInterface { func NewForConfig(c *rest.Config) (*Clientset, error) { configShallowCopy := *c + if configShallowCopy.UserAgent == "" { + configShallowCopy.UserAgent = rest.DefaultKubernetesUserAgent() + } + // share the transport between all clients httpClient, err := rest.HTTPClientFor(&configShallowCopy) if err != nil { From ba371423d98243ea57f2029c74cfbb85faf04ab5 Mon Sep 17 00:00:00 2001 From: Margo Crawford Date: Fri, 10 Jun 2022 13:56:15 -0700 Subject: [PATCH 12/61] Add integration test for OIDCClientSecretRequest Signed-off-by: Margo Crawford --- internal/kubeclient/kubeclient.go | 25 ++++++--- .../supervisor_oidcclientsecret_test.go | 54 +++++++++++++++++++ test/testlib/client.go | 15 +++++- 3 files changed, 85 insertions(+), 9 deletions(-) create mode 100644 test/integration/supervisor_oidcclientsecret_test.go diff --git a/internal/kubeclient/kubeclient.go b/internal/kubeclient/kubeclient.go index 98d0b7f6..6a9d4eb5 100644 --- a/internal/kubeclient/kubeclient.go +++ b/internal/kubeclient/kubeclient.go 
@@ -23,14 +23,17 @@ import (
 pinnipedconciergeclientsetscheme "go.pinniped.dev/generated/latest/client/concierge/clientset/versioned/scheme"
 pinnipedsupervisorclientset "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned"
 pinnipedsupervisorclientsetscheme "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned/scheme"
+ pinnipedsupervisorvirtualclientset "go.pinniped.dev/generated/latest/client/supervisor/virtual/clientset/versioned"
+ pinnipedsupervisorvirtualclientsetscheme "go.pinniped.dev/generated/latest/client/supervisor/virtual/clientset/versioned/scheme"
 "go.pinniped.dev/internal/crypto/ptls"
 )

 type Client struct {
- Kubernetes kubernetes.Interface
- Aggregation aggregatorclient.Interface
- PinnipedConcierge pinnipedconciergeclientset.Interface
- PinnipedSupervisor pinnipedsupervisorclientset.Interface
+ Kubernetes kubernetes.Interface
+ Aggregation aggregatorclient.Interface
+ PinnipedConcierge pinnipedconciergeclientset.Interface
+ PinnipedSupervisor pinnipedsupervisorclientset.Interface
+ PinnipedSupervisorVirtual pinnipedsupervisorvirtualclientset.Interface

 JSONConfig, ProtoConfig *restclient.Config
 }
@@ -90,11 +93,17 @@ func New(opts ...Option) (*Client, error) {
 return nil, fmt.Errorf("could not initialize pinniped client: %w", err)
 }

+ // Connect to the pinniped supervisor aggregated API.
+ pinnipedSupervisorVirtualClient, err := pinnipedsupervisorvirtualclientset.NewForConfig(configWithWrapper(jsonKubeConfig, pinnipedsupervisorvirtualclientsetscheme.Scheme, pinnipedsupervisorvirtualclientsetscheme.Codecs, c.middlewares, c.transportWrapper))
+ if err != nil {
+ return nil, fmt.Errorf("could not initialize pinniped client: %w", err)
+ }
 return &Client{
- Kubernetes: k8sClient,
- Aggregation: aggregatorClient,
- PinnipedConcierge: pinnipedConciergeClient,
- PinnipedSupervisor: pinnipedSupervisorClient,
+ Kubernetes: k8sClient,
+ Aggregation: aggregatorClient,
+ PinnipedConcierge: pinnipedConciergeClient,
+ PinnipedSupervisor: pinnipedSupervisorClient,
+ PinnipedSupervisorVirtual: pinnipedSupervisorVirtualClient,

 JSONConfig: jsonKubeConfig,
 ProtoConfig: protoKubeConfig,
diff --git a/test/integration/supervisor_oidcclientsecret_test.go b/test/integration/supervisor_oidcclientsecret_test.go
new file mode 100644
index 00000000..9133f0c7
--- /dev/null
+++ b/test/integration/supervisor_oidcclientsecret_test.go
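Review bot: The wrap message on the added error return, `could not initialize pinniped client: %w`, is the same text the preceding supervisor client block uses, so a failure from `pinnipedsupervisorvirtualclientset.NewForConfig` cannot be told apart from one in the client above it when the error surfaces. Name the client in the message, e.g. `return nil, fmt.Errorf("could not initialize pinniped supervisor virtual client: %w", err)`. A blank line between the added `}` and `return &Client{` would also match the spacing the earlier client blocks use. The body of New starts outside the hunk.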
@@ -0,0 +1,54 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package integration
+
+import (
+ "context"
+ "testing"
+ "time"
+
+ "github.com/stretchr/testify/require"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+ "go.pinniped.dev/generated/latest/apis/supervisor/virtual/oauth/v1alpha1"
+ "go.pinniped.dev/test/testlib"
+)
+
+func TestOIDCClientSecretRequest_HappyPath_Parallel(t *testing.T) {
+ env := testlib.IntegrationEnv(t)
+
+ ctx, cancel := context.WithTimeout(context.Background(), time.Minute)
+ defer cancel()
+
+ client := testlib.NewVirtualSupervisorClientset(t)
+
+ response, err := client.OauthV1alpha1().OIDCClientSecretRequests(env.SupervisorNamespace).Create(ctx,
+ &v1alpha1.OIDCClientSecretRequest{
+ Spec: v1alpha1.OIDCClientSecretRequestSpec{
+ GenerateNewSecret: true,
+ },
+ }, metav1.CreateOptions{})
+ require.NoError(t, err)
+ // the hardcoded values from the nonfunctional request
+ require.Equal(t, response.Status.TotalClientSecrets, 20)
+ require.Equal(t, response.Status.GeneratedSecret, "not-a-real-secret")
+}
+
+func TestOIDCClientSecretRequest_Unauthenticated_Parallel(t *testing.T) {
+ env := testlib.IntegrationEnv(t)
+
+ ctx, cancel := context.WithTimeout(context.Background(), time.Minute)
+ defer cancel()
+
+ client := testlib.NewAnonymousVirtualSupervisorClientset(t)
+
+ _, err := client.OauthV1alpha1().OIDCClientSecretRequests(env.SupervisorNamespace).Create(ctx,
+ &v1alpha1.OIDCClientSecretRequest{
+ Spec: v1alpha1.OIDCClientSecretRequestSpec{
+ GenerateNewSecret: true,
+ },
+ }, metav1.CreateOptions{})
+ require.Error(t, err)
+ require.Contains(t, err.Error(), "User \"system:anonymous\" cannot create resource \"oidcclientsecretrequests\"")
+}
diff --git a/test/testlib/client.go b/test/testlib/client.go
index c5e96339..376e1462 100644
--- a/test/testlib/client.go
+++ b/test/testlib/client.go
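Review bot: The two `require.Equal` calls in TestOIDCClientSecretRequest_HappyPath_Parallel pass the actual value first (`require.Equal(t, response.Status.TotalClientSecrets, 20)`), but testify's signature is `Equal(t, expected, actual)`, so a failure diff will label the two values backwards; swap them to `require.Equal(t, 20, response.Status.TotalClientSecrets)` and `require.Equal(t, "not-a-real-secret", response.Status.GeneratedSecret)`. In the unauthenticated test, `require.Contains(t, err.Error(), ...)` pins the apiserver's human-readable forbidden message, so a wording change upstream would fail the test even though the authorization decision is unchanged; asserting `apierrors.IsForbidden(err)` from `k8s.io/apimachinery/pkg/api/errors` alongside the substring check would pin the status reason as well. The comment `// the hardcoded values from the nonfunctional request` would read better if it said what the reader should do with them, e.g. `// Placeholder values returned by the current stub implementation; replace once real secret generation lands.` (hedged — the hunk only shows the expected constants, not the server side).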
@@ -1,4 +1,4 @@
-// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package testlib
@@ -34,6 +34,7 @@ import (
 idpv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/idp/v1alpha1"
 conciergeclientset "go.pinniped.dev/generated/latest/client/concierge/clientset/versioned"
 supervisorclientset "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned"
+ virtualsupervisorclientset "go.pinniped.dev/generated/latest/client/supervisor/virtual/clientset/versioned"

 "go.pinniped.dev/internal/groupsuffix"
 "go.pinniped.dev/internal/kubeclient"
@@ -86,6 +87,18 @@ func NewSupervisorClientset(t *testing.T) supervisorclientset.Interface {
 return NewKubeclient(t, NewClientConfig(t)).PinnipedSupervisor
 }

+func NewAnonymousVirtualSupervisorClientset(t *testing.T) virtualsupervisorclientset.Interface {
+ t.Helper()
+
+ return NewKubeclient(t, NewAnonymousClientRestConfig(t)).PinnipedSupervisorVirtual
+}
+
+func NewVirtualSupervisorClientset(t *testing.T) virtualsupervisorclientset.Interface {
+ t.Helper()
+
+ return NewKubeclient(t, NewClientConfig(t)).PinnipedSupervisorVirtual
+}
+
 func NewConciergeClientset(t *testing.T) conciergeclientset.Interface {
 t.Helper()

From b9272b27298e5b11be63a6926a21277c4710ef4b Mon Sep 17 00:00:00 2001
From: Ryan Richard
Date: Mon, 13 Jun 2022 12:08:11 -0700
Subject: [PATCH 13/61] Reserve all of *.pinniped.dev for requested aud in token exchanges

Our previous plan was to reserve only *.oauth.pinniped.dev but we changed our minds during PR review.

---
 internal/oidc/token/token_handler_test.go | 8 +++----
 internal/oidc/token_exchange.go | 10 ++++-----
 test/integration/supervisor_login_test.go | 27 ++++++++++++++++++++---
 3 files changed, 33 insertions(+), 12 deletions(-)

diff --git a/internal/oidc/token/token_handler_test.go b/internal/oidc/token/token_handler_test.go
index e3d70952..1211f7f4 100644
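Review bot: The two exported constructors added in the `@@ -86,6 +87,18 @@` hunk, NewAnonymousVirtualSupervisorClientset and NewVirtualSupervisorClientset, carry no doc comment, and the names alone do not say which REST config each one is built from. Suggested comments: `// NewVirtualSupervisorClientset returns a clientset for the Supervisor's aggregated (virtual) API built from NewClientConfig.` and `// NewAnonymousVirtualSupervisorClientset returns the same clientset built from NewAnonymousClientRestConfig, presumably without credentials, for negative authorization tests.` The neighbouring NewSupervisorClientset in the context lines shows no comment either, which may be this file's convention; if so, at least the "Anonymous" variant deserves one since callers pick it deliberately.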
--- a/internal/oidc/token/token_handler_test.go
+++ b/internal/oidc/token/token_handler_test.go
@@ -671,14 +671,14 @@ func TestTokenEndpointTokenExchange(t *testing.T) { // tests for grant_type "urn
 authcodeExchange: doValidAuthCodeExchange,
 requestedAudience: "client.oauth.pinniped.dev-some-client-abc123",
 wantStatus: http.StatusBadRequest,
- wantResponseBodyContains: "requested audience cannot contain '.oauth.pinniped.dev'",
+ wantResponseBodyContains: "requested audience cannot contain '.pinniped.dev'",
 },
 {
- name: "bad requested audience when it contains the substring .oauth.pinniped.dev because it is reserved for potential future usage",
+ name: "bad requested audience when it contains the substring .pinniped.dev because it is reserved for potential future usage",
 authcodeExchange: doValidAuthCodeExchange,
- requestedAudience: "something.oauth.pinniped.dev/some_aud",
+ requestedAudience: "something.pinniped.dev/some_aud",
 wantStatus: http.StatusBadRequest,
- wantResponseBodyContains: "requested audience cannot contain '.oauth.pinniped.dev'",
+ wantResponseBodyContains: "requested audience cannot contain '.pinniped.dev'",
 },
 {
 name: "bad requested audience when it is the same name as the static public client pinniped-cli",
diff --git a/internal/oidc/token_exchange.go b/internal/oidc/token_exchange.go
index 94c37c74..a7a7812b 100644
--- a/internal/oidc/token_exchange.go
+++ b/internal/oidc/token_exchange.go
@@ -131,16 +131,16 @@ func (t *TokenExchangeHandler) validateParams(params url.Values) (*stsParams, er
 // Validate that the requested audience is not one of the reserved strings. All possible requested audience strings
 // are subdivided into these classifications:
 // 1. pinniped-cli is reserved for the statically defined OAuth client, which is disallowed for this token exchange.
- // 2. clients.oauth.pinniped.dev-* is reserved to be the names of user-defined dynamic OAuth clients, which is also
+ // 2. client.oauth.pinniped.dev-* is reserved to be the names of user-defined dynamic OAuth clients, which is also
 // disallowed for this token exchange.
- // 3. Anything else matching *.oauth.pinniped.dev* is reserved for future use, in case we want to create more
- // buckets of names some day, e.g. something.oauth.pinniped.dev/*. These names are also disallowed for this
+ // 3. Anything else matching *.pinniped.dev* is reserved for future use, in case we want to create more
+ // buckets of names some day, e.g. something.pinniped.dev/*. These names are also disallowed for this
 // token exchange.
 // 4. Any other string is reserved to conceptually mean the name of a workload cluster (technically, it's the
 // configured audience of its Concierge JWTAuthenticator or other OIDC JWT validator). These are the only
 // allowed values for this token exchange.
- if strings.Contains(result.requestedAudience, ".oauth.pinniped.dev") {
- return nil, fosite.ErrInvalidRequest.WithHintf("requested audience cannot contain '.oauth.pinniped.dev'")
+ if strings.Contains(result.requestedAudience, ".pinniped.dev") {
+ return nil, fosite.ErrInvalidRequest.WithHintf("requested audience cannot contain '.pinniped.dev'")
 }
 if result.requestedAudience == "pinniped-cli" {
 return nil, fosite.ErrInvalidRequest.WithHintf("requested audience cannot equal 'pinniped-cli'")
diff --git a/test/integration/supervisor_login_test.go b/test/integration/supervisor_login_test.go
index 16f33d98..d584eab0 100644
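Review bot: The comment above the changed check enumerates four audience classes, but the single `strings.Contains(result.requestedAudience, ".pinniped.dev")` test now rejects both class 2 (`client.oauth.pinniped.dev-*`) and class 3 (`*.pinniped.dev*`) at once, and nothing says so, so a reader may go looking for a separate dynamic-client name check that does not exist. Add a line before the `if`, e.g. `// The substring check below rejects classifications 2 and 3 together; only classification 1 needs its own equality check.` Because it is a substring match rather than a suffix match, a value such as `foo.pinniped.dev.example` (constructed example) is also rejected, which appears intended given the hint text says "cannot contain" but is worth stating in the comment. validateParams begins and ends outside the hunk.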
--- a/test/integration/supervisor_login_test.go
+++ b/test/integration/supervisor_login_test.go
@@ -1124,7 +1124,7 @@ func TestSupervisorLogin_Browser(t *testing.T) {
 return testlib.CreateTestOIDCIdentityProvider(t, basicOIDCIdentityProviderSpec(), idpv1alpha1.PhaseReady).Name
 },
 requestAuthorization: requestAuthorizationUsingBrowserAuthcodeFlowOIDC,
- requestTokenExchangeAud: "contains-disallowed-substring.oauth.pinniped.dev-something", // .oauth.pinniped.dev substring is not allowed
+ requestTokenExchangeAud: "contains-disallowed-substring.pinniped.dev-something", // .pinniped.dev substring is not allowed
 // the ID token Subject should include the upstream user ID after the upstream issuer name
 wantDownstreamIDTokenSubjectToMatch: "^" + regexp.QuoteMeta(env.SupervisorUpstreamOIDC.Issuer+"?sub=") + ".+",
 // the ID token Username should include the upstream user ID after the upstream issuer name
@@ -1134,7 +1134,28 @@ func TestSupervisorLogin_Browser(t *testing.T) {
 require.Equal(t,
 `{"error":"invalid_request","error_description":"The request is missing a required parameter, `+
 `includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed. `+
- `requested audience cannot contain '.oauth.pinniped.dev'"}`,
+ `requested audience cannot contain '.pinniped.dev'"}`,
+ body)
+ },
+ },
+ {
+ name: "disallowed requested audience using specific reserved name of a dynamic client on token exchange results in token exchange error",
+ maybeSkip: skipNever,
+ createIDP: func(t *testing.T) string {
+ return testlib.CreateTestOIDCIdentityProvider(t, basicOIDCIdentityProviderSpec(), idpv1alpha1.PhaseReady).Name
+ },
+ requestAuthorization: requestAuthorizationUsingBrowserAuthcodeFlowOIDC,
+ requestTokenExchangeAud: "client.oauth.pinniped.dev-client-name", // OIDC dynamic client name is not allowed
+ // the ID token Subject should include the upstream user ID after the upstream issuer name
+ wantDownstreamIDTokenSubjectToMatch: "^" + regexp.QuoteMeta(env.SupervisorUpstreamOIDC.Issuer+"?sub=") + ".+",
+ // the ID token Username should include the upstream user ID after the upstream issuer name
+ wantDownstreamIDTokenUsernameToMatch: func(_ string) string { return "^" + regexp.QuoteMeta(env.SupervisorUpstreamOIDC.Issuer+"?sub=") + ".+" },
+ wantTokenExchangeResponse: func(t *testing.T, status int, body string) {
+ require.Equal(t, http.StatusBadRequest, status)
+ require.Equal(t,
+ `{"error":"invalid_request","error_description":"The request is missing a required parameter, `+
+ `includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed. `+
+ `requested audience cannot contain '.pinniped.dev'"}`,
 body)
 },
 },
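Review bot: The new table entry repeats the previous entry's three-line expected error body verbatim, along with the identical subject and username matchers, so the two cases differ only in `requestTokenExchangeAud`; hoisting the expected body into a local declared before the table (e.g. `wantReservedAudErrorBody := ...`) would keep each reserved-name case to its one distinguishing field as more are added. The case name says "specific reserved name of a dynamic client", yet the assertion expects the generic `'.pinniped.dev'` hint; a short comment on the entry, e.g. `// the generic .pinniped.dev substring check in validateParams rejects this name, so the hint is the generic one`, would make clear that this is expected rather than a copy-paste leftover. The table in TestSupervisorLogin_Browser starts and ends outside the hunk.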
@@ -1846,6 +1867,7 @@ func doTokenExchange(

 resp, err := httpClient.Do(req)
 require.NoError(t, err)
+ defer func() { _ = resp.Body.Close() }()

 // If a function was passed, call it, so it can make the desired assertions.
 if wantTokenExchangeResponse != nil {
@@ -1858,7 +1880,6 @@ func doTokenExchange(

 // Else, want a successful response.
 require.Equal(t, resp.StatusCode, http.StatusOK)
- defer func() { _ = resp.Body.Close() }()
 var respBody struct {
 AccessToken string `json:"access_token"`
 IssuedTokenType string `json:"issued_token_type"`
From 8f4285dbff43fb470c5745e42b34946ca299a143 Mon Sep 17 00:00:00 2001
From: Margo Crawford
Date: Mon, 13 Jun 2022 14:28:05 -0700
Subject: [PATCH 14/61] Change group names
Signed-off-by: Margo Crawford --- apis/supervisor/clientsecret/doc.go.tmpl | 8 + .../oauth => clientsecret}/register.go.tmpl | 4 +- .../types_oidcclientsecretrequest.go.tmpl | 2 +- .../v1alpha1/conversion.go.tmpl | 0 .../v1alpha1/defaults.go.tmpl | 0 .../v1alpha1/doc.go.tmpl | 6 +- .../v1alpha1/register.go.tmpl | 2 +- .../types_oidcclientsecretrequest.go.tmpl | 0 .../config/v1alpha1/register.go.tmpl | 2 + .../v1alpha1/types_oidcclient.go.tmpl | 0 apis/supervisor/oauth/v1alpha1/doc.go.tmpl | 10 - .../oauth/v1alpha1/register.go.tmpl | 43 --- apis/supervisor/virtual/oauth/doc.go.tmpl | 8 - ....supervisor.pinniped.dev_oidcclients.yaml} | 4 +- deploy/supervisor/deployment.yaml | 4 +- deploy/supervisor/z0_crd_overlay.yaml | 6 +- generated/1.17/README.adoc | 287 +++++++++--------- .../1.17/apis/supervisor/clientsecret/doc.go | 8 + .../apis/supervisor/clientsecret}/register.go | 4 +- .../types_oidcclientsecretrequest.go | 2 +- .../v1alpha1/conversion.go | 0 .../v1alpha1/defaults.go | 0 .../oauth => clientsecret}/v1alpha1/doc.go | 6 +- .../clientsecret}/v1alpha1/register.go | 2 +- .../v1alpha1/types_oidcclientsecretrequest.go | 0 .../v1alpha1/zz_generated.conversion.go | 131 ++++++++ .../v1alpha1/zz_generated.deepcopy.go | 0 .../v1alpha1/zz_generated.defaults.go | 0 .../clientsecret}/zz_generated.deepcopy.go | 2 +- .../supervisor/config/v1alpha1/register.go | 2 + .../v1alpha1/types_oidcclient.go | 0 .../config/v1alpha1/zz_generated.deepcopy.go | 108 +++++++ .../apis/supervisor/oauth/v1alpha1/doc.go | 10 - .../supervisor/oauth/v1alpha1/register.go | 43 --- .../oauth/v1alpha1/zz_generated.deepcopy.go | 121 -------- .../1.17/apis/supervisor/virtual/oauth/doc.go | 8 - .../oauth/v1alpha1/zz_generated.conversion.go | 131 -------- .../clientset/versioned/clientset.go | 32 +- .../versioned/fake/clientset_generated.go | 14 +- .../clientset/versioned/fake/register.go | 4 +- .../clientset/versioned/scheme/register.go | 4 +- .../v1alpha1/clientsecret_client.go} | 30 +- .../{oauth => 
clientsecret}/v1alpha1/doc.go | 0 .../v1alpha1/fake/doc.go | 0 .../fake/fake_clientsecret_client.go} | 10 +- .../fake/fake_oidcclientsecretrequest.go | 8 +- .../v1alpha1/generated_expansion.go | 0 .../v1alpha1/oidcclientsecretrequest.go | 4 +- .../typed/config/v1alpha1/config_client.go | 5 + .../v1alpha1/fake/fake_config_client.go | 4 + .../v1alpha1/fake/fake_oidcclient.go | 8 +- .../config/v1alpha1/generated_expansion.go | 2 + .../{oauth => config}/v1alpha1/oidcclient.go | 4 +- .../oauth/v1alpha1/generated_expansion.go | 8 - .../typed/oauth/v1alpha1/oauth_client.go | 76 ----- .../config/v1alpha1/interface.go | 7 + .../{oauth => config}/v1alpha1/oidcclient.go | 12 +- .../informers/externalversions/factory.go | 6 - .../informers/externalversions/generic.go | 7 +- .../externalversions/oauth/interface.go | 33 -- .../oauth/v1alpha1/interface.go | 32 -- .../config/v1alpha1/expansion_generated.go | 8 + .../listers/config}/v1alpha1/oidcclient.go | 2 +- .../oauth/v1alpha1/expansion_generated.go | 14 - .../virtual/clientset/versioned/clientset.go | 84 ----- .../virtual/clientset/versioned/doc.go | 7 - .../versioned/fake/clientset_generated.go | 69 ----- .../virtual/clientset/versioned/fake/doc.go | 7 - .../clientset/versioned/fake/register.go | 43 --- .../virtual/clientset/versioned/scheme/doc.go | 7 - .../clientset/versioned/scheme/register.go | 43 --- .../oauth/v1alpha1/fake/fake_oauth_client.go | 27 -- ....supervisor.pinniped.dev_oidcclients.yaml} | 4 +- generated/1.18/README.adoc | 287 +++++++++--------- .../1.18/apis/supervisor/clientsecret/doc.go | 8 + .../apis/supervisor/clientsecret}/register.go | 4 +- .../types_oidcclientsecretrequest.go | 2 +- .../v1alpha1/conversion.go | 0 .../v1alpha1/defaults.go | 0 .../oauth => clientsecret}/v1alpha1/doc.go | 6 +- .../v1alpha1/register.go | 2 +- .../v1alpha1/types_oidcclientsecretrequest.go | 0 .../v1alpha1/zz_generated.conversion.go | 131 ++++++++ .../v1alpha1/zz_generated.deepcopy.go | 0 .../v1alpha1/zz_generated.defaults.go 
| 0 .../clientsecret}/zz_generated.deepcopy.go | 2 +- .../supervisor/config/v1alpha1/register.go | 2 + .../v1alpha1/types_oidcclient.go | 0 .../config/v1alpha1/zz_generated.deepcopy.go | 108 +++++++ .../apis/supervisor/oauth/v1alpha1/doc.go | 10 - .../supervisor/oauth/v1alpha1/register.go | 43 --- .../oauth/v1alpha1/zz_generated.deepcopy.go | 121 -------- .../1.18/apis/supervisor/virtual/oauth/doc.go | 8 - .../oauth/v1alpha1/zz_generated.conversion.go | 131 -------- .../clientset/versioned/clientset.go | 32 +- .../versioned/fake/clientset_generated.go | 14 +- .../clientset/versioned/fake/register.go | 4 +- .../clientset/versioned/scheme/register.go | 4 +- .../v1alpha1/clientsecret_client.go} | 30 +- .../typed/clientsecret}/v1alpha1/doc.go | 0 .../typed/clientsecret}/v1alpha1/fake/doc.go | 0 .../fake/fake_clientsecret_client.go} | 10 +- .../fake/fake_oidcclientsecretrequest.go | 8 +- .../v1alpha1/generated_expansion.go | 0 .../v1alpha1/oidcclientsecretrequest.go | 6 +- .../typed/config/v1alpha1/config_client.go | 5 + .../v1alpha1/fake/fake_config_client.go | 4 + .../config}/v1alpha1/fake/fake_oidcclient.go | 8 +- .../config/v1alpha1/generated_expansion.go | 2 + .../{oauth => config}/v1alpha1/oidcclient.go | 4 +- .../oauth/v1alpha1/generated_expansion.go | 8 - .../typed/oauth/v1alpha1/oauth_client.go | 76 ----- .../config/v1alpha1/interface.go | 7 + .../{oauth => config}/v1alpha1/oidcclient.go | 12 +- .../informers/externalversions/factory.go | 6 - .../informers/externalversions/generic.go | 7 +- .../externalversions/oauth/interface.go | 33 -- .../oauth/v1alpha1/interface.go | 32 -- .../config/v1alpha1/expansion_generated.go | 8 + .../listers/config}/v1alpha1/oidcclient.go | 2 +- .../oauth/v1alpha1/expansion_generated.go | 14 - .../virtual/clientset/versioned/clientset.go | 84 ----- .../virtual/clientset/versioned/doc.go | 7 - .../versioned/fake/clientset_generated.go | 69 ----- .../virtual/clientset/versioned/fake/doc.go | 7 - 
.../clientset/versioned/fake/register.go | 43 --- .../virtual/clientset/versioned/scheme/doc.go | 7 - .../clientset/versioned/scheme/register.go | 43 --- .../oauth/v1alpha1/fake/fake_oauth_client.go | 27 -- ....supervisor.pinniped.dev_oidcclients.yaml} | 4 +- generated/1.19/README.adoc | 287 +++++++++--------- .../1.19/apis/supervisor/clientsecret/doc.go | 8 + .../oauth => clientsecret}/register.go | 4 +- .../types_oidcclientsecretrequest.go | 2 +- .../v1alpha1/conversion.go | 0 .../v1alpha1/defaults.go | 0 .../oauth => clientsecret}/v1alpha1/doc.go | 6 +- .../v1alpha1/register.go | 2 +- .../v1alpha1/types_oidcclientsecretrequest.go | 0 .../v1alpha1/zz_generated.conversion.go | 131 ++++++++ .../v1alpha1/zz_generated.deepcopy.go | 0 .../v1alpha1/zz_generated.defaults.go | 0 .../clientsecret}/zz_generated.deepcopy.go | 2 +- .../supervisor/config/v1alpha1/register.go | 2 + .../v1alpha1/types_oidcclient.go | 0 .../config/v1alpha1/zz_generated.deepcopy.go | 108 +++++++ .../apis/supervisor/oauth/v1alpha1/doc.go | 10 - .../supervisor/oauth/v1alpha1/register.go | 43 --- .../oauth/v1alpha1/zz_generated.deepcopy.go | 121 -------- .../1.19/apis/supervisor/virtual/oauth/doc.go | 8 - .../oauth/v1alpha1/zz_generated.conversion.go | 131 -------- .../clientset/versioned/clientset.go | 32 +- .../versioned/fake/clientset_generated.go | 14 +- .../clientset/versioned/fake/register.go | 4 +- .../clientset/versioned/scheme/register.go | 4 +- .../v1alpha1/clientsecret_client.go} | 30 +- .../typed/clientsecret}/v1alpha1/doc.go | 0 .../typed/clientsecret}/v1alpha1/fake/doc.go | 0 .../fake/fake_clientsecret_client.go} | 10 +- .../fake/fake_oidcclientsecretrequest.go | 8 +- .../v1alpha1/generated_expansion.go | 0 .../v1alpha1/oidcclientsecretrequest.go | 6 +- .../typed/config/v1alpha1/config_client.go | 5 + .../v1alpha1/fake/fake_config_client.go | 4 + .../config}/v1alpha1/fake/fake_oidcclient.go | 8 +- .../config/v1alpha1/generated_expansion.go | 2 + .../{oauth => 
config}/v1alpha1/oidcclient.go | 4 +- .../oauth/v1alpha1/generated_expansion.go | 8 - .../typed/oauth/v1alpha1/oauth_client.go | 76 ----- .../config/v1alpha1/interface.go | 7 + .../{oauth => config}/v1alpha1/oidcclient.go | 12 +- .../informers/externalversions/factory.go | 6 - .../informers/externalversions/generic.go | 7 +- .../externalversions/oauth/interface.go | 33 -- .../oauth/v1alpha1/interface.go | 32 -- .../config/v1alpha1/expansion_generated.go | 8 + .../listers/config}/v1alpha1/oidcclient.go | 2 +- .../oauth/v1alpha1/expansion_generated.go | 14 - .../virtual/clientset/versioned/clientset.go | 84 ----- .../virtual/clientset/versioned/doc.go | 7 - .../versioned/fake/clientset_generated.go | 69 ----- .../virtual/clientset/versioned/fake/doc.go | 7 - .../clientset/versioned/fake/register.go | 43 --- .../virtual/clientset/versioned/scheme/doc.go | 7 - .../clientset/versioned/scheme/register.go | 43 --- .../oauth/v1alpha1/fake/fake_oauth_client.go | 27 -- ....supervisor.pinniped.dev_oidcclients.yaml} | 4 +- generated/1.20/README.adoc | 287 +++++++++--------- .../1.20/apis/supervisor/clientsecret/doc.go | 8 + .../oauth => clientsecret}/register.go | 4 +- .../types_oidcclientsecretrequest.go | 2 +- .../v1alpha1/conversion.go | 0 .../v1alpha1/defaults.go | 0 .../oauth => clientsecret}/v1alpha1/doc.go | 6 +- .../clientsecret}/v1alpha1/register.go | 2 +- .../v1alpha1/types_oidcclientsecretrequest.go | 0 .../v1alpha1/zz_generated.conversion.go | 131 ++++++++ .../v1alpha1/zz_generated.deepcopy.go | 0 .../v1alpha1/zz_generated.defaults.go | 0 .../clientsecret}/zz_generated.deepcopy.go | 2 +- .../supervisor/config/v1alpha1/register.go | 2 + .../v1alpha1/types_oidcclient.go | 0 .../config/v1alpha1/zz_generated.deepcopy.go | 108 +++++++ .../apis/supervisor/oauth/v1alpha1/doc.go | 10 - .../supervisor/oauth/v1alpha1/register.go | 43 --- .../oauth/v1alpha1/zz_generated.deepcopy.go | 121 -------- .../1.20/apis/supervisor/virtual/oauth/doc.go | 8 - 
.../oauth/v1alpha1/zz_generated.conversion.go | 131 -------- .../clientset/versioned/clientset.go | 32 +- .../versioned/fake/clientset_generated.go | 14 +- .../clientset/versioned/fake/register.go | 4 +- .../clientset/versioned/scheme/register.go | 4 +- .../v1alpha1/clientsecret_client.go} | 30 +- .../typed/clientsecret}/v1alpha1/doc.go | 0 .../typed/clientsecret}/v1alpha1/fake/doc.go | 0 .../fake/fake_clientsecret_client.go} | 10 +- .../fake/fake_oidcclientsecretrequest.go | 8 +- .../v1alpha1/generated_expansion.go | 0 .../v1alpha1/oidcclientsecretrequest.go | 6 +- .../typed/config/v1alpha1/config_client.go | 5 + .../v1alpha1/fake/fake_config_client.go | 4 + .../config}/v1alpha1/fake/fake_oidcclient.go | 8 +- .../config/v1alpha1/generated_expansion.go | 2 + .../{oauth => config}/v1alpha1/oidcclient.go | 4 +- .../oauth/v1alpha1/generated_expansion.go | 8 - .../typed/oauth/v1alpha1/oauth_client.go | 76 ----- .../config/v1alpha1/interface.go | 7 + .../{oauth => config}/v1alpha1/oidcclient.go | 12 +- .../informers/externalversions/factory.go | 6 - .../informers/externalversions/generic.go | 7 +- .../externalversions/oauth/interface.go | 33 -- .../oauth/v1alpha1/interface.go | 32 -- .../config/v1alpha1/expansion_generated.go | 8 + .../listers/config}/v1alpha1/oidcclient.go | 2 +- .../oauth/v1alpha1/expansion_generated.go | 14 - .../virtual/clientset/versioned/clientset.go | 84 ----- .../virtual/clientset/versioned/doc.go | 7 - .../versioned/fake/clientset_generated.go | 69 ----- .../virtual/clientset/versioned/fake/doc.go | 7 - .../clientset/versioned/fake/register.go | 43 --- .../virtual/clientset/versioned/scheme/doc.go | 7 - .../clientset/versioned/scheme/register.go | 43 --- .../oauth/v1alpha1/fake/fake_oauth_client.go | 27 -- ...g.supervisor.pinniped.dev_oidcclients.yaml | 125 ++++++++ ...h.supervisor.pinniped.dev_oidcclients.yaml | 125 -------- generated/1.21/README.adoc | 287 +++++++++--------- .../1.21/apis/supervisor/clientsecret/doc.go | 8 + 
.../apis/supervisor/clientsecret/register.go | 37 +++ .../types_oidcclientsecretrequest.go | 25 ++ .../v1alpha1/conversion.go | 0 .../v1alpha1/defaults.go | 0 .../oauth => clientsecret}/v1alpha1/doc.go | 6 +- .../clientsecret/v1alpha1/register.go | 42 +++ .../v1alpha1/types_oidcclientsecretrequest.go | 0 .../v1alpha1/zz_generated.conversion.go | 131 ++++++++ .../v1alpha1/zz_generated.deepcopy.go | 0 .../v1alpha1/zz_generated.defaults.go | 0 .../clientsecret/zz_generated.deepcopy.go | 73 +++++ .../supervisor/config/v1alpha1/register.go | 2 + .../v1alpha1/types_oidcclient.go | 0 .../config/v1alpha1/zz_generated.deepcopy.go | 108 +++++++ .../apis/supervisor/oauth/v1alpha1/doc.go | 10 - .../supervisor/oauth/v1alpha1/register.go | 43 --- .../oauth/v1alpha1/zz_generated.deepcopy.go | 121 -------- .../1.21/apis/supervisor/virtual/oauth/doc.go | 8 - .../apis/supervisor/virtual/oauth/register.go | 37 --- .../oauth/types_oidcclientsecretrequest.go | 25 -- .../virtual/oauth/v1alpha1/register.go | 42 --- .../oauth/v1alpha1/zz_generated.conversion.go | 131 -------- .../virtual/oauth/zz_generated.deepcopy.go | 73 ----- .../clientset/versioned/clientset.go | 32 +- .../versioned/fake/clientset_generated.go | 14 +- .../clientset/versioned/fake/register.go | 4 +- .../clientset/versioned/scheme/register.go | 4 +- .../v1alpha1/clientsecret_client.go | 76 +++++ .../typed/clientsecret}/v1alpha1/doc.go | 0 .../typed/clientsecret}/v1alpha1/fake/doc.go | 0 .../fake/fake_clientsecret_client.go} | 10 +- .../fake/fake_oidcclientsecretrequest.go | 8 +- .../v1alpha1/generated_expansion.go | 0 .../v1alpha1/oidcclientsecretrequest.go | 6 +- .../typed/config/v1alpha1/config_client.go | 5 + .../v1alpha1/fake/fake_config_client.go | 4 + .../config}/v1alpha1/fake/fake_oidcclient.go | 8 +- .../config/v1alpha1/generated_expansion.go | 2 + .../{oauth => config}/v1alpha1/oidcclient.go | 4 +- .../oauth/v1alpha1/generated_expansion.go | 8 - .../typed/oauth/v1alpha1/oauth_client.go | 76 ----- 
.../config/v1alpha1/interface.go | 7 + .../{oauth => config}/v1alpha1/oidcclient.go | 12 +- .../informers/externalversions/factory.go | 6 - .../informers/externalversions/generic.go | 7 +- .../externalversions/oauth/interface.go | 33 -- .../oauth/v1alpha1/interface.go | 32 -- .../config/v1alpha1/expansion_generated.go | 8 + .../listers/config}/v1alpha1/oidcclient.go | 2 +- .../oauth/v1alpha1/expansion_generated.go | 14 - .../virtual/clientset/versioned/clientset.go | 84 ----- .../virtual/clientset/versioned/doc.go | 7 - .../versioned/fake/clientset_generated.go | 69 ----- .../virtual/clientset/versioned/fake/doc.go | 7 - .../clientset/versioned/fake/register.go | 43 --- .../virtual/clientset/versioned/scheme/doc.go | 7 - .../clientset/versioned/scheme/register.go | 43 --- .../versioned/typed/oauth/v1alpha1/doc.go | 7 - .../typed/oauth/v1alpha1/fake/doc.go | 7 - .../oauth/v1alpha1/fake/fake_oauth_client.go | 27 -- .../typed/oauth/v1alpha1/oauth_client.go | 76 ----- ...g.supervisor.pinniped.dev_oidcclients.yaml | 125 ++++++++ ...h.supervisor.pinniped.dev_oidcclients.yaml | 125 -------- generated/1.22/README.adoc | 287 +++++++++--------- .../1.22/apis/supervisor/clientsecret/doc.go | 8 + .../apis/supervisor/clientsecret/register.go | 37 +++ .../types_oidcclientsecretrequest.go | 25 ++ .../v1alpha1/conversion.go | 0 .../v1alpha1/defaults.go | 0 .../oauth => clientsecret}/v1alpha1/doc.go | 6 +- .../clientsecret/v1alpha1/register.go | 42 +++ .../v1alpha1/types_oidcclientsecretrequest.go | 0 .../v1alpha1/zz_generated.conversion.go | 131 ++++++++ .../v1alpha1/zz_generated.deepcopy.go | 0 .../v1alpha1/zz_generated.defaults.go | 0 .../clientsecret/zz_generated.deepcopy.go | 73 +++++ .../supervisor/config/v1alpha1/register.go | 2 + .../v1alpha1/types_oidcclient.go | 0 .../config/v1alpha1/zz_generated.deepcopy.go | 108 +++++++ .../apis/supervisor/oauth/v1alpha1/doc.go | 10 - .../supervisor/oauth/v1alpha1/register.go | 43 --- .../oauth/v1alpha1/zz_generated.deepcopy.go | 121 
-------- .../1.22/apis/supervisor/virtual/oauth/doc.go | 8 - .../apis/supervisor/virtual/oauth/register.go | 37 --- .../oauth/types_oidcclientsecretrequest.go | 25 -- .../virtual/oauth/v1alpha1/register.go | 42 --- .../oauth/v1alpha1/zz_generated.conversion.go | 131 -------- .../virtual/oauth/zz_generated.deepcopy.go | 73 ----- .../clientset/versioned/clientset.go | 32 +- .../versioned/fake/clientset_generated.go | 14 +- .../clientset/versioned/fake/register.go | 4 +- .../clientset/versioned/scheme/register.go | 4 +- .../v1alpha1/clientsecret_client.go | 76 +++++ .../typed/clientsecret}/v1alpha1/doc.go | 0 .../typed/clientsecret}/v1alpha1/fake/doc.go | 0 .../fake/fake_clientsecret_client.go} | 10 +- .../fake/fake_oidcclientsecretrequest.go | 36 +++ .../v1alpha1/generated_expansion.go | 0 .../v1alpha1/oidcclientsecretrequest.go | 54 ++++ .../typed/config/v1alpha1/config_client.go | 5 + .../v1alpha1/fake/fake_config_client.go | 4 + .../config/v1alpha1/fake/fake_oidcclient.go | 129 ++++++++ .../config/v1alpha1/generated_expansion.go | 2 + .../{oauth => config}/v1alpha1/oidcclient.go | 4 +- .../versioned/typed/oauth/v1alpha1/doc.go | 7 - .../typed/oauth/v1alpha1/fake/doc.go | 7 - .../oauth/v1alpha1/fake/fake_oidcclient.go | 129 -------- .../oauth/v1alpha1/generated_expansion.go | 8 - .../typed/oauth/v1alpha1/oauth_client.go | 76 ----- .../config/v1alpha1/interface.go | 7 + .../{oauth => config}/v1alpha1/oidcclient.go | 12 +- .../informers/externalversions/factory.go | 6 - .../informers/externalversions/generic.go | 7 +- .../externalversions/oauth/interface.go | 33 -- .../oauth/v1alpha1/interface.go | 32 -- .../config/v1alpha1/expansion_generated.go | 8 + .../listers/config}/v1alpha1/oidcclient.go | 2 +- .../oauth/v1alpha1/expansion_generated.go | 14 - .../virtual/clientset/versioned/clientset.go | 84 ----- .../virtual/clientset/versioned/doc.go | 7 - .../versioned/fake/clientset_generated.go | 72 ----- .../virtual/clientset/versioned/fake/doc.go | 7 - 
.../clientset/versioned/fake/register.go | 43 --- .../virtual/clientset/versioned/scheme/doc.go | 7 - .../clientset/versioned/scheme/register.go | 43 --- .../versioned/typed/oauth/v1alpha1/doc.go | 7 - .../typed/oauth/v1alpha1/fake/doc.go | 7 - .../oauth/v1alpha1/fake/fake_oauth_client.go | 27 -- .../fake/fake_oidcclientsecretrequest.go | 36 --- .../typed/oauth/v1alpha1/oauth_client.go | 76 ----- .../oauth/v1alpha1/oidcclientsecretrequest.go | 54 ---- ...g.supervisor.pinniped.dev_oidcclients.yaml | 125 ++++++++ ...h.supervisor.pinniped.dev_oidcclients.yaml | 125 -------- generated/1.23/README.adoc | 287 +++++++++--------- .../1.23/apis/supervisor/clientsecret/doc.go | 8 + .../apis/supervisor/clientsecret/register.go | 37 +++ .../types_oidcclientsecretrequest.go | 25 ++ .../v1alpha1/conversion.go | 0 .../v1alpha1/defaults.go | 0 .../oauth => clientsecret}/v1alpha1/doc.go | 6 +- .../clientsecret/v1alpha1/register.go | 42 +++ .../v1alpha1/types_oidcclientsecretrequest.go | 0 .../v1alpha1/zz_generated.conversion.go | 131 ++++++++ .../v1alpha1/zz_generated.deepcopy.go | 0 .../v1alpha1/zz_generated.defaults.go | 0 .../clientsecret/zz_generated.deepcopy.go | 73 +++++ .../supervisor/config/v1alpha1/register.go | 2 + .../v1alpha1/types_oidcclient.go | 0 .../config/v1alpha1/zz_generated.deepcopy.go | 108 +++++++ .../apis/supervisor/oauth/v1alpha1/doc.go | 10 - .../supervisor/oauth/v1alpha1/register.go | 43 --- .../oauth/v1alpha1/zz_generated.deepcopy.go | 121 -------- .../1.23/apis/supervisor/virtual/oauth/doc.go | 8 - .../apis/supervisor/virtual/oauth/register.go | 37 --- .../oauth/types_oidcclientsecretrequest.go | 25 -- .../virtual/oauth/v1alpha1/register.go | 42 --- .../oauth/v1alpha1/zz_generated.conversion.go | 131 -------- .../virtual/oauth/zz_generated.deepcopy.go | 73 ----- .../clientset/versioned/clientset.go | 30 +- .../versioned/fake/clientset_generated.go | 14 +- .../clientset/versioned/fake/register.go | 4 +- .../clientset/versioned/scheme/register.go | 4 +- 
.../v1alpha1/clientsecret_client.go} | 34 +-- .../typed/clientsecret}/v1alpha1/doc.go | 0 .../typed/clientsecret}/v1alpha1/fake/doc.go | 0 .../fake/fake_clientsecret_client.go} | 10 +- .../fake/fake_oidcclientsecretrequest.go | 36 +++ .../v1alpha1/generated_expansion.go | 0 .../v1alpha1/oidcclientsecretrequest.go | 54 ++++ .../typed/config/v1alpha1/config_client.go | 5 + .../v1alpha1/fake/fake_config_client.go | 4 + .../v1alpha1/fake/fake_oidcclient.go | 8 +- .../config/v1alpha1/generated_expansion.go | 2 + .../{oauth => config}/v1alpha1/oidcclient.go | 4 +- .../versioned/typed/oauth/v1alpha1/doc.go | 7 - .../typed/oauth/v1alpha1/fake/doc.go | 7 - .../oauth/v1alpha1/generated_expansion.go | 8 - .../typed/oauth/v1alpha1/oauth_client.go | 94 ------ .../config/v1alpha1/interface.go | 7 + .../{oauth => config}/v1alpha1/oidcclient.go | 12 +- .../informers/externalversions/factory.go | 6 - .../informers/externalversions/generic.go | 7 +- .../externalversions/oauth/interface.go | 33 -- .../oauth/v1alpha1/interface.go | 32 -- .../config/v1alpha1/expansion_generated.go | 8 + .../listers/config/v1alpha1/oidcclient.go | 86 ++++++ .../oauth/v1alpha1/expansion_generated.go | 14 - .../listers/oauth/v1alpha1/oidcclient.go | 86 ------ .../virtual/clientset/versioned/clientset.go | 108 ------- .../virtual/clientset/versioned/doc.go | 7 - .../versioned/fake/clientset_generated.go | 72 ----- .../virtual/clientset/versioned/fake/doc.go | 7 - .../clientset/versioned/fake/register.go | 43 --- .../virtual/clientset/versioned/scheme/doc.go | 7 - .../clientset/versioned/scheme/register.go | 43 --- .../versioned/typed/oauth/v1alpha1/doc.go | 7 - .../typed/oauth/v1alpha1/fake/doc.go | 7 - .../oauth/v1alpha1/fake/fake_oauth_client.go | 27 -- .../fake/fake_oidcclientsecretrequest.go | 36 --- .../oauth/v1alpha1/oidcclientsecretrequest.go | 54 ---- ...g.supervisor.pinniped.dev_oidcclients.yaml | 125 ++++++++ ...h.supervisor.pinniped.dev_oidcclients.yaml | 125 -------- generated/1.24/README.adoc 
| 287 +++++++++--------- .../1.24/apis/supervisor/clientsecret/doc.go | 8 + .../apis/supervisor/clientsecret/register.go | 37 +++ .../types_oidcclientsecretrequest.go | 25 ++ .../v1alpha1/conversion.go | 0 .../v1alpha1/defaults.go | 0 .../oauth => clientsecret}/v1alpha1/doc.go | 6 +- .../clientsecret/v1alpha1/register.go | 42 +++ .../v1alpha1/types_oidcclientsecretrequest.go | 0 .../v1alpha1/zz_generated.conversion.go | 131 ++++++++ .../v1alpha1/zz_generated.deepcopy.go | 0 .../v1alpha1/zz_generated.defaults.go | 0 .../clientsecret/zz_generated.deepcopy.go | 73 +++++ .../supervisor/config/v1alpha1/register.go | 2 + .../v1alpha1/types_oidcclient.go | 0 .../config/v1alpha1/zz_generated.deepcopy.go | 108 +++++++ .../apis/supervisor/oauth/v1alpha1/doc.go | 10 - .../supervisor/oauth/v1alpha1/register.go | 43 --- .../oauth/v1alpha1/zz_generated.deepcopy.go | 121 -------- .../1.24/apis/supervisor/virtual/oauth/doc.go | 8 - .../apis/supervisor/virtual/oauth/register.go | 37 --- .../oauth/types_oidcclientsecretrequest.go | 25 -- .../virtual/oauth/v1alpha1/register.go | 42 --- .../oauth/v1alpha1/zz_generated.conversion.go | 131 -------- .../virtual/oauth/zz_generated.deepcopy.go | 73 ----- .../clientset/versioned/clientset.go | 30 +- .../versioned/fake/clientset_generated.go | 14 +- .../clientset/versioned/fake/register.go | 4 +- .../clientset/versioned/scheme/register.go | 4 +- .../v1alpha1/clientsecret_client.go} | 34 +-- .../typed/clientsecret}/v1alpha1/doc.go | 0 .../typed/clientsecret}/v1alpha1/fake/doc.go | 0 .../fake/fake_clientsecret_client.go} | 10 +- .../fake/fake_oidcclientsecretrequest.go | 36 +++ .../v1alpha1/generated_expansion.go | 0 .../v1alpha1/oidcclientsecretrequest.go | 54 ++++ .../typed/config/v1alpha1/config_client.go | 5 + .../v1alpha1/fake/fake_config_client.go | 4 + .../v1alpha1/fake/fake_oidcclient.go | 8 +- .../config/v1alpha1/generated_expansion.go | 2 + .../{oauth => config}/v1alpha1/oidcclient.go | 4 +- .../versioned/typed/oauth/v1alpha1/doc.go 
| 7 - .../typed/oauth/v1alpha1/fake/doc.go | 7 - .../oauth/v1alpha1/generated_expansion.go | 8 - .../typed/oauth/v1alpha1/oauth_client.go | 94 ------ .../config/v1alpha1/interface.go | 7 + .../{oauth => config}/v1alpha1/oidcclient.go | 12 +- .../informers/externalversions/factory.go | 6 - .../informers/externalversions/generic.go | 7 +- .../externalversions/oauth/interface.go | 33 -- .../oauth/v1alpha1/interface.go | 32 -- .../config/v1alpha1/expansion_generated.go | 8 + .../listers/config/v1alpha1/oidcclient.go | 86 ++++++ .../oauth/v1alpha1/expansion_generated.go | 14 - .../listers/oauth/v1alpha1/oidcclient.go | 86 ------ .../virtual/clientset/versioned/clientset.go | 108 ------- .../virtual/clientset/versioned/doc.go | 7 - .../versioned/fake/clientset_generated.go | 72 ----- .../virtual/clientset/versioned/fake/doc.go | 7 - .../clientset/versioned/fake/register.go | 43 --- .../virtual/clientset/versioned/scheme/doc.go | 7 - .../clientset/versioned/scheme/register.go | 43 --- .../versioned/typed/oauth/v1alpha1/doc.go | 7 - .../typed/oauth/v1alpha1/fake/doc.go | 7 - .../oauth/v1alpha1/fake/fake_oauth_client.go | 27 -- .../fake/fake_oidcclientsecretrequest.go | 36 --- .../oauth/v1alpha1/oidcclientsecretrequest.go | 54 ---- ...g.supervisor.pinniped.dev_oidcclients.yaml | 125 ++++++++ ...h.supervisor.pinniped.dev_oidcclients.yaml | 125 -------- .../apis/supervisor/clientsecret/doc.go | 8 + .../apis/supervisor/clientsecret/register.go | 37 +++ .../types_oidcclientsecretrequest.go | 25 ++ .../v1alpha1/conversion.go | 0 .../v1alpha1/defaults.go | 0 .../oauth => clientsecret}/v1alpha1/doc.go | 6 +- .../clientsecret/v1alpha1/register.go | 42 +++ .../v1alpha1/types_oidcclientsecretrequest.go | 0 .../v1alpha1/zz_generated.conversion.go | 131 ++++++++ .../v1alpha1/zz_generated.deepcopy.go | 0 .../v1alpha1/zz_generated.defaults.go | 0 .../clientsecret/zz_generated.deepcopy.go | 73 +++++ .../supervisor/config/v1alpha1/register.go | 2 + .../v1alpha1/types_oidcclient.go | 0 
.../config/v1alpha1/zz_generated.deepcopy.go | 108 +++++++ .../apis/supervisor/oauth/v1alpha1/doc.go | 10 - .../supervisor/oauth/v1alpha1/register.go | 43 --- .../oauth/v1alpha1/zz_generated.deepcopy.go | 121 -------- .../apis/supervisor/virtual/oauth/doc.go | 8 - .../apis/supervisor/virtual/oauth/register.go | 37 --- .../oauth/types_oidcclientsecretrequest.go | 25 -- .../virtual/oauth/v1alpha1/register.go | 42 --- .../oauth/v1alpha1/zz_generated.conversion.go | 131 -------- .../virtual/oauth/zz_generated.deepcopy.go | 73 ----- .../clientset/versioned/clientset.go | 30 +- .../versioned/fake/clientset_generated.go | 14 +- .../clientset/versioned/fake/register.go | 4 +- .../clientset/versioned/scheme/register.go | 4 +- .../v1alpha1/clientsecret_client.go} | 34 +-- .../typed/clientsecret}/v1alpha1/doc.go | 0 .../typed/clientsecret}/v1alpha1/fake/doc.go | 0 .../fake/fake_clientsecret_client.go} | 10 +- .../fake/fake_oidcclientsecretrequest.go | 36 +++ .../v1alpha1/generated_expansion.go | 0 .../v1alpha1/oidcclientsecretrequest.go | 54 ++++ .../typed/config/v1alpha1/config_client.go | 5 + .../v1alpha1/fake/fake_config_client.go | 4 + .../v1alpha1/fake/fake_oidcclient.go | 8 +- .../config/v1alpha1/generated_expansion.go | 2 + .../{oauth => config}/v1alpha1/oidcclient.go | 4 +- .../versioned/typed/oauth/v1alpha1/doc.go | 7 - .../typed/oauth/v1alpha1/fake/doc.go | 7 - .../oauth/v1alpha1/generated_expansion.go | 8 - .../typed/oauth/v1alpha1/oauth_client.go | 94 ------ .../config/v1alpha1/interface.go | 7 + .../{oauth => config}/v1alpha1/oidcclient.go | 12 +- .../informers/externalversions/factory.go | 6 - .../informers/externalversions/generic.go | 7 +- .../externalversions/oauth/interface.go | 33 -- .../oauth/v1alpha1/interface.go | 32 -- .../config/v1alpha1/expansion_generated.go | 8 + .../listers/config/v1alpha1/oidcclient.go | 86 ++++++ .../oauth/v1alpha1/expansion_generated.go | 14 - .../listers/oauth/v1alpha1/oidcclient.go | 86 ------ 
.../virtual/clientset/versioned/clientset.go | 108 ------- .../virtual/clientset/versioned/doc.go | 7 - .../versioned/fake/clientset_generated.go | 72 ----- .../virtual/clientset/versioned/fake/doc.go | 7 - .../clientset/versioned/fake/register.go | 43 --- .../virtual/clientset/versioned/scheme/doc.go | 7 - .../clientset/versioned/scheme/register.go | 43 --- .../versioned/typed/oauth/v1alpha1/doc.go | 7 - .../typed/oauth/v1alpha1/fake/doc.go | 7 - .../oauth/v1alpha1/fake/fake_oauth_client.go | 27 -- .../fake/fake_oidcclientsecretrequest.go | 36 --- .../oauth/v1alpha1/oidcclientsecretrequest.go | 54 ---- hack/lib/update-codegen.sh | 16 +- internal/groupsuffix/groupdata.go | 10 +- internal/kubeclient/kubeclient.go | 25 +- internal/registry/clientsecretrequest/rest.go | 12 +- internal/supervisor/scheme/scheme.go | 20 +- internal/supervisor/scheme/scheme_test.go | 64 ++-- test/integration/kube_api_discovery_test.go | 24 +- .../supervisor_oidcclientsecret_test.go | 10 +- test/testlib/client.go | 11 +- 593 files changed, 6704 insertions(+), 11610 deletions(-) create mode 100644 apis/supervisor/clientsecret/doc.go.tmpl rename apis/supervisor/{virtual/oauth => clientsecret}/register.go.tmpl (93%) rename apis/supervisor/{virtual/oauth => clientsecret}/types_oidcclientsecretrequest.go.tmpl (97%) rename apis/supervisor/{virtual/oauth => clientsecret}/v1alpha1/conversion.go.tmpl (100%) rename apis/supervisor/{virtual/oauth => clientsecret}/v1alpha1/defaults.go.tmpl (100%) rename apis/supervisor/{virtual/oauth => clientsecret}/v1alpha1/doc.go.tmpl (64%) rename apis/supervisor/{virtual/oauth => clientsecret}/v1alpha1/register.go.tmpl (95%) rename apis/supervisor/{virtual/oauth => clientsecret}/v1alpha1/types_oidcclientsecretrequest.go.tmpl (100%) rename apis/supervisor/{oauth => config}/v1alpha1/types_oidcclient.go.tmpl (100%) delete mode 100644 apis/supervisor/oauth/v1alpha1/doc.go.tmpl delete mode 100644 apis/supervisor/oauth/v1alpha1/register.go.tmpl delete mode 100644 
apis/supervisor/virtual/oauth/doc.go.tmpl rename deploy/supervisor/{oauth.supervisor.pinniped.dev_oidcclients.yaml => config.supervisor.pinniped.dev_oidcclients.yaml} (98%) create mode 100644 generated/1.17/apis/supervisor/clientsecret/doc.go rename generated/{1.18/apis/supervisor/virtual/oauth => 1.17/apis/supervisor/clientsecret}/register.go (93%) rename generated/{1.19/apis/supervisor/virtual/oauth => 1.17/apis/supervisor/clientsecret}/types_oidcclientsecretrequest.go (97%) rename generated/1.17/apis/supervisor/{virtual/oauth => clientsecret}/v1alpha1/conversion.go (100%) rename generated/1.17/apis/supervisor/{virtual/oauth => clientsecret}/v1alpha1/defaults.go (100%) rename generated/1.17/apis/supervisor/{virtual/oauth => clientsecret}/v1alpha1/doc.go (64%) rename generated/{1.20/apis/supervisor/virtual/oauth => 1.17/apis/supervisor/clientsecret}/v1alpha1/register.go (95%) rename generated/1.17/apis/supervisor/{virtual/oauth => clientsecret}/v1alpha1/types_oidcclientsecretrequest.go (100%) create mode 100644 generated/1.17/apis/supervisor/clientsecret/v1alpha1/zz_generated.conversion.go rename generated/1.17/apis/supervisor/{virtual/oauth => clientsecret}/v1alpha1/zz_generated.deepcopy.go (100%) rename generated/1.17/apis/supervisor/{virtual/oauth => clientsecret}/v1alpha1/zz_generated.defaults.go (100%) rename generated/{1.19/apis/supervisor/virtual/oauth => 1.17/apis/supervisor/clientsecret}/zz_generated.deepcopy.go (99%) rename generated/1.17/apis/supervisor/{oauth => config}/v1alpha1/types_oidcclient.go (100%) delete mode 100644 generated/1.17/apis/supervisor/oauth/v1alpha1/doc.go delete mode 100644 generated/1.17/apis/supervisor/oauth/v1alpha1/register.go delete mode 100644 generated/1.17/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go delete mode 100644 generated/1.17/apis/supervisor/virtual/oauth/doc.go delete mode 100644 generated/1.17/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.conversion.go rename 
generated/1.17/client/supervisor/{virtual/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go => clientset/versioned/typed/clientsecret/v1alpha1/clientsecret_client.go} (51%) rename generated/1.17/client/supervisor/clientset/versioned/typed/{oauth => clientsecret}/v1alpha1/doc.go (100%) rename generated/1.17/client/supervisor/clientset/versioned/typed/{oauth => clientsecret}/v1alpha1/fake/doc.go (100%) rename generated/1.17/client/supervisor/clientset/versioned/typed/{oauth/v1alpha1/fake/fake_oauth_client.go => clientsecret/v1alpha1/fake/fake_clientsecret_client.go} (60%) rename generated/1.17/client/supervisor/{virtual/clientset/versioned/typed/oauth => clientset/versioned/typed/clientsecret}/v1alpha1/fake/fake_oidcclientsecretrequest.go (77%) rename generated/1.17/client/supervisor/{virtual/clientset/versioned/typed/oauth => clientset/versioned/typed/clientsecret}/v1alpha1/generated_expansion.go (100%) rename generated/1.17/client/supervisor/{virtual/clientset/versioned/typed/oauth => clientset/versioned/typed/clientsecret}/v1alpha1/oidcclientsecretrequest.go (89%) rename generated/1.17/client/supervisor/clientset/versioned/typed/{oauth => config}/v1alpha1/fake/fake_oidcclient.go (92%) rename generated/1.17/client/supervisor/clientset/versioned/typed/{oauth => config}/v1alpha1/oidcclient.go (97%) delete mode 100644 generated/1.17/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go delete mode 100644 generated/1.17/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go rename generated/1.17/client/supervisor/informers/externalversions/{oauth => config}/v1alpha1/oidcclient.go (89%) delete mode 100644 generated/1.17/client/supervisor/informers/externalversions/oauth/interface.go delete mode 100644 generated/1.17/client/supervisor/informers/externalversions/oauth/v1alpha1/interface.go rename generated/{1.18/client/supervisor/listers/oauth => 1.17/client/supervisor/listers/config}/v1alpha1/oidcclient.go (97%) 
delete mode 100644 generated/1.17/client/supervisor/listers/oauth/v1alpha1/expansion_generated.go delete mode 100644 generated/1.17/client/supervisor/virtual/clientset/versioned/clientset.go delete mode 100644 generated/1.17/client/supervisor/virtual/clientset/versioned/doc.go delete mode 100644 generated/1.17/client/supervisor/virtual/clientset/versioned/fake/clientset_generated.go delete mode 100644 generated/1.17/client/supervisor/virtual/clientset/versioned/fake/doc.go delete mode 100644 generated/1.17/client/supervisor/virtual/clientset/versioned/fake/register.go delete mode 100644 generated/1.17/client/supervisor/virtual/clientset/versioned/scheme/doc.go delete mode 100644 generated/1.17/client/supervisor/virtual/clientset/versioned/scheme/register.go delete mode 100644 generated/1.17/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go rename generated/1.17/crds/{oauth.supervisor.pinniped.dev_oidcclients.yaml => config.supervisor.pinniped.dev_oidcclients.yaml} (98%) create mode 100644 generated/1.18/apis/supervisor/clientsecret/doc.go rename generated/{1.17/apis/supervisor/virtual/oauth => 1.18/apis/supervisor/clientsecret}/register.go (93%) rename generated/{1.20/apis/supervisor/virtual/oauth => 1.18/apis/supervisor/clientsecret}/types_oidcclientsecretrequest.go (97%) rename generated/1.18/apis/supervisor/{virtual/oauth => clientsecret}/v1alpha1/conversion.go (100%) rename generated/1.18/apis/supervisor/{virtual/oauth => clientsecret}/v1alpha1/defaults.go (100%) rename generated/1.18/apis/supervisor/{virtual/oauth => clientsecret}/v1alpha1/doc.go (64%) rename generated/1.18/apis/supervisor/{virtual/oauth => clientsecret}/v1alpha1/register.go (95%) rename generated/1.18/apis/supervisor/{virtual/oauth => clientsecret}/v1alpha1/types_oidcclientsecretrequest.go (100%) create mode 100644 generated/1.18/apis/supervisor/clientsecret/v1alpha1/zz_generated.conversion.go rename generated/1.18/apis/supervisor/{virtual/oauth => 
clientsecret}/v1alpha1/zz_generated.deepcopy.go (100%) rename generated/1.18/apis/supervisor/{virtual/oauth => clientsecret}/v1alpha1/zz_generated.defaults.go (100%) rename generated/{1.17/apis/supervisor/virtual/oauth => 1.18/apis/supervisor/clientsecret}/zz_generated.deepcopy.go (99%) rename generated/1.18/apis/supervisor/{oauth => config}/v1alpha1/types_oidcclient.go (100%) delete mode 100644 generated/1.18/apis/supervisor/oauth/v1alpha1/doc.go delete mode 100644 generated/1.18/apis/supervisor/oauth/v1alpha1/register.go delete mode 100644 generated/1.18/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go delete mode 100644 generated/1.18/apis/supervisor/virtual/oauth/doc.go delete mode 100644 generated/1.18/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.conversion.go rename generated/{1.19/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go => 1.18/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/clientsecret_client.go} (51%) rename generated/{1.17/client/supervisor/virtual/clientset/versioned/typed/oauth => 1.18/client/supervisor/clientset/versioned/typed/clientsecret}/v1alpha1/doc.go (100%) rename generated/{1.17/client/supervisor/virtual/clientset/versioned/typed/oauth => 1.18/client/supervisor/clientset/versioned/typed/clientsecret}/v1alpha1/fake/doc.go (100%) rename generated/1.18/client/supervisor/clientset/versioned/typed/{oauth/v1alpha1/fake/fake_oauth_client.go => clientsecret/v1alpha1/fake/fake_clientsecret_client.go} (60%) rename generated/1.18/client/supervisor/{virtual/clientset/versioned/typed/oauth => clientset/versioned/typed/clientsecret}/v1alpha1/fake/fake_oidcclientsecretrequest.go (79%) rename generated/1.18/client/supervisor/{virtual/clientset/versioned/typed/oauth => clientset/versioned/typed/clientsecret}/v1alpha1/generated_expansion.go (100%) rename generated/{1.19/client/supervisor/virtual/clientset/versioned/typed/oauth => 
1.18/client/supervisor/clientset/versioned/typed/clientsecret}/v1alpha1/oidcclientsecretrequest.go (86%) rename generated/{1.19/client/supervisor/clientset/versioned/typed/oauth => 1.18/client/supervisor/clientset/versioned/typed/config}/v1alpha1/fake/fake_oidcclient.go (92%) rename generated/1.18/client/supervisor/clientset/versioned/typed/{oauth => config}/v1alpha1/oidcclient.go (97%) delete mode 100644 generated/1.18/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go delete mode 100644 generated/1.18/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go rename generated/1.18/client/supervisor/informers/externalversions/{oauth => config}/v1alpha1/oidcclient.go (88%) delete mode 100644 generated/1.18/client/supervisor/informers/externalversions/oauth/interface.go delete mode 100644 generated/1.18/client/supervisor/informers/externalversions/oauth/v1alpha1/interface.go rename generated/{1.17/client/supervisor/listers/oauth => 1.18/client/supervisor/listers/config}/v1alpha1/oidcclient.go (97%) delete mode 100644 generated/1.18/client/supervisor/listers/oauth/v1alpha1/expansion_generated.go delete mode 100644 generated/1.18/client/supervisor/virtual/clientset/versioned/clientset.go delete mode 100644 generated/1.18/client/supervisor/virtual/clientset/versioned/doc.go delete mode 100644 generated/1.18/client/supervisor/virtual/clientset/versioned/fake/clientset_generated.go delete mode 100644 generated/1.18/client/supervisor/virtual/clientset/versioned/fake/doc.go delete mode 100644 generated/1.18/client/supervisor/virtual/clientset/versioned/fake/register.go delete mode 100644 generated/1.18/client/supervisor/virtual/clientset/versioned/scheme/doc.go delete mode 100644 generated/1.18/client/supervisor/virtual/clientset/versioned/scheme/register.go delete mode 100644 generated/1.18/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go rename 
generated/1.18/crds/{oauth.supervisor.pinniped.dev_oidcclients.yaml => config.supervisor.pinniped.dev_oidcclients.yaml} (98%) create mode 100644 generated/1.19/apis/supervisor/clientsecret/doc.go rename generated/1.19/apis/supervisor/{virtual/oauth => clientsecret}/register.go (93%) rename generated/{1.17/apis/supervisor/virtual/oauth => 1.19/apis/supervisor/clientsecret}/types_oidcclientsecretrequest.go (97%) rename generated/1.19/apis/supervisor/{virtual/oauth => clientsecret}/v1alpha1/conversion.go (100%) rename generated/1.19/apis/supervisor/{virtual/oauth => clientsecret}/v1alpha1/defaults.go (100%) rename generated/1.19/apis/supervisor/{virtual/oauth => clientsecret}/v1alpha1/doc.go (64%) rename generated/1.19/apis/supervisor/{virtual/oauth => clientsecret}/v1alpha1/register.go (95%) rename generated/1.19/apis/supervisor/{virtual/oauth => clientsecret}/v1alpha1/types_oidcclientsecretrequest.go (100%) create mode 100644 generated/1.19/apis/supervisor/clientsecret/v1alpha1/zz_generated.conversion.go rename generated/1.19/apis/supervisor/{virtual/oauth => clientsecret}/v1alpha1/zz_generated.deepcopy.go (100%) rename generated/1.19/apis/supervisor/{virtual/oauth => clientsecret}/v1alpha1/zz_generated.defaults.go (100%) rename generated/{1.20/apis/supervisor/virtual/oauth => 1.19/apis/supervisor/clientsecret}/zz_generated.deepcopy.go (99%) rename generated/1.19/apis/supervisor/{oauth => config}/v1alpha1/types_oidcclient.go (100%) delete mode 100644 generated/1.19/apis/supervisor/oauth/v1alpha1/doc.go delete mode 100644 generated/1.19/apis/supervisor/oauth/v1alpha1/register.go delete mode 100644 generated/1.19/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go delete mode 100644 generated/1.19/apis/supervisor/virtual/oauth/doc.go delete mode 100644 generated/1.19/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.conversion.go rename generated/{1.20/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go => 
1.19/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/clientsecret_client.go} (51%) rename generated/{1.18/client/supervisor/clientset/versioned/typed/oauth => 1.19/client/supervisor/clientset/versioned/typed/clientsecret}/v1alpha1/doc.go (100%) rename generated/{1.18/client/supervisor/clientset/versioned/typed/oauth => 1.19/client/supervisor/clientset/versioned/typed/clientsecret}/v1alpha1/fake/doc.go (100%) rename generated/1.19/client/supervisor/clientset/versioned/typed/{oauth/v1alpha1/fake/fake_oauth_client.go => clientsecret/v1alpha1/fake/fake_clientsecret_client.go} (60%) rename generated/{1.21/client/supervisor/virtual/clientset/versioned/typed/oauth => 1.19/client/supervisor/clientset/versioned/typed/clientsecret}/v1alpha1/fake/fake_oidcclientsecretrequest.go (79%) rename generated/1.19/client/supervisor/{virtual/clientset/versioned/typed/oauth => clientset/versioned/typed/clientsecret}/v1alpha1/generated_expansion.go (100%) rename generated/{1.18/client/supervisor/virtual/clientset/versioned/typed/oauth => 1.19/client/supervisor/clientset/versioned/typed/clientsecret}/v1alpha1/oidcclientsecretrequest.go (86%) rename generated/{1.18/client/supervisor/clientset/versioned/typed/oauth => 1.19/client/supervisor/clientset/versioned/typed/config}/v1alpha1/fake/fake_oidcclient.go (92%) rename generated/1.19/client/supervisor/clientset/versioned/typed/{oauth => config}/v1alpha1/oidcclient.go (97%) delete mode 100644 generated/1.19/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go delete mode 100644 generated/1.19/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go rename generated/1.19/client/supervisor/informers/externalversions/{oauth => config}/v1alpha1/oidcclient.go (88%) delete mode 100644 generated/1.19/client/supervisor/informers/externalversions/oauth/interface.go delete mode 100644 generated/1.19/client/supervisor/informers/externalversions/oauth/v1alpha1/interface.go rename 
generated/{1.21/client/supervisor/listers/oauth => 1.19/client/supervisor/listers/config}/v1alpha1/oidcclient.go (97%) delete mode 100644 generated/1.19/client/supervisor/listers/oauth/v1alpha1/expansion_generated.go delete mode 100644 generated/1.19/client/supervisor/virtual/clientset/versioned/clientset.go delete mode 100644 generated/1.19/client/supervisor/virtual/clientset/versioned/doc.go delete mode 100644 generated/1.19/client/supervisor/virtual/clientset/versioned/fake/clientset_generated.go delete mode 100644 generated/1.19/client/supervisor/virtual/clientset/versioned/fake/doc.go delete mode 100644 generated/1.19/client/supervisor/virtual/clientset/versioned/fake/register.go delete mode 100644 generated/1.19/client/supervisor/virtual/clientset/versioned/scheme/doc.go delete mode 100644 generated/1.19/client/supervisor/virtual/clientset/versioned/scheme/register.go delete mode 100644 generated/1.19/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go rename generated/1.19/crds/{oauth.supervisor.pinniped.dev_oidcclients.yaml => config.supervisor.pinniped.dev_oidcclients.yaml} (98%) create mode 100644 generated/1.20/apis/supervisor/clientsecret/doc.go rename generated/1.20/apis/supervisor/{virtual/oauth => clientsecret}/register.go (93%) rename generated/{1.18/apis/supervisor/virtual/oauth => 1.20/apis/supervisor/clientsecret}/types_oidcclientsecretrequest.go (97%) rename generated/1.20/apis/supervisor/{virtual/oauth => clientsecret}/v1alpha1/conversion.go (100%) rename generated/1.20/apis/supervisor/{virtual/oauth => clientsecret}/v1alpha1/defaults.go (100%) rename generated/1.20/apis/supervisor/{virtual/oauth => clientsecret}/v1alpha1/doc.go (64%) rename generated/{1.17/apis/supervisor/virtual/oauth => 1.20/apis/supervisor/clientsecret}/v1alpha1/register.go (95%) rename generated/1.20/apis/supervisor/{virtual/oauth => clientsecret}/v1alpha1/types_oidcclientsecretrequest.go (100%) create mode 100644 
generated/1.20/apis/supervisor/clientsecret/v1alpha1/zz_generated.conversion.go rename generated/1.20/apis/supervisor/{virtual/oauth => clientsecret}/v1alpha1/zz_generated.deepcopy.go (100%) rename generated/1.20/apis/supervisor/{virtual/oauth => clientsecret}/v1alpha1/zz_generated.defaults.go (100%) rename generated/{1.18/apis/supervisor/virtual/oauth => 1.20/apis/supervisor/clientsecret}/zz_generated.deepcopy.go (99%) rename generated/1.20/apis/supervisor/{oauth => config}/v1alpha1/types_oidcclient.go (100%) delete mode 100644 generated/1.20/apis/supervisor/oauth/v1alpha1/doc.go delete mode 100644 generated/1.20/apis/supervisor/oauth/v1alpha1/register.go delete mode 100644 generated/1.20/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go delete mode 100644 generated/1.20/apis/supervisor/virtual/oauth/doc.go delete mode 100644 generated/1.20/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.conversion.go rename generated/{1.18/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go => 1.20/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/clientsecret_client.go} (51%) rename generated/{1.18/client/supervisor/virtual/clientset/versioned/typed/oauth => 1.20/client/supervisor/clientset/versioned/typed/clientsecret}/v1alpha1/doc.go (100%) rename generated/{1.18/client/supervisor/virtual/clientset/versioned/typed/oauth => 1.20/client/supervisor/clientset/versioned/typed/clientsecret}/v1alpha1/fake/doc.go (100%) rename generated/1.20/client/supervisor/clientset/versioned/typed/{oauth/v1alpha1/fake/fake_oauth_client.go => clientsecret/v1alpha1/fake/fake_clientsecret_client.go} (60%) rename generated/1.20/client/supervisor/{virtual/clientset/versioned/typed/oauth => clientset/versioned/typed/clientsecret}/v1alpha1/fake/fake_oidcclientsecretrequest.go (79%) rename generated/1.20/client/supervisor/{virtual/clientset/versioned/typed/oauth => clientset/versioned/typed/clientsecret}/v1alpha1/generated_expansion.go (100%) rename 
generated/1.20/client/supervisor/{virtual/clientset/versioned/typed/oauth => clientset/versioned/typed/clientsecret}/v1alpha1/oidcclientsecretrequest.go (86%) rename generated/{1.21/client/supervisor/clientset/versioned/typed/oauth => 1.20/client/supervisor/clientset/versioned/typed/config}/v1alpha1/fake/fake_oidcclient.go (92%) rename generated/1.20/client/supervisor/clientset/versioned/typed/{oauth => config}/v1alpha1/oidcclient.go (97%) delete mode 100644 generated/1.20/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go delete mode 100644 generated/1.20/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go rename generated/1.20/client/supervisor/informers/externalversions/{oauth => config}/v1alpha1/oidcclient.go (88%) delete mode 100644 generated/1.20/client/supervisor/informers/externalversions/oauth/interface.go delete mode 100644 generated/1.20/client/supervisor/informers/externalversions/oauth/v1alpha1/interface.go rename generated/{1.22/client/supervisor/listers/oauth => 1.20/client/supervisor/listers/config}/v1alpha1/oidcclient.go (97%) delete mode 100644 generated/1.20/client/supervisor/listers/oauth/v1alpha1/expansion_generated.go delete mode 100644 generated/1.20/client/supervisor/virtual/clientset/versioned/clientset.go delete mode 100644 generated/1.20/client/supervisor/virtual/clientset/versioned/doc.go delete mode 100644 generated/1.20/client/supervisor/virtual/clientset/versioned/fake/clientset_generated.go delete mode 100644 generated/1.20/client/supervisor/virtual/clientset/versioned/fake/doc.go delete mode 100644 generated/1.20/client/supervisor/virtual/clientset/versioned/fake/register.go delete mode 100644 generated/1.20/client/supervisor/virtual/clientset/versioned/scheme/doc.go delete mode 100644 generated/1.20/client/supervisor/virtual/clientset/versioned/scheme/register.go delete mode 100644 
generated/1.20/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go create mode 100644 generated/1.20/crds/config.supervisor.pinniped.dev_oidcclients.yaml delete mode 100644 generated/1.20/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml create mode 100644 generated/1.21/apis/supervisor/clientsecret/doc.go create mode 100644 generated/1.21/apis/supervisor/clientsecret/register.go create mode 100644 generated/1.21/apis/supervisor/clientsecret/types_oidcclientsecretrequest.go rename generated/1.21/apis/supervisor/{virtual/oauth => clientsecret}/v1alpha1/conversion.go (100%) rename generated/1.21/apis/supervisor/{virtual/oauth => clientsecret}/v1alpha1/defaults.go (100%) rename generated/1.21/apis/supervisor/{virtual/oauth => clientsecret}/v1alpha1/doc.go (64%) create mode 100644 generated/1.21/apis/supervisor/clientsecret/v1alpha1/register.go rename generated/1.21/apis/supervisor/{virtual/oauth => clientsecret}/v1alpha1/types_oidcclientsecretrequest.go (100%) create mode 100644 generated/1.21/apis/supervisor/clientsecret/v1alpha1/zz_generated.conversion.go rename generated/1.21/apis/supervisor/{virtual/oauth => clientsecret}/v1alpha1/zz_generated.deepcopy.go (100%) rename generated/1.21/apis/supervisor/{virtual/oauth => clientsecret}/v1alpha1/zz_generated.defaults.go (100%) create mode 100644 generated/1.21/apis/supervisor/clientsecret/zz_generated.deepcopy.go rename generated/1.21/apis/supervisor/{oauth => config}/v1alpha1/types_oidcclient.go (100%) delete mode 100644 generated/1.21/apis/supervisor/oauth/v1alpha1/doc.go delete mode 100644 generated/1.21/apis/supervisor/oauth/v1alpha1/register.go delete mode 100644 generated/1.21/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go delete mode 100644 generated/1.21/apis/supervisor/virtual/oauth/doc.go delete mode 100644 generated/1.21/apis/supervisor/virtual/oauth/register.go delete mode 100644 generated/1.21/apis/supervisor/virtual/oauth/types_oidcclientsecretrequest.go 
delete mode 100644 generated/1.21/apis/supervisor/virtual/oauth/v1alpha1/register.go delete mode 100644 generated/1.21/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.conversion.go delete mode 100644 generated/1.21/apis/supervisor/virtual/oauth/zz_generated.deepcopy.go create mode 100644 generated/1.21/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/clientsecret_client.go rename generated/{1.19/client/supervisor/clientset/versioned/typed/oauth => 1.21/client/supervisor/clientset/versioned/typed/clientsecret}/v1alpha1/doc.go (100%) rename generated/{1.19/client/supervisor/clientset/versioned/typed/oauth => 1.21/client/supervisor/clientset/versioned/typed/clientsecret}/v1alpha1/fake/doc.go (100%) rename generated/1.21/client/supervisor/clientset/versioned/typed/{oauth/v1alpha1/fake/fake_oauth_client.go => clientsecret/v1alpha1/fake/fake_clientsecret_client.go} (60%) rename generated/{1.19/client/supervisor/virtual/clientset/versioned/typed/oauth => 1.21/client/supervisor/clientset/versioned/typed/clientsecret}/v1alpha1/fake/fake_oidcclientsecretrequest.go (79%) rename generated/1.21/client/supervisor/{virtual/clientset/versioned/typed/oauth => clientset/versioned/typed/clientsecret}/v1alpha1/generated_expansion.go (100%) rename generated/1.21/client/supervisor/{virtual/clientset/versioned/typed/oauth => clientset/versioned/typed/clientsecret}/v1alpha1/oidcclientsecretrequest.go (86%) rename generated/{1.20/client/supervisor/clientset/versioned/typed/oauth => 1.21/client/supervisor/clientset/versioned/typed/config}/v1alpha1/fake/fake_oidcclient.go (92%) rename generated/1.21/client/supervisor/clientset/versioned/typed/{oauth => config}/v1alpha1/oidcclient.go (97%) delete mode 100644 generated/1.21/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go delete mode 100644 generated/1.21/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go rename 
generated/1.21/client/supervisor/informers/externalversions/{oauth => config}/v1alpha1/oidcclient.go (88%) delete mode 100644 generated/1.21/client/supervisor/informers/externalversions/oauth/interface.go delete mode 100644 generated/1.21/client/supervisor/informers/externalversions/oauth/v1alpha1/interface.go rename generated/{1.19/client/supervisor/listers/oauth => 1.21/client/supervisor/listers/config}/v1alpha1/oidcclient.go (97%) delete mode 100644 generated/1.21/client/supervisor/listers/oauth/v1alpha1/expansion_generated.go delete mode 100644 generated/1.21/client/supervisor/virtual/clientset/versioned/clientset.go delete mode 100644 generated/1.21/client/supervisor/virtual/clientset/versioned/doc.go delete mode 100644 generated/1.21/client/supervisor/virtual/clientset/versioned/fake/clientset_generated.go delete mode 100644 generated/1.21/client/supervisor/virtual/clientset/versioned/fake/doc.go delete mode 100644 generated/1.21/client/supervisor/virtual/clientset/versioned/fake/register.go delete mode 100644 generated/1.21/client/supervisor/virtual/clientset/versioned/scheme/doc.go delete mode 100644 generated/1.21/client/supervisor/virtual/clientset/versioned/scheme/register.go delete mode 100644 generated/1.21/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/doc.go delete mode 100644 generated/1.21/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go delete mode 100644 generated/1.21/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go delete mode 100644 generated/1.21/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go create mode 100644 generated/1.21/crds/config.supervisor.pinniped.dev_oidcclients.yaml delete mode 100644 generated/1.21/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml create mode 100644 generated/1.22/apis/supervisor/clientsecret/doc.go create mode 100644 generated/1.22/apis/supervisor/clientsecret/register.go create 
mode 100644 generated/1.22/apis/supervisor/clientsecret/types_oidcclientsecretrequest.go rename generated/1.22/apis/supervisor/{virtual/oauth => clientsecret}/v1alpha1/conversion.go (100%) rename generated/1.22/apis/supervisor/{virtual/oauth => clientsecret}/v1alpha1/defaults.go (100%) rename generated/1.22/apis/supervisor/{virtual/oauth => clientsecret}/v1alpha1/doc.go (64%) create mode 100644 generated/1.22/apis/supervisor/clientsecret/v1alpha1/register.go rename generated/1.22/apis/supervisor/{virtual/oauth => clientsecret}/v1alpha1/types_oidcclientsecretrequest.go (100%) create mode 100644 generated/1.22/apis/supervisor/clientsecret/v1alpha1/zz_generated.conversion.go rename generated/1.22/apis/supervisor/{virtual/oauth => clientsecret}/v1alpha1/zz_generated.deepcopy.go (100%) rename generated/1.22/apis/supervisor/{virtual/oauth => clientsecret}/v1alpha1/zz_generated.defaults.go (100%) create mode 100644 generated/1.22/apis/supervisor/clientsecret/zz_generated.deepcopy.go rename generated/1.22/apis/supervisor/{oauth => config}/v1alpha1/types_oidcclient.go (100%) delete mode 100644 generated/1.22/apis/supervisor/oauth/v1alpha1/doc.go delete mode 100644 generated/1.22/apis/supervisor/oauth/v1alpha1/register.go delete mode 100644 generated/1.22/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go delete mode 100644 generated/1.22/apis/supervisor/virtual/oauth/doc.go delete mode 100644 generated/1.22/apis/supervisor/virtual/oauth/register.go delete mode 100644 generated/1.22/apis/supervisor/virtual/oauth/types_oidcclientsecretrequest.go delete mode 100644 generated/1.22/apis/supervisor/virtual/oauth/v1alpha1/register.go delete mode 100644 generated/1.22/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.conversion.go delete mode 100644 generated/1.22/apis/supervisor/virtual/oauth/zz_generated.deepcopy.go create mode 100644 generated/1.22/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/clientsecret_client.go rename 
generated/{1.19/client/supervisor/virtual/clientset/versioned/typed/oauth => 1.22/client/supervisor/clientset/versioned/typed/clientsecret}/v1alpha1/doc.go (100%) rename generated/{1.19/client/supervisor/virtual/clientset/versioned/typed/oauth => 1.22/client/supervisor/clientset/versioned/typed/clientsecret}/v1alpha1/fake/doc.go (100%) rename generated/1.22/client/supervisor/clientset/versioned/typed/{oauth/v1alpha1/fake/fake_oauth_client.go => clientsecret/v1alpha1/fake/fake_clientsecret_client.go} (60%) create mode 100644 generated/1.22/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/fake/fake_oidcclientsecretrequest.go rename generated/1.22/client/supervisor/{virtual/clientset/versioned/typed/oauth => clientset/versioned/typed/clientsecret}/v1alpha1/generated_expansion.go (100%) create mode 100644 generated/1.22/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/oidcclientsecretrequest.go create mode 100644 generated/1.22/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake/fake_oidcclient.go rename generated/1.22/client/supervisor/clientset/versioned/typed/{oauth => config}/v1alpha1/oidcclient.go (97%) delete mode 100644 generated/1.22/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/doc.go delete mode 100644 generated/1.22/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go delete mode 100644 generated/1.22/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oidcclient.go delete mode 100644 generated/1.22/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go delete mode 100644 generated/1.22/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go rename generated/1.22/client/supervisor/informers/externalversions/{oauth => config}/v1alpha1/oidcclient.go (88%) delete mode 100644 generated/1.22/client/supervisor/informers/externalversions/oauth/interface.go delete mode 100644 
generated/1.22/client/supervisor/informers/externalversions/oauth/v1alpha1/interface.go rename generated/{1.20/client/supervisor/listers/oauth => 1.22/client/supervisor/listers/config}/v1alpha1/oidcclient.go (97%) delete mode 100644 generated/1.22/client/supervisor/listers/oauth/v1alpha1/expansion_generated.go delete mode 100644 generated/1.22/client/supervisor/virtual/clientset/versioned/clientset.go delete mode 100644 generated/1.22/client/supervisor/virtual/clientset/versioned/doc.go delete mode 100644 generated/1.22/client/supervisor/virtual/clientset/versioned/fake/clientset_generated.go delete mode 100644 generated/1.22/client/supervisor/virtual/clientset/versioned/fake/doc.go delete mode 100644 generated/1.22/client/supervisor/virtual/clientset/versioned/fake/register.go delete mode 100644 generated/1.22/client/supervisor/virtual/clientset/versioned/scheme/doc.go delete mode 100644 generated/1.22/client/supervisor/virtual/clientset/versioned/scheme/register.go delete mode 100644 generated/1.22/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/doc.go delete mode 100644 generated/1.22/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go delete mode 100644 generated/1.22/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go delete mode 100644 generated/1.22/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oidcclientsecretrequest.go delete mode 100644 generated/1.22/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go delete mode 100644 generated/1.22/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/oidcclientsecretrequest.go create mode 100644 generated/1.22/crds/config.supervisor.pinniped.dev_oidcclients.yaml delete mode 100644 generated/1.22/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml create mode 100644 generated/1.23/apis/supervisor/clientsecret/doc.go create mode 100644 
generated/1.23/apis/supervisor/clientsecret/register.go create mode 100644 generated/1.23/apis/supervisor/clientsecret/types_oidcclientsecretrequest.go rename generated/1.23/apis/supervisor/{virtual/oauth => clientsecret}/v1alpha1/conversion.go (100%) rename generated/1.23/apis/supervisor/{virtual/oauth => clientsecret}/v1alpha1/defaults.go (100%) rename generated/1.23/apis/supervisor/{virtual/oauth => clientsecret}/v1alpha1/doc.go (64%) create mode 100644 generated/1.23/apis/supervisor/clientsecret/v1alpha1/register.go rename generated/1.23/apis/supervisor/{virtual/oauth => clientsecret}/v1alpha1/types_oidcclientsecretrequest.go (100%) create mode 100644 generated/1.23/apis/supervisor/clientsecret/v1alpha1/zz_generated.conversion.go rename generated/1.23/apis/supervisor/{virtual/oauth => clientsecret}/v1alpha1/zz_generated.deepcopy.go (100%) rename generated/1.23/apis/supervisor/{virtual/oauth => clientsecret}/v1alpha1/zz_generated.defaults.go (100%) create mode 100644 generated/1.23/apis/supervisor/clientsecret/zz_generated.deepcopy.go rename generated/1.23/apis/supervisor/{oauth => config}/v1alpha1/types_oidcclient.go (100%) delete mode 100644 generated/1.23/apis/supervisor/oauth/v1alpha1/doc.go delete mode 100644 generated/1.23/apis/supervisor/oauth/v1alpha1/register.go delete mode 100644 generated/1.23/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go delete mode 100644 generated/1.23/apis/supervisor/virtual/oauth/doc.go delete mode 100644 generated/1.23/apis/supervisor/virtual/oauth/register.go delete mode 100644 generated/1.23/apis/supervisor/virtual/oauth/types_oidcclientsecretrequest.go delete mode 100644 generated/1.23/apis/supervisor/virtual/oauth/v1alpha1/register.go delete mode 100644 generated/1.23/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.conversion.go delete mode 100644 generated/1.23/apis/supervisor/virtual/oauth/zz_generated.deepcopy.go rename 
generated/1.23/client/supervisor/{virtual/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go => clientset/versioned/typed/clientsecret/v1alpha1/clientsecret_client.go} (55%) rename generated/{1.20/client/supervisor/clientset/versioned/typed/oauth => 1.23/client/supervisor/clientset/versioned/typed/clientsecret}/v1alpha1/doc.go (100%) rename generated/{1.20/client/supervisor/clientset/versioned/typed/oauth => 1.23/client/supervisor/clientset/versioned/typed/clientsecret}/v1alpha1/fake/doc.go (100%) rename generated/1.23/client/supervisor/clientset/versioned/typed/{oauth/v1alpha1/fake/fake_oauth_client.go => clientsecret/v1alpha1/fake/fake_clientsecret_client.go} (60%) create mode 100644 generated/1.23/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/fake/fake_oidcclientsecretrequest.go rename generated/1.23/client/supervisor/{virtual/clientset/versioned/typed/oauth => clientset/versioned/typed/clientsecret}/v1alpha1/generated_expansion.go (100%) create mode 100644 generated/1.23/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/oidcclientsecretrequest.go rename generated/1.23/client/supervisor/clientset/versioned/typed/{oauth => config}/v1alpha1/fake/fake_oidcclient.go (92%) rename generated/1.23/client/supervisor/clientset/versioned/typed/{oauth => config}/v1alpha1/oidcclient.go (97%) delete mode 100644 generated/1.23/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/doc.go delete mode 100644 generated/1.23/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go delete mode 100644 generated/1.23/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go delete mode 100644 generated/1.23/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go rename generated/1.23/client/supervisor/informers/externalversions/{oauth => config}/v1alpha1/oidcclient.go (88%) delete mode 100644 generated/1.23/client/supervisor/informers/externalversions/oauth/interface.go delete mode 
100644 generated/1.23/client/supervisor/informers/externalversions/oauth/v1alpha1/interface.go create mode 100644 generated/1.23/client/supervisor/listers/config/v1alpha1/oidcclient.go delete mode 100644 generated/1.23/client/supervisor/listers/oauth/v1alpha1/expansion_generated.go delete mode 100644 generated/1.23/client/supervisor/listers/oauth/v1alpha1/oidcclient.go delete mode 100644 generated/1.23/client/supervisor/virtual/clientset/versioned/clientset.go delete mode 100644 generated/1.23/client/supervisor/virtual/clientset/versioned/doc.go delete mode 100644 generated/1.23/client/supervisor/virtual/clientset/versioned/fake/clientset_generated.go delete mode 100644 generated/1.23/client/supervisor/virtual/clientset/versioned/fake/doc.go delete mode 100644 generated/1.23/client/supervisor/virtual/clientset/versioned/fake/register.go delete mode 100644 generated/1.23/client/supervisor/virtual/clientset/versioned/scheme/doc.go delete mode 100644 generated/1.23/client/supervisor/virtual/clientset/versioned/scheme/register.go delete mode 100644 generated/1.23/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/doc.go delete mode 100644 generated/1.23/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go delete mode 100644 generated/1.23/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go delete mode 100644 generated/1.23/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oidcclientsecretrequest.go delete mode 100644 generated/1.23/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/oidcclientsecretrequest.go create mode 100644 generated/1.23/crds/config.supervisor.pinniped.dev_oidcclients.yaml delete mode 100644 generated/1.23/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml create mode 100644 generated/1.24/apis/supervisor/clientsecret/doc.go create mode 100644 generated/1.24/apis/supervisor/clientsecret/register.go create mode 100644 
generated/1.24/apis/supervisor/clientsecret/types_oidcclientsecretrequest.go rename generated/1.24/apis/supervisor/{virtual/oauth => clientsecret}/v1alpha1/conversion.go (100%) rename generated/1.24/apis/supervisor/{virtual/oauth => clientsecret}/v1alpha1/defaults.go (100%) rename generated/1.24/apis/supervisor/{virtual/oauth => clientsecret}/v1alpha1/doc.go (64%) create mode 100644 generated/1.24/apis/supervisor/clientsecret/v1alpha1/register.go rename generated/1.24/apis/supervisor/{virtual/oauth => clientsecret}/v1alpha1/types_oidcclientsecretrequest.go (100%) create mode 100644 generated/1.24/apis/supervisor/clientsecret/v1alpha1/zz_generated.conversion.go rename generated/1.24/apis/supervisor/{virtual/oauth => clientsecret}/v1alpha1/zz_generated.deepcopy.go (100%) rename generated/1.24/apis/supervisor/{virtual/oauth => clientsecret}/v1alpha1/zz_generated.defaults.go (100%) create mode 100644 generated/1.24/apis/supervisor/clientsecret/zz_generated.deepcopy.go rename generated/1.24/apis/supervisor/{oauth => config}/v1alpha1/types_oidcclient.go (100%) delete mode 100644 generated/1.24/apis/supervisor/oauth/v1alpha1/doc.go delete mode 100644 generated/1.24/apis/supervisor/oauth/v1alpha1/register.go delete mode 100644 generated/1.24/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go delete mode 100644 generated/1.24/apis/supervisor/virtual/oauth/doc.go delete mode 100644 generated/1.24/apis/supervisor/virtual/oauth/register.go delete mode 100644 generated/1.24/apis/supervisor/virtual/oauth/types_oidcclientsecretrequest.go delete mode 100644 generated/1.24/apis/supervisor/virtual/oauth/v1alpha1/register.go delete mode 100644 generated/1.24/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.conversion.go delete mode 100644 generated/1.24/apis/supervisor/virtual/oauth/zz_generated.deepcopy.go rename generated/{latest/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go => 
1.24/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/clientsecret_client.go} (55%) rename generated/{1.20/client/supervisor/virtual/clientset/versioned/typed/oauth => 1.24/client/supervisor/clientset/versioned/typed/clientsecret}/v1alpha1/doc.go (100%) rename generated/{1.20/client/supervisor/virtual/clientset/versioned/typed/oauth => 1.24/client/supervisor/clientset/versioned/typed/clientsecret}/v1alpha1/fake/doc.go (100%) rename generated/1.24/client/supervisor/clientset/versioned/typed/{oauth/v1alpha1/fake/fake_oauth_client.go => clientsecret/v1alpha1/fake/fake_clientsecret_client.go} (60%) create mode 100644 generated/1.24/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/fake/fake_oidcclientsecretrequest.go rename generated/1.24/client/supervisor/{virtual/clientset/versioned/typed/oauth => clientset/versioned/typed/clientsecret}/v1alpha1/generated_expansion.go (100%) create mode 100644 generated/1.24/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/oidcclientsecretrequest.go rename generated/1.24/client/supervisor/clientset/versioned/typed/{oauth => config}/v1alpha1/fake/fake_oidcclient.go (92%) rename generated/1.24/client/supervisor/clientset/versioned/typed/{oauth => config}/v1alpha1/oidcclient.go (97%) delete mode 100644 generated/1.24/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/doc.go delete mode 100644 generated/1.24/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go delete mode 100644 generated/1.24/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go delete mode 100644 generated/1.24/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go rename generated/1.24/client/supervisor/informers/externalversions/{oauth => config}/v1alpha1/oidcclient.go (88%) delete mode 100644 generated/1.24/client/supervisor/informers/externalversions/oauth/interface.go delete mode 100644 
generated/1.24/client/supervisor/informers/externalversions/oauth/v1alpha1/interface.go create mode 100644 generated/1.24/client/supervisor/listers/config/v1alpha1/oidcclient.go delete mode 100644 generated/1.24/client/supervisor/listers/oauth/v1alpha1/expansion_generated.go delete mode 100644 generated/1.24/client/supervisor/listers/oauth/v1alpha1/oidcclient.go delete mode 100644 generated/1.24/client/supervisor/virtual/clientset/versioned/clientset.go delete mode 100644 generated/1.24/client/supervisor/virtual/clientset/versioned/doc.go delete mode 100644 generated/1.24/client/supervisor/virtual/clientset/versioned/fake/clientset_generated.go delete mode 100644 generated/1.24/client/supervisor/virtual/clientset/versioned/fake/doc.go delete mode 100644 generated/1.24/client/supervisor/virtual/clientset/versioned/fake/register.go delete mode 100644 generated/1.24/client/supervisor/virtual/clientset/versioned/scheme/doc.go delete mode 100644 generated/1.24/client/supervisor/virtual/clientset/versioned/scheme/register.go delete mode 100644 generated/1.24/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/doc.go delete mode 100644 generated/1.24/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go delete mode 100644 generated/1.24/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go delete mode 100644 generated/1.24/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oidcclientsecretrequest.go delete mode 100644 generated/1.24/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/oidcclientsecretrequest.go create mode 100644 generated/1.24/crds/config.supervisor.pinniped.dev_oidcclients.yaml delete mode 100644 generated/1.24/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml create mode 100644 generated/latest/apis/supervisor/clientsecret/doc.go create mode 100644 generated/latest/apis/supervisor/clientsecret/register.go create mode 100644 
generated/latest/apis/supervisor/clientsecret/types_oidcclientsecretrequest.go rename generated/latest/apis/supervisor/{virtual/oauth => clientsecret}/v1alpha1/conversion.go (100%) rename generated/latest/apis/supervisor/{virtual/oauth => clientsecret}/v1alpha1/defaults.go (100%) rename generated/latest/apis/supervisor/{virtual/oauth => clientsecret}/v1alpha1/doc.go (64%) create mode 100644 generated/latest/apis/supervisor/clientsecret/v1alpha1/register.go rename generated/latest/apis/supervisor/{virtual/oauth => clientsecret}/v1alpha1/types_oidcclientsecretrequest.go (100%) create mode 100644 generated/latest/apis/supervisor/clientsecret/v1alpha1/zz_generated.conversion.go rename generated/latest/apis/supervisor/{virtual/oauth => clientsecret}/v1alpha1/zz_generated.deepcopy.go (100%) rename generated/latest/apis/supervisor/{virtual/oauth => clientsecret}/v1alpha1/zz_generated.defaults.go (100%) create mode 100644 generated/latest/apis/supervisor/clientsecret/zz_generated.deepcopy.go rename generated/latest/apis/supervisor/{oauth => config}/v1alpha1/types_oidcclient.go (100%) delete mode 100644 generated/latest/apis/supervisor/oauth/v1alpha1/doc.go delete mode 100644 generated/latest/apis/supervisor/oauth/v1alpha1/register.go delete mode 100644 generated/latest/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go delete mode 100644 generated/latest/apis/supervisor/virtual/oauth/doc.go delete mode 100644 generated/latest/apis/supervisor/virtual/oauth/register.go delete mode 100644 generated/latest/apis/supervisor/virtual/oauth/types_oidcclientsecretrequest.go delete mode 100644 generated/latest/apis/supervisor/virtual/oauth/v1alpha1/register.go delete mode 100644 generated/latest/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.conversion.go delete mode 100644 generated/latest/apis/supervisor/virtual/oauth/zz_generated.deepcopy.go rename generated/{1.24/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go => 
latest/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/clientsecret_client.go} (55%) rename generated/{1.21/client/supervisor/clientset/versioned/typed/oauth => latest/client/supervisor/clientset/versioned/typed/clientsecret}/v1alpha1/doc.go (100%) rename generated/{1.21/client/supervisor/clientset/versioned/typed/oauth => latest/client/supervisor/clientset/versioned/typed/clientsecret}/v1alpha1/fake/doc.go (100%) rename generated/latest/client/supervisor/clientset/versioned/typed/{oauth/v1alpha1/fake/fake_oauth_client.go => clientsecret/v1alpha1/fake/fake_clientsecret_client.go} (60%) create mode 100644 generated/latest/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/fake/fake_oidcclientsecretrequest.go rename generated/latest/client/supervisor/{virtual/clientset/versioned/typed/oauth => clientset/versioned/typed/clientsecret}/v1alpha1/generated_expansion.go (100%) create mode 100644 generated/latest/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/oidcclientsecretrequest.go rename generated/latest/client/supervisor/clientset/versioned/typed/{oauth => config}/v1alpha1/fake/fake_oidcclient.go (92%) rename generated/latest/client/supervisor/clientset/versioned/typed/{oauth => config}/v1alpha1/oidcclient.go (97%) delete mode 100644 generated/latest/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/doc.go delete mode 100644 generated/latest/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go delete mode 100644 generated/latest/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go delete mode 100644 generated/latest/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go rename generated/latest/client/supervisor/informers/externalversions/{oauth => config}/v1alpha1/oidcclient.go (88%) delete mode 100644 generated/latest/client/supervisor/informers/externalversions/oauth/interface.go delete mode 100644 
generated/latest/client/supervisor/informers/externalversions/oauth/v1alpha1/interface.go create mode 100644 generated/latest/client/supervisor/listers/config/v1alpha1/oidcclient.go delete mode 100644 generated/latest/client/supervisor/listers/oauth/v1alpha1/expansion_generated.go delete mode 100644 generated/latest/client/supervisor/listers/oauth/v1alpha1/oidcclient.go delete mode 100644 generated/latest/client/supervisor/virtual/clientset/versioned/clientset.go delete mode 100644 generated/latest/client/supervisor/virtual/clientset/versioned/doc.go delete mode 100644 generated/latest/client/supervisor/virtual/clientset/versioned/fake/clientset_generated.go delete mode 100644 generated/latest/client/supervisor/virtual/clientset/versioned/fake/doc.go delete mode 100644 generated/latest/client/supervisor/virtual/clientset/versioned/fake/register.go delete mode 100644 generated/latest/client/supervisor/virtual/clientset/versioned/scheme/doc.go delete mode 100644 generated/latest/client/supervisor/virtual/clientset/versioned/scheme/register.go delete mode 100644 generated/latest/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/doc.go delete mode 100644 generated/latest/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go delete mode 100644 generated/latest/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go delete mode 100644 generated/latest/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oidcclientsecretrequest.go delete mode 100644 generated/latest/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/oidcclientsecretrequest.go
diff --git a/apis/supervisor/clientsecret/doc.go.tmpl b/apis/supervisor/clientsecret/doc.go.tmpl
new file mode 100644
index 00000000..c536bc75
--- /dev/null
+++ b/apis/supervisor/clientsecret/doc.go.tmpl
@@ -0,0 +1,8 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// +k8s:deepcopy-gen=package
+// +groupName=clientsecret.supervisor.pinniped.dev
+
+// Package clientsecret is the internal version of the Pinniped client secret API.
+package clientsecret
diff --git a/apis/supervisor/virtual/oauth/register.go.tmpl b/apis/supervisor/clientsecret/register.go.tmpl
similarity index 93%
rename from apis/supervisor/virtual/oauth/register.go.tmpl
rename to apis/supervisor/clientsecret/register.go.tmpl
index a238d85f..4a1c0173 100644
--- a/apis/supervisor/virtual/oauth/register.go.tmpl
+++ b/apis/supervisor/clientsecret/register.go.tmpl
@@ -1,14 +1,14 @@
 // Copyright 2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
-package oauth
+package clientsecret
 
 import (
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/runtime/schema"
 )
 
-const GroupName = "oauth.virtual.supervisor.pinniped.dev"
+const GroupName = "clientsecret.supervisor.pinniped.dev"
 
 // SchemeGroupVersion is group version used to register these objects.
 var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: runtime.APIVersionInternal}
diff --git a/apis/supervisor/virtual/oauth/types_oidcclientsecretrequest.go.tmpl b/apis/supervisor/clientsecret/types_oidcclientsecretrequest.go.tmpl
similarity index 97%
rename from apis/supervisor/virtual/oauth/types_oidcclientsecretrequest.go.tmpl
rename to apis/supervisor/clientsecret/types_oidcclientsecretrequest.go.tmpl
index ac54a93c..7fd1eb65 100644
--- a/apis/supervisor/virtual/oauth/types_oidcclientsecretrequest.go.tmpl
+++ b/apis/supervisor/clientsecret/types_oidcclientsecretrequest.go.tmpl
@@ -1,7 +1,7 @@
 // Copyright 2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
-package oauth
+package clientsecret
 
 import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
diff --git a/apis/supervisor/virtual/oauth/v1alpha1/conversion.go.tmpl b/apis/supervisor/clientsecret/v1alpha1/conversion.go.tmpl
similarity index 100%
rename from apis/supervisor/virtual/oauth/v1alpha1/conversion.go.tmpl
rename to apis/supervisor/clientsecret/v1alpha1/conversion.go.tmpl
diff --git a/apis/supervisor/virtual/oauth/v1alpha1/defaults.go.tmpl b/apis/supervisor/clientsecret/v1alpha1/defaults.go.tmpl
similarity index 100%
rename from apis/supervisor/virtual/oauth/v1alpha1/defaults.go.tmpl
rename to apis/supervisor/clientsecret/v1alpha1/defaults.go.tmpl
diff --git a/apis/supervisor/virtual/oauth/v1alpha1/doc.go.tmpl b/apis/supervisor/clientsecret/v1alpha1/doc.go.tmpl
similarity index 64%
rename from apis/supervisor/virtual/oauth/v1alpha1/doc.go.tmpl
rename to apis/supervisor/clientsecret/v1alpha1/doc.go.tmpl
index c94cc7b7..68beee50 100644
--- a/apis/supervisor/virtual/oauth/v1alpha1/doc.go.tmpl
+++ b/apis/supervisor/clientsecret/v1alpha1/doc.go.tmpl
@@ -3,9 +3,9 @@
 
 // +k8s:openapi-gen=true
 // +k8s:deepcopy-gen=package
-// +k8s:conversion-gen=go.pinniped.dev/GENERATED_PKG/apis/supervisor/virtual/oauth
+// +k8s:conversion-gen=go.pinniped.dev/GENERATED_PKG/apis/supervisor/clientsecret
 // +k8s:defaulter-gen=TypeMeta
-// +groupName=oauth.virtual.supervisor.pinniped.dev
+// +groupName=clientsecret.supervisor.pinniped.dev
 
-// Package v1alpha1 is the v1alpha1 version of the Pinniped virtual oauth API.
+// Package v1alpha1 is the v1alpha1 version of the Pinniped client secret API.
 package v1alpha1
diff --git a/apis/supervisor/virtual/oauth/v1alpha1/register.go.tmpl b/apis/supervisor/clientsecret/v1alpha1/register.go.tmpl
similarity index 95%
rename from apis/supervisor/virtual/oauth/v1alpha1/register.go.tmpl
rename to apis/supervisor/clientsecret/v1alpha1/register.go.tmpl
index ecc75a08..49602125 100644
--- a/apis/supervisor/virtual/oauth/v1alpha1/register.go.tmpl
+++ b/apis/supervisor/clientsecret/v1alpha1/register.go.tmpl
@@ -9,7 +9,7 @@ import (
 	"k8s.io/apimachinery/pkg/runtime/schema"
 )
 
-const GroupName = "oauth.virtual.supervisor.pinniped.dev"
+const GroupName = "clientsecret.supervisor.pinniped.dev"
 
 // SchemeGroupVersion is group version used to register these objects.
 var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha1"}
diff --git a/apis/supervisor/virtual/oauth/v1alpha1/types_oidcclientsecretrequest.go.tmpl b/apis/supervisor/clientsecret/v1alpha1/types_oidcclientsecretrequest.go.tmpl
similarity index 100%
rename from apis/supervisor/virtual/oauth/v1alpha1/types_oidcclientsecretrequest.go.tmpl
rename to apis/supervisor/clientsecret/v1alpha1/types_oidcclientsecretrequest.go.tmpl
diff --git a/apis/supervisor/config/v1alpha1/register.go.tmpl b/apis/supervisor/config/v1alpha1/register.go.tmpl
index 69045298..54c51699 100644
--- a/apis/supervisor/config/v1alpha1/register.go.tmpl
+++ b/apis/supervisor/config/v1alpha1/register.go.tmpl
@@ -32,6 +32,8 @@ func addKnownTypes(scheme *runtime.Scheme) error {
 	scheme.AddKnownTypes(SchemeGroupVersion,
 		&FederationDomain{},
 		&FederationDomainList{},
+		&OIDCClient{},
+		&OIDCClientList{},
 	)
 	metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
 	return nil
diff --git a/apis/supervisor/oauth/v1alpha1/types_oidcclient.go.tmpl b/apis/supervisor/config/v1alpha1/types_oidcclient.go.tmpl
similarity index 100%
rename from apis/supervisor/oauth/v1alpha1/types_oidcclient.go.tmpl
rename to apis/supervisor/config/v1alpha1/types_oidcclient.go.tmpl
diff --git a/apis/supervisor/oauth/v1alpha1/doc.go.tmpl b/apis/supervisor/oauth/v1alpha1/doc.go.tmpl
deleted file mode 100644
index 75580481..00000000
--- a/apis/supervisor/oauth/v1alpha1/doc.go.tmpl
+++ /dev/null
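Review bot: Any RBAC rule that already grants access to the whole config.supervisor.pinniped.dev API group now also covers oidcclients, because the two added lines in the addKnownTypes hunk register OIDCClient and OIDCClientList under that group's SchemeGroupVersion next to FederationDomain. A Role or ClusterRole written with `resources: ["*"]` on that group for FederationDomain administration would silently gain the ability to create or edit OIDCClient objects, whose spec decides which redirect URIs, grant types and scopes a client may use. The supervisor's own Role/ClusterRole manifests are worth re-checking for such wildcard grants, and the group move deserves a line in the release notes so operators can audit theirs; neither is visible here, so this is inferred from the group change alone. `addKnownTypes` starts outside the hunk.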
@@ -1,10 +0,0 @@
-// Copyright 2022 the Pinniped contributors. All Rights Reserved.
-// SPDX-License-Identifier: Apache-2.0
-
-// +k8s:openapi-gen=true
-// +k8s:deepcopy-gen=package
-// +k8s:defaulter-gen=TypeMeta
-// +groupName=oauth.supervisor.pinniped.dev
-
-// Package v1alpha1 is the v1alpha1 version of the Pinniped supervisor oauth API.
-package v1alpha1
diff --git a/apis/supervisor/oauth/v1alpha1/register.go.tmpl b/apis/supervisor/oauth/v1alpha1/register.go.tmpl
deleted file mode 100644
index 37ae1fbf..00000000
--- a/apis/supervisor/oauth/v1alpha1/register.go.tmpl
+++ /dev/null
@@ -1,43 +0,0 @@
-// Copyright 2022 the Pinniped contributors. All Rights Reserved.
-// SPDX-License-Identifier: Apache-2.0
-
-package v1alpha1
-
-import (
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/apimachinery/pkg/runtime"
-	"k8s.io/apimachinery/pkg/runtime/schema"
-)
-
-const GroupName = "oauth.supervisor.pinniped.dev"
-
-// SchemeGroupVersion is group version used to register these objects.
-var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha1"}
-
-var (
-	SchemeBuilder runtime.SchemeBuilder
-	localSchemeBuilder = &SchemeBuilder
-	AddToScheme = localSchemeBuilder.AddToScheme
-)
-
-func init() {
-	// We only register manually written functions here. The registration of the
-	// generated functions takes place in the generated files. The separation
-	// makes the code compile even when the generated files are missing.
-	localSchemeBuilder.Register(addKnownTypes)
-}
-
-// Adds the list of known types to the given scheme.
-func addKnownTypes(scheme *runtime.Scheme) error {
-	scheme.AddKnownTypes(SchemeGroupVersion,
-		&OIDCClient{},
-		&OIDCClientList{},
-	)
-	metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
-	return nil
-}
-
-// Resource takes an unqualified resource and returns a Group qualified GroupResource.
-func Resource(resource string) schema.GroupResource {
-	return SchemeGroupVersion.WithResource(resource).GroupResource()
-}
diff --git a/apis/supervisor/virtual/oauth/doc.go.tmpl b/apis/supervisor/virtual/oauth/doc.go.tmpl
deleted file mode 100644
index ca4e9a63..00000000
--- a/apis/supervisor/virtual/oauth/doc.go.tmpl
+++ /dev/null
@@ -1,8 +0,0 @@
-// Copyright 2022 the Pinniped contributors. All Rights Reserved.
-// SPDX-License-Identifier: Apache-2.0
-
-// +k8s:deepcopy-gen=package
-// +groupName=oauth.virtual.supervisor.pinniped.dev
-
-// Package oauth is the internal version of the Pinniped virtual oauth API.
-package oauth
diff --git a/deploy/supervisor/oauth.supervisor.pinniped.dev_oidcclients.yaml b/deploy/supervisor/config.supervisor.pinniped.dev_oidcclients.yaml
similarity index 98%
rename from deploy/supervisor/oauth.supervisor.pinniped.dev_oidcclients.yaml
rename to deploy/supervisor/config.supervisor.pinniped.dev_oidcclients.yaml
index 589a9154..4efa445e 100644
--- a/deploy/supervisor/oauth.supervisor.pinniped.dev_oidcclients.yaml
+++ b/deploy/supervisor/config.supervisor.pinniped.dev_oidcclients.yaml
@@ -5,9 +5,9 @@ metadata:
   annotations:
     controller-gen.kubebuilder.io/version: v0.8.0
   creationTimestamp: null
-  name: oidcclients.oauth.supervisor.pinniped.dev
+  name: oidcclients.config.supervisor.pinniped.dev
 spec:
-  group: oauth.supervisor.pinniped.dev
+  group: config.supervisor.pinniped.dev
   names:
     categories:
     - pinniped
diff --git a/deploy/supervisor/deployment.yaml b/deploy/supervisor/deployment.yaml
index e125771a..e693dd62 100644
--- a/deploy/supervisor/deployment.yaml
+++ b/deploy/supervisor/deployment.yaml
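Review bot: Changing both `name` and `group` of the CRD in this hunk produces a brand-new CRD object rather than an update of the existing one, so a cluster that already carries `oidcclients.oauth.supervisor.pinniped.dev` keeps it, together with any OIDCClient objects stored under it, unless the deploy tooling prunes objects that vanish from the rendered manifests; the new CRD starts empty and those objects presumably stop being reconciled. The APIService renamed in deploy/supervisor/deployment.yaml and the overlay match in deploy/supervisor/z0_crd_overlay.yaml have the same upgrade shape, and a leftover APIService that no backend serves is reported as unavailable by the aggregator, which degrades API discovery for every client of that cluster. If the oauth group names were never part of a release this is moot, and a one-line note in the commit message saying so would settle it; otherwise the upgrade path needs to delete the stale CRD and APIService explicitly.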
@@ -197,11 +197,11 @@ spec:
 apiVersion: apiregistration.k8s.io/v1
 kind: APIService
 metadata:
-  name: #@ pinnipedDevAPIGroupWithPrefix("v1alpha1.oauth.virtual.supervisor")
+  name: #@ pinnipedDevAPIGroupWithPrefix("v1alpha1.clientsecret.supervisor")
   labels: #@ labels()
 spec:
   version: v1alpha1
-  group: #@ pinnipedDevAPIGroupWithPrefix("oauth.virtual.supervisor")
+  group: #@ pinnipedDevAPIGroupWithPrefix("clientsecret.supervisor")
   groupPriorityMinimum: 9900
   versionPriority: 15
   #! caBundle: Do not include this key here. Starts out null, will be updated/owned by the golang code.
diff --git a/deploy/supervisor/z0_crd_overlay.yaml b/deploy/supervisor/z0_crd_overlay.yaml
index 130f780d..a658091b 100644
--- a/deploy/supervisor/z0_crd_overlay.yaml
+++ b/deploy/supervisor/z0_crd_overlay.yaml
@@ -41,11 +41,11 @@ metadata:
 spec:
   group: #@ pinnipedDevAPIGroupWithPrefix("idp.supervisor")
 
-#@overlay/match by=overlay.subset({"kind": "CustomResourceDefinition", "metadata":{"name":"oidcclients.oauth.supervisor.pinniped.dev"}}), expects=1
+#@overlay/match by=overlay.subset({"kind": "CustomResourceDefinition", "metadata":{"name":"oidcclients.config.supervisor.pinniped.dev"}}), expects=1
 ---
 metadata:
   #@overlay/match missing_ok=True
   labels: #@ labels()
-  name: #@ pinnipedDevAPIGroupWithPrefix("oidcclients.oauth.supervisor")
+  name: #@ pinnipedDevAPIGroupWithPrefix("oidcclients.config.supervisor")
 spec:
-  group: #@ pinnipedDevAPIGroupWithPrefix("oauth.supervisor")
+  group: #@ pinnipedDevAPIGroupWithPrefix("config.supervisor")
diff --git a/generated/1.17/README.adoc b/generated/1.17/README.adoc
index 0b90292d..739a669e 100644
--- a/generated/1.17/README.adoc
+++ b/generated/1.17/README.adoc
@@ -6,15 +6,14 @@ .Packages - xref:{anchor_prefix}-authentication-concierge-pinniped-dev-v1alpha1[$$authentication.concierge.pinniped.dev/v1alpha1$$] +- xref:{anchor_prefix}-clientsecret-supervisor-pinniped-dev-clientsecret[$$clientsecret.supervisor.pinniped.dev/clientsecret$$] +- xref:{anchor_prefix}-clientsecret-supervisor-pinniped-dev-v1alpha1[$$clientsecret.supervisor.pinniped.dev/v1alpha1$$] - xref:{anchor_prefix}-config-concierge-pinniped-dev-v1alpha1[$$config.concierge.pinniped.dev/v1alpha1$$] - xref:{anchor_prefix}-config-supervisor-pinniped-dev-v1alpha1[$$config.supervisor.pinniped.dev/v1alpha1$$] - xref:{anchor_prefix}-identity-concierge-pinniped-dev-identity[$$identity.concierge.pinniped.dev/identity$$] - xref:{anchor_prefix}-identity-concierge-pinniped-dev-v1alpha1[$$identity.concierge.pinniped.dev/v1alpha1$$] - xref:{anchor_prefix}-idp-supervisor-pinniped-dev-v1alpha1[$$idp.supervisor.pinniped.dev/v1alpha1$$] - xref:{anchor_prefix}-login-concierge-pinniped-dev-v1alpha1[$$login.concierge.pinniped.dev/v1alpha1$$] -- xref:{anchor_prefix}-oauth-supervisor-pinniped-dev-v1alpha1[$$oauth.supervisor.pinniped.dev/v1alpha1$$] -- xref:{anchor_prefix}-oauth-virtual-supervisor-pinniped-dev-oauth[$$oauth.virtual.supervisor.pinniped.dev/oauth$$] -- xref:{anchor_prefix}-oauth-virtual-supervisor-pinniped-dev-v1alpha1[$$oauth.virtual.supervisor.pinniped.dev/v1alpha1$$] [id="{anchor_prefix}-authentication-concierge-pinniped-dev-v1alpha1"] 
@@ -213,6 +212,98 @@ Status of a webhook authenticator. +[id="{anchor_prefix}-clientsecret-supervisor-pinniped-dev-clientsecret"] +=== clientsecret.supervisor.pinniped.dev/clientsecret + +Package clientsecret is the internal version of the Pinniped client secret API. + + + + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-clientsecret-oidcclientsecretrequestspec"] +==== OIDCClientSecretRequestSpec + + + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-clientsecret-oidcclientsecretrequest[$$OIDCClientSecretRequest$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`generateNewSecret`* __boolean__ | +| *`revokeOldSecrets`* __boolean__ | +|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-clientsecret-oidcclientsecretrequeststatus"] +==== OIDCClientSecretRequestStatus + + + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-clientsecret-oidcclientsecretrequest[$$OIDCClientSecretRequest$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`generatedSecret`* __string__ | +| *`totalClientSecrets`* __integer__ | +|=== + + + +[id="{anchor_prefix}-clientsecret-supervisor-pinniped-dev-v1alpha1"] +=== clientsecret.supervisor.pinniped.dev/v1alpha1 + +Package v1alpha1 is the v1alpha1 version of the Pinniped client secret API. 
+ + + + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-clientsecret-v1alpha1-oidcclientsecretrequestspec"] +==== OIDCClientSecretRequestSpec + + + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-clientsecret-v1alpha1-oidcclientsecretrequest[$$OIDCClientSecretRequest$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`generateNewSecret`* __boolean__ | +| *`revokeOldSecrets`* __boolean__ | +|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-clientsecret-v1alpha1-oidcclientsecretrequeststatus"] +==== OIDCClientSecretRequestStatus + + + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-clientsecret-v1alpha1-oidcclientsecretrequest[$$OIDCClientSecretRequest$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`generatedSecret`* __string__ | +| *`totalClientSecrets`* __integer__ | +|=== + + + [id="{anchor_prefix}-config-concierge-pinniped-dev-v1alpha1"] === config.concierge.pinniped.dev/v1alpha1 
@@ -546,6 +637,51 @@ FederationDomainTLSSpec is a struct that describes the TLS configuration for an |=== +[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-config-v1alpha1-oidcclient"] +==== OIDCClient + +OIDCClient describes the configuration of an OIDC client. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-config-v1alpha1-oidcclientlist[$$OIDCClientList$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.17/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`. + +| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-config-v1alpha1-oidcclientspec[$$OIDCClientSpec$$]__ | Spec of the OIDC client. +| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-config-v1alpha1-oidcclientstatus[$$OIDCClientStatus$$]__ | Status of the OIDC client. +|=== + + + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-config-v1alpha1-oidcclientspec"] +==== OIDCClientSpec + +OIDCClientSpec is a struct that describes an OIDC Client. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-config-v1alpha1-oidcclient[$$OIDCClient$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`allowedRedirectURIs`* __string array__ | allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this client. Any other uris will be rejected. Must be https, unless it is a loopback. +| *`allowedGrantTypes`* __GrantType array__ | allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this client. + Must only contain the following values: - authorization_code: allows the client to perform the authorization code grant flow, i.e. 
allows the webapp to authenticate users. This grant must always be listed. - refresh_token: allows the client to perform refresh grants for the user to extend the user's session. This grant must be listed if allowedScopes lists offline_access. - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. This grant must be listed if allowedScopes lists pinniped:request-audience. +| *`allowedScopes`* __Scope array__ | allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. + Must only contain the following values: - openid: The client is allowed to request ID tokens. ID tokens only include the required claims by default (iss, sub, aud, exp, iat). This scope must always be listed. - offline_access: The client is allowed to request an initial refresh token during the authorization code grant flow. This scope must be listed if allowedGrantTypes lists refresh_token. - pinniped:request-audience: The client is allowed to request a new audience value during a RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. openid, username and groups scopes must be listed when this scope is present. This scope must be listed if allowedGrantTypes lists urn:ietf:params:oauth:grant-type:token-exchange. - username: The client is allowed to request that ID tokens contain the user's username. Without the username scope being requested and allowed, the ID token will not contain the user's username. - groups: The client is allowed to request that ID tokens contain the user's group membership, if their group membership is discoverable by the Supervisor. Without the groups scope being requested and allowed, the ID token will not contain groups. 
+|=== + + + + [id="{anchor_prefix}-identity-concierge-pinniped-dev-identity"] === identity.concierge.pinniped.dev/identity 
@@ -1335,148 +1471,3 @@ TokenCredentialRequestStatus is the status of a TokenCredentialRequest, returned |=== - -[id="{anchor_prefix}-oauth-supervisor-pinniped-dev-v1alpha1"] -=== oauth.supervisor.pinniped.dev/v1alpha1 - -Package v1alpha1 is the v1alpha1 version of the Pinniped supervisor oauth API. - - - -[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-oauth-v1alpha1-oidcclient"] -==== OIDCClient - -OIDCClient describes the configuration of an OIDC client. - -.Appears In: -**** -- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-oauth-v1alpha1-oidcclientlist[$$OIDCClientList$$] -**** - -[cols="25a,75a", options="header"] -|=== -| Field | Description -| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.17/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`. - -| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-oauth-v1alpha1-oidcclientspec[$$OIDCClientSpec$$]__ | Spec of the OIDC client. -| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-oauth-v1alpha1-oidcclientstatus[$$OIDCClientStatus$$]__ | Status of the OIDC client. -|=== - - - - -[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-oauth-v1alpha1-oidcclientspec"] -==== OIDCClientSpec - -OIDCClientSpec is a struct that describes an OIDC Client. - -.Appears In: -**** -- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-oauth-v1alpha1-oidcclient[$$OIDCClient$$] -**** - -[cols="25a,75a", options="header"] -|=== -| Field | Description -| *`allowedRedirectURIs`* __string array__ | allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this client. Any other uris will be rejected. Must be https, unless it is a loopback. 
-| *`allowedGrantTypes`* __GrantType array__ | allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this client. - Must only contain the following values: - authorization_code: allows the client to perform the authorization code grant flow, i.e. allows the webapp to authenticate users. This grant must always be listed. - refresh_token: allows the client to perform refresh grants for the user to extend the user's session. This grant must be listed if allowedScopes lists offline_access. - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. This grant must be listed if allowedScopes lists pinniped:request-audience. -| *`allowedScopes`* __Scope array__ | allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. - Must only contain the following values: - openid: The client is allowed to request ID tokens. ID tokens only include the required claims by default (iss, sub, aud, exp, iat). This scope must always be listed. - offline_access: The client is allowed to request an initial refresh token during the authorization code grant flow. This scope must be listed if allowedGrantTypes lists refresh_token. - pinniped:request-audience: The client is allowed to request a new audience value during a RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. openid, username and groups scopes must be listed when this scope is present. This scope must be listed if allowedGrantTypes lists urn:ietf:params:oauth:grant-type:token-exchange. - username: The client is allowed to request that ID tokens contain the user's username. Without the username scope being requested and allowed, the ID token will not contain the user's username. 
- groups: The client is allowed to request that ID tokens contain the user's group membership, if their group membership is discoverable by the Supervisor. Without the groups scope being requested and allowed, the ID token will not contain groups. -|=== - - - - - -[id="{anchor_prefix}-oauth-virtual-supervisor-pinniped-dev-oauth"] -=== oauth.virtual.supervisor.pinniped.dev/oauth - -Package oauth is the internal version of the Pinniped virtual oauth API. - - - - - -[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-virtual-oauth-oidcclientsecretrequestspec"] -==== OIDCClientSecretRequestSpec - - - -.Appears In: -**** -- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-virtual-oauth-oidcclientsecretrequest[$$OIDCClientSecretRequest$$] -**** - -[cols="25a,75a", options="header"] -|=== -| Field | Description -| *`generateNewSecret`* __boolean__ | -| *`revokeOldSecrets`* __boolean__ | -|=== - - -[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-virtual-oauth-oidcclientsecretrequeststatus"] -==== OIDCClientSecretRequestStatus - - - -.Appears In: -**** -- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-virtual-oauth-oidcclientsecretrequest[$$OIDCClientSecretRequest$$] -**** - -[cols="25a,75a", options="header"] -|=== -| Field | Description -| *`generatedSecret`* __string__ | -| *`totalClientSecrets`* __integer__ | -|=== - - - -[id="{anchor_prefix}-oauth-virtual-supervisor-pinniped-dev-v1alpha1"] -=== oauth.virtual.supervisor.pinniped.dev/v1alpha1 - -Package v1alpha1 is the v1alpha1 version of the Pinniped virtual oauth API. 
-
-
-
-
-
-[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-virtual-oauth-v1alpha1-oidcclientsecretrequestspec"]
-==== OIDCClientSecretRequestSpec
-
-
-.Appears In:
-****
-- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-virtual-oauth-v1alpha1-oidcclientsecretrequest[$$OIDCClientSecretRequest$$]
-****
-
-[cols="25a,75a", options="header"]
-|===
-| Field | Description
-| *`generateNewSecret`* __boolean__ |
-| *`revokeOldSecrets`* __boolean__ |
-|===
-
-
-[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-virtual-oauth-v1alpha1-oidcclientsecretrequeststatus"]
-==== OIDCClientSecretRequestStatus
-
-
-.Appears In:
-****
-- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-virtual-oauth-v1alpha1-oidcclientsecretrequest[$$OIDCClientSecretRequest$$]
-****
-
-[cols="25a,75a", options="header"]
-|===
-| Field | Description
-| *`generatedSecret`* __string__ |
-| *`totalClientSecrets`* __integer__ |
-|===
-
-
diff --git a/generated/1.17/apis/supervisor/clientsecret/doc.go b/generated/1.17/apis/supervisor/clientsecret/doc.go
new file mode 100644
index 00000000..c536bc75
--- /dev/null
+++ b/generated/1.17/apis/supervisor/clientsecret/doc.go
@@ -0,0 +1,8 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// +k8s:deepcopy-gen=package
+// +groupName=clientsecret.supervisor.pinniped.dev
+
+// Package clientsecret is the internal version of the Pinniped client secret API.
+package clientsecret
diff --git a/generated/1.18/apis/supervisor/virtual/oauth/register.go b/generated/1.17/apis/supervisor/clientsecret/register.go
similarity index 93%
rename from generated/1.18/apis/supervisor/virtual/oauth/register.go
rename to generated/1.17/apis/supervisor/clientsecret/register.go
index a238d85f..4a1c0173 100644
--- a/generated/1.18/apis/supervisor/virtual/oauth/register.go
+++ b/generated/1.17/apis/supervisor/clientsecret/register.go
@@ -1,14 +1,14 @@
 // Copyright 2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

-package oauth
+package clientsecret

 import (
 "k8s.io/apimachinery/pkg/runtime"
 "k8s.io/apimachinery/pkg/runtime/schema"
 )

-const GroupName = "oauth.virtual.supervisor.pinniped.dev"
+const GroupName = "clientsecret.supervisor.pinniped.dev"

 // SchemeGroupVersion is group version used to register these objects.
 var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: runtime.APIVersionInternal}
diff --git a/generated/1.19/apis/supervisor/virtual/oauth/types_oidcclientsecretrequest.go b/generated/1.17/apis/supervisor/clientsecret/types_oidcclientsecretrequest.go
similarity index 97%
rename from generated/1.19/apis/supervisor/virtual/oauth/types_oidcclientsecretrequest.go
rename to generated/1.17/apis/supervisor/clientsecret/types_oidcclientsecretrequest.go
index ac54a93c..7fd1eb65 100644
--- a/generated/1.19/apis/supervisor/virtual/oauth/types_oidcclientsecretrequest.go
+++ b/generated/1.17/apis/supervisor/clientsecret/types_oidcclientsecretrequest.go
@@ -1,7 +1,7 @@
 // Copyright 2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

-package oauth
+package clientsecret

 import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
diff --git a/generated/1.17/apis/supervisor/virtual/oauth/v1alpha1/conversion.go b/generated/1.17/apis/supervisor/clientsecret/v1alpha1/conversion.go
similarity index 100%
rename from generated/1.17/apis/supervisor/virtual/oauth/v1alpha1/conversion.go
rename to generated/1.17/apis/supervisor/clientsecret/v1alpha1/conversion.go
diff --git a/generated/1.17/apis/supervisor/virtual/oauth/v1alpha1/defaults.go b/generated/1.17/apis/supervisor/clientsecret/v1alpha1/defaults.go
similarity index 100%
rename from generated/1.17/apis/supervisor/virtual/oauth/v1alpha1/defaults.go
rename to generated/1.17/apis/supervisor/clientsecret/v1alpha1/defaults.go
diff --git a/generated/1.17/apis/supervisor/virtual/oauth/v1alpha1/doc.go b/generated/1.17/apis/supervisor/clientsecret/v1alpha1/doc.go
similarity index 64%
rename from generated/1.17/apis/supervisor/virtual/oauth/v1alpha1/doc.go
rename to generated/1.17/apis/supervisor/clientsecret/v1alpha1/doc.go
index 6437db4d..f008eec0 100644
--- a/generated/1.17/apis/supervisor/virtual/oauth/v1alpha1/doc.go
+++ b/generated/1.17/apis/supervisor/clientsecret/v1alpha1/doc.go
@@ -3,9 +3,9 @@

 // +k8s:openapi-gen=true
 // +k8s:deepcopy-gen=package
-// +k8s:conversion-gen=go.pinniped.dev/generated/1.17/apis/supervisor/virtual/oauth
+// +k8s:conversion-gen=go.pinniped.dev/generated/1.17/apis/supervisor/clientsecret
 // +k8s:defaulter-gen=TypeMeta
-// +groupName=oauth.virtual.supervisor.pinniped.dev
+// +groupName=clientsecret.supervisor.pinniped.dev

-// Package v1alpha1 is the v1alpha1 version of the Pinniped virtual oauth API.
+// Package v1alpha1 is the v1alpha1 version of the Pinniped client secret API.
 package v1alpha1
diff --git a/generated/1.20/apis/supervisor/virtual/oauth/v1alpha1/register.go b/generated/1.17/apis/supervisor/clientsecret/v1alpha1/register.go
similarity index 95%
rename from generated/1.20/apis/supervisor/virtual/oauth/v1alpha1/register.go
rename to generated/1.17/apis/supervisor/clientsecret/v1alpha1/register.go
index ecc75a08..49602125 100644
--- a/generated/1.20/apis/supervisor/virtual/oauth/v1alpha1/register.go
+++ b/generated/1.17/apis/supervisor/clientsecret/v1alpha1/register.go
@@ -9,7 +9,7 @@ import (
 "k8s.io/apimachinery/pkg/runtime/schema"
 )

-const GroupName = "oauth.virtual.supervisor.pinniped.dev"
+const GroupName = "clientsecret.supervisor.pinniped.dev"

 // SchemeGroupVersion is group version used to register these objects.
 var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha1"}
diff --git a/generated/1.17/apis/supervisor/virtual/oauth/v1alpha1/types_oidcclientsecretrequest.go b/generated/1.17/apis/supervisor/clientsecret/v1alpha1/types_oidcclientsecretrequest.go
similarity index 100%
rename from generated/1.17/apis/supervisor/virtual/oauth/v1alpha1/types_oidcclientsecretrequest.go
rename to generated/1.17/apis/supervisor/clientsecret/v1alpha1/types_oidcclientsecretrequest.go
diff --git a/generated/1.17/apis/supervisor/clientsecret/v1alpha1/zz_generated.conversion.go b/generated/1.17/apis/supervisor/clientsecret/v1alpha1/zz_generated.conversion.go
new file mode 100644
index 00000000..c559d1c2
--- /dev/null
+++ b/generated/1.17/apis/supervisor/clientsecret/v1alpha1/zz_generated.conversion.go
@@ -0,0 +1,131 @@ +//go:build !ignore_autogenerated +// +build !ignore_autogenerated + +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by conversion-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + clientsecret "go.pinniped.dev/generated/1.17/apis/supervisor/clientsecret" + conversion "k8s.io/apimachinery/pkg/conversion" + runtime "k8s.io/apimachinery/pkg/runtime" +) + +func init() { + localSchemeBuilder.Register(RegisterConversions) +} + +// RegisterConversions adds conversion functions to the given scheme. +// Public to allow building arbitrary schemes. +func RegisterConversions(s *runtime.Scheme) error { + if err := s.AddGeneratedConversionFunc((*OIDCClientSecretRequest)(nil), (*clientsecret.OIDCClientSecretRequest)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_v1alpha1_OIDCClientSecretRequest_To_clientsecret_OIDCClientSecretRequest(a.(*OIDCClientSecretRequest), b.(*clientsecret.OIDCClientSecretRequest), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*clientsecret.OIDCClientSecretRequest)(nil), (*OIDCClientSecretRequest)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_clientsecret_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest(a.(*clientsecret.OIDCClientSecretRequest), b.(*OIDCClientSecretRequest), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*OIDCClientSecretRequestSpec)(nil), (*clientsecret.OIDCClientSecretRequestSpec)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_v1alpha1_OIDCClientSecretRequestSpec_To_clientsecret_OIDCClientSecretRequestSpec(a.(*OIDCClientSecretRequestSpec), b.(*clientsecret.OIDCClientSecretRequestSpec), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*clientsecret.OIDCClientSecretRequestSpec)(nil), (*OIDCClientSecretRequestSpec)(nil), 
func(a, b interface{}, scope conversion.Scope) error { + return Convert_clientsecret_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec(a.(*clientsecret.OIDCClientSecretRequestSpec), b.(*OIDCClientSecretRequestSpec), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*OIDCClientSecretRequestStatus)(nil), (*clientsecret.OIDCClientSecretRequestStatus)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_v1alpha1_OIDCClientSecretRequestStatus_To_clientsecret_OIDCClientSecretRequestStatus(a.(*OIDCClientSecretRequestStatus), b.(*clientsecret.OIDCClientSecretRequestStatus), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*clientsecret.OIDCClientSecretRequestStatus)(nil), (*OIDCClientSecretRequestStatus)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_clientsecret_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus(a.(*clientsecret.OIDCClientSecretRequestStatus), b.(*OIDCClientSecretRequestStatus), scope) + }); err != nil { + return err + } + return nil +} + +func autoConvert_v1alpha1_OIDCClientSecretRequest_To_clientsecret_OIDCClientSecretRequest(in *OIDCClientSecretRequest, out *clientsecret.OIDCClientSecretRequest, s conversion.Scope) error { + out.ObjectMeta = in.ObjectMeta + if err := Convert_v1alpha1_OIDCClientSecretRequestSpec_To_clientsecret_OIDCClientSecretRequestSpec(&in.Spec, &out.Spec, s); err != nil { + return err + } + if err := Convert_v1alpha1_OIDCClientSecretRequestStatus_To_clientsecret_OIDCClientSecretRequestStatus(&in.Status, &out.Status, s); err != nil { + return err + } + return nil +} + +// Convert_v1alpha1_OIDCClientSecretRequest_To_clientsecret_OIDCClientSecretRequest is an autogenerated conversion function. 
+func Convert_v1alpha1_OIDCClientSecretRequest_To_clientsecret_OIDCClientSecretRequest(in *OIDCClientSecretRequest, out *clientsecret.OIDCClientSecretRequest, s conversion.Scope) error { + return autoConvert_v1alpha1_OIDCClientSecretRequest_To_clientsecret_OIDCClientSecretRequest(in, out, s) +} + +func autoConvert_clientsecret_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest(in *clientsecret.OIDCClientSecretRequest, out *OIDCClientSecretRequest, s conversion.Scope) error { + out.ObjectMeta = in.ObjectMeta + if err := Convert_clientsecret_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec(&in.Spec, &out.Spec, s); err != nil { + return err + } + if err := Convert_clientsecret_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus(&in.Status, &out.Status, s); err != nil { + return err + } + return nil +} + +// Convert_clientsecret_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest is an autogenerated conversion function. +func Convert_clientsecret_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest(in *clientsecret.OIDCClientSecretRequest, out *OIDCClientSecretRequest, s conversion.Scope) error { + return autoConvert_clientsecret_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest(in, out, s) +} + +func autoConvert_v1alpha1_OIDCClientSecretRequestSpec_To_clientsecret_OIDCClientSecretRequestSpec(in *OIDCClientSecretRequestSpec, out *clientsecret.OIDCClientSecretRequestSpec, s conversion.Scope) error { + out.GenerateNewSecret = in.GenerateNewSecret + out.RevokeOldSecrets = in.RevokeOldSecrets + return nil +} + +// Convert_v1alpha1_OIDCClientSecretRequestSpec_To_clientsecret_OIDCClientSecretRequestSpec is an autogenerated conversion function. 
+func Convert_v1alpha1_OIDCClientSecretRequestSpec_To_clientsecret_OIDCClientSecretRequestSpec(in *OIDCClientSecretRequestSpec, out *clientsecret.OIDCClientSecretRequestSpec, s conversion.Scope) error { + return autoConvert_v1alpha1_OIDCClientSecretRequestSpec_To_clientsecret_OIDCClientSecretRequestSpec(in, out, s) +} + +func autoConvert_clientsecret_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec(in *clientsecret.OIDCClientSecretRequestSpec, out *OIDCClientSecretRequestSpec, s conversion.Scope) error { + out.GenerateNewSecret = in.GenerateNewSecret + out.RevokeOldSecrets = in.RevokeOldSecrets + return nil +} + +// Convert_clientsecret_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec is an autogenerated conversion function. +func Convert_clientsecret_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec(in *clientsecret.OIDCClientSecretRequestSpec, out *OIDCClientSecretRequestSpec, s conversion.Scope) error { + return autoConvert_clientsecret_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec(in, out, s) +} + +func autoConvert_v1alpha1_OIDCClientSecretRequestStatus_To_clientsecret_OIDCClientSecretRequestStatus(in *OIDCClientSecretRequestStatus, out *clientsecret.OIDCClientSecretRequestStatus, s conversion.Scope) error { + out.GeneratedSecret = in.GeneratedSecret + out.TotalClientSecrets = in.TotalClientSecrets + return nil +} + +// Convert_v1alpha1_OIDCClientSecretRequestStatus_To_clientsecret_OIDCClientSecretRequestStatus is an autogenerated conversion function. 
+func Convert_v1alpha1_OIDCClientSecretRequestStatus_To_clientsecret_OIDCClientSecretRequestStatus(in *OIDCClientSecretRequestStatus, out *clientsecret.OIDCClientSecretRequestStatus, s conversion.Scope) error { + return autoConvert_v1alpha1_OIDCClientSecretRequestStatus_To_clientsecret_OIDCClientSecretRequestStatus(in, out, s) +} + +func autoConvert_clientsecret_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus(in *clientsecret.OIDCClientSecretRequestStatus, out *OIDCClientSecretRequestStatus, s conversion.Scope) error { + out.GeneratedSecret = in.GeneratedSecret + out.TotalClientSecrets = in.TotalClientSecrets + return nil +} + +// Convert_clientsecret_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus is an autogenerated conversion function. +func Convert_clientsecret_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus(in *clientsecret.OIDCClientSecretRequestStatus, out *OIDCClientSecretRequestStatus, s conversion.Scope) error { + return autoConvert_clientsecret_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus(in, out, s) +} diff --git a/generated/1.17/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.deepcopy.go b/generated/1.17/apis/supervisor/clientsecret/v1alpha1/zz_generated.deepcopy.go similarity index 100% rename from generated/1.17/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.deepcopy.go rename to generated/1.17/apis/supervisor/clientsecret/v1alpha1/zz_generated.deepcopy.go diff --git a/generated/1.17/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.defaults.go b/generated/1.17/apis/supervisor/clientsecret/v1alpha1/zz_generated.defaults.go similarity index 100% rename from generated/1.17/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.defaults.go rename to generated/1.17/apis/supervisor/clientsecret/v1alpha1/zz_generated.defaults.go 
diff --git a/generated/1.19/apis/supervisor/virtual/oauth/zz_generated.deepcopy.go b/generated/1.17/apis/supervisor/clientsecret/zz_generated.deepcopy.go
similarity index 99%
rename from generated/1.19/apis/supervisor/virtual/oauth/zz_generated.deepcopy.go
rename to generated/1.17/apis/supervisor/clientsecret/zz_generated.deepcopy.go
index 24b58e7b..e0dc7d68 100644
--- a/generated/1.19/apis/supervisor/virtual/oauth/zz_generated.deepcopy.go
+++ b/generated/1.17/apis/supervisor/clientsecret/zz_generated.deepcopy.go
@@ -6,7 +6,7 @@

 // Code generated by deepcopy-gen. DO NOT EDIT.

-package oauth
+package clientsecret

 import (
 runtime "k8s.io/apimachinery/pkg/runtime"
diff --git a/generated/1.17/apis/supervisor/config/v1alpha1/register.go b/generated/1.17/apis/supervisor/config/v1alpha1/register.go
index 69045298..54c51699 100644
--- a/generated/1.17/apis/supervisor/config/v1alpha1/register.go
+++ b/generated/1.17/apis/supervisor/config/v1alpha1/register.go
@@ -32,6 +32,8 @@ func addKnownTypes(scheme *runtime.Scheme) error {
 scheme.AddKnownTypes(SchemeGroupVersion,
 &FederationDomain{},
 &FederationDomainList{},
+&OIDCClient{},
+&OIDCClientList{},
 )
 metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
 return nil
diff --git a/generated/1.17/apis/supervisor/oauth/v1alpha1/types_oidcclient.go b/generated/1.17/apis/supervisor/config/v1alpha1/types_oidcclient.go
similarity index 100%
rename from generated/1.17/apis/supervisor/oauth/v1alpha1/types_oidcclient.go
rename to generated/1.17/apis/supervisor/config/v1alpha1/types_oidcclient.go
diff --git a/generated/1.17/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go b/generated/1.17/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go
index 856b8988..a55d88e7 100644
--- a/generated/1.17/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go
+++ b/generated/1.17/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go
@@ -150,3 +150,111 @@ func (in *FederationDomainTLSSpec) DeepCopy() *FederationDomainTLSSpec { in.DeepCopyInto(out) return out } + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCClient) DeepCopyInto(out *OIDCClient) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + in.Spec.DeepCopyInto(&out.Spec) + out.Status = in.Status + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClient. +func (in *OIDCClient) DeepCopy() *OIDCClient { + if in == nil { + return nil + } + out := new(OIDCClient) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *OIDCClient) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCClientList) DeepCopyInto(out *OIDCClientList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]OIDCClient, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientList. +func (in *OIDCClientList) DeepCopy() *OIDCClientList { + if in == nil { + return nil + } + out := new(OIDCClientList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *OIDCClientList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. 
in must be non-nil. +func (in *OIDCClientSpec) DeepCopyInto(out *OIDCClientSpec) { + *out = *in + if in.AllowedRedirectURIs != nil { + in, out := &in.AllowedRedirectURIs, &out.AllowedRedirectURIs + *out = make([]string, len(*in)) + copy(*out, *in) + } + if in.AllowedGrantTypes != nil { + in, out := &in.AllowedGrantTypes, &out.AllowedGrantTypes + *out = make([]GrantType, len(*in)) + copy(*out, *in) + } + if in.AllowedScopes != nil { + in, out := &in.AllowedScopes, &out.AllowedScopes + *out = make([]Scope, len(*in)) + copy(*out, *in) + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSpec. +func (in *OIDCClientSpec) DeepCopy() *OIDCClientSpec { + if in == nil { + return nil + } + out := new(OIDCClientSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCClientStatus) DeepCopyInto(out *OIDCClientStatus) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientStatus. +func (in *OIDCClientStatus) DeepCopy() *OIDCClientStatus { + if in == nil { + return nil + } + out := new(OIDCClientStatus) + in.DeepCopyInto(out) + return out +} diff --git a/generated/1.17/apis/supervisor/oauth/v1alpha1/doc.go b/generated/1.17/apis/supervisor/oauth/v1alpha1/doc.go deleted file mode 100644 index 75580481..00000000 --- a/generated/1.17/apis/supervisor/oauth/v1alpha1/doc.go +++ /dev/null @@ -1,10 +0,0 @@ -// Copyright 2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// +k8s:openapi-gen=true -// +k8s:deepcopy-gen=package -// +k8s:defaulter-gen=TypeMeta -// +groupName=oauth.supervisor.pinniped.dev - -// Package v1alpha1 is the v1alpha1 version of the Pinniped supervisor oauth API. -package v1alpha1 
diff --git a/generated/1.17/apis/supervisor/oauth/v1alpha1/register.go b/generated/1.17/apis/supervisor/oauth/v1alpha1/register.go
deleted file mode 100644
index 37ae1fbf..00000000
--- a/generated/1.17/apis/supervisor/oauth/v1alpha1/register.go
+++ /dev/null
@@ -1,43 +0,0 @@
-// Copyright 2022 the Pinniped contributors. All Rights Reserved.
-// SPDX-License-Identifier: Apache-2.0
-
-package v1alpha1
-
-import (
-metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-"k8s.io/apimachinery/pkg/runtime"
-"k8s.io/apimachinery/pkg/runtime/schema"
-)
-
-const GroupName = "oauth.supervisor.pinniped.dev"
-
-// SchemeGroupVersion is group version used to register these objects.
-var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha1"}
-
-var (
-SchemeBuilder runtime.SchemeBuilder
-localSchemeBuilder = &SchemeBuilder
-AddToScheme = localSchemeBuilder.AddToScheme
-)
-
-func init() {
-// We only register manually written functions here. The registration of the
-// generated functions takes place in the generated files. The separation
-// makes the code compile even when the generated files are missing.
-localSchemeBuilder.Register(addKnownTypes)
-}
-
-// Adds the list of known types to the given scheme.
-func addKnownTypes(scheme *runtime.Scheme) error {
-scheme.AddKnownTypes(SchemeGroupVersion,
-&OIDCClient{},
-&OIDCClientList{},
-)
-metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
-return nil
-}
-
-// Resource takes an unqualified resource and returns a Group qualified GroupResource.
-func Resource(resource string) schema.GroupResource {
-return SchemeGroupVersion.WithResource(resource).GroupResource()
-}
diff --git a/generated/1.17/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go b/generated/1.17/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go
deleted file mode 100644
index 1aba8aea..00000000
--- a/generated/1.17/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go
+++ /dev/null
@@ -1,121 +0,0 @@ -//go:build !ignore_autogenerated -// +build !ignore_autogenerated - -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by deepcopy-gen. DO NOT EDIT. - -package v1alpha1 - -import ( - runtime "k8s.io/apimachinery/pkg/runtime" -) - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *OIDCClient) DeepCopyInto(out *OIDCClient) { - *out = *in - out.TypeMeta = in.TypeMeta - in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) - in.Spec.DeepCopyInto(&out.Spec) - out.Status = in.Status - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClient. -func (in *OIDCClient) DeepCopy() *OIDCClient { - if in == nil { - return nil - } - out := new(OIDCClient) - in.DeepCopyInto(out) - return out -} - -// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. -func (in *OIDCClient) DeepCopyObject() runtime.Object { - if c := in.DeepCopy(); c != nil { - return c - } - return nil -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *OIDCClientList) DeepCopyInto(out *OIDCClientList) { - *out = *in - out.TypeMeta = in.TypeMeta - in.ListMeta.DeepCopyInto(&out.ListMeta) - if in.Items != nil { - in, out := &in.Items, &out.Items - *out = make([]OIDCClient, len(*in)) - for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) - } - } - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientList. -func (in *OIDCClientList) DeepCopy() *OIDCClientList { - if in == nil { - return nil - } - out := new(OIDCClientList) - in.DeepCopyInto(out) - return out -} - -// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. 
-func (in *OIDCClientList) DeepCopyObject() runtime.Object { - if c := in.DeepCopy(); c != nil { - return c - } - return nil -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *OIDCClientSpec) DeepCopyInto(out *OIDCClientSpec) { - *out = *in - if in.AllowedRedirectURIs != nil { - in, out := &in.AllowedRedirectURIs, &out.AllowedRedirectURIs - *out = make([]string, len(*in)) - copy(*out, *in) - } - if in.AllowedGrantTypes != nil { - in, out := &in.AllowedGrantTypes, &out.AllowedGrantTypes - *out = make([]GrantType, len(*in)) - copy(*out, *in) - } - if in.AllowedScopes != nil { - in, out := &in.AllowedScopes, &out.AllowedScopes - *out = make([]Scope, len(*in)) - copy(*out, *in) - } - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSpec. -func (in *OIDCClientSpec) DeepCopy() *OIDCClientSpec { - if in == nil { - return nil - } - out := new(OIDCClientSpec) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *OIDCClientStatus) DeepCopyInto(out *OIDCClientStatus) { - *out = *in - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientStatus. -func (in *OIDCClientStatus) DeepCopy() *OIDCClientStatus { - if in == nil { - return nil - } - out := new(OIDCClientStatus) - in.DeepCopyInto(out) - return out -} diff --git a/generated/1.17/apis/supervisor/virtual/oauth/doc.go b/generated/1.17/apis/supervisor/virtual/oauth/doc.go deleted file mode 100644 index ca4e9a63..00000000 --- a/generated/1.17/apis/supervisor/virtual/oauth/doc.go +++ /dev/null 
@@ -1,8 +0,0 @@
-// Copyright 2022 the Pinniped contributors. All Rights Reserved.
-// SPDX-License-Identifier: Apache-2.0
-
-// +k8s:deepcopy-gen=package
-// +groupName=oauth.virtual.supervisor.pinniped.dev
-
-// Package oauth is the internal version of the Pinniped virtual oauth API.
-package oauth
diff --git a/generated/1.17/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.conversion.go b/generated/1.17/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.conversion.go
deleted file mode 100644
index b4f28183..00000000
--- a/generated/1.17/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.conversion.go
+++ /dev/null
@@ -1,131 +0,0 @@ -//go:build !ignore_autogenerated -// +build !ignore_autogenerated - -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by conversion-gen. DO NOT EDIT. - -package v1alpha1 - -import ( - oauth "go.pinniped.dev/generated/1.17/apis/supervisor/virtual/oauth" - conversion "k8s.io/apimachinery/pkg/conversion" - runtime "k8s.io/apimachinery/pkg/runtime" -) - -func init() { - localSchemeBuilder.Register(RegisterConversions) -} - -// RegisterConversions adds conversion functions to the given scheme. -// Public to allow building arbitrary schemes. -func RegisterConversions(s *runtime.Scheme) error { - if err := s.AddGeneratedConversionFunc((*OIDCClientSecretRequest)(nil), (*oauth.OIDCClientSecretRequest)(nil), func(a, b interface{}, scope conversion.Scope) error { - return Convert_v1alpha1_OIDCClientSecretRequest_To_oauth_OIDCClientSecretRequest(a.(*OIDCClientSecretRequest), b.(*oauth.OIDCClientSecretRequest), scope) - }); err != nil { - return err - } - if err := s.AddGeneratedConversionFunc((*oauth.OIDCClientSecretRequest)(nil), (*OIDCClientSecretRequest)(nil), func(a, b interface{}, scope conversion.Scope) error { - return Convert_oauth_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest(a.(*oauth.OIDCClientSecretRequest), b.(*OIDCClientSecretRequest), scope) - }); err != nil { - return err - } - if err := s.AddGeneratedConversionFunc((*OIDCClientSecretRequestSpec)(nil), (*oauth.OIDCClientSecretRequestSpec)(nil), func(a, b interface{}, scope conversion.Scope) error { - return Convert_v1alpha1_OIDCClientSecretRequestSpec_To_oauth_OIDCClientSecretRequestSpec(a.(*OIDCClientSecretRequestSpec), b.(*oauth.OIDCClientSecretRequestSpec), scope) - }); err != nil { - return err - } - if err := s.AddGeneratedConversionFunc((*oauth.OIDCClientSecretRequestSpec)(nil), (*OIDCClientSecretRequestSpec)(nil), func(a, b interface{}, scope conversion.Scope) error { - return 
Convert_oauth_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec(a.(*oauth.OIDCClientSecretRequestSpec), b.(*OIDCClientSecretRequestSpec), scope) - }); err != nil { - return err - } - if err := s.AddGeneratedConversionFunc((*OIDCClientSecretRequestStatus)(nil), (*oauth.OIDCClientSecretRequestStatus)(nil), func(a, b interface{}, scope conversion.Scope) error { - return Convert_v1alpha1_OIDCClientSecretRequestStatus_To_oauth_OIDCClientSecretRequestStatus(a.(*OIDCClientSecretRequestStatus), b.(*oauth.OIDCClientSecretRequestStatus), scope) - }); err != nil { - return err - } - if err := s.AddGeneratedConversionFunc((*oauth.OIDCClientSecretRequestStatus)(nil), (*OIDCClientSecretRequestStatus)(nil), func(a, b interface{}, scope conversion.Scope) error { - return Convert_oauth_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus(a.(*oauth.OIDCClientSecretRequestStatus), b.(*OIDCClientSecretRequestStatus), scope) - }); err != nil { - return err - } - return nil -} - -func autoConvert_v1alpha1_OIDCClientSecretRequest_To_oauth_OIDCClientSecretRequest(in *OIDCClientSecretRequest, out *oauth.OIDCClientSecretRequest, s conversion.Scope) error { - out.ObjectMeta = in.ObjectMeta - if err := Convert_v1alpha1_OIDCClientSecretRequestSpec_To_oauth_OIDCClientSecretRequestSpec(&in.Spec, &out.Spec, s); err != nil { - return err - } - if err := Convert_v1alpha1_OIDCClientSecretRequestStatus_To_oauth_OIDCClientSecretRequestStatus(&in.Status, &out.Status, s); err != nil { - return err - } - return nil -} - -// Convert_v1alpha1_OIDCClientSecretRequest_To_oauth_OIDCClientSecretRequest is an autogenerated conversion function. 
-func Convert_v1alpha1_OIDCClientSecretRequest_To_oauth_OIDCClientSecretRequest(in *OIDCClientSecretRequest, out *oauth.OIDCClientSecretRequest, s conversion.Scope) error { - return autoConvert_v1alpha1_OIDCClientSecretRequest_To_oauth_OIDCClientSecretRequest(in, out, s) -} - -func autoConvert_oauth_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest(in *oauth.OIDCClientSecretRequest, out *OIDCClientSecretRequest, s conversion.Scope) error { - out.ObjectMeta = in.ObjectMeta - if err := Convert_oauth_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec(&in.Spec, &out.Spec, s); err != nil { - return err - } - if err := Convert_oauth_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus(&in.Status, &out.Status, s); err != nil { - return err - } - return nil -} - -// Convert_oauth_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest is an autogenerated conversion function. -func Convert_oauth_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest(in *oauth.OIDCClientSecretRequest, out *OIDCClientSecretRequest, s conversion.Scope) error { - return autoConvert_oauth_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest(in, out, s) -} - -func autoConvert_v1alpha1_OIDCClientSecretRequestSpec_To_oauth_OIDCClientSecretRequestSpec(in *OIDCClientSecretRequestSpec, out *oauth.OIDCClientSecretRequestSpec, s conversion.Scope) error { - out.GenerateNewSecret = in.GenerateNewSecret - out.RevokeOldSecrets = in.RevokeOldSecrets - return nil -} - -// Convert_v1alpha1_OIDCClientSecretRequestSpec_To_oauth_OIDCClientSecretRequestSpec is an autogenerated conversion function. 
-func Convert_v1alpha1_OIDCClientSecretRequestSpec_To_oauth_OIDCClientSecretRequestSpec(in *OIDCClientSecretRequestSpec, out *oauth.OIDCClientSecretRequestSpec, s conversion.Scope) error { - return autoConvert_v1alpha1_OIDCClientSecretRequestSpec_To_oauth_OIDCClientSecretRequestSpec(in, out, s) -} - -func autoConvert_oauth_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec(in *oauth.OIDCClientSecretRequestSpec, out *OIDCClientSecretRequestSpec, s conversion.Scope) error { - out.GenerateNewSecret = in.GenerateNewSecret - out.RevokeOldSecrets = in.RevokeOldSecrets - return nil -} - -// Convert_oauth_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec is an autogenerated conversion function. -func Convert_oauth_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec(in *oauth.OIDCClientSecretRequestSpec, out *OIDCClientSecretRequestSpec, s conversion.Scope) error { - return autoConvert_oauth_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec(in, out, s) -} - -func autoConvert_v1alpha1_OIDCClientSecretRequestStatus_To_oauth_OIDCClientSecretRequestStatus(in *OIDCClientSecretRequestStatus, out *oauth.OIDCClientSecretRequestStatus, s conversion.Scope) error { - out.GeneratedSecret = in.GeneratedSecret - out.TotalClientSecrets = in.TotalClientSecrets - return nil -} - -// Convert_v1alpha1_OIDCClientSecretRequestStatus_To_oauth_OIDCClientSecretRequestStatus is an autogenerated conversion function. 
-func Convert_v1alpha1_OIDCClientSecretRequestStatus_To_oauth_OIDCClientSecretRequestStatus(in *OIDCClientSecretRequestStatus, out *oauth.OIDCClientSecretRequestStatus, s conversion.Scope) error { - return autoConvert_v1alpha1_OIDCClientSecretRequestStatus_To_oauth_OIDCClientSecretRequestStatus(in, out, s) -} - -func autoConvert_oauth_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus(in *oauth.OIDCClientSecretRequestStatus, out *OIDCClientSecretRequestStatus, s conversion.Scope) error { - out.GeneratedSecret = in.GeneratedSecret - out.TotalClientSecrets = in.TotalClientSecrets - return nil -} - -// Convert_oauth_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus is an autogenerated conversion function. -func Convert_oauth_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus(in *oauth.OIDCClientSecretRequestStatus, out *OIDCClientSecretRequestStatus, s conversion.Scope) error { - return autoConvert_oauth_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus(in, out, s) -} diff --git a/generated/1.17/client/supervisor/clientset/versioned/clientset.go b/generated/1.17/client/supervisor/clientset/versioned/clientset.go index c51ef35e..bcd6f61e 100644 --- a/generated/1.17/client/supervisor/clientset/versioned/clientset.go +++ b/generated/1.17/client/supervisor/clientset/versioned/clientset.go @@ -8,9 +8,9 @@ package versioned import ( "fmt" + clientsecretv1alpha1 "go.pinniped.dev/generated/1.17/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1" configv1alpha1 "go.pinniped.dev/generated/1.17/client/supervisor/clientset/versioned/typed/config/v1alpha1" idpv1alpha1 "go.pinniped.dev/generated/1.17/client/supervisor/clientset/versioned/typed/idp/v1alpha1" - oauthv1alpha1 "go.pinniped.dev/generated/1.17/client/supervisor/clientset/versioned/typed/oauth/v1alpha1" discovery "k8s.io/client-go/discovery" rest "k8s.io/client-go/rest" flowcontrol "k8s.io/client-go/util/flowcontrol" 
@@ -18,18 +18,23 @@ import ( type Interface interface { Discovery() discovery.DiscoveryInterface + ClientsecretV1alpha1() clientsecretv1alpha1.ClientsecretV1alpha1Interface ConfigV1alpha1() configv1alpha1.ConfigV1alpha1Interface IDPV1alpha1() idpv1alpha1.IDPV1alpha1Interface - OauthV1alpha1() oauthv1alpha1.OauthV1alpha1Interface } // Clientset contains the clients for groups. Each group has exactly one // version included in a Clientset. type Clientset struct { *discovery.DiscoveryClient - configV1alpha1 *configv1alpha1.ConfigV1alpha1Client - iDPV1alpha1 *idpv1alpha1.IDPV1alpha1Client - oauthV1alpha1 *oauthv1alpha1.OauthV1alpha1Client + clientsecretV1alpha1 *clientsecretv1alpha1.ClientsecretV1alpha1Client + configV1alpha1 *configv1alpha1.ConfigV1alpha1Client + iDPV1alpha1 *idpv1alpha1.IDPV1alpha1Client +} + +// ClientsecretV1alpha1 retrieves the ClientsecretV1alpha1Client +func (c *Clientset) ClientsecretV1alpha1() clientsecretv1alpha1.ClientsecretV1alpha1Interface { + return c.clientsecretV1alpha1 } // ConfigV1alpha1 retrieves the ConfigV1alpha1Client @@ -42,11 +47,6 @@ func (c *Clientset) IDPV1alpha1() idpv1alpha1.IDPV1alpha1Interface { return c.iDPV1alpha1 } -// OauthV1alpha1 retrieves the OauthV1alpha1Client -func (c *Clientset) OauthV1alpha1() oauthv1alpha1.OauthV1alpha1Interface { - return c.oauthV1alpha1 -} - // Discovery retrieves the DiscoveryClient func (c *Clientset) Discovery() discovery.DiscoveryInterface { if c == nil { @@ -68,6 +68,10 @@ func NewForConfig(c *rest.Config) (*Clientset, error) { } var cs Clientset var err error + cs.clientsecretV1alpha1, err = clientsecretv1alpha1.NewForConfig(&configShallowCopy) + if err != nil { + return nil, err + } cs.configV1alpha1, err = configv1alpha1.NewForConfig(&configShallowCopy) if err != nil { return nil, err 
@@ -76,10 +80,6 @@ func NewForConfig(c *rest.Config) (*Clientset, error) { if err != nil { return nil, err } - cs.oauthV1alpha1, err = oauthv1alpha1.NewForConfig(&configShallowCopy) - if err != nil { - return nil, err - } cs.DiscoveryClient, err = discovery.NewDiscoveryClientForConfig(&configShallowCopy) if err != nil { @@ -92,9 +92,9 @@ func NewForConfig(c *rest.Config) (*Clientset, error) { // panics if there is an error in the config. func NewForConfigOrDie(c *rest.Config) *Clientset { var cs Clientset + cs.clientsecretV1alpha1 = clientsecretv1alpha1.NewForConfigOrDie(c) cs.configV1alpha1 = configv1alpha1.NewForConfigOrDie(c) cs.iDPV1alpha1 = idpv1alpha1.NewForConfigOrDie(c) - cs.oauthV1alpha1 = oauthv1alpha1.NewForConfigOrDie(c) cs.DiscoveryClient = discovery.NewDiscoveryClientForConfigOrDie(c) return &cs @@ -103,9 +103,9 @@ func NewForConfigOrDie(c *rest.Config) *Clientset { // New creates a new Clientset for the given RESTClient. func New(c rest.Interface) *Clientset { var cs Clientset + cs.clientsecretV1alpha1 = clientsecretv1alpha1.New(c) cs.configV1alpha1 = configv1alpha1.New(c) cs.iDPV1alpha1 = idpv1alpha1.New(c) - cs.oauthV1alpha1 = oauthv1alpha1.New(c) cs.DiscoveryClient = discovery.NewDiscoveryClient(c) return &cs diff --git a/generated/1.17/client/supervisor/clientset/versioned/fake/clientset_generated.go b/generated/1.17/client/supervisor/clientset/versioned/fake/clientset_generated.go index 7139764c..045c1e4c 100644 --- a/generated/1.17/client/supervisor/clientset/versioned/fake/clientset_generated.go +++ b/generated/1.17/client/supervisor/clientset/versioned/fake/clientset_generated.go 
@@ -7,12 +7,12 @@ package fake import ( clientset "go.pinniped.dev/generated/1.17/client/supervisor/clientset/versioned" + clientsecretv1alpha1 "go.pinniped.dev/generated/1.17/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1" + fakeclientsecretv1alpha1 "go.pinniped.dev/generated/1.17/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/fake" configv1alpha1 "go.pinniped.dev/generated/1.17/client/supervisor/clientset/versioned/typed/config/v1alpha1" fakeconfigv1alpha1 "go.pinniped.dev/generated/1.17/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake" idpv1alpha1 "go.pinniped.dev/generated/1.17/client/supervisor/clientset/versioned/typed/idp/v1alpha1" fakeidpv1alpha1 "go.pinniped.dev/generated/1.17/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake" - oauthv1alpha1 "go.pinniped.dev/generated/1.17/client/supervisor/clientset/versioned/typed/oauth/v1alpha1" - fakeoauthv1alpha1 "go.pinniped.dev/generated/1.17/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake" "k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/watch" "k8s.io/client-go/discovery" @@ -67,6 +67,11 @@ func (c *Clientset) Tracker() testing.ObjectTracker { var _ clientset.Interface = &Clientset{} +// ClientsecretV1alpha1 retrieves the ClientsecretV1alpha1Client +func (c *Clientset) ClientsecretV1alpha1() clientsecretv1alpha1.ClientsecretV1alpha1Interface { + return &fakeclientsecretv1alpha1.FakeClientsecretV1alpha1{Fake: &c.Fake} +} + // ConfigV1alpha1 retrieves the ConfigV1alpha1Client func (c *Clientset) ConfigV1alpha1() configv1alpha1.ConfigV1alpha1Interface { return &fakeconfigv1alpha1.FakeConfigV1alpha1{Fake: &c.Fake} 
@@ -76,8 +81,3 @@ func (c *Clientset) ConfigV1alpha1() configv1alpha1.ConfigV1alpha1Interface { func (c *Clientset) IDPV1alpha1() idpv1alpha1.IDPV1alpha1Interface { return &fakeidpv1alpha1.FakeIDPV1alpha1{Fake: &c.Fake} } - -// OauthV1alpha1 retrieves the OauthV1alpha1Client -func (c *Clientset) OauthV1alpha1() oauthv1alpha1.OauthV1alpha1Interface { - return &fakeoauthv1alpha1.FakeOauthV1alpha1{Fake: &c.Fake} -} diff --git a/generated/1.17/client/supervisor/clientset/versioned/fake/register.go b/generated/1.17/client/supervisor/clientset/versioned/fake/register.go index 980ce98f..fce7627c 100644 --- a/generated/1.17/client/supervisor/clientset/versioned/fake/register.go +++ b/generated/1.17/client/supervisor/clientset/versioned/fake/register.go @@ -6,9 +6,9 @@ package fake import ( + clientsecretv1alpha1 "go.pinniped.dev/generated/1.17/apis/supervisor/clientsecret/v1alpha1" configv1alpha1 "go.pinniped.dev/generated/1.17/apis/supervisor/config/v1alpha1" idpv1alpha1 "go.pinniped.dev/generated/1.17/apis/supervisor/idp/v1alpha1" - oauthv1alpha1 "go.pinniped.dev/generated/1.17/apis/supervisor/oauth/v1alpha1" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" runtime "k8s.io/apimachinery/pkg/runtime" schema "k8s.io/apimachinery/pkg/runtime/schema" @@ -20,9 +20,9 @@ var scheme = runtime.NewScheme() var codecs = serializer.NewCodecFactory(scheme) var parameterCodec = runtime.NewParameterCodec(scheme) var localSchemeBuilder = runtime.SchemeBuilder{ + clientsecretv1alpha1.AddToScheme, configv1alpha1.AddToScheme, idpv1alpha1.AddToScheme, - oauthv1alpha1.AddToScheme, } // AddToScheme adds all types of this clientset into the given scheme. This allows composition diff --git a/generated/1.17/client/supervisor/clientset/versioned/scheme/register.go b/generated/1.17/client/supervisor/clientset/versioned/scheme/register.go index 676b0aae..ceb48b35 100644 --- a/generated/1.17/client/supervisor/clientset/versioned/scheme/register.go 
+++ b/generated/1.17/client/supervisor/clientset/versioned/scheme/register.go @@ -6,9 +6,9 @@ package scheme import ( + clientsecretv1alpha1 "go.pinniped.dev/generated/1.17/apis/supervisor/clientsecret/v1alpha1" configv1alpha1 "go.pinniped.dev/generated/1.17/apis/supervisor/config/v1alpha1" idpv1alpha1 "go.pinniped.dev/generated/1.17/apis/supervisor/idp/v1alpha1" - oauthv1alpha1 "go.pinniped.dev/generated/1.17/apis/supervisor/oauth/v1alpha1" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" runtime "k8s.io/apimachinery/pkg/runtime" schema "k8s.io/apimachinery/pkg/runtime/schema" @@ -20,9 +20,9 @@ var Scheme = runtime.NewScheme() var Codecs = serializer.NewCodecFactory(Scheme) var ParameterCodec = runtime.NewParameterCodec(Scheme) var localSchemeBuilder = runtime.SchemeBuilder{ + clientsecretv1alpha1.AddToScheme, configv1alpha1.AddToScheme, idpv1alpha1.AddToScheme, - oauthv1alpha1.AddToScheme, } // AddToScheme adds all types of this clientset into the given scheme. This allows composition diff --git a/generated/1.17/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go b/generated/1.17/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/clientsecret_client.go similarity index 51% rename from generated/1.17/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go rename to generated/1.17/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/clientsecret_client.go index b3a80cae..30ba79b9 100644 --- a/generated/1.17/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go +++ b/generated/1.17/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/clientsecret_client.go 
@@ -6,27 +6,27 @@ package v1alpha1 import ( - v1alpha1 "go.pinniped.dev/generated/1.17/apis/supervisor/virtual/oauth/v1alpha1" - "go.pinniped.dev/generated/1.17/client/supervisor/virtual/clientset/versioned/scheme" + v1alpha1 "go.pinniped.dev/generated/1.17/apis/supervisor/clientsecret/v1alpha1" + "go.pinniped.dev/generated/1.17/client/supervisor/clientset/versioned/scheme" rest "k8s.io/client-go/rest" ) -type OauthV1alpha1Interface interface { +type ClientsecretV1alpha1Interface interface { RESTClient() rest.Interface OIDCClientSecretRequestsGetter } -// OauthV1alpha1Client is used to interact with features provided by the oauth.virtual.supervisor.pinniped.dev group. -type OauthV1alpha1Client struct { +// ClientsecretV1alpha1Client is used to interact with features provided by the clientsecret.supervisor.pinniped.dev group. +type ClientsecretV1alpha1Client struct { restClient rest.Interface } -func (c *OauthV1alpha1Client) OIDCClientSecretRequests(namespace string) OIDCClientSecretRequestInterface { +func (c *ClientsecretV1alpha1Client) OIDCClientSecretRequests(namespace string) OIDCClientSecretRequestInterface { return newOIDCClientSecretRequests(c, namespace) } -// NewForConfig creates a new OauthV1alpha1Client for the given config. -func NewForConfig(c *rest.Config) (*OauthV1alpha1Client, error) { +// NewForConfig creates a new ClientsecretV1alpha1Client for the given config. +func NewForConfig(c *rest.Config) (*ClientsecretV1alpha1Client, error) { config := *c if err := setConfigDefaults(&config); err != nil { return nil, err 
@@ -35,12 +35,12 @@ func NewForConfig(c *rest.Config) (*OauthV1alpha1Client, error) { if err != nil { return nil, err } - return &OauthV1alpha1Client{client}, nil + return &ClientsecretV1alpha1Client{client}, nil } -// NewForConfigOrDie creates a new OauthV1alpha1Client for the given config and +// NewForConfigOrDie creates a new ClientsecretV1alpha1Client for the given config and // panics if there is an error in the config. -func NewForConfigOrDie(c *rest.Config) *OauthV1alpha1Client { +func NewForConfigOrDie(c *rest.Config) *ClientsecretV1alpha1Client { client, err := NewForConfig(c) if err != nil { panic(err) @@ -48,9 +48,9 @@ func NewForConfigOrDie(c *rest.Config) *OauthV1alpha1Client { return client } -// New creates a new OauthV1alpha1Client for the given RESTClient. -func New(c rest.Interface) *OauthV1alpha1Client { - return &OauthV1alpha1Client{c} +// New creates a new ClientsecretV1alpha1Client for the given RESTClient. +func New(c rest.Interface) *ClientsecretV1alpha1Client { + return &ClientsecretV1alpha1Client{c} } func setConfigDefaults(config *rest.Config) error { @@ -68,7 +68,7 @@ func setConfigDefaults(config *rest.Config) error { // RESTClient returns a RESTClient that is used to communicate // with API server by this client implementation. -func (c *OauthV1alpha1Client) RESTClient() rest.Interface { +func (c *ClientsecretV1alpha1Client) RESTClient() rest.Interface { if c == nil { return nil } diff --git a/generated/1.17/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/doc.go b/generated/1.17/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/doc.go similarity index 100% rename from generated/1.17/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/doc.go rename to generated/1.17/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/doc.go 
diff --git a/generated/1.17/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go b/generated/1.17/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/fake/doc.go similarity index 100% rename from generated/1.17/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go rename to generated/1.17/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/fake/doc.go diff --git a/generated/1.17/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go b/generated/1.17/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/fake/fake_clientsecret_client.go similarity index 60% rename from generated/1.17/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go rename to generated/1.17/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/fake/fake_clientsecret_client.go index 1625045c..1d464f9d 100644 --- a/generated/1.17/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go +++ b/generated/1.17/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/fake/fake_clientsecret_client.go 
@@ -6,22 +6,22 @@ package fake import ( - v1alpha1 "go.pinniped.dev/generated/1.17/client/supervisor/clientset/versioned/typed/oauth/v1alpha1" + v1alpha1 "go.pinniped.dev/generated/1.17/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1" rest "k8s.io/client-go/rest" testing "k8s.io/client-go/testing" ) -type FakeOauthV1alpha1 struct { +type FakeClientsecretV1alpha1 struct { *testing.Fake } -func (c *FakeOauthV1alpha1) OIDCClients(namespace string) v1alpha1.OIDCClientInterface { - return &FakeOIDCClients{c, namespace} +func (c *FakeClientsecretV1alpha1) OIDCClientSecretRequests(namespace string) v1alpha1.OIDCClientSecretRequestInterface { + return &FakeOIDCClientSecretRequests{c, namespace} } // RESTClient returns a RESTClient that is used to communicate // with API server by this client implementation. -func (c *FakeOauthV1alpha1) RESTClient() rest.Interface { +func (c *FakeClientsecretV1alpha1) RESTClient() rest.Interface { var ret *rest.RESTClient return ret } diff --git a/generated/1.17/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oidcclientsecretrequest.go b/generated/1.17/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/fake/fake_oidcclientsecretrequest.go similarity index 77% rename from generated/1.17/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oidcclientsecretrequest.go rename to generated/1.17/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/fake/fake_oidcclientsecretrequest.go index f2450f9b..2538b264 100644 --- a/generated/1.17/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oidcclientsecretrequest.go +++ b/generated/1.17/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/fake/fake_oidcclientsecretrequest.go 
@@ -6,20 +6,20 @@ package fake import ( - v1alpha1 "go.pinniped.dev/generated/1.17/apis/supervisor/virtual/oauth/v1alpha1" + v1alpha1 "go.pinniped.dev/generated/1.17/apis/supervisor/clientsecret/v1alpha1" schema "k8s.io/apimachinery/pkg/runtime/schema" testing "k8s.io/client-go/testing" ) // FakeOIDCClientSecretRequests implements OIDCClientSecretRequestInterface type FakeOIDCClientSecretRequests struct { - Fake *FakeOauthV1alpha1 + Fake *FakeClientsecretV1alpha1 ns string } -var oidcclientsecretrequestsResource = schema.GroupVersionResource{Group: "oauth.virtual.supervisor.pinniped.dev", Version: "v1alpha1", Resource: "oidcclientsecretrequests"} +var oidcclientsecretrequestsResource = schema.GroupVersionResource{Group: "clientsecret.supervisor.pinniped.dev", Version: "v1alpha1", Resource: "oidcclientsecretrequests"} -var oidcclientsecretrequestsKind = schema.GroupVersionKind{Group: "oauth.virtual.supervisor.pinniped.dev", Version: "v1alpha1", Kind: "OIDCClientSecretRequest"} +var oidcclientsecretrequestsKind = schema.GroupVersionKind{Group: "clientsecret.supervisor.pinniped.dev", Version: "v1alpha1", Kind: "OIDCClientSecretRequest"} // Create takes the representation of a oIDCClientSecretRequest and creates it. Returns the server's representation of the oIDCClientSecretRequest, and an error, if there is any. func (c *FakeOIDCClientSecretRequests) Create(oIDCClientSecretRequest *v1alpha1.OIDCClientSecretRequest) (result *v1alpha1.OIDCClientSecretRequest, err error) { diff --git a/generated/1.17/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go b/generated/1.17/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/generated_expansion.go similarity index 100% rename from generated/1.17/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go rename to generated/1.17/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/generated_expansion.go 
diff --git a/generated/1.17/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/oidcclientsecretrequest.go b/generated/1.17/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/oidcclientsecretrequest.go similarity index 89% rename from generated/1.17/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/oidcclientsecretrequest.go rename to generated/1.17/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/oidcclientsecretrequest.go index 97031447..431919f9 100644 --- a/generated/1.17/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/oidcclientsecretrequest.go +++ b/generated/1.17/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/oidcclientsecretrequest.go @@ -6,7 +6,7 @@ package v1alpha1 import ( - v1alpha1 "go.pinniped.dev/generated/1.17/apis/supervisor/virtual/oauth/v1alpha1" + v1alpha1 "go.pinniped.dev/generated/1.17/apis/supervisor/clientsecret/v1alpha1" rest "k8s.io/client-go/rest" ) @@ -29,7 +29,7 @@ type oIDCClientSecretRequests struct { } // newOIDCClientSecretRequests returns a OIDCClientSecretRequests -func newOIDCClientSecretRequests(c *OauthV1alpha1Client, namespace string) *oIDCClientSecretRequests { +func newOIDCClientSecretRequests(c *ClientsecretV1alpha1Client, namespace string) *oIDCClientSecretRequests { return &oIDCClientSecretRequests{ client: c.RESTClient(), ns: namespace, diff --git a/generated/1.17/client/supervisor/clientset/versioned/typed/config/v1alpha1/config_client.go b/generated/1.17/client/supervisor/clientset/versioned/typed/config/v1alpha1/config_client.go index f5c35bf5..49fcccef 100644 --- a/generated/1.17/client/supervisor/clientset/versioned/typed/config/v1alpha1/config_client.go +++ b/generated/1.17/client/supervisor/clientset/versioned/typed/config/v1alpha1/config_client.go 
@@ -14,6 +14,7 @@ import ( type ConfigV1alpha1Interface interface { RESTClient() rest.Interface FederationDomainsGetter + OIDCClientsGetter } // ConfigV1alpha1Client is used to interact with features provided by the config.supervisor.pinniped.dev group. @@ -25,6 +26,10 @@ func (c *ConfigV1alpha1Client) FederationDomains(namespace string) FederationDom return newFederationDomains(c, namespace) } +func (c *ConfigV1alpha1Client) OIDCClients(namespace string) OIDCClientInterface { + return newOIDCClients(c, namespace) +} + // NewForConfig creates a new ConfigV1alpha1Client for the given config. func NewForConfig(c *rest.Config) (*ConfigV1alpha1Client, error) { config := *c diff --git a/generated/1.17/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake/fake_config_client.go b/generated/1.17/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake/fake_config_client.go index 406fcd8c..2a586f92 100644 --- a/generated/1.17/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake/fake_config_client.go +++ b/generated/1.17/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake/fake_config_client.go @@ -19,6 +19,10 @@ func (c *FakeConfigV1alpha1) FederationDomains(namespace string) v1alpha1.Federa return &FakeFederationDomains{c, namespace} } +func (c *FakeConfigV1alpha1) OIDCClients(namespace string) v1alpha1.OIDCClientInterface { + return &FakeOIDCClients{c, namespace} +} + // RESTClient returns a RESTClient that is used to communicate // with API server by this client implementation. func (c *FakeConfigV1alpha1) RESTClient() rest.Interface { 
diff --git a/generated/1.17/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oidcclient.go b/generated/1.17/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake/fake_oidcclient.go similarity index 92% rename from generated/1.17/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oidcclient.go rename to generated/1.17/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake/fake_oidcclient.go index 69c8555d..8acb613c 100644 --- a/generated/1.17/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oidcclient.go +++ b/generated/1.17/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake/fake_oidcclient.go @@ -6,7 +6,7 @@ package fake import ( - v1alpha1 "go.pinniped.dev/generated/1.17/apis/supervisor/oauth/v1alpha1" + v1alpha1 "go.pinniped.dev/generated/1.17/apis/supervisor/config/v1alpha1" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" labels "k8s.io/apimachinery/pkg/labels" schema "k8s.io/apimachinery/pkg/runtime/schema" @@ -17,13 +17,13 @@ import ( // FakeOIDCClients implements OIDCClientInterface type FakeOIDCClients struct { - Fake *FakeOauthV1alpha1 + Fake *FakeConfigV1alpha1 ns string } -var oidcclientsResource = schema.GroupVersionResource{Group: "oauth.supervisor.pinniped.dev", Version: "v1alpha1", Resource: "oidcclients"} +var oidcclientsResource = schema.GroupVersionResource{Group: "config.supervisor.pinniped.dev", Version: "v1alpha1", Resource: "oidcclients"} -var oidcclientsKind = schema.GroupVersionKind{Group: "oauth.supervisor.pinniped.dev", Version: "v1alpha1", Kind: "OIDCClient"} +var oidcclientsKind = schema.GroupVersionKind{Group: "config.supervisor.pinniped.dev", Version: "v1alpha1", Kind: "OIDCClient"} // Get takes name of the oIDCClient, and returns the corresponding oIDCClient object, and an error if there is any. func (c *FakeOIDCClients) Get(name string, options v1.GetOptions) (result *v1alpha1.OIDCClient, err error) { 
diff --git a/generated/1.17/client/supervisor/clientset/versioned/typed/config/v1alpha1/generated_expansion.go b/generated/1.17/client/supervisor/clientset/versioned/typed/config/v1alpha1/generated_expansion.go index ba9c9173..35b9ee3d 100644 --- a/generated/1.17/client/supervisor/clientset/versioned/typed/config/v1alpha1/generated_expansion.go +++ b/generated/1.17/client/supervisor/clientset/versioned/typed/config/v1alpha1/generated_expansion.go @@ -6,3 +6,5 @@ package v1alpha1 type FederationDomainExpansion interface{} + +type OIDCClientExpansion interface{} diff --git a/generated/1.17/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oidcclient.go b/generated/1.17/client/supervisor/clientset/versioned/typed/config/v1alpha1/oidcclient.go similarity index 97% rename from generated/1.17/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oidcclient.go rename to generated/1.17/client/supervisor/clientset/versioned/typed/config/v1alpha1/oidcclient.go index 322bcb9d..95c4ebfb 100644 --- a/generated/1.17/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oidcclient.go +++ b/generated/1.17/client/supervisor/clientset/versioned/typed/config/v1alpha1/oidcclient.go @@ -8,7 +8,7 @@ package v1alpha1 import ( "time" - v1alpha1 "go.pinniped.dev/generated/1.17/apis/supervisor/oauth/v1alpha1" + v1alpha1 "go.pinniped.dev/generated/1.17/apis/supervisor/config/v1alpha1" scheme "go.pinniped.dev/generated/1.17/client/supervisor/clientset/versioned/scheme" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" types "k8s.io/apimachinery/pkg/types" @@ -43,7 +43,7 @@ type oIDCClients struct { } // newOIDCClients returns a OIDCClients -func newOIDCClients(c *OauthV1alpha1Client, namespace string) *oIDCClients { +func newOIDCClients(c *ConfigV1alpha1Client, namespace string) *oIDCClients { return &oIDCClients{ client: c.RESTClient(), ns: namespace, 
diff --git a/generated/1.17/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go b/generated/1.17/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go deleted file mode 100644 index 87d22ea9..00000000 --- a/generated/1.17/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go +++ /dev/null @@ -1,8 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by client-gen. DO NOT EDIT. - -package v1alpha1 - -type OIDCClientExpansion interface{} diff --git a/generated/1.17/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go b/generated/1.17/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go deleted file mode 100644 index 32dae26a..00000000 --- a/generated/1.17/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go +++ /dev/null 
@@ -1,76 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by client-gen. DO NOT EDIT. - -package v1alpha1 - -import ( - v1alpha1 "go.pinniped.dev/generated/1.17/apis/supervisor/oauth/v1alpha1" - "go.pinniped.dev/generated/1.17/client/supervisor/clientset/versioned/scheme" - rest "k8s.io/client-go/rest" -) - -type OauthV1alpha1Interface interface { - RESTClient() rest.Interface - OIDCClientsGetter -} - -// OauthV1alpha1Client is used to interact with features provided by the oauth.supervisor.pinniped.dev group. -type OauthV1alpha1Client struct { - restClient rest.Interface -} - -func (c *OauthV1alpha1Client) OIDCClients(namespace string) OIDCClientInterface { - return newOIDCClients(c, namespace) -} - -// NewForConfig creates a new OauthV1alpha1Client for the given config. -func NewForConfig(c *rest.Config) (*OauthV1alpha1Client, error) { - config := *c - if err := setConfigDefaults(&config); err != nil { - return nil, err - } - client, err := rest.RESTClientFor(&config) - if err != nil { - return nil, err - } - return &OauthV1alpha1Client{client}, nil -} - -// NewForConfigOrDie creates a new OauthV1alpha1Client for the given config and -// panics if there is an error in the config. -func NewForConfigOrDie(c *rest.Config) *OauthV1alpha1Client { - client, err := NewForConfig(c) - if err != nil { - panic(err) - } - return client -} - -// New creates a new OauthV1alpha1Client for the given RESTClient. 
-func New(c rest.Interface) *OauthV1alpha1Client { - return &OauthV1alpha1Client{c} -} - -func setConfigDefaults(config *rest.Config) error { - gv := v1alpha1.SchemeGroupVersion - config.GroupVersion = &gv - config.APIPath = "/apis" - config.NegotiatedSerializer = scheme.Codecs.WithoutConversion() - - if config.UserAgent == "" { - config.UserAgent = rest.DefaultKubernetesUserAgent() - } - - return nil -} - -// RESTClient returns a RESTClient that is used to communicate -// with API server by this client implementation. -func (c *OauthV1alpha1Client) RESTClient() rest.Interface { - if c == nil { - return nil - } - return c.restClient -} diff --git a/generated/1.17/client/supervisor/informers/externalversions/config/v1alpha1/interface.go b/generated/1.17/client/supervisor/informers/externalversions/config/v1alpha1/interface.go index ae8561df..33ffbf70 100644 --- a/generated/1.17/client/supervisor/informers/externalversions/config/v1alpha1/interface.go +++ b/generated/1.17/client/supervisor/informers/externalversions/config/v1alpha1/interface.go @@ -13,6 +13,8 @@ import ( type Interface interface { // FederationDomains returns a FederationDomainInformer. FederationDomains() FederationDomainInformer + // OIDCClients returns a OIDCClientInformer. + OIDCClients() OIDCClientInformer } type version struct { @@ -30,3 +32,8 @@ func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakList func (v *version) FederationDomains() FederationDomainInformer { return &federationDomainInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions} } + +// OIDCClients returns a OIDCClientInformer. +func (v *version) OIDCClients() OIDCClientInformer { + return &oIDCClientInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions} +} 
diff --git a/generated/1.17/client/supervisor/informers/externalversions/oauth/v1alpha1/oidcclient.go b/generated/1.17/client/supervisor/informers/externalversions/config/v1alpha1/oidcclient.go similarity index 89% rename from generated/1.17/client/supervisor/informers/externalversions/oauth/v1alpha1/oidcclient.go rename to generated/1.17/client/supervisor/informers/externalversions/config/v1alpha1/oidcclient.go index 1996f202..c6e9344f 100644 --- a/generated/1.17/client/supervisor/informers/externalversions/oauth/v1alpha1/oidcclient.go +++ b/generated/1.17/client/supervisor/informers/externalversions/config/v1alpha1/oidcclient.go @@ -8,10 +8,10 @@ package v1alpha1 import ( time "time" - oauthv1alpha1 "go.pinniped.dev/generated/1.17/apis/supervisor/oauth/v1alpha1" + configv1alpha1 "go.pinniped.dev/generated/1.17/apis/supervisor/config/v1alpha1" versioned "go.pinniped.dev/generated/1.17/client/supervisor/clientset/versioned" internalinterfaces "go.pinniped.dev/generated/1.17/client/supervisor/informers/externalversions/internalinterfaces" - v1alpha1 "go.pinniped.dev/generated/1.17/client/supervisor/listers/oauth/v1alpha1" + v1alpha1 "go.pinniped.dev/generated/1.17/client/supervisor/listers/config/v1alpha1" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" runtime "k8s.io/apimachinery/pkg/runtime" watch "k8s.io/apimachinery/pkg/watch" 
@@ -48,16 +48,16 @@ func NewFilteredOIDCClientInformer(client versioned.Interface, namespace string, if tweakListOptions != nil { tweakListOptions(&options) } - return client.OauthV1alpha1().OIDCClients(namespace).List(options) + return client.ConfigV1alpha1().OIDCClients(namespace).List(options) }, WatchFunc: func(options v1.ListOptions) (watch.Interface, error) { if tweakListOptions != nil { tweakListOptions(&options) } - return client.OauthV1alpha1().OIDCClients(namespace).Watch(options) + return client.ConfigV1alpha1().OIDCClients(namespace).Watch(options) }, }, - &oauthv1alpha1.OIDCClient{}, + &configv1alpha1.OIDCClient{}, resyncPeriod, indexers, ) @@ -68,7 +68,7 @@ func (f *oIDCClientInformer) defaultInformer(client versioned.Interface, resyncP } func (f *oIDCClientInformer) Informer() cache.SharedIndexInformer { - return f.factory.InformerFor(&oauthv1alpha1.OIDCClient{}, f.defaultInformer) + return f.factory.InformerFor(&configv1alpha1.OIDCClient{}, f.defaultInformer) } func (f *oIDCClientInformer) Lister() v1alpha1.OIDCClientLister { diff --git a/generated/1.17/client/supervisor/informers/externalversions/factory.go b/generated/1.17/client/supervisor/informers/externalversions/factory.go index ac94e186..10a7bf92 100644 --- a/generated/1.17/client/supervisor/informers/externalversions/factory.go +++ b/generated/1.17/client/supervisor/informers/externalversions/factory.go @@ -14,7 +14,6 @@ import ( config "go.pinniped.dev/generated/1.17/client/supervisor/informers/externalversions/config" idp "go.pinniped.dev/generated/1.17/client/supervisor/informers/externalversions/idp" internalinterfaces "go.pinniped.dev/generated/1.17/client/supervisor/informers/externalversions/internalinterfaces" - oauth "go.pinniped.dev/generated/1.17/client/supervisor/informers/externalversions/oauth" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" runtime "k8s.io/apimachinery/pkg/runtime" schema "k8s.io/apimachinery/pkg/runtime/schema" 
@@ -163,7 +162,6 @@ type SharedInformerFactory interface { Config() config.Interface IDP() idp.Interface - Oauth() oauth.Interface } func (f *sharedInformerFactory) Config() config.Interface { @@ -173,7 +171,3 @@ func (f *sharedInformerFactory) Config() config.Interface { func (f *sharedInformerFactory) IDP() idp.Interface { return idp.New(f, f.namespace, f.tweakListOptions) } - -func (f *sharedInformerFactory) Oauth() oauth.Interface { - return oauth.New(f, f.namespace, f.tweakListOptions) -} diff --git a/generated/1.17/client/supervisor/informers/externalversions/generic.go b/generated/1.17/client/supervisor/informers/externalversions/generic.go index 4f5c74e4..befa67ca 100644 --- a/generated/1.17/client/supervisor/informers/externalversions/generic.go +++ b/generated/1.17/client/supervisor/informers/externalversions/generic.go @@ -10,7 +10,6 @@ import ( v1alpha1 "go.pinniped.dev/generated/1.17/apis/supervisor/config/v1alpha1" idpv1alpha1 "go.pinniped.dev/generated/1.17/apis/supervisor/idp/v1alpha1" - oauthv1alpha1 "go.pinniped.dev/generated/1.17/apis/supervisor/oauth/v1alpha1" schema "k8s.io/apimachinery/pkg/runtime/schema" cache "k8s.io/client-go/tools/cache" ) @@ -44,6 +43,8 @@ func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource // Group=config.supervisor.pinniped.dev, Version=v1alpha1 case v1alpha1.SchemeGroupVersion.WithResource("federationdomains"): return &genericInformer{resource: resource.GroupResource(), informer: f.Config().V1alpha1().FederationDomains().Informer()}, nil + case v1alpha1.SchemeGroupVersion.WithResource("oidcclients"): + return &genericInformer{resource: resource.GroupResource(), informer: f.Config().V1alpha1().OIDCClients().Informer()}, nil // Group=idp.supervisor.pinniped.dev, Version=v1alpha1 case idpv1alpha1.SchemeGroupVersion.WithResource("activedirectoryidentityproviders"): 
@@ -53,10 +54,6 @@ func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource case idpv1alpha1.SchemeGroupVersion.WithResource("oidcidentityproviders"): return &genericInformer{resource: resource.GroupResource(), informer: f.IDP().V1alpha1().OIDCIdentityProviders().Informer()}, nil - // Group=oauth.supervisor.pinniped.dev, Version=v1alpha1 - case oauthv1alpha1.SchemeGroupVersion.WithResource("oidcclients"): - return &genericInformer{resource: resource.GroupResource(), informer: f.Oauth().V1alpha1().OIDCClients().Informer()}, nil - } return nil, fmt.Errorf("no informer found for %v", resource) diff --git a/generated/1.17/client/supervisor/informers/externalversions/oauth/interface.go b/generated/1.17/client/supervisor/informers/externalversions/oauth/interface.go deleted file mode 100644 index 06b9370b..00000000 --- a/generated/1.17/client/supervisor/informers/externalversions/oauth/interface.go +++ /dev/null 
@@ -1,33 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by informer-gen. DO NOT EDIT. - -package oauth - -import ( - internalinterfaces "go.pinniped.dev/generated/1.17/client/supervisor/informers/externalversions/internalinterfaces" - v1alpha1 "go.pinniped.dev/generated/1.17/client/supervisor/informers/externalversions/oauth/v1alpha1" -) - -// Interface provides access to each of this group's versions. -type Interface interface { - // V1alpha1 provides access to shared informers for resources in V1alpha1. - V1alpha1() v1alpha1.Interface -} - -type group struct { - factory internalinterfaces.SharedInformerFactory - namespace string - tweakListOptions internalinterfaces.TweakListOptionsFunc -} - -// New returns a new Interface. -func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakListOptions internalinterfaces.TweakListOptionsFunc) Interface { - return &group{factory: f, namespace: namespace, tweakListOptions: tweakListOptions} -} - -// V1alpha1 returns a new v1alpha1.Interface. -func (g *group) V1alpha1() v1alpha1.Interface { - return v1alpha1.New(g.factory, g.namespace, g.tweakListOptions) -} diff --git a/generated/1.17/client/supervisor/informers/externalversions/oauth/v1alpha1/interface.go b/generated/1.17/client/supervisor/informers/externalversions/oauth/v1alpha1/interface.go deleted file mode 100644 index 46d19a40..00000000 --- a/generated/1.17/client/supervisor/informers/externalversions/oauth/v1alpha1/interface.go +++ /dev/null 
@@ -1,32 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by informer-gen. DO NOT EDIT. - -package v1alpha1 - -import ( - internalinterfaces "go.pinniped.dev/generated/1.17/client/supervisor/informers/externalversions/internalinterfaces" -) - -// Interface provides access to all the informers in this group version. -type Interface interface { - // OIDCClients returns a OIDCClientInformer. - OIDCClients() OIDCClientInformer -} - -type version struct { - factory internalinterfaces.SharedInformerFactory - namespace string - tweakListOptions internalinterfaces.TweakListOptionsFunc -} - -// New returns a new Interface. -func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakListOptions internalinterfaces.TweakListOptionsFunc) Interface { - return &version{factory: f, namespace: namespace, tweakListOptions: tweakListOptions} -} - -// OIDCClients returns a OIDCClientInformer. -func (v *version) OIDCClients() OIDCClientInformer { - return &oIDCClientInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions} -} diff --git a/generated/1.17/client/supervisor/listers/config/v1alpha1/expansion_generated.go b/generated/1.17/client/supervisor/listers/config/v1alpha1/expansion_generated.go index d59892c4..bda2f20e 100644 --- a/generated/1.17/client/supervisor/listers/config/v1alpha1/expansion_generated.go +++ b/generated/1.17/client/supervisor/listers/config/v1alpha1/expansion_generated.go 
@@ -12,3 +12,11 @@ type FederationDomainListerExpansion interface{} // FederationDomainNamespaceListerExpansion allows custom methods to be added to // FederationDomainNamespaceLister. type FederationDomainNamespaceListerExpansion interface{} + +// OIDCClientListerExpansion allows custom methods to be added to +// OIDCClientLister. +type OIDCClientListerExpansion interface{} + +// OIDCClientNamespaceListerExpansion allows custom methods to be added to +// OIDCClientNamespaceLister. +type OIDCClientNamespaceListerExpansion interface{} diff --git a/generated/1.18/client/supervisor/listers/oauth/v1alpha1/oidcclient.go b/generated/1.17/client/supervisor/listers/config/v1alpha1/oidcclient.go similarity index 97% rename from generated/1.18/client/supervisor/listers/oauth/v1alpha1/oidcclient.go rename to generated/1.17/client/supervisor/listers/config/v1alpha1/oidcclient.go index 77d38f1e..08c2ab25 100644 --- a/generated/1.18/client/supervisor/listers/oauth/v1alpha1/oidcclient.go +++ b/generated/1.17/client/supervisor/listers/config/v1alpha1/oidcclient.go @@ -6,7 +6,7 @@ package v1alpha1 import ( - v1alpha1 "go.pinniped.dev/generated/1.18/apis/supervisor/oauth/v1alpha1" + v1alpha1 "go.pinniped.dev/generated/1.17/apis/supervisor/config/v1alpha1" "k8s.io/apimachinery/pkg/api/errors" "k8s.io/apimachinery/pkg/labels" "k8s.io/client-go/tools/cache" diff --git a/generated/1.17/client/supervisor/listers/oauth/v1alpha1/expansion_generated.go b/generated/1.17/client/supervisor/listers/oauth/v1alpha1/expansion_generated.go deleted file mode 100644 index c19310da..00000000 --- a/generated/1.17/client/supervisor/listers/oauth/v1alpha1/expansion_generated.go +++ /dev/null 
@@ -1,14 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by lister-gen. DO NOT EDIT. - -package v1alpha1 - -// OIDCClientListerExpansion allows custom methods to be added to -// OIDCClientLister. -type OIDCClientListerExpansion interface{} - -// OIDCClientNamespaceListerExpansion allows custom methods to be added to -// OIDCClientNamespaceLister. -type OIDCClientNamespaceListerExpansion interface{} diff --git a/generated/1.17/client/supervisor/virtual/clientset/versioned/clientset.go b/generated/1.17/client/supervisor/virtual/clientset/versioned/clientset.go deleted file mode 100644 index 61281edb..00000000 --- a/generated/1.17/client/supervisor/virtual/clientset/versioned/clientset.go +++ /dev/null 
@@ -1,84 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by client-gen. DO NOT EDIT. - -package versioned - -import ( - "fmt" - - oauthv1alpha1 "go.pinniped.dev/generated/1.17/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1" - discovery "k8s.io/client-go/discovery" - rest "k8s.io/client-go/rest" - flowcontrol "k8s.io/client-go/util/flowcontrol" -) - -type Interface interface { - Discovery() discovery.DiscoveryInterface - OauthV1alpha1() oauthv1alpha1.OauthV1alpha1Interface -} - -// Clientset contains the clients for groups. Each group has exactly one -// version included in a Clientset. -type Clientset struct { - *discovery.DiscoveryClient - oauthV1alpha1 *oauthv1alpha1.OauthV1alpha1Client -} - -// OauthV1alpha1 retrieves the OauthV1alpha1Client -func (c *Clientset) OauthV1alpha1() oauthv1alpha1.OauthV1alpha1Interface { - return c.oauthV1alpha1 -} - -// Discovery retrieves the DiscoveryClient -func (c *Clientset) Discovery() discovery.DiscoveryInterface { - if c == nil { - return nil - } - return c.DiscoveryClient -} - -// NewForConfig creates a new Clientset for the given config. -// If config's RateLimiter is not set and QPS and Burst are acceptable, -// NewForConfig will generate a rate-limiter in configShallowCopy. 
-func NewForConfig(c *rest.Config) (*Clientset, error) { - configShallowCopy := *c - if configShallowCopy.RateLimiter == nil && configShallowCopy.QPS > 0 { - if configShallowCopy.Burst <= 0 { - return nil, fmt.Errorf("Burst is required to be greater than 0 when RateLimiter is not set and QPS is set to greater than 0") - } - configShallowCopy.RateLimiter = flowcontrol.NewTokenBucketRateLimiter(configShallowCopy.QPS, configShallowCopy.Burst) - } - var cs Clientset - var err error - cs.oauthV1alpha1, err = oauthv1alpha1.NewForConfig(&configShallowCopy) - if err != nil { - return nil, err - } - - cs.DiscoveryClient, err = discovery.NewDiscoveryClientForConfig(&configShallowCopy) - if err != nil { - return nil, err - } - return &cs, nil -} - -// NewForConfigOrDie creates a new Clientset for the given config and -// panics if there is an error in the config. -func NewForConfigOrDie(c *rest.Config) *Clientset { - var cs Clientset - cs.oauthV1alpha1 = oauthv1alpha1.NewForConfigOrDie(c) - - cs.DiscoveryClient = discovery.NewDiscoveryClientForConfigOrDie(c) - return &cs -} - -// New creates a new Clientset for the given RESTClient. -func New(c rest.Interface) *Clientset { - var cs Clientset - cs.oauthV1alpha1 = oauthv1alpha1.New(c) - - cs.DiscoveryClient = discovery.NewDiscoveryClient(c) - return &cs -} diff --git a/generated/1.17/client/supervisor/virtual/clientset/versioned/doc.go b/generated/1.17/client/supervisor/virtual/clientset/versioned/doc.go deleted file mode 100644 index 5dc02e6e..00000000 --- a/generated/1.17/client/supervisor/virtual/clientset/versioned/doc.go +++ /dev/null @@ -1,7 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by client-gen. DO NOT EDIT. - -// This package has the automatically generated clientset. -package versioned 
diff --git a/generated/1.17/client/supervisor/virtual/clientset/versioned/fake/clientset_generated.go b/generated/1.17/client/supervisor/virtual/clientset/versioned/fake/clientset_generated.go deleted file mode 100644 index 40b8c342..00000000 --- a/generated/1.17/client/supervisor/virtual/clientset/versioned/fake/clientset_generated.go +++ /dev/null 
@@ -1,69 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by client-gen. DO NOT EDIT. - -package fake - -import ( - clientset "go.pinniped.dev/generated/1.17/client/supervisor/virtual/clientset/versioned" - oauthv1alpha1 "go.pinniped.dev/generated/1.17/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1" - fakeoauthv1alpha1 "go.pinniped.dev/generated/1.17/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake" - "k8s.io/apimachinery/pkg/runtime" - "k8s.io/apimachinery/pkg/watch" - "k8s.io/client-go/discovery" - fakediscovery "k8s.io/client-go/discovery/fake" - "k8s.io/client-go/testing" -) - -// NewSimpleClientset returns a clientset that will respond with the provided objects. -// It's backed by a very simple object tracker that processes creates, updates and deletions as-is, -// without applying any validations and/or defaults. It shouldn't be considered a replacement -// for a real clientset and is mostly useful in simple unit tests. -func NewSimpleClientset(objects ...runtime.Object) *Clientset { - o := testing.NewObjectTracker(scheme, codecs.UniversalDecoder()) - for _, obj := range objects { - if err := o.Add(obj); err != nil { - panic(err) - } - } - - cs := &Clientset{tracker: o} - cs.discovery = &fakediscovery.FakeDiscovery{Fake: &cs.Fake} - cs.AddReactor("*", "*", testing.ObjectReaction(o)) - cs.AddWatchReactor("*", func(action testing.Action) (handled bool, ret watch.Interface, err error) { - gvr := action.GetResource() - ns := action.GetNamespace() - watch, err := o.Watch(gvr, ns) - if err != nil { - return false, nil, err - } - return true, watch, nil - }) - - return cs -} - -// Clientset implements clientset.Interface. Meant to be embedded into a -// struct to get a default implementation. This makes faking out just the method -// you want to test easier. 
-type Clientset struct { - testing.Fake - discovery *fakediscovery.FakeDiscovery - tracker testing.ObjectTracker -} - -func (c *Clientset) Discovery() discovery.DiscoveryInterface { - return c.discovery -} - -func (c *Clientset) Tracker() testing.ObjectTracker { - return c.tracker -} - -var _ clientset.Interface = &Clientset{} - -// OauthV1alpha1 retrieves the OauthV1alpha1Client -func (c *Clientset) OauthV1alpha1() oauthv1alpha1.OauthV1alpha1Interface { - return &fakeoauthv1alpha1.FakeOauthV1alpha1{Fake: &c.Fake} -} diff --git a/generated/1.17/client/supervisor/virtual/clientset/versioned/fake/doc.go b/generated/1.17/client/supervisor/virtual/clientset/versioned/fake/doc.go deleted file mode 100644 index 7c9538fd..00000000 --- a/generated/1.17/client/supervisor/virtual/clientset/versioned/fake/doc.go +++ /dev/null @@ -1,7 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by client-gen. DO NOT EDIT. - -// This package has the automatically generated fake clientset. -package fake diff --git a/generated/1.17/client/supervisor/virtual/clientset/versioned/fake/register.go b/generated/1.17/client/supervisor/virtual/clientset/versioned/fake/register.go deleted file mode 100644 index 675d744f..00000000 --- a/generated/1.17/client/supervisor/virtual/clientset/versioned/fake/register.go +++ /dev/null 
@@ -1,43 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by client-gen. DO NOT EDIT. - -package fake - -import ( - oauthv1alpha1 "go.pinniped.dev/generated/1.17/apis/supervisor/virtual/oauth/v1alpha1" - v1 "k8s.io/apimachinery/pkg/apis/meta/v1" - runtime "k8s.io/apimachinery/pkg/runtime" - schema "k8s.io/apimachinery/pkg/runtime/schema" - serializer "k8s.io/apimachinery/pkg/runtime/serializer" - utilruntime "k8s.io/apimachinery/pkg/util/runtime" -) - -var scheme = runtime.NewScheme() -var codecs = serializer.NewCodecFactory(scheme) -var parameterCodec = runtime.NewParameterCodec(scheme) -var localSchemeBuilder = runtime.SchemeBuilder{ - oauthv1alpha1.AddToScheme, -} - -// AddToScheme adds all types of this clientset into the given scheme. This allows composition -// of clientsets, like in: -// -// import ( -// "k8s.io/client-go/kubernetes" -// clientsetscheme "k8s.io/client-go/kubernetes/scheme" -// aggregatorclientsetscheme "k8s.io/kube-aggregator/pkg/client/clientset_generated/clientset/scheme" -// ) -// -// kclientset, _ := kubernetes.NewForConfig(c) -// _ = aggregatorclientsetscheme.AddToScheme(clientsetscheme.Scheme) -// -// After this, RawExtensions in Kubernetes types will serialize kube-aggregator types -// correctly. -var AddToScheme = localSchemeBuilder.AddToScheme - -func init() { - v1.AddToGroupVersion(scheme, schema.GroupVersion{Version: "v1"}) - utilruntime.Must(AddToScheme(scheme)) -} diff --git a/generated/1.17/client/supervisor/virtual/clientset/versioned/scheme/doc.go b/generated/1.17/client/supervisor/virtual/clientset/versioned/scheme/doc.go deleted file mode 100644 index cc02f1d3..00000000 --- a/generated/1.17/client/supervisor/virtual/clientset/versioned/scheme/doc.go +++ /dev/null 
@@ -1,7 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by client-gen. DO NOT EDIT. - -// This package contains the scheme of the automatically generated clientset. -package scheme diff --git a/generated/1.17/client/supervisor/virtual/clientset/versioned/scheme/register.go b/generated/1.17/client/supervisor/virtual/clientset/versioned/scheme/register.go deleted file mode 100644 index f027d173..00000000 --- a/generated/1.17/client/supervisor/virtual/clientset/versioned/scheme/register.go +++ /dev/null 
@@ -1,43 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by client-gen. DO NOT EDIT. - -package scheme - -import ( - oauthv1alpha1 "go.pinniped.dev/generated/1.17/apis/supervisor/virtual/oauth/v1alpha1" - v1 "k8s.io/apimachinery/pkg/apis/meta/v1" - runtime "k8s.io/apimachinery/pkg/runtime" - schema "k8s.io/apimachinery/pkg/runtime/schema" - serializer "k8s.io/apimachinery/pkg/runtime/serializer" - utilruntime "k8s.io/apimachinery/pkg/util/runtime" -) - -var Scheme = runtime.NewScheme() -var Codecs = serializer.NewCodecFactory(Scheme) -var ParameterCodec = runtime.NewParameterCodec(Scheme) -var localSchemeBuilder = runtime.SchemeBuilder{ - oauthv1alpha1.AddToScheme, -} - -// AddToScheme adds all types of this clientset into the given scheme. This allows composition -// of clientsets, like in: -// -// import ( -// "k8s.io/client-go/kubernetes" -// clientsetscheme "k8s.io/client-go/kubernetes/scheme" -// aggregatorclientsetscheme "k8s.io/kube-aggregator/pkg/client/clientset_generated/clientset/scheme" -// ) -// -// kclientset, _ := kubernetes.NewForConfig(c) -// _ = aggregatorclientsetscheme.AddToScheme(clientsetscheme.Scheme) -// -// After this, RawExtensions in Kubernetes types will serialize kube-aggregator types -// correctly. -var AddToScheme = localSchemeBuilder.AddToScheme - -func init() { - v1.AddToGroupVersion(Scheme, schema.GroupVersion{Version: "v1"}) - utilruntime.Must(AddToScheme(Scheme)) -} diff --git a/generated/1.17/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go b/generated/1.17/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go deleted file mode 100644 index 97afc436..00000000 --- a/generated/1.17/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go +++ /dev/null 
@@ -1,27 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by client-gen. DO NOT EDIT. - -package fake - -import ( - v1alpha1 "go.pinniped.dev/generated/1.17/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1" - rest "k8s.io/client-go/rest" - testing "k8s.io/client-go/testing" -) - -type FakeOauthV1alpha1 struct { - *testing.Fake -} - -func (c *FakeOauthV1alpha1) OIDCClientSecretRequests(namespace string) v1alpha1.OIDCClientSecretRequestInterface { - return &FakeOIDCClientSecretRequests{c, namespace} -} - -// RESTClient returns a RESTClient that is used to communicate -// with API server by this client implementation. -func (c *FakeOauthV1alpha1) RESTClient() rest.Interface { - var ret *rest.RESTClient - return ret -} diff --git a/generated/1.17/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml b/generated/1.17/crds/config.supervisor.pinniped.dev_oidcclients.yaml similarity index 98% rename from generated/1.17/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml rename to generated/1.17/crds/config.supervisor.pinniped.dev_oidcclients.yaml index 589a9154..4efa445e 100644 --- a/generated/1.17/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml +++ b/generated/1.17/crds/config.supervisor.pinniped.dev_oidcclients.yaml @@ -5,9 +5,9 @@ metadata: annotations: controller-gen.kubebuilder.io/version: v0.8.0 creationTimestamp: null - name: oidcclients.oauth.supervisor.pinniped.dev + name: oidcclients.config.supervisor.pinniped.dev spec: - group: oauth.supervisor.pinniped.dev + group: config.supervisor.pinniped.dev names: categories: - pinniped diff --git a/generated/1.18/README.adoc b/generated/1.18/README.adoc index db96bb48..21512761 100644 --- a/generated/1.18/README.adoc +++ b/generated/1.18/README.adoc 
@@ -6,15 +6,14 @@ .Packages - xref:{anchor_prefix}-authentication-concierge-pinniped-dev-v1alpha1[$$authentication.concierge.pinniped.dev/v1alpha1$$] +- xref:{anchor_prefix}-clientsecret-supervisor-pinniped-dev-clientsecret[$$clientsecret.supervisor.pinniped.dev/clientsecret$$] +- xref:{anchor_prefix}-clientsecret-supervisor-pinniped-dev-v1alpha1[$$clientsecret.supervisor.pinniped.dev/v1alpha1$$] - xref:{anchor_prefix}-config-concierge-pinniped-dev-v1alpha1[$$config.concierge.pinniped.dev/v1alpha1$$] - xref:{anchor_prefix}-config-supervisor-pinniped-dev-v1alpha1[$$config.supervisor.pinniped.dev/v1alpha1$$] - xref:{anchor_prefix}-identity-concierge-pinniped-dev-identity[$$identity.concierge.pinniped.dev/identity$$] - xref:{anchor_prefix}-identity-concierge-pinniped-dev-v1alpha1[$$identity.concierge.pinniped.dev/v1alpha1$$] - xref:{anchor_prefix}-idp-supervisor-pinniped-dev-v1alpha1[$$idp.supervisor.pinniped.dev/v1alpha1$$] - xref:{anchor_prefix}-login-concierge-pinniped-dev-v1alpha1[$$login.concierge.pinniped.dev/v1alpha1$$] -- xref:{anchor_prefix}-oauth-supervisor-pinniped-dev-v1alpha1[$$oauth.supervisor.pinniped.dev/v1alpha1$$] -- xref:{anchor_prefix}-oauth-virtual-supervisor-pinniped-dev-oauth[$$oauth.virtual.supervisor.pinniped.dev/oauth$$] -- xref:{anchor_prefix}-oauth-virtual-supervisor-pinniped-dev-v1alpha1[$$oauth.virtual.supervisor.pinniped.dev/v1alpha1$$] [id="{anchor_prefix}-authentication-concierge-pinniped-dev-v1alpha1"] 
@@ -213,6 +212,98 @@ Status of a webhook authenticator. +[id="{anchor_prefix}-clientsecret-supervisor-pinniped-dev-clientsecret"] +=== clientsecret.supervisor.pinniped.dev/clientsecret + +Package clientsecret is the internal version of the Pinniped client secret API. + + + + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-clientsecret-oidcclientsecretrequestspec"] +==== OIDCClientSecretRequestSpec + + + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-clientsecret-oidcclientsecretrequest[$$OIDCClientSecretRequest$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`generateNewSecret`* __boolean__ | +| *`revokeOldSecrets`* __boolean__ | +|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-clientsecret-oidcclientsecretrequeststatus"] +==== OIDCClientSecretRequestStatus + + + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-clientsecret-oidcclientsecretrequest[$$OIDCClientSecretRequest$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`generatedSecret`* __string__ | +| *`totalClientSecrets`* __integer__ | +|=== + + + +[id="{anchor_prefix}-clientsecret-supervisor-pinniped-dev-v1alpha1"] +=== clientsecret.supervisor.pinniped.dev/v1alpha1 + +Package v1alpha1 is the v1alpha1 version of the Pinniped client secret API. 
+ + + + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-clientsecret-v1alpha1-oidcclientsecretrequestspec"] +==== OIDCClientSecretRequestSpec + + + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-clientsecret-v1alpha1-oidcclientsecretrequest[$$OIDCClientSecretRequest$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`generateNewSecret`* __boolean__ | +| *`revokeOldSecrets`* __boolean__ | +|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-clientsecret-v1alpha1-oidcclientsecretrequeststatus"] +==== OIDCClientSecretRequestStatus + + + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-clientsecret-v1alpha1-oidcclientsecretrequest[$$OIDCClientSecretRequest$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`generatedSecret`* __string__ | +| *`totalClientSecrets`* __integer__ | +|=== + + + [id="{anchor_prefix}-config-concierge-pinniped-dev-v1alpha1"] === config.concierge.pinniped.dev/v1alpha1 
@@ -546,6 +637,51 @@ FederationDomainTLSSpec is a struct that describes the TLS configuration for an |=== +[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-config-v1alpha1-oidcclient"] +==== OIDCClient + +OIDCClient describes the configuration of an OIDC client. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-config-v1alpha1-oidcclientlist[$$OIDCClientList$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`. + +| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-config-v1alpha1-oidcclientspec[$$OIDCClientSpec$$]__ | Spec of the OIDC client. +| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-config-v1alpha1-oidcclientstatus[$$OIDCClientStatus$$]__ | Status of the OIDC client. +|=== + + + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-config-v1alpha1-oidcclientspec"] +==== OIDCClientSpec + +OIDCClientSpec is a struct that describes an OIDC Client. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-config-v1alpha1-oidcclient[$$OIDCClient$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`allowedRedirectURIs`* __string array__ | allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this client. Any other uris will be rejected. Must be https, unless it is a loopback. +| *`allowedGrantTypes`* __GrantType array__ | allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this client. + Must only contain the following values: - authorization_code: allows the client to perform the authorization code grant flow, i.e. 
allows the webapp to authenticate users. This grant must always be listed. - refresh_token: allows the client to perform refresh grants for the user to extend the user's session. This grant must be listed if allowedScopes lists offline_access. - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. This grant must be listed if allowedScopes lists pinniped:request-audience. +| *`allowedScopes`* __Scope array__ | allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. + Must only contain the following values: - openid: The client is allowed to request ID tokens. ID tokens only include the required claims by default (iss, sub, aud, exp, iat). This scope must always be listed. - offline_access: The client is allowed to request an initial refresh token during the authorization code grant flow. This scope must be listed if allowedGrantTypes lists refresh_token. - pinniped:request-audience: The client is allowed to request a new audience value during a RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. openid, username and groups scopes must be listed when this scope is present. This scope must be listed if allowedGrantTypes lists urn:ietf:params:oauth:grant-type:token-exchange. - username: The client is allowed to request that ID tokens contain the user's username. Without the username scope being requested and allowed, the ID token will not contain the user's username. - groups: The client is allowed to request that ID tokens contain the user's group membership, if their group membership is discoverable by the Supervisor. Without the groups scope being requested and allowed, the ID token will not contain groups. 
+|=== + + + + [id="{anchor_prefix}-identity-concierge-pinniped-dev-identity"] === identity.concierge.pinniped.dev/identity 
@@ -1335,148 +1471,3 @@ TokenCredentialRequestStatus is the status of a TokenCredentialRequest, returned |=== - -[id="{anchor_prefix}-oauth-supervisor-pinniped-dev-v1alpha1"] -=== oauth.supervisor.pinniped.dev/v1alpha1 - -Package v1alpha1 is the v1alpha1 version of the Pinniped supervisor oauth API. - - - -[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-oauth-v1alpha1-oidcclient"] -==== OIDCClient - -OIDCClient describes the configuration of an OIDC client. - -.Appears In: -**** -- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-oauth-v1alpha1-oidcclientlist[$$OIDCClientList$$] -**** - -[cols="25a,75a", options="header"] -|=== -| Field | Description -| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`. - -| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-oauth-v1alpha1-oidcclientspec[$$OIDCClientSpec$$]__ | Spec of the OIDC client. -| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-oauth-v1alpha1-oidcclientstatus[$$OIDCClientStatus$$]__ | Status of the OIDC client. -|=== - - - - -[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-oauth-v1alpha1-oidcclientspec"] -==== OIDCClientSpec - -OIDCClientSpec is a struct that describes an OIDC Client. - -.Appears In: -**** -- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-oauth-v1alpha1-oidcclient[$$OIDCClient$$] -**** - -[cols="25a,75a", options="header"] -|=== -| Field | Description -| *`allowedRedirectURIs`* __string array__ | allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this client. Any other uris will be rejected. Must be https, unless it is a loopback. 
-| *`allowedGrantTypes`* __GrantType array__ | allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this client. - Must only contain the following values: - authorization_code: allows the client to perform the authorization code grant flow, i.e. allows the webapp to authenticate users. This grant must always be listed. - refresh_token: allows the client to perform refresh grants for the user to extend the user's session. This grant must be listed if allowedScopes lists offline_access. - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. This grant must be listed if allowedScopes lists pinniped:request-audience. -| *`allowedScopes`* __Scope array__ | allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. - Must only contain the following values: - openid: The client is allowed to request ID tokens. ID tokens only include the required claims by default (iss, sub, aud, exp, iat). This scope must always be listed. - offline_access: The client is allowed to request an initial refresh token during the authorization code grant flow. This scope must be listed if allowedGrantTypes lists refresh_token. - pinniped:request-audience: The client is allowed to request a new audience value during a RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. openid, username and groups scopes must be listed when this scope is present. This scope must be listed if allowedGrantTypes lists urn:ietf:params:oauth:grant-type:token-exchange. - username: The client is allowed to request that ID tokens contain the user's username. Without the username scope being requested and allowed, the ID token will not contain the user's username. 
- groups: The client is allowed to request that ID tokens contain the user's group membership, if their group membership is discoverable by the Supervisor. Without the groups scope being requested and allowed, the ID token will not contain groups. -|=== - - - - - -[id="{anchor_prefix}-oauth-virtual-supervisor-pinniped-dev-oauth"] -=== oauth.virtual.supervisor.pinniped.dev/oauth - -Package oauth is the internal version of the Pinniped virtual oauth API. - - - - - -[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-virtual-oauth-oidcclientsecretrequestspec"] -==== OIDCClientSecretRequestSpec - - - -.Appears In: -**** -- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-virtual-oauth-oidcclientsecretrequest[$$OIDCClientSecretRequest$$] -**** - -[cols="25a,75a", options="header"] -|=== -| Field | Description -| *`generateNewSecret`* __boolean__ | -| *`revokeOldSecrets`* __boolean__ | -|=== - - -[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-virtual-oauth-oidcclientsecretrequeststatus"] -==== OIDCClientSecretRequestStatus - - - -.Appears In: -**** -- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-virtual-oauth-oidcclientsecretrequest[$$OIDCClientSecretRequest$$] -**** - -[cols="25a,75a", options="header"] -|=== -| Field | Description -| *`generatedSecret`* __string__ | -| *`totalClientSecrets`* __integer__ | -|=== - - - -[id="{anchor_prefix}-oauth-virtual-supervisor-pinniped-dev-v1alpha1"] -=== oauth.virtual.supervisor.pinniped.dev/v1alpha1 - -Package v1alpha1 is the v1alpha1 version of the Pinniped virtual oauth API. 
- - - - - -[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-virtual-oauth-v1alpha1-oidcclientsecretrequestspec"] -==== OIDCClientSecretRequestSpec - - - -.Appears In: -**** -- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-virtual-oauth-v1alpha1-oidcclientsecretrequest[$$OIDCClientSecretRequest$$] -**** - -[cols="25a,75a", options="header"] -|=== -| Field | Description -| *`generateNewSecret`* __boolean__ | -| *`revokeOldSecrets`* __boolean__ | -|=== - - -[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-virtual-oauth-v1alpha1-oidcclientsecretrequeststatus"] -==== OIDCClientSecretRequestStatus - - - -.Appears In: -**** -- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-virtual-oauth-v1alpha1-oidcclientsecretrequest[$$OIDCClientSecretRequest$$] -**** - -[cols="25a,75a", options="header"] -|=== -| Field | Description -| *`generatedSecret`* __string__ | -| *`totalClientSecrets`* __integer__ | -|=== - - diff --git a/generated/1.18/apis/supervisor/clientsecret/doc.go b/generated/1.18/apis/supervisor/clientsecret/doc.go new file mode 100644 index 00000000..c536bc75 --- /dev/null +++ b/generated/1.18/apis/supervisor/clientsecret/doc.go @@ -0,0 +1,8 @@ +// Copyright 2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// +k8s:deepcopy-gen=package +// +groupName=clientsecret.supervisor.pinniped.dev + +// Package clientsecret is the internal version of the Pinniped client secret API. +package clientsecret diff --git a/generated/1.17/apis/supervisor/virtual/oauth/register.go b/generated/1.18/apis/supervisor/clientsecret/register.go similarity index 93% rename from generated/1.17/apis/supervisor/virtual/oauth/register.go rename to generated/1.18/apis/supervisor/clientsecret/register.go index a238d85f..4a1c0173 100644 --- a/generated/1.17/apis/supervisor/virtual/oauth/register.go +++ b/generated/1.18/apis/supervisor/clientsecret/register.go 
@@ -1,14 +1,14 @@
 // Copyright 2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
-package oauth
+package clientsecret
 
 import (
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/runtime/schema"
 )
 
-const GroupName = "oauth.virtual.supervisor.pinniped.dev"
+const GroupName = "clientsecret.supervisor.pinniped.dev"
 
 // SchemeGroupVersion is group version used to register these objects.
 var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: runtime.APIVersionInternal}
diff --git a/generated/1.20/apis/supervisor/virtual/oauth/types_oidcclientsecretrequest.go b/generated/1.18/apis/supervisor/clientsecret/types_oidcclientsecretrequest.go
similarity index 97%
rename from generated/1.20/apis/supervisor/virtual/oauth/types_oidcclientsecretrequest.go
rename to generated/1.18/apis/supervisor/clientsecret/types_oidcclientsecretrequest.go
index ac54a93c..7fd1eb65 100644
--- a/generated/1.20/apis/supervisor/virtual/oauth/types_oidcclientsecretrequest.go
+++ b/generated/1.18/apis/supervisor/clientsecret/types_oidcclientsecretrequest.go
@@ -1,7 +1,7 @@
 // Copyright 2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
-package oauth
+package clientsecret
 
 import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
diff --git a/generated/1.18/apis/supervisor/virtual/oauth/v1alpha1/conversion.go b/generated/1.18/apis/supervisor/clientsecret/v1alpha1/conversion.go
similarity index 100%
rename from generated/1.18/apis/supervisor/virtual/oauth/v1alpha1/conversion.go
rename to generated/1.18/apis/supervisor/clientsecret/v1alpha1/conversion.go
diff --git a/generated/1.18/apis/supervisor/virtual/oauth/v1alpha1/defaults.go b/generated/1.18/apis/supervisor/clientsecret/v1alpha1/defaults.go
similarity index 100%
rename from generated/1.18/apis/supervisor/virtual/oauth/v1alpha1/defaults.go
rename to generated/1.18/apis/supervisor/clientsecret/v1alpha1/defaults.go
diff --git a/generated/1.18/apis/supervisor/virtual/oauth/v1alpha1/doc.go b/generated/1.18/apis/supervisor/clientsecret/v1alpha1/doc.go
similarity index 64%
rename from generated/1.18/apis/supervisor/virtual/oauth/v1alpha1/doc.go
rename to generated/1.18/apis/supervisor/clientsecret/v1alpha1/doc.go
index 215e4edf..9347ef46 100644
--- a/generated/1.18/apis/supervisor/virtual/oauth/v1alpha1/doc.go
+++ b/generated/1.18/apis/supervisor/clientsecret/v1alpha1/doc.go
@@ -3,9 +3,9 @@
 
 // +k8s:openapi-gen=true
 // +k8s:deepcopy-gen=package
-// +k8s:conversion-gen=go.pinniped.dev/generated/1.18/apis/supervisor/virtual/oauth
+// +k8s:conversion-gen=go.pinniped.dev/generated/1.18/apis/supervisor/clientsecret
 // +k8s:defaulter-gen=TypeMeta
-// +groupName=oauth.virtual.supervisor.pinniped.dev
+// +groupName=clientsecret.supervisor.pinniped.dev
 
-// Package v1alpha1 is the v1alpha1 version of the Pinniped virtual oauth API.
+// Package v1alpha1 is the v1alpha1 version of the Pinniped client secret API.
 package v1alpha1
diff --git a/generated/1.18/apis/supervisor/virtual/oauth/v1alpha1/register.go b/generated/1.18/apis/supervisor/clientsecret/v1alpha1/register.go
similarity index 95%
rename from generated/1.18/apis/supervisor/virtual/oauth/v1alpha1/register.go
rename to generated/1.18/apis/supervisor/clientsecret/v1alpha1/register.go
index ecc75a08..49602125 100644
--- a/generated/1.18/apis/supervisor/virtual/oauth/v1alpha1/register.go
+++ b/generated/1.18/apis/supervisor/clientsecret/v1alpha1/register.go
@@ -9,7 +9,7 @@ import (
 	"k8s.io/apimachinery/pkg/runtime/schema"
 )
 
-const GroupName = "oauth.virtual.supervisor.pinniped.dev"
+const GroupName = "clientsecret.supervisor.pinniped.dev"
 
 // SchemeGroupVersion is group version used to register these objects.
 var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha1"}
diff --git a/generated/1.18/apis/supervisor/virtual/oauth/v1alpha1/types_oidcclientsecretrequest.go b/generated/1.18/apis/supervisor/clientsecret/v1alpha1/types_oidcclientsecretrequest.go
similarity index 100%
rename from generated/1.18/apis/supervisor/virtual/oauth/v1alpha1/types_oidcclientsecretrequest.go
rename to generated/1.18/apis/supervisor/clientsecret/v1alpha1/types_oidcclientsecretrequest.go
diff --git a/generated/1.18/apis/supervisor/clientsecret/v1alpha1/zz_generated.conversion.go b/generated/1.18/apis/supervisor/clientsecret/v1alpha1/zz_generated.conversion.go
new file mode 100644
index 00000000..990c4deb
--- /dev/null
+++ b/generated/1.18/apis/supervisor/clientsecret/v1alpha1/zz_generated.conversion.go
@@ -0,0 +1,131 @@ +//go:build !ignore_autogenerated +// +build !ignore_autogenerated + +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by conversion-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + clientsecret "go.pinniped.dev/generated/1.18/apis/supervisor/clientsecret" + conversion "k8s.io/apimachinery/pkg/conversion" + runtime "k8s.io/apimachinery/pkg/runtime" +) + +func init() { + localSchemeBuilder.Register(RegisterConversions) +} + +// RegisterConversions adds conversion functions to the given scheme. +// Public to allow building arbitrary schemes. +func RegisterConversions(s *runtime.Scheme) error { + if err := s.AddGeneratedConversionFunc((*OIDCClientSecretRequest)(nil), (*clientsecret.OIDCClientSecretRequest)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_v1alpha1_OIDCClientSecretRequest_To_clientsecret_OIDCClientSecretRequest(a.(*OIDCClientSecretRequest), b.(*clientsecret.OIDCClientSecretRequest), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*clientsecret.OIDCClientSecretRequest)(nil), (*OIDCClientSecretRequest)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_clientsecret_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest(a.(*clientsecret.OIDCClientSecretRequest), b.(*OIDCClientSecretRequest), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*OIDCClientSecretRequestSpec)(nil), (*clientsecret.OIDCClientSecretRequestSpec)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_v1alpha1_OIDCClientSecretRequestSpec_To_clientsecret_OIDCClientSecretRequestSpec(a.(*OIDCClientSecretRequestSpec), b.(*clientsecret.OIDCClientSecretRequestSpec), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*clientsecret.OIDCClientSecretRequestSpec)(nil), (*OIDCClientSecretRequestSpec)(nil), 
func(a, b interface{}, scope conversion.Scope) error { + return Convert_clientsecret_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec(a.(*clientsecret.OIDCClientSecretRequestSpec), b.(*OIDCClientSecretRequestSpec), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*OIDCClientSecretRequestStatus)(nil), (*clientsecret.OIDCClientSecretRequestStatus)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_v1alpha1_OIDCClientSecretRequestStatus_To_clientsecret_OIDCClientSecretRequestStatus(a.(*OIDCClientSecretRequestStatus), b.(*clientsecret.OIDCClientSecretRequestStatus), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*clientsecret.OIDCClientSecretRequestStatus)(nil), (*OIDCClientSecretRequestStatus)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_clientsecret_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus(a.(*clientsecret.OIDCClientSecretRequestStatus), b.(*OIDCClientSecretRequestStatus), scope) + }); err != nil { + return err + } + return nil +} + +func autoConvert_v1alpha1_OIDCClientSecretRequest_To_clientsecret_OIDCClientSecretRequest(in *OIDCClientSecretRequest, out *clientsecret.OIDCClientSecretRequest, s conversion.Scope) error { + out.ObjectMeta = in.ObjectMeta + if err := Convert_v1alpha1_OIDCClientSecretRequestSpec_To_clientsecret_OIDCClientSecretRequestSpec(&in.Spec, &out.Spec, s); err != nil { + return err + } + if err := Convert_v1alpha1_OIDCClientSecretRequestStatus_To_clientsecret_OIDCClientSecretRequestStatus(&in.Status, &out.Status, s); err != nil { + return err + } + return nil +} + +// Convert_v1alpha1_OIDCClientSecretRequest_To_clientsecret_OIDCClientSecretRequest is an autogenerated conversion function. 
+func Convert_v1alpha1_OIDCClientSecretRequest_To_clientsecret_OIDCClientSecretRequest(in *OIDCClientSecretRequest, out *clientsecret.OIDCClientSecretRequest, s conversion.Scope) error { + return autoConvert_v1alpha1_OIDCClientSecretRequest_To_clientsecret_OIDCClientSecretRequest(in, out, s) +} + +func autoConvert_clientsecret_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest(in *clientsecret.OIDCClientSecretRequest, out *OIDCClientSecretRequest, s conversion.Scope) error { + out.ObjectMeta = in.ObjectMeta + if err := Convert_clientsecret_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec(&in.Spec, &out.Spec, s); err != nil { + return err + } + if err := Convert_clientsecret_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus(&in.Status, &out.Status, s); err != nil { + return err + } + return nil +} + +// Convert_clientsecret_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest is an autogenerated conversion function. +func Convert_clientsecret_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest(in *clientsecret.OIDCClientSecretRequest, out *OIDCClientSecretRequest, s conversion.Scope) error { + return autoConvert_clientsecret_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest(in, out, s) +} + +func autoConvert_v1alpha1_OIDCClientSecretRequestSpec_To_clientsecret_OIDCClientSecretRequestSpec(in *OIDCClientSecretRequestSpec, out *clientsecret.OIDCClientSecretRequestSpec, s conversion.Scope) error { + out.GenerateNewSecret = in.GenerateNewSecret + out.RevokeOldSecrets = in.RevokeOldSecrets + return nil +} + +// Convert_v1alpha1_OIDCClientSecretRequestSpec_To_clientsecret_OIDCClientSecretRequestSpec is an autogenerated conversion function. 
+func Convert_v1alpha1_OIDCClientSecretRequestSpec_To_clientsecret_OIDCClientSecretRequestSpec(in *OIDCClientSecretRequestSpec, out *clientsecret.OIDCClientSecretRequestSpec, s conversion.Scope) error { + return autoConvert_v1alpha1_OIDCClientSecretRequestSpec_To_clientsecret_OIDCClientSecretRequestSpec(in, out, s) +} + +func autoConvert_clientsecret_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec(in *clientsecret.OIDCClientSecretRequestSpec, out *OIDCClientSecretRequestSpec, s conversion.Scope) error { + out.GenerateNewSecret = in.GenerateNewSecret + out.RevokeOldSecrets = in.RevokeOldSecrets + return nil +} + +// Convert_clientsecret_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec is an autogenerated conversion function. +func Convert_clientsecret_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec(in *clientsecret.OIDCClientSecretRequestSpec, out *OIDCClientSecretRequestSpec, s conversion.Scope) error { + return autoConvert_clientsecret_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec(in, out, s) +} + +func autoConvert_v1alpha1_OIDCClientSecretRequestStatus_To_clientsecret_OIDCClientSecretRequestStatus(in *OIDCClientSecretRequestStatus, out *clientsecret.OIDCClientSecretRequestStatus, s conversion.Scope) error { + out.GeneratedSecret = in.GeneratedSecret + out.TotalClientSecrets = in.TotalClientSecrets + return nil +} + +// Convert_v1alpha1_OIDCClientSecretRequestStatus_To_clientsecret_OIDCClientSecretRequestStatus is an autogenerated conversion function. 
+func Convert_v1alpha1_OIDCClientSecretRequestStatus_To_clientsecret_OIDCClientSecretRequestStatus(in *OIDCClientSecretRequestStatus, out *clientsecret.OIDCClientSecretRequestStatus, s conversion.Scope) error { + return autoConvert_v1alpha1_OIDCClientSecretRequestStatus_To_clientsecret_OIDCClientSecretRequestStatus(in, out, s) +} + +func autoConvert_clientsecret_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus(in *clientsecret.OIDCClientSecretRequestStatus, out *OIDCClientSecretRequestStatus, s conversion.Scope) error { + out.GeneratedSecret = in.GeneratedSecret + out.TotalClientSecrets = in.TotalClientSecrets + return nil +} + +// Convert_clientsecret_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus is an autogenerated conversion function. +func Convert_clientsecret_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus(in *clientsecret.OIDCClientSecretRequestStatus, out *OIDCClientSecretRequestStatus, s conversion.Scope) error { + return autoConvert_clientsecret_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus(in, out, s) +} diff --git a/generated/1.18/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.deepcopy.go b/generated/1.18/apis/supervisor/clientsecret/v1alpha1/zz_generated.deepcopy.go similarity index 100% rename from generated/1.18/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.deepcopy.go rename to generated/1.18/apis/supervisor/clientsecret/v1alpha1/zz_generated.deepcopy.go diff --git a/generated/1.18/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.defaults.go b/generated/1.18/apis/supervisor/clientsecret/v1alpha1/zz_generated.defaults.go similarity index 100% rename from generated/1.18/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.defaults.go rename to generated/1.18/apis/supervisor/clientsecret/v1alpha1/zz_generated.defaults.go 
diff --git a/generated/1.17/apis/supervisor/virtual/oauth/zz_generated.deepcopy.go b/generated/1.18/apis/supervisor/clientsecret/zz_generated.deepcopy.go
similarity index 99%
rename from generated/1.17/apis/supervisor/virtual/oauth/zz_generated.deepcopy.go
rename to generated/1.18/apis/supervisor/clientsecret/zz_generated.deepcopy.go
index 24b58e7b..e0dc7d68 100644
--- a/generated/1.17/apis/supervisor/virtual/oauth/zz_generated.deepcopy.go
+++ b/generated/1.18/apis/supervisor/clientsecret/zz_generated.deepcopy.go
@@ -6,7 +6,7 @@
 // Code generated by deepcopy-gen. DO NOT EDIT.
 
-package oauth
+package clientsecret
 
 import (
 	runtime "k8s.io/apimachinery/pkg/runtime"
 )
diff --git a/generated/1.18/apis/supervisor/config/v1alpha1/register.go b/generated/1.18/apis/supervisor/config/v1alpha1/register.go
index 69045298..54c51699 100644
--- a/generated/1.18/apis/supervisor/config/v1alpha1/register.go
+++ b/generated/1.18/apis/supervisor/config/v1alpha1/register.go
@@ -32,6 +32,8 @@ func addKnownTypes(scheme *runtime.Scheme) error {
 	scheme.AddKnownTypes(SchemeGroupVersion,
 		&FederationDomain{},
 		&FederationDomainList{},
+		&OIDCClient{},
+		&OIDCClientList{},
 	)
 	metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
 	return nil
diff --git a/generated/1.18/apis/supervisor/oauth/v1alpha1/types_oidcclient.go b/generated/1.18/apis/supervisor/config/v1alpha1/types_oidcclient.go
similarity index 100%
rename from generated/1.18/apis/supervisor/oauth/v1alpha1/types_oidcclient.go
rename to generated/1.18/apis/supervisor/config/v1alpha1/types_oidcclient.go
diff --git a/generated/1.18/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go b/generated/1.18/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go
index 856b8988..a55d88e7 100644
--- a/generated/1.18/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go
+++ b/generated/1.18/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go
@@ -150,3 +150,111 @@ func (in *FederationDomainTLSSpec) DeepCopy() *FederationDomainTLSSpec { in.DeepCopyInto(out) return out } + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCClient) DeepCopyInto(out *OIDCClient) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + in.Spec.DeepCopyInto(&out.Spec) + out.Status = in.Status + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClient. +func (in *OIDCClient) DeepCopy() *OIDCClient { + if in == nil { + return nil + } + out := new(OIDCClient) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *OIDCClient) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCClientList) DeepCopyInto(out *OIDCClientList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]OIDCClient, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientList. +func (in *OIDCClientList) DeepCopy() *OIDCClientList { + if in == nil { + return nil + } + out := new(OIDCClientList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *OIDCClientList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. 
in must be non-nil. +func (in *OIDCClientSpec) DeepCopyInto(out *OIDCClientSpec) { + *out = *in + if in.AllowedRedirectURIs != nil { + in, out := &in.AllowedRedirectURIs, &out.AllowedRedirectURIs + *out = make([]string, len(*in)) + copy(*out, *in) + } + if in.AllowedGrantTypes != nil { + in, out := &in.AllowedGrantTypes, &out.AllowedGrantTypes + *out = make([]GrantType, len(*in)) + copy(*out, *in) + } + if in.AllowedScopes != nil { + in, out := &in.AllowedScopes, &out.AllowedScopes + *out = make([]Scope, len(*in)) + copy(*out, *in) + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSpec. +func (in *OIDCClientSpec) DeepCopy() *OIDCClientSpec { + if in == nil { + return nil + } + out := new(OIDCClientSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCClientStatus) DeepCopyInto(out *OIDCClientStatus) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientStatus. +func (in *OIDCClientStatus) DeepCopy() *OIDCClientStatus { + if in == nil { + return nil + } + out := new(OIDCClientStatus) + in.DeepCopyInto(out) + return out +} diff --git a/generated/1.18/apis/supervisor/oauth/v1alpha1/doc.go b/generated/1.18/apis/supervisor/oauth/v1alpha1/doc.go deleted file mode 100644 index 75580481..00000000 --- a/generated/1.18/apis/supervisor/oauth/v1alpha1/doc.go +++ /dev/null @@ -1,10 +0,0 @@ -// Copyright 2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// +k8s:openapi-gen=true -// +k8s:deepcopy-gen=package -// +k8s:defaulter-gen=TypeMeta -// +groupName=oauth.supervisor.pinniped.dev - -// Package v1alpha1 is the v1alpha1 version of the Pinniped supervisor oauth API. -package v1alpha1 
diff --git a/generated/1.18/apis/supervisor/oauth/v1alpha1/register.go b/generated/1.18/apis/supervisor/oauth/v1alpha1/register.go
deleted file mode 100644
index 37ae1fbf..00000000
--- a/generated/1.18/apis/supervisor/oauth/v1alpha1/register.go
+++ /dev/null
@@ -1,43 +0,0 @@
-// Copyright 2022 the Pinniped contributors. All Rights Reserved.
-// SPDX-License-Identifier: Apache-2.0
-
-package v1alpha1
-
-import (
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/apimachinery/pkg/runtime"
-	"k8s.io/apimachinery/pkg/runtime/schema"
-)
-
-const GroupName = "oauth.supervisor.pinniped.dev"
-
-// SchemeGroupVersion is group version used to register these objects.
-var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha1"}
-
-var (
-	SchemeBuilder      runtime.SchemeBuilder
-	localSchemeBuilder = &SchemeBuilder
-	AddToScheme        = localSchemeBuilder.AddToScheme
-)
-
-func init() {
-	// We only register manually written functions here. The registration of the
-	// generated functions takes place in the generated files. The separation
-	// makes the code compile even when the generated files are missing.
-	localSchemeBuilder.Register(addKnownTypes)
-}
-
-// Adds the list of known types to the given scheme.
-func addKnownTypes(scheme *runtime.Scheme) error {
-	scheme.AddKnownTypes(SchemeGroupVersion,
-		&OIDCClient{},
-		&OIDCClientList{},
-	)
-	metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
-	return nil
-}
-
-// Resource takes an unqualified resource and returns a Group qualified GroupResource.
-func Resource(resource string) schema.GroupResource {
-	return SchemeGroupVersion.WithResource(resource).GroupResource()
-}
diff --git a/generated/1.18/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go b/generated/1.18/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go
deleted file mode 100644
index 1aba8aea..00000000
--- a/generated/1.18/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go
+++ /dev/null
@@ -1,121 +0,0 @@ -//go:build !ignore_autogenerated -// +build !ignore_autogenerated - -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by deepcopy-gen. DO NOT EDIT. - -package v1alpha1 - -import ( - runtime "k8s.io/apimachinery/pkg/runtime" -) - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *OIDCClient) DeepCopyInto(out *OIDCClient) { - *out = *in - out.TypeMeta = in.TypeMeta - in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) - in.Spec.DeepCopyInto(&out.Spec) - out.Status = in.Status - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClient. -func (in *OIDCClient) DeepCopy() *OIDCClient { - if in == nil { - return nil - } - out := new(OIDCClient) - in.DeepCopyInto(out) - return out -} - -// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. -func (in *OIDCClient) DeepCopyObject() runtime.Object { - if c := in.DeepCopy(); c != nil { - return c - } - return nil -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *OIDCClientList) DeepCopyInto(out *OIDCClientList) { - *out = *in - out.TypeMeta = in.TypeMeta - in.ListMeta.DeepCopyInto(&out.ListMeta) - if in.Items != nil { - in, out := &in.Items, &out.Items - *out = make([]OIDCClient, len(*in)) - for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) - } - } - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientList. -func (in *OIDCClientList) DeepCopy() *OIDCClientList { - if in == nil { - return nil - } - out := new(OIDCClientList) - in.DeepCopyInto(out) - return out -} - -// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. 
-func (in *OIDCClientList) DeepCopyObject() runtime.Object { - if c := in.DeepCopy(); c != nil { - return c - } - return nil -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *OIDCClientSpec) DeepCopyInto(out *OIDCClientSpec) { - *out = *in - if in.AllowedRedirectURIs != nil { - in, out := &in.AllowedRedirectURIs, &out.AllowedRedirectURIs - *out = make([]string, len(*in)) - copy(*out, *in) - } - if in.AllowedGrantTypes != nil { - in, out := &in.AllowedGrantTypes, &out.AllowedGrantTypes - *out = make([]GrantType, len(*in)) - copy(*out, *in) - } - if in.AllowedScopes != nil { - in, out := &in.AllowedScopes, &out.AllowedScopes - *out = make([]Scope, len(*in)) - copy(*out, *in) - } - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSpec. -func (in *OIDCClientSpec) DeepCopy() *OIDCClientSpec { - if in == nil { - return nil - } - out := new(OIDCClientSpec) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *OIDCClientStatus) DeepCopyInto(out *OIDCClientStatus) { - *out = *in - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientStatus. -func (in *OIDCClientStatus) DeepCopy() *OIDCClientStatus { - if in == nil { - return nil - } - out := new(OIDCClientStatus) - in.DeepCopyInto(out) - return out -} diff --git a/generated/1.18/apis/supervisor/virtual/oauth/doc.go b/generated/1.18/apis/supervisor/virtual/oauth/doc.go deleted file mode 100644 index ca4e9a63..00000000 --- a/generated/1.18/apis/supervisor/virtual/oauth/doc.go +++ /dev/null 
@@ -1,8 +0,0 @@
-// Copyright 2022 the Pinniped contributors. All Rights Reserved.
-// SPDX-License-Identifier: Apache-2.0
-
-// +k8s:deepcopy-gen=package
-// +groupName=oauth.virtual.supervisor.pinniped.dev
-
-// Package oauth is the internal version of the Pinniped virtual oauth API.
-package oauth
diff --git a/generated/1.18/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.conversion.go b/generated/1.18/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.conversion.go
deleted file mode 100644
index d71f1e76..00000000
--- a/generated/1.18/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.conversion.go
+++ /dev/null
@@ -1,131 +0,0 @@ -//go:build !ignore_autogenerated -// +build !ignore_autogenerated - -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by conversion-gen. DO NOT EDIT. - -package v1alpha1 - -import ( - oauth "go.pinniped.dev/generated/1.18/apis/supervisor/virtual/oauth" - conversion "k8s.io/apimachinery/pkg/conversion" - runtime "k8s.io/apimachinery/pkg/runtime" -) - -func init() { - localSchemeBuilder.Register(RegisterConversions) -} - -// RegisterConversions adds conversion functions to the given scheme. -// Public to allow building arbitrary schemes. -func RegisterConversions(s *runtime.Scheme) error { - if err := s.AddGeneratedConversionFunc((*OIDCClientSecretRequest)(nil), (*oauth.OIDCClientSecretRequest)(nil), func(a, b interface{}, scope conversion.Scope) error { - return Convert_v1alpha1_OIDCClientSecretRequest_To_oauth_OIDCClientSecretRequest(a.(*OIDCClientSecretRequest), b.(*oauth.OIDCClientSecretRequest), scope) - }); err != nil { - return err - } - if err := s.AddGeneratedConversionFunc((*oauth.OIDCClientSecretRequest)(nil), (*OIDCClientSecretRequest)(nil), func(a, b interface{}, scope conversion.Scope) error { - return Convert_oauth_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest(a.(*oauth.OIDCClientSecretRequest), b.(*OIDCClientSecretRequest), scope) - }); err != nil { - return err - } - if err := s.AddGeneratedConversionFunc((*OIDCClientSecretRequestSpec)(nil), (*oauth.OIDCClientSecretRequestSpec)(nil), func(a, b interface{}, scope conversion.Scope) error { - return Convert_v1alpha1_OIDCClientSecretRequestSpec_To_oauth_OIDCClientSecretRequestSpec(a.(*OIDCClientSecretRequestSpec), b.(*oauth.OIDCClientSecretRequestSpec), scope) - }); err != nil { - return err - } - if err := s.AddGeneratedConversionFunc((*oauth.OIDCClientSecretRequestSpec)(nil), (*OIDCClientSecretRequestSpec)(nil), func(a, b interface{}, scope conversion.Scope) error { - return 
Convert_oauth_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec(a.(*oauth.OIDCClientSecretRequestSpec), b.(*OIDCClientSecretRequestSpec), scope) - }); err != nil { - return err - } - if err := s.AddGeneratedConversionFunc((*OIDCClientSecretRequestStatus)(nil), (*oauth.OIDCClientSecretRequestStatus)(nil), func(a, b interface{}, scope conversion.Scope) error { - return Convert_v1alpha1_OIDCClientSecretRequestStatus_To_oauth_OIDCClientSecretRequestStatus(a.(*OIDCClientSecretRequestStatus), b.(*oauth.OIDCClientSecretRequestStatus), scope) - }); err != nil { - return err - } - if err := s.AddGeneratedConversionFunc((*oauth.OIDCClientSecretRequestStatus)(nil), (*OIDCClientSecretRequestStatus)(nil), func(a, b interface{}, scope conversion.Scope) error { - return Convert_oauth_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus(a.(*oauth.OIDCClientSecretRequestStatus), b.(*OIDCClientSecretRequestStatus), scope) - }); err != nil { - return err - } - return nil -} - -func autoConvert_v1alpha1_OIDCClientSecretRequest_To_oauth_OIDCClientSecretRequest(in *OIDCClientSecretRequest, out *oauth.OIDCClientSecretRequest, s conversion.Scope) error { - out.ObjectMeta = in.ObjectMeta - if err := Convert_v1alpha1_OIDCClientSecretRequestSpec_To_oauth_OIDCClientSecretRequestSpec(&in.Spec, &out.Spec, s); err != nil { - return err - } - if err := Convert_v1alpha1_OIDCClientSecretRequestStatus_To_oauth_OIDCClientSecretRequestStatus(&in.Status, &out.Status, s); err != nil { - return err - } - return nil -} - -// Convert_v1alpha1_OIDCClientSecretRequest_To_oauth_OIDCClientSecretRequest is an autogenerated conversion function. 
-func Convert_v1alpha1_OIDCClientSecretRequest_To_oauth_OIDCClientSecretRequest(in *OIDCClientSecretRequest, out *oauth.OIDCClientSecretRequest, s conversion.Scope) error { - return autoConvert_v1alpha1_OIDCClientSecretRequest_To_oauth_OIDCClientSecretRequest(in, out, s) -} - -func autoConvert_oauth_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest(in *oauth.OIDCClientSecretRequest, out *OIDCClientSecretRequest, s conversion.Scope) error { - out.ObjectMeta = in.ObjectMeta - if err := Convert_oauth_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec(&in.Spec, &out.Spec, s); err != nil { - return err - } - if err := Convert_oauth_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus(&in.Status, &out.Status, s); err != nil { - return err - } - return nil -} - -// Convert_oauth_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest is an autogenerated conversion function. -func Convert_oauth_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest(in *oauth.OIDCClientSecretRequest, out *OIDCClientSecretRequest, s conversion.Scope) error { - return autoConvert_oauth_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest(in, out, s) -} - -func autoConvert_v1alpha1_OIDCClientSecretRequestSpec_To_oauth_OIDCClientSecretRequestSpec(in *OIDCClientSecretRequestSpec, out *oauth.OIDCClientSecretRequestSpec, s conversion.Scope) error { - out.GenerateNewSecret = in.GenerateNewSecret - out.RevokeOldSecrets = in.RevokeOldSecrets - return nil -} - -// Convert_v1alpha1_OIDCClientSecretRequestSpec_To_oauth_OIDCClientSecretRequestSpec is an autogenerated conversion function. 
-func Convert_v1alpha1_OIDCClientSecretRequestSpec_To_oauth_OIDCClientSecretRequestSpec(in *OIDCClientSecretRequestSpec, out *oauth.OIDCClientSecretRequestSpec, s conversion.Scope) error { - return autoConvert_v1alpha1_OIDCClientSecretRequestSpec_To_oauth_OIDCClientSecretRequestSpec(in, out, s) -} - -func autoConvert_oauth_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec(in *oauth.OIDCClientSecretRequestSpec, out *OIDCClientSecretRequestSpec, s conversion.Scope) error { - out.GenerateNewSecret = in.GenerateNewSecret - out.RevokeOldSecrets = in.RevokeOldSecrets - return nil -} - -// Convert_oauth_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec is an autogenerated conversion function. -func Convert_oauth_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec(in *oauth.OIDCClientSecretRequestSpec, out *OIDCClientSecretRequestSpec, s conversion.Scope) error { - return autoConvert_oauth_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec(in, out, s) -} - -func autoConvert_v1alpha1_OIDCClientSecretRequestStatus_To_oauth_OIDCClientSecretRequestStatus(in *OIDCClientSecretRequestStatus, out *oauth.OIDCClientSecretRequestStatus, s conversion.Scope) error { - out.GeneratedSecret = in.GeneratedSecret - out.TotalClientSecrets = in.TotalClientSecrets - return nil -} - -// Convert_v1alpha1_OIDCClientSecretRequestStatus_To_oauth_OIDCClientSecretRequestStatus is an autogenerated conversion function. 
-func Convert_v1alpha1_OIDCClientSecretRequestStatus_To_oauth_OIDCClientSecretRequestStatus(in *OIDCClientSecretRequestStatus, out *oauth.OIDCClientSecretRequestStatus, s conversion.Scope) error { - return autoConvert_v1alpha1_OIDCClientSecretRequestStatus_To_oauth_OIDCClientSecretRequestStatus(in, out, s) -} - -func autoConvert_oauth_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus(in *oauth.OIDCClientSecretRequestStatus, out *OIDCClientSecretRequestStatus, s conversion.Scope) error { - out.GeneratedSecret = in.GeneratedSecret - out.TotalClientSecrets = in.TotalClientSecrets - return nil -} - -// Convert_oauth_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus is an autogenerated conversion function. -func Convert_oauth_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus(in *oauth.OIDCClientSecretRequestStatus, out *OIDCClientSecretRequestStatus, s conversion.Scope) error { - return autoConvert_oauth_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus(in, out, s) -} diff --git a/generated/1.18/client/supervisor/clientset/versioned/clientset.go b/generated/1.18/client/supervisor/clientset/versioned/clientset.go index d9bb8ce9..efa026f9 100644 --- a/generated/1.18/client/supervisor/clientset/versioned/clientset.go +++ b/generated/1.18/client/supervisor/clientset/versioned/clientset.go @@ -8,9 +8,9 @@ package versioned import ( "fmt" + clientsecretv1alpha1 "go.pinniped.dev/generated/1.18/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1" configv1alpha1 "go.pinniped.dev/generated/1.18/client/supervisor/clientset/versioned/typed/config/v1alpha1" idpv1alpha1 "go.pinniped.dev/generated/1.18/client/supervisor/clientset/versioned/typed/idp/v1alpha1" - oauthv1alpha1 "go.pinniped.dev/generated/1.18/client/supervisor/clientset/versioned/typed/oauth/v1alpha1" discovery "k8s.io/client-go/discovery" rest "k8s.io/client-go/rest" flowcontrol "k8s.io/client-go/util/flowcontrol" 
@@ -18,18 +18,23 @@ import ( type Interface interface { Discovery() discovery.DiscoveryInterface + ClientsecretV1alpha1() clientsecretv1alpha1.ClientsecretV1alpha1Interface ConfigV1alpha1() configv1alpha1.ConfigV1alpha1Interface IDPV1alpha1() idpv1alpha1.IDPV1alpha1Interface - OauthV1alpha1() oauthv1alpha1.OauthV1alpha1Interface } // Clientset contains the clients for groups. Each group has exactly one // version included in a Clientset. type Clientset struct { *discovery.DiscoveryClient - configV1alpha1 *configv1alpha1.ConfigV1alpha1Client - iDPV1alpha1 *idpv1alpha1.IDPV1alpha1Client - oauthV1alpha1 *oauthv1alpha1.OauthV1alpha1Client + clientsecretV1alpha1 *clientsecretv1alpha1.ClientsecretV1alpha1Client + configV1alpha1 *configv1alpha1.ConfigV1alpha1Client + iDPV1alpha1 *idpv1alpha1.IDPV1alpha1Client +} + +// ClientsecretV1alpha1 retrieves the ClientsecretV1alpha1Client +func (c *Clientset) ClientsecretV1alpha1() clientsecretv1alpha1.ClientsecretV1alpha1Interface { + return c.clientsecretV1alpha1 } // ConfigV1alpha1 retrieves the ConfigV1alpha1Client @@ -42,11 +47,6 @@ func (c *Clientset) IDPV1alpha1() idpv1alpha1.IDPV1alpha1Interface { return c.iDPV1alpha1 } -// OauthV1alpha1 retrieves the OauthV1alpha1Client -func (c *Clientset) OauthV1alpha1() oauthv1alpha1.OauthV1alpha1Interface { - return c.oauthV1alpha1 -} - // Discovery retrieves the DiscoveryClient func (c *Clientset) Discovery() discovery.DiscoveryInterface { if c == nil { @@ -68,6 +68,10 @@ func NewForConfig(c *rest.Config) (*Clientset, error) { } var cs Clientset var err error + cs.clientsecretV1alpha1, err = clientsecretv1alpha1.NewForConfig(&configShallowCopy) + if err != nil { + return nil, err + } cs.configV1alpha1, err = configv1alpha1.NewForConfig(&configShallowCopy) if err != nil { return nil, err 
@@ -76,10 +80,6 @@ func NewForConfig(c *rest.Config) (*Clientset, error) { if err != nil { return nil, err } - cs.oauthV1alpha1, err = oauthv1alpha1.NewForConfig(&configShallowCopy) - if err != nil { - return nil, err - } cs.DiscoveryClient, err = discovery.NewDiscoveryClientForConfig(&configShallowCopy) if err != nil { @@ -92,9 +92,9 @@ func NewForConfig(c *rest.Config) (*Clientset, error) { // panics if there is an error in the config. func NewForConfigOrDie(c *rest.Config) *Clientset { var cs Clientset + cs.clientsecretV1alpha1 = clientsecretv1alpha1.NewForConfigOrDie(c) cs.configV1alpha1 = configv1alpha1.NewForConfigOrDie(c) cs.iDPV1alpha1 = idpv1alpha1.NewForConfigOrDie(c) - cs.oauthV1alpha1 = oauthv1alpha1.NewForConfigOrDie(c) cs.DiscoveryClient = discovery.NewDiscoveryClientForConfigOrDie(c) return &cs @@ -103,9 +103,9 @@ func NewForConfigOrDie(c *rest.Config) *Clientset { // New creates a new Clientset for the given RESTClient. func New(c rest.Interface) *Clientset { var cs Clientset + cs.clientsecretV1alpha1 = clientsecretv1alpha1.New(c) cs.configV1alpha1 = configv1alpha1.New(c) cs.iDPV1alpha1 = idpv1alpha1.New(c) - cs.oauthV1alpha1 = oauthv1alpha1.New(c) cs.DiscoveryClient = discovery.NewDiscoveryClient(c) return &cs diff --git a/generated/1.18/client/supervisor/clientset/versioned/fake/clientset_generated.go b/generated/1.18/client/supervisor/clientset/versioned/fake/clientset_generated.go index be0ba580..5245f5ae 100644 --- a/generated/1.18/client/supervisor/clientset/versioned/fake/clientset_generated.go +++ b/generated/1.18/client/supervisor/clientset/versioned/fake/clientset_generated.go 
@@ -7,12 +7,12 @@ package fake import ( clientset "go.pinniped.dev/generated/1.18/client/supervisor/clientset/versioned" + clientsecretv1alpha1 "go.pinniped.dev/generated/1.18/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1" + fakeclientsecretv1alpha1 "go.pinniped.dev/generated/1.18/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/fake" configv1alpha1 "go.pinniped.dev/generated/1.18/client/supervisor/clientset/versioned/typed/config/v1alpha1" fakeconfigv1alpha1 "go.pinniped.dev/generated/1.18/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake" idpv1alpha1 "go.pinniped.dev/generated/1.18/client/supervisor/clientset/versioned/typed/idp/v1alpha1" fakeidpv1alpha1 "go.pinniped.dev/generated/1.18/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake" - oauthv1alpha1 "go.pinniped.dev/generated/1.18/client/supervisor/clientset/versioned/typed/oauth/v1alpha1" - fakeoauthv1alpha1 "go.pinniped.dev/generated/1.18/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake" "k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/watch" "k8s.io/client-go/discovery" @@ -67,6 +67,11 @@ func (c *Clientset) Tracker() testing.ObjectTracker { var _ clientset.Interface = &Clientset{} +// ClientsecretV1alpha1 retrieves the ClientsecretV1alpha1Client +func (c *Clientset) ClientsecretV1alpha1() clientsecretv1alpha1.ClientsecretV1alpha1Interface { + return &fakeclientsecretv1alpha1.FakeClientsecretV1alpha1{Fake: &c.Fake} +} + // ConfigV1alpha1 retrieves the ConfigV1alpha1Client func (c *Clientset) ConfigV1alpha1() configv1alpha1.ConfigV1alpha1Interface { return &fakeconfigv1alpha1.FakeConfigV1alpha1{Fake: &c.Fake} 
@@ -76,8 +81,3 @@ func (c *Clientset) ConfigV1alpha1() configv1alpha1.ConfigV1alpha1Interface { func (c *Clientset) IDPV1alpha1() idpv1alpha1.IDPV1alpha1Interface { return &fakeidpv1alpha1.FakeIDPV1alpha1{Fake: &c.Fake} } - -// OauthV1alpha1 retrieves the OauthV1alpha1Client -func (c *Clientset) OauthV1alpha1() oauthv1alpha1.OauthV1alpha1Interface { - return &fakeoauthv1alpha1.FakeOauthV1alpha1{Fake: &c.Fake} -} diff --git a/generated/1.18/client/supervisor/clientset/versioned/fake/register.go b/generated/1.18/client/supervisor/clientset/versioned/fake/register.go index 9a64a8a9..33d9c9bb 100644 --- a/generated/1.18/client/supervisor/clientset/versioned/fake/register.go +++ b/generated/1.18/client/supervisor/clientset/versioned/fake/register.go @@ -6,9 +6,9 @@ package fake import ( + clientsecretv1alpha1 "go.pinniped.dev/generated/1.18/apis/supervisor/clientsecret/v1alpha1" configv1alpha1 "go.pinniped.dev/generated/1.18/apis/supervisor/config/v1alpha1" idpv1alpha1 "go.pinniped.dev/generated/1.18/apis/supervisor/idp/v1alpha1" - oauthv1alpha1 "go.pinniped.dev/generated/1.18/apis/supervisor/oauth/v1alpha1" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" runtime "k8s.io/apimachinery/pkg/runtime" schema "k8s.io/apimachinery/pkg/runtime/schema" @@ -20,9 +20,9 @@ var scheme = runtime.NewScheme() var codecs = serializer.NewCodecFactory(scheme) var parameterCodec = runtime.NewParameterCodec(scheme) var localSchemeBuilder = runtime.SchemeBuilder{ + clientsecretv1alpha1.AddToScheme, configv1alpha1.AddToScheme, idpv1alpha1.AddToScheme, - oauthv1alpha1.AddToScheme, } // AddToScheme adds all types of this clientset into the given scheme. This allows composition diff --git a/generated/1.18/client/supervisor/clientset/versioned/scheme/register.go b/generated/1.18/client/supervisor/clientset/versioned/scheme/register.go index 1de4c05d..cfb2a59f 100644 --- a/generated/1.18/client/supervisor/clientset/versioned/scheme/register.go 
+++ b/generated/1.18/client/supervisor/clientset/versioned/scheme/register.go @@ -6,9 +6,9 @@ package scheme import ( + clientsecretv1alpha1 "go.pinniped.dev/generated/1.18/apis/supervisor/clientsecret/v1alpha1" configv1alpha1 "go.pinniped.dev/generated/1.18/apis/supervisor/config/v1alpha1" idpv1alpha1 "go.pinniped.dev/generated/1.18/apis/supervisor/idp/v1alpha1" - oauthv1alpha1 "go.pinniped.dev/generated/1.18/apis/supervisor/oauth/v1alpha1" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" runtime "k8s.io/apimachinery/pkg/runtime" schema "k8s.io/apimachinery/pkg/runtime/schema" @@ -20,9 +20,9 @@ var Scheme = runtime.NewScheme() var Codecs = serializer.NewCodecFactory(Scheme) var ParameterCodec = runtime.NewParameterCodec(Scheme) var localSchemeBuilder = runtime.SchemeBuilder{ + clientsecretv1alpha1.AddToScheme, configv1alpha1.AddToScheme, idpv1alpha1.AddToScheme, - oauthv1alpha1.AddToScheme, } // AddToScheme adds all types of this clientset into the given scheme. This allows composition diff --git a/generated/1.19/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go b/generated/1.18/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/clientsecret_client.go similarity index 51% rename from generated/1.19/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go rename to generated/1.18/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/clientsecret_client.go index f0d93b95..300b26e4 100644 --- a/generated/1.19/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go +++ b/generated/1.18/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/clientsecret_client.go 
@@ -6,27 +6,27 @@ package v1alpha1 import ( - v1alpha1 "go.pinniped.dev/generated/1.19/apis/supervisor/virtual/oauth/v1alpha1" - "go.pinniped.dev/generated/1.19/client/supervisor/virtual/clientset/versioned/scheme" + v1alpha1 "go.pinniped.dev/generated/1.18/apis/supervisor/clientsecret/v1alpha1" + "go.pinniped.dev/generated/1.18/client/supervisor/clientset/versioned/scheme" rest "k8s.io/client-go/rest" ) -type OauthV1alpha1Interface interface { +type ClientsecretV1alpha1Interface interface { RESTClient() rest.Interface OIDCClientSecretRequestsGetter } -// OauthV1alpha1Client is used to interact with features provided by the oauth.virtual.supervisor.pinniped.dev group. -type OauthV1alpha1Client struct { +// ClientsecretV1alpha1Client is used to interact with features provided by the clientsecret.supervisor.pinniped.dev group. +type ClientsecretV1alpha1Client struct { restClient rest.Interface } -func (c *OauthV1alpha1Client) OIDCClientSecretRequests(namespace string) OIDCClientSecretRequestInterface { +func (c *ClientsecretV1alpha1Client) OIDCClientSecretRequests(namespace string) OIDCClientSecretRequestInterface { return newOIDCClientSecretRequests(c, namespace) } -// NewForConfig creates a new OauthV1alpha1Client for the given config. -func NewForConfig(c *rest.Config) (*OauthV1alpha1Client, error) { +// NewForConfig creates a new ClientsecretV1alpha1Client for the given config. +func NewForConfig(c *rest.Config) (*ClientsecretV1alpha1Client, error) { config := *c if err := setConfigDefaults(&config); err != nil { return nil, err 
@@ -35,12 +35,12 @@ func NewForConfig(c *rest.Config) (*OauthV1alpha1Client, error) { if err != nil { return nil, err } - return &OauthV1alpha1Client{client}, nil + return &ClientsecretV1alpha1Client{client}, nil } -// NewForConfigOrDie creates a new OauthV1alpha1Client for the given config and +// NewForConfigOrDie creates a new ClientsecretV1alpha1Client for the given config and // panics if there is an error in the config. -func NewForConfigOrDie(c *rest.Config) *OauthV1alpha1Client { +func NewForConfigOrDie(c *rest.Config) *ClientsecretV1alpha1Client { client, err := NewForConfig(c) if err != nil { panic(err) @@ -48,9 +48,9 @@ func NewForConfigOrDie(c *rest.Config) *OauthV1alpha1Client { return client } -// New creates a new OauthV1alpha1Client for the given RESTClient. -func New(c rest.Interface) *OauthV1alpha1Client { - return &OauthV1alpha1Client{c} +// New creates a new ClientsecretV1alpha1Client for the given RESTClient. +func New(c rest.Interface) *ClientsecretV1alpha1Client { + return &ClientsecretV1alpha1Client{c} } func setConfigDefaults(config *rest.Config) error { @@ -68,7 +68,7 @@ func setConfigDefaults(config *rest.Config) error { // RESTClient returns a RESTClient that is used to communicate // with API server by this client implementation. -func (c *OauthV1alpha1Client) RESTClient() rest.Interface { +func (c *ClientsecretV1alpha1Client) RESTClient() rest.Interface { if c == nil { return nil } diff --git a/generated/1.17/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/doc.go b/generated/1.18/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/doc.go similarity index 100% rename from generated/1.17/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/doc.go rename to generated/1.18/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/doc.go 
diff --git a/generated/1.17/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go b/generated/1.18/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/fake/doc.go similarity index 100% rename from generated/1.17/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go rename to generated/1.18/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/fake/doc.go diff --git a/generated/1.18/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go b/generated/1.18/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/fake/fake_clientsecret_client.go similarity index 60% rename from generated/1.18/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go rename to generated/1.18/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/fake/fake_clientsecret_client.go index 0483f163..db5d3099 100644 --- a/generated/1.18/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go +++ b/generated/1.18/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/fake/fake_clientsecret_client.go 
@@ -6,22 +6,22 @@ package fake import ( - v1alpha1 "go.pinniped.dev/generated/1.18/client/supervisor/clientset/versioned/typed/oauth/v1alpha1" + v1alpha1 "go.pinniped.dev/generated/1.18/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1" rest "k8s.io/client-go/rest" testing "k8s.io/client-go/testing" ) -type FakeOauthV1alpha1 struct { +type FakeClientsecretV1alpha1 struct { *testing.Fake } -func (c *FakeOauthV1alpha1) OIDCClients(namespace string) v1alpha1.OIDCClientInterface { - return &FakeOIDCClients{c, namespace} +func (c *FakeClientsecretV1alpha1) OIDCClientSecretRequests(namespace string) v1alpha1.OIDCClientSecretRequestInterface { + return &FakeOIDCClientSecretRequests{c, namespace} } // RESTClient returns a RESTClient that is used to communicate // with API server by this client implementation. -func (c *FakeOauthV1alpha1) RESTClient() rest.Interface { +func (c *FakeClientsecretV1alpha1) RESTClient() rest.Interface { var ret *rest.RESTClient return ret } diff --git a/generated/1.18/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oidcclientsecretrequest.go b/generated/1.18/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/fake/fake_oidcclientsecretrequest.go similarity index 79% rename from generated/1.18/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oidcclientsecretrequest.go rename to generated/1.18/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/fake/fake_oidcclientsecretrequest.go index 8094fcf0..55a4c288 100644 --- a/generated/1.18/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oidcclientsecretrequest.go +++ b/generated/1.18/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/fake/fake_oidcclientsecretrequest.go 
@@ -8,7 +8,7 @@ package fake import ( "context" - v1alpha1 "go.pinniped.dev/generated/1.18/apis/supervisor/virtual/oauth/v1alpha1" + v1alpha1 "go.pinniped.dev/generated/1.18/apis/supervisor/clientsecret/v1alpha1" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" schema "k8s.io/apimachinery/pkg/runtime/schema" testing "k8s.io/client-go/testing" @@ -16,13 +16,13 @@ import ( // FakeOIDCClientSecretRequests implements OIDCClientSecretRequestInterface type FakeOIDCClientSecretRequests struct { - Fake *FakeOauthV1alpha1 + Fake *FakeClientsecretV1alpha1 ns string } -var oidcclientsecretrequestsResource = schema.GroupVersionResource{Group: "oauth.virtual.supervisor.pinniped.dev", Version: "v1alpha1", Resource: "oidcclientsecretrequests"} +var oidcclientsecretrequestsResource = schema.GroupVersionResource{Group: "clientsecret.supervisor.pinniped.dev", Version: "v1alpha1", Resource: "oidcclientsecretrequests"} -var oidcclientsecretrequestsKind = schema.GroupVersionKind{Group: "oauth.virtual.supervisor.pinniped.dev", Version: "v1alpha1", Kind: "OIDCClientSecretRequest"} +var oidcclientsecretrequestsKind = schema.GroupVersionKind{Group: "clientsecret.supervisor.pinniped.dev", Version: "v1alpha1", Kind: "OIDCClientSecretRequest"} // Create takes the representation of a oIDCClientSecretRequest and creates it. Returns the server's representation of the oIDCClientSecretRequest, and an error, if there is any. func (c *FakeOIDCClientSecretRequests) Create(ctx context.Context, oIDCClientSecretRequest *v1alpha1.OIDCClientSecretRequest, opts v1.CreateOptions) (result *v1alpha1.OIDCClientSecretRequest, err error) { 
diff --git a/generated/1.18/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go b/generated/1.18/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/generated_expansion.go similarity index 100% rename from generated/1.18/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go rename to generated/1.18/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/generated_expansion.go diff --git a/generated/1.19/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/oidcclientsecretrequest.go b/generated/1.18/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/oidcclientsecretrequest.go similarity index 86% rename from generated/1.19/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/oidcclientsecretrequest.go rename to generated/1.18/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/oidcclientsecretrequest.go index 160ae6da..28ba2721 100644 --- a/generated/1.19/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/oidcclientsecretrequest.go +++ b/generated/1.18/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/oidcclientsecretrequest.go @@ -8,8 +8,8 @@ package v1alpha1 import ( "context" - v1alpha1 "go.pinniped.dev/generated/1.19/apis/supervisor/virtual/oauth/v1alpha1" - scheme "go.pinniped.dev/generated/1.19/client/supervisor/virtual/clientset/versioned/scheme" + v1alpha1 "go.pinniped.dev/generated/1.18/apis/supervisor/clientsecret/v1alpha1" + scheme "go.pinniped.dev/generated/1.18/client/supervisor/clientset/versioned/scheme" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" rest "k8s.io/client-go/rest" ) 
@@ -33,7 +33,7 @@ type oIDCClientSecretRequests struct { } // newOIDCClientSecretRequests returns a OIDCClientSecretRequests -func newOIDCClientSecretRequests(c *OauthV1alpha1Client, namespace string) *oIDCClientSecretRequests { +func newOIDCClientSecretRequests(c *ClientsecretV1alpha1Client, namespace string) *oIDCClientSecretRequests { return &oIDCClientSecretRequests{ client: c.RESTClient(), ns: namespace, diff --git a/generated/1.18/client/supervisor/clientset/versioned/typed/config/v1alpha1/config_client.go b/generated/1.18/client/supervisor/clientset/versioned/typed/config/v1alpha1/config_client.go index 1bdb3362..24c1c6bf 100644 --- a/generated/1.18/client/supervisor/clientset/versioned/typed/config/v1alpha1/config_client.go +++ b/generated/1.18/client/supervisor/clientset/versioned/typed/config/v1alpha1/config_client.go @@ -14,6 +14,7 @@ import ( type ConfigV1alpha1Interface interface { RESTClient() rest.Interface FederationDomainsGetter + OIDCClientsGetter } // ConfigV1alpha1Client is used to interact with features provided by the config.supervisor.pinniped.dev group. @@ -25,6 +26,10 @@ func (c *ConfigV1alpha1Client) FederationDomains(namespace string) FederationDom return newFederationDomains(c, namespace) } +func (c *ConfigV1alpha1Client) OIDCClients(namespace string) OIDCClientInterface { + return newOIDCClients(c, namespace) +} + // NewForConfig creates a new ConfigV1alpha1Client for the given config. func NewForConfig(c *rest.Config) (*ConfigV1alpha1Client, error) { config := *c diff --git a/generated/1.18/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake/fake_config_client.go b/generated/1.18/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake/fake_config_client.go index 0aeb5048..a653b66e 100644 --- a/generated/1.18/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake/fake_config_client.go +++ b/generated/1.18/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake/fake_config_client.go 
@@ -19,6 +19,10 @@ func (c *FakeConfigV1alpha1) FederationDomains(namespace string) v1alpha1.Federa return &FakeFederationDomains{c, namespace} } +func (c *FakeConfigV1alpha1) OIDCClients(namespace string) v1alpha1.OIDCClientInterface { + return &FakeOIDCClients{c, namespace} +} + // RESTClient returns a RESTClient that is used to communicate // with API server by this client implementation. func (c *FakeConfigV1alpha1) RESTClient() rest.Interface { diff --git a/generated/1.19/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oidcclient.go b/generated/1.18/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake/fake_oidcclient.go similarity index 92% rename from generated/1.19/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oidcclient.go rename to generated/1.18/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake/fake_oidcclient.go index 078ab176..f04ffb6d 100644 --- a/generated/1.19/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oidcclient.go +++ b/generated/1.18/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake/fake_oidcclient.go @@ -8,7 +8,7 @@ package fake import ( "context" - v1alpha1 "go.pinniped.dev/generated/1.19/apis/supervisor/oauth/v1alpha1" + v1alpha1 "go.pinniped.dev/generated/1.18/apis/supervisor/config/v1alpha1" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" labels "k8s.io/apimachinery/pkg/labels" schema "k8s.io/apimachinery/pkg/runtime/schema" 
@@ -19,13 +19,13 @@ import ( // FakeOIDCClients implements OIDCClientInterface type FakeOIDCClients struct { - Fake *FakeOauthV1alpha1 + Fake *FakeConfigV1alpha1 ns string } -var oidcclientsResource = schema.GroupVersionResource{Group: "oauth.supervisor.pinniped.dev", Version: "v1alpha1", Resource: "oidcclients"} +var oidcclientsResource = schema.GroupVersionResource{Group: "config.supervisor.pinniped.dev", Version: "v1alpha1", Resource: "oidcclients"} -var oidcclientsKind = schema.GroupVersionKind{Group: "oauth.supervisor.pinniped.dev", Version: "v1alpha1", Kind: "OIDCClient"} +var oidcclientsKind = schema.GroupVersionKind{Group: "config.supervisor.pinniped.dev", Version: "v1alpha1", Kind: "OIDCClient"} // Get takes name of the oIDCClient, and returns the corresponding oIDCClient object, and an error if there is any. func (c *FakeOIDCClients) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.OIDCClient, err error) { diff --git a/generated/1.18/client/supervisor/clientset/versioned/typed/config/v1alpha1/generated_expansion.go b/generated/1.18/client/supervisor/clientset/versioned/typed/config/v1alpha1/generated_expansion.go index ba9c9173..35b9ee3d 100644 --- a/generated/1.18/client/supervisor/clientset/versioned/typed/config/v1alpha1/generated_expansion.go +++ b/generated/1.18/client/supervisor/clientset/versioned/typed/config/v1alpha1/generated_expansion.go @@ -6,3 +6,5 @@ package v1alpha1 type FederationDomainExpansion interface{} + +type OIDCClientExpansion interface{} diff --git a/generated/1.18/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oidcclient.go b/generated/1.18/client/supervisor/clientset/versioned/typed/config/v1alpha1/oidcclient.go similarity index 97% rename from generated/1.18/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oidcclient.go rename to generated/1.18/client/supervisor/clientset/versioned/typed/config/v1alpha1/oidcclient.go index 26026924..1e65bfbf 100644 
--- a/generated/1.18/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oidcclient.go +++ b/generated/1.18/client/supervisor/clientset/versioned/typed/config/v1alpha1/oidcclient.go @@ -9,7 +9,7 @@ import ( "context" "time" - v1alpha1 "go.pinniped.dev/generated/1.18/apis/supervisor/oauth/v1alpha1" + v1alpha1 "go.pinniped.dev/generated/1.18/apis/supervisor/config/v1alpha1" scheme "go.pinniped.dev/generated/1.18/client/supervisor/clientset/versioned/scheme" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" types "k8s.io/apimachinery/pkg/types" @@ -44,7 +44,7 @@ type oIDCClients struct { } // newOIDCClients returns a OIDCClients -func newOIDCClients(c *OauthV1alpha1Client, namespace string) *oIDCClients { +func newOIDCClients(c *ConfigV1alpha1Client, namespace string) *oIDCClients { return &oIDCClients{ client: c.RESTClient(), ns: namespace, diff --git a/generated/1.18/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go b/generated/1.18/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go deleted file mode 100644 index 87d22ea9..00000000 --- a/generated/1.18/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go +++ /dev/null @@ -1,8 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by client-gen. DO NOT EDIT. - -package v1alpha1 - -type OIDCClientExpansion interface{} diff --git a/generated/1.18/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go b/generated/1.18/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go deleted file mode 100644 index 17d59cf4..00000000 --- a/generated/1.18/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go +++ /dev/null 
@@ -1,76 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by client-gen. DO NOT EDIT. - -package v1alpha1 - -import ( - v1alpha1 "go.pinniped.dev/generated/1.18/apis/supervisor/oauth/v1alpha1" - "go.pinniped.dev/generated/1.18/client/supervisor/clientset/versioned/scheme" - rest "k8s.io/client-go/rest" -) - -type OauthV1alpha1Interface interface { - RESTClient() rest.Interface - OIDCClientsGetter -} - -// OauthV1alpha1Client is used to interact with features provided by the oauth.supervisor.pinniped.dev group. -type OauthV1alpha1Client struct { - restClient rest.Interface -} - -func (c *OauthV1alpha1Client) OIDCClients(namespace string) OIDCClientInterface { - return newOIDCClients(c, namespace) -} - -// NewForConfig creates a new OauthV1alpha1Client for the given config. -func NewForConfig(c *rest.Config) (*OauthV1alpha1Client, error) { - config := *c - if err := setConfigDefaults(&config); err != nil { - return nil, err - } - client, err := rest.RESTClientFor(&config) - if err != nil { - return nil, err - } - return &OauthV1alpha1Client{client}, nil -} - -// NewForConfigOrDie creates a new OauthV1alpha1Client for the given config and -// panics if there is an error in the config. -func NewForConfigOrDie(c *rest.Config) *OauthV1alpha1Client { - client, err := NewForConfig(c) - if err != nil { - panic(err) - } - return client -} - -// New creates a new OauthV1alpha1Client for the given RESTClient. 
-func New(c rest.Interface) *OauthV1alpha1Client { - return &OauthV1alpha1Client{c} -} - -func setConfigDefaults(config *rest.Config) error { - gv := v1alpha1.SchemeGroupVersion - config.GroupVersion = &gv - config.APIPath = "/apis" - config.NegotiatedSerializer = scheme.Codecs.WithoutConversion() - - if config.UserAgent == "" { - config.UserAgent = rest.DefaultKubernetesUserAgent() - } - - return nil -} - -// RESTClient returns a RESTClient that is used to communicate -// with API server by this client implementation. -func (c *OauthV1alpha1Client) RESTClient() rest.Interface { - if c == nil { - return nil - } - return c.restClient -} diff --git a/generated/1.18/client/supervisor/informers/externalversions/config/v1alpha1/interface.go b/generated/1.18/client/supervisor/informers/externalversions/config/v1alpha1/interface.go index 54d42593..af4b30aa 100644 --- a/generated/1.18/client/supervisor/informers/externalversions/config/v1alpha1/interface.go +++ b/generated/1.18/client/supervisor/informers/externalversions/config/v1alpha1/interface.go @@ -13,6 +13,8 @@ import ( type Interface interface { // FederationDomains returns a FederationDomainInformer. FederationDomains() FederationDomainInformer + // OIDCClients returns a OIDCClientInformer. + OIDCClients() OIDCClientInformer } type version struct { @@ -30,3 +32,8 @@ func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakList func (v *version) FederationDomains() FederationDomainInformer { return &federationDomainInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions} } + +// OIDCClients returns a OIDCClientInformer. +func (v *version) OIDCClients() OIDCClientInformer { + return &oIDCClientInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions} +} 
diff --git a/generated/1.18/client/supervisor/informers/externalversions/oauth/v1alpha1/oidcclient.go b/generated/1.18/client/supervisor/informers/externalversions/config/v1alpha1/oidcclient.go similarity index 88% rename from generated/1.18/client/supervisor/informers/externalversions/oauth/v1alpha1/oidcclient.go rename to generated/1.18/client/supervisor/informers/externalversions/config/v1alpha1/oidcclient.go index c5869b86..bf495ab0 100644 --- a/generated/1.18/client/supervisor/informers/externalversions/oauth/v1alpha1/oidcclient.go +++ b/generated/1.18/client/supervisor/informers/externalversions/config/v1alpha1/oidcclient.go @@ -9,10 +9,10 @@ import ( "context" time "time" - oauthv1alpha1 "go.pinniped.dev/generated/1.18/apis/supervisor/oauth/v1alpha1" + configv1alpha1 "go.pinniped.dev/generated/1.18/apis/supervisor/config/v1alpha1" versioned "go.pinniped.dev/generated/1.18/client/supervisor/clientset/versioned" internalinterfaces "go.pinniped.dev/generated/1.18/client/supervisor/informers/externalversions/internalinterfaces" - v1alpha1 "go.pinniped.dev/generated/1.18/client/supervisor/listers/oauth/v1alpha1" + v1alpha1 "go.pinniped.dev/generated/1.18/client/supervisor/listers/config/v1alpha1" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" runtime "k8s.io/apimachinery/pkg/runtime" watch "k8s.io/apimachinery/pkg/watch" 
@@ -49,16 +49,16 @@ func NewFilteredOIDCClientInformer(client versioned.Interface, namespace string, if tweakListOptions != nil { tweakListOptions(&options) } - return client.OauthV1alpha1().OIDCClients(namespace).List(context.TODO(), options) + return client.ConfigV1alpha1().OIDCClients(namespace).List(context.TODO(), options) }, WatchFunc: func(options v1.ListOptions) (watch.Interface, error) { if tweakListOptions != nil { tweakListOptions(&options) } - return client.OauthV1alpha1().OIDCClients(namespace).Watch(context.TODO(), options) + return client.ConfigV1alpha1().OIDCClients(namespace).Watch(context.TODO(), options) }, }, - &oauthv1alpha1.OIDCClient{}, + &configv1alpha1.OIDCClient{}, resyncPeriod, indexers, ) @@ -69,7 +69,7 @@ func (f *oIDCClientInformer) defaultInformer(client versioned.Interface, resyncP } func (f *oIDCClientInformer) Informer() cache.SharedIndexInformer { - return f.factory.InformerFor(&oauthv1alpha1.OIDCClient{}, f.defaultInformer) + return f.factory.InformerFor(&configv1alpha1.OIDCClient{}, f.defaultInformer) } func (f *oIDCClientInformer) Lister() v1alpha1.OIDCClientLister { diff --git a/generated/1.18/client/supervisor/informers/externalversions/factory.go b/generated/1.18/client/supervisor/informers/externalversions/factory.go index 158fded5..997de893 100644 --- a/generated/1.18/client/supervisor/informers/externalversions/factory.go +++ b/generated/1.18/client/supervisor/informers/externalversions/factory.go 
@@ -14,7 +14,6 @@ import ( config "go.pinniped.dev/generated/1.18/client/supervisor/informers/externalversions/config" idp "go.pinniped.dev/generated/1.18/client/supervisor/informers/externalversions/idp" internalinterfaces "go.pinniped.dev/generated/1.18/client/supervisor/informers/externalversions/internalinterfaces" - oauth "go.pinniped.dev/generated/1.18/client/supervisor/informers/externalversions/oauth" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" runtime "k8s.io/apimachinery/pkg/runtime" schema "k8s.io/apimachinery/pkg/runtime/schema" @@ -163,7 +162,6 @@ type SharedInformerFactory interface { Config() config.Interface IDP() idp.Interface - Oauth() oauth.Interface } func (f *sharedInformerFactory) Config() config.Interface { @@ -173,7 +171,3 @@ func (f *sharedInformerFactory) Config() config.Interface { func (f *sharedInformerFactory) IDP() idp.Interface { return idp.New(f, f.namespace, f.tweakListOptions) } - -func (f *sharedInformerFactory) Oauth() oauth.Interface { - return oauth.New(f, f.namespace, f.tweakListOptions) -} diff --git a/generated/1.18/client/supervisor/informers/externalversions/generic.go b/generated/1.18/client/supervisor/informers/externalversions/generic.go index 43579b43..395cc6a8 100644 --- a/generated/1.18/client/supervisor/informers/externalversions/generic.go +++ b/generated/1.18/client/supervisor/informers/externalversions/generic.go @@ -10,7 +10,6 @@ import ( v1alpha1 "go.pinniped.dev/generated/1.18/apis/supervisor/config/v1alpha1" idpv1alpha1 "go.pinniped.dev/generated/1.18/apis/supervisor/idp/v1alpha1" - oauthv1alpha1 "go.pinniped.dev/generated/1.18/apis/supervisor/oauth/v1alpha1" schema "k8s.io/apimachinery/pkg/runtime/schema" cache "k8s.io/client-go/tools/cache" ) 
@@ -44,6 +43,8 @@ func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource
 // Group=config.supervisor.pinniped.dev, Version=v1alpha1
 case v1alpha1.SchemeGroupVersion.WithResource("federationdomains"):
 return &genericInformer{resource: resource.GroupResource(), informer: f.Config().V1alpha1().FederationDomains().Informer()}, nil
+ case v1alpha1.SchemeGroupVersion.WithResource("oidcclients"):
+ return &genericInformer{resource: resource.GroupResource(), informer: f.Config().V1alpha1().OIDCClients().Informer()}, nil
 
 // Group=idp.supervisor.pinniped.dev, Version=v1alpha1
 case idpv1alpha1.SchemeGroupVersion.WithResource("activedirectoryidentityproviders"):
@@ -53,10 +54,6 @@ func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource
 case idpv1alpha1.SchemeGroupVersion.WithResource("oidcidentityproviders"):
 return &genericInformer{resource: resource.GroupResource(), informer: f.IDP().V1alpha1().OIDCIdentityProviders().Informer()}, nil
 
- // Group=oauth.supervisor.pinniped.dev, Version=v1alpha1
- case oauthv1alpha1.SchemeGroupVersion.WithResource("oidcclients"):
- return &genericInformer{resource: resource.GroupResource(), informer: f.Oauth().V1alpha1().OIDCClients().Informer()}, nil
-
 }
 
 return nil, fmt.Errorf("no informer found for %v", resource)
diff --git a/generated/1.18/client/supervisor/informers/externalversions/oauth/interface.go b/generated/1.18/client/supervisor/informers/externalversions/oauth/interface.go
deleted file mode 100644
index 7a2b6531..00000000
--- a/generated/1.18/client/supervisor/informers/externalversions/oauth/interface.go
+++ /dev/null
@@ -1,33 +0,0 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
-// SPDX-License-Identifier: Apache-2.0
-
-// Code generated by informer-gen. DO NOT EDIT.
-
-package oauth
-
-import (
- internalinterfaces "go.pinniped.dev/generated/1.18/client/supervisor/informers/externalversions/internalinterfaces"
- v1alpha1 "go.pinniped.dev/generated/1.18/client/supervisor/informers/externalversions/oauth/v1alpha1"
-)
-
-// Interface provides access to each of this group's versions.
-type Interface interface {
- // V1alpha1 provides access to shared informers for resources in V1alpha1.
- V1alpha1() v1alpha1.Interface
-}
-
-type group struct {
- factory internalinterfaces.SharedInformerFactory
- namespace string
- tweakListOptions internalinterfaces.TweakListOptionsFunc
-}
-
-// New returns a new Interface.
-func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakListOptions internalinterfaces.TweakListOptionsFunc) Interface {
- return &group{factory: f, namespace: namespace, tweakListOptions: tweakListOptions}
-}
-
-// V1alpha1 returns a new v1alpha1.Interface.
-func (g *group) V1alpha1() v1alpha1.Interface {
- return v1alpha1.New(g.factory, g.namespace, g.tweakListOptions)
-}
diff --git a/generated/1.18/client/supervisor/informers/externalversions/oauth/v1alpha1/interface.go b/generated/1.18/client/supervisor/informers/externalversions/oauth/v1alpha1/interface.go
deleted file mode 100644
index 86b4efd0..00000000
--- a/generated/1.18/client/supervisor/informers/externalversions/oauth/v1alpha1/interface.go
+++ /dev/null
@@ -1,32 +0,0 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
-// SPDX-License-Identifier: Apache-2.0
-
-// Code generated by informer-gen. DO NOT EDIT.
-
-package v1alpha1
-
-import (
- internalinterfaces "go.pinniped.dev/generated/1.18/client/supervisor/informers/externalversions/internalinterfaces"
-)
-
-// Interface provides access to all the informers in this group version.
-type Interface interface {
- // OIDCClients returns a OIDCClientInformer.
- OIDCClients() OIDCClientInformer
-}
-
-type version struct {
- factory internalinterfaces.SharedInformerFactory
- namespace string
- tweakListOptions internalinterfaces.TweakListOptionsFunc
-}
-
-// New returns a new Interface.
-func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakListOptions internalinterfaces.TweakListOptionsFunc) Interface {
- return &version{factory: f, namespace: namespace, tweakListOptions: tweakListOptions}
-}
-
-// OIDCClients returns a OIDCClientInformer.
-func (v *version) OIDCClients() OIDCClientInformer {
- return &oIDCClientInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions}
-}
diff --git a/generated/1.18/client/supervisor/listers/config/v1alpha1/expansion_generated.go b/generated/1.18/client/supervisor/listers/config/v1alpha1/expansion_generated.go
index d59892c4..bda2f20e 100644
--- a/generated/1.18/client/supervisor/listers/config/v1alpha1/expansion_generated.go
+++ b/generated/1.18/client/supervisor/listers/config/v1alpha1/expansion_generated.go
@@ -12,3 +12,11 @@ type FederationDomainListerExpansion interface{}
 // FederationDomainNamespaceListerExpansion allows custom methods to be added to
 // FederationDomainNamespaceLister.
 type FederationDomainNamespaceListerExpansion interface{}
+
+// OIDCClientListerExpansion allows custom methods to be added to
+// OIDCClientLister.
+type OIDCClientListerExpansion interface{}
+
+// OIDCClientNamespaceListerExpansion allows custom methods to be added to
+// OIDCClientNamespaceLister.
+type OIDCClientNamespaceListerExpansion interface{}
diff --git a/generated/1.17/client/supervisor/listers/oauth/v1alpha1/oidcclient.go b/generated/1.18/client/supervisor/listers/config/v1alpha1/oidcclient.go
similarity index 97%
rename from generated/1.17/client/supervisor/listers/oauth/v1alpha1/oidcclient.go
rename to generated/1.18/client/supervisor/listers/config/v1alpha1/oidcclient.go
index 8395809f..79278890 100644
--- a/generated/1.17/client/supervisor/listers/oauth/v1alpha1/oidcclient.go
+++ b/generated/1.18/client/supervisor/listers/config/v1alpha1/oidcclient.go
@@ -6,7 +6,7 @@
 package v1alpha1
 
 import (
- v1alpha1 "go.pinniped.dev/generated/1.17/apis/supervisor/oauth/v1alpha1"
+ v1alpha1 "go.pinniped.dev/generated/1.18/apis/supervisor/config/v1alpha1"
 "k8s.io/apimachinery/pkg/api/errors"
 "k8s.io/apimachinery/pkg/labels"
 "k8s.io/client-go/tools/cache"
diff --git a/generated/1.18/client/supervisor/listers/oauth/v1alpha1/expansion_generated.go b/generated/1.18/client/supervisor/listers/oauth/v1alpha1/expansion_generated.go
deleted file mode 100644
index c19310da..00000000
--- a/generated/1.18/client/supervisor/listers/oauth/v1alpha1/expansion_generated.go
+++ /dev/null
@@ -1,14 +0,0 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
-// SPDX-License-Identifier: Apache-2.0
-
-// Code generated by lister-gen. DO NOT EDIT.
-
-package v1alpha1
-
-// OIDCClientListerExpansion allows custom methods to be added to
-// OIDCClientLister.
-type OIDCClientListerExpansion interface{}
-
-// OIDCClientNamespaceListerExpansion allows custom methods to be added to
-// OIDCClientNamespaceLister.
-type OIDCClientNamespaceListerExpansion interface{}
diff --git a/generated/1.18/client/supervisor/virtual/clientset/versioned/clientset.go b/generated/1.18/client/supervisor/virtual/clientset/versioned/clientset.go
deleted file mode 100644
index f5038211..00000000
--- a/generated/1.18/client/supervisor/virtual/clientset/versioned/clientset.go
+++ /dev/null
@@ -1,84 +0,0 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
-// SPDX-License-Identifier: Apache-2.0
-
-// Code generated by client-gen. DO NOT EDIT.
-
-package versioned
-
-import (
- "fmt"
-
- oauthv1alpha1 "go.pinniped.dev/generated/1.18/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1"
- discovery "k8s.io/client-go/discovery"
- rest "k8s.io/client-go/rest"
- flowcontrol "k8s.io/client-go/util/flowcontrol"
-)
-
-type Interface interface {
- Discovery() discovery.DiscoveryInterface
- OauthV1alpha1() oauthv1alpha1.OauthV1alpha1Interface
-}
-
-// Clientset contains the clients for groups. Each group has exactly one
-// version included in a Clientset.
-type Clientset struct {
- *discovery.DiscoveryClient
- oauthV1alpha1 *oauthv1alpha1.OauthV1alpha1Client
-}
-
-// OauthV1alpha1 retrieves the OauthV1alpha1Client
-func (c *Clientset) OauthV1alpha1() oauthv1alpha1.OauthV1alpha1Interface {
- return c.oauthV1alpha1
-}
-
-// Discovery retrieves the DiscoveryClient
-func (c *Clientset) Discovery() discovery.DiscoveryInterface {
- if c == nil {
- return nil
- }
- return c.DiscoveryClient
-}
-
-// NewForConfig creates a new Clientset for the given config.
-// If config's RateLimiter is not set and QPS and Burst are acceptable,
-// NewForConfig will generate a rate-limiter in configShallowCopy.
-func NewForConfig(c *rest.Config) (*Clientset, error) {
- configShallowCopy := *c
- if configShallowCopy.RateLimiter == nil && configShallowCopy.QPS > 0 {
- if configShallowCopy.Burst <= 0 {
- return nil, fmt.Errorf("burst is required to be greater than 0 when RateLimiter is not set and QPS is set to greater than 0")
- }
- configShallowCopy.RateLimiter = flowcontrol.NewTokenBucketRateLimiter(configShallowCopy.QPS, configShallowCopy.Burst)
- }
- var cs Clientset
- var err error
- cs.oauthV1alpha1, err = oauthv1alpha1.NewForConfig(&configShallowCopy)
- if err != nil {
- return nil, err
- }
-
- cs.DiscoveryClient, err = discovery.NewDiscoveryClientForConfig(&configShallowCopy)
- if err != nil {
- return nil, err
- }
- return &cs, nil
-}
-
-// NewForConfigOrDie creates a new Clientset for the given config and
-// panics if there is an error in the config.
-func NewForConfigOrDie(c *rest.Config) *Clientset {
- var cs Clientset
- cs.oauthV1alpha1 = oauthv1alpha1.NewForConfigOrDie(c)
-
- cs.DiscoveryClient = discovery.NewDiscoveryClientForConfigOrDie(c)
- return &cs
-}
-
-// New creates a new Clientset for the given RESTClient.
-func New(c rest.Interface) *Clientset {
- var cs Clientset
- cs.oauthV1alpha1 = oauthv1alpha1.New(c)
-
- cs.DiscoveryClient = discovery.NewDiscoveryClient(c)
- return &cs
-}
diff --git a/generated/1.18/client/supervisor/virtual/clientset/versioned/doc.go b/generated/1.18/client/supervisor/virtual/clientset/versioned/doc.go
deleted file mode 100644
index 5dc02e6e..00000000
--- a/generated/1.18/client/supervisor/virtual/clientset/versioned/doc.go
+++ /dev/null
@@ -1,7 +0,0 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
-// SPDX-License-Identifier: Apache-2.0
-
-// Code generated by client-gen. DO NOT EDIT.
-
-// This package has the automatically generated clientset.
-package versioned
diff --git a/generated/1.18/client/supervisor/virtual/clientset/versioned/fake/clientset_generated.go b/generated/1.18/client/supervisor/virtual/clientset/versioned/fake/clientset_generated.go
deleted file mode 100644
index 11c90feb..00000000
--- a/generated/1.18/client/supervisor/virtual/clientset/versioned/fake/clientset_generated.go
+++ /dev/null
@@ -1,69 +0,0 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
-// SPDX-License-Identifier: Apache-2.0
-
-// Code generated by client-gen. DO NOT EDIT.
-
-package fake
-
-import (
- clientset "go.pinniped.dev/generated/1.18/client/supervisor/virtual/clientset/versioned"
- oauthv1alpha1 "go.pinniped.dev/generated/1.18/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1"
- fakeoauthv1alpha1 "go.pinniped.dev/generated/1.18/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake"
- "k8s.io/apimachinery/pkg/runtime"
- "k8s.io/apimachinery/pkg/watch"
- "k8s.io/client-go/discovery"
- fakediscovery "k8s.io/client-go/discovery/fake"
- "k8s.io/client-go/testing"
-)
-
-// NewSimpleClientset returns a clientset that will respond with the provided objects.
-// It's backed by a very simple object tracker that processes creates, updates and deletions as-is,
-// without applying any validations and/or defaults. It shouldn't be considered a replacement
-// for a real clientset and is mostly useful in simple unit tests.
-func NewSimpleClientset(objects ...runtime.Object) *Clientset {
- o := testing.NewObjectTracker(scheme, codecs.UniversalDecoder())
- for _, obj := range objects {
- if err := o.Add(obj); err != nil {
- panic(err)
- }
- }
-
- cs := &Clientset{tracker: o}
- cs.discovery = &fakediscovery.FakeDiscovery{Fake: &cs.Fake}
- cs.AddReactor("*", "*", testing.ObjectReaction(o))
- cs.AddWatchReactor("*", func(action testing.Action) (handled bool, ret watch.Interface, err error) {
- gvr := action.GetResource()
- ns := action.GetNamespace()
- watch, err := o.Watch(gvr, ns)
- if err != nil {
- return false, nil, err
- }
- return true, watch, nil
- })
-
- return cs
-}
-
-// Clientset implements clientset.Interface. Meant to be embedded into a
-// struct to get a default implementation. This makes faking out just the method
-// you want to test easier.
-type Clientset struct {
- testing.Fake
- discovery *fakediscovery.FakeDiscovery
- tracker testing.ObjectTracker
-}
-
-func (c *Clientset) Discovery() discovery.DiscoveryInterface {
- return c.discovery
-}
-
-func (c *Clientset) Tracker() testing.ObjectTracker {
- return c.tracker
-}
-
-var _ clientset.Interface = &Clientset{}
-
-// OauthV1alpha1 retrieves the OauthV1alpha1Client
-func (c *Clientset) OauthV1alpha1() oauthv1alpha1.OauthV1alpha1Interface {
- return &fakeoauthv1alpha1.FakeOauthV1alpha1{Fake: &c.Fake}
-}
diff --git a/generated/1.18/client/supervisor/virtual/clientset/versioned/fake/doc.go b/generated/1.18/client/supervisor/virtual/clientset/versioned/fake/doc.go
deleted file mode 100644
index 7c9538fd..00000000
--- a/generated/1.18/client/supervisor/virtual/clientset/versioned/fake/doc.go
+++ /dev/null
@@ -1,7 +0,0 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
-// SPDX-License-Identifier: Apache-2.0
-
-// Code generated by client-gen. DO NOT EDIT.
-
-// This package has the automatically generated fake clientset.
-package fake
diff --git a/generated/1.18/client/supervisor/virtual/clientset/versioned/fake/register.go b/generated/1.18/client/supervisor/virtual/clientset/versioned/fake/register.go
deleted file mode 100644
index 5a912824..00000000
--- a/generated/1.18/client/supervisor/virtual/clientset/versioned/fake/register.go
+++ /dev/null
@@ -1,43 +0,0 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
-// SPDX-License-Identifier: Apache-2.0
-
-// Code generated by client-gen. DO NOT EDIT.
-
-package fake
-
-import (
- oauthv1alpha1 "go.pinniped.dev/generated/1.18/apis/supervisor/virtual/oauth/v1alpha1"
- v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
- runtime "k8s.io/apimachinery/pkg/runtime"
- schema "k8s.io/apimachinery/pkg/runtime/schema"
- serializer "k8s.io/apimachinery/pkg/runtime/serializer"
- utilruntime "k8s.io/apimachinery/pkg/util/runtime"
-)
-
-var scheme = runtime.NewScheme()
-var codecs = serializer.NewCodecFactory(scheme)
-var parameterCodec = runtime.NewParameterCodec(scheme)
-var localSchemeBuilder = runtime.SchemeBuilder{
- oauthv1alpha1.AddToScheme,
-}
-
-// AddToScheme adds all types of this clientset into the given scheme. This allows composition
-// of clientsets, like in:
-//
- // import (
- // "k8s.io/client-go/kubernetes"
- // clientsetscheme "k8s.io/client-go/kubernetes/scheme"
- // aggregatorclientsetscheme "k8s.io/kube-aggregator/pkg/client/clientset_generated/clientset/scheme"
- // )
- //
- // kclientset, _ := kubernetes.NewForConfig(c)
- // _ = aggregatorclientsetscheme.AddToScheme(clientsetscheme.Scheme)
- //
- // After this, RawExtensions in Kubernetes types will serialize kube-aggregator types
-// correctly.
-var AddToScheme = localSchemeBuilder.AddToScheme
-
-func init() {
- v1.AddToGroupVersion(scheme, schema.GroupVersion{Version: "v1"})
- utilruntime.Must(AddToScheme(scheme))
-}
diff --git a/generated/1.18/client/supervisor/virtual/clientset/versioned/scheme/doc.go b/generated/1.18/client/supervisor/virtual/clientset/versioned/scheme/doc.go
deleted file mode 100644
index cc02f1d3..00000000
--- a/generated/1.18/client/supervisor/virtual/clientset/versioned/scheme/doc.go
+++ /dev/null
@@ -1,7 +0,0 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
-// SPDX-License-Identifier: Apache-2.0
-
-// Code generated by client-gen. DO NOT EDIT.
-
-// This package contains the scheme of the automatically generated clientset.
-package scheme
diff --git a/generated/1.18/client/supervisor/virtual/clientset/versioned/scheme/register.go b/generated/1.18/client/supervisor/virtual/clientset/versioned/scheme/register.go
deleted file mode 100644
index 81e95f84..00000000
--- a/generated/1.18/client/supervisor/virtual/clientset/versioned/scheme/register.go
+++ /dev/null
@@ -1,43 +0,0 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
-// SPDX-License-Identifier: Apache-2.0
-
-// Code generated by client-gen. DO NOT EDIT.
-
-package scheme
-
-import (
- oauthv1alpha1 "go.pinniped.dev/generated/1.18/apis/supervisor/virtual/oauth/v1alpha1"
- v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
- runtime "k8s.io/apimachinery/pkg/runtime"
- schema "k8s.io/apimachinery/pkg/runtime/schema"
- serializer "k8s.io/apimachinery/pkg/runtime/serializer"
- utilruntime "k8s.io/apimachinery/pkg/util/runtime"
-)
-
-var Scheme = runtime.NewScheme()
-var Codecs = serializer.NewCodecFactory(Scheme)
-var ParameterCodec = runtime.NewParameterCodec(Scheme)
-var localSchemeBuilder = runtime.SchemeBuilder{
- oauthv1alpha1.AddToScheme,
-}
-
-// AddToScheme adds all types of this clientset into the given scheme. This allows composition
-// of clientsets, like in:
-//
- // import (
- // "k8s.io/client-go/kubernetes"
- // clientsetscheme "k8s.io/client-go/kubernetes/scheme"
- // aggregatorclientsetscheme "k8s.io/kube-aggregator/pkg/client/clientset_generated/clientset/scheme"
- // )
- //
- // kclientset, _ := kubernetes.NewForConfig(c)
- // _ = aggregatorclientsetscheme.AddToScheme(clientsetscheme.Scheme)
- //
- // After this, RawExtensions in Kubernetes types will serialize kube-aggregator types
-// correctly.
-var AddToScheme = localSchemeBuilder.AddToScheme
-
-func init() {
- v1.AddToGroupVersion(Scheme, schema.GroupVersion{Version: "v1"})
- utilruntime.Must(AddToScheme(Scheme))
-}
diff --git a/generated/1.18/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go b/generated/1.18/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go
deleted file mode 100644
index 99987eec..00000000
--- a/generated/1.18/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go
+++ /dev/null
@@ -1,27 +0,0 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
-// SPDX-License-Identifier: Apache-2.0
-
-// Code generated by client-gen. DO NOT EDIT.
-
-package fake
-
-import (
- v1alpha1 "go.pinniped.dev/generated/1.18/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1"
- rest "k8s.io/client-go/rest"
- testing "k8s.io/client-go/testing"
-)
-
-type FakeOauthV1alpha1 struct {
- *testing.Fake
-}
-
-func (c *FakeOauthV1alpha1) OIDCClientSecretRequests(namespace string) v1alpha1.OIDCClientSecretRequestInterface {
- return &FakeOIDCClientSecretRequests{c, namespace}
-}
-
-// RESTClient returns a RESTClient that is used to communicate
-// with API server by this client implementation.
-func (c *FakeOauthV1alpha1) RESTClient() rest.Interface {
- var ret *rest.RESTClient
- return ret
-}
diff --git a/generated/1.18/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml b/generated/1.18/crds/config.supervisor.pinniped.dev_oidcclients.yaml
similarity index 98%
rename from generated/1.18/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml
rename to generated/1.18/crds/config.supervisor.pinniped.dev_oidcclients.yaml
index 589a9154..4efa445e 100644
--- a/generated/1.18/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml
+++ b/generated/1.18/crds/config.supervisor.pinniped.dev_oidcclients.yaml
@@ -5,9 +5,9 @@ metadata:
 annotations:
 controller-gen.kubebuilder.io/version: v0.8.0
 creationTimestamp: null
- name: oidcclients.oauth.supervisor.pinniped.dev
+ name: oidcclients.config.supervisor.pinniped.dev
 spec:
- group: oauth.supervisor.pinniped.dev
+ group: config.supervisor.pinniped.dev
 names:
 categories:
 - pinniped
diff --git a/generated/1.19/README.adoc b/generated/1.19/README.adoc
index 29d52abb..bdba4347 100644
--- a/generated/1.19/README.adoc
+++ b/generated/1.19/README.adoc
@@ -6,15 +6,14 @@ .Packages - xref:{anchor_prefix}-authentication-concierge-pinniped-dev-v1alpha1[$$authentication.concierge.pinniped.dev/v1alpha1$$] +- xref:{anchor_prefix}-clientsecret-supervisor-pinniped-dev-clientsecret[$$clientsecret.supervisor.pinniped.dev/clientsecret$$] +- xref:{anchor_prefix}-clientsecret-supervisor-pinniped-dev-v1alpha1[$$clientsecret.supervisor.pinniped.dev/v1alpha1$$] - xref:{anchor_prefix}-config-concierge-pinniped-dev-v1alpha1[$$config.concierge.pinniped.dev/v1alpha1$$] - xref:{anchor_prefix}-config-supervisor-pinniped-dev-v1alpha1[$$config.supervisor.pinniped.dev/v1alpha1$$] - xref:{anchor_prefix}-identity-concierge-pinniped-dev-identity[$$identity.concierge.pinniped.dev/identity$$] - xref:{anchor_prefix}-identity-concierge-pinniped-dev-v1alpha1[$$identity.concierge.pinniped.dev/v1alpha1$$] - xref:{anchor_prefix}-idp-supervisor-pinniped-dev-v1alpha1[$$idp.supervisor.pinniped.dev/v1alpha1$$] - xref:{anchor_prefix}-login-concierge-pinniped-dev-v1alpha1[$$login.concierge.pinniped.dev/v1alpha1$$] -- xref:{anchor_prefix}-oauth-supervisor-pinniped-dev-v1alpha1[$$oauth.supervisor.pinniped.dev/v1alpha1$$] -- xref:{anchor_prefix}-oauth-virtual-supervisor-pinniped-dev-oauth[$$oauth.virtual.supervisor.pinniped.dev/oauth$$] -- xref:{anchor_prefix}-oauth-virtual-supervisor-pinniped-dev-v1alpha1[$$oauth.virtual.supervisor.pinniped.dev/v1alpha1$$] [id="{anchor_prefix}-authentication-concierge-pinniped-dev-v1alpha1"] 
@@ -213,6 +212,98 @@ Status of a webhook authenticator. +[id="{anchor_prefix}-clientsecret-supervisor-pinniped-dev-clientsecret"] +=== clientsecret.supervisor.pinniped.dev/clientsecret + +Package clientsecret is the internal version of the Pinniped client secret API. + + + + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-clientsecret-oidcclientsecretrequestspec"] +==== OIDCClientSecretRequestSpec + + + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-clientsecret-oidcclientsecretrequest[$$OIDCClientSecretRequest$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`generateNewSecret`* __boolean__ | +| *`revokeOldSecrets`* __boolean__ | +|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-clientsecret-oidcclientsecretrequeststatus"] +==== OIDCClientSecretRequestStatus + + + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-clientsecret-oidcclientsecretrequest[$$OIDCClientSecretRequest$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`generatedSecret`* __string__ | +| *`totalClientSecrets`* __integer__ | +|=== + + + +[id="{anchor_prefix}-clientsecret-supervisor-pinniped-dev-v1alpha1"] +=== clientsecret.supervisor.pinniped.dev/v1alpha1 + +Package v1alpha1 is the v1alpha1 version of the Pinniped client secret API. 
+ + + + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-clientsecret-v1alpha1-oidcclientsecretrequestspec"] +==== OIDCClientSecretRequestSpec + + + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-clientsecret-v1alpha1-oidcclientsecretrequest[$$OIDCClientSecretRequest$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`generateNewSecret`* __boolean__ | +| *`revokeOldSecrets`* __boolean__ | +|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-clientsecret-v1alpha1-oidcclientsecretrequeststatus"] +==== OIDCClientSecretRequestStatus + + + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-clientsecret-v1alpha1-oidcclientsecretrequest[$$OIDCClientSecretRequest$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`generatedSecret`* __string__ | +| *`totalClientSecrets`* __integer__ | +|=== + + + [id="{anchor_prefix}-config-concierge-pinniped-dev-v1alpha1"] === config.concierge.pinniped.dev/v1alpha1 
@@ -546,6 +637,51 @@ FederationDomainTLSSpec is a struct that describes the TLS configuration for an |=== +[id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-config-v1alpha1-oidcclient"] +==== OIDCClient + +OIDCClient describes the configuration of an OIDC client. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-config-v1alpha1-oidcclientlist[$$OIDCClientList$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`. + +| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-config-v1alpha1-oidcclientspec[$$OIDCClientSpec$$]__ | Spec of the OIDC client. +| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-config-v1alpha1-oidcclientstatus[$$OIDCClientStatus$$]__ | Status of the OIDC client. +|=== + + + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-config-v1alpha1-oidcclientspec"] +==== OIDCClientSpec + +OIDCClientSpec is a struct that describes an OIDC Client. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-config-v1alpha1-oidcclient[$$OIDCClient$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`allowedRedirectURIs`* __string array__ | allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this client. Any other uris will be rejected. Must be https, unless it is a loopback. +| *`allowedGrantTypes`* __GrantType array__ | allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this client. + Must only contain the following values: - authorization_code: allows the client to perform the authorization code grant flow, i.e. 
allows the webapp to authenticate users. This grant must always be listed. - refresh_token: allows the client to perform refresh grants for the user to extend the user's session. This grant must be listed if allowedScopes lists offline_access. - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. This grant must be listed if allowedScopes lists pinniped:request-audience. +| *`allowedScopes`* __Scope array__ | allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. + Must only contain the following values: - openid: The client is allowed to request ID tokens. ID tokens only include the required claims by default (iss, sub, aud, exp, iat). This scope must always be listed. - offline_access: The client is allowed to request an initial refresh token during the authorization code grant flow. This scope must be listed if allowedGrantTypes lists refresh_token. - pinniped:request-audience: The client is allowed to request a new audience value during a RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. openid, username and groups scopes must be listed when this scope is present. This scope must be listed if allowedGrantTypes lists urn:ietf:params:oauth:grant-type:token-exchange. - username: The client is allowed to request that ID tokens contain the user's username. Without the username scope being requested and allowed, the ID token will not contain the user's username. - groups: The client is allowed to request that ID tokens contain the user's group membership, if their group membership is discoverable by the Supervisor. Without the groups scope being requested and allowed, the ID token will not contain groups. 
+|=== + + + + [id="{anchor_prefix}-identity-concierge-pinniped-dev-identity"] === identity.concierge.pinniped.dev/identity 
@@ -1335,148 +1471,3 @@ TokenCredentialRequestStatus is the status of a TokenCredentialRequest, returned |=== - -[id="{anchor_prefix}-oauth-supervisor-pinniped-dev-v1alpha1"] -=== oauth.supervisor.pinniped.dev/v1alpha1 - -Package v1alpha1 is the v1alpha1 version of the Pinniped supervisor oauth API. - - - -[id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-oauth-v1alpha1-oidcclient"] -==== OIDCClient - -OIDCClient describes the configuration of an OIDC client. - -.Appears In: -**** -- xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-oauth-v1alpha1-oidcclientlist[$$OIDCClientList$$] -**** - -[cols="25a,75a", options="header"] -|=== -| Field | Description -| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`. - -| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-oauth-v1alpha1-oidcclientspec[$$OIDCClientSpec$$]__ | Spec of the OIDC client. -| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-oauth-v1alpha1-oidcclientstatus[$$OIDCClientStatus$$]__ | Status of the OIDC client. -|=== - - - - -[id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-oauth-v1alpha1-oidcclientspec"] -==== OIDCClientSpec - -OIDCClientSpec is a struct that describes an OIDC Client. - -.Appears In: -**** -- xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-oauth-v1alpha1-oidcclient[$$OIDCClient$$] -**** - -[cols="25a,75a", options="header"] -|=== -| Field | Description -| *`allowedRedirectURIs`* __string array__ | allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this client. Any other uris will be rejected. Must be https, unless it is a loopback. 
-| *`allowedGrantTypes`* __GrantType array__ | allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this client. - Must only contain the following values: - authorization_code: allows the client to perform the authorization code grant flow, i.e. allows the webapp to authenticate users. This grant must always be listed. - refresh_token: allows the client to perform refresh grants for the user to extend the user's session. This grant must be listed if allowedScopes lists offline_access. - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. This grant must be listed if allowedScopes lists pinniped:request-audience. -| *`allowedScopes`* __Scope array__ | allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. - Must only contain the following values: - openid: The client is allowed to request ID tokens. ID tokens only include the required claims by default (iss, sub, aud, exp, iat). This scope must always be listed. - offline_access: The client is allowed to request an initial refresh token during the authorization code grant flow. This scope must be listed if allowedGrantTypes lists refresh_token. - pinniped:request-audience: The client is allowed to request a new audience value during a RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. openid, username and groups scopes must be listed when this scope is present. This scope must be listed if allowedGrantTypes lists urn:ietf:params:oauth:grant-type:token-exchange. - username: The client is allowed to request that ID tokens contain the user's username. Without the username scope being requested and allowed, the ID token will not contain the user's username. 
- groups: The client is allowed to request that ID tokens contain the user's group membership, if their group membership is discoverable by the Supervisor. Without the groups scope being requested and allowed, the ID token will not contain groups. -|=== - - - - - -[id="{anchor_prefix}-oauth-virtual-supervisor-pinniped-dev-oauth"] -=== oauth.virtual.supervisor.pinniped.dev/oauth - -Package oauth is the internal version of the Pinniped virtual oauth API. - - - - - -[id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-virtual-oauth-oidcclientsecretrequestspec"] -==== OIDCClientSecretRequestSpec - - - -.Appears In: -**** -- xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-virtual-oauth-oidcclientsecretrequest[$$OIDCClientSecretRequest$$] -**** - -[cols="25a,75a", options="header"] -|=== -| Field | Description -| *`generateNewSecret`* __boolean__ | -| *`revokeOldSecrets`* __boolean__ | -|=== - - -[id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-virtual-oauth-oidcclientsecretrequeststatus"] -==== OIDCClientSecretRequestStatus - - - -.Appears In: -**** -- xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-virtual-oauth-oidcclientsecretrequest[$$OIDCClientSecretRequest$$] -**** - -[cols="25a,75a", options="header"] -|=== -| Field | Description -| *`generatedSecret`* __string__ | -| *`totalClientSecrets`* __integer__ | -|=== - - - -[id="{anchor_prefix}-oauth-virtual-supervisor-pinniped-dev-v1alpha1"] -=== oauth.virtual.supervisor.pinniped.dev/v1alpha1 - -Package v1alpha1 is the v1alpha1 version of the Pinniped virtual oauth API. 
-
-
-
-
-
-[id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-virtual-oauth-v1alpha1-oidcclientsecretrequestspec"]
-==== OIDCClientSecretRequestSpec
-
-
-
-.Appears In:
-****
-- xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-virtual-oauth-v1alpha1-oidcclientsecretrequest[$$OIDCClientSecretRequest$$]
-****
-
-[cols="25a,75a", options="header"]
-|===
-| Field | Description
-| *`generateNewSecret`* __boolean__ |
-| *`revokeOldSecrets`* __boolean__ |
-|===
-
-
-[id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-virtual-oauth-v1alpha1-oidcclientsecretrequeststatus"]
-==== OIDCClientSecretRequestStatus
-
-
-
-.Appears In:
-****
-- xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-virtual-oauth-v1alpha1-oidcclientsecretrequest[$$OIDCClientSecretRequest$$]
-****
-
-[cols="25a,75a", options="header"]
-|===
-| Field | Description
-| *`generatedSecret`* __string__ |
-| *`totalClientSecrets`* __integer__ |
-|===
-
-
diff --git a/generated/1.19/apis/supervisor/clientsecret/doc.go b/generated/1.19/apis/supervisor/clientsecret/doc.go
new file mode 100644
index 00000000..c536bc75
--- /dev/null
+++ b/generated/1.19/apis/supervisor/clientsecret/doc.go
@@ -0,0 +1,8 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// +k8s:deepcopy-gen=package
+// +groupName=clientsecret.supervisor.pinniped.dev
+
+// Package clientsecret is the internal version of the Pinniped client secret API.
+package clientsecret
diff --git a/generated/1.19/apis/supervisor/virtual/oauth/register.go b/generated/1.19/apis/supervisor/clientsecret/register.go
similarity index 93%
rename from generated/1.19/apis/supervisor/virtual/oauth/register.go
rename to generated/1.19/apis/supervisor/clientsecret/register.go
index a238d85f..4a1c0173 100644
--- a/generated/1.19/apis/supervisor/virtual/oauth/register.go
+++ b/generated/1.19/apis/supervisor/clientsecret/register.go
@@ -1,14 +1,14 @@
 // Copyright 2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
-package oauth
+package clientsecret
 
 import (
 "k8s.io/apimachinery/pkg/runtime"
 "k8s.io/apimachinery/pkg/runtime/schema"
 )
 
-const GroupName = "oauth.virtual.supervisor.pinniped.dev"
+const GroupName = "clientsecret.supervisor.pinniped.dev"
 
 // SchemeGroupVersion is group version used to register these objects.
 var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: runtime.APIVersionInternal}
diff --git a/generated/1.17/apis/supervisor/virtual/oauth/types_oidcclientsecretrequest.go b/generated/1.19/apis/supervisor/clientsecret/types_oidcclientsecretrequest.go
similarity index 97%
rename from generated/1.17/apis/supervisor/virtual/oauth/types_oidcclientsecretrequest.go
rename to generated/1.19/apis/supervisor/clientsecret/types_oidcclientsecretrequest.go
index ac54a93c..7fd1eb65 100644
--- a/generated/1.17/apis/supervisor/virtual/oauth/types_oidcclientsecretrequest.go
+++ b/generated/1.19/apis/supervisor/clientsecret/types_oidcclientsecretrequest.go
@@ -1,7 +1,7 @@
 // Copyright 2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
-package oauth
+package clientsecret
 
 import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
diff --git a/generated/1.19/apis/supervisor/virtual/oauth/v1alpha1/conversion.go b/generated/1.19/apis/supervisor/clientsecret/v1alpha1/conversion.go
similarity index 100%
rename from generated/1.19/apis/supervisor/virtual/oauth/v1alpha1/conversion.go
rename to generated/1.19/apis/supervisor/clientsecret/v1alpha1/conversion.go
diff --git a/generated/1.19/apis/supervisor/virtual/oauth/v1alpha1/defaults.go b/generated/1.19/apis/supervisor/clientsecret/v1alpha1/defaults.go
similarity index 100%
rename from generated/1.19/apis/supervisor/virtual/oauth/v1alpha1/defaults.go
rename to generated/1.19/apis/supervisor/clientsecret/v1alpha1/defaults.go
diff --git a/generated/1.19/apis/supervisor/virtual/oauth/v1alpha1/doc.go b/generated/1.19/apis/supervisor/clientsecret/v1alpha1/doc.go
similarity index 64%
rename from generated/1.19/apis/supervisor/virtual/oauth/v1alpha1/doc.go
rename to generated/1.19/apis/supervisor/clientsecret/v1alpha1/doc.go
index 49c85a15..c87d92c7 100644
--- a/generated/1.19/apis/supervisor/virtual/oauth/v1alpha1/doc.go
+++ b/generated/1.19/apis/supervisor/clientsecret/v1alpha1/doc.go
@@ -3,9 +3,9 @@
 
 // +k8s:openapi-gen=true
 // +k8s:deepcopy-gen=package
-// +k8s:conversion-gen=go.pinniped.dev/generated/1.19/apis/supervisor/virtual/oauth
+// +k8s:conversion-gen=go.pinniped.dev/generated/1.19/apis/supervisor/clientsecret
 // +k8s:defaulter-gen=TypeMeta
-// +groupName=oauth.virtual.supervisor.pinniped.dev
+// +groupName=clientsecret.supervisor.pinniped.dev
 
-// Package v1alpha1 is the v1alpha1 version of the Pinniped virtual oauth API.
+// Package v1alpha1 is the v1alpha1 version of the Pinniped client secret API.
 package v1alpha1
diff --git a/generated/1.19/apis/supervisor/virtual/oauth/v1alpha1/register.go b/generated/1.19/apis/supervisor/clientsecret/v1alpha1/register.go
similarity index 95%
rename from generated/1.19/apis/supervisor/virtual/oauth/v1alpha1/register.go
rename to generated/1.19/apis/supervisor/clientsecret/v1alpha1/register.go
index ecc75a08..49602125 100644
--- a/generated/1.19/apis/supervisor/virtual/oauth/v1alpha1/register.go
+++ b/generated/1.19/apis/supervisor/clientsecret/v1alpha1/register.go
@@ -9,7 +9,7 @@ import (
 "k8s.io/apimachinery/pkg/runtime/schema"
 )
 
-const GroupName = "oauth.virtual.supervisor.pinniped.dev"
+const GroupName = "clientsecret.supervisor.pinniped.dev"
 
 // SchemeGroupVersion is group version used to register these objects.
 var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha1"}
diff --git a/generated/1.19/apis/supervisor/virtual/oauth/v1alpha1/types_oidcclientsecretrequest.go b/generated/1.19/apis/supervisor/clientsecret/v1alpha1/types_oidcclientsecretrequest.go
similarity index 100%
rename from generated/1.19/apis/supervisor/virtual/oauth/v1alpha1/types_oidcclientsecretrequest.go
rename to generated/1.19/apis/supervisor/clientsecret/v1alpha1/types_oidcclientsecretrequest.go
diff --git a/generated/1.19/apis/supervisor/clientsecret/v1alpha1/zz_generated.conversion.go b/generated/1.19/apis/supervisor/clientsecret/v1alpha1/zz_generated.conversion.go
new file mode 100644
index 00000000..bf34cde1
--- /dev/null
+++ b/generated/1.19/apis/supervisor/clientsecret/v1alpha1/zz_generated.conversion.go
@@ -0,0 +1,131 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by conversion-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+ clientsecret "go.pinniped.dev/generated/1.19/apis/supervisor/clientsecret"
+ conversion "k8s.io/apimachinery/pkg/conversion"
+ runtime "k8s.io/apimachinery/pkg/runtime"
+)
+
+func init() {
+ localSchemeBuilder.Register(RegisterConversions)
+}
+
+// RegisterConversions adds conversion functions to the given scheme.
+// Public to allow building arbitrary schemes.
+func RegisterConversions(s *runtime.Scheme) error {
+ if err := s.AddGeneratedConversionFunc((*OIDCClientSecretRequest)(nil), (*clientsecret.OIDCClientSecretRequest)(nil), func(a, b interface{}, scope conversion.Scope) error {
+ return Convert_v1alpha1_OIDCClientSecretRequest_To_clientsecret_OIDCClientSecretRequest(a.(*OIDCClientSecretRequest), b.(*clientsecret.OIDCClientSecretRequest), scope)
+ }); err != nil {
+ return err
+ }
+ if err := s.AddGeneratedConversionFunc((*clientsecret.OIDCClientSecretRequest)(nil), (*OIDCClientSecretRequest)(nil), func(a, b interface{}, scope conversion.Scope) error {
+ return Convert_clientsecret_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest(a.(*clientsecret.OIDCClientSecretRequest), b.(*OIDCClientSecretRequest), scope)
+ }); err != nil {
+ return err
+ }
+ if err := s.AddGeneratedConversionFunc((*OIDCClientSecretRequestSpec)(nil), (*clientsecret.OIDCClientSecretRequestSpec)(nil), func(a, b interface{}, scope conversion.Scope) error {
+ return Convert_v1alpha1_OIDCClientSecretRequestSpec_To_clientsecret_OIDCClientSecretRequestSpec(a.(*OIDCClientSecretRequestSpec), b.(*clientsecret.OIDCClientSecretRequestSpec), scope)
+ }); err != nil {
+ return err
+ }
+ if err := s.AddGeneratedConversionFunc((*clientsecret.OIDCClientSecretRequestSpec)(nil), (*OIDCClientSecretRequestSpec)(nil), 
func(a, b interface{}, scope conversion.Scope) error {
+ return Convert_clientsecret_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec(a.(*clientsecret.OIDCClientSecretRequestSpec), b.(*OIDCClientSecretRequestSpec), scope)
+ }); err != nil {
+ return err
+ }
+ if err := s.AddGeneratedConversionFunc((*OIDCClientSecretRequestStatus)(nil), (*clientsecret.OIDCClientSecretRequestStatus)(nil), func(a, b interface{}, scope conversion.Scope) error {
+ return Convert_v1alpha1_OIDCClientSecretRequestStatus_To_clientsecret_OIDCClientSecretRequestStatus(a.(*OIDCClientSecretRequestStatus), b.(*clientsecret.OIDCClientSecretRequestStatus), scope)
+ }); err != nil {
+ return err
+ }
+ if err := s.AddGeneratedConversionFunc((*clientsecret.OIDCClientSecretRequestStatus)(nil), (*OIDCClientSecretRequestStatus)(nil), func(a, b interface{}, scope conversion.Scope) error {
+ return Convert_clientsecret_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus(a.(*clientsecret.OIDCClientSecretRequestStatus), b.(*OIDCClientSecretRequestStatus), scope)
+ }); err != nil {
+ return err
+ }
+ return nil
+}
+
+func autoConvert_v1alpha1_OIDCClientSecretRequest_To_clientsecret_OIDCClientSecretRequest(in *OIDCClientSecretRequest, out *clientsecret.OIDCClientSecretRequest, s conversion.Scope) error {
+ out.ObjectMeta = in.ObjectMeta
+ if err := Convert_v1alpha1_OIDCClientSecretRequestSpec_To_clientsecret_OIDCClientSecretRequestSpec(&in.Spec, &out.Spec, s); err != nil {
+ return err
+ }
+ if err := Convert_v1alpha1_OIDCClientSecretRequestStatus_To_clientsecret_OIDCClientSecretRequestStatus(&in.Status, &out.Status, s); err != nil {
+ return err
+ }
+ return nil
+}
+
+// Convert_v1alpha1_OIDCClientSecretRequest_To_clientsecret_OIDCClientSecretRequest is an autogenerated conversion function.
+func Convert_v1alpha1_OIDCClientSecretRequest_To_clientsecret_OIDCClientSecretRequest(in *OIDCClientSecretRequest, out *clientsecret.OIDCClientSecretRequest, s conversion.Scope) error {
+ return autoConvert_v1alpha1_OIDCClientSecretRequest_To_clientsecret_OIDCClientSecretRequest(in, out, s)
+}
+
+func autoConvert_clientsecret_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest(in *clientsecret.OIDCClientSecretRequest, out *OIDCClientSecretRequest, s conversion.Scope) error {
+ out.ObjectMeta = in.ObjectMeta
+ if err := Convert_clientsecret_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec(&in.Spec, &out.Spec, s); err != nil {
+ return err
+ }
+ if err := Convert_clientsecret_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus(&in.Status, &out.Status, s); err != nil {
+ return err
+ }
+ return nil
+}
+
+// Convert_clientsecret_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest is an autogenerated conversion function.
+func Convert_clientsecret_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest(in *clientsecret.OIDCClientSecretRequest, out *OIDCClientSecretRequest, s conversion.Scope) error {
+ return autoConvert_clientsecret_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest(in, out, s)
+}
+
+func autoConvert_v1alpha1_OIDCClientSecretRequestSpec_To_clientsecret_OIDCClientSecretRequestSpec(in *OIDCClientSecretRequestSpec, out *clientsecret.OIDCClientSecretRequestSpec, s conversion.Scope) error {
+ out.GenerateNewSecret = in.GenerateNewSecret
+ out.RevokeOldSecrets = in.RevokeOldSecrets
+ return nil
+}
+
+// Convert_v1alpha1_OIDCClientSecretRequestSpec_To_clientsecret_OIDCClientSecretRequestSpec is an autogenerated conversion function.
+func Convert_v1alpha1_OIDCClientSecretRequestSpec_To_clientsecret_OIDCClientSecretRequestSpec(in *OIDCClientSecretRequestSpec, out *clientsecret.OIDCClientSecretRequestSpec, s conversion.Scope) error {
+ return autoConvert_v1alpha1_OIDCClientSecretRequestSpec_To_clientsecret_OIDCClientSecretRequestSpec(in, out, s)
+}
+
+func autoConvert_clientsecret_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec(in *clientsecret.OIDCClientSecretRequestSpec, out *OIDCClientSecretRequestSpec, s conversion.Scope) error {
+ out.GenerateNewSecret = in.GenerateNewSecret
+ out.RevokeOldSecrets = in.RevokeOldSecrets
+ return nil
+}
+
+// Convert_clientsecret_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec is an autogenerated conversion function.
+func Convert_clientsecret_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec(in *clientsecret.OIDCClientSecretRequestSpec, out *OIDCClientSecretRequestSpec, s conversion.Scope) error {
+ return autoConvert_clientsecret_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec(in, out, s)
+}
+
+func autoConvert_v1alpha1_OIDCClientSecretRequestStatus_To_clientsecret_OIDCClientSecretRequestStatus(in *OIDCClientSecretRequestStatus, out *clientsecret.OIDCClientSecretRequestStatus, s conversion.Scope) error {
+ out.GeneratedSecret = in.GeneratedSecret
+ out.TotalClientSecrets = in.TotalClientSecrets
+ return nil
+}
+
+// Convert_v1alpha1_OIDCClientSecretRequestStatus_To_clientsecret_OIDCClientSecretRequestStatus is an autogenerated conversion function.
+func Convert_v1alpha1_OIDCClientSecretRequestStatus_To_clientsecret_OIDCClientSecretRequestStatus(in *OIDCClientSecretRequestStatus, out *clientsecret.OIDCClientSecretRequestStatus, s conversion.Scope) error {
+ return autoConvert_v1alpha1_OIDCClientSecretRequestStatus_To_clientsecret_OIDCClientSecretRequestStatus(in, out, s)
+}
+
+func autoConvert_clientsecret_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus(in *clientsecret.OIDCClientSecretRequestStatus, out *OIDCClientSecretRequestStatus, s conversion.Scope) error {
+ out.GeneratedSecret = in.GeneratedSecret
+ out.TotalClientSecrets = in.TotalClientSecrets
+ return nil
+}
+
+// Convert_clientsecret_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus is an autogenerated conversion function.
+func Convert_clientsecret_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus(in *clientsecret.OIDCClientSecretRequestStatus, out *OIDCClientSecretRequestStatus, s conversion.Scope) error {
+ return autoConvert_clientsecret_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus(in, out, s)
+}
diff --git a/generated/1.19/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.deepcopy.go b/generated/1.19/apis/supervisor/clientsecret/v1alpha1/zz_generated.deepcopy.go
similarity index 100%
rename from generated/1.19/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.deepcopy.go
rename to generated/1.19/apis/supervisor/clientsecret/v1alpha1/zz_generated.deepcopy.go
diff --git a/generated/1.19/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.defaults.go b/generated/1.19/apis/supervisor/clientsecret/v1alpha1/zz_generated.defaults.go
similarity index 100%
rename from generated/1.19/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.defaults.go
rename to generated/1.19/apis/supervisor/clientsecret/v1alpha1/zz_generated.defaults.go
diff --git a/generated/1.20/apis/supervisor/virtual/oauth/zz_generated.deepcopy.go b/generated/1.19/apis/supervisor/clientsecret/zz_generated.deepcopy.go
similarity index 99%
rename from generated/1.20/apis/supervisor/virtual/oauth/zz_generated.deepcopy.go
rename to generated/1.19/apis/supervisor/clientsecret/zz_generated.deepcopy.go
index 24b58e7b..e0dc7d68 100644
--- a/generated/1.20/apis/supervisor/virtual/oauth/zz_generated.deepcopy.go
+++ b/generated/1.19/apis/supervisor/clientsecret/zz_generated.deepcopy.go
@@ -6,7 +6,7 @@
 
 // Code generated by deepcopy-gen. DO NOT EDIT.
 
-package oauth
+package clientsecret
 
 import (
 runtime "k8s.io/apimachinery/pkg/runtime"
diff --git a/generated/1.19/apis/supervisor/config/v1alpha1/register.go b/generated/1.19/apis/supervisor/config/v1alpha1/register.go
index 69045298..54c51699 100644
--- a/generated/1.19/apis/supervisor/config/v1alpha1/register.go
+++ b/generated/1.19/apis/supervisor/config/v1alpha1/register.go
@@ -32,6 +32,8 @@ func addKnownTypes(scheme *runtime.Scheme) error {
 scheme.AddKnownTypes(SchemeGroupVersion,
 &FederationDomain{},
 &FederationDomainList{},
+ &OIDCClient{},
+ &OIDCClientList{},
 )
 metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
 return nil
diff --git a/generated/1.19/apis/supervisor/oauth/v1alpha1/types_oidcclient.go b/generated/1.19/apis/supervisor/config/v1alpha1/types_oidcclient.go
similarity index 100%
rename from generated/1.19/apis/supervisor/oauth/v1alpha1/types_oidcclient.go
rename to generated/1.19/apis/supervisor/config/v1alpha1/types_oidcclient.go
diff --git a/generated/1.19/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go b/generated/1.19/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go
index 856b8988..a55d88e7 100644
--- a/generated/1.19/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go
+++ b/generated/1.19/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go
@@ -150,3 +150,111 @@ func (in *FederationDomainTLSSpec) DeepCopy() *FederationDomainTLSSpec {
 in.DeepCopyInto(out)
 return out
 }
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OIDCClient) DeepCopyInto(out *OIDCClient) {
+ *out = *in
+ out.TypeMeta = in.TypeMeta
+ in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+ in.Spec.DeepCopyInto(&out.Spec)
+ out.Status = in.Status
+ return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClient.
+func (in *OIDCClient) DeepCopy() *OIDCClient {
+ if in == nil {
+ return nil
+ }
+ out := new(OIDCClient)
+ in.DeepCopyInto(out)
+ return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *OIDCClient) DeepCopyObject() runtime.Object {
+ if c := in.DeepCopy(); c != nil {
+ return c
+ }
+ return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OIDCClientList) DeepCopyInto(out *OIDCClientList) {
+ *out = *in
+ out.TypeMeta = in.TypeMeta
+ in.ListMeta.DeepCopyInto(&out.ListMeta)
+ if in.Items != nil {
+ in, out := &in.Items, &out.Items
+ *out = make([]OIDCClient, len(*in))
+ for i := range *in {
+ (*in)[i].DeepCopyInto(&(*out)[i])
+ }
+ }
+ return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientList.
+func (in *OIDCClientList) DeepCopy() *OIDCClientList {
+ if in == nil {
+ return nil
+ }
+ out := new(OIDCClientList)
+ in.DeepCopyInto(out)
+ return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *OIDCClientList) DeepCopyObject() runtime.Object {
+ if c := in.DeepCopy(); c != nil {
+ return c
+ }
+ return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. 
in must be non-nil.
+func (in *OIDCClientSpec) DeepCopyInto(out *OIDCClientSpec) {
+ *out = *in
+ if in.AllowedRedirectURIs != nil {
+ in, out := &in.AllowedRedirectURIs, &out.AllowedRedirectURIs
+ *out = make([]string, len(*in))
+ copy(*out, *in)
+ }
+ if in.AllowedGrantTypes != nil {
+ in, out := &in.AllowedGrantTypes, &out.AllowedGrantTypes
+ *out = make([]GrantType, len(*in))
+ copy(*out, *in)
+ }
+ if in.AllowedScopes != nil {
+ in, out := &in.AllowedScopes, &out.AllowedScopes
+ *out = make([]Scope, len(*in))
+ copy(*out, *in)
+ }
+ return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSpec.
+func (in *OIDCClientSpec) DeepCopy() *OIDCClientSpec {
+ if in == nil {
+ return nil
+ }
+ out := new(OIDCClientSpec)
+ in.DeepCopyInto(out)
+ return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OIDCClientStatus) DeepCopyInto(out *OIDCClientStatus) {
+ *out = *in
+ return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientStatus.
+func (in *OIDCClientStatus) DeepCopy() *OIDCClientStatus {
+ if in == nil {
+ return nil
+ }
+ out := new(OIDCClientStatus)
+ in.DeepCopyInto(out)
+ return out
+}
diff --git a/generated/1.19/apis/supervisor/oauth/v1alpha1/doc.go b/generated/1.19/apis/supervisor/oauth/v1alpha1/doc.go
deleted file mode 100644
index 75580481..00000000
--- a/generated/1.19/apis/supervisor/oauth/v1alpha1/doc.go
+++ /dev/null
@@ -1,10 +0,0 @@
-// Copyright 2022 the Pinniped contributors. All Rights Reserved.
-// SPDX-License-Identifier: Apache-2.0
-
-// +k8s:openapi-gen=true
-// +k8s:deepcopy-gen=package
-// +k8s:defaulter-gen=TypeMeta
-// +groupName=oauth.supervisor.pinniped.dev
-
-// Package v1alpha1 is the v1alpha1 version of the Pinniped supervisor oauth API.
-package v1alpha1
diff --git a/generated/1.19/apis/supervisor/oauth/v1alpha1/register.go b/generated/1.19/apis/supervisor/oauth/v1alpha1/register.go
deleted file mode 100644
index 37ae1fbf..00000000
--- a/generated/1.19/apis/supervisor/oauth/v1alpha1/register.go
+++ /dev/null
@@ -1,43 +0,0 @@
-// Copyright 2022 the Pinniped contributors. All Rights Reserved.
-// SPDX-License-Identifier: Apache-2.0
-
-package v1alpha1
-
-import (
- metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
- "k8s.io/apimachinery/pkg/runtime"
- "k8s.io/apimachinery/pkg/runtime/schema"
-)
-
-const GroupName = "oauth.supervisor.pinniped.dev"
-
-// SchemeGroupVersion is group version used to register these objects.
-var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha1"}
-
-var (
- SchemeBuilder runtime.SchemeBuilder
- localSchemeBuilder = &SchemeBuilder
- AddToScheme = localSchemeBuilder.AddToScheme
-)
-
-func init() {
- // We only register manually written functions here. The registration of the
- // generated functions takes place in the generated files. The separation
- // makes the code compile even when the generated files are missing.
- localSchemeBuilder.Register(addKnownTypes)
-}
-
-// Adds the list of known types to the given scheme.
-func addKnownTypes(scheme *runtime.Scheme) error {
- scheme.AddKnownTypes(SchemeGroupVersion,
- &OIDCClient{},
- &OIDCClientList{},
- )
- metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
- return nil
-}
-
-// Resource takes an unqualified resource and returns a Group qualified GroupResource.
-func Resource(resource string) schema.GroupResource {
- return SchemeGroupVersion.WithResource(resource).GroupResource()
-}
diff --git a/generated/1.19/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go b/generated/1.19/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go
deleted file mode 100644
index 1aba8aea..00000000
--- a/generated/1.19/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go
+++ /dev/null
@@ -1,121 +0,0 @@
-//go:build !ignore_autogenerated
-// +build !ignore_autogenerated
-
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
-// SPDX-License-Identifier: Apache-2.0
-
-// Code generated by deepcopy-gen. DO NOT EDIT.
-
-package v1alpha1
-
-import (
- runtime "k8s.io/apimachinery/pkg/runtime"
-)
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *OIDCClient) DeepCopyInto(out *OIDCClient) {
- *out = *in
- out.TypeMeta = in.TypeMeta
- in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
- in.Spec.DeepCopyInto(&out.Spec)
- out.Status = in.Status
- return
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClient.
-func (in *OIDCClient) DeepCopy() *OIDCClient {
- if in == nil {
- return nil
- }
- out := new(OIDCClient)
- in.DeepCopyInto(out)
- return out
-}
-
-// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
-func (in *OIDCClient) DeepCopyObject() runtime.Object {
- if c := in.DeepCopy(); c != nil {
- return c
- }
- return nil
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *OIDCClientList) DeepCopyInto(out *OIDCClientList) {
- *out = *in
- out.TypeMeta = in.TypeMeta
- in.ListMeta.DeepCopyInto(&out.ListMeta)
- if in.Items != nil {
- in, out := &in.Items, &out.Items
- *out = make([]OIDCClient, len(*in))
- for i := range *in {
- (*in)[i].DeepCopyInto(&(*out)[i])
- }
- }
- return
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientList.
-func (in *OIDCClientList) DeepCopy() *OIDCClientList {
- if in == nil {
- return nil
- }
- out := new(OIDCClientList)
- in.DeepCopyInto(out)
- return out
-}
-
-// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
-func (in *OIDCClientList) DeepCopyObject() runtime.Object {
- if c := in.DeepCopy(); c != nil {
- return c
- }
- return nil
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *OIDCClientSpec) DeepCopyInto(out *OIDCClientSpec) {
- *out = *in
- if in.AllowedRedirectURIs != nil {
- in, out := &in.AllowedRedirectURIs, &out.AllowedRedirectURIs
- *out = make([]string, len(*in))
- copy(*out, *in)
- }
- if in.AllowedGrantTypes != nil {
- in, out := &in.AllowedGrantTypes, &out.AllowedGrantTypes
- *out = make([]GrantType, len(*in))
- copy(*out, *in)
- }
- if in.AllowedScopes != nil {
- in, out := &in.AllowedScopes, &out.AllowedScopes
- *out = make([]Scope, len(*in))
- copy(*out, *in)
- }
- return
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSpec.
-func (in *OIDCClientSpec) DeepCopy() *OIDCClientSpec {
- if in == nil {
- return nil
- }
- out := new(OIDCClientSpec)
- in.DeepCopyInto(out)
- return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *OIDCClientStatus) DeepCopyInto(out *OIDCClientStatus) {
- *out = *in
- return
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientStatus.
-func (in *OIDCClientStatus) DeepCopy() *OIDCClientStatus {
- if in == nil {
- return nil
- }
- out := new(OIDCClientStatus)
- in.DeepCopyInto(out)
- return out
-}
diff --git a/generated/1.19/apis/supervisor/virtual/oauth/doc.go b/generated/1.19/apis/supervisor/virtual/oauth/doc.go
deleted file mode 100644
index ca4e9a63..00000000
--- a/generated/1.19/apis/supervisor/virtual/oauth/doc.go
+++ /dev/null
@@ -1,8 +0,0 @@ -// Copyright 2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// +k8s:deepcopy-gen=package -// +groupName=oauth.virtual.supervisor.pinniped.dev - -// Package oauth is the internal version of the Pinniped virtual oauth API. -package oauth diff --git a/generated/1.19/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.conversion.go b/generated/1.19/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.conversion.go deleted file mode 100644 index ae93108c..00000000 --- a/generated/1.19/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.conversion.go +++ /dev/null 
@@ -1,131 +0,0 @@ -//go:build !ignore_autogenerated -// +build !ignore_autogenerated - -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by conversion-gen. DO NOT EDIT. - -package v1alpha1 - -import ( - oauth "go.pinniped.dev/generated/1.19/apis/supervisor/virtual/oauth" - conversion "k8s.io/apimachinery/pkg/conversion" - runtime "k8s.io/apimachinery/pkg/runtime" -) - -func init() { - localSchemeBuilder.Register(RegisterConversions) -} - -// RegisterConversions adds conversion functions to the given scheme. -// Public to allow building arbitrary schemes. -func RegisterConversions(s *runtime.Scheme) error { - if err := s.AddGeneratedConversionFunc((*OIDCClientSecretRequest)(nil), (*oauth.OIDCClientSecretRequest)(nil), func(a, b interface{}, scope conversion.Scope) error { - return Convert_v1alpha1_OIDCClientSecretRequest_To_oauth_OIDCClientSecretRequest(a.(*OIDCClientSecretRequest), b.(*oauth.OIDCClientSecretRequest), scope) - }); err != nil { - return err - } - if err := s.AddGeneratedConversionFunc((*oauth.OIDCClientSecretRequest)(nil), (*OIDCClientSecretRequest)(nil), func(a, b interface{}, scope conversion.Scope) error { - return Convert_oauth_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest(a.(*oauth.OIDCClientSecretRequest), b.(*OIDCClientSecretRequest), scope) - }); err != nil { - return err - } - if err := s.AddGeneratedConversionFunc((*OIDCClientSecretRequestSpec)(nil), (*oauth.OIDCClientSecretRequestSpec)(nil), func(a, b interface{}, scope conversion.Scope) error { - return Convert_v1alpha1_OIDCClientSecretRequestSpec_To_oauth_OIDCClientSecretRequestSpec(a.(*OIDCClientSecretRequestSpec), b.(*oauth.OIDCClientSecretRequestSpec), scope) - }); err != nil { - return err - } - if err := s.AddGeneratedConversionFunc((*oauth.OIDCClientSecretRequestSpec)(nil), (*OIDCClientSecretRequestSpec)(nil), func(a, b interface{}, scope conversion.Scope) error { - return 
Convert_oauth_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec(a.(*oauth.OIDCClientSecretRequestSpec), b.(*OIDCClientSecretRequestSpec), scope) - }); err != nil { - return err - } - if err := s.AddGeneratedConversionFunc((*OIDCClientSecretRequestStatus)(nil), (*oauth.OIDCClientSecretRequestStatus)(nil), func(a, b interface{}, scope conversion.Scope) error { - return Convert_v1alpha1_OIDCClientSecretRequestStatus_To_oauth_OIDCClientSecretRequestStatus(a.(*OIDCClientSecretRequestStatus), b.(*oauth.OIDCClientSecretRequestStatus), scope) - }); err != nil { - return err - } - if err := s.AddGeneratedConversionFunc((*oauth.OIDCClientSecretRequestStatus)(nil), (*OIDCClientSecretRequestStatus)(nil), func(a, b interface{}, scope conversion.Scope) error { - return Convert_oauth_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus(a.(*oauth.OIDCClientSecretRequestStatus), b.(*OIDCClientSecretRequestStatus), scope) - }); err != nil { - return err - } - return nil -} - -func autoConvert_v1alpha1_OIDCClientSecretRequest_To_oauth_OIDCClientSecretRequest(in *OIDCClientSecretRequest, out *oauth.OIDCClientSecretRequest, s conversion.Scope) error { - out.ObjectMeta = in.ObjectMeta - if err := Convert_v1alpha1_OIDCClientSecretRequestSpec_To_oauth_OIDCClientSecretRequestSpec(&in.Spec, &out.Spec, s); err != nil { - return err - } - if err := Convert_v1alpha1_OIDCClientSecretRequestStatus_To_oauth_OIDCClientSecretRequestStatus(&in.Status, &out.Status, s); err != nil { - return err - } - return nil -} - -// Convert_v1alpha1_OIDCClientSecretRequest_To_oauth_OIDCClientSecretRequest is an autogenerated conversion function. 
-func Convert_v1alpha1_OIDCClientSecretRequest_To_oauth_OIDCClientSecretRequest(in *OIDCClientSecretRequest, out *oauth.OIDCClientSecretRequest, s conversion.Scope) error { - return autoConvert_v1alpha1_OIDCClientSecretRequest_To_oauth_OIDCClientSecretRequest(in, out, s) -} - -func autoConvert_oauth_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest(in *oauth.OIDCClientSecretRequest, out *OIDCClientSecretRequest, s conversion.Scope) error { - out.ObjectMeta = in.ObjectMeta - if err := Convert_oauth_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec(&in.Spec, &out.Spec, s); err != nil { - return err - } - if err := Convert_oauth_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus(&in.Status, &out.Status, s); err != nil { - return err - } - return nil -} - -// Convert_oauth_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest is an autogenerated conversion function. -func Convert_oauth_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest(in *oauth.OIDCClientSecretRequest, out *OIDCClientSecretRequest, s conversion.Scope) error { - return autoConvert_oauth_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest(in, out, s) -} - -func autoConvert_v1alpha1_OIDCClientSecretRequestSpec_To_oauth_OIDCClientSecretRequestSpec(in *OIDCClientSecretRequestSpec, out *oauth.OIDCClientSecretRequestSpec, s conversion.Scope) error { - out.GenerateNewSecret = in.GenerateNewSecret - out.RevokeOldSecrets = in.RevokeOldSecrets - return nil -} - -// Convert_v1alpha1_OIDCClientSecretRequestSpec_To_oauth_OIDCClientSecretRequestSpec is an autogenerated conversion function. 
-func Convert_v1alpha1_OIDCClientSecretRequestSpec_To_oauth_OIDCClientSecretRequestSpec(in *OIDCClientSecretRequestSpec, out *oauth.OIDCClientSecretRequestSpec, s conversion.Scope) error { - return autoConvert_v1alpha1_OIDCClientSecretRequestSpec_To_oauth_OIDCClientSecretRequestSpec(in, out, s) -} - -func autoConvert_oauth_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec(in *oauth.OIDCClientSecretRequestSpec, out *OIDCClientSecretRequestSpec, s conversion.Scope) error { - out.GenerateNewSecret = in.GenerateNewSecret - out.RevokeOldSecrets = in.RevokeOldSecrets - return nil -} - -// Convert_oauth_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec is an autogenerated conversion function. -func Convert_oauth_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec(in *oauth.OIDCClientSecretRequestSpec, out *OIDCClientSecretRequestSpec, s conversion.Scope) error { - return autoConvert_oauth_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec(in, out, s) -} - -func autoConvert_v1alpha1_OIDCClientSecretRequestStatus_To_oauth_OIDCClientSecretRequestStatus(in *OIDCClientSecretRequestStatus, out *oauth.OIDCClientSecretRequestStatus, s conversion.Scope) error { - out.GeneratedSecret = in.GeneratedSecret - out.TotalClientSecrets = in.TotalClientSecrets - return nil -} - -// Convert_v1alpha1_OIDCClientSecretRequestStatus_To_oauth_OIDCClientSecretRequestStatus is an autogenerated conversion function. 
-func Convert_v1alpha1_OIDCClientSecretRequestStatus_To_oauth_OIDCClientSecretRequestStatus(in *OIDCClientSecretRequestStatus, out *oauth.OIDCClientSecretRequestStatus, s conversion.Scope) error { - return autoConvert_v1alpha1_OIDCClientSecretRequestStatus_To_oauth_OIDCClientSecretRequestStatus(in, out, s) -} - -func autoConvert_oauth_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus(in *oauth.OIDCClientSecretRequestStatus, out *OIDCClientSecretRequestStatus, s conversion.Scope) error { - out.GeneratedSecret = in.GeneratedSecret - out.TotalClientSecrets = in.TotalClientSecrets - return nil -} - -// Convert_oauth_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus is an autogenerated conversion function. -func Convert_oauth_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus(in *oauth.OIDCClientSecretRequestStatus, out *OIDCClientSecretRequestStatus, s conversion.Scope) error { - return autoConvert_oauth_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus(in, out, s) -} diff --git a/generated/1.19/client/supervisor/clientset/versioned/clientset.go b/generated/1.19/client/supervisor/clientset/versioned/clientset.go index 09f209c0..c163069e 100644 --- a/generated/1.19/client/supervisor/clientset/versioned/clientset.go +++ b/generated/1.19/client/supervisor/clientset/versioned/clientset.go @@ -8,9 +8,9 @@ package versioned import ( "fmt" + clientsecretv1alpha1 "go.pinniped.dev/generated/1.19/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1" configv1alpha1 "go.pinniped.dev/generated/1.19/client/supervisor/clientset/versioned/typed/config/v1alpha1" idpv1alpha1 "go.pinniped.dev/generated/1.19/client/supervisor/clientset/versioned/typed/idp/v1alpha1" - oauthv1alpha1 "go.pinniped.dev/generated/1.19/client/supervisor/clientset/versioned/typed/oauth/v1alpha1" discovery "k8s.io/client-go/discovery" rest "k8s.io/client-go/rest" flowcontrol "k8s.io/client-go/util/flowcontrol" 
@@ -18,18 +18,23 @@ import ( type Interface interface { Discovery() discovery.DiscoveryInterface + ClientsecretV1alpha1() clientsecretv1alpha1.ClientsecretV1alpha1Interface ConfigV1alpha1() configv1alpha1.ConfigV1alpha1Interface IDPV1alpha1() idpv1alpha1.IDPV1alpha1Interface - OauthV1alpha1() oauthv1alpha1.OauthV1alpha1Interface } // Clientset contains the clients for groups. Each group has exactly one // version included in a Clientset. type Clientset struct { *discovery.DiscoveryClient - configV1alpha1 *configv1alpha1.ConfigV1alpha1Client - iDPV1alpha1 *idpv1alpha1.IDPV1alpha1Client - oauthV1alpha1 *oauthv1alpha1.OauthV1alpha1Client + clientsecretV1alpha1 *clientsecretv1alpha1.ClientsecretV1alpha1Client + configV1alpha1 *configv1alpha1.ConfigV1alpha1Client + iDPV1alpha1 *idpv1alpha1.IDPV1alpha1Client +} + +// ClientsecretV1alpha1 retrieves the ClientsecretV1alpha1Client +func (c *Clientset) ClientsecretV1alpha1() clientsecretv1alpha1.ClientsecretV1alpha1Interface { + return c.clientsecretV1alpha1 } // ConfigV1alpha1 retrieves the ConfigV1alpha1Client @@ -42,11 +47,6 @@ func (c *Clientset) IDPV1alpha1() idpv1alpha1.IDPV1alpha1Interface { return c.iDPV1alpha1 } -// OauthV1alpha1 retrieves the OauthV1alpha1Client -func (c *Clientset) OauthV1alpha1() oauthv1alpha1.OauthV1alpha1Interface { - return c.oauthV1alpha1 -} - // Discovery retrieves the DiscoveryClient func (c *Clientset) Discovery() discovery.DiscoveryInterface { if c == nil { @@ -68,6 +68,10 @@ func NewForConfig(c *rest.Config) (*Clientset, error) { } var cs Clientset var err error + cs.clientsecretV1alpha1, err = clientsecretv1alpha1.NewForConfig(&configShallowCopy) + if err != nil { + return nil, err + } cs.configV1alpha1, err = configv1alpha1.NewForConfig(&configShallowCopy) if err != nil { return nil, err 
@@ -76,10 +80,6 @@ func NewForConfig(c *rest.Config) (*Clientset, error) { if err != nil { return nil, err } - cs.oauthV1alpha1, err = oauthv1alpha1.NewForConfig(&configShallowCopy) - if err != nil { - return nil, err - } cs.DiscoveryClient, err = discovery.NewDiscoveryClientForConfig(&configShallowCopy) if err != nil { @@ -92,9 +92,9 @@ func NewForConfig(c *rest.Config) (*Clientset, error) { // panics if there is an error in the config. func NewForConfigOrDie(c *rest.Config) *Clientset { var cs Clientset + cs.clientsecretV1alpha1 = clientsecretv1alpha1.NewForConfigOrDie(c) cs.configV1alpha1 = configv1alpha1.NewForConfigOrDie(c) cs.iDPV1alpha1 = idpv1alpha1.NewForConfigOrDie(c) - cs.oauthV1alpha1 = oauthv1alpha1.NewForConfigOrDie(c) cs.DiscoveryClient = discovery.NewDiscoveryClientForConfigOrDie(c) return &cs @@ -103,9 +103,9 @@ func NewForConfigOrDie(c *rest.Config) *Clientset { // New creates a new Clientset for the given RESTClient. func New(c rest.Interface) *Clientset { var cs Clientset + cs.clientsecretV1alpha1 = clientsecretv1alpha1.New(c) cs.configV1alpha1 = configv1alpha1.New(c) cs.iDPV1alpha1 = idpv1alpha1.New(c) - cs.oauthV1alpha1 = oauthv1alpha1.New(c) cs.DiscoveryClient = discovery.NewDiscoveryClient(c) return &cs diff --git a/generated/1.19/client/supervisor/clientset/versioned/fake/clientset_generated.go b/generated/1.19/client/supervisor/clientset/versioned/fake/clientset_generated.go index cc7334de..18e8b09d 100644 --- a/generated/1.19/client/supervisor/clientset/versioned/fake/clientset_generated.go +++ b/generated/1.19/client/supervisor/clientset/versioned/fake/clientset_generated.go 
@@ -7,12 +7,12 @@ package fake import ( clientset "go.pinniped.dev/generated/1.19/client/supervisor/clientset/versioned" + clientsecretv1alpha1 "go.pinniped.dev/generated/1.19/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1" + fakeclientsecretv1alpha1 "go.pinniped.dev/generated/1.19/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/fake" configv1alpha1 "go.pinniped.dev/generated/1.19/client/supervisor/clientset/versioned/typed/config/v1alpha1" fakeconfigv1alpha1 "go.pinniped.dev/generated/1.19/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake" idpv1alpha1 "go.pinniped.dev/generated/1.19/client/supervisor/clientset/versioned/typed/idp/v1alpha1" fakeidpv1alpha1 "go.pinniped.dev/generated/1.19/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake" - oauthv1alpha1 "go.pinniped.dev/generated/1.19/client/supervisor/clientset/versioned/typed/oauth/v1alpha1" - fakeoauthv1alpha1 "go.pinniped.dev/generated/1.19/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake" "k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/watch" "k8s.io/client-go/discovery" @@ -67,6 +67,11 @@ func (c *Clientset) Tracker() testing.ObjectTracker { var _ clientset.Interface = &Clientset{} +// ClientsecretV1alpha1 retrieves the ClientsecretV1alpha1Client +func (c *Clientset) ClientsecretV1alpha1() clientsecretv1alpha1.ClientsecretV1alpha1Interface { + return &fakeclientsecretv1alpha1.FakeClientsecretV1alpha1{Fake: &c.Fake} +} + // ConfigV1alpha1 retrieves the ConfigV1alpha1Client func (c *Clientset) ConfigV1alpha1() configv1alpha1.ConfigV1alpha1Interface { return &fakeconfigv1alpha1.FakeConfigV1alpha1{Fake: &c.Fake} 
@@ -76,8 +81,3 @@ func (c *Clientset) ConfigV1alpha1() configv1alpha1.ConfigV1alpha1Interface { func (c *Clientset) IDPV1alpha1() idpv1alpha1.IDPV1alpha1Interface { return &fakeidpv1alpha1.FakeIDPV1alpha1{Fake: &c.Fake} } - -// OauthV1alpha1 retrieves the OauthV1alpha1Client -func (c *Clientset) OauthV1alpha1() oauthv1alpha1.OauthV1alpha1Interface { - return &fakeoauthv1alpha1.FakeOauthV1alpha1{Fake: &c.Fake} -} diff --git a/generated/1.19/client/supervisor/clientset/versioned/fake/register.go b/generated/1.19/client/supervisor/clientset/versioned/fake/register.go index 31bd0f0b..639af836 100644 --- a/generated/1.19/client/supervisor/clientset/versioned/fake/register.go +++ b/generated/1.19/client/supervisor/clientset/versioned/fake/register.go @@ -6,9 +6,9 @@ package fake import ( + clientsecretv1alpha1 "go.pinniped.dev/generated/1.19/apis/supervisor/clientsecret/v1alpha1" configv1alpha1 "go.pinniped.dev/generated/1.19/apis/supervisor/config/v1alpha1" idpv1alpha1 "go.pinniped.dev/generated/1.19/apis/supervisor/idp/v1alpha1" - oauthv1alpha1 "go.pinniped.dev/generated/1.19/apis/supervisor/oauth/v1alpha1" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" runtime "k8s.io/apimachinery/pkg/runtime" schema "k8s.io/apimachinery/pkg/runtime/schema" @@ -20,9 +20,9 @@ var scheme = runtime.NewScheme() var codecs = serializer.NewCodecFactory(scheme) var localSchemeBuilder = runtime.SchemeBuilder{ + clientsecretv1alpha1.AddToScheme, configv1alpha1.AddToScheme, idpv1alpha1.AddToScheme, - oauthv1alpha1.AddToScheme, } // AddToScheme adds all types of this clientset into the given scheme. This allows composition diff --git a/generated/1.19/client/supervisor/clientset/versioned/scheme/register.go b/generated/1.19/client/supervisor/clientset/versioned/scheme/register.go index bd2ef62e..59c7435f 100644 --- a/generated/1.19/client/supervisor/clientset/versioned/scheme/register.go +++ b/generated/1.19/client/supervisor/clientset/versioned/scheme/register.go 
@@ -6,9 +6,9 @@ package scheme import ( + clientsecretv1alpha1 "go.pinniped.dev/generated/1.19/apis/supervisor/clientsecret/v1alpha1" configv1alpha1 "go.pinniped.dev/generated/1.19/apis/supervisor/config/v1alpha1" idpv1alpha1 "go.pinniped.dev/generated/1.19/apis/supervisor/idp/v1alpha1" - oauthv1alpha1 "go.pinniped.dev/generated/1.19/apis/supervisor/oauth/v1alpha1" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" runtime "k8s.io/apimachinery/pkg/runtime" schema "k8s.io/apimachinery/pkg/runtime/schema" @@ -20,9 +20,9 @@ var Scheme = runtime.NewScheme() var Codecs = serializer.NewCodecFactory(Scheme) var ParameterCodec = runtime.NewParameterCodec(Scheme) var localSchemeBuilder = runtime.SchemeBuilder{ + clientsecretv1alpha1.AddToScheme, configv1alpha1.AddToScheme, idpv1alpha1.AddToScheme, - oauthv1alpha1.AddToScheme, } // AddToScheme adds all types of this clientset into the given scheme. This allows composition diff --git a/generated/1.20/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go b/generated/1.19/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/clientsecret_client.go similarity index 51% rename from generated/1.20/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go rename to generated/1.19/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/clientsecret_client.go index 8141d975..dc1749cf 100644 --- a/generated/1.20/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go +++ b/generated/1.19/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/clientsecret_client.go 
@@ -6,27 +6,27 @@ package v1alpha1 import ( - v1alpha1 "go.pinniped.dev/generated/1.20/apis/supervisor/virtual/oauth/v1alpha1" - "go.pinniped.dev/generated/1.20/client/supervisor/virtual/clientset/versioned/scheme" + v1alpha1 "go.pinniped.dev/generated/1.19/apis/supervisor/clientsecret/v1alpha1" + "go.pinniped.dev/generated/1.19/client/supervisor/clientset/versioned/scheme" rest "k8s.io/client-go/rest" ) -type OauthV1alpha1Interface interface { +type ClientsecretV1alpha1Interface interface { RESTClient() rest.Interface OIDCClientSecretRequestsGetter } -// OauthV1alpha1Client is used to interact with features provided by the oauth.virtual.supervisor.pinniped.dev group. -type OauthV1alpha1Client struct { +// ClientsecretV1alpha1Client is used to interact with features provided by the clientsecret.supervisor.pinniped.dev group. +type ClientsecretV1alpha1Client struct { restClient rest.Interface } -func (c *OauthV1alpha1Client) OIDCClientSecretRequests(namespace string) OIDCClientSecretRequestInterface { +func (c *ClientsecretV1alpha1Client) OIDCClientSecretRequests(namespace string) OIDCClientSecretRequestInterface { return newOIDCClientSecretRequests(c, namespace) } -// NewForConfig creates a new OauthV1alpha1Client for the given config. -func NewForConfig(c *rest.Config) (*OauthV1alpha1Client, error) { +// NewForConfig creates a new ClientsecretV1alpha1Client for the given config. +func NewForConfig(c *rest.Config) (*ClientsecretV1alpha1Client, error) { config := *c if err := setConfigDefaults(&config); err != nil { return nil, err 
@@ -35,12 +35,12 @@ func NewForConfig(c *rest.Config) (*OauthV1alpha1Client, error) { if err != nil { return nil, err } - return &OauthV1alpha1Client{client}, nil + return &ClientsecretV1alpha1Client{client}, nil } -// NewForConfigOrDie creates a new OauthV1alpha1Client for the given config and +// NewForConfigOrDie creates a new ClientsecretV1alpha1Client for the given config and // panics if there is an error in the config. -func NewForConfigOrDie(c *rest.Config) *OauthV1alpha1Client { +func NewForConfigOrDie(c *rest.Config) *ClientsecretV1alpha1Client { client, err := NewForConfig(c) if err != nil { panic(err) @@ -48,9 +48,9 @@ func NewForConfigOrDie(c *rest.Config) *OauthV1alpha1Client { return client } -// New creates a new OauthV1alpha1Client for the given RESTClient. -func New(c rest.Interface) *OauthV1alpha1Client { - return &OauthV1alpha1Client{c} +// New creates a new ClientsecretV1alpha1Client for the given RESTClient. +func New(c rest.Interface) *ClientsecretV1alpha1Client { + return &ClientsecretV1alpha1Client{c} } func setConfigDefaults(config *rest.Config) error { @@ -68,7 +68,7 @@ func setConfigDefaults(config *rest.Config) error { // RESTClient returns a RESTClient that is used to communicate // with API server by this client implementation. -func (c *OauthV1alpha1Client) RESTClient() rest.Interface { +func (c *ClientsecretV1alpha1Client) RESTClient() rest.Interface { if c == nil { return nil } diff --git a/generated/1.18/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/doc.go b/generated/1.19/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/doc.go similarity index 100% rename from generated/1.18/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/doc.go rename to generated/1.19/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/doc.go 
diff --git a/generated/1.18/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go b/generated/1.19/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/fake/doc.go similarity index 100% rename from generated/1.18/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go rename to generated/1.19/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/fake/doc.go diff --git a/generated/1.19/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go b/generated/1.19/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/fake/fake_clientsecret_client.go similarity index 60% rename from generated/1.19/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go rename to generated/1.19/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/fake/fake_clientsecret_client.go index 9430b71b..3a526ea6 100644 --- a/generated/1.19/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go +++ b/generated/1.19/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/fake/fake_clientsecret_client.go 
@@ -6,22 +6,22 @@ package fake import ( - v1alpha1 "go.pinniped.dev/generated/1.19/client/supervisor/clientset/versioned/typed/oauth/v1alpha1" + v1alpha1 "go.pinniped.dev/generated/1.19/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1" rest "k8s.io/client-go/rest" testing "k8s.io/client-go/testing" ) -type FakeOauthV1alpha1 struct { +type FakeClientsecretV1alpha1 struct { *testing.Fake } -func (c *FakeOauthV1alpha1) OIDCClients(namespace string) v1alpha1.OIDCClientInterface { - return &FakeOIDCClients{c, namespace} +func (c *FakeClientsecretV1alpha1) OIDCClientSecretRequests(namespace string) v1alpha1.OIDCClientSecretRequestInterface { + return &FakeOIDCClientSecretRequests{c, namespace} } // RESTClient returns a RESTClient that is used to communicate // with API server by this client implementation. -func (c *FakeOauthV1alpha1) RESTClient() rest.Interface { +func (c *FakeClientsecretV1alpha1) RESTClient() rest.Interface { var ret *rest.RESTClient return ret } diff --git a/generated/1.21/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oidcclientsecretrequest.go b/generated/1.19/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/fake/fake_oidcclientsecretrequest.go similarity index 79% rename from generated/1.21/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oidcclientsecretrequest.go rename to generated/1.19/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/fake/fake_oidcclientsecretrequest.go index 28997757..1fbf5f2c 100644 --- a/generated/1.21/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oidcclientsecretrequest.go +++ b/generated/1.19/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/fake/fake_oidcclientsecretrequest.go 
@@ -8,7 +8,7 @@ package fake import ( "context" - v1alpha1 "go.pinniped.dev/generated/1.21/apis/supervisor/virtual/oauth/v1alpha1" + v1alpha1 "go.pinniped.dev/generated/1.19/apis/supervisor/clientsecret/v1alpha1" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" schema "k8s.io/apimachinery/pkg/runtime/schema" testing "k8s.io/client-go/testing" @@ -16,13 +16,13 @@ import ( // FakeOIDCClientSecretRequests implements OIDCClientSecretRequestInterface type FakeOIDCClientSecretRequests struct { - Fake *FakeOauthV1alpha1 + Fake *FakeClientsecretV1alpha1 ns string } -var oidcclientsecretrequestsResource = schema.GroupVersionResource{Group: "oauth.virtual.supervisor.pinniped.dev", Version: "v1alpha1", Resource: "oidcclientsecretrequests"} +var oidcclientsecretrequestsResource = schema.GroupVersionResource{Group: "clientsecret.supervisor.pinniped.dev", Version: "v1alpha1", Resource: "oidcclientsecretrequests"} -var oidcclientsecretrequestsKind = schema.GroupVersionKind{Group: "oauth.virtual.supervisor.pinniped.dev", Version: "v1alpha1", Kind: "OIDCClientSecretRequest"} +var oidcclientsecretrequestsKind = schema.GroupVersionKind{Group: "clientsecret.supervisor.pinniped.dev", Version: "v1alpha1", Kind: "OIDCClientSecretRequest"} // Create takes the representation of a oIDCClientSecretRequest and creates it. Returns the server's representation of the oIDCClientSecretRequest, and an error, if there is any. func (c *FakeOIDCClientSecretRequests) Create(ctx context.Context, oIDCClientSecretRequest *v1alpha1.OIDCClientSecretRequest, opts v1.CreateOptions) (result *v1alpha1.OIDCClientSecretRequest, err error) { 
diff --git a/generated/1.19/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go b/generated/1.19/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/generated_expansion.go similarity index 100% rename from generated/1.19/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go rename to generated/1.19/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/generated_expansion.go diff --git a/generated/1.18/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/oidcclientsecretrequest.go b/generated/1.19/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/oidcclientsecretrequest.go similarity index 86% rename from generated/1.18/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/oidcclientsecretrequest.go rename to generated/1.19/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/oidcclientsecretrequest.go index c4382045..2487d180 100644 --- a/generated/1.18/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/oidcclientsecretrequest.go +++ b/generated/1.19/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/oidcclientsecretrequest.go @@ -8,8 +8,8 @@ package v1alpha1 import ( "context" - v1alpha1 "go.pinniped.dev/generated/1.18/apis/supervisor/virtual/oauth/v1alpha1" - scheme "go.pinniped.dev/generated/1.18/client/supervisor/virtual/clientset/versioned/scheme" + v1alpha1 "go.pinniped.dev/generated/1.19/apis/supervisor/clientsecret/v1alpha1" + scheme "go.pinniped.dev/generated/1.19/client/supervisor/clientset/versioned/scheme" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" rest "k8s.io/client-go/rest" ) 
@@ -33,7 +33,7 @@ type oIDCClientSecretRequests struct { } // newOIDCClientSecretRequests returns a OIDCClientSecretRequests -func newOIDCClientSecretRequests(c *OauthV1alpha1Client, namespace string) *oIDCClientSecretRequests { +func newOIDCClientSecretRequests(c *ClientsecretV1alpha1Client, namespace string) *oIDCClientSecretRequests { return &oIDCClientSecretRequests{ client: c.RESTClient(), ns: namespace, diff --git a/generated/1.19/client/supervisor/clientset/versioned/typed/config/v1alpha1/config_client.go b/generated/1.19/client/supervisor/clientset/versioned/typed/config/v1alpha1/config_client.go index ecfa976c..b34ed0d7 100644 --- a/generated/1.19/client/supervisor/clientset/versioned/typed/config/v1alpha1/config_client.go +++ b/generated/1.19/client/supervisor/clientset/versioned/typed/config/v1alpha1/config_client.go @@ -14,6 +14,7 @@ import ( type ConfigV1alpha1Interface interface { RESTClient() rest.Interface FederationDomainsGetter + OIDCClientsGetter } // ConfigV1alpha1Client is used to interact with features provided by the config.supervisor.pinniped.dev group. @@ -25,6 +26,10 @@ func (c *ConfigV1alpha1Client) FederationDomains(namespace string) FederationDom return newFederationDomains(c, namespace) } +func (c *ConfigV1alpha1Client) OIDCClients(namespace string) OIDCClientInterface { + return newOIDCClients(c, namespace) +} + // NewForConfig creates a new ConfigV1alpha1Client for the given config. func NewForConfig(c *rest.Config) (*ConfigV1alpha1Client, error) { config := *c diff --git a/generated/1.19/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake/fake_config_client.go b/generated/1.19/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake/fake_config_client.go index c725f508..eb035c6e 100644 --- a/generated/1.19/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake/fake_config_client.go +++ b/generated/1.19/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake/fake_config_client.go 
@@ -19,6 +19,10 @@ func (c *FakeConfigV1alpha1) FederationDomains(namespace string) v1alpha1.Federa return &FakeFederationDomains{c, namespace} } +func (c *FakeConfigV1alpha1) OIDCClients(namespace string) v1alpha1.OIDCClientInterface { + return &FakeOIDCClients{c, namespace} +} + // RESTClient returns a RESTClient that is used to communicate // with API server by this client implementation. func (c *FakeConfigV1alpha1) RESTClient() rest.Interface { diff --git a/generated/1.18/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oidcclient.go b/generated/1.19/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake/fake_oidcclient.go similarity index 92% rename from generated/1.18/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oidcclient.go rename to generated/1.19/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake/fake_oidcclient.go index a177ce4a..ce4d4348 100644 --- a/generated/1.18/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oidcclient.go +++ b/generated/1.19/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake/fake_oidcclient.go @@ -8,7 +8,7 @@ package fake import ( "context" - v1alpha1 "go.pinniped.dev/generated/1.18/apis/supervisor/oauth/v1alpha1" + v1alpha1 "go.pinniped.dev/generated/1.19/apis/supervisor/config/v1alpha1" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" labels "k8s.io/apimachinery/pkg/labels" schema "k8s.io/apimachinery/pkg/runtime/schema" 
@@ -19,13 +19,13 @@ import ( // FakeOIDCClients implements OIDCClientInterface type FakeOIDCClients struct { - Fake *FakeOauthV1alpha1 + Fake *FakeConfigV1alpha1 ns string } -var oidcclientsResource = schema.GroupVersionResource{Group: "oauth.supervisor.pinniped.dev", Version: "v1alpha1", Resource: "oidcclients"} +var oidcclientsResource = schema.GroupVersionResource{Group: "config.supervisor.pinniped.dev", Version: "v1alpha1", Resource: "oidcclients"} -var oidcclientsKind = schema.GroupVersionKind{Group: "oauth.supervisor.pinniped.dev", Version: "v1alpha1", Kind: "OIDCClient"} +var oidcclientsKind = schema.GroupVersionKind{Group: "config.supervisor.pinniped.dev", Version: "v1alpha1", Kind: "OIDCClient"} // Get takes name of the oIDCClient, and returns the corresponding oIDCClient object, and an error if there is any. func (c *FakeOIDCClients) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.OIDCClient, err error) { diff --git a/generated/1.19/client/supervisor/clientset/versioned/typed/config/v1alpha1/generated_expansion.go b/generated/1.19/client/supervisor/clientset/versioned/typed/config/v1alpha1/generated_expansion.go index ba9c9173..35b9ee3d 100644 --- a/generated/1.19/client/supervisor/clientset/versioned/typed/config/v1alpha1/generated_expansion.go +++ b/generated/1.19/client/supervisor/clientset/versioned/typed/config/v1alpha1/generated_expansion.go @@ -6,3 +6,5 @@ package v1alpha1 type FederationDomainExpansion interface{} + +type OIDCClientExpansion interface{} diff --git a/generated/1.19/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oidcclient.go b/generated/1.19/client/supervisor/clientset/versioned/typed/config/v1alpha1/oidcclient.go similarity index 97% rename from generated/1.19/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oidcclient.go rename to generated/1.19/client/supervisor/clientset/versioned/typed/config/v1alpha1/oidcclient.go index 93cd5805..eff0aae4 100644 
--- a/generated/1.19/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oidcclient.go +++ b/generated/1.19/client/supervisor/clientset/versioned/typed/config/v1alpha1/oidcclient.go @@ -9,7 +9,7 @@ import ( "context" "time" - v1alpha1 "go.pinniped.dev/generated/1.19/apis/supervisor/oauth/v1alpha1" + v1alpha1 "go.pinniped.dev/generated/1.19/apis/supervisor/config/v1alpha1" scheme "go.pinniped.dev/generated/1.19/client/supervisor/clientset/versioned/scheme" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" types "k8s.io/apimachinery/pkg/types" @@ -44,7 +44,7 @@ type oIDCClients struct { } // newOIDCClients returns a OIDCClients -func newOIDCClients(c *OauthV1alpha1Client, namespace string) *oIDCClients { +func newOIDCClients(c *ConfigV1alpha1Client, namespace string) *oIDCClients { return &oIDCClients{ client: c.RESTClient(), ns: namespace, diff --git a/generated/1.19/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go b/generated/1.19/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go deleted file mode 100644 index 87d22ea9..00000000 --- a/generated/1.19/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go +++ /dev/null @@ -1,8 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by client-gen. DO NOT EDIT. - -package v1alpha1 - -type OIDCClientExpansion interface{} diff --git a/generated/1.19/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go b/generated/1.19/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go deleted file mode 100644 index 0e347f19..00000000 --- a/generated/1.19/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go +++ /dev/null 
@@ -1,76 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by client-gen. DO NOT EDIT. - -package v1alpha1 - -import ( - v1alpha1 "go.pinniped.dev/generated/1.19/apis/supervisor/oauth/v1alpha1" - "go.pinniped.dev/generated/1.19/client/supervisor/clientset/versioned/scheme" - rest "k8s.io/client-go/rest" -) - -type OauthV1alpha1Interface interface { - RESTClient() rest.Interface - OIDCClientsGetter -} - -// OauthV1alpha1Client is used to interact with features provided by the oauth.supervisor.pinniped.dev group. -type OauthV1alpha1Client struct { - restClient rest.Interface -} - -func (c *OauthV1alpha1Client) OIDCClients(namespace string) OIDCClientInterface { - return newOIDCClients(c, namespace) -} - -// NewForConfig creates a new OauthV1alpha1Client for the given config. -func NewForConfig(c *rest.Config) (*OauthV1alpha1Client, error) { - config := *c - if err := setConfigDefaults(&config); err != nil { - return nil, err - } - client, err := rest.RESTClientFor(&config) - if err != nil { - return nil, err - } - return &OauthV1alpha1Client{client}, nil -} - -// NewForConfigOrDie creates a new OauthV1alpha1Client for the given config and -// panics if there is an error in the config. -func NewForConfigOrDie(c *rest.Config) *OauthV1alpha1Client { - client, err := NewForConfig(c) - if err != nil { - panic(err) - } - return client -} - -// New creates a new OauthV1alpha1Client for the given RESTClient. 
-func New(c rest.Interface) *OauthV1alpha1Client { - return &OauthV1alpha1Client{c} -} - -func setConfigDefaults(config *rest.Config) error { - gv := v1alpha1.SchemeGroupVersion - config.GroupVersion = &gv - config.APIPath = "/apis" - config.NegotiatedSerializer = scheme.Codecs.WithoutConversion() - - if config.UserAgent == "" { - config.UserAgent = rest.DefaultKubernetesUserAgent() - } - - return nil -} - -// RESTClient returns a RESTClient that is used to communicate -// with API server by this client implementation. -func (c *OauthV1alpha1Client) RESTClient() rest.Interface { - if c == nil { - return nil - } - return c.restClient -} diff --git a/generated/1.19/client/supervisor/informers/externalversions/config/v1alpha1/interface.go b/generated/1.19/client/supervisor/informers/externalversions/config/v1alpha1/interface.go index 33b72e12..76ca860c 100644 --- a/generated/1.19/client/supervisor/informers/externalversions/config/v1alpha1/interface.go +++ b/generated/1.19/client/supervisor/informers/externalversions/config/v1alpha1/interface.go @@ -13,6 +13,8 @@ import ( type Interface interface { // FederationDomains returns a FederationDomainInformer. FederationDomains() FederationDomainInformer + // OIDCClients returns a OIDCClientInformer. + OIDCClients() OIDCClientInformer } type version struct { @@ -30,3 +32,8 @@ func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakList func (v *version) FederationDomains() FederationDomainInformer { return &federationDomainInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions} } + +// OIDCClients returns a OIDCClientInformer. +func (v *version) OIDCClients() OIDCClientInformer { + return &oIDCClientInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions} +} 
diff --git a/generated/1.19/client/supervisor/informers/externalversions/oauth/v1alpha1/oidcclient.go b/generated/1.19/client/supervisor/informers/externalversions/config/v1alpha1/oidcclient.go similarity index 88% rename from generated/1.19/client/supervisor/informers/externalversions/oauth/v1alpha1/oidcclient.go rename to generated/1.19/client/supervisor/informers/externalversions/config/v1alpha1/oidcclient.go index 749b0977..f1e4d5b9 100644 --- a/generated/1.19/client/supervisor/informers/externalversions/oauth/v1alpha1/oidcclient.go +++ b/generated/1.19/client/supervisor/informers/externalversions/config/v1alpha1/oidcclient.go @@ -9,10 +9,10 @@ import ( "context" time "time" - oauthv1alpha1 "go.pinniped.dev/generated/1.19/apis/supervisor/oauth/v1alpha1" + configv1alpha1 "go.pinniped.dev/generated/1.19/apis/supervisor/config/v1alpha1" versioned "go.pinniped.dev/generated/1.19/client/supervisor/clientset/versioned" internalinterfaces "go.pinniped.dev/generated/1.19/client/supervisor/informers/externalversions/internalinterfaces" - v1alpha1 "go.pinniped.dev/generated/1.19/client/supervisor/listers/oauth/v1alpha1" + v1alpha1 "go.pinniped.dev/generated/1.19/client/supervisor/listers/config/v1alpha1" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" runtime "k8s.io/apimachinery/pkg/runtime" watch "k8s.io/apimachinery/pkg/watch" 
@@ -49,16 +49,16 @@ func NewFilteredOIDCClientInformer(client versioned.Interface, namespace string, if tweakListOptions != nil { tweakListOptions(&options) } - return client.OauthV1alpha1().OIDCClients(namespace).List(context.TODO(), options) + return client.ConfigV1alpha1().OIDCClients(namespace).List(context.TODO(), options) }, WatchFunc: func(options v1.ListOptions) (watch.Interface, error) { if tweakListOptions != nil { tweakListOptions(&options) } - return client.OauthV1alpha1().OIDCClients(namespace).Watch(context.TODO(), options) + return client.ConfigV1alpha1().OIDCClients(namespace).Watch(context.TODO(), options) }, }, - &oauthv1alpha1.OIDCClient{}, + &configv1alpha1.OIDCClient{}, resyncPeriod, indexers, ) @@ -69,7 +69,7 @@ func (f *oIDCClientInformer) defaultInformer(client versioned.Interface, resyncP } func (f *oIDCClientInformer) Informer() cache.SharedIndexInformer { - return f.factory.InformerFor(&oauthv1alpha1.OIDCClient{}, f.defaultInformer) + return f.factory.InformerFor(&configv1alpha1.OIDCClient{}, f.defaultInformer) } func (f *oIDCClientInformer) Lister() v1alpha1.OIDCClientLister { diff --git a/generated/1.19/client/supervisor/informers/externalversions/factory.go b/generated/1.19/client/supervisor/informers/externalversions/factory.go index 90fff5ef..0ad18aae 100644 --- a/generated/1.19/client/supervisor/informers/externalversions/factory.go +++ b/generated/1.19/client/supervisor/informers/externalversions/factory.go 
@@ -14,7 +14,6 @@ import ( config "go.pinniped.dev/generated/1.19/client/supervisor/informers/externalversions/config" idp "go.pinniped.dev/generated/1.19/client/supervisor/informers/externalversions/idp" internalinterfaces "go.pinniped.dev/generated/1.19/client/supervisor/informers/externalversions/internalinterfaces" - oauth "go.pinniped.dev/generated/1.19/client/supervisor/informers/externalversions/oauth" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" runtime "k8s.io/apimachinery/pkg/runtime" schema "k8s.io/apimachinery/pkg/runtime/schema" @@ -163,7 +162,6 @@ type SharedInformerFactory interface { Config() config.Interface IDP() idp.Interface - Oauth() oauth.Interface } func (f *sharedInformerFactory) Config() config.Interface { @@ -173,7 +171,3 @@ func (f *sharedInformerFactory) Config() config.Interface { func (f *sharedInformerFactory) IDP() idp.Interface { return idp.New(f, f.namespace, f.tweakListOptions) } - -func (f *sharedInformerFactory) Oauth() oauth.Interface { - return oauth.New(f, f.namespace, f.tweakListOptions) -} diff --git a/generated/1.19/client/supervisor/informers/externalversions/generic.go b/generated/1.19/client/supervisor/informers/externalversions/generic.go index ffc852ca..6b246a62 100644 --- a/generated/1.19/client/supervisor/informers/externalversions/generic.go +++ b/generated/1.19/client/supervisor/informers/externalversions/generic.go @@ -10,7 +10,6 @@ import ( v1alpha1 "go.pinniped.dev/generated/1.19/apis/supervisor/config/v1alpha1" idpv1alpha1 "go.pinniped.dev/generated/1.19/apis/supervisor/idp/v1alpha1" - oauthv1alpha1 "go.pinniped.dev/generated/1.19/apis/supervisor/oauth/v1alpha1" schema "k8s.io/apimachinery/pkg/runtime/schema" cache "k8s.io/client-go/tools/cache" ) 
@@ -44,6 +43,8 @@ func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource // Group=config.supervisor.pinniped.dev, Version=v1alpha1 case v1alpha1.SchemeGroupVersion.WithResource("federationdomains"): return &genericInformer{resource: resource.GroupResource(), informer: f.Config().V1alpha1().FederationDomains().Informer()}, nil + case v1alpha1.SchemeGroupVersion.WithResource("oidcclients"): + return &genericInformer{resource: resource.GroupResource(), informer: f.Config().V1alpha1().OIDCClients().Informer()}, nil // Group=idp.supervisor.pinniped.dev, Version=v1alpha1 case idpv1alpha1.SchemeGroupVersion.WithResource("activedirectoryidentityproviders"): @@ -53,10 +54,6 @@ func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource case idpv1alpha1.SchemeGroupVersion.WithResource("oidcidentityproviders"): return &genericInformer{resource: resource.GroupResource(), informer: f.IDP().V1alpha1().OIDCIdentityProviders().Informer()}, nil - // Group=oauth.supervisor.pinniped.dev, Version=v1alpha1 - case oauthv1alpha1.SchemeGroupVersion.WithResource("oidcclients"): - return &genericInformer{resource: resource.GroupResource(), informer: f.Oauth().V1alpha1().OIDCClients().Informer()}, nil - } return nil, fmt.Errorf("no informer found for %v", resource) diff --git a/generated/1.19/client/supervisor/informers/externalversions/oauth/interface.go b/generated/1.19/client/supervisor/informers/externalversions/oauth/interface.go deleted file mode 100644 index 2b6d2943..00000000 --- a/generated/1.19/client/supervisor/informers/externalversions/oauth/interface.go +++ /dev/null 
@@ -1,33 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by informer-gen. DO NOT EDIT. - -package oauth - -import ( - internalinterfaces "go.pinniped.dev/generated/1.19/client/supervisor/informers/externalversions/internalinterfaces" - v1alpha1 "go.pinniped.dev/generated/1.19/client/supervisor/informers/externalversions/oauth/v1alpha1" -) - -// Interface provides access to each of this group's versions. -type Interface interface { - // V1alpha1 provides access to shared informers for resources in V1alpha1. - V1alpha1() v1alpha1.Interface -} - -type group struct { - factory internalinterfaces.SharedInformerFactory - namespace string - tweakListOptions internalinterfaces.TweakListOptionsFunc -} - -// New returns a new Interface. -func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakListOptions internalinterfaces.TweakListOptionsFunc) Interface { - return &group{factory: f, namespace: namespace, tweakListOptions: tweakListOptions} -} - -// V1alpha1 returns a new v1alpha1.Interface. -func (g *group) V1alpha1() v1alpha1.Interface { - return v1alpha1.New(g.factory, g.namespace, g.tweakListOptions) -} diff --git a/generated/1.19/client/supervisor/informers/externalversions/oauth/v1alpha1/interface.go b/generated/1.19/client/supervisor/informers/externalversions/oauth/v1alpha1/interface.go deleted file mode 100644 index 3db762a4..00000000 --- a/generated/1.19/client/supervisor/informers/externalversions/oauth/v1alpha1/interface.go +++ /dev/null 
@@ -1,32 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by informer-gen. DO NOT EDIT. - -package v1alpha1 - -import ( - internalinterfaces "go.pinniped.dev/generated/1.19/client/supervisor/informers/externalversions/internalinterfaces" -) - -// Interface provides access to all the informers in this group version. -type Interface interface { - // OIDCClients returns a OIDCClientInformer. - OIDCClients() OIDCClientInformer -} - -type version struct { - factory internalinterfaces.SharedInformerFactory - namespace string - tweakListOptions internalinterfaces.TweakListOptionsFunc -} - -// New returns a new Interface. -func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakListOptions internalinterfaces.TweakListOptionsFunc) Interface { - return &version{factory: f, namespace: namespace, tweakListOptions: tweakListOptions} -} - -// OIDCClients returns a OIDCClientInformer. -func (v *version) OIDCClients() OIDCClientInformer { - return &oIDCClientInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions} -} diff --git a/generated/1.19/client/supervisor/listers/config/v1alpha1/expansion_generated.go b/generated/1.19/client/supervisor/listers/config/v1alpha1/expansion_generated.go index d59892c4..bda2f20e 100644 --- a/generated/1.19/client/supervisor/listers/config/v1alpha1/expansion_generated.go +++ b/generated/1.19/client/supervisor/listers/config/v1alpha1/expansion_generated.go 
@@ -12,3 +12,11 @@ type FederationDomainListerExpansion interface{} // FederationDomainNamespaceListerExpansion allows custom methods to be added to // FederationDomainNamespaceLister. type FederationDomainNamespaceListerExpansion interface{} + +// OIDCClientListerExpansion allows custom methods to be added to +// OIDCClientLister. +type OIDCClientListerExpansion interface{} + +// OIDCClientNamespaceListerExpansion allows custom methods to be added to +// OIDCClientNamespaceLister. +type OIDCClientNamespaceListerExpansion interface{} diff --git a/generated/1.21/client/supervisor/listers/oauth/v1alpha1/oidcclient.go b/generated/1.19/client/supervisor/listers/config/v1alpha1/oidcclient.go similarity index 97% rename from generated/1.21/client/supervisor/listers/oauth/v1alpha1/oidcclient.go rename to generated/1.19/client/supervisor/listers/config/v1alpha1/oidcclient.go index ac6047cd..db99f57c 100644 --- a/generated/1.21/client/supervisor/listers/oauth/v1alpha1/oidcclient.go +++ b/generated/1.19/client/supervisor/listers/config/v1alpha1/oidcclient.go @@ -6,7 +6,7 @@ package v1alpha1 import ( - v1alpha1 "go.pinniped.dev/generated/1.21/apis/supervisor/oauth/v1alpha1" + v1alpha1 "go.pinniped.dev/generated/1.19/apis/supervisor/config/v1alpha1" "k8s.io/apimachinery/pkg/api/errors" "k8s.io/apimachinery/pkg/labels" "k8s.io/client-go/tools/cache" diff --git a/generated/1.19/client/supervisor/listers/oauth/v1alpha1/expansion_generated.go b/generated/1.19/client/supervisor/listers/oauth/v1alpha1/expansion_generated.go deleted file mode 100644 index c19310da..00000000 --- a/generated/1.19/client/supervisor/listers/oauth/v1alpha1/expansion_generated.go +++ /dev/null 
@@ -1,14 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by lister-gen. DO NOT EDIT. - -package v1alpha1 - -// OIDCClientListerExpansion allows custom methods to be added to -// OIDCClientLister. -type OIDCClientListerExpansion interface{} - -// OIDCClientNamespaceListerExpansion allows custom methods to be added to -// OIDCClientNamespaceLister. -type OIDCClientNamespaceListerExpansion interface{} diff --git a/generated/1.19/client/supervisor/virtual/clientset/versioned/clientset.go b/generated/1.19/client/supervisor/virtual/clientset/versioned/clientset.go deleted file mode 100644 index b4890903..00000000 --- a/generated/1.19/client/supervisor/virtual/clientset/versioned/clientset.go +++ /dev/null 
@@ -1,84 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by client-gen. DO NOT EDIT. - -package versioned - -import ( - "fmt" - - oauthv1alpha1 "go.pinniped.dev/generated/1.19/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1" - discovery "k8s.io/client-go/discovery" - rest "k8s.io/client-go/rest" - flowcontrol "k8s.io/client-go/util/flowcontrol" -) - -type Interface interface { - Discovery() discovery.DiscoveryInterface - OauthV1alpha1() oauthv1alpha1.OauthV1alpha1Interface -} - -// Clientset contains the clients for groups. Each group has exactly one -// version included in a Clientset. -type Clientset struct { - *discovery.DiscoveryClient - oauthV1alpha1 *oauthv1alpha1.OauthV1alpha1Client -} - -// OauthV1alpha1 retrieves the OauthV1alpha1Client -func (c *Clientset) OauthV1alpha1() oauthv1alpha1.OauthV1alpha1Interface { - return c.oauthV1alpha1 -} - -// Discovery retrieves the DiscoveryClient -func (c *Clientset) Discovery() discovery.DiscoveryInterface { - if c == nil { - return nil - } - return c.DiscoveryClient -} - -// NewForConfig creates a new Clientset for the given config. -// If config's RateLimiter is not set and QPS and Burst are acceptable, -// NewForConfig will generate a rate-limiter in configShallowCopy. 
-func NewForConfig(c *rest.Config) (*Clientset, error) { - configShallowCopy := *c - if configShallowCopy.RateLimiter == nil && configShallowCopy.QPS > 0 { - if configShallowCopy.Burst <= 0 { - return nil, fmt.Errorf("burst is required to be greater than 0 when RateLimiter is not set and QPS is set to greater than 0") - } - configShallowCopy.RateLimiter = flowcontrol.NewTokenBucketRateLimiter(configShallowCopy.QPS, configShallowCopy.Burst) - } - var cs Clientset - var err error - cs.oauthV1alpha1, err = oauthv1alpha1.NewForConfig(&configShallowCopy) - if err != nil { - return nil, err - } - - cs.DiscoveryClient, err = discovery.NewDiscoveryClientForConfig(&configShallowCopy) - if err != nil { - return nil, err - } - return &cs, nil -} - -// NewForConfigOrDie creates a new Clientset for the given config and -// panics if there is an error in the config. -func NewForConfigOrDie(c *rest.Config) *Clientset { - var cs Clientset - cs.oauthV1alpha1 = oauthv1alpha1.NewForConfigOrDie(c) - - cs.DiscoveryClient = discovery.NewDiscoveryClientForConfigOrDie(c) - return &cs -} - -// New creates a new Clientset for the given RESTClient. -func New(c rest.Interface) *Clientset { - var cs Clientset - cs.oauthV1alpha1 = oauthv1alpha1.New(c) - - cs.DiscoveryClient = discovery.NewDiscoveryClient(c) - return &cs -} diff --git a/generated/1.19/client/supervisor/virtual/clientset/versioned/doc.go b/generated/1.19/client/supervisor/virtual/clientset/versioned/doc.go deleted file mode 100644 index 5dc02e6e..00000000 --- a/generated/1.19/client/supervisor/virtual/clientset/versioned/doc.go +++ /dev/null @@ -1,7 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by client-gen. DO NOT EDIT. - -// This package has the automatically generated clientset. -package versioned 
diff --git a/generated/1.19/client/supervisor/virtual/clientset/versioned/fake/clientset_generated.go b/generated/1.19/client/supervisor/virtual/clientset/versioned/fake/clientset_generated.go deleted file mode 100644 index 3686b807..00000000 --- a/generated/1.19/client/supervisor/virtual/clientset/versioned/fake/clientset_generated.go +++ /dev/null 
@@ -1,69 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by client-gen. DO NOT EDIT. - -package fake - -import ( - clientset "go.pinniped.dev/generated/1.19/client/supervisor/virtual/clientset/versioned" - oauthv1alpha1 "go.pinniped.dev/generated/1.19/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1" - fakeoauthv1alpha1 "go.pinniped.dev/generated/1.19/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake" - "k8s.io/apimachinery/pkg/runtime" - "k8s.io/apimachinery/pkg/watch" - "k8s.io/client-go/discovery" - fakediscovery "k8s.io/client-go/discovery/fake" - "k8s.io/client-go/testing" -) - -// NewSimpleClientset returns a clientset that will respond with the provided objects. -// It's backed by a very simple object tracker that processes creates, updates and deletions as-is, -// without applying any validations and/or defaults. It shouldn't be considered a replacement -// for a real clientset and is mostly useful in simple unit tests. -func NewSimpleClientset(objects ...runtime.Object) *Clientset { - o := testing.NewObjectTracker(scheme, codecs.UniversalDecoder()) - for _, obj := range objects { - if err := o.Add(obj); err != nil { - panic(err) - } - } - - cs := &Clientset{tracker: o} - cs.discovery = &fakediscovery.FakeDiscovery{Fake: &cs.Fake} - cs.AddReactor("*", "*", testing.ObjectReaction(o)) - cs.AddWatchReactor("*", func(action testing.Action) (handled bool, ret watch.Interface, err error) { - gvr := action.GetResource() - ns := action.GetNamespace() - watch, err := o.Watch(gvr, ns) - if err != nil { - return false, nil, err - } - return true, watch, nil - }) - - return cs -} - -// Clientset implements clientset.Interface. Meant to be embedded into a -// struct to get a default implementation. This makes faking out just the method -// you want to test easier. 
-type Clientset struct { - testing.Fake - discovery *fakediscovery.FakeDiscovery - tracker testing.ObjectTracker -} - -func (c *Clientset) Discovery() discovery.DiscoveryInterface { - return c.discovery -} - -func (c *Clientset) Tracker() testing.ObjectTracker { - return c.tracker -} - -var _ clientset.Interface = &Clientset{} - -// OauthV1alpha1 retrieves the OauthV1alpha1Client -func (c *Clientset) OauthV1alpha1() oauthv1alpha1.OauthV1alpha1Interface { - return &fakeoauthv1alpha1.FakeOauthV1alpha1{Fake: &c.Fake} -} diff --git a/generated/1.19/client/supervisor/virtual/clientset/versioned/fake/doc.go b/generated/1.19/client/supervisor/virtual/clientset/versioned/fake/doc.go deleted file mode 100644 index 7c9538fd..00000000 --- a/generated/1.19/client/supervisor/virtual/clientset/versioned/fake/doc.go +++ /dev/null @@ -1,7 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by client-gen. DO NOT EDIT. - -// This package has the automatically generated fake clientset. -package fake diff --git a/generated/1.19/client/supervisor/virtual/clientset/versioned/fake/register.go b/generated/1.19/client/supervisor/virtual/clientset/versioned/fake/register.go deleted file mode 100644 index bec66892..00000000 --- a/generated/1.19/client/supervisor/virtual/clientset/versioned/fake/register.go +++ /dev/null 
@@ -1,43 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by client-gen. DO NOT EDIT. - -package fake - -import ( - oauthv1alpha1 "go.pinniped.dev/generated/1.19/apis/supervisor/virtual/oauth/v1alpha1" - v1 "k8s.io/apimachinery/pkg/apis/meta/v1" - runtime "k8s.io/apimachinery/pkg/runtime" - schema "k8s.io/apimachinery/pkg/runtime/schema" - serializer "k8s.io/apimachinery/pkg/runtime/serializer" - utilruntime "k8s.io/apimachinery/pkg/util/runtime" -) - -var scheme = runtime.NewScheme() -var codecs = serializer.NewCodecFactory(scheme) - -var localSchemeBuilder = runtime.SchemeBuilder{ - oauthv1alpha1.AddToScheme, -} - -// AddToScheme adds all types of this clientset into the given scheme. This allows composition -// of clientsets, like in: -// -// import ( -// "k8s.io/client-go/kubernetes" -// clientsetscheme "k8s.io/client-go/kubernetes/scheme" -// aggregatorclientsetscheme "k8s.io/kube-aggregator/pkg/client/clientset_generated/clientset/scheme" -// ) -// -// kclientset, _ := kubernetes.NewForConfig(c) -// _ = aggregatorclientsetscheme.AddToScheme(clientsetscheme.Scheme) -// -// After this, RawExtensions in Kubernetes types will serialize kube-aggregator types -// correctly. -var AddToScheme = localSchemeBuilder.AddToScheme - -func init() { - v1.AddToGroupVersion(scheme, schema.GroupVersion{Version: "v1"}) - utilruntime.Must(AddToScheme(scheme)) -} diff --git a/generated/1.19/client/supervisor/virtual/clientset/versioned/scheme/doc.go b/generated/1.19/client/supervisor/virtual/clientset/versioned/scheme/doc.go deleted file mode 100644 index cc02f1d3..00000000 --- a/generated/1.19/client/supervisor/virtual/clientset/versioned/scheme/doc.go +++ /dev/null 
@@ -1,7 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by client-gen. DO NOT EDIT. - -// This package contains the scheme of the automatically generated clientset. -package scheme diff --git a/generated/1.19/client/supervisor/virtual/clientset/versioned/scheme/register.go b/generated/1.19/client/supervisor/virtual/clientset/versioned/scheme/register.go deleted file mode 100644 index da92b144..00000000 --- a/generated/1.19/client/supervisor/virtual/clientset/versioned/scheme/register.go +++ /dev/null 
@@ -1,43 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by client-gen. DO NOT EDIT. - -package scheme - -import ( - oauthv1alpha1 "go.pinniped.dev/generated/1.19/apis/supervisor/virtual/oauth/v1alpha1" - v1 "k8s.io/apimachinery/pkg/apis/meta/v1" - runtime "k8s.io/apimachinery/pkg/runtime" - schema "k8s.io/apimachinery/pkg/runtime/schema" - serializer "k8s.io/apimachinery/pkg/runtime/serializer" - utilruntime "k8s.io/apimachinery/pkg/util/runtime" -) - -var Scheme = runtime.NewScheme() -var Codecs = serializer.NewCodecFactory(Scheme) -var ParameterCodec = runtime.NewParameterCodec(Scheme) -var localSchemeBuilder = runtime.SchemeBuilder{ - oauthv1alpha1.AddToScheme, -} - -// AddToScheme adds all types of this clientset into the given scheme. This allows composition -// of clientsets, like in: -// -// import ( -// "k8s.io/client-go/kubernetes" -// clientsetscheme "k8s.io/client-go/kubernetes/scheme" -// aggregatorclientsetscheme "k8s.io/kube-aggregator/pkg/client/clientset_generated/clientset/scheme" -// ) -// -// kclientset, _ := kubernetes.NewForConfig(c) -// _ = aggregatorclientsetscheme.AddToScheme(clientsetscheme.Scheme) -// -// After this, RawExtensions in Kubernetes types will serialize kube-aggregator types -// correctly. -var AddToScheme = localSchemeBuilder.AddToScheme - -func init() { - v1.AddToGroupVersion(Scheme, schema.GroupVersion{Version: "v1"}) - utilruntime.Must(AddToScheme(Scheme)) -} diff --git a/generated/1.19/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go b/generated/1.19/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go deleted file mode 100644 index 0220e89e..00000000 --- a/generated/1.19/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go +++ /dev/null 
@@ -1,27 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by client-gen. DO NOT EDIT. - -package fake - -import ( - v1alpha1 "go.pinniped.dev/generated/1.19/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1" - rest "k8s.io/client-go/rest" - testing "k8s.io/client-go/testing" -) - -type FakeOauthV1alpha1 struct { - *testing.Fake -} - -func (c *FakeOauthV1alpha1) OIDCClientSecretRequests(namespace string) v1alpha1.OIDCClientSecretRequestInterface { - return &FakeOIDCClientSecretRequests{c, namespace} -} - -// RESTClient returns a RESTClient that is used to communicate -// with API server by this client implementation. -func (c *FakeOauthV1alpha1) RESTClient() rest.Interface { - var ret *rest.RESTClient - return ret -} diff --git a/generated/1.19/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml b/generated/1.19/crds/config.supervisor.pinniped.dev_oidcclients.yaml similarity index 98% rename from generated/1.19/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml rename to generated/1.19/crds/config.supervisor.pinniped.dev_oidcclients.yaml index 589a9154..4efa445e 100644 --- a/generated/1.19/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml +++ b/generated/1.19/crds/config.supervisor.pinniped.dev_oidcclients.yaml @@ -5,9 +5,9 @@ metadata: annotations: controller-gen.kubebuilder.io/version: v0.8.0 creationTimestamp: null - name: oidcclients.oauth.supervisor.pinniped.dev + name: oidcclients.config.supervisor.pinniped.dev spec: - group: oauth.supervisor.pinniped.dev + group: config.supervisor.pinniped.dev names: categories: - pinniped diff --git a/generated/1.20/README.adoc b/generated/1.20/README.adoc index f58d5ad8..958b952c 100644 --- a/generated/1.20/README.adoc +++ b/generated/1.20/README.adoc 
@@ -6,15 +6,14 @@ .Packages - xref:{anchor_prefix}-authentication-concierge-pinniped-dev-v1alpha1[$$authentication.concierge.pinniped.dev/v1alpha1$$] +- xref:{anchor_prefix}-clientsecret-supervisor-pinniped-dev-clientsecret[$$clientsecret.supervisor.pinniped.dev/clientsecret$$] +- xref:{anchor_prefix}-clientsecret-supervisor-pinniped-dev-v1alpha1[$$clientsecret.supervisor.pinniped.dev/v1alpha1$$] - xref:{anchor_prefix}-config-concierge-pinniped-dev-v1alpha1[$$config.concierge.pinniped.dev/v1alpha1$$] - xref:{anchor_prefix}-config-supervisor-pinniped-dev-v1alpha1[$$config.supervisor.pinniped.dev/v1alpha1$$] - xref:{anchor_prefix}-identity-concierge-pinniped-dev-identity[$$identity.concierge.pinniped.dev/identity$$] - xref:{anchor_prefix}-identity-concierge-pinniped-dev-v1alpha1[$$identity.concierge.pinniped.dev/v1alpha1$$] - xref:{anchor_prefix}-idp-supervisor-pinniped-dev-v1alpha1[$$idp.supervisor.pinniped.dev/v1alpha1$$] - xref:{anchor_prefix}-login-concierge-pinniped-dev-v1alpha1[$$login.concierge.pinniped.dev/v1alpha1$$] -- xref:{anchor_prefix}-oauth-supervisor-pinniped-dev-v1alpha1[$$oauth.supervisor.pinniped.dev/v1alpha1$$] -- xref:{anchor_prefix}-oauth-virtual-supervisor-pinniped-dev-oauth[$$oauth.virtual.supervisor.pinniped.dev/oauth$$] -- xref:{anchor_prefix}-oauth-virtual-supervisor-pinniped-dev-v1alpha1[$$oauth.virtual.supervisor.pinniped.dev/v1alpha1$$] [id="{anchor_prefix}-authentication-concierge-pinniped-dev-v1alpha1"] 
@@ -213,6 +212,98 @@ Status of a webhook authenticator. +[id="{anchor_prefix}-clientsecret-supervisor-pinniped-dev-clientsecret"] +=== clientsecret.supervisor.pinniped.dev/clientsecret + +Package clientsecret is the internal version of the Pinniped client secret API. + + + + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-supervisor-clientsecret-oidcclientsecretrequestspec"] +==== OIDCClientSecretRequestSpec + + + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-supervisor-clientsecret-oidcclientsecretrequest[$$OIDCClientSecretRequest$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`generateNewSecret`* __boolean__ | +| *`revokeOldSecrets`* __boolean__ | +|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-supervisor-clientsecret-oidcclientsecretrequeststatus"] +==== OIDCClientSecretRequestStatus + + + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-supervisor-clientsecret-oidcclientsecretrequest[$$OIDCClientSecretRequest$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`generatedSecret`* __string__ | +| *`totalClientSecrets`* __integer__ | +|=== + + + +[id="{anchor_prefix}-clientsecret-supervisor-pinniped-dev-v1alpha1"] +=== clientsecret.supervisor.pinniped.dev/v1alpha1 + +Package v1alpha1 is the v1alpha1 version of the Pinniped client secret API. 
+ + + + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-supervisor-clientsecret-v1alpha1-oidcclientsecretrequestspec"] +==== OIDCClientSecretRequestSpec + + + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-supervisor-clientsecret-v1alpha1-oidcclientsecretrequest[$$OIDCClientSecretRequest$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`generateNewSecret`* __boolean__ | +| *`revokeOldSecrets`* __boolean__ | +|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-supervisor-clientsecret-v1alpha1-oidcclientsecretrequeststatus"] +==== OIDCClientSecretRequestStatus + + + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-supervisor-clientsecret-v1alpha1-oidcclientsecretrequest[$$OIDCClientSecretRequest$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`generatedSecret`* __string__ | +| *`totalClientSecrets`* __integer__ | +|=== + + + [id="{anchor_prefix}-config-concierge-pinniped-dev-v1alpha1"] === config.concierge.pinniped.dev/v1alpha1 
@@ -546,6 +637,51 @@ FederationDomainTLSSpec is a struct that describes the TLS configuration for an |=== +[id="{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-supervisor-config-v1alpha1-oidcclient"] +==== OIDCClient + +OIDCClient describes the configuration of an OIDC client. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-supervisor-config-v1alpha1-oidcclientlist[$$OIDCClientList$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.2/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`. + +| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-supervisor-config-v1alpha1-oidcclientspec[$$OIDCClientSpec$$]__ | Spec of the OIDC client. +| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-supervisor-config-v1alpha1-oidcclientstatus[$$OIDCClientStatus$$]__ | Status of the OIDC client. +|=== + + + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-supervisor-config-v1alpha1-oidcclientspec"] +==== OIDCClientSpec + +OIDCClientSpec is a struct that describes an OIDC Client. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-supervisor-config-v1alpha1-oidcclient[$$OIDCClient$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`allowedRedirectURIs`* __string array__ | allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this client. Any other uris will be rejected. Must be https, unless it is a loopback. +| *`allowedGrantTypes`* __GrantType array__ | allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this client. + Must only contain the following values: - authorization_code: allows the client to perform the authorization code grant flow, i.e. 
allows the webapp to authenticate users. This grant must always be listed. - refresh_token: allows the client to perform refresh grants for the user to extend the user's session. This grant must be listed if allowedScopes lists offline_access. - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. This grant must be listed if allowedScopes lists pinniped:request-audience. +| *`allowedScopes`* __Scope array__ | allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. + Must only contain the following values: - openid: The client is allowed to request ID tokens. ID tokens only include the required claims by default (iss, sub, aud, exp, iat). This scope must always be listed. - offline_access: The client is allowed to request an initial refresh token during the authorization code grant flow. This scope must be listed if allowedGrantTypes lists refresh_token. - pinniped:request-audience: The client is allowed to request a new audience value during a RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. openid, username and groups scopes must be listed when this scope is present. This scope must be listed if allowedGrantTypes lists urn:ietf:params:oauth:grant-type:token-exchange. - username: The client is allowed to request that ID tokens contain the user's username. Without the username scope being requested and allowed, the ID token will not contain the user's username. - groups: The client is allowed to request that ID tokens contain the user's group membership, if their group membership is discoverable by the Supervisor. Without the groups scope being requested and allowed, the ID token will not contain groups. 
+|=== + + + + [id="{anchor_prefix}-identity-concierge-pinniped-dev-identity"] === identity.concierge.pinniped.dev/identity 
@@ -1335,148 +1471,3 @@ TokenCredentialRequestStatus is the status of a TokenCredentialRequest, returned |=== - -[id="{anchor_prefix}-oauth-supervisor-pinniped-dev-v1alpha1"] -=== oauth.supervisor.pinniped.dev/v1alpha1 - -Package v1alpha1 is the v1alpha1 version of the Pinniped supervisor oauth API. - - - -[id="{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-supervisor-oauth-v1alpha1-oidcclient"] -==== OIDCClient - -OIDCClient describes the configuration of an OIDC client. - -.Appears In: -**** -- xref:{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-supervisor-oauth-v1alpha1-oidcclientlist[$$OIDCClientList$$] -**** - -[cols="25a,75a", options="header"] -|=== -| Field | Description -| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.2/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`. - -| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-supervisor-oauth-v1alpha1-oidcclientspec[$$OIDCClientSpec$$]__ | Spec of the OIDC client. -| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-supervisor-oauth-v1alpha1-oidcclientstatus[$$OIDCClientStatus$$]__ | Status of the OIDC client. -|=== - - - - -[id="{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-supervisor-oauth-v1alpha1-oidcclientspec"] -==== OIDCClientSpec - -OIDCClientSpec is a struct that describes an OIDC Client. - -.Appears In: -**** -- xref:{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-supervisor-oauth-v1alpha1-oidcclient[$$OIDCClient$$] -**** - -[cols="25a,75a", options="header"] -|=== -| Field | Description -| *`allowedRedirectURIs`* __string array__ | allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this client. Any other uris will be rejected. Must be https, unless it is a loopback. 
-| *`allowedGrantTypes`* __GrantType array__ | allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this client. - Must only contain the following values: - authorization_code: allows the client to perform the authorization code grant flow, i.e. allows the webapp to authenticate users. This grant must always be listed. - refresh_token: allows the client to perform refresh grants for the user to extend the user's session. This grant must be listed if allowedScopes lists offline_access. - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. This grant must be listed if allowedScopes lists pinniped:request-audience. -| *`allowedScopes`* __Scope array__ | allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. - Must only contain the following values: - openid: The client is allowed to request ID tokens. ID tokens only include the required claims by default (iss, sub, aud, exp, iat). This scope must always be listed. - offline_access: The client is allowed to request an initial refresh token during the authorization code grant flow. This scope must be listed if allowedGrantTypes lists refresh_token. - pinniped:request-audience: The client is allowed to request a new audience value during a RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. openid, username and groups scopes must be listed when this scope is present. This scope must be listed if allowedGrantTypes lists urn:ietf:params:oauth:grant-type:token-exchange. - username: The client is allowed to request that ID tokens contain the user's username. Without the username scope being requested and allowed, the ID token will not contain the user's username. 
- groups: The client is allowed to request that ID tokens contain the user's group membership, if their group membership is discoverable by the Supervisor. Without the groups scope being requested and allowed, the ID token will not contain groups. -|=== - - - - - -[id="{anchor_prefix}-oauth-virtual-supervisor-pinniped-dev-oauth"] -=== oauth.virtual.supervisor.pinniped.dev/oauth - -Package oauth is the internal version of the Pinniped virtual oauth API. - - - - - -[id="{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-supervisor-virtual-oauth-oidcclientsecretrequestspec"] -==== OIDCClientSecretRequestSpec - - - -.Appears In: -**** -- xref:{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-supervisor-virtual-oauth-oidcclientsecretrequest[$$OIDCClientSecretRequest$$] -**** - -[cols="25a,75a", options="header"] -|=== -| Field | Description -| *`generateNewSecret`* __boolean__ | -| *`revokeOldSecrets`* __boolean__ | -|=== - - -[id="{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-supervisor-virtual-oauth-oidcclientsecretrequeststatus"] -==== OIDCClientSecretRequestStatus - - - -.Appears In: -**** -- xref:{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-supervisor-virtual-oauth-oidcclientsecretrequest[$$OIDCClientSecretRequest$$] -**** - -[cols="25a,75a", options="header"] -|=== -| Field | Description -| *`generatedSecret`* __string__ | -| *`totalClientSecrets`* __integer__ | -|=== - - - -[id="{anchor_prefix}-oauth-virtual-supervisor-pinniped-dev-v1alpha1"] -=== oauth.virtual.supervisor.pinniped.dev/v1alpha1 - -Package v1alpha1 is the v1alpha1 version of the Pinniped virtual oauth API. 
- - - - - -[id="{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-supervisor-virtual-oauth-v1alpha1-oidcclientsecretrequestspec"] -==== OIDCClientSecretRequestSpec - - - -.Appears In: -**** -- xref:{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-supervisor-virtual-oauth-v1alpha1-oidcclientsecretrequest[$$OIDCClientSecretRequest$$] -**** - -[cols="25a,75a", options="header"] -|=== -| Field | Description -| *`generateNewSecret`* __boolean__ | -| *`revokeOldSecrets`* __boolean__ | -|=== - - -[id="{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-supervisor-virtual-oauth-v1alpha1-oidcclientsecretrequeststatus"] -==== OIDCClientSecretRequestStatus - - - -.Appears In: -**** -- xref:{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-supervisor-virtual-oauth-v1alpha1-oidcclientsecretrequest[$$OIDCClientSecretRequest$$] -**** - -[cols="25a,75a", options="header"] -|=== -| Field | Description -| *`generatedSecret`* __string__ | -| *`totalClientSecrets`* __integer__ | -|=== - - diff --git a/generated/1.20/apis/supervisor/clientsecret/doc.go b/generated/1.20/apis/supervisor/clientsecret/doc.go new file mode 100644 index 00000000..c536bc75 --- /dev/null +++ b/generated/1.20/apis/supervisor/clientsecret/doc.go @@ -0,0 +1,8 @@ +// Copyright 2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// +k8s:deepcopy-gen=package +// +groupName=clientsecret.supervisor.pinniped.dev + +// Package clientsecret is the internal version of the Pinniped client secret API. +package clientsecret diff --git a/generated/1.20/apis/supervisor/virtual/oauth/register.go b/generated/1.20/apis/supervisor/clientsecret/register.go similarity index 93% rename from generated/1.20/apis/supervisor/virtual/oauth/register.go rename to generated/1.20/apis/supervisor/clientsecret/register.go index a238d85f..4a1c0173 100644 --- a/generated/1.20/apis/supervisor/virtual/oauth/register.go +++ b/generated/1.20/apis/supervisor/clientsecret/register.go 
@@ -1,14 +1,14 @@
 // Copyright 2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
-package oauth
+package clientsecret
 
 import (
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/runtime/schema"
 )
 
-const GroupName = "oauth.virtual.supervisor.pinniped.dev"
+const GroupName = "clientsecret.supervisor.pinniped.dev"
 
 // SchemeGroupVersion is group version used to register these objects.
 var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: runtime.APIVersionInternal}
diff --git a/generated/1.18/apis/supervisor/virtual/oauth/types_oidcclientsecretrequest.go b/generated/1.20/apis/supervisor/clientsecret/types_oidcclientsecretrequest.go
similarity index 97%
rename from generated/1.18/apis/supervisor/virtual/oauth/types_oidcclientsecretrequest.go
rename to generated/1.20/apis/supervisor/clientsecret/types_oidcclientsecretrequest.go
index ac54a93c..7fd1eb65 100644
--- a/generated/1.18/apis/supervisor/virtual/oauth/types_oidcclientsecretrequest.go
+++ b/generated/1.20/apis/supervisor/clientsecret/types_oidcclientsecretrequest.go
@@ -1,7 +1,7 @@
 // Copyright 2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
-package oauth
+package clientsecret
 
 import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
diff --git a/generated/1.20/apis/supervisor/virtual/oauth/v1alpha1/conversion.go b/generated/1.20/apis/supervisor/clientsecret/v1alpha1/conversion.go
similarity index 100%
rename from generated/1.20/apis/supervisor/virtual/oauth/v1alpha1/conversion.go
rename to generated/1.20/apis/supervisor/clientsecret/v1alpha1/conversion.go
diff --git a/generated/1.20/apis/supervisor/virtual/oauth/v1alpha1/defaults.go b/generated/1.20/apis/supervisor/clientsecret/v1alpha1/defaults.go
similarity index 100%
rename from generated/1.20/apis/supervisor/virtual/oauth/v1alpha1/defaults.go
rename to generated/1.20/apis/supervisor/clientsecret/v1alpha1/defaults.go
diff --git a/generated/1.20/apis/supervisor/virtual/oauth/v1alpha1/doc.go b/generated/1.20/apis/supervisor/clientsecret/v1alpha1/doc.go
similarity index 64%
rename from generated/1.20/apis/supervisor/virtual/oauth/v1alpha1/doc.go
rename to generated/1.20/apis/supervisor/clientsecret/v1alpha1/doc.go
index 009dec5a..2c270252 100644
--- a/generated/1.20/apis/supervisor/virtual/oauth/v1alpha1/doc.go
+++ b/generated/1.20/apis/supervisor/clientsecret/v1alpha1/doc.go
@@ -3,9 +3,9 @@
 
 // +k8s:openapi-gen=true
 // +k8s:deepcopy-gen=package
-// +k8s:conversion-gen=go.pinniped.dev/generated/1.20/apis/supervisor/virtual/oauth
+// +k8s:conversion-gen=go.pinniped.dev/generated/1.20/apis/supervisor/clientsecret
 // +k8s:defaulter-gen=TypeMeta
-// +groupName=oauth.virtual.supervisor.pinniped.dev
+// +groupName=clientsecret.supervisor.pinniped.dev
 
-// Package v1alpha1 is the v1alpha1 version of the Pinniped virtual oauth API.
+// Package v1alpha1 is the v1alpha1 version of the Pinniped client secret API.
 package v1alpha1
diff --git a/generated/1.17/apis/supervisor/virtual/oauth/v1alpha1/register.go b/generated/1.20/apis/supervisor/clientsecret/v1alpha1/register.go
similarity index 95%
rename from generated/1.17/apis/supervisor/virtual/oauth/v1alpha1/register.go
rename to generated/1.20/apis/supervisor/clientsecret/v1alpha1/register.go
index ecc75a08..49602125 100644
--- a/generated/1.17/apis/supervisor/virtual/oauth/v1alpha1/register.go
+++ b/generated/1.20/apis/supervisor/clientsecret/v1alpha1/register.go
@@ -9,7 +9,7 @@ import (
 	"k8s.io/apimachinery/pkg/runtime/schema"
 )
 
-const GroupName = "oauth.virtual.supervisor.pinniped.dev"
+const GroupName = "clientsecret.supervisor.pinniped.dev"
 
 // SchemeGroupVersion is group version used to register these objects.
 var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha1"}
diff --git a/generated/1.20/apis/supervisor/virtual/oauth/v1alpha1/types_oidcclientsecretrequest.go b/generated/1.20/apis/supervisor/clientsecret/v1alpha1/types_oidcclientsecretrequest.go
similarity index 100%
rename from generated/1.20/apis/supervisor/virtual/oauth/v1alpha1/types_oidcclientsecretrequest.go
rename to generated/1.20/apis/supervisor/clientsecret/v1alpha1/types_oidcclientsecretrequest.go
diff --git a/generated/1.20/apis/supervisor/clientsecret/v1alpha1/zz_generated.conversion.go b/generated/1.20/apis/supervisor/clientsecret/v1alpha1/zz_generated.conversion.go
new file mode 100644
index 00000000..f33c9a56
--- /dev/null
+++ b/generated/1.20/apis/supervisor/clientsecret/v1alpha1/zz_generated.conversion.go
@@ -0,0 +1,131 @@ +//go:build !ignore_autogenerated +// +build !ignore_autogenerated + +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by conversion-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + clientsecret "go.pinniped.dev/generated/1.20/apis/supervisor/clientsecret" + conversion "k8s.io/apimachinery/pkg/conversion" + runtime "k8s.io/apimachinery/pkg/runtime" +) + +func init() { + localSchemeBuilder.Register(RegisterConversions) +} + +// RegisterConversions adds conversion functions to the given scheme. +// Public to allow building arbitrary schemes. +func RegisterConversions(s *runtime.Scheme) error { + if err := s.AddGeneratedConversionFunc((*OIDCClientSecretRequest)(nil), (*clientsecret.OIDCClientSecretRequest)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_v1alpha1_OIDCClientSecretRequest_To_clientsecret_OIDCClientSecretRequest(a.(*OIDCClientSecretRequest), b.(*clientsecret.OIDCClientSecretRequest), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*clientsecret.OIDCClientSecretRequest)(nil), (*OIDCClientSecretRequest)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_clientsecret_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest(a.(*clientsecret.OIDCClientSecretRequest), b.(*OIDCClientSecretRequest), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*OIDCClientSecretRequestSpec)(nil), (*clientsecret.OIDCClientSecretRequestSpec)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_v1alpha1_OIDCClientSecretRequestSpec_To_clientsecret_OIDCClientSecretRequestSpec(a.(*OIDCClientSecretRequestSpec), b.(*clientsecret.OIDCClientSecretRequestSpec), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*clientsecret.OIDCClientSecretRequestSpec)(nil), (*OIDCClientSecretRequestSpec)(nil), 
func(a, b interface{}, scope conversion.Scope) error { + return Convert_clientsecret_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec(a.(*clientsecret.OIDCClientSecretRequestSpec), b.(*OIDCClientSecretRequestSpec), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*OIDCClientSecretRequestStatus)(nil), (*clientsecret.OIDCClientSecretRequestStatus)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_v1alpha1_OIDCClientSecretRequestStatus_To_clientsecret_OIDCClientSecretRequestStatus(a.(*OIDCClientSecretRequestStatus), b.(*clientsecret.OIDCClientSecretRequestStatus), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*clientsecret.OIDCClientSecretRequestStatus)(nil), (*OIDCClientSecretRequestStatus)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_clientsecret_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus(a.(*clientsecret.OIDCClientSecretRequestStatus), b.(*OIDCClientSecretRequestStatus), scope) + }); err != nil { + return err + } + return nil +} + +func autoConvert_v1alpha1_OIDCClientSecretRequest_To_clientsecret_OIDCClientSecretRequest(in *OIDCClientSecretRequest, out *clientsecret.OIDCClientSecretRequest, s conversion.Scope) error { + out.ObjectMeta = in.ObjectMeta + if err := Convert_v1alpha1_OIDCClientSecretRequestSpec_To_clientsecret_OIDCClientSecretRequestSpec(&in.Spec, &out.Spec, s); err != nil { + return err + } + if err := Convert_v1alpha1_OIDCClientSecretRequestStatus_To_clientsecret_OIDCClientSecretRequestStatus(&in.Status, &out.Status, s); err != nil { + return err + } + return nil +} + +// Convert_v1alpha1_OIDCClientSecretRequest_To_clientsecret_OIDCClientSecretRequest is an autogenerated conversion function. 
+func Convert_v1alpha1_OIDCClientSecretRequest_To_clientsecret_OIDCClientSecretRequest(in *OIDCClientSecretRequest, out *clientsecret.OIDCClientSecretRequest, s conversion.Scope) error { + return autoConvert_v1alpha1_OIDCClientSecretRequest_To_clientsecret_OIDCClientSecretRequest(in, out, s) +} + +func autoConvert_clientsecret_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest(in *clientsecret.OIDCClientSecretRequest, out *OIDCClientSecretRequest, s conversion.Scope) error { + out.ObjectMeta = in.ObjectMeta + if err := Convert_clientsecret_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec(&in.Spec, &out.Spec, s); err != nil { + return err + } + if err := Convert_clientsecret_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus(&in.Status, &out.Status, s); err != nil { + return err + } + return nil +} + +// Convert_clientsecret_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest is an autogenerated conversion function. +func Convert_clientsecret_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest(in *clientsecret.OIDCClientSecretRequest, out *OIDCClientSecretRequest, s conversion.Scope) error { + return autoConvert_clientsecret_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest(in, out, s) +} + +func autoConvert_v1alpha1_OIDCClientSecretRequestSpec_To_clientsecret_OIDCClientSecretRequestSpec(in *OIDCClientSecretRequestSpec, out *clientsecret.OIDCClientSecretRequestSpec, s conversion.Scope) error { + out.GenerateNewSecret = in.GenerateNewSecret + out.RevokeOldSecrets = in.RevokeOldSecrets + return nil +} + +// Convert_v1alpha1_OIDCClientSecretRequestSpec_To_clientsecret_OIDCClientSecretRequestSpec is an autogenerated conversion function. 
+func Convert_v1alpha1_OIDCClientSecretRequestSpec_To_clientsecret_OIDCClientSecretRequestSpec(in *OIDCClientSecretRequestSpec, out *clientsecret.OIDCClientSecretRequestSpec, s conversion.Scope) error { + return autoConvert_v1alpha1_OIDCClientSecretRequestSpec_To_clientsecret_OIDCClientSecretRequestSpec(in, out, s) +} + +func autoConvert_clientsecret_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec(in *clientsecret.OIDCClientSecretRequestSpec, out *OIDCClientSecretRequestSpec, s conversion.Scope) error { + out.GenerateNewSecret = in.GenerateNewSecret + out.RevokeOldSecrets = in.RevokeOldSecrets + return nil +} + +// Convert_clientsecret_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec is an autogenerated conversion function. +func Convert_clientsecret_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec(in *clientsecret.OIDCClientSecretRequestSpec, out *OIDCClientSecretRequestSpec, s conversion.Scope) error { + return autoConvert_clientsecret_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec(in, out, s) +} + +func autoConvert_v1alpha1_OIDCClientSecretRequestStatus_To_clientsecret_OIDCClientSecretRequestStatus(in *OIDCClientSecretRequestStatus, out *clientsecret.OIDCClientSecretRequestStatus, s conversion.Scope) error { + out.GeneratedSecret = in.GeneratedSecret + out.TotalClientSecrets = in.TotalClientSecrets + return nil +} + +// Convert_v1alpha1_OIDCClientSecretRequestStatus_To_clientsecret_OIDCClientSecretRequestStatus is an autogenerated conversion function. 
+func Convert_v1alpha1_OIDCClientSecretRequestStatus_To_clientsecret_OIDCClientSecretRequestStatus(in *OIDCClientSecretRequestStatus, out *clientsecret.OIDCClientSecretRequestStatus, s conversion.Scope) error { + return autoConvert_v1alpha1_OIDCClientSecretRequestStatus_To_clientsecret_OIDCClientSecretRequestStatus(in, out, s) +} + +func autoConvert_clientsecret_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus(in *clientsecret.OIDCClientSecretRequestStatus, out *OIDCClientSecretRequestStatus, s conversion.Scope) error { + out.GeneratedSecret = in.GeneratedSecret + out.TotalClientSecrets = in.TotalClientSecrets + return nil +} + +// Convert_clientsecret_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus is an autogenerated conversion function. +func Convert_clientsecret_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus(in *clientsecret.OIDCClientSecretRequestStatus, out *OIDCClientSecretRequestStatus, s conversion.Scope) error { + return autoConvert_clientsecret_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus(in, out, s) +} diff --git a/generated/1.20/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.deepcopy.go b/generated/1.20/apis/supervisor/clientsecret/v1alpha1/zz_generated.deepcopy.go similarity index 100% rename from generated/1.20/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.deepcopy.go rename to generated/1.20/apis/supervisor/clientsecret/v1alpha1/zz_generated.deepcopy.go diff --git a/generated/1.20/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.defaults.go b/generated/1.20/apis/supervisor/clientsecret/v1alpha1/zz_generated.defaults.go similarity index 100% rename from generated/1.20/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.defaults.go rename to generated/1.20/apis/supervisor/clientsecret/v1alpha1/zz_generated.defaults.go 
diff --git a/generated/1.18/apis/supervisor/virtual/oauth/zz_generated.deepcopy.go b/generated/1.20/apis/supervisor/clientsecret/zz_generated.deepcopy.go
similarity index 99%
rename from generated/1.18/apis/supervisor/virtual/oauth/zz_generated.deepcopy.go
rename to generated/1.20/apis/supervisor/clientsecret/zz_generated.deepcopy.go
index 24b58e7b..e0dc7d68 100644
--- a/generated/1.18/apis/supervisor/virtual/oauth/zz_generated.deepcopy.go
+++ b/generated/1.20/apis/supervisor/clientsecret/zz_generated.deepcopy.go
@@ -6,7 +6,7 @@
 
 // Code generated by deepcopy-gen. DO NOT EDIT.
 
-package oauth
+package clientsecret
 
 import (
 	runtime "k8s.io/apimachinery/pkg/runtime"
diff --git a/generated/1.20/apis/supervisor/config/v1alpha1/register.go b/generated/1.20/apis/supervisor/config/v1alpha1/register.go
index 69045298..54c51699 100644
--- a/generated/1.20/apis/supervisor/config/v1alpha1/register.go
+++ b/generated/1.20/apis/supervisor/config/v1alpha1/register.go
@@ -32,6 +32,8 @@ func addKnownTypes(scheme *runtime.Scheme) error {
 	scheme.AddKnownTypes(SchemeGroupVersion,
 		&FederationDomain{},
 		&FederationDomainList{},
+		&OIDCClient{},
+		&OIDCClientList{},
 	)
 	metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
 	return nil
diff --git a/generated/1.20/apis/supervisor/oauth/v1alpha1/types_oidcclient.go b/generated/1.20/apis/supervisor/config/v1alpha1/types_oidcclient.go
similarity index 100%
rename from generated/1.20/apis/supervisor/oauth/v1alpha1/types_oidcclient.go
rename to generated/1.20/apis/supervisor/config/v1alpha1/types_oidcclient.go
diff --git a/generated/1.20/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go b/generated/1.20/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go
index 856b8988..a55d88e7 100644
--- a/generated/1.20/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go
+++ b/generated/1.20/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go
@@ -150,3 +150,111 @@ func (in *FederationDomainTLSSpec) DeepCopy() *FederationDomainTLSSpec { in.DeepCopyInto(out) return out } + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCClient) DeepCopyInto(out *OIDCClient) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + in.Spec.DeepCopyInto(&out.Spec) + out.Status = in.Status + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClient. +func (in *OIDCClient) DeepCopy() *OIDCClient { + if in == nil { + return nil + } + out := new(OIDCClient) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *OIDCClient) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCClientList) DeepCopyInto(out *OIDCClientList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]OIDCClient, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientList. +func (in *OIDCClientList) DeepCopy() *OIDCClientList { + if in == nil { + return nil + } + out := new(OIDCClientList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *OIDCClientList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. 
in must be non-nil. +func (in *OIDCClientSpec) DeepCopyInto(out *OIDCClientSpec) { + *out = *in + if in.AllowedRedirectURIs != nil { + in, out := &in.AllowedRedirectURIs, &out.AllowedRedirectURIs + *out = make([]string, len(*in)) + copy(*out, *in) + } + if in.AllowedGrantTypes != nil { + in, out := &in.AllowedGrantTypes, &out.AllowedGrantTypes + *out = make([]GrantType, len(*in)) + copy(*out, *in) + } + if in.AllowedScopes != nil { + in, out := &in.AllowedScopes, &out.AllowedScopes + *out = make([]Scope, len(*in)) + copy(*out, *in) + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSpec. +func (in *OIDCClientSpec) DeepCopy() *OIDCClientSpec { + if in == nil { + return nil + } + out := new(OIDCClientSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCClientStatus) DeepCopyInto(out *OIDCClientStatus) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientStatus. +func (in *OIDCClientStatus) DeepCopy() *OIDCClientStatus { + if in == nil { + return nil + } + out := new(OIDCClientStatus) + in.DeepCopyInto(out) + return out +} diff --git a/generated/1.20/apis/supervisor/oauth/v1alpha1/doc.go b/generated/1.20/apis/supervisor/oauth/v1alpha1/doc.go deleted file mode 100644 index 75580481..00000000 --- a/generated/1.20/apis/supervisor/oauth/v1alpha1/doc.go +++ /dev/null @@ -1,10 +0,0 @@ -// Copyright 2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// +k8s:openapi-gen=true -// +k8s:deepcopy-gen=package -// +k8s:defaulter-gen=TypeMeta -// +groupName=oauth.supervisor.pinniped.dev - -// Package v1alpha1 is the v1alpha1 version of the Pinniped supervisor oauth API. -package v1alpha1 
diff --git a/generated/1.20/apis/supervisor/oauth/v1alpha1/register.go b/generated/1.20/apis/supervisor/oauth/v1alpha1/register.go
deleted file mode 100644
index 37ae1fbf..00000000
--- a/generated/1.20/apis/supervisor/oauth/v1alpha1/register.go
+++ /dev/null
@@ -1,43 +0,0 @@
-// Copyright 2022 the Pinniped contributors. All Rights Reserved.
-// SPDX-License-Identifier: Apache-2.0
-
-package v1alpha1
-
-import (
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/apimachinery/pkg/runtime"
-	"k8s.io/apimachinery/pkg/runtime/schema"
-)
-
-const GroupName = "oauth.supervisor.pinniped.dev"
-
-// SchemeGroupVersion is group version used to register these objects.
-var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha1"}
-
-var (
-	SchemeBuilder runtime.SchemeBuilder
-	localSchemeBuilder = &SchemeBuilder
-	AddToScheme = localSchemeBuilder.AddToScheme
-)
-
-func init() {
-	// We only register manually written functions here. The registration of the
-	// generated functions takes place in the generated files. The separation
-	// makes the code compile even when the generated files are missing.
-	localSchemeBuilder.Register(addKnownTypes)
-}
-
-// Adds the list of known types to the given scheme.
-func addKnownTypes(scheme *runtime.Scheme) error {
-	scheme.AddKnownTypes(SchemeGroupVersion,
-		&OIDCClient{},
-		&OIDCClientList{},
-	)
-	metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
-	return nil
-}
-
-// Resource takes an unqualified resource and returns a Group qualified GroupResource.
-func Resource(resource string) schema.GroupResource {
-	return SchemeGroupVersion.WithResource(resource).GroupResource()
-}
diff --git a/generated/1.20/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go b/generated/1.20/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go
deleted file mode 100644
index 1aba8aea..00000000
--- a/generated/1.20/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go
+++ /dev/null
@@ -1,121 +0,0 @@ -//go:build !ignore_autogenerated -// +build !ignore_autogenerated - -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by deepcopy-gen. DO NOT EDIT. - -package v1alpha1 - -import ( - runtime "k8s.io/apimachinery/pkg/runtime" -) - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *OIDCClient) DeepCopyInto(out *OIDCClient) { - *out = *in - out.TypeMeta = in.TypeMeta - in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) - in.Spec.DeepCopyInto(&out.Spec) - out.Status = in.Status - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClient. -func (in *OIDCClient) DeepCopy() *OIDCClient { - if in == nil { - return nil - } - out := new(OIDCClient) - in.DeepCopyInto(out) - return out -} - -// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. -func (in *OIDCClient) DeepCopyObject() runtime.Object { - if c := in.DeepCopy(); c != nil { - return c - } - return nil -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *OIDCClientList) DeepCopyInto(out *OIDCClientList) { - *out = *in - out.TypeMeta = in.TypeMeta - in.ListMeta.DeepCopyInto(&out.ListMeta) - if in.Items != nil { - in, out := &in.Items, &out.Items - *out = make([]OIDCClient, len(*in)) - for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) - } - } - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientList. -func (in *OIDCClientList) DeepCopy() *OIDCClientList { - if in == nil { - return nil - } - out := new(OIDCClientList) - in.DeepCopyInto(out) - return out -} - -// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. 
-func (in *OIDCClientList) DeepCopyObject() runtime.Object { - if c := in.DeepCopy(); c != nil { - return c - } - return nil -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *OIDCClientSpec) DeepCopyInto(out *OIDCClientSpec) { - *out = *in - if in.AllowedRedirectURIs != nil { - in, out := &in.AllowedRedirectURIs, &out.AllowedRedirectURIs - *out = make([]string, len(*in)) - copy(*out, *in) - } - if in.AllowedGrantTypes != nil { - in, out := &in.AllowedGrantTypes, &out.AllowedGrantTypes - *out = make([]GrantType, len(*in)) - copy(*out, *in) - } - if in.AllowedScopes != nil { - in, out := &in.AllowedScopes, &out.AllowedScopes - *out = make([]Scope, len(*in)) - copy(*out, *in) - } - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSpec. -func (in *OIDCClientSpec) DeepCopy() *OIDCClientSpec { - if in == nil { - return nil - } - out := new(OIDCClientSpec) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *OIDCClientStatus) DeepCopyInto(out *OIDCClientStatus) { - *out = *in - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientStatus. -func (in *OIDCClientStatus) DeepCopy() *OIDCClientStatus { - if in == nil { - return nil - } - out := new(OIDCClientStatus) - in.DeepCopyInto(out) - return out -} diff --git a/generated/1.20/apis/supervisor/virtual/oauth/doc.go b/generated/1.20/apis/supervisor/virtual/oauth/doc.go deleted file mode 100644 index ca4e9a63..00000000 --- a/generated/1.20/apis/supervisor/virtual/oauth/doc.go +++ /dev/null 
@@ -1,8 +0,0 @@ -// Copyright 2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// +k8s:deepcopy-gen=package -// +groupName=oauth.virtual.supervisor.pinniped.dev - -// Package oauth is the internal version of the Pinniped virtual oauth API. -package oauth diff --git a/generated/1.20/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.conversion.go b/generated/1.20/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.conversion.go deleted file mode 100644 index b98d6b36..00000000 --- a/generated/1.20/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.conversion.go +++ /dev/null 
@@ -1,131 +0,0 @@ -//go:build !ignore_autogenerated -// +build !ignore_autogenerated - -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by conversion-gen. DO NOT EDIT. - -package v1alpha1 - -import ( - oauth "go.pinniped.dev/generated/1.20/apis/supervisor/virtual/oauth" - conversion "k8s.io/apimachinery/pkg/conversion" - runtime "k8s.io/apimachinery/pkg/runtime" -) - -func init() { - localSchemeBuilder.Register(RegisterConversions) -} - -// RegisterConversions adds conversion functions to the given scheme. -// Public to allow building arbitrary schemes. -func RegisterConversions(s *runtime.Scheme) error { - if err := s.AddGeneratedConversionFunc((*OIDCClientSecretRequest)(nil), (*oauth.OIDCClientSecretRequest)(nil), func(a, b interface{}, scope conversion.Scope) error { - return Convert_v1alpha1_OIDCClientSecretRequest_To_oauth_OIDCClientSecretRequest(a.(*OIDCClientSecretRequest), b.(*oauth.OIDCClientSecretRequest), scope) - }); err != nil { - return err - } - if err := s.AddGeneratedConversionFunc((*oauth.OIDCClientSecretRequest)(nil), (*OIDCClientSecretRequest)(nil), func(a, b interface{}, scope conversion.Scope) error { - return Convert_oauth_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest(a.(*oauth.OIDCClientSecretRequest), b.(*OIDCClientSecretRequest), scope) - }); err != nil { - return err - } - if err := s.AddGeneratedConversionFunc((*OIDCClientSecretRequestSpec)(nil), (*oauth.OIDCClientSecretRequestSpec)(nil), func(a, b interface{}, scope conversion.Scope) error { - return Convert_v1alpha1_OIDCClientSecretRequestSpec_To_oauth_OIDCClientSecretRequestSpec(a.(*OIDCClientSecretRequestSpec), b.(*oauth.OIDCClientSecretRequestSpec), scope) - }); err != nil { - return err - } - if err := s.AddGeneratedConversionFunc((*oauth.OIDCClientSecretRequestSpec)(nil), (*OIDCClientSecretRequestSpec)(nil), func(a, b interface{}, scope conversion.Scope) error { - return 
Convert_oauth_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec(a.(*oauth.OIDCClientSecretRequestSpec), b.(*OIDCClientSecretRequestSpec), scope) - }); err != nil { - return err - } - if err := s.AddGeneratedConversionFunc((*OIDCClientSecretRequestStatus)(nil), (*oauth.OIDCClientSecretRequestStatus)(nil), func(a, b interface{}, scope conversion.Scope) error { - return Convert_v1alpha1_OIDCClientSecretRequestStatus_To_oauth_OIDCClientSecretRequestStatus(a.(*OIDCClientSecretRequestStatus), b.(*oauth.OIDCClientSecretRequestStatus), scope) - }); err != nil { - return err - } - if err := s.AddGeneratedConversionFunc((*oauth.OIDCClientSecretRequestStatus)(nil), (*OIDCClientSecretRequestStatus)(nil), func(a, b interface{}, scope conversion.Scope) error { - return Convert_oauth_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus(a.(*oauth.OIDCClientSecretRequestStatus), b.(*OIDCClientSecretRequestStatus), scope) - }); err != nil { - return err - } - return nil -} - -func autoConvert_v1alpha1_OIDCClientSecretRequest_To_oauth_OIDCClientSecretRequest(in *OIDCClientSecretRequest, out *oauth.OIDCClientSecretRequest, s conversion.Scope) error { - out.ObjectMeta = in.ObjectMeta - if err := Convert_v1alpha1_OIDCClientSecretRequestSpec_To_oauth_OIDCClientSecretRequestSpec(&in.Spec, &out.Spec, s); err != nil { - return err - } - if err := Convert_v1alpha1_OIDCClientSecretRequestStatus_To_oauth_OIDCClientSecretRequestStatus(&in.Status, &out.Status, s); err != nil { - return err - } - return nil -} - -// Convert_v1alpha1_OIDCClientSecretRequest_To_oauth_OIDCClientSecretRequest is an autogenerated conversion function. 
-func Convert_v1alpha1_OIDCClientSecretRequest_To_oauth_OIDCClientSecretRequest(in *OIDCClientSecretRequest, out *oauth.OIDCClientSecretRequest, s conversion.Scope) error { - return autoConvert_v1alpha1_OIDCClientSecretRequest_To_oauth_OIDCClientSecretRequest(in, out, s) -} - -func autoConvert_oauth_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest(in *oauth.OIDCClientSecretRequest, out *OIDCClientSecretRequest, s conversion.Scope) error { - out.ObjectMeta = in.ObjectMeta - if err := Convert_oauth_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec(&in.Spec, &out.Spec, s); err != nil { - return err - } - if err := Convert_oauth_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus(&in.Status, &out.Status, s); err != nil { - return err - } - return nil -} - -// Convert_oauth_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest is an autogenerated conversion function. -func Convert_oauth_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest(in *oauth.OIDCClientSecretRequest, out *OIDCClientSecretRequest, s conversion.Scope) error { - return autoConvert_oauth_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest(in, out, s) -} - -func autoConvert_v1alpha1_OIDCClientSecretRequestSpec_To_oauth_OIDCClientSecretRequestSpec(in *OIDCClientSecretRequestSpec, out *oauth.OIDCClientSecretRequestSpec, s conversion.Scope) error { - out.GenerateNewSecret = in.GenerateNewSecret - out.RevokeOldSecrets = in.RevokeOldSecrets - return nil -} - -// Convert_v1alpha1_OIDCClientSecretRequestSpec_To_oauth_OIDCClientSecretRequestSpec is an autogenerated conversion function. 
-func Convert_v1alpha1_OIDCClientSecretRequestSpec_To_oauth_OIDCClientSecretRequestSpec(in *OIDCClientSecretRequestSpec, out *oauth.OIDCClientSecretRequestSpec, s conversion.Scope) error { - return autoConvert_v1alpha1_OIDCClientSecretRequestSpec_To_oauth_OIDCClientSecretRequestSpec(in, out, s) -} - -func autoConvert_oauth_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec(in *oauth.OIDCClientSecretRequestSpec, out *OIDCClientSecretRequestSpec, s conversion.Scope) error { - out.GenerateNewSecret = in.GenerateNewSecret - out.RevokeOldSecrets = in.RevokeOldSecrets - return nil -} - -// Convert_oauth_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec is an autogenerated conversion function. -func Convert_oauth_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec(in *oauth.OIDCClientSecretRequestSpec, out *OIDCClientSecretRequestSpec, s conversion.Scope) error { - return autoConvert_oauth_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec(in, out, s) -} - -func autoConvert_v1alpha1_OIDCClientSecretRequestStatus_To_oauth_OIDCClientSecretRequestStatus(in *OIDCClientSecretRequestStatus, out *oauth.OIDCClientSecretRequestStatus, s conversion.Scope) error { - out.GeneratedSecret = in.GeneratedSecret - out.TotalClientSecrets = in.TotalClientSecrets - return nil -} - -// Convert_v1alpha1_OIDCClientSecretRequestStatus_To_oauth_OIDCClientSecretRequestStatus is an autogenerated conversion function. 
-func Convert_v1alpha1_OIDCClientSecretRequestStatus_To_oauth_OIDCClientSecretRequestStatus(in *OIDCClientSecretRequestStatus, out *oauth.OIDCClientSecretRequestStatus, s conversion.Scope) error { - return autoConvert_v1alpha1_OIDCClientSecretRequestStatus_To_oauth_OIDCClientSecretRequestStatus(in, out, s) -} - -func autoConvert_oauth_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus(in *oauth.OIDCClientSecretRequestStatus, out *OIDCClientSecretRequestStatus, s conversion.Scope) error { - out.GeneratedSecret = in.GeneratedSecret - out.TotalClientSecrets = in.TotalClientSecrets - return nil -} - -// Convert_oauth_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus is an autogenerated conversion function. -func Convert_oauth_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus(in *oauth.OIDCClientSecretRequestStatus, out *OIDCClientSecretRequestStatus, s conversion.Scope) error { - return autoConvert_oauth_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus(in, out, s) -} diff --git a/generated/1.20/client/supervisor/clientset/versioned/clientset.go b/generated/1.20/client/supervisor/clientset/versioned/clientset.go index ec78cd88..15281108 100644 --- a/generated/1.20/client/supervisor/clientset/versioned/clientset.go +++ b/generated/1.20/client/supervisor/clientset/versioned/clientset.go @@ -8,9 +8,9 @@ package versioned import ( "fmt" + clientsecretv1alpha1 "go.pinniped.dev/generated/1.20/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1" configv1alpha1 "go.pinniped.dev/generated/1.20/client/supervisor/clientset/versioned/typed/config/v1alpha1" idpv1alpha1 "go.pinniped.dev/generated/1.20/client/supervisor/clientset/versioned/typed/idp/v1alpha1" - oauthv1alpha1 "go.pinniped.dev/generated/1.20/client/supervisor/clientset/versioned/typed/oauth/v1alpha1" discovery "k8s.io/client-go/discovery" rest "k8s.io/client-go/rest" flowcontrol "k8s.io/client-go/util/flowcontrol" 
@@ -18,18 +18,23 @@ import ( type Interface interface { Discovery() discovery.DiscoveryInterface + ClientsecretV1alpha1() clientsecretv1alpha1.ClientsecretV1alpha1Interface ConfigV1alpha1() configv1alpha1.ConfigV1alpha1Interface IDPV1alpha1() idpv1alpha1.IDPV1alpha1Interface - OauthV1alpha1() oauthv1alpha1.OauthV1alpha1Interface } // Clientset contains the clients for groups. Each group has exactly one // version included in a Clientset. type Clientset struct { *discovery.DiscoveryClient - configV1alpha1 *configv1alpha1.ConfigV1alpha1Client - iDPV1alpha1 *idpv1alpha1.IDPV1alpha1Client - oauthV1alpha1 *oauthv1alpha1.OauthV1alpha1Client + clientsecretV1alpha1 *clientsecretv1alpha1.ClientsecretV1alpha1Client + configV1alpha1 *configv1alpha1.ConfigV1alpha1Client + iDPV1alpha1 *idpv1alpha1.IDPV1alpha1Client +} + +// ClientsecretV1alpha1 retrieves the ClientsecretV1alpha1Client +func (c *Clientset) ClientsecretV1alpha1() clientsecretv1alpha1.ClientsecretV1alpha1Interface { + return c.clientsecretV1alpha1 } // ConfigV1alpha1 retrieves the ConfigV1alpha1Client @@ -42,11 +47,6 @@ func (c *Clientset) IDPV1alpha1() idpv1alpha1.IDPV1alpha1Interface { return c.iDPV1alpha1 } -// OauthV1alpha1 retrieves the OauthV1alpha1Client -func (c *Clientset) OauthV1alpha1() oauthv1alpha1.OauthV1alpha1Interface { - return c.oauthV1alpha1 -} - // Discovery retrieves the DiscoveryClient func (c *Clientset) Discovery() discovery.DiscoveryInterface { if c == nil { @@ -68,6 +68,10 @@ func NewForConfig(c *rest.Config) (*Clientset, error) { } var cs Clientset var err error + cs.clientsecretV1alpha1, err = clientsecretv1alpha1.NewForConfig(&configShallowCopy) + if err != nil { + return nil, err + } cs.configV1alpha1, err = configv1alpha1.NewForConfig(&configShallowCopy) if err != nil { return nil, err 
@@ -76,10 +80,6 @@ func NewForConfig(c *rest.Config) (*Clientset, error) { if err != nil { return nil, err } - cs.oauthV1alpha1, err = oauthv1alpha1.NewForConfig(&configShallowCopy) - if err != nil { - return nil, err - } cs.DiscoveryClient, err = discovery.NewDiscoveryClientForConfig(&configShallowCopy) if err != nil { @@ -92,9 +92,9 @@ func NewForConfig(c *rest.Config) (*Clientset, error) { // panics if there is an error in the config. func NewForConfigOrDie(c *rest.Config) *Clientset { var cs Clientset + cs.clientsecretV1alpha1 = clientsecretv1alpha1.NewForConfigOrDie(c) cs.configV1alpha1 = configv1alpha1.NewForConfigOrDie(c) cs.iDPV1alpha1 = idpv1alpha1.NewForConfigOrDie(c) - cs.oauthV1alpha1 = oauthv1alpha1.NewForConfigOrDie(c) cs.DiscoveryClient = discovery.NewDiscoveryClientForConfigOrDie(c) return &cs @@ -103,9 +103,9 @@ func NewForConfigOrDie(c *rest.Config) *Clientset { // New creates a new Clientset for the given RESTClient. func New(c rest.Interface) *Clientset { var cs Clientset + cs.clientsecretV1alpha1 = clientsecretv1alpha1.New(c) cs.configV1alpha1 = configv1alpha1.New(c) cs.iDPV1alpha1 = idpv1alpha1.New(c) - cs.oauthV1alpha1 = oauthv1alpha1.New(c) cs.DiscoveryClient = discovery.NewDiscoveryClient(c) return &cs diff --git a/generated/1.20/client/supervisor/clientset/versioned/fake/clientset_generated.go b/generated/1.20/client/supervisor/clientset/versioned/fake/clientset_generated.go index cee1ca0d..50219e6d 100644 --- a/generated/1.20/client/supervisor/clientset/versioned/fake/clientset_generated.go +++ b/generated/1.20/client/supervisor/clientset/versioned/fake/clientset_generated.go 
@@ -7,12 +7,12 @@ package fake import ( clientset "go.pinniped.dev/generated/1.20/client/supervisor/clientset/versioned" + clientsecretv1alpha1 "go.pinniped.dev/generated/1.20/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1" + fakeclientsecretv1alpha1 "go.pinniped.dev/generated/1.20/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/fake" configv1alpha1 "go.pinniped.dev/generated/1.20/client/supervisor/clientset/versioned/typed/config/v1alpha1" fakeconfigv1alpha1 "go.pinniped.dev/generated/1.20/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake" idpv1alpha1 "go.pinniped.dev/generated/1.20/client/supervisor/clientset/versioned/typed/idp/v1alpha1" fakeidpv1alpha1 "go.pinniped.dev/generated/1.20/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake" - oauthv1alpha1 "go.pinniped.dev/generated/1.20/client/supervisor/clientset/versioned/typed/oauth/v1alpha1" - fakeoauthv1alpha1 "go.pinniped.dev/generated/1.20/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake" "k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/watch" "k8s.io/client-go/discovery" @@ -67,6 +67,11 @@ func (c *Clientset) Tracker() testing.ObjectTracker { var _ clientset.Interface = &Clientset{} +// ClientsecretV1alpha1 retrieves the ClientsecretV1alpha1Client +func (c *Clientset) ClientsecretV1alpha1() clientsecretv1alpha1.ClientsecretV1alpha1Interface { + return &fakeclientsecretv1alpha1.FakeClientsecretV1alpha1{Fake: &c.Fake} +} + // ConfigV1alpha1 retrieves the ConfigV1alpha1Client func (c *Clientset) ConfigV1alpha1() configv1alpha1.ConfigV1alpha1Interface { return &fakeconfigv1alpha1.FakeConfigV1alpha1{Fake: &c.Fake} 
@@ -76,8 +81,3 @@ func (c *Clientset) ConfigV1alpha1() configv1alpha1.ConfigV1alpha1Interface { func (c *Clientset) IDPV1alpha1() idpv1alpha1.IDPV1alpha1Interface { return &fakeidpv1alpha1.FakeIDPV1alpha1{Fake: &c.Fake} } - -// OauthV1alpha1 retrieves the OauthV1alpha1Client -func (c *Clientset) OauthV1alpha1() oauthv1alpha1.OauthV1alpha1Interface { - return &fakeoauthv1alpha1.FakeOauthV1alpha1{Fake: &c.Fake} -} diff --git a/generated/1.20/client/supervisor/clientset/versioned/fake/register.go b/generated/1.20/client/supervisor/clientset/versioned/fake/register.go index b9ea3ea8..5d95dc5d 100644 --- a/generated/1.20/client/supervisor/clientset/versioned/fake/register.go +++ b/generated/1.20/client/supervisor/clientset/versioned/fake/register.go @@ -6,9 +6,9 @@ package fake import ( + clientsecretv1alpha1 "go.pinniped.dev/generated/1.20/apis/supervisor/clientsecret/v1alpha1" configv1alpha1 "go.pinniped.dev/generated/1.20/apis/supervisor/config/v1alpha1" idpv1alpha1 "go.pinniped.dev/generated/1.20/apis/supervisor/idp/v1alpha1" - oauthv1alpha1 "go.pinniped.dev/generated/1.20/apis/supervisor/oauth/v1alpha1" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" runtime "k8s.io/apimachinery/pkg/runtime" schema "k8s.io/apimachinery/pkg/runtime/schema" @@ -20,9 +20,9 @@ var scheme = runtime.NewScheme() var codecs = serializer.NewCodecFactory(scheme) var localSchemeBuilder = runtime.SchemeBuilder{ + clientsecretv1alpha1.AddToScheme, configv1alpha1.AddToScheme, idpv1alpha1.AddToScheme, - oauthv1alpha1.AddToScheme, } // AddToScheme adds all types of this clientset into the given scheme. This allows composition diff --git a/generated/1.20/client/supervisor/clientset/versioned/scheme/register.go b/generated/1.20/client/supervisor/clientset/versioned/scheme/register.go index cd769223..bf02ac0a 100644 --- a/generated/1.20/client/supervisor/clientset/versioned/scheme/register.go +++ b/generated/1.20/client/supervisor/clientset/versioned/scheme/register.go 
@@ -6,9 +6,9 @@ package scheme import ( + clientsecretv1alpha1 "go.pinniped.dev/generated/1.20/apis/supervisor/clientsecret/v1alpha1" configv1alpha1 "go.pinniped.dev/generated/1.20/apis/supervisor/config/v1alpha1" idpv1alpha1 "go.pinniped.dev/generated/1.20/apis/supervisor/idp/v1alpha1" - oauthv1alpha1 "go.pinniped.dev/generated/1.20/apis/supervisor/oauth/v1alpha1" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" runtime "k8s.io/apimachinery/pkg/runtime" schema "k8s.io/apimachinery/pkg/runtime/schema" @@ -20,9 +20,9 @@ var Scheme = runtime.NewScheme() var Codecs = serializer.NewCodecFactory(Scheme) var ParameterCodec = runtime.NewParameterCodec(Scheme) var localSchemeBuilder = runtime.SchemeBuilder{ + clientsecretv1alpha1.AddToScheme, configv1alpha1.AddToScheme, idpv1alpha1.AddToScheme, - oauthv1alpha1.AddToScheme, } // AddToScheme adds all types of this clientset into the given scheme. This allows composition diff --git a/generated/1.18/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go b/generated/1.20/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/clientsecret_client.go similarity index 51% rename from generated/1.18/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go rename to generated/1.20/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/clientsecret_client.go index 9d839dfb..388cfe1d 100644 --- a/generated/1.18/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go +++ b/generated/1.20/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/clientsecret_client.go 
@@ -6,27 +6,27 @@ package v1alpha1 import ( - v1alpha1 "go.pinniped.dev/generated/1.18/apis/supervisor/virtual/oauth/v1alpha1" - "go.pinniped.dev/generated/1.18/client/supervisor/virtual/clientset/versioned/scheme" + v1alpha1 "go.pinniped.dev/generated/1.20/apis/supervisor/clientsecret/v1alpha1" + "go.pinniped.dev/generated/1.20/client/supervisor/clientset/versioned/scheme" rest "k8s.io/client-go/rest" ) -type OauthV1alpha1Interface interface { +type ClientsecretV1alpha1Interface interface { RESTClient() rest.Interface OIDCClientSecretRequestsGetter } -// OauthV1alpha1Client is used to interact with features provided by the oauth.virtual.supervisor.pinniped.dev group. -type OauthV1alpha1Client struct { +// ClientsecretV1alpha1Client is used to interact with features provided by the clientsecret.supervisor.pinniped.dev group. +type ClientsecretV1alpha1Client struct { restClient rest.Interface } -func (c *OauthV1alpha1Client) OIDCClientSecretRequests(namespace string) OIDCClientSecretRequestInterface { +func (c *ClientsecretV1alpha1Client) OIDCClientSecretRequests(namespace string) OIDCClientSecretRequestInterface { return newOIDCClientSecretRequests(c, namespace) } -// NewForConfig creates a new OauthV1alpha1Client for the given config. -func NewForConfig(c *rest.Config) (*OauthV1alpha1Client, error) { +// NewForConfig creates a new ClientsecretV1alpha1Client for the given config. +func NewForConfig(c *rest.Config) (*ClientsecretV1alpha1Client, error) { config := *c if err := setConfigDefaults(&config); err != nil { return nil, err 
@@ -35,12 +35,12 @@ func NewForConfig(c *rest.Config) (*OauthV1alpha1Client, error) { if err != nil { return nil, err } - return &OauthV1alpha1Client{client}, nil + return &ClientsecretV1alpha1Client{client}, nil } -// NewForConfigOrDie creates a new OauthV1alpha1Client for the given config and +// NewForConfigOrDie creates a new ClientsecretV1alpha1Client for the given config and // panics if there is an error in the config. -func NewForConfigOrDie(c *rest.Config) *OauthV1alpha1Client { +func NewForConfigOrDie(c *rest.Config) *ClientsecretV1alpha1Client { client, err := NewForConfig(c) if err != nil { panic(err) @@ -48,9 +48,9 @@ func NewForConfigOrDie(c *rest.Config) *OauthV1alpha1Client { return client } -// New creates a new OauthV1alpha1Client for the given RESTClient. -func New(c rest.Interface) *OauthV1alpha1Client { - return &OauthV1alpha1Client{c} +// New creates a new ClientsecretV1alpha1Client for the given RESTClient. +func New(c rest.Interface) *ClientsecretV1alpha1Client { + return &ClientsecretV1alpha1Client{c} } func setConfigDefaults(config *rest.Config) error { @@ -68,7 +68,7 @@ func setConfigDefaults(config *rest.Config) error { // RESTClient returns a RESTClient that is used to communicate // with API server by this client implementation. -func (c *OauthV1alpha1Client) RESTClient() rest.Interface { +func (c *ClientsecretV1alpha1Client) RESTClient() rest.Interface { if c == nil { return nil } diff --git a/generated/1.18/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/doc.go b/generated/1.20/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/doc.go similarity index 100% rename from generated/1.18/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/doc.go rename to generated/1.20/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/doc.go 
diff --git a/generated/1.18/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go b/generated/1.20/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/fake/doc.go similarity index 100% rename from generated/1.18/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go rename to generated/1.20/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/fake/doc.go diff --git a/generated/1.20/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go b/generated/1.20/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/fake/fake_clientsecret_client.go similarity index 60% rename from generated/1.20/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go rename to generated/1.20/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/fake/fake_clientsecret_client.go index 3bc1da70..60d8b02b 100644 --- a/generated/1.20/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go +++ b/generated/1.20/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/fake/fake_clientsecret_client.go 
@@ -6,22 +6,22 @@ package fake import ( - v1alpha1 "go.pinniped.dev/generated/1.20/client/supervisor/clientset/versioned/typed/oauth/v1alpha1" + v1alpha1 "go.pinniped.dev/generated/1.20/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1" rest "k8s.io/client-go/rest" testing "k8s.io/client-go/testing" ) -type FakeOauthV1alpha1 struct { +type FakeClientsecretV1alpha1 struct { *testing.Fake } -func (c *FakeOauthV1alpha1) OIDCClients(namespace string) v1alpha1.OIDCClientInterface { - return &FakeOIDCClients{c, namespace} +func (c *FakeClientsecretV1alpha1) OIDCClientSecretRequests(namespace string) v1alpha1.OIDCClientSecretRequestInterface { + return &FakeOIDCClientSecretRequests{c, namespace} } // RESTClient returns a RESTClient that is used to communicate // with API server by this client implementation. -func (c *FakeOauthV1alpha1) RESTClient() rest.Interface { +func (c *FakeClientsecretV1alpha1) RESTClient() rest.Interface { var ret *rest.RESTClient return ret } diff --git a/generated/1.20/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oidcclientsecretrequest.go b/generated/1.20/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/fake/fake_oidcclientsecretrequest.go similarity index 79% rename from generated/1.20/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oidcclientsecretrequest.go rename to generated/1.20/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/fake/fake_oidcclientsecretrequest.go index 6c7a7829..2ee6bebc 100644 --- a/generated/1.20/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oidcclientsecretrequest.go +++ b/generated/1.20/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/fake/fake_oidcclientsecretrequest.go 
@@ -8,7 +8,7 @@ package fake import ( "context" - v1alpha1 "go.pinniped.dev/generated/1.20/apis/supervisor/virtual/oauth/v1alpha1" + v1alpha1 "go.pinniped.dev/generated/1.20/apis/supervisor/clientsecret/v1alpha1" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" schema "k8s.io/apimachinery/pkg/runtime/schema" testing "k8s.io/client-go/testing" @@ -16,13 +16,13 @@ import ( // FakeOIDCClientSecretRequests implements OIDCClientSecretRequestInterface type FakeOIDCClientSecretRequests struct { - Fake *FakeOauthV1alpha1 + Fake *FakeClientsecretV1alpha1 ns string } -var oidcclientsecretrequestsResource = schema.GroupVersionResource{Group: "oauth.virtual.supervisor.pinniped.dev", Version: "v1alpha1", Resource: "oidcclientsecretrequests"} +var oidcclientsecretrequestsResource = schema.GroupVersionResource{Group: "clientsecret.supervisor.pinniped.dev", Version: "v1alpha1", Resource: "oidcclientsecretrequests"} -var oidcclientsecretrequestsKind = schema.GroupVersionKind{Group: "oauth.virtual.supervisor.pinniped.dev", Version: "v1alpha1", Kind: "OIDCClientSecretRequest"} +var oidcclientsecretrequestsKind = schema.GroupVersionKind{Group: "clientsecret.supervisor.pinniped.dev", Version: "v1alpha1", Kind: "OIDCClientSecretRequest"} // Create takes the representation of a oIDCClientSecretRequest and creates it. Returns the server's representation of the oIDCClientSecretRequest, and an error, if there is any. func (c *FakeOIDCClientSecretRequests) Create(ctx context.Context, oIDCClientSecretRequest *v1alpha1.OIDCClientSecretRequest, opts v1.CreateOptions) (result *v1alpha1.OIDCClientSecretRequest, err error) { 
diff --git a/generated/1.20/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go b/generated/1.20/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/generated_expansion.go similarity index 100% rename from generated/1.20/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go rename to generated/1.20/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/generated_expansion.go diff --git a/generated/1.20/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/oidcclientsecretrequest.go b/generated/1.20/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/oidcclientsecretrequest.go similarity index 86% rename from generated/1.20/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/oidcclientsecretrequest.go rename to generated/1.20/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/oidcclientsecretrequest.go index c9e5804d..fc774da6 100644 --- a/generated/1.20/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/oidcclientsecretrequest.go +++ b/generated/1.20/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/oidcclientsecretrequest.go @@ -8,8 +8,8 @@ package v1alpha1 import ( "context" - v1alpha1 "go.pinniped.dev/generated/1.20/apis/supervisor/virtual/oauth/v1alpha1" - scheme "go.pinniped.dev/generated/1.20/client/supervisor/virtual/clientset/versioned/scheme" + v1alpha1 "go.pinniped.dev/generated/1.20/apis/supervisor/clientsecret/v1alpha1" + scheme "go.pinniped.dev/generated/1.20/client/supervisor/clientset/versioned/scheme" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" rest "k8s.io/client-go/rest" ) 
@@ -33,7 +33,7 @@ type oIDCClientSecretRequests struct { } // newOIDCClientSecretRequests returns a OIDCClientSecretRequests -func newOIDCClientSecretRequests(c *OauthV1alpha1Client, namespace string) *oIDCClientSecretRequests { +func newOIDCClientSecretRequests(c *ClientsecretV1alpha1Client, namespace string) *oIDCClientSecretRequests { return &oIDCClientSecretRequests{ client: c.RESTClient(), ns: namespace, diff --git a/generated/1.20/client/supervisor/clientset/versioned/typed/config/v1alpha1/config_client.go b/generated/1.20/client/supervisor/clientset/versioned/typed/config/v1alpha1/config_client.go index 5baa9401..0af8db5d 100644 --- a/generated/1.20/client/supervisor/clientset/versioned/typed/config/v1alpha1/config_client.go +++ b/generated/1.20/client/supervisor/clientset/versioned/typed/config/v1alpha1/config_client.go @@ -14,6 +14,7 @@ import ( type ConfigV1alpha1Interface interface { RESTClient() rest.Interface FederationDomainsGetter + OIDCClientsGetter } // ConfigV1alpha1Client is used to interact with features provided by the config.supervisor.pinniped.dev group. @@ -25,6 +26,10 @@ func (c *ConfigV1alpha1Client) FederationDomains(namespace string) FederationDom return newFederationDomains(c, namespace) } +func (c *ConfigV1alpha1Client) OIDCClients(namespace string) OIDCClientInterface { + return newOIDCClients(c, namespace) +} + // NewForConfig creates a new ConfigV1alpha1Client for the given config. func NewForConfig(c *rest.Config) (*ConfigV1alpha1Client, error) { config := *c diff --git a/generated/1.20/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake/fake_config_client.go b/generated/1.20/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake/fake_config_client.go index 67628cf9..68debe9b 100644 --- a/generated/1.20/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake/fake_config_client.go +++ b/generated/1.20/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake/fake_config_client.go 
@@ -19,6 +19,10 @@ func (c *FakeConfigV1alpha1) FederationDomains(namespace string) v1alpha1.Federa
 return &FakeFederationDomains{c, namespace}
 }
+func (c *FakeConfigV1alpha1) OIDCClients(namespace string) v1alpha1.OIDCClientInterface {
+ return &FakeOIDCClients{c, namespace}
+}
+
 // RESTClient returns a RESTClient that is used to communicate
 // with API server by this client implementation.
 func (c *FakeConfigV1alpha1) RESTClient() rest.Interface {
diff --git a/generated/1.21/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oidcclient.go b/generated/1.20/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake/fake_oidcclient.go
similarity index 92%
rename from generated/1.21/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oidcclient.go
rename to generated/1.20/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake/fake_oidcclient.go
index cdd06d71..b481c9ec 100644
--- a/generated/1.21/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oidcclient.go
+++ b/generated/1.20/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake/fake_oidcclient.go
@@ -8,7 +8,7 @@ package fake
 import (
 "context"
- v1alpha1 "go.pinniped.dev/generated/1.21/apis/supervisor/oauth/v1alpha1"
+ v1alpha1 "go.pinniped.dev/generated/1.20/apis/supervisor/config/v1alpha1"
 v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 labels "k8s.io/apimachinery/pkg/labels"
 schema "k8s.io/apimachinery/pkg/runtime/schema"
@@ -19,13 +19,13 @@ import (
 // FakeOIDCClients implements OIDCClientInterface
 type FakeOIDCClients struct {
- Fake *FakeOauthV1alpha1
+ Fake *FakeConfigV1alpha1
 ns string
 }
-var oidcclientsResource = schema.GroupVersionResource{Group: "oauth.supervisor.pinniped.dev", Version: "v1alpha1", Resource: "oidcclients"}
+var oidcclientsResource = schema.GroupVersionResource{Group: "config.supervisor.pinniped.dev", Version: "v1alpha1", Resource: "oidcclients"}
-var oidcclientsKind = schema.GroupVersionKind{Group: "oauth.supervisor.pinniped.dev", Version: "v1alpha1", Kind: "OIDCClient"}
+var oidcclientsKind = schema.GroupVersionKind{Group: "config.supervisor.pinniped.dev", Version: "v1alpha1", Kind: "OIDCClient"}
 // Get takes name of the oIDCClient, and returns the corresponding oIDCClient object, and an error if there is any.
 func (c *FakeOIDCClients) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.OIDCClient, err error) {
diff --git a/generated/1.20/client/supervisor/clientset/versioned/typed/config/v1alpha1/generated_expansion.go b/generated/1.20/client/supervisor/clientset/versioned/typed/config/v1alpha1/generated_expansion.go
index ba9c9173..35b9ee3d 100644
--- a/generated/1.20/client/supervisor/clientset/versioned/typed/config/v1alpha1/generated_expansion.go
+++ b/generated/1.20/client/supervisor/clientset/versioned/typed/config/v1alpha1/generated_expansion.go
@@ -6,3 +6,5 @@
 package v1alpha1
 type FederationDomainExpansion interface{}
+
+type OIDCClientExpansion interface{}
diff --git a/generated/1.20/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oidcclient.go b/generated/1.20/client/supervisor/clientset/versioned/typed/config/v1alpha1/oidcclient.go
similarity index 97%
rename from generated/1.20/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oidcclient.go
rename to generated/1.20/client/supervisor/clientset/versioned/typed/config/v1alpha1/oidcclient.go
index 32503911..2b2e4e9e 100644
--- a/generated/1.20/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oidcclient.go
+++ b/generated/1.20/client/supervisor/clientset/versioned/typed/config/v1alpha1/oidcclient.go
@@ -9,7 +9,7 @@ import (
 "context"
 "time"
- v1alpha1 "go.pinniped.dev/generated/1.20/apis/supervisor/oauth/v1alpha1"
+ v1alpha1 "go.pinniped.dev/generated/1.20/apis/supervisor/config/v1alpha1"
 scheme "go.pinniped.dev/generated/1.20/client/supervisor/clientset/versioned/scheme"
 v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 types "k8s.io/apimachinery/pkg/types"
@@ -44,7 +44,7 @@ type oIDCClients struct {
 }
 // newOIDCClients returns a OIDCClients
-func newOIDCClients(c *OauthV1alpha1Client, namespace string) *oIDCClients {
+func newOIDCClients(c *ConfigV1alpha1Client, namespace string) *oIDCClients {
 return &oIDCClients{
 client: c.RESTClient(),
 ns: namespace,
diff --git a/generated/1.20/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go b/generated/1.20/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go
deleted file mode 100644
index 87d22ea9..00000000
--- a/generated/1.20/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go
+++ /dev/null
@@ -1,8 +0,0 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
-// SPDX-License-Identifier: Apache-2.0
-
-// Code generated by client-gen. DO NOT EDIT.
-
-package v1alpha1
-
-type OIDCClientExpansion interface{}
diff --git a/generated/1.20/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go b/generated/1.20/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go
deleted file mode 100644
index ca9d2cf5..00000000
--- a/generated/1.20/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go
+++ /dev/null
@@ -1,76 +0,0 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
-// SPDX-License-Identifier: Apache-2.0
-
-// Code generated by client-gen. DO NOT EDIT.
-
-package v1alpha1
-
-import (
- v1alpha1 "go.pinniped.dev/generated/1.20/apis/supervisor/oauth/v1alpha1"
- "go.pinniped.dev/generated/1.20/client/supervisor/clientset/versioned/scheme"
- rest "k8s.io/client-go/rest"
-)
-
-type OauthV1alpha1Interface interface {
- RESTClient() rest.Interface
- OIDCClientsGetter
-}
-
-// OauthV1alpha1Client is used to interact with features provided by the oauth.supervisor.pinniped.dev group.
-type OauthV1alpha1Client struct {
- restClient rest.Interface
-}
-
-func (c *OauthV1alpha1Client) OIDCClients(namespace string) OIDCClientInterface {
- return newOIDCClients(c, namespace)
-}
-
-// NewForConfig creates a new OauthV1alpha1Client for the given config.
-func NewForConfig(c *rest.Config) (*OauthV1alpha1Client, error) {
- config := *c
- if err := setConfigDefaults(&config); err != nil {
- return nil, err
- }
- client, err := rest.RESTClientFor(&config)
- if err != nil {
- return nil, err
- }
- return &OauthV1alpha1Client{client}, nil
-}
-
-// NewForConfigOrDie creates a new OauthV1alpha1Client for the given config and
-// panics if there is an error in the config.
-func NewForConfigOrDie(c *rest.Config) *OauthV1alpha1Client {
- client, err := NewForConfig(c)
- if err != nil {
- panic(err)
- }
- return client
-}
-
-// New creates a new OauthV1alpha1Client for the given RESTClient.
-func New(c rest.Interface) *OauthV1alpha1Client {
- return &OauthV1alpha1Client{c}
-}
-
-func setConfigDefaults(config *rest.Config) error {
- gv := v1alpha1.SchemeGroupVersion
- config.GroupVersion = &gv
- config.APIPath = "/apis"
- config.NegotiatedSerializer = scheme.Codecs.WithoutConversion()
-
- if config.UserAgent == "" {
- config.UserAgent = rest.DefaultKubernetesUserAgent()
- }
-
- return nil
-}
-
-// RESTClient returns a RESTClient that is used to communicate
-// with API server by this client implementation.
-func (c *OauthV1alpha1Client) RESTClient() rest.Interface {
- if c == nil {
- return nil
- }
- return c.restClient
-}
diff --git a/generated/1.20/client/supervisor/informers/externalversions/config/v1alpha1/interface.go b/generated/1.20/client/supervisor/informers/externalversions/config/v1alpha1/interface.go
index 399bc958..37340c6b 100644
--- a/generated/1.20/client/supervisor/informers/externalversions/config/v1alpha1/interface.go
+++ b/generated/1.20/client/supervisor/informers/externalversions/config/v1alpha1/interface.go
@@ -13,6 +13,8 @@ import (
 type Interface interface {
 // FederationDomains returns a FederationDomainInformer.
 FederationDomains() FederationDomainInformer
+ // OIDCClients returns a OIDCClientInformer.
+ OIDCClients() OIDCClientInformer
 }
 type version struct {
@@ -30,3 +32,8 @@ func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakList
 func (v *version) FederationDomains() FederationDomainInformer {
 return &federationDomainInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions}
 }
+
+// OIDCClients returns a OIDCClientInformer.
+func (v *version) OIDCClients() OIDCClientInformer {
+ return &oIDCClientInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions}
+}
diff --git a/generated/1.20/client/supervisor/informers/externalversions/oauth/v1alpha1/oidcclient.go b/generated/1.20/client/supervisor/informers/externalversions/config/v1alpha1/oidcclient.go
similarity index 88%
rename from generated/1.20/client/supervisor/informers/externalversions/oauth/v1alpha1/oidcclient.go
rename to generated/1.20/client/supervisor/informers/externalversions/config/v1alpha1/oidcclient.go
index 37efa298..0ebc789f 100644
--- a/generated/1.20/client/supervisor/informers/externalversions/oauth/v1alpha1/oidcclient.go
+++ b/generated/1.20/client/supervisor/informers/externalversions/config/v1alpha1/oidcclient.go
@@ -9,10 +9,10 @@ import (
 "context"
 time "time"
- oauthv1alpha1 "go.pinniped.dev/generated/1.20/apis/supervisor/oauth/v1alpha1"
+ configv1alpha1 "go.pinniped.dev/generated/1.20/apis/supervisor/config/v1alpha1"
 versioned "go.pinniped.dev/generated/1.20/client/supervisor/clientset/versioned"
 internalinterfaces "go.pinniped.dev/generated/1.20/client/supervisor/informers/externalversions/internalinterfaces"
- v1alpha1 "go.pinniped.dev/generated/1.20/client/supervisor/listers/oauth/v1alpha1"
+ v1alpha1 "go.pinniped.dev/generated/1.20/client/supervisor/listers/config/v1alpha1"
 v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 runtime "k8s.io/apimachinery/pkg/runtime"
 watch "k8s.io/apimachinery/pkg/watch"
@@ -49,16 +49,16 @@ func NewFilteredOIDCClientInformer(client versioned.Interface, namespace string,
 if tweakListOptions != nil {
 tweakListOptions(&options)
 }
- return client.OauthV1alpha1().OIDCClients(namespace).List(context.TODO(), options)
+ return client.ConfigV1alpha1().OIDCClients(namespace).List(context.TODO(), options)
 },
 WatchFunc: func(options v1.ListOptions) (watch.Interface, error) {
 if tweakListOptions != nil {
 tweakListOptions(&options)
 }
- return client.OauthV1alpha1().OIDCClients(namespace).Watch(context.TODO(), options)
+ return client.ConfigV1alpha1().OIDCClients(namespace).Watch(context.TODO(), options)
 },
 },
- &oauthv1alpha1.OIDCClient{},
+ &configv1alpha1.OIDCClient{},
 resyncPeriod,
 indexers,
 )
@@ -69,7 +69,7 @@ func (f *oIDCClientInformer) defaultInformer(client versioned.Interface, resyncP
 }
 func (f *oIDCClientInformer) Informer() cache.SharedIndexInformer {
- return f.factory.InformerFor(&oauthv1alpha1.OIDCClient{}, f.defaultInformer)
+ return f.factory.InformerFor(&configv1alpha1.OIDCClient{}, f.defaultInformer)
 }
 func (f *oIDCClientInformer) Lister() v1alpha1.OIDCClientLister {
diff --git a/generated/1.20/client/supervisor/informers/externalversions/factory.go b/generated/1.20/client/supervisor/informers/externalversions/factory.go
index 6e6fffaa..60395f1f 100644
--- a/generated/1.20/client/supervisor/informers/externalversions/factory.go
+++ b/generated/1.20/client/supervisor/informers/externalversions/factory.go
@@ -14,7 +14,6 @@ import (
 config "go.pinniped.dev/generated/1.20/client/supervisor/informers/externalversions/config"
 idp "go.pinniped.dev/generated/1.20/client/supervisor/informers/externalversions/idp"
 internalinterfaces "go.pinniped.dev/generated/1.20/client/supervisor/informers/externalversions/internalinterfaces"
- oauth "go.pinniped.dev/generated/1.20/client/supervisor/informers/externalversions/oauth"
 v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 runtime "k8s.io/apimachinery/pkg/runtime"
 schema "k8s.io/apimachinery/pkg/runtime/schema"
@@ -163,7 +162,6 @@ type SharedInformerFactory interface {
 Config() config.Interface
 IDP() idp.Interface
- Oauth() oauth.Interface
 }
 func (f *sharedInformerFactory) Config() config.Interface {
@@ -173,7 +171,3 @@ func (f *sharedInformerFactory) Config() config.Interface {
 func (f *sharedInformerFactory) IDP() idp.Interface {
 return idp.New(f, f.namespace, f.tweakListOptions)
 }
-
-func (f *sharedInformerFactory) Oauth() oauth.Interface {
- return oauth.New(f, f.namespace, f.tweakListOptions)
-}
diff --git a/generated/1.20/client/supervisor/informers/externalversions/generic.go b/generated/1.20/client/supervisor/informers/externalversions/generic.go
index d541574e..d063878c 100644
--- a/generated/1.20/client/supervisor/informers/externalversions/generic.go
+++ b/generated/1.20/client/supervisor/informers/externalversions/generic.go
@@ -10,7 +10,6 @@ import (
 v1alpha1 "go.pinniped.dev/generated/1.20/apis/supervisor/config/v1alpha1"
 idpv1alpha1 "go.pinniped.dev/generated/1.20/apis/supervisor/idp/v1alpha1"
- oauthv1alpha1 "go.pinniped.dev/generated/1.20/apis/supervisor/oauth/v1alpha1"
 schema "k8s.io/apimachinery/pkg/runtime/schema"
 cache "k8s.io/client-go/tools/cache"
 )
@@ -44,6 +43,8 @@ func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource
 // Group=config.supervisor.pinniped.dev, Version=v1alpha1
 case v1alpha1.SchemeGroupVersion.WithResource("federationdomains"):
 return &genericInformer{resource: resource.GroupResource(), informer: f.Config().V1alpha1().FederationDomains().Informer()}, nil
+ case v1alpha1.SchemeGroupVersion.WithResource("oidcclients"):
+ return &genericInformer{resource: resource.GroupResource(), informer: f.Config().V1alpha1().OIDCClients().Informer()}, nil
 // Group=idp.supervisor.pinniped.dev, Version=v1alpha1
 case idpv1alpha1.SchemeGroupVersion.WithResource("activedirectoryidentityproviders"):
@@ -53,10 +54,6 @@ func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource
 case idpv1alpha1.SchemeGroupVersion.WithResource("oidcidentityproviders"):
 return &genericInformer{resource: resource.GroupResource(), informer: f.IDP().V1alpha1().OIDCIdentityProviders().Informer()}, nil
- // Group=oauth.supervisor.pinniped.dev, Version=v1alpha1
- case oauthv1alpha1.SchemeGroupVersion.WithResource("oidcclients"):
- return &genericInformer{resource: resource.GroupResource(), informer: f.Oauth().V1alpha1().OIDCClients().Informer()}, nil
-
 }
 return nil, fmt.Errorf("no informer found for %v", resource)
diff --git a/generated/1.20/client/supervisor/informers/externalversions/oauth/interface.go b/generated/1.20/client/supervisor/informers/externalversions/oauth/interface.go
deleted file mode 100644
index b4cc533e..00000000
--- a/generated/1.20/client/supervisor/informers/externalversions/oauth/interface.go
+++ /dev/null
@@ -1,33 +0,0 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
-// SPDX-License-Identifier: Apache-2.0
-
-// Code generated by informer-gen. DO NOT EDIT.
-
-package oauth
-
-import (
- internalinterfaces "go.pinniped.dev/generated/1.20/client/supervisor/informers/externalversions/internalinterfaces"
- v1alpha1 "go.pinniped.dev/generated/1.20/client/supervisor/informers/externalversions/oauth/v1alpha1"
-)
-
-// Interface provides access to each of this group's versions.
-type Interface interface {
- // V1alpha1 provides access to shared informers for resources in V1alpha1.
- V1alpha1() v1alpha1.Interface
-}
-
-type group struct {
- factory internalinterfaces.SharedInformerFactory
- namespace string
- tweakListOptions internalinterfaces.TweakListOptionsFunc
-}
-
-// New returns a new Interface.
-func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakListOptions internalinterfaces.TweakListOptionsFunc) Interface {
- return &group{factory: f, namespace: namespace, tweakListOptions: tweakListOptions}
-}
-
-// V1alpha1 returns a new v1alpha1.Interface.
-func (g *group) V1alpha1() v1alpha1.Interface {
- return v1alpha1.New(g.factory, g.namespace, g.tweakListOptions)
-}
diff --git a/generated/1.20/client/supervisor/informers/externalversions/oauth/v1alpha1/interface.go b/generated/1.20/client/supervisor/informers/externalversions/oauth/v1alpha1/interface.go
deleted file mode 100644
index ed7eacf5..00000000
--- a/generated/1.20/client/supervisor/informers/externalversions/oauth/v1alpha1/interface.go
+++ /dev/null
@@ -1,32 +0,0 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
-// SPDX-License-Identifier: Apache-2.0
-
-// Code generated by informer-gen. DO NOT EDIT.
-
-package v1alpha1
-
-import (
- internalinterfaces "go.pinniped.dev/generated/1.20/client/supervisor/informers/externalversions/internalinterfaces"
-)
-
-// Interface provides access to all the informers in this group version.
-type Interface interface {
- // OIDCClients returns a OIDCClientInformer.
- OIDCClients() OIDCClientInformer
-}
-
-type version struct {
- factory internalinterfaces.SharedInformerFactory
- namespace string
- tweakListOptions internalinterfaces.TweakListOptionsFunc
-}
-
-// New returns a new Interface.
-func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakListOptions internalinterfaces.TweakListOptionsFunc) Interface {
- return &version{factory: f, namespace: namespace, tweakListOptions: tweakListOptions}
-}
-
-// OIDCClients returns a OIDCClientInformer.
-func (v *version) OIDCClients() OIDCClientInformer {
- return &oIDCClientInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions}
-}
diff --git a/generated/1.20/client/supervisor/listers/config/v1alpha1/expansion_generated.go b/generated/1.20/client/supervisor/listers/config/v1alpha1/expansion_generated.go
index d59892c4..bda2f20e 100644
--- a/generated/1.20/client/supervisor/listers/config/v1alpha1/expansion_generated.go
+++ b/generated/1.20/client/supervisor/listers/config/v1alpha1/expansion_generated.go
@@ -12,3 +12,11 @@ type FederationDomainListerExpansion interface{}
 // FederationDomainNamespaceListerExpansion allows custom methods to be added to
 // FederationDomainNamespaceLister.
 type FederationDomainNamespaceListerExpansion interface{}
+
+// OIDCClientListerExpansion allows custom methods to be added to
+// OIDCClientLister.
+type OIDCClientListerExpansion interface{}
+
+// OIDCClientNamespaceListerExpansion allows custom methods to be added to
+// OIDCClientNamespaceLister.
+type OIDCClientNamespaceListerExpansion interface{}
diff --git a/generated/1.22/client/supervisor/listers/oauth/v1alpha1/oidcclient.go b/generated/1.20/client/supervisor/listers/config/v1alpha1/oidcclient.go
similarity index 97%
rename from generated/1.22/client/supervisor/listers/oauth/v1alpha1/oidcclient.go
rename to generated/1.20/client/supervisor/listers/config/v1alpha1/oidcclient.go
index e73a2114..d3e12885 100644
--- a/generated/1.22/client/supervisor/listers/oauth/v1alpha1/oidcclient.go
+++ b/generated/1.20/client/supervisor/listers/config/v1alpha1/oidcclient.go
@@ -6,7 +6,7 @@
 package v1alpha1
 import (
- v1alpha1 "go.pinniped.dev/generated/1.22/apis/supervisor/oauth/v1alpha1"
+ v1alpha1 "go.pinniped.dev/generated/1.20/apis/supervisor/config/v1alpha1"
 "k8s.io/apimachinery/pkg/api/errors"
 "k8s.io/apimachinery/pkg/labels"
 "k8s.io/client-go/tools/cache"
diff --git a/generated/1.20/client/supervisor/listers/oauth/v1alpha1/expansion_generated.go b/generated/1.20/client/supervisor/listers/oauth/v1alpha1/expansion_generated.go
deleted file mode 100644
index c19310da..00000000
--- a/generated/1.20/client/supervisor/listers/oauth/v1alpha1/expansion_generated.go
+++ /dev/null
@@ -1,14 +0,0 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
-// SPDX-License-Identifier: Apache-2.0
-
-// Code generated by lister-gen. DO NOT EDIT.
-
-package v1alpha1
-
-// OIDCClientListerExpansion allows custom methods to be added to
-// OIDCClientLister.
-type OIDCClientListerExpansion interface{}
-
-// OIDCClientNamespaceListerExpansion allows custom methods to be added to
-// OIDCClientNamespaceLister.
-type OIDCClientNamespaceListerExpansion interface{}
diff --git a/generated/1.20/client/supervisor/virtual/clientset/versioned/clientset.go b/generated/1.20/client/supervisor/virtual/clientset/versioned/clientset.go
deleted file mode 100644
index 3bcc6c36..00000000
--- a/generated/1.20/client/supervisor/virtual/clientset/versioned/clientset.go
+++ /dev/null
@@ -1,84 +0,0 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
-// SPDX-License-Identifier: Apache-2.0
-
-// Code generated by client-gen. DO NOT EDIT.
-
-package versioned
-
-import (
- "fmt"
-
- oauthv1alpha1 "go.pinniped.dev/generated/1.20/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1"
- discovery "k8s.io/client-go/discovery"
- rest "k8s.io/client-go/rest"
- flowcontrol "k8s.io/client-go/util/flowcontrol"
-)
-
-type Interface interface {
- Discovery() discovery.DiscoveryInterface
- OauthV1alpha1() oauthv1alpha1.OauthV1alpha1Interface
-}
-
-// Clientset contains the clients for groups. Each group has exactly one
-// version included in a Clientset.
-type Clientset struct {
- *discovery.DiscoveryClient
- oauthV1alpha1 *oauthv1alpha1.OauthV1alpha1Client
-}
-
-// OauthV1alpha1 retrieves the OauthV1alpha1Client
-func (c *Clientset) OauthV1alpha1() oauthv1alpha1.OauthV1alpha1Interface {
- return c.oauthV1alpha1
-}
-
-// Discovery retrieves the DiscoveryClient
-func (c *Clientset) Discovery() discovery.DiscoveryInterface {
- if c == nil {
- return nil
- }
- return c.DiscoveryClient
-}
-
-// NewForConfig creates a new Clientset for the given config.
-// If config's RateLimiter is not set and QPS and Burst are acceptable,
-// NewForConfig will generate a rate-limiter in configShallowCopy.
-func NewForConfig(c *rest.Config) (*Clientset, error) {
- configShallowCopy := *c
- if configShallowCopy.RateLimiter == nil && configShallowCopy.QPS > 0 {
- if configShallowCopy.Burst <= 0 {
- return nil, fmt.Errorf("burst is required to be greater than 0 when RateLimiter is not set and QPS is set to greater than 0")
- }
- configShallowCopy.RateLimiter = flowcontrol.NewTokenBucketRateLimiter(configShallowCopy.QPS, configShallowCopy.Burst)
- }
- var cs Clientset
- var err error
- cs.oauthV1alpha1, err = oauthv1alpha1.NewForConfig(&configShallowCopy)
- if err != nil {
- return nil, err
- }
-
- cs.DiscoveryClient, err = discovery.NewDiscoveryClientForConfig(&configShallowCopy)
- if err != nil {
- return nil, err
- }
- return &cs, nil
-}
-
-// NewForConfigOrDie creates a new Clientset for the given config and
-// panics if there is an error in the config.
-func NewForConfigOrDie(c *rest.Config) *Clientset {
- var cs Clientset
- cs.oauthV1alpha1 = oauthv1alpha1.NewForConfigOrDie(c)
-
- cs.DiscoveryClient = discovery.NewDiscoveryClientForConfigOrDie(c)
- return &cs
-}
-
-// New creates a new Clientset for the given RESTClient.
-func New(c rest.Interface) *Clientset {
- var cs Clientset
- cs.oauthV1alpha1 = oauthv1alpha1.New(c)
-
- cs.DiscoveryClient = discovery.NewDiscoveryClient(c)
- return &cs
-}
diff --git a/generated/1.20/client/supervisor/virtual/clientset/versioned/doc.go b/generated/1.20/client/supervisor/virtual/clientset/versioned/doc.go
deleted file mode 100644
index 5dc02e6e..00000000
--- a/generated/1.20/client/supervisor/virtual/clientset/versioned/doc.go
+++ /dev/null
@@ -1,7 +0,0 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
-// SPDX-License-Identifier: Apache-2.0
-
-// Code generated by client-gen. DO NOT EDIT.
-
-// This package has the automatically generated clientset.
-package versioned
diff --git a/generated/1.20/client/supervisor/virtual/clientset/versioned/fake/clientset_generated.go b/generated/1.20/client/supervisor/virtual/clientset/versioned/fake/clientset_generated.go
deleted file mode 100644
index 4bf17f6c..00000000
--- a/generated/1.20/client/supervisor/virtual/clientset/versioned/fake/clientset_generated.go
+++ /dev/null
@@ -1,69 +0,0 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
-// SPDX-License-Identifier: Apache-2.0
-
-// Code generated by client-gen. DO NOT EDIT.
-
-package fake
-
-import (
- clientset "go.pinniped.dev/generated/1.20/client/supervisor/virtual/clientset/versioned"
- oauthv1alpha1 "go.pinniped.dev/generated/1.20/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1"
- fakeoauthv1alpha1 "go.pinniped.dev/generated/1.20/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake"
- "k8s.io/apimachinery/pkg/runtime"
- "k8s.io/apimachinery/pkg/watch"
- "k8s.io/client-go/discovery"
- fakediscovery "k8s.io/client-go/discovery/fake"
- "k8s.io/client-go/testing"
-)
-
-// NewSimpleClientset returns a clientset that will respond with the provided objects.
-// It's backed by a very simple object tracker that processes creates, updates and deletions as-is,
-// without applying any validations and/or defaults. It shouldn't be considered a replacement
-// for a real clientset and is mostly useful in simple unit tests.
-func NewSimpleClientset(objects ...runtime.Object) *Clientset {
- o := testing.NewObjectTracker(scheme, codecs.UniversalDecoder())
- for _, obj := range objects {
- if err := o.Add(obj); err != nil {
- panic(err)
- }
- }
-
- cs := &Clientset{tracker: o}
- cs.discovery = &fakediscovery.FakeDiscovery{Fake: &cs.Fake}
- cs.AddReactor("*", "*", testing.ObjectReaction(o))
- cs.AddWatchReactor("*", func(action testing.Action) (handled bool, ret watch.Interface, err error) {
- gvr := action.GetResource()
- ns := action.GetNamespace()
- watch, err := o.Watch(gvr, ns)
- if err != nil {
- return false, nil, err
- }
- return true, watch, nil
- })
-
- return cs
-}
-
-// Clientset implements clientset.Interface. Meant to be embedded into a
-// struct to get a default implementation. This makes faking out just the method
-// you want to test easier.
-type Clientset struct {
- testing.Fake
- discovery *fakediscovery.FakeDiscovery
- tracker testing.ObjectTracker
-}
-
-func (c *Clientset) Discovery() discovery.DiscoveryInterface {
- return c.discovery
-}
-
-func (c *Clientset) Tracker() testing.ObjectTracker {
- return c.tracker
-}
-
-var _ clientset.Interface = &Clientset{}
-
-// OauthV1alpha1 retrieves the OauthV1alpha1Client
-func (c *Clientset) OauthV1alpha1() oauthv1alpha1.OauthV1alpha1Interface {
- return &fakeoauthv1alpha1.FakeOauthV1alpha1{Fake: &c.Fake}
-}
diff --git a/generated/1.20/client/supervisor/virtual/clientset/versioned/fake/doc.go b/generated/1.20/client/supervisor/virtual/clientset/versioned/fake/doc.go
deleted file mode 100644
index 7c9538fd..00000000
--- a/generated/1.20/client/supervisor/virtual/clientset/versioned/fake/doc.go
+++ /dev/null
@@ -1,7 +0,0 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
-// SPDX-License-Identifier: Apache-2.0
-
-// Code generated by client-gen. DO NOT EDIT.
-
-// This package has the automatically generated fake clientset.
-package fake
diff --git a/generated/1.20/client/supervisor/virtual/clientset/versioned/fake/register.go b/generated/1.20/client/supervisor/virtual/clientset/versioned/fake/register.go
deleted file mode 100644
index 089583bd..00000000
--- a/generated/1.20/client/supervisor/virtual/clientset/versioned/fake/register.go
+++ /dev/null
@@ -1,43 +0,0 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
-// SPDX-License-Identifier: Apache-2.0
-
-// Code generated by client-gen. DO NOT EDIT.
-
-package fake
-
-import (
- oauthv1alpha1 "go.pinniped.dev/generated/1.20/apis/supervisor/virtual/oauth/v1alpha1"
- v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
- runtime "k8s.io/apimachinery/pkg/runtime"
- schema "k8s.io/apimachinery/pkg/runtime/schema"
- serializer "k8s.io/apimachinery/pkg/runtime/serializer"
- utilruntime "k8s.io/apimachinery/pkg/util/runtime"
-)
-
-var scheme = runtime.NewScheme()
-var codecs = serializer.NewCodecFactory(scheme)
-
-var localSchemeBuilder = runtime.SchemeBuilder{
- oauthv1alpha1.AddToScheme,
-}
-
-// AddToScheme adds all types of this clientset into the given scheme. This allows composition
-// of clientsets, like in:
-//
-// import (
-// "k8s.io/client-go/kubernetes"
-// clientsetscheme "k8s.io/client-go/kubernetes/scheme"
-// aggregatorclientsetscheme "k8s.io/kube-aggregator/pkg/client/clientset_generated/clientset/scheme"
-// )
-//
-// kclientset, _ := kubernetes.NewForConfig(c)
-// _ = aggregatorclientsetscheme.AddToScheme(clientsetscheme.Scheme)
-//
-// After this, RawExtensions in Kubernetes types will serialize kube-aggregator types
-// correctly.
-var AddToScheme = localSchemeBuilder.AddToScheme
-
-func init() {
- v1.AddToGroupVersion(scheme, schema.GroupVersion{Version: "v1"})
- utilruntime.Must(AddToScheme(scheme))
-}
diff --git a/generated/1.20/client/supervisor/virtual/clientset/versioned/scheme/doc.go b/generated/1.20/client/supervisor/virtual/clientset/versioned/scheme/doc.go
deleted file mode 100644
index cc02f1d3..00000000
--- a/generated/1.20/client/supervisor/virtual/clientset/versioned/scheme/doc.go
+++ /dev/null
@@ -1,7 +0,0 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
-// SPDX-License-Identifier: Apache-2.0
-
-// Code generated by client-gen. DO NOT EDIT.
-
-// This package contains the scheme of the automatically generated clientset.
-package scheme
diff --git a/generated/1.20/client/supervisor/virtual/clientset/versioned/scheme/register.go b/generated/1.20/client/supervisor/virtual/clientset/versioned/scheme/register.go
deleted file mode 100644
index 913e9c9a..00000000
--- a/generated/1.20/client/supervisor/virtual/clientset/versioned/scheme/register.go
+++ /dev/null
@@ -1,43 +0,0 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
-// SPDX-License-Identifier: Apache-2.0
-
-// Code generated by client-gen. DO NOT EDIT.
-
-package scheme
-
-import (
- oauthv1alpha1 "go.pinniped.dev/generated/1.20/apis/supervisor/virtual/oauth/v1alpha1"
- v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
- runtime "k8s.io/apimachinery/pkg/runtime"
- schema "k8s.io/apimachinery/pkg/runtime/schema"
- serializer "k8s.io/apimachinery/pkg/runtime/serializer"
- utilruntime "k8s.io/apimachinery/pkg/util/runtime"
-)
-
-var Scheme = runtime.NewScheme()
-var Codecs = serializer.NewCodecFactory(Scheme)
-var ParameterCodec = runtime.NewParameterCodec(Scheme)
-var localSchemeBuilder = runtime.SchemeBuilder{
- oauthv1alpha1.AddToScheme,
-}
-
-// AddToScheme adds all types of this clientset into the given scheme. This allows composition
-// of clientsets, like in:
-//
-// import (
-// "k8s.io/client-go/kubernetes"
-// clientsetscheme "k8s.io/client-go/kubernetes/scheme"
-// aggregatorclientsetscheme "k8s.io/kube-aggregator/pkg/client/clientset_generated/clientset/scheme"
-// )
-//
-// kclientset, _ := kubernetes.NewForConfig(c)
-// _ = aggregatorclientsetscheme.AddToScheme(clientsetscheme.Scheme)
-//
-// After this, RawExtensions in Kubernetes types will serialize kube-aggregator types
-// correctly.
-var AddToScheme = localSchemeBuilder.AddToScheme
-
-func init() {
- v1.AddToGroupVersion(Scheme, schema.GroupVersion{Version: "v1"})
- utilruntime.Must(AddToScheme(Scheme))
-}
diff --git a/generated/1.20/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go b/generated/1.20/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go
deleted file mode 100644
index d6e9ee9a..00000000
--- a/generated/1.20/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go
+++ /dev/null
@@ -1,27 +0,0 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
-// SPDX-License-Identifier: Apache-2.0
-
-// Code generated by client-gen. DO NOT EDIT.
-
-package fake
-
-import (
- v1alpha1 "go.pinniped.dev/generated/1.20/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1"
- rest "k8s.io/client-go/rest"
- testing "k8s.io/client-go/testing"
-)
-
-type FakeOauthV1alpha1 struct {
- *testing.Fake
-}
-
-func (c *FakeOauthV1alpha1) OIDCClientSecretRequests(namespace string) v1alpha1.OIDCClientSecretRequestInterface {
- return &FakeOIDCClientSecretRequests{c, namespace}
-}
-
-// RESTClient returns a RESTClient that is used to communicate
-// with API server by this client implementation.
-func (c *FakeOauthV1alpha1) RESTClient() rest.Interface {
- var ret *rest.RESTClient
- return ret
-}
diff --git a/generated/1.20/crds/config.supervisor.pinniped.dev_oidcclients.yaml b/generated/1.20/crds/config.supervisor.pinniped.dev_oidcclients.yaml
new file mode 100644
index 00000000..4efa445e
--- /dev/null
+++ b/generated/1.20/crds/config.supervisor.pinniped.dev_oidcclients.yaml
@@ -0,0 +1,125 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.8.0 + creationTimestamp: null + name: oidcclients.config.supervisor.pinniped.dev +spec: + group: config.supervisor.pinniped.dev + names: + categories: + - pinniped + kind: OIDCClient + listKind: OIDCClientList + plural: oidcclients + singular: oidcclient + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: OIDCClient describes the configuration of an OIDC client. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec of the OIDC client. + properties: + allowedGrantTypes: + description: "allowedGrantTypes is a list of the allowed grant_type + param values that should be accepted during OIDC flows with this + client. \n Must only contain the following values: - authorization_code: + allows the client to perform the authorization code grant flow, + i.e. allows the webapp to authenticate users. This grant must always + be listed. - refresh_token: allows the client to perform refresh + grants for the user to extend the user's session. This grant must + be listed if allowedScopes lists offline_access. 
- urn:ietf:params:oauth:grant-type:token-exchange: + allows the client to perform RFC8693 token exchange, which is a + step in the process to be able to get a cluster credential for the + user. This grant must be listed if allowedScopes lists pinniped:request-audience." + items: + enum: + - authorization_code + - refresh_token + - urn:ietf:params:oauth:grant-type:token-exchange + type: string + minItems: 1 + type: array + allowedRedirectURIs: + description: allowedRedirectURIs is a list of the allowed redirect_uri + param values that should be accepted during OIDC flows with this + client. Any other uris will be rejected. Must be https, unless it + is a loopback. + items: + type: string + minItems: 1 + type: array + allowedScopes: + description: "allowedScopes is a list of the allowed scopes param + values that should be accepted during OIDC flows with this client. + \n Must only contain the following values: - openid: The client + is allowed to request ID tokens. ID tokens only include the required + claims by default (iss, sub, aud, exp, iat). This scope must always + be listed. - offline_access: The client is allowed to request an + initial refresh token during the authorization code grant flow. + This scope must be listed if allowedGrantTypes lists refresh_token. + - pinniped:request-audience: The client is allowed to request a + new audience value during a RFC8693 token exchange, which is a step + in the process to be able to get a cluster credential for the user. + openid, username and groups scopes must be listed when this scope + is present. This scope must be listed if allowedGrantTypes lists + urn:ietf:params:oauth:grant-type:token-exchange. - username: The + client is allowed to request that ID tokens contain the user's username. + Without the username scope being requested and allowed, the ID token + will not contain the user's username. 
- groups: The client is allowed + to request that ID tokens contain the user's group membership, if + their group membership is discoverable by the Supervisor. Without + the groups scope being requested and allowed, the ID token will + not contain groups." + items: + enum: + - openid + - offline_access + - username + - groups + - pinniped:request-audience + type: string + minItems: 1 + type: array + required: + - allowedGrantTypes + - allowedRedirectURIs + - allowedScopes + type: object + status: + description: Status of the OIDC client. + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/generated/1.20/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml b/generated/1.20/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml deleted file mode 100644 index 589a9154..00000000 --- a/generated/1.20/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml +++ /dev/null 
@@ -1,125 +0,0 @@ ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.8.0 - creationTimestamp: null - name: oidcclients.oauth.supervisor.pinniped.dev -spec: - group: oauth.supervisor.pinniped.dev - names: - categories: - - pinniped - kind: OIDCClient - listKind: OIDCClientList - plural: oidcclients - singular: oidcclient - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - description: OIDCClient describes the configuration of an OIDC client. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: Spec of the OIDC client. - properties: - allowedGrantTypes: - description: "allowedGrantTypes is a list of the allowed grant_type - param values that should be accepted during OIDC flows with this - client. \n Must only contain the following values: - authorization_code: - allows the client to perform the authorization code grant flow, - i.e. allows the webapp to authenticate users. This grant must always - be listed. - refresh_token: allows the client to perform refresh - grants for the user to extend the user's session. This grant must - be listed if allowedScopes lists offline_access. 
- urn:ietf:params:oauth:grant-type:token-exchange: - allows the client to perform RFC8693 token exchange, which is a - step in the process to be able to get a cluster credential for the - user. This grant must be listed if allowedScopes lists pinniped:request-audience." - items: - enum: - - authorization_code - - refresh_token - - urn:ietf:params:oauth:grant-type:token-exchange - type: string - minItems: 1 - type: array - allowedRedirectURIs: - description: allowedRedirectURIs is a list of the allowed redirect_uri - param values that should be accepted during OIDC flows with this - client. Any other uris will be rejected. Must be https, unless it - is a loopback. - items: - type: string - minItems: 1 - type: array - allowedScopes: - description: "allowedScopes is a list of the allowed scopes param - values that should be accepted during OIDC flows with this client. - \n Must only contain the following values: - openid: The client - is allowed to request ID tokens. ID tokens only include the required - claims by default (iss, sub, aud, exp, iat). This scope must always - be listed. - offline_access: The client is allowed to request an - initial refresh token during the authorization code grant flow. - This scope must be listed if allowedGrantTypes lists refresh_token. - - pinniped:request-audience: The client is allowed to request a - new audience value during a RFC8693 token exchange, which is a step - in the process to be able to get a cluster credential for the user. - openid, username and groups scopes must be listed when this scope - is present. This scope must be listed if allowedGrantTypes lists - urn:ietf:params:oauth:grant-type:token-exchange. - username: The - client is allowed to request that ID tokens contain the user's username. - Without the username scope being requested and allowed, the ID token - will not contain the user's username. 
- groups: The client is allowed - to request that ID tokens contain the user's group membership, if - their group membership is discoverable by the Supervisor. Without - the groups scope being requested and allowed, the ID token will - not contain groups." - items: - enum: - - openid - - offline_access - - username - - groups - - pinniped:request-audience - type: string - minItems: 1 - type: array - required: - - allowedGrantTypes - - allowedRedirectURIs - - allowedScopes - type: object - status: - description: Status of the OIDC client. - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] diff --git a/generated/1.21/README.adoc b/generated/1.21/README.adoc index e83a59ea..9eb23eb5 100644 --- a/generated/1.21/README.adoc +++ b/generated/1.21/README.adoc 
@@ -6,15 +6,14 @@ .Packages - xref:{anchor_prefix}-authentication-concierge-pinniped-dev-v1alpha1[$$authentication.concierge.pinniped.dev/v1alpha1$$] +- xref:{anchor_prefix}-clientsecret-supervisor-pinniped-dev-clientsecret[$$clientsecret.supervisor.pinniped.dev/clientsecret$$] +- xref:{anchor_prefix}-clientsecret-supervisor-pinniped-dev-v1alpha1[$$clientsecret.supervisor.pinniped.dev/v1alpha1$$] - xref:{anchor_prefix}-config-concierge-pinniped-dev-v1alpha1[$$config.concierge.pinniped.dev/v1alpha1$$] - xref:{anchor_prefix}-config-supervisor-pinniped-dev-v1alpha1[$$config.supervisor.pinniped.dev/v1alpha1$$] - xref:{anchor_prefix}-identity-concierge-pinniped-dev-identity[$$identity.concierge.pinniped.dev/identity$$] - xref:{anchor_prefix}-identity-concierge-pinniped-dev-v1alpha1[$$identity.concierge.pinniped.dev/v1alpha1$$] - xref:{anchor_prefix}-idp-supervisor-pinniped-dev-v1alpha1[$$idp.supervisor.pinniped.dev/v1alpha1$$] - xref:{anchor_prefix}-login-concierge-pinniped-dev-v1alpha1[$$login.concierge.pinniped.dev/v1alpha1$$] -- xref:{anchor_prefix}-oauth-supervisor-pinniped-dev-v1alpha1[$$oauth.supervisor.pinniped.dev/v1alpha1$$] -- xref:{anchor_prefix}-oauth-virtual-supervisor-pinniped-dev-oauth[$$oauth.virtual.supervisor.pinniped.dev/oauth$$] -- xref:{anchor_prefix}-oauth-virtual-supervisor-pinniped-dev-v1alpha1[$$oauth.virtual.supervisor.pinniped.dev/v1alpha1$$] [id="{anchor_prefix}-authentication-concierge-pinniped-dev-v1alpha1"] 
@@ -213,6 +212,98 @@ Status of a webhook authenticator. +[id="{anchor_prefix}-clientsecret-supervisor-pinniped-dev-clientsecret"] +=== clientsecret.supervisor.pinniped.dev/clientsecret + +Package clientsecret is the internal version of the Pinniped client secret API. + + + + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-clientsecret-oidcclientsecretrequestspec"] +==== OIDCClientSecretRequestSpec + + + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-clientsecret-oidcclientsecretrequest[$$OIDCClientSecretRequest$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`generateNewSecret`* __boolean__ | +| *`revokeOldSecrets`* __boolean__ | +|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-clientsecret-oidcclientsecretrequeststatus"] +==== OIDCClientSecretRequestStatus + + + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-clientsecret-oidcclientsecretrequest[$$OIDCClientSecretRequest$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`generatedSecret`* __string__ | +| *`totalClientSecrets`* __integer__ | +|=== + + + +[id="{anchor_prefix}-clientsecret-supervisor-pinniped-dev-v1alpha1"] +=== clientsecret.supervisor.pinniped.dev/v1alpha1 + +Package v1alpha1 is the v1alpha1 version of the Pinniped client secret API. 
+ + + + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-clientsecret-v1alpha1-oidcclientsecretrequestspec"] +==== OIDCClientSecretRequestSpec + + + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-clientsecret-v1alpha1-oidcclientsecretrequest[$$OIDCClientSecretRequest$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`generateNewSecret`* __boolean__ | +| *`revokeOldSecrets`* __boolean__ | +|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-clientsecret-v1alpha1-oidcclientsecretrequeststatus"] +==== OIDCClientSecretRequestStatus + + + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-clientsecret-v1alpha1-oidcclientsecretrequest[$$OIDCClientSecretRequest$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`generatedSecret`* __string__ | +| *`totalClientSecrets`* __integer__ | +|=== + + + [id="{anchor_prefix}-config-concierge-pinniped-dev-v1alpha1"] === config.concierge.pinniped.dev/v1alpha1 
@@ -546,6 +637,51 @@ FederationDomainTLSSpec is a struct that describes the TLS configuration for an |=== +[id="{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-config-v1alpha1-oidcclient"] +==== OIDCClient + +OIDCClient describes the configuration of an OIDC client. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-config-v1alpha1-oidcclientlist[$$OIDCClientList$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.21/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`. + +| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-config-v1alpha1-oidcclientspec[$$OIDCClientSpec$$]__ | Spec of the OIDC client. +| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-config-v1alpha1-oidcclientstatus[$$OIDCClientStatus$$]__ | Status of the OIDC client. +|=== + + + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-config-v1alpha1-oidcclientspec"] +==== OIDCClientSpec + +OIDCClientSpec is a struct that describes an OIDC Client. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-config-v1alpha1-oidcclient[$$OIDCClient$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`allowedRedirectURIs`* __string array__ | allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this client. Any other uris will be rejected. Must be https, unless it is a loopback. +| *`allowedGrantTypes`* __GrantType array__ | allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this client. + Must only contain the following values: - authorization_code: allows the client to perform the authorization code grant flow, i.e. 
allows the webapp to authenticate users. This grant must always be listed. - refresh_token: allows the client to perform refresh grants for the user to extend the user's session. This grant must be listed if allowedScopes lists offline_access. - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. This grant must be listed if allowedScopes lists pinniped:request-audience. +| *`allowedScopes`* __Scope array__ | allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. + Must only contain the following values: - openid: The client is allowed to request ID tokens. ID tokens only include the required claims by default (iss, sub, aud, exp, iat). This scope must always be listed. - offline_access: The client is allowed to request an initial refresh token during the authorization code grant flow. This scope must be listed if allowedGrantTypes lists refresh_token. - pinniped:request-audience: The client is allowed to request a new audience value during a RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. openid, username and groups scopes must be listed when this scope is present. This scope must be listed if allowedGrantTypes lists urn:ietf:params:oauth:grant-type:token-exchange. - username: The client is allowed to request that ID tokens contain the user's username. Without the username scope being requested and allowed, the ID token will not contain the user's username. - groups: The client is allowed to request that ID tokens contain the user's group membership, if their group membership is discoverable by the Supervisor. Without the groups scope being requested and allowed, the ID token will not contain groups. 
+|=== + + + + [id="{anchor_prefix}-identity-concierge-pinniped-dev-identity"] === identity.concierge.pinniped.dev/identity 
@@ -1335,148 +1471,3 @@ TokenCredentialRequestStatus is the status of a TokenCredentialRequest, returned |=== - -[id="{anchor_prefix}-oauth-supervisor-pinniped-dev-v1alpha1"] -=== oauth.supervisor.pinniped.dev/v1alpha1 - -Package v1alpha1 is the v1alpha1 version of the Pinniped supervisor oauth API. - - - -[id="{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-oauth-v1alpha1-oidcclient"] -==== OIDCClient - -OIDCClient describes the configuration of an OIDC client. - -.Appears In: -**** -- xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-oauth-v1alpha1-oidcclientlist[$$OIDCClientList$$] -**** - -[cols="25a,75a", options="header"] -|=== -| Field | Description -| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.21/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`. - -| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-oauth-v1alpha1-oidcclientspec[$$OIDCClientSpec$$]__ | Spec of the OIDC client. -| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-oauth-v1alpha1-oidcclientstatus[$$OIDCClientStatus$$]__ | Status of the OIDC client. -|=== - - - - -[id="{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-oauth-v1alpha1-oidcclientspec"] -==== OIDCClientSpec - -OIDCClientSpec is a struct that describes an OIDC Client. - -.Appears In: -**** -- xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-oauth-v1alpha1-oidcclient[$$OIDCClient$$] -**** - -[cols="25a,75a", options="header"] -|=== -| Field | Description -| *`allowedRedirectURIs`* __string array__ | allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this client. Any other uris will be rejected. Must be https, unless it is a loopback. 
-| *`allowedGrantTypes`* __GrantType array__ | allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this client. - Must only contain the following values: - authorization_code: allows the client to perform the authorization code grant flow, i.e. allows the webapp to authenticate users. This grant must always be listed. - refresh_token: allows the client to perform refresh grants for the user to extend the user's session. This grant must be listed if allowedScopes lists offline_access. - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. This grant must be listed if allowedScopes lists pinniped:request-audience. -| *`allowedScopes`* __Scope array__ | allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. - Must only contain the following values: - openid: The client is allowed to request ID tokens. ID tokens only include the required claims by default (iss, sub, aud, exp, iat). This scope must always be listed. - offline_access: The client is allowed to request an initial refresh token during the authorization code grant flow. This scope must be listed if allowedGrantTypes lists refresh_token. - pinniped:request-audience: The client is allowed to request a new audience value during a RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. openid, username and groups scopes must be listed when this scope is present. This scope must be listed if allowedGrantTypes lists urn:ietf:params:oauth:grant-type:token-exchange. - username: The client is allowed to request that ID tokens contain the user's username. Without the username scope being requested and allowed, the ID token will not contain the user's username. 
- groups: The client is allowed to request that ID tokens contain the user's group membership, if their group membership is discoverable by the Supervisor. Without the groups scope being requested and allowed, the ID token will not contain groups. -|=== - - - - - -[id="{anchor_prefix}-oauth-virtual-supervisor-pinniped-dev-oauth"] -=== oauth.virtual.supervisor.pinniped.dev/oauth - -Package oauth is the internal version of the Pinniped virtual oauth API. - - - - - -[id="{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-virtual-oauth-oidcclientsecretrequestspec"] -==== OIDCClientSecretRequestSpec - - - -.Appears In: -**** -- xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-virtual-oauth-oidcclientsecretrequest[$$OIDCClientSecretRequest$$] -**** - -[cols="25a,75a", options="header"] -|=== -| Field | Description -| *`generateNewSecret`* __boolean__ | -| *`revokeOldSecrets`* __boolean__ | -|=== - - -[id="{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-virtual-oauth-oidcclientsecretrequeststatus"] -==== OIDCClientSecretRequestStatus - - - -.Appears In: -**** -- xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-virtual-oauth-oidcclientsecretrequest[$$OIDCClientSecretRequest$$] -**** - -[cols="25a,75a", options="header"] -|=== -| Field | Description -| *`generatedSecret`* __string__ | -| *`totalClientSecrets`* __integer__ | -|=== - - - -[id="{anchor_prefix}-oauth-virtual-supervisor-pinniped-dev-v1alpha1"] -=== oauth.virtual.supervisor.pinniped.dev/v1alpha1 - -Package v1alpha1 is the v1alpha1 version of the Pinniped virtual oauth API. 
- - - - - -[id="{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-virtual-oauth-v1alpha1-oidcclientsecretrequestspec"] -==== OIDCClientSecretRequestSpec - - - -.Appears In: -**** -- xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-virtual-oauth-v1alpha1-oidcclientsecretrequest[$$OIDCClientSecretRequest$$] -**** - -[cols="25a,75a", options="header"] -|=== -| Field | Description -| *`generateNewSecret`* __boolean__ | -| *`revokeOldSecrets`* __boolean__ | -|=== - - -[id="{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-virtual-oauth-v1alpha1-oidcclientsecretrequeststatus"] -==== OIDCClientSecretRequestStatus - - - -.Appears In: -**** -- xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-virtual-oauth-v1alpha1-oidcclientsecretrequest[$$OIDCClientSecretRequest$$] -**** - -[cols="25a,75a", options="header"] -|=== -| Field | Description -| *`generatedSecret`* __string__ | -| *`totalClientSecrets`* __integer__ | -|=== - - diff --git a/generated/1.21/apis/supervisor/clientsecret/doc.go b/generated/1.21/apis/supervisor/clientsecret/doc.go new file mode 100644 index 00000000..c536bc75 --- /dev/null +++ b/generated/1.21/apis/supervisor/clientsecret/doc.go @@ -0,0 +1,8 @@ +// Copyright 2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// +k8s:deepcopy-gen=package +// +groupName=clientsecret.supervisor.pinniped.dev + +// Package clientsecret is the internal version of the Pinniped client secret API. +package clientsecret diff --git a/generated/1.21/apis/supervisor/clientsecret/register.go b/generated/1.21/apis/supervisor/clientsecret/register.go new file mode 100644 index 00000000..4a1c0173 --- /dev/null +++ b/generated/1.21/apis/supervisor/clientsecret/register.go 
@@ -0,0 +1,37 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package clientsecret
+
+import (
+ "k8s.io/apimachinery/pkg/runtime"
+ "k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+const GroupName = "clientsecret.supervisor.pinniped.dev"
+
+// SchemeGroupVersion is group version used to register these objects.
+var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: runtime.APIVersionInternal}
+
+// Kind takes an unqualified kind and returns back a Group qualified GroupKind.
+func Kind(kind string) schema.GroupKind {
+ return SchemeGroupVersion.WithKind(kind).GroupKind()
+}
+
+// Resource takes an unqualified resource and returns back a Group qualified GroupResource.
+func Resource(resource string) schema.GroupResource {
+ return SchemeGroupVersion.WithResource(resource).GroupResource()
+}
+
+var (
+ SchemeBuilder = runtime.NewSchemeBuilder(addKnownTypes)
+ AddToScheme = SchemeBuilder.AddToScheme
+)
+
+// Adds the list of known types to the given scheme.
+func addKnownTypes(scheme *runtime.Scheme) error {
+ scheme.AddKnownTypes(SchemeGroupVersion,
+ &OIDCClientSecretRequest{},
+ )
+ return nil
+}
diff --git a/generated/1.21/apis/supervisor/clientsecret/types_oidcclientsecretrequest.go b/generated/1.21/apis/supervisor/clientsecret/types_oidcclientsecretrequest.go
new file mode 100644
index 00000000..7fd1eb65
--- /dev/null
+++ b/generated/1.21/apis/supervisor/clientsecret/types_oidcclientsecretrequest.go
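Review bot: GroupName is exported without a doc comment, and the comment on addKnownTypes does not begin with the function name as Go doc convention expects; the same two points apply to the versioned register.go hunk (clientsecret/v1alpha1/register.go) later in this commit. Suggest `// GroupName is the API group of the internal client secret types.` above the const and `// addKnownTypes registers the internal OIDCClientSecretRequest type with the given scheme.` in place of the current comment. Since this tree is under generated/, the wording presumably belongs in the corresponding .go.tmpl template rather than here.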
@@ -0,0 +1,25 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package clientsecret
+
+import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+type OIDCClientSecretRequestSpec struct {
+ GenerateNewSecret bool `json:"generateNewSecret"`
+ RevokeOldSecrets bool `json:"revokeOldSecrets"`
+}
+
+type OIDCClientSecretRequestStatus struct {
+ GeneratedSecret string `json:"generatedSecret,omitempty"`
+ TotalClientSecrets int `json:"totalClientSecrets"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+type OIDCClientSecretRequest struct {
+ metav1.TypeMeta `json:",inline"`
+ metav1.ObjectMeta `json:"metadata,omitempty"` // metadata.name must be set to the client ID
+
+ Spec OIDCClientSecretRequestSpec `json:"spec"`
+ Status OIDCClientSecretRequestStatus `json:"status"`
+}
diff --git a/generated/1.21/apis/supervisor/virtual/oauth/v1alpha1/conversion.go b/generated/1.21/apis/supervisor/clientsecret/v1alpha1/conversion.go
similarity index 100%
rename from generated/1.21/apis/supervisor/virtual/oauth/v1alpha1/conversion.go
rename to generated/1.21/apis/supervisor/clientsecret/v1alpha1/conversion.go
diff --git a/generated/1.21/apis/supervisor/virtual/oauth/v1alpha1/defaults.go b/generated/1.21/apis/supervisor/clientsecret/v1alpha1/defaults.go
similarity index 100%
rename from generated/1.21/apis/supervisor/virtual/oauth/v1alpha1/defaults.go
rename to generated/1.21/apis/supervisor/clientsecret/v1alpha1/defaults.go
diff --git a/generated/1.21/apis/supervisor/virtual/oauth/v1alpha1/doc.go b/generated/1.21/apis/supervisor/clientsecret/v1alpha1/doc.go
similarity index 64%
rename from generated/1.21/apis/supervisor/virtual/oauth/v1alpha1/doc.go
rename to generated/1.21/apis/supervisor/clientsecret/v1alpha1/doc.go
index b3cb2440..a8a2f252 100644
--- a/generated/1.21/apis/supervisor/virtual/oauth/v1alpha1/doc.go
+++ b/generated/1.21/apis/supervisor/clientsecret/v1alpha1/doc.go
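Review bot: None of the three exported types has a doc comment, so the only explanation of this API is the trailing remark on ObjectMeta; the field most in need of one is GeneratedSecret, which by its name and the `generatedSecret,omitempty` tag appears to carry a freshly generated client secret in plaintext, and callers reading the status need to know to treat it as sensitive (not log it, not copy it into stored objects). Suggest `// OIDCClientSecretRequest asks the Supervisor to manage the client secrets of the OIDCClient named by metadata.name.` on the request type, moving the metadata.name remark into it, and `// GeneratedSecret is the newly generated client secret; presumably returned in plaintext only in this response — confirm.` on the field. Whether a returned status is ever persisted cannot be told from this hunk, so the comment should be confirmed against the handler.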
@@ -3,9 +3,9 @@ // +k8s:openapi-gen=true // +k8s:deepcopy-gen=package -// +k8s:conversion-gen=go.pinniped.dev/generated/1.21/apis/supervisor/virtual/oauth +// +k8s:conversion-gen=go.pinniped.dev/generated/1.21/apis/supervisor/clientsecret // +k8s:defaulter-gen=TypeMeta -// +groupName=oauth.virtual.supervisor.pinniped.dev +// +groupName=clientsecret.supervisor.pinniped.dev -// Package v1alpha1 is the v1alpha1 version of the Pinniped virtual oauth API. +// Package v1alpha1 is the v1alpha1 version of the Pinniped client secret API. package v1alpha1 diff --git a/generated/1.21/apis/supervisor/clientsecret/v1alpha1/register.go b/generated/1.21/apis/supervisor/clientsecret/v1alpha1/register.go new file mode 100644 index 00000000..49602125 --- /dev/null +++ b/generated/1.21/apis/supervisor/clientsecret/v1alpha1/register.go 
@@ -0,0 +1,42 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import (
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/apimachinery/pkg/runtime"
+ "k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+const GroupName = "clientsecret.supervisor.pinniped.dev"
+
+// SchemeGroupVersion is group version used to register these objects.
+var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha1"}
+
+var (
+ SchemeBuilder runtime.SchemeBuilder
+ localSchemeBuilder = &SchemeBuilder
+ AddToScheme = SchemeBuilder.AddToScheme
+)
+
+func init() {
+ // We only register manually written functions here. The registration of the
+ // generated functions takes place in the generated files. The separation
+ // makes the code compile even when the generated files are missing.
+ localSchemeBuilder.Register(addKnownTypes, addDefaultingFuncs)
+}
+
+// Adds the list of known types to the given scheme.
+func addKnownTypes(scheme *runtime.Scheme) error {
+ scheme.AddKnownTypes(SchemeGroupVersion,
+ &OIDCClientSecretRequest{},
+ )
+ metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
+ return nil
+}
+
+// Resource takes an unqualified resource and returns back a Group qualified GroupResource.
+func Resource(resource string) schema.GroupResource {
+ return SchemeGroupVersion.WithResource(resource).GroupResource()
+}
diff --git a/generated/1.21/apis/supervisor/virtual/oauth/v1alpha1/types_oidcclientsecretrequest.go b/generated/1.21/apis/supervisor/clientsecret/v1alpha1/types_oidcclientsecretrequest.go
similarity index 100%
rename from generated/1.21/apis/supervisor/virtual/oauth/v1alpha1/types_oidcclientsecretrequest.go
rename to generated/1.21/apis/supervisor/clientsecret/v1alpha1/types_oidcclientsecretrequest.go
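Review bot: The group name literal "clientsecret.supervisor.pinniped.dev" is now spelled out independently here, in the internal package's register.go and in the +groupName marker of doc.go, with nothing tying the three together, so a future edit to one of them could leave the versioned types registered under a group that differs from the one the generators advertise. If the project's layout lets the versioned package import the internal one (the generated conversion file in this commit already imports it as clientsecret), `const GroupName = clientsecret.GroupName` would give a single source of truth; otherwise a comment naming the other two places to update would help. addDefaultingFuncs is referenced in init but defined outside this hunk, presumably in the defaults.go that this commit renames unchanged.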
diff --git a/generated/1.21/apis/supervisor/clientsecret/v1alpha1/zz_generated.conversion.go b/generated/1.21/apis/supervisor/clientsecret/v1alpha1/zz_generated.conversion.go
new file mode 100644
index 00000000..a5fbb3bb
--- /dev/null
+++ b/generated/1.21/apis/supervisor/clientsecret/v1alpha1/zz_generated.conversion.go
@@ -0,0 +1,131 @@ +//go:build !ignore_autogenerated +// +build !ignore_autogenerated + +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by conversion-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + clientsecret "go.pinniped.dev/generated/1.21/apis/supervisor/clientsecret" + conversion "k8s.io/apimachinery/pkg/conversion" + runtime "k8s.io/apimachinery/pkg/runtime" +) + +func init() { + localSchemeBuilder.Register(RegisterConversions) +} + +// RegisterConversions adds conversion functions to the given scheme. +// Public to allow building arbitrary schemes. +func RegisterConversions(s *runtime.Scheme) error { + if err := s.AddGeneratedConversionFunc((*OIDCClientSecretRequest)(nil), (*clientsecret.OIDCClientSecretRequest)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_v1alpha1_OIDCClientSecretRequest_To_clientsecret_OIDCClientSecretRequest(a.(*OIDCClientSecretRequest), b.(*clientsecret.OIDCClientSecretRequest), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*clientsecret.OIDCClientSecretRequest)(nil), (*OIDCClientSecretRequest)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_clientsecret_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest(a.(*clientsecret.OIDCClientSecretRequest), b.(*OIDCClientSecretRequest), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*OIDCClientSecretRequestSpec)(nil), (*clientsecret.OIDCClientSecretRequestSpec)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_v1alpha1_OIDCClientSecretRequestSpec_To_clientsecret_OIDCClientSecretRequestSpec(a.(*OIDCClientSecretRequestSpec), b.(*clientsecret.OIDCClientSecretRequestSpec), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*clientsecret.OIDCClientSecretRequestSpec)(nil), (*OIDCClientSecretRequestSpec)(nil), 
func(a, b interface{}, scope conversion.Scope) error { + return Convert_clientsecret_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec(a.(*clientsecret.OIDCClientSecretRequestSpec), b.(*OIDCClientSecretRequestSpec), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*OIDCClientSecretRequestStatus)(nil), (*clientsecret.OIDCClientSecretRequestStatus)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_v1alpha1_OIDCClientSecretRequestStatus_To_clientsecret_OIDCClientSecretRequestStatus(a.(*OIDCClientSecretRequestStatus), b.(*clientsecret.OIDCClientSecretRequestStatus), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*clientsecret.OIDCClientSecretRequestStatus)(nil), (*OIDCClientSecretRequestStatus)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_clientsecret_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus(a.(*clientsecret.OIDCClientSecretRequestStatus), b.(*OIDCClientSecretRequestStatus), scope) + }); err != nil { + return err + } + return nil +} + +func autoConvert_v1alpha1_OIDCClientSecretRequest_To_clientsecret_OIDCClientSecretRequest(in *OIDCClientSecretRequest, out *clientsecret.OIDCClientSecretRequest, s conversion.Scope) error { + out.ObjectMeta = in.ObjectMeta + if err := Convert_v1alpha1_OIDCClientSecretRequestSpec_To_clientsecret_OIDCClientSecretRequestSpec(&in.Spec, &out.Spec, s); err != nil { + return err + } + if err := Convert_v1alpha1_OIDCClientSecretRequestStatus_To_clientsecret_OIDCClientSecretRequestStatus(&in.Status, &out.Status, s); err != nil { + return err + } + return nil +} + +// Convert_v1alpha1_OIDCClientSecretRequest_To_clientsecret_OIDCClientSecretRequest is an autogenerated conversion function. 
+func Convert_v1alpha1_OIDCClientSecretRequest_To_clientsecret_OIDCClientSecretRequest(in *OIDCClientSecretRequest, out *clientsecret.OIDCClientSecretRequest, s conversion.Scope) error { + return autoConvert_v1alpha1_OIDCClientSecretRequest_To_clientsecret_OIDCClientSecretRequest(in, out, s) +} + +func autoConvert_clientsecret_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest(in *clientsecret.OIDCClientSecretRequest, out *OIDCClientSecretRequest, s conversion.Scope) error { + out.ObjectMeta = in.ObjectMeta + if err := Convert_clientsecret_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec(&in.Spec, &out.Spec, s); err != nil { + return err + } + if err := Convert_clientsecret_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus(&in.Status, &out.Status, s); err != nil { + return err + } + return nil +} + +// Convert_clientsecret_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest is an autogenerated conversion function. +func Convert_clientsecret_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest(in *clientsecret.OIDCClientSecretRequest, out *OIDCClientSecretRequest, s conversion.Scope) error { + return autoConvert_clientsecret_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest(in, out, s) +} + +func autoConvert_v1alpha1_OIDCClientSecretRequestSpec_To_clientsecret_OIDCClientSecretRequestSpec(in *OIDCClientSecretRequestSpec, out *clientsecret.OIDCClientSecretRequestSpec, s conversion.Scope) error { + out.GenerateNewSecret = in.GenerateNewSecret + out.RevokeOldSecrets = in.RevokeOldSecrets + return nil +} + +// Convert_v1alpha1_OIDCClientSecretRequestSpec_To_clientsecret_OIDCClientSecretRequestSpec is an autogenerated conversion function. 
+func Convert_v1alpha1_OIDCClientSecretRequestSpec_To_clientsecret_OIDCClientSecretRequestSpec(in *OIDCClientSecretRequestSpec, out *clientsecret.OIDCClientSecretRequestSpec, s conversion.Scope) error { + return autoConvert_v1alpha1_OIDCClientSecretRequestSpec_To_clientsecret_OIDCClientSecretRequestSpec(in, out, s) +} + +func autoConvert_clientsecret_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec(in *clientsecret.OIDCClientSecretRequestSpec, out *OIDCClientSecretRequestSpec, s conversion.Scope) error { + out.GenerateNewSecret = in.GenerateNewSecret + out.RevokeOldSecrets = in.RevokeOldSecrets + return nil +} + +// Convert_clientsecret_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec is an autogenerated conversion function. +func Convert_clientsecret_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec(in *clientsecret.OIDCClientSecretRequestSpec, out *OIDCClientSecretRequestSpec, s conversion.Scope) error { + return autoConvert_clientsecret_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec(in, out, s) +} + +func autoConvert_v1alpha1_OIDCClientSecretRequestStatus_To_clientsecret_OIDCClientSecretRequestStatus(in *OIDCClientSecretRequestStatus, out *clientsecret.OIDCClientSecretRequestStatus, s conversion.Scope) error { + out.GeneratedSecret = in.GeneratedSecret + out.TotalClientSecrets = in.TotalClientSecrets + return nil +} + +// Convert_v1alpha1_OIDCClientSecretRequestStatus_To_clientsecret_OIDCClientSecretRequestStatus is an autogenerated conversion function. 
+func Convert_v1alpha1_OIDCClientSecretRequestStatus_To_clientsecret_OIDCClientSecretRequestStatus(in *OIDCClientSecretRequestStatus, out *clientsecret.OIDCClientSecretRequestStatus, s conversion.Scope) error { + return autoConvert_v1alpha1_OIDCClientSecretRequestStatus_To_clientsecret_OIDCClientSecretRequestStatus(in, out, s) +} + +func autoConvert_clientsecret_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus(in *clientsecret.OIDCClientSecretRequestStatus, out *OIDCClientSecretRequestStatus, s conversion.Scope) error { + out.GeneratedSecret = in.GeneratedSecret + out.TotalClientSecrets = in.TotalClientSecrets + return nil +} + +// Convert_clientsecret_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus is an autogenerated conversion function. +func Convert_clientsecret_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus(in *clientsecret.OIDCClientSecretRequestStatus, out *OIDCClientSecretRequestStatus, s conversion.Scope) error { + return autoConvert_clientsecret_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus(in, out, s) +} diff --git a/generated/1.21/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.deepcopy.go b/generated/1.21/apis/supervisor/clientsecret/v1alpha1/zz_generated.deepcopy.go similarity index 100% rename from generated/1.21/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.deepcopy.go rename to generated/1.21/apis/supervisor/clientsecret/v1alpha1/zz_generated.deepcopy.go diff --git a/generated/1.21/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.defaults.go b/generated/1.21/apis/supervisor/clientsecret/v1alpha1/zz_generated.defaults.go similarity index 100% rename from generated/1.21/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.defaults.go rename to generated/1.21/apis/supervisor/clientsecret/v1alpha1/zz_generated.defaults.go 
diff --git a/generated/1.21/apis/supervisor/clientsecret/zz_generated.deepcopy.go b/generated/1.21/apis/supervisor/clientsecret/zz_generated.deepcopy.go
new file mode 100644
index 00000000..e0dc7d68
--- /dev/null
+++ b/generated/1.21/apis/supervisor/clientsecret/zz_generated.deepcopy.go
@@ -0,0 +1,73 @@ +//go:build !ignore_autogenerated +// +build !ignore_autogenerated + +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by deepcopy-gen. DO NOT EDIT. + +package clientsecret + +import ( + runtime "k8s.io/apimachinery/pkg/runtime" +) + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCClientSecretRequest) DeepCopyInto(out *OIDCClientSecretRequest) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + out.Spec = in.Spec + out.Status = in.Status + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSecretRequest. +func (in *OIDCClientSecretRequest) DeepCopy() *OIDCClientSecretRequest { + if in == nil { + return nil + } + out := new(OIDCClientSecretRequest) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *OIDCClientSecretRequest) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCClientSecretRequestSpec) DeepCopyInto(out *OIDCClientSecretRequestSpec) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSecretRequestSpec. +func (in *OIDCClientSecretRequestSpec) DeepCopy() *OIDCClientSecretRequestSpec { + if in == nil { + return nil + } + out := new(OIDCClientSecretRequestSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *OIDCClientSecretRequestStatus) DeepCopyInto(out *OIDCClientSecretRequestStatus) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSecretRequestStatus. +func (in *OIDCClientSecretRequestStatus) DeepCopy() *OIDCClientSecretRequestStatus { + if in == nil { + return nil + } + out := new(OIDCClientSecretRequestStatus) + in.DeepCopyInto(out) + return out +} diff --git a/generated/1.21/apis/supervisor/config/v1alpha1/register.go b/generated/1.21/apis/supervisor/config/v1alpha1/register.go index 69045298..54c51699 100644 --- a/generated/1.21/apis/supervisor/config/v1alpha1/register.go +++ b/generated/1.21/apis/supervisor/config/v1alpha1/register.go @@ -32,6 +32,8 @@ func addKnownTypes(scheme *runtime.Scheme) error { scheme.AddKnownTypes(SchemeGroupVersion, &FederationDomain{}, &FederationDomainList{}, + &OIDCClient{}, + &OIDCClientList{}, ) metav1.AddToGroupVersion(scheme, SchemeGroupVersion) return nil diff --git a/generated/1.21/apis/supervisor/oauth/v1alpha1/types_oidcclient.go b/generated/1.21/apis/supervisor/config/v1alpha1/types_oidcclient.go similarity index 100% rename from generated/1.21/apis/supervisor/oauth/v1alpha1/types_oidcclient.go rename to generated/1.21/apis/supervisor/config/v1alpha1/types_oidcclient.go diff --git a/generated/1.21/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go b/generated/1.21/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go index 856b8988..a55d88e7 100644 --- a/generated/1.21/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go +++ b/generated/1.21/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go 
@@ -150,3 +150,111 @@ func (in *FederationDomainTLSSpec) DeepCopy() *FederationDomainTLSSpec { in.DeepCopyInto(out) return out } + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCClient) DeepCopyInto(out *OIDCClient) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + in.Spec.DeepCopyInto(&out.Spec) + out.Status = in.Status + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClient. +func (in *OIDCClient) DeepCopy() *OIDCClient { + if in == nil { + return nil + } + out := new(OIDCClient) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *OIDCClient) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCClientList) DeepCopyInto(out *OIDCClientList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]OIDCClient, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientList. +func (in *OIDCClientList) DeepCopy() *OIDCClientList { + if in == nil { + return nil + } + out := new(OIDCClientList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *OIDCClientList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. 
in must be non-nil. +func (in *OIDCClientSpec) DeepCopyInto(out *OIDCClientSpec) { + *out = *in + if in.AllowedRedirectURIs != nil { + in, out := &in.AllowedRedirectURIs, &out.AllowedRedirectURIs + *out = make([]string, len(*in)) + copy(*out, *in) + } + if in.AllowedGrantTypes != nil { + in, out := &in.AllowedGrantTypes, &out.AllowedGrantTypes + *out = make([]GrantType, len(*in)) + copy(*out, *in) + } + if in.AllowedScopes != nil { + in, out := &in.AllowedScopes, &out.AllowedScopes + *out = make([]Scope, len(*in)) + copy(*out, *in) + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSpec. +func (in *OIDCClientSpec) DeepCopy() *OIDCClientSpec { + if in == nil { + return nil + } + out := new(OIDCClientSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCClientStatus) DeepCopyInto(out *OIDCClientStatus) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientStatus. +func (in *OIDCClientStatus) DeepCopy() *OIDCClientStatus { + if in == nil { + return nil + } + out := new(OIDCClientStatus) + in.DeepCopyInto(out) + return out +} diff --git a/generated/1.21/apis/supervisor/oauth/v1alpha1/doc.go b/generated/1.21/apis/supervisor/oauth/v1alpha1/doc.go deleted file mode 100644 index 75580481..00000000 --- a/generated/1.21/apis/supervisor/oauth/v1alpha1/doc.go +++ /dev/null @@ -1,10 +0,0 @@ -// Copyright 2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// +k8s:openapi-gen=true -// +k8s:deepcopy-gen=package -// +k8s:defaulter-gen=TypeMeta -// +groupName=oauth.supervisor.pinniped.dev - -// Package v1alpha1 is the v1alpha1 version of the Pinniped supervisor oauth API. -package v1alpha1 
diff --git a/generated/1.21/apis/supervisor/oauth/v1alpha1/register.go b/generated/1.21/apis/supervisor/oauth/v1alpha1/register.go
deleted file mode 100644
index 37ae1fbf..00000000
--- a/generated/1.21/apis/supervisor/oauth/v1alpha1/register.go
+++ /dev/null
@@ -1,43 +0,0 @@
-// Copyright 2022 the Pinniped contributors. All Rights Reserved.
-// SPDX-License-Identifier: Apache-2.0
-
-package v1alpha1
-
-import (
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/apimachinery/pkg/runtime"
-	"k8s.io/apimachinery/pkg/runtime/schema"
-)
-
-const GroupName = "oauth.supervisor.pinniped.dev"
-
-// SchemeGroupVersion is group version used to register these objects.
-var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha1"}
-
-var (
-	SchemeBuilder runtime.SchemeBuilder
-	localSchemeBuilder = &SchemeBuilder
-	AddToScheme = localSchemeBuilder.AddToScheme
-)
-
-func init() {
-	// We only register manually written functions here. The registration of the
-	// generated functions takes place in the generated files. The separation
-	// makes the code compile even when the generated files are missing.
-	localSchemeBuilder.Register(addKnownTypes)
-}
-
-// Adds the list of known types to the given scheme.
-func addKnownTypes(scheme *runtime.Scheme) error {
-	scheme.AddKnownTypes(SchemeGroupVersion,
-		&OIDCClient{},
-		&OIDCClientList{},
-	)
-	metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
-	return nil
-}
-
-// Resource takes an unqualified resource and returns a Group qualified GroupResource.
-func Resource(resource string) schema.GroupResource {
-	return SchemeGroupVersion.WithResource(resource).GroupResource()
-}
diff --git a/generated/1.21/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go b/generated/1.21/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go
deleted file mode 100644
index 1aba8aea..00000000
--- a/generated/1.21/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go
+++ /dev/null
@@ -1,121 +0,0 @@ -//go:build !ignore_autogenerated -// +build !ignore_autogenerated - -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by deepcopy-gen. DO NOT EDIT. - -package v1alpha1 - -import ( - runtime "k8s.io/apimachinery/pkg/runtime" -) - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *OIDCClient) DeepCopyInto(out *OIDCClient) { - *out = *in - out.TypeMeta = in.TypeMeta - in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) - in.Spec.DeepCopyInto(&out.Spec) - out.Status = in.Status - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClient. -func (in *OIDCClient) DeepCopy() *OIDCClient { - if in == nil { - return nil - } - out := new(OIDCClient) - in.DeepCopyInto(out) - return out -} - -// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. -func (in *OIDCClient) DeepCopyObject() runtime.Object { - if c := in.DeepCopy(); c != nil { - return c - } - return nil -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *OIDCClientList) DeepCopyInto(out *OIDCClientList) { - *out = *in - out.TypeMeta = in.TypeMeta - in.ListMeta.DeepCopyInto(&out.ListMeta) - if in.Items != nil { - in, out := &in.Items, &out.Items - *out = make([]OIDCClient, len(*in)) - for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) - } - } - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientList. -func (in *OIDCClientList) DeepCopy() *OIDCClientList { - if in == nil { - return nil - } - out := new(OIDCClientList) - in.DeepCopyInto(out) - return out -} - -// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. 
-func (in *OIDCClientList) DeepCopyObject() runtime.Object { - if c := in.DeepCopy(); c != nil { - return c - } - return nil -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *OIDCClientSpec) DeepCopyInto(out *OIDCClientSpec) { - *out = *in - if in.AllowedRedirectURIs != nil { - in, out := &in.AllowedRedirectURIs, &out.AllowedRedirectURIs - *out = make([]string, len(*in)) - copy(*out, *in) - } - if in.AllowedGrantTypes != nil { - in, out := &in.AllowedGrantTypes, &out.AllowedGrantTypes - *out = make([]GrantType, len(*in)) - copy(*out, *in) - } - if in.AllowedScopes != nil { - in, out := &in.AllowedScopes, &out.AllowedScopes - *out = make([]Scope, len(*in)) - copy(*out, *in) - } - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSpec. -func (in *OIDCClientSpec) DeepCopy() *OIDCClientSpec { - if in == nil { - return nil - } - out := new(OIDCClientSpec) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *OIDCClientStatus) DeepCopyInto(out *OIDCClientStatus) { - *out = *in - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientStatus. -func (in *OIDCClientStatus) DeepCopy() *OIDCClientStatus { - if in == nil { - return nil - } - out := new(OIDCClientStatus) - in.DeepCopyInto(out) - return out -} diff --git a/generated/1.21/apis/supervisor/virtual/oauth/doc.go b/generated/1.21/apis/supervisor/virtual/oauth/doc.go deleted file mode 100644 index ca4e9a63..00000000 --- a/generated/1.21/apis/supervisor/virtual/oauth/doc.go +++ /dev/null 
@@ -1,8 +0,0 @@
-// Copyright 2022 the Pinniped contributors. All Rights Reserved.
-// SPDX-License-Identifier: Apache-2.0
-
-// +k8s:deepcopy-gen=package
-// +groupName=oauth.virtual.supervisor.pinniped.dev
-
-// Package oauth is the internal version of the Pinniped virtual oauth API.
-package oauth
diff --git a/generated/1.21/apis/supervisor/virtual/oauth/register.go b/generated/1.21/apis/supervisor/virtual/oauth/register.go
deleted file mode 100644
index a238d85f..00000000
--- a/generated/1.21/apis/supervisor/virtual/oauth/register.go
+++ /dev/null
@@ -1,37 +0,0 @@
-// Copyright 2022 the Pinniped contributors. All Rights Reserved.
-// SPDX-License-Identifier: Apache-2.0
-
-package oauth
-
-import (
-	"k8s.io/apimachinery/pkg/runtime"
-	"k8s.io/apimachinery/pkg/runtime/schema"
-)
-
-const GroupName = "oauth.virtual.supervisor.pinniped.dev"
-
-// SchemeGroupVersion is group version used to register these objects.
-var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: runtime.APIVersionInternal}
-
-// Kind takes an unqualified kind and returns back a Group qualified GroupKind.
-func Kind(kind string) schema.GroupKind {
-	return SchemeGroupVersion.WithKind(kind).GroupKind()
-}
-
-// Resource takes an unqualified resource and returns back a Group qualified GroupResource.
-func Resource(resource string) schema.GroupResource {
-	return SchemeGroupVersion.WithResource(resource).GroupResource()
-}
-
-var (
-	SchemeBuilder = runtime.NewSchemeBuilder(addKnownTypes)
-	AddToScheme = SchemeBuilder.AddToScheme
-)
-
-// Adds the list of known types to the given scheme.
-func addKnownTypes(scheme *runtime.Scheme) error {
-	scheme.AddKnownTypes(SchemeGroupVersion,
-		&OIDCClientSecretRequest{},
-	)
-	return nil
-}
diff --git a/generated/1.21/apis/supervisor/virtual/oauth/types_oidcclientsecretrequest.go b/generated/1.21/apis/supervisor/virtual/oauth/types_oidcclientsecretrequest.go
deleted file mode 100644
index ac54a93c..00000000
--- a/generated/1.21/apis/supervisor/virtual/oauth/types_oidcclientsecretrequest.go
+++ /dev/null
@@ -1,25 +0,0 @@
-// Copyright 2022 the Pinniped contributors. All Rights Reserved.
-// SPDX-License-Identifier: Apache-2.0
-
-package oauth
-
-import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-
-type OIDCClientSecretRequestSpec struct {
-	GenerateNewSecret bool `json:"generateNewSecret"`
-	RevokeOldSecrets bool `json:"revokeOldSecrets"`
-}
-
-type OIDCClientSecretRequestStatus struct {
-	GeneratedSecret string `json:"generatedSecret,omitempty"`
-	TotalClientSecrets int `json:"totalClientSecrets"`
-}
-
-// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
-type OIDCClientSecretRequest struct {
-	metav1.TypeMeta `json:",inline"`
-	metav1.ObjectMeta `json:"metadata,omitempty"` // metadata.name must be set to the client ID
-
-	Spec OIDCClientSecretRequestSpec `json:"spec"`
-	Status OIDCClientSecretRequestStatus `json:"status"`
-}
diff --git a/generated/1.21/apis/supervisor/virtual/oauth/v1alpha1/register.go b/generated/1.21/apis/supervisor/virtual/oauth/v1alpha1/register.go
deleted file mode 100644
index ecc75a08..00000000
--- a/generated/1.21/apis/supervisor/virtual/oauth/v1alpha1/register.go
+++ /dev/null
@@ -1,42 +0,0 @@
-// Copyright 2022 the Pinniped contributors. All Rights Reserved.
-// SPDX-License-Identifier: Apache-2.0
-
-package v1alpha1
-
-import (
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/apimachinery/pkg/runtime"
-	"k8s.io/apimachinery/pkg/runtime/schema"
-)
-
-const GroupName = "oauth.virtual.supervisor.pinniped.dev"
-
-// SchemeGroupVersion is group version used to register these objects.
-var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha1"}
-
-var (
-	SchemeBuilder runtime.SchemeBuilder
-	localSchemeBuilder = &SchemeBuilder
-	AddToScheme = SchemeBuilder.AddToScheme
-)
-
-func init() {
-	// We only register manually written functions here. The registration of the
-	// generated functions takes place in the generated files. The separation
-	// makes the code compile even when the generated files are missing.
-	localSchemeBuilder.Register(addKnownTypes, addDefaultingFuncs)
-}
-
-// Adds the list of known types to the given scheme.
-func addKnownTypes(scheme *runtime.Scheme) error {
-	scheme.AddKnownTypes(SchemeGroupVersion,
-		&OIDCClientSecretRequest{},
-	)
-	metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
-	return nil
-}
-
-// Resource takes an unqualified resource and returns back a Group qualified GroupResource.
-func Resource(resource string) schema.GroupResource {
-	return SchemeGroupVersion.WithResource(resource).GroupResource()
-}
diff --git a/generated/1.21/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.conversion.go b/generated/1.21/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.conversion.go
deleted file mode 100644
index 384717d0..00000000
--- a/generated/1.21/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.conversion.go
+++ /dev/null
@@ -1,131 +0,0 @@ -//go:build !ignore_autogenerated -// +build !ignore_autogenerated - -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by conversion-gen. DO NOT EDIT. - -package v1alpha1 - -import ( - oauth "go.pinniped.dev/generated/1.21/apis/supervisor/virtual/oauth" - conversion "k8s.io/apimachinery/pkg/conversion" - runtime "k8s.io/apimachinery/pkg/runtime" -) - -func init() { - localSchemeBuilder.Register(RegisterConversions) -} - -// RegisterConversions adds conversion functions to the given scheme. -// Public to allow building arbitrary schemes. -func RegisterConversions(s *runtime.Scheme) error { - if err := s.AddGeneratedConversionFunc((*OIDCClientSecretRequest)(nil), (*oauth.OIDCClientSecretRequest)(nil), func(a, b interface{}, scope conversion.Scope) error { - return Convert_v1alpha1_OIDCClientSecretRequest_To_oauth_OIDCClientSecretRequest(a.(*OIDCClientSecretRequest), b.(*oauth.OIDCClientSecretRequest), scope) - }); err != nil { - return err - } - if err := s.AddGeneratedConversionFunc((*oauth.OIDCClientSecretRequest)(nil), (*OIDCClientSecretRequest)(nil), func(a, b interface{}, scope conversion.Scope) error { - return Convert_oauth_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest(a.(*oauth.OIDCClientSecretRequest), b.(*OIDCClientSecretRequest), scope) - }); err != nil { - return err - } - if err := s.AddGeneratedConversionFunc((*OIDCClientSecretRequestSpec)(nil), (*oauth.OIDCClientSecretRequestSpec)(nil), func(a, b interface{}, scope conversion.Scope) error { - return Convert_v1alpha1_OIDCClientSecretRequestSpec_To_oauth_OIDCClientSecretRequestSpec(a.(*OIDCClientSecretRequestSpec), b.(*oauth.OIDCClientSecretRequestSpec), scope) - }); err != nil { - return err - } - if err := s.AddGeneratedConversionFunc((*oauth.OIDCClientSecretRequestSpec)(nil), (*OIDCClientSecretRequestSpec)(nil), func(a, b interface{}, scope conversion.Scope) error { - return 
Convert_oauth_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec(a.(*oauth.OIDCClientSecretRequestSpec), b.(*OIDCClientSecretRequestSpec), scope) - }); err != nil { - return err - } - if err := s.AddGeneratedConversionFunc((*OIDCClientSecretRequestStatus)(nil), (*oauth.OIDCClientSecretRequestStatus)(nil), func(a, b interface{}, scope conversion.Scope) error { - return Convert_v1alpha1_OIDCClientSecretRequestStatus_To_oauth_OIDCClientSecretRequestStatus(a.(*OIDCClientSecretRequestStatus), b.(*oauth.OIDCClientSecretRequestStatus), scope) - }); err != nil { - return err - } - if err := s.AddGeneratedConversionFunc((*oauth.OIDCClientSecretRequestStatus)(nil), (*OIDCClientSecretRequestStatus)(nil), func(a, b interface{}, scope conversion.Scope) error { - return Convert_oauth_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus(a.(*oauth.OIDCClientSecretRequestStatus), b.(*OIDCClientSecretRequestStatus), scope) - }); err != nil { - return err - } - return nil -} - -func autoConvert_v1alpha1_OIDCClientSecretRequest_To_oauth_OIDCClientSecretRequest(in *OIDCClientSecretRequest, out *oauth.OIDCClientSecretRequest, s conversion.Scope) error { - out.ObjectMeta = in.ObjectMeta - if err := Convert_v1alpha1_OIDCClientSecretRequestSpec_To_oauth_OIDCClientSecretRequestSpec(&in.Spec, &out.Spec, s); err != nil { - return err - } - if err := Convert_v1alpha1_OIDCClientSecretRequestStatus_To_oauth_OIDCClientSecretRequestStatus(&in.Status, &out.Status, s); err != nil { - return err - } - return nil -} - -// Convert_v1alpha1_OIDCClientSecretRequest_To_oauth_OIDCClientSecretRequest is an autogenerated conversion function. 
-func Convert_v1alpha1_OIDCClientSecretRequest_To_oauth_OIDCClientSecretRequest(in *OIDCClientSecretRequest, out *oauth.OIDCClientSecretRequest, s conversion.Scope) error { - return autoConvert_v1alpha1_OIDCClientSecretRequest_To_oauth_OIDCClientSecretRequest(in, out, s) -} - -func autoConvert_oauth_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest(in *oauth.OIDCClientSecretRequest, out *OIDCClientSecretRequest, s conversion.Scope) error { - out.ObjectMeta = in.ObjectMeta - if err := Convert_oauth_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec(&in.Spec, &out.Spec, s); err != nil { - return err - } - if err := Convert_oauth_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus(&in.Status, &out.Status, s); err != nil { - return err - } - return nil -} - -// Convert_oauth_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest is an autogenerated conversion function. -func Convert_oauth_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest(in *oauth.OIDCClientSecretRequest, out *OIDCClientSecretRequest, s conversion.Scope) error { - return autoConvert_oauth_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest(in, out, s) -} - -func autoConvert_v1alpha1_OIDCClientSecretRequestSpec_To_oauth_OIDCClientSecretRequestSpec(in *OIDCClientSecretRequestSpec, out *oauth.OIDCClientSecretRequestSpec, s conversion.Scope) error { - out.GenerateNewSecret = in.GenerateNewSecret - out.RevokeOldSecrets = in.RevokeOldSecrets - return nil -} - -// Convert_v1alpha1_OIDCClientSecretRequestSpec_To_oauth_OIDCClientSecretRequestSpec is an autogenerated conversion function. 
-func Convert_v1alpha1_OIDCClientSecretRequestSpec_To_oauth_OIDCClientSecretRequestSpec(in *OIDCClientSecretRequestSpec, out *oauth.OIDCClientSecretRequestSpec, s conversion.Scope) error { - return autoConvert_v1alpha1_OIDCClientSecretRequestSpec_To_oauth_OIDCClientSecretRequestSpec(in, out, s) -} - -func autoConvert_oauth_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec(in *oauth.OIDCClientSecretRequestSpec, out *OIDCClientSecretRequestSpec, s conversion.Scope) error { - out.GenerateNewSecret = in.GenerateNewSecret - out.RevokeOldSecrets = in.RevokeOldSecrets - return nil -} - -// Convert_oauth_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec is an autogenerated conversion function. -func Convert_oauth_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec(in *oauth.OIDCClientSecretRequestSpec, out *OIDCClientSecretRequestSpec, s conversion.Scope) error { - return autoConvert_oauth_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec(in, out, s) -} - -func autoConvert_v1alpha1_OIDCClientSecretRequestStatus_To_oauth_OIDCClientSecretRequestStatus(in *OIDCClientSecretRequestStatus, out *oauth.OIDCClientSecretRequestStatus, s conversion.Scope) error { - out.GeneratedSecret = in.GeneratedSecret - out.TotalClientSecrets = in.TotalClientSecrets - return nil -} - -// Convert_v1alpha1_OIDCClientSecretRequestStatus_To_oauth_OIDCClientSecretRequestStatus is an autogenerated conversion function. 
-func Convert_v1alpha1_OIDCClientSecretRequestStatus_To_oauth_OIDCClientSecretRequestStatus(in *OIDCClientSecretRequestStatus, out *oauth.OIDCClientSecretRequestStatus, s conversion.Scope) error { - return autoConvert_v1alpha1_OIDCClientSecretRequestStatus_To_oauth_OIDCClientSecretRequestStatus(in, out, s) -} - -func autoConvert_oauth_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus(in *oauth.OIDCClientSecretRequestStatus, out *OIDCClientSecretRequestStatus, s conversion.Scope) error { - out.GeneratedSecret = in.GeneratedSecret - out.TotalClientSecrets = in.TotalClientSecrets - return nil -} - -// Convert_oauth_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus is an autogenerated conversion function. -func Convert_oauth_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus(in *oauth.OIDCClientSecretRequestStatus, out *OIDCClientSecretRequestStatus, s conversion.Scope) error { - return autoConvert_oauth_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus(in, out, s) -} diff --git a/generated/1.21/apis/supervisor/virtual/oauth/zz_generated.deepcopy.go b/generated/1.21/apis/supervisor/virtual/oauth/zz_generated.deepcopy.go deleted file mode 100644 index 24b58e7b..00000000 --- a/generated/1.21/apis/supervisor/virtual/oauth/zz_generated.deepcopy.go +++ /dev/null 
@@ -1,73 +0,0 @@ -//go:build !ignore_autogenerated -// +build !ignore_autogenerated - -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by deepcopy-gen. DO NOT EDIT. - -package oauth - -import ( - runtime "k8s.io/apimachinery/pkg/runtime" -) - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *OIDCClientSecretRequest) DeepCopyInto(out *OIDCClientSecretRequest) { - *out = *in - out.TypeMeta = in.TypeMeta - in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) - out.Spec = in.Spec - out.Status = in.Status - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSecretRequest. -func (in *OIDCClientSecretRequest) DeepCopy() *OIDCClientSecretRequest { - if in == nil { - return nil - } - out := new(OIDCClientSecretRequest) - in.DeepCopyInto(out) - return out -} - -// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. -func (in *OIDCClientSecretRequest) DeepCopyObject() runtime.Object { - if c := in.DeepCopy(); c != nil { - return c - } - return nil -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *OIDCClientSecretRequestSpec) DeepCopyInto(out *OIDCClientSecretRequestSpec) { - *out = *in - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSecretRequestSpec. -func (in *OIDCClientSecretRequestSpec) DeepCopy() *OIDCClientSecretRequestSpec { - if in == nil { - return nil - } - out := new(OIDCClientSecretRequestSpec) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
-func (in *OIDCClientSecretRequestStatus) DeepCopyInto(out *OIDCClientSecretRequestStatus) { - *out = *in - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSecretRequestStatus. -func (in *OIDCClientSecretRequestStatus) DeepCopy() *OIDCClientSecretRequestStatus { - if in == nil { - return nil - } - out := new(OIDCClientSecretRequestStatus) - in.DeepCopyInto(out) - return out -} diff --git a/generated/1.21/client/supervisor/clientset/versioned/clientset.go b/generated/1.21/client/supervisor/clientset/versioned/clientset.go index 23d76422..c4f6cd91 100644 --- a/generated/1.21/client/supervisor/clientset/versioned/clientset.go +++ b/generated/1.21/client/supervisor/clientset/versioned/clientset.go @@ -8,9 +8,9 @@ package versioned import ( "fmt" + clientsecretv1alpha1 "go.pinniped.dev/generated/1.21/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1" configv1alpha1 "go.pinniped.dev/generated/1.21/client/supervisor/clientset/versioned/typed/config/v1alpha1" idpv1alpha1 "go.pinniped.dev/generated/1.21/client/supervisor/clientset/versioned/typed/idp/v1alpha1" - oauthv1alpha1 "go.pinniped.dev/generated/1.21/client/supervisor/clientset/versioned/typed/oauth/v1alpha1" discovery "k8s.io/client-go/discovery" rest "k8s.io/client-go/rest" flowcontrol "k8s.io/client-go/util/flowcontrol" 
@@ -18,18 +18,23 @@ import ( type Interface interface { Discovery() discovery.DiscoveryInterface + ClientsecretV1alpha1() clientsecretv1alpha1.ClientsecretV1alpha1Interface ConfigV1alpha1() configv1alpha1.ConfigV1alpha1Interface IDPV1alpha1() idpv1alpha1.IDPV1alpha1Interface - OauthV1alpha1() oauthv1alpha1.OauthV1alpha1Interface } // Clientset contains the clients for groups. Each group has exactly one // version included in a Clientset. type Clientset struct { *discovery.DiscoveryClient - configV1alpha1 *configv1alpha1.ConfigV1alpha1Client - iDPV1alpha1 *idpv1alpha1.IDPV1alpha1Client - oauthV1alpha1 *oauthv1alpha1.OauthV1alpha1Client + clientsecretV1alpha1 *clientsecretv1alpha1.ClientsecretV1alpha1Client + configV1alpha1 *configv1alpha1.ConfigV1alpha1Client + iDPV1alpha1 *idpv1alpha1.IDPV1alpha1Client +} + +// ClientsecretV1alpha1 retrieves the ClientsecretV1alpha1Client +func (c *Clientset) ClientsecretV1alpha1() clientsecretv1alpha1.ClientsecretV1alpha1Interface { + return c.clientsecretV1alpha1 } // ConfigV1alpha1 retrieves the ConfigV1alpha1Client @@ -42,11 +47,6 @@ func (c *Clientset) IDPV1alpha1() idpv1alpha1.IDPV1alpha1Interface { return c.iDPV1alpha1 } -// OauthV1alpha1 retrieves the OauthV1alpha1Client -func (c *Clientset) OauthV1alpha1() oauthv1alpha1.OauthV1alpha1Interface { - return c.oauthV1alpha1 -} - // Discovery retrieves the DiscoveryClient func (c *Clientset) Discovery() discovery.DiscoveryInterface { if c == nil { @@ -68,6 +68,10 @@ func NewForConfig(c *rest.Config) (*Clientset, error) { } var cs Clientset var err error + cs.clientsecretV1alpha1, err = clientsecretv1alpha1.NewForConfig(&configShallowCopy) + if err != nil { + return nil, err + } cs.configV1alpha1, err = configv1alpha1.NewForConfig(&configShallowCopy) if err != nil { return nil, err 
@@ -76,10 +80,6 @@ func NewForConfig(c *rest.Config) (*Clientset, error) { if err != nil { return nil, err } - cs.oauthV1alpha1, err = oauthv1alpha1.NewForConfig(&configShallowCopy) - if err != nil { - return nil, err - } cs.DiscoveryClient, err = discovery.NewDiscoveryClientForConfig(&configShallowCopy) if err != nil { @@ -92,9 +92,9 @@ func NewForConfig(c *rest.Config) (*Clientset, error) { // panics if there is an error in the config. func NewForConfigOrDie(c *rest.Config) *Clientset { var cs Clientset + cs.clientsecretV1alpha1 = clientsecretv1alpha1.NewForConfigOrDie(c) cs.configV1alpha1 = configv1alpha1.NewForConfigOrDie(c) cs.iDPV1alpha1 = idpv1alpha1.NewForConfigOrDie(c) - cs.oauthV1alpha1 = oauthv1alpha1.NewForConfigOrDie(c) cs.DiscoveryClient = discovery.NewDiscoveryClientForConfigOrDie(c) return &cs @@ -103,9 +103,9 @@ func NewForConfigOrDie(c *rest.Config) *Clientset { // New creates a new Clientset for the given RESTClient. func New(c rest.Interface) *Clientset { var cs Clientset + cs.clientsecretV1alpha1 = clientsecretv1alpha1.New(c) cs.configV1alpha1 = configv1alpha1.New(c) cs.iDPV1alpha1 = idpv1alpha1.New(c) - cs.oauthV1alpha1 = oauthv1alpha1.New(c) cs.DiscoveryClient = discovery.NewDiscoveryClient(c) return &cs diff --git a/generated/1.21/client/supervisor/clientset/versioned/fake/clientset_generated.go b/generated/1.21/client/supervisor/clientset/versioned/fake/clientset_generated.go index 6a40aa3e..6d7f5f4b 100644 --- a/generated/1.21/client/supervisor/clientset/versioned/fake/clientset_generated.go +++ b/generated/1.21/client/supervisor/clientset/versioned/fake/clientset_generated.go 
@@ -7,12 +7,12 @@ package fake import ( clientset "go.pinniped.dev/generated/1.21/client/supervisor/clientset/versioned" + clientsecretv1alpha1 "go.pinniped.dev/generated/1.21/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1" + fakeclientsecretv1alpha1 "go.pinniped.dev/generated/1.21/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/fake" configv1alpha1 "go.pinniped.dev/generated/1.21/client/supervisor/clientset/versioned/typed/config/v1alpha1" fakeconfigv1alpha1 "go.pinniped.dev/generated/1.21/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake" idpv1alpha1 "go.pinniped.dev/generated/1.21/client/supervisor/clientset/versioned/typed/idp/v1alpha1" fakeidpv1alpha1 "go.pinniped.dev/generated/1.21/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake" - oauthv1alpha1 "go.pinniped.dev/generated/1.21/client/supervisor/clientset/versioned/typed/oauth/v1alpha1" - fakeoauthv1alpha1 "go.pinniped.dev/generated/1.21/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake" "k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/watch" "k8s.io/client-go/discovery" @@ -67,6 +67,11 @@ func (c *Clientset) Tracker() testing.ObjectTracker { var _ clientset.Interface = &Clientset{} +// ClientsecretV1alpha1 retrieves the ClientsecretV1alpha1Client +func (c *Clientset) ClientsecretV1alpha1() clientsecretv1alpha1.ClientsecretV1alpha1Interface { + return &fakeclientsecretv1alpha1.FakeClientsecretV1alpha1{Fake: &c.Fake} +} + // ConfigV1alpha1 retrieves the ConfigV1alpha1Client func (c *Clientset) ConfigV1alpha1() configv1alpha1.ConfigV1alpha1Interface { return &fakeconfigv1alpha1.FakeConfigV1alpha1{Fake: &c.Fake} 
@@ -76,8 +81,3 @@ func (c *Clientset) ConfigV1alpha1() configv1alpha1.ConfigV1alpha1Interface { func (c *Clientset) IDPV1alpha1() idpv1alpha1.IDPV1alpha1Interface { return &fakeidpv1alpha1.FakeIDPV1alpha1{Fake: &c.Fake} } - -// OauthV1alpha1 retrieves the OauthV1alpha1Client -func (c *Clientset) OauthV1alpha1() oauthv1alpha1.OauthV1alpha1Interface { - return &fakeoauthv1alpha1.FakeOauthV1alpha1{Fake: &c.Fake} -} diff --git a/generated/1.21/client/supervisor/clientset/versioned/fake/register.go b/generated/1.21/client/supervisor/clientset/versioned/fake/register.go index 8fb2f241..85bd10d3 100644 --- a/generated/1.21/client/supervisor/clientset/versioned/fake/register.go +++ b/generated/1.21/client/supervisor/clientset/versioned/fake/register.go @@ -6,9 +6,9 @@ package fake import ( + clientsecretv1alpha1 "go.pinniped.dev/generated/1.21/apis/supervisor/clientsecret/v1alpha1" configv1alpha1 "go.pinniped.dev/generated/1.21/apis/supervisor/config/v1alpha1" idpv1alpha1 "go.pinniped.dev/generated/1.21/apis/supervisor/idp/v1alpha1" - oauthv1alpha1 "go.pinniped.dev/generated/1.21/apis/supervisor/oauth/v1alpha1" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" runtime "k8s.io/apimachinery/pkg/runtime" schema "k8s.io/apimachinery/pkg/runtime/schema" @@ -20,9 +20,9 @@ var scheme = runtime.NewScheme() var codecs = serializer.NewCodecFactory(scheme) var localSchemeBuilder = runtime.SchemeBuilder{ + clientsecretv1alpha1.AddToScheme, configv1alpha1.AddToScheme, idpv1alpha1.AddToScheme, - oauthv1alpha1.AddToScheme, } // AddToScheme adds all types of this clientset into the given scheme. This allows composition diff --git a/generated/1.21/client/supervisor/clientset/versioned/scheme/register.go b/generated/1.21/client/supervisor/clientset/versioned/scheme/register.go index ca3c854a..304f3c6a 100644 --- a/generated/1.21/client/supervisor/clientset/versioned/scheme/register.go +++ b/generated/1.21/client/supervisor/clientset/versioned/scheme/register.go 
@@ -6,9 +6,9 @@ package scheme import ( + clientsecretv1alpha1 "go.pinniped.dev/generated/1.21/apis/supervisor/clientsecret/v1alpha1" configv1alpha1 "go.pinniped.dev/generated/1.21/apis/supervisor/config/v1alpha1" idpv1alpha1 "go.pinniped.dev/generated/1.21/apis/supervisor/idp/v1alpha1" - oauthv1alpha1 "go.pinniped.dev/generated/1.21/apis/supervisor/oauth/v1alpha1" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" runtime "k8s.io/apimachinery/pkg/runtime" schema "k8s.io/apimachinery/pkg/runtime/schema" @@ -20,9 +20,9 @@ var Scheme = runtime.NewScheme() var Codecs = serializer.NewCodecFactory(Scheme) var ParameterCodec = runtime.NewParameterCodec(Scheme) var localSchemeBuilder = runtime.SchemeBuilder{ + clientsecretv1alpha1.AddToScheme, configv1alpha1.AddToScheme, idpv1alpha1.AddToScheme, - oauthv1alpha1.AddToScheme, } // AddToScheme adds all types of this clientset into the given scheme. This allows composition diff --git a/generated/1.21/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/clientsecret_client.go b/generated/1.21/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/clientsecret_client.go new file mode 100644 index 00000000..d9db843c --- /dev/null +++ b/generated/1.21/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/clientsecret_client.go 
@@ -0,0 +1,76 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + v1alpha1 "go.pinniped.dev/generated/1.21/apis/supervisor/clientsecret/v1alpha1" + "go.pinniped.dev/generated/1.21/client/supervisor/clientset/versioned/scheme" + rest "k8s.io/client-go/rest" +) + +type ClientsecretV1alpha1Interface interface { + RESTClient() rest.Interface + OIDCClientSecretRequestsGetter +} + +// ClientsecretV1alpha1Client is used to interact with features provided by the clientsecret.supervisor.pinniped.dev group. +type ClientsecretV1alpha1Client struct { + restClient rest.Interface +} + +func (c *ClientsecretV1alpha1Client) OIDCClientSecretRequests(namespace string) OIDCClientSecretRequestInterface { + return newOIDCClientSecretRequests(c, namespace) +} + +// NewForConfig creates a new ClientsecretV1alpha1Client for the given config. +func NewForConfig(c *rest.Config) (*ClientsecretV1alpha1Client, error) { + config := *c + if err := setConfigDefaults(&config); err != nil { + return nil, err + } + client, err := rest.RESTClientFor(&config) + if err != nil { + return nil, err + } + return &ClientsecretV1alpha1Client{client}, nil +} + +// NewForConfigOrDie creates a new ClientsecretV1alpha1Client for the given config and +// panics if there is an error in the config. +func NewForConfigOrDie(c *rest.Config) *ClientsecretV1alpha1Client { + client, err := NewForConfig(c) + if err != nil { + panic(err) + } + return client +} + +// New creates a new ClientsecretV1alpha1Client for the given RESTClient. 
+func New(c rest.Interface) *ClientsecretV1alpha1Client { + return &ClientsecretV1alpha1Client{c} +} + +func setConfigDefaults(config *rest.Config) error { + gv := v1alpha1.SchemeGroupVersion + config.GroupVersion = &gv + config.APIPath = "/apis" + config.NegotiatedSerializer = scheme.Codecs.WithoutConversion() + + if config.UserAgent == "" { + config.UserAgent = rest.DefaultKubernetesUserAgent() + } + + return nil +} + +// RESTClient returns a RESTClient that is used to communicate +// with API server by this client implementation. +func (c *ClientsecretV1alpha1Client) RESTClient() rest.Interface { + if c == nil { + return nil + } + return c.restClient +} diff --git a/generated/1.19/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/doc.go b/generated/1.21/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/doc.go similarity index 100% rename from generated/1.19/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/doc.go rename to generated/1.21/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/doc.go diff --git a/generated/1.19/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go b/generated/1.21/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/fake/doc.go similarity index 100% rename from generated/1.19/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go rename to generated/1.21/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/fake/doc.go diff --git a/generated/1.21/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go b/generated/1.21/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/fake/fake_clientsecret_client.go similarity index 60% rename from generated/1.21/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go rename to generated/1.21/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/fake/fake_clientsecret_client.go index 8e56072b..b35b1015 100644 
--- a/generated/1.21/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go +++ b/generated/1.21/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/fake/fake_clientsecret_client.go @@ -6,22 +6,22 @@ package fake import ( - v1alpha1 "go.pinniped.dev/generated/1.21/client/supervisor/clientset/versioned/typed/oauth/v1alpha1" + v1alpha1 "go.pinniped.dev/generated/1.21/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1" rest "k8s.io/client-go/rest" testing "k8s.io/client-go/testing" ) -type FakeOauthV1alpha1 struct { +type FakeClientsecretV1alpha1 struct { *testing.Fake } -func (c *FakeOauthV1alpha1) OIDCClients(namespace string) v1alpha1.OIDCClientInterface { - return &FakeOIDCClients{c, namespace} +func (c *FakeClientsecretV1alpha1) OIDCClientSecretRequests(namespace string) v1alpha1.OIDCClientSecretRequestInterface { + return &FakeOIDCClientSecretRequests{c, namespace} } // RESTClient returns a RESTClient that is used to communicate // with API server by this client implementation. -func (c *FakeOauthV1alpha1) RESTClient() rest.Interface { +func (c *FakeClientsecretV1alpha1) RESTClient() rest.Interface { var ret *rest.RESTClient return ret } diff --git a/generated/1.19/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oidcclientsecretrequest.go b/generated/1.21/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/fake/fake_oidcclientsecretrequest.go similarity index 79% rename from generated/1.19/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oidcclientsecretrequest.go rename to generated/1.21/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/fake/fake_oidcclientsecretrequest.go index 6560769b..adb64142 100644 --- a/generated/1.19/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oidcclientsecretrequest.go 
+++ b/generated/1.21/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/fake/fake_oidcclientsecretrequest.go @@ -8,7 +8,7 @@ package fake import ( "context" - v1alpha1 "go.pinniped.dev/generated/1.19/apis/supervisor/virtual/oauth/v1alpha1" + v1alpha1 "go.pinniped.dev/generated/1.21/apis/supervisor/clientsecret/v1alpha1" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" schema "k8s.io/apimachinery/pkg/runtime/schema" testing "k8s.io/client-go/testing" @@ -16,13 +16,13 @@ import ( // FakeOIDCClientSecretRequests implements OIDCClientSecretRequestInterface type FakeOIDCClientSecretRequests struct { - Fake *FakeOauthV1alpha1 + Fake *FakeClientsecretV1alpha1 ns string } -var oidcclientsecretrequestsResource = schema.GroupVersionResource{Group: "oauth.virtual.supervisor.pinniped.dev", Version: "v1alpha1", Resource: "oidcclientsecretrequests"} +var oidcclientsecretrequestsResource = schema.GroupVersionResource{Group: "clientsecret.supervisor.pinniped.dev", Version: "v1alpha1", Resource: "oidcclientsecretrequests"} -var oidcclientsecretrequestsKind = schema.GroupVersionKind{Group: "oauth.virtual.supervisor.pinniped.dev", Version: "v1alpha1", Kind: "OIDCClientSecretRequest"} +var oidcclientsecretrequestsKind = schema.GroupVersionKind{Group: "clientsecret.supervisor.pinniped.dev", Version: "v1alpha1", Kind: "OIDCClientSecretRequest"} // Create takes the representation of a oIDCClientSecretRequest and creates it. Returns the server's representation of the oIDCClientSecretRequest, and an error, if there is any. func (c *FakeOIDCClientSecretRequests) Create(ctx context.Context, oIDCClientSecretRequest *v1alpha1.OIDCClientSecretRequest, opts v1.CreateOptions) (result *v1alpha1.OIDCClientSecretRequest, err error) { 
diff --git a/generated/1.21/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go b/generated/1.21/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/generated_expansion.go similarity index 100% rename from generated/1.21/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go rename to generated/1.21/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/generated_expansion.go diff --git a/generated/1.21/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/oidcclientsecretrequest.go b/generated/1.21/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/oidcclientsecretrequest.go similarity index 86% rename from generated/1.21/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/oidcclientsecretrequest.go rename to generated/1.21/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/oidcclientsecretrequest.go index 3b8b2f84..7fc447f4 100644 --- a/generated/1.21/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/oidcclientsecretrequest.go +++ b/generated/1.21/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/oidcclientsecretrequest.go @@ -8,8 +8,8 @@ package v1alpha1 import ( "context" - v1alpha1 "go.pinniped.dev/generated/1.21/apis/supervisor/virtual/oauth/v1alpha1" - scheme "go.pinniped.dev/generated/1.21/client/supervisor/virtual/clientset/versioned/scheme" + v1alpha1 "go.pinniped.dev/generated/1.21/apis/supervisor/clientsecret/v1alpha1" + scheme "go.pinniped.dev/generated/1.21/client/supervisor/clientset/versioned/scheme" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" rest "k8s.io/client-go/rest" ) 
@@ -33,7 +33,7 @@ type oIDCClientSecretRequests struct { } // newOIDCClientSecretRequests returns a OIDCClientSecretRequests -func newOIDCClientSecretRequests(c *OauthV1alpha1Client, namespace string) *oIDCClientSecretRequests { +func newOIDCClientSecretRequests(c *ClientsecretV1alpha1Client, namespace string) *oIDCClientSecretRequests { return &oIDCClientSecretRequests{ client: c.RESTClient(), ns: namespace, diff --git a/generated/1.21/client/supervisor/clientset/versioned/typed/config/v1alpha1/config_client.go b/generated/1.21/client/supervisor/clientset/versioned/typed/config/v1alpha1/config_client.go index cdfc9c9a..d2b845f9 100644 --- a/generated/1.21/client/supervisor/clientset/versioned/typed/config/v1alpha1/config_client.go +++ b/generated/1.21/client/supervisor/clientset/versioned/typed/config/v1alpha1/config_client.go @@ -14,6 +14,7 @@ import ( type ConfigV1alpha1Interface interface { RESTClient() rest.Interface FederationDomainsGetter + OIDCClientsGetter } // ConfigV1alpha1Client is used to interact with features provided by the config.supervisor.pinniped.dev group. @@ -25,6 +26,10 @@ func (c *ConfigV1alpha1Client) FederationDomains(namespace string) FederationDom return newFederationDomains(c, namespace) } +func (c *ConfigV1alpha1Client) OIDCClients(namespace string) OIDCClientInterface { + return newOIDCClients(c, namespace) +} + // NewForConfig creates a new ConfigV1alpha1Client for the given config. func NewForConfig(c *rest.Config) (*ConfigV1alpha1Client, error) { config := *c diff --git a/generated/1.21/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake/fake_config_client.go b/generated/1.21/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake/fake_config_client.go index 8bf53fea..d8bf41b3 100644 --- a/generated/1.21/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake/fake_config_client.go +++ b/generated/1.21/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake/fake_config_client.go 
@@ -19,6 +19,10 @@ func (c *FakeConfigV1alpha1) FederationDomains(namespace string) v1alpha1.Federa return &FakeFederationDomains{c, namespace} } +func (c *FakeConfigV1alpha1) OIDCClients(namespace string) v1alpha1.OIDCClientInterface { + return &FakeOIDCClients{c, namespace} +} + // RESTClient returns a RESTClient that is used to communicate // with API server by this client implementation. func (c *FakeConfigV1alpha1) RESTClient() rest.Interface { diff --git a/generated/1.20/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oidcclient.go b/generated/1.21/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake/fake_oidcclient.go similarity index 92% rename from generated/1.20/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oidcclient.go rename to generated/1.21/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake/fake_oidcclient.go index 38aac300..7dbc152b 100644 --- a/generated/1.20/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oidcclient.go +++ b/generated/1.21/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake/fake_oidcclient.go @@ -8,7 +8,7 @@ package fake import ( "context" - v1alpha1 "go.pinniped.dev/generated/1.20/apis/supervisor/oauth/v1alpha1" + v1alpha1 "go.pinniped.dev/generated/1.21/apis/supervisor/config/v1alpha1" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" labels "k8s.io/apimachinery/pkg/labels" schema "k8s.io/apimachinery/pkg/runtime/schema" 
@@ -19,13 +19,13 @@ import ( // FakeOIDCClients implements OIDCClientInterface type FakeOIDCClients struct { - Fake *FakeOauthV1alpha1 + Fake *FakeConfigV1alpha1 ns string } -var oidcclientsResource = schema.GroupVersionResource{Group: "oauth.supervisor.pinniped.dev", Version: "v1alpha1", Resource: "oidcclients"} +var oidcclientsResource = schema.GroupVersionResource{Group: "config.supervisor.pinniped.dev", Version: "v1alpha1", Resource: "oidcclients"} -var oidcclientsKind = schema.GroupVersionKind{Group: "oauth.supervisor.pinniped.dev", Version: "v1alpha1", Kind: "OIDCClient"} +var oidcclientsKind = schema.GroupVersionKind{Group: "config.supervisor.pinniped.dev", Version: "v1alpha1", Kind: "OIDCClient"} // Get takes name of the oIDCClient, and returns the corresponding oIDCClient object, and an error if there is any. func (c *FakeOIDCClients) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.OIDCClient, err error) { diff --git a/generated/1.21/client/supervisor/clientset/versioned/typed/config/v1alpha1/generated_expansion.go b/generated/1.21/client/supervisor/clientset/versioned/typed/config/v1alpha1/generated_expansion.go index ba9c9173..35b9ee3d 100644 --- a/generated/1.21/client/supervisor/clientset/versioned/typed/config/v1alpha1/generated_expansion.go +++ b/generated/1.21/client/supervisor/clientset/versioned/typed/config/v1alpha1/generated_expansion.go @@ -6,3 +6,5 @@ package v1alpha1 type FederationDomainExpansion interface{} + +type OIDCClientExpansion interface{} diff --git a/generated/1.21/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oidcclient.go b/generated/1.21/client/supervisor/clientset/versioned/typed/config/v1alpha1/oidcclient.go similarity index 97% rename from generated/1.21/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oidcclient.go rename to generated/1.21/client/supervisor/clientset/versioned/typed/config/v1alpha1/oidcclient.go index c7e2f82b..10f97b4f 100644 
--- a/generated/1.21/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oidcclient.go +++ b/generated/1.21/client/supervisor/clientset/versioned/typed/config/v1alpha1/oidcclient.go @@ -9,7 +9,7 @@ import ( "context" "time" - v1alpha1 "go.pinniped.dev/generated/1.21/apis/supervisor/oauth/v1alpha1" + v1alpha1 "go.pinniped.dev/generated/1.21/apis/supervisor/config/v1alpha1" scheme "go.pinniped.dev/generated/1.21/client/supervisor/clientset/versioned/scheme" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" types "k8s.io/apimachinery/pkg/types" @@ -44,7 +44,7 @@ type oIDCClients struct { } // newOIDCClients returns a OIDCClients -func newOIDCClients(c *OauthV1alpha1Client, namespace string) *oIDCClients { +func newOIDCClients(c *ConfigV1alpha1Client, namespace string) *oIDCClients { return &oIDCClients{ client: c.RESTClient(), ns: namespace, diff --git a/generated/1.21/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go b/generated/1.21/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go deleted file mode 100644 index 87d22ea9..00000000 --- a/generated/1.21/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go +++ /dev/null @@ -1,8 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by client-gen. DO NOT EDIT. - -package v1alpha1 - -type OIDCClientExpansion interface{} diff --git a/generated/1.21/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go b/generated/1.21/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go deleted file mode 100644 index 259f1b10..00000000 --- a/generated/1.21/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go +++ /dev/null 
@@ -1,76 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by client-gen. DO NOT EDIT. - -package v1alpha1 - -import ( - v1alpha1 "go.pinniped.dev/generated/1.21/apis/supervisor/oauth/v1alpha1" - "go.pinniped.dev/generated/1.21/client/supervisor/clientset/versioned/scheme" - rest "k8s.io/client-go/rest" -) - -type OauthV1alpha1Interface interface { - RESTClient() rest.Interface - OIDCClientsGetter -} - -// OauthV1alpha1Client is used to interact with features provided by the oauth.supervisor.pinniped.dev group. -type OauthV1alpha1Client struct { - restClient rest.Interface -} - -func (c *OauthV1alpha1Client) OIDCClients(namespace string) OIDCClientInterface { - return newOIDCClients(c, namespace) -} - -// NewForConfig creates a new OauthV1alpha1Client for the given config. -func NewForConfig(c *rest.Config) (*OauthV1alpha1Client, error) { - config := *c - if err := setConfigDefaults(&config); err != nil { - return nil, err - } - client, err := rest.RESTClientFor(&config) - if err != nil { - return nil, err - } - return &OauthV1alpha1Client{client}, nil -} - -// NewForConfigOrDie creates a new OauthV1alpha1Client for the given config and -// panics if there is an error in the config. -func NewForConfigOrDie(c *rest.Config) *OauthV1alpha1Client { - client, err := NewForConfig(c) - if err != nil { - panic(err) - } - return client -} - -// New creates a new OauthV1alpha1Client for the given RESTClient. 
-func New(c rest.Interface) *OauthV1alpha1Client { - return &OauthV1alpha1Client{c} -} - -func setConfigDefaults(config *rest.Config) error { - gv := v1alpha1.SchemeGroupVersion - config.GroupVersion = &gv - config.APIPath = "/apis" - config.NegotiatedSerializer = scheme.Codecs.WithoutConversion() - - if config.UserAgent == "" { - config.UserAgent = rest.DefaultKubernetesUserAgent() - } - - return nil -} - -// RESTClient returns a RESTClient that is used to communicate -// with API server by this client implementation. -func (c *OauthV1alpha1Client) RESTClient() rest.Interface { - if c == nil { - return nil - } - return c.restClient -} diff --git a/generated/1.21/client/supervisor/informers/externalversions/config/v1alpha1/interface.go b/generated/1.21/client/supervisor/informers/externalversions/config/v1alpha1/interface.go index e678f3e3..e3cf746d 100644 --- a/generated/1.21/client/supervisor/informers/externalversions/config/v1alpha1/interface.go +++ b/generated/1.21/client/supervisor/informers/externalversions/config/v1alpha1/interface.go @@ -13,6 +13,8 @@ import ( type Interface interface { // FederationDomains returns a FederationDomainInformer. FederationDomains() FederationDomainInformer + // OIDCClients returns a OIDCClientInformer. + OIDCClients() OIDCClientInformer } type version struct { @@ -30,3 +32,8 @@ func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakList func (v *version) FederationDomains() FederationDomainInformer { return &federationDomainInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions} } + +// OIDCClients returns a OIDCClientInformer. +func (v *version) OIDCClients() OIDCClientInformer { + return &oIDCClientInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions} +} 
diff --git a/generated/1.21/client/supervisor/informers/externalversions/oauth/v1alpha1/oidcclient.go b/generated/1.21/client/supervisor/informers/externalversions/config/v1alpha1/oidcclient.go similarity index 88% rename from generated/1.21/client/supervisor/informers/externalversions/oauth/v1alpha1/oidcclient.go rename to generated/1.21/client/supervisor/informers/externalversions/config/v1alpha1/oidcclient.go index f56b83db..dda5d6d3 100644 --- a/generated/1.21/client/supervisor/informers/externalversions/oauth/v1alpha1/oidcclient.go +++ b/generated/1.21/client/supervisor/informers/externalversions/config/v1alpha1/oidcclient.go @@ -9,10 +9,10 @@ import ( "context" time "time" - oauthv1alpha1 "go.pinniped.dev/generated/1.21/apis/supervisor/oauth/v1alpha1" + configv1alpha1 "go.pinniped.dev/generated/1.21/apis/supervisor/config/v1alpha1" versioned "go.pinniped.dev/generated/1.21/client/supervisor/clientset/versioned" internalinterfaces "go.pinniped.dev/generated/1.21/client/supervisor/informers/externalversions/internalinterfaces" - v1alpha1 "go.pinniped.dev/generated/1.21/client/supervisor/listers/oauth/v1alpha1" + v1alpha1 "go.pinniped.dev/generated/1.21/client/supervisor/listers/config/v1alpha1" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" runtime "k8s.io/apimachinery/pkg/runtime" watch "k8s.io/apimachinery/pkg/watch" 
@@ -49,16 +49,16 @@ func NewFilteredOIDCClientInformer(client versioned.Interface, namespace string, if tweakListOptions != nil { tweakListOptions(&options) } - return client.OauthV1alpha1().OIDCClients(namespace).List(context.TODO(), options) + return client.ConfigV1alpha1().OIDCClients(namespace).List(context.TODO(), options) }, WatchFunc: func(options v1.ListOptions) (watch.Interface, error) { if tweakListOptions != nil { tweakListOptions(&options) } - return client.OauthV1alpha1().OIDCClients(namespace).Watch(context.TODO(), options) + return client.ConfigV1alpha1().OIDCClients(namespace).Watch(context.TODO(), options) }, }, - &oauthv1alpha1.OIDCClient{}, + &configv1alpha1.OIDCClient{}, resyncPeriod, indexers, ) @@ -69,7 +69,7 @@ func (f *oIDCClientInformer) defaultInformer(client versioned.Interface, resyncP } func (f *oIDCClientInformer) Informer() cache.SharedIndexInformer { - return f.factory.InformerFor(&oauthv1alpha1.OIDCClient{}, f.defaultInformer) + return f.factory.InformerFor(&configv1alpha1.OIDCClient{}, f.defaultInformer) } func (f *oIDCClientInformer) Lister() v1alpha1.OIDCClientLister { diff --git a/generated/1.21/client/supervisor/informers/externalversions/factory.go b/generated/1.21/client/supervisor/informers/externalversions/factory.go index 5f2301a2..09200fa1 100644 --- a/generated/1.21/client/supervisor/informers/externalversions/factory.go +++ b/generated/1.21/client/supervisor/informers/externalversions/factory.go 
@@ -14,7 +14,6 @@ import ( config "go.pinniped.dev/generated/1.21/client/supervisor/informers/externalversions/config" idp "go.pinniped.dev/generated/1.21/client/supervisor/informers/externalversions/idp" internalinterfaces "go.pinniped.dev/generated/1.21/client/supervisor/informers/externalversions/internalinterfaces" - oauth "go.pinniped.dev/generated/1.21/client/supervisor/informers/externalversions/oauth" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" runtime "k8s.io/apimachinery/pkg/runtime" schema "k8s.io/apimachinery/pkg/runtime/schema" @@ -163,7 +162,6 @@ type SharedInformerFactory interface { Config() config.Interface IDP() idp.Interface - Oauth() oauth.Interface } func (f *sharedInformerFactory) Config() config.Interface { @@ -173,7 +171,3 @@ func (f *sharedInformerFactory) Config() config.Interface { func (f *sharedInformerFactory) IDP() idp.Interface { return idp.New(f, f.namespace, f.tweakListOptions) } - -func (f *sharedInformerFactory) Oauth() oauth.Interface { - return oauth.New(f, f.namespace, f.tweakListOptions) -} diff --git a/generated/1.21/client/supervisor/informers/externalversions/generic.go b/generated/1.21/client/supervisor/informers/externalversions/generic.go index d08e96cf..7ea48934 100644 --- a/generated/1.21/client/supervisor/informers/externalversions/generic.go +++ b/generated/1.21/client/supervisor/informers/externalversions/generic.go @@ -10,7 +10,6 @@ import ( v1alpha1 "go.pinniped.dev/generated/1.21/apis/supervisor/config/v1alpha1" idpv1alpha1 "go.pinniped.dev/generated/1.21/apis/supervisor/idp/v1alpha1" - oauthv1alpha1 "go.pinniped.dev/generated/1.21/apis/supervisor/oauth/v1alpha1" schema "k8s.io/apimachinery/pkg/runtime/schema" cache "k8s.io/client-go/tools/cache" ) 
@@ -44,6 +43,8 @@ func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource // Group=config.supervisor.pinniped.dev, Version=v1alpha1 case v1alpha1.SchemeGroupVersion.WithResource("federationdomains"): return &genericInformer{resource: resource.GroupResource(), informer: f.Config().V1alpha1().FederationDomains().Informer()}, nil + case v1alpha1.SchemeGroupVersion.WithResource("oidcclients"): + return &genericInformer{resource: resource.GroupResource(), informer: f.Config().V1alpha1().OIDCClients().Informer()}, nil // Group=idp.supervisor.pinniped.dev, Version=v1alpha1 case idpv1alpha1.SchemeGroupVersion.WithResource("activedirectoryidentityproviders"): @@ -53,10 +54,6 @@ func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource case idpv1alpha1.SchemeGroupVersion.WithResource("oidcidentityproviders"): return &genericInformer{resource: resource.GroupResource(), informer: f.IDP().V1alpha1().OIDCIdentityProviders().Informer()}, nil - // Group=oauth.supervisor.pinniped.dev, Version=v1alpha1 - case oauthv1alpha1.SchemeGroupVersion.WithResource("oidcclients"): - return &genericInformer{resource: resource.GroupResource(), informer: f.Oauth().V1alpha1().OIDCClients().Informer()}, nil - } return nil, fmt.Errorf("no informer found for %v", resource) diff --git a/generated/1.21/client/supervisor/informers/externalversions/oauth/interface.go b/generated/1.21/client/supervisor/informers/externalversions/oauth/interface.go deleted file mode 100644 index d734d0d3..00000000 --- a/generated/1.21/client/supervisor/informers/externalversions/oauth/interface.go +++ /dev/null 
@@ -1,33 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by informer-gen. DO NOT EDIT. - -package oauth - -import ( - internalinterfaces "go.pinniped.dev/generated/1.21/client/supervisor/informers/externalversions/internalinterfaces" - v1alpha1 "go.pinniped.dev/generated/1.21/client/supervisor/informers/externalversions/oauth/v1alpha1" -) - -// Interface provides access to each of this group's versions. -type Interface interface { - // V1alpha1 provides access to shared informers for resources in V1alpha1. - V1alpha1() v1alpha1.Interface -} - -type group struct { - factory internalinterfaces.SharedInformerFactory - namespace string - tweakListOptions internalinterfaces.TweakListOptionsFunc -} - -// New returns a new Interface. -func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakListOptions internalinterfaces.TweakListOptionsFunc) Interface { - return &group{factory: f, namespace: namespace, tweakListOptions: tweakListOptions} -} - -// V1alpha1 returns a new v1alpha1.Interface. -func (g *group) V1alpha1() v1alpha1.Interface { - return v1alpha1.New(g.factory, g.namespace, g.tweakListOptions) -} diff --git a/generated/1.21/client/supervisor/informers/externalversions/oauth/v1alpha1/interface.go b/generated/1.21/client/supervisor/informers/externalversions/oauth/v1alpha1/interface.go deleted file mode 100644 index 05ad0a58..00000000 --- a/generated/1.21/client/supervisor/informers/externalversions/oauth/v1alpha1/interface.go +++ /dev/null 
@@ -1,32 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by informer-gen. DO NOT EDIT. - -package v1alpha1 - -import ( - internalinterfaces "go.pinniped.dev/generated/1.21/client/supervisor/informers/externalversions/internalinterfaces" -) - -// Interface provides access to all the informers in this group version. -type Interface interface { - // OIDCClients returns a OIDCClientInformer. - OIDCClients() OIDCClientInformer -} - -type version struct { - factory internalinterfaces.SharedInformerFactory - namespace string - tweakListOptions internalinterfaces.TweakListOptionsFunc -} - -// New returns a new Interface. -func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakListOptions internalinterfaces.TweakListOptionsFunc) Interface { - return &version{factory: f, namespace: namespace, tweakListOptions: tweakListOptions} -} - -// OIDCClients returns a OIDCClientInformer. -func (v *version) OIDCClients() OIDCClientInformer { - return &oIDCClientInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions} -} diff --git a/generated/1.21/client/supervisor/listers/config/v1alpha1/expansion_generated.go b/generated/1.21/client/supervisor/listers/config/v1alpha1/expansion_generated.go index d59892c4..bda2f20e 100644 --- a/generated/1.21/client/supervisor/listers/config/v1alpha1/expansion_generated.go +++ b/generated/1.21/client/supervisor/listers/config/v1alpha1/expansion_generated.go 
@@ -12,3 +12,11 @@ type FederationDomainListerExpansion interface{} // FederationDomainNamespaceListerExpansion allows custom methods to be added to // FederationDomainNamespaceLister. type FederationDomainNamespaceListerExpansion interface{} + +// OIDCClientListerExpansion allows custom methods to be added to +// OIDCClientLister. +type OIDCClientListerExpansion interface{} + +// OIDCClientNamespaceListerExpansion allows custom methods to be added to +// OIDCClientNamespaceLister. +type OIDCClientNamespaceListerExpansion interface{} diff --git a/generated/1.19/client/supervisor/listers/oauth/v1alpha1/oidcclient.go b/generated/1.21/client/supervisor/listers/config/v1alpha1/oidcclient.go similarity index 97% rename from generated/1.19/client/supervisor/listers/oauth/v1alpha1/oidcclient.go rename to generated/1.21/client/supervisor/listers/config/v1alpha1/oidcclient.go index 7040f4c9..72abf61d 100644 --- a/generated/1.19/client/supervisor/listers/oauth/v1alpha1/oidcclient.go +++ b/generated/1.21/client/supervisor/listers/config/v1alpha1/oidcclient.go @@ -6,7 +6,7 @@ package v1alpha1 import ( - v1alpha1 "go.pinniped.dev/generated/1.19/apis/supervisor/oauth/v1alpha1" + v1alpha1 "go.pinniped.dev/generated/1.21/apis/supervisor/config/v1alpha1" "k8s.io/apimachinery/pkg/api/errors" "k8s.io/apimachinery/pkg/labels" "k8s.io/client-go/tools/cache" diff --git a/generated/1.21/client/supervisor/listers/oauth/v1alpha1/expansion_generated.go b/generated/1.21/client/supervisor/listers/oauth/v1alpha1/expansion_generated.go deleted file mode 100644 index c19310da..00000000 --- a/generated/1.21/client/supervisor/listers/oauth/v1alpha1/expansion_generated.go +++ /dev/null 
@@ -1,14 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by lister-gen. DO NOT EDIT. - -package v1alpha1 - -// OIDCClientListerExpansion allows custom methods to be added to -// OIDCClientLister. -type OIDCClientListerExpansion interface{} - -// OIDCClientNamespaceListerExpansion allows custom methods to be added to -// OIDCClientNamespaceLister. -type OIDCClientNamespaceListerExpansion interface{} diff --git a/generated/1.21/client/supervisor/virtual/clientset/versioned/clientset.go b/generated/1.21/client/supervisor/virtual/clientset/versioned/clientset.go deleted file mode 100644 index 93a539cc..00000000 --- a/generated/1.21/client/supervisor/virtual/clientset/versioned/clientset.go +++ /dev/null 
@@ -1,84 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by client-gen. DO NOT EDIT. - -package versioned - -import ( - "fmt" - - oauthv1alpha1 "go.pinniped.dev/generated/1.21/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1" - discovery "k8s.io/client-go/discovery" - rest "k8s.io/client-go/rest" - flowcontrol "k8s.io/client-go/util/flowcontrol" -) - -type Interface interface { - Discovery() discovery.DiscoveryInterface - OauthV1alpha1() oauthv1alpha1.OauthV1alpha1Interface -} - -// Clientset contains the clients for groups. Each group has exactly one -// version included in a Clientset. -type Clientset struct { - *discovery.DiscoveryClient - oauthV1alpha1 *oauthv1alpha1.OauthV1alpha1Client -} - -// OauthV1alpha1 retrieves the OauthV1alpha1Client -func (c *Clientset) OauthV1alpha1() oauthv1alpha1.OauthV1alpha1Interface { - return c.oauthV1alpha1 -} - -// Discovery retrieves the DiscoveryClient -func (c *Clientset) Discovery() discovery.DiscoveryInterface { - if c == nil { - return nil - } - return c.DiscoveryClient -} - -// NewForConfig creates a new Clientset for the given config. -// If config's RateLimiter is not set and QPS and Burst are acceptable, -// NewForConfig will generate a rate-limiter in configShallowCopy. 
-func NewForConfig(c *rest.Config) (*Clientset, error) { - configShallowCopy := *c - if configShallowCopy.RateLimiter == nil && configShallowCopy.QPS > 0 { - if configShallowCopy.Burst <= 0 { - return nil, fmt.Errorf("burst is required to be greater than 0 when RateLimiter is not set and QPS is set to greater than 0") - } - configShallowCopy.RateLimiter = flowcontrol.NewTokenBucketRateLimiter(configShallowCopy.QPS, configShallowCopy.Burst) - } - var cs Clientset - var err error - cs.oauthV1alpha1, err = oauthv1alpha1.NewForConfig(&configShallowCopy) - if err != nil { - return nil, err - } - - cs.DiscoveryClient, err = discovery.NewDiscoveryClientForConfig(&configShallowCopy) - if err != nil { - return nil, err - } - return &cs, nil -} - -// NewForConfigOrDie creates a new Clientset for the given config and -// panics if there is an error in the config. -func NewForConfigOrDie(c *rest.Config) *Clientset { - var cs Clientset - cs.oauthV1alpha1 = oauthv1alpha1.NewForConfigOrDie(c) - - cs.DiscoveryClient = discovery.NewDiscoveryClientForConfigOrDie(c) - return &cs -} - -// New creates a new Clientset for the given RESTClient. -func New(c rest.Interface) *Clientset { - var cs Clientset - cs.oauthV1alpha1 = oauthv1alpha1.New(c) - - cs.DiscoveryClient = discovery.NewDiscoveryClient(c) - return &cs -} diff --git a/generated/1.21/client/supervisor/virtual/clientset/versioned/doc.go b/generated/1.21/client/supervisor/virtual/clientset/versioned/doc.go deleted file mode 100644 index 5dc02e6e..00000000 --- a/generated/1.21/client/supervisor/virtual/clientset/versioned/doc.go +++ /dev/null @@ -1,7 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by client-gen. DO NOT EDIT. - -// This package has the automatically generated clientset. -package versioned 
diff --git a/generated/1.21/client/supervisor/virtual/clientset/versioned/fake/clientset_generated.go b/generated/1.21/client/supervisor/virtual/clientset/versioned/fake/clientset_generated.go deleted file mode 100644 index fcf86e29..00000000 --- a/generated/1.21/client/supervisor/virtual/clientset/versioned/fake/clientset_generated.go +++ /dev/null 
@@ -1,69 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by client-gen. DO NOT EDIT. - -package fake - -import ( - clientset "go.pinniped.dev/generated/1.21/client/supervisor/virtual/clientset/versioned" - oauthv1alpha1 "go.pinniped.dev/generated/1.21/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1" - fakeoauthv1alpha1 "go.pinniped.dev/generated/1.21/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake" - "k8s.io/apimachinery/pkg/runtime" - "k8s.io/apimachinery/pkg/watch" - "k8s.io/client-go/discovery" - fakediscovery "k8s.io/client-go/discovery/fake" - "k8s.io/client-go/testing" -) - -// NewSimpleClientset returns a clientset that will respond with the provided objects. -// It's backed by a very simple object tracker that processes creates, updates and deletions as-is, -// without applying any validations and/or defaults. It shouldn't be considered a replacement -// for a real clientset and is mostly useful in simple unit tests. -func NewSimpleClientset(objects ...runtime.Object) *Clientset { - o := testing.NewObjectTracker(scheme, codecs.UniversalDecoder()) - for _, obj := range objects { - if err := o.Add(obj); err != nil { - panic(err) - } - } - - cs := &Clientset{tracker: o} - cs.discovery = &fakediscovery.FakeDiscovery{Fake: &cs.Fake} - cs.AddReactor("*", "*", testing.ObjectReaction(o)) - cs.AddWatchReactor("*", func(action testing.Action) (handled bool, ret watch.Interface, err error) { - gvr := action.GetResource() - ns := action.GetNamespace() - watch, err := o.Watch(gvr, ns) - if err != nil { - return false, nil, err - } - return true, watch, nil - }) - - return cs -} - -// Clientset implements clientset.Interface. Meant to be embedded into a -// struct to get a default implementation. This makes faking out just the method -// you want to test easier. 
-type Clientset struct { - testing.Fake - discovery *fakediscovery.FakeDiscovery - tracker testing.ObjectTracker -} - -func (c *Clientset) Discovery() discovery.DiscoveryInterface { - return c.discovery -} - -func (c *Clientset) Tracker() testing.ObjectTracker { - return c.tracker -} - -var _ clientset.Interface = &Clientset{} - -// OauthV1alpha1 retrieves the OauthV1alpha1Client -func (c *Clientset) OauthV1alpha1() oauthv1alpha1.OauthV1alpha1Interface { - return &fakeoauthv1alpha1.FakeOauthV1alpha1{Fake: &c.Fake} -} diff --git a/generated/1.21/client/supervisor/virtual/clientset/versioned/fake/doc.go b/generated/1.21/client/supervisor/virtual/clientset/versioned/fake/doc.go deleted file mode 100644 index 7c9538fd..00000000 --- a/generated/1.21/client/supervisor/virtual/clientset/versioned/fake/doc.go +++ /dev/null @@ -1,7 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by client-gen. DO NOT EDIT. - -// This package has the automatically generated fake clientset. -package fake diff --git a/generated/1.21/client/supervisor/virtual/clientset/versioned/fake/register.go b/generated/1.21/client/supervisor/virtual/clientset/versioned/fake/register.go deleted file mode 100644 index c7b66d2c..00000000 --- a/generated/1.21/client/supervisor/virtual/clientset/versioned/fake/register.go +++ /dev/null 
@@ -1,43 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by client-gen. DO NOT EDIT. - -package fake - -import ( - oauthv1alpha1 "go.pinniped.dev/generated/1.21/apis/supervisor/virtual/oauth/v1alpha1" - v1 "k8s.io/apimachinery/pkg/apis/meta/v1" - runtime "k8s.io/apimachinery/pkg/runtime" - schema "k8s.io/apimachinery/pkg/runtime/schema" - serializer "k8s.io/apimachinery/pkg/runtime/serializer" - utilruntime "k8s.io/apimachinery/pkg/util/runtime" -) - -var scheme = runtime.NewScheme() -var codecs = serializer.NewCodecFactory(scheme) - -var localSchemeBuilder = runtime.SchemeBuilder{ - oauthv1alpha1.AddToScheme, -} - -// AddToScheme adds all types of this clientset into the given scheme. This allows composition -// of clientsets, like in: -// -// import ( -// "k8s.io/client-go/kubernetes" -// clientsetscheme "k8s.io/client-go/kubernetes/scheme" -// aggregatorclientsetscheme "k8s.io/kube-aggregator/pkg/client/clientset_generated/clientset/scheme" -// ) -// -// kclientset, _ := kubernetes.NewForConfig(c) -// _ = aggregatorclientsetscheme.AddToScheme(clientsetscheme.Scheme) -// -// After this, RawExtensions in Kubernetes types will serialize kube-aggregator types -// correctly. -var AddToScheme = localSchemeBuilder.AddToScheme - -func init() { - v1.AddToGroupVersion(scheme, schema.GroupVersion{Version: "v1"}) - utilruntime.Must(AddToScheme(scheme)) -} diff --git a/generated/1.21/client/supervisor/virtual/clientset/versioned/scheme/doc.go b/generated/1.21/client/supervisor/virtual/clientset/versioned/scheme/doc.go deleted file mode 100644 index cc02f1d3..00000000 --- a/generated/1.21/client/supervisor/virtual/clientset/versioned/scheme/doc.go +++ /dev/null 
@@ -1,7 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by client-gen. DO NOT EDIT. - -// This package contains the scheme of the automatically generated clientset. -package scheme diff --git a/generated/1.21/client/supervisor/virtual/clientset/versioned/scheme/register.go b/generated/1.21/client/supervisor/virtual/clientset/versioned/scheme/register.go deleted file mode 100644 index 3afd089b..00000000 --- a/generated/1.21/client/supervisor/virtual/clientset/versioned/scheme/register.go +++ /dev/null 
@@ -1,43 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by client-gen. DO NOT EDIT. - -package scheme - -import ( - oauthv1alpha1 "go.pinniped.dev/generated/1.21/apis/supervisor/virtual/oauth/v1alpha1" - v1 "k8s.io/apimachinery/pkg/apis/meta/v1" - runtime "k8s.io/apimachinery/pkg/runtime" - schema "k8s.io/apimachinery/pkg/runtime/schema" - serializer "k8s.io/apimachinery/pkg/runtime/serializer" - utilruntime "k8s.io/apimachinery/pkg/util/runtime" -) - -var Scheme = runtime.NewScheme() -var Codecs = serializer.NewCodecFactory(Scheme) -var ParameterCodec = runtime.NewParameterCodec(Scheme) -var localSchemeBuilder = runtime.SchemeBuilder{ - oauthv1alpha1.AddToScheme, -} - -// AddToScheme adds all types of this clientset into the given scheme. This allows composition -// of clientsets, like in: -// -// import ( -// "k8s.io/client-go/kubernetes" -// clientsetscheme "k8s.io/client-go/kubernetes/scheme" -// aggregatorclientsetscheme "k8s.io/kube-aggregator/pkg/client/clientset_generated/clientset/scheme" -// ) -// -// kclientset, _ := kubernetes.NewForConfig(c) -// _ = aggregatorclientsetscheme.AddToScheme(clientsetscheme.Scheme) -// -// After this, RawExtensions in Kubernetes types will serialize kube-aggregator types -// correctly. -var AddToScheme = localSchemeBuilder.AddToScheme - -func init() { - v1.AddToGroupVersion(Scheme, schema.GroupVersion{Version: "v1"}) - utilruntime.Must(AddToScheme(Scheme)) -} diff --git a/generated/1.21/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/doc.go b/generated/1.21/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/doc.go deleted file mode 100644 index e7a470b6..00000000 --- a/generated/1.21/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/doc.go +++ /dev/null 
@@ -1,7 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by client-gen. DO NOT EDIT. - -// This package has the automatically generated typed clients. -package v1alpha1 diff --git a/generated/1.21/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go b/generated/1.21/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go deleted file mode 100644 index 7906901b..00000000 --- a/generated/1.21/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go +++ /dev/null @@ -1,7 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by client-gen. DO NOT EDIT. - -// Package fake has the automatically generated clients. -package fake diff --git a/generated/1.21/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go b/generated/1.21/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go deleted file mode 100644 index 341e6495..00000000 --- a/generated/1.21/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go +++ /dev/null 
@@ -1,27 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by client-gen. DO NOT EDIT. - -package fake - -import ( - v1alpha1 "go.pinniped.dev/generated/1.21/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1" - rest "k8s.io/client-go/rest" - testing "k8s.io/client-go/testing" -) - -type FakeOauthV1alpha1 struct { - *testing.Fake -} - -func (c *FakeOauthV1alpha1) OIDCClientSecretRequests(namespace string) v1alpha1.OIDCClientSecretRequestInterface { - return &FakeOIDCClientSecretRequests{c, namespace} -} - -// RESTClient returns a RESTClient that is used to communicate -// with API server by this client implementation. -func (c *FakeOauthV1alpha1) RESTClient() rest.Interface { - var ret *rest.RESTClient - return ret -} diff --git a/generated/1.21/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go b/generated/1.21/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go deleted file mode 100644 index 8d4fc39d..00000000 --- a/generated/1.21/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go +++ /dev/null 
@@ -1,76 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by client-gen. DO NOT EDIT. - -package v1alpha1 - -import ( - v1alpha1 "go.pinniped.dev/generated/1.21/apis/supervisor/virtual/oauth/v1alpha1" - "go.pinniped.dev/generated/1.21/client/supervisor/virtual/clientset/versioned/scheme" - rest "k8s.io/client-go/rest" -) - -type OauthV1alpha1Interface interface { - RESTClient() rest.Interface - OIDCClientSecretRequestsGetter -} - -// OauthV1alpha1Client is used to interact with features provided by the oauth.virtual.supervisor.pinniped.dev group. -type OauthV1alpha1Client struct { - restClient rest.Interface -} - -func (c *OauthV1alpha1Client) OIDCClientSecretRequests(namespace string) OIDCClientSecretRequestInterface { - return newOIDCClientSecretRequests(c, namespace) -} - -// NewForConfig creates a new OauthV1alpha1Client for the given config. -func NewForConfig(c *rest.Config) (*OauthV1alpha1Client, error) { - config := *c - if err := setConfigDefaults(&config); err != nil { - return nil, err - } - client, err := rest.RESTClientFor(&config) - if err != nil { - return nil, err - } - return &OauthV1alpha1Client{client}, nil -} - -// NewForConfigOrDie creates a new OauthV1alpha1Client for the given config and -// panics if there is an error in the config. -func NewForConfigOrDie(c *rest.Config) *OauthV1alpha1Client { - client, err := NewForConfig(c) - if err != nil { - panic(err) - } - return client -} - -// New creates a new OauthV1alpha1Client for the given RESTClient. 
-func New(c rest.Interface) *OauthV1alpha1Client { - return &OauthV1alpha1Client{c} -} - -func setConfigDefaults(config *rest.Config) error { - gv := v1alpha1.SchemeGroupVersion - config.GroupVersion = &gv - config.APIPath = "/apis" - config.NegotiatedSerializer = scheme.Codecs.WithoutConversion() - - if config.UserAgent == "" { - config.UserAgent = rest.DefaultKubernetesUserAgent() - } - - return nil -} - -// RESTClient returns a RESTClient that is used to communicate -// with API server by this client implementation. -func (c *OauthV1alpha1Client) RESTClient() rest.Interface { - if c == nil { - return nil - } - return c.restClient -} diff --git a/generated/1.21/crds/config.supervisor.pinniped.dev_oidcclients.yaml b/generated/1.21/crds/config.supervisor.pinniped.dev_oidcclients.yaml new file mode 100644 index 00000000..4efa445e --- /dev/null +++ b/generated/1.21/crds/config.supervisor.pinniped.dev_oidcclients.yaml 
@@ -0,0 +1,125 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.8.0 + creationTimestamp: null + name: oidcclients.config.supervisor.pinniped.dev +spec: + group: config.supervisor.pinniped.dev + names: + categories: + - pinniped + kind: OIDCClient + listKind: OIDCClientList + plural: oidcclients + singular: oidcclient + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: OIDCClient describes the configuration of an OIDC client. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec of the OIDC client. + properties: + allowedGrantTypes: + description: "allowedGrantTypes is a list of the allowed grant_type + param values that should be accepted during OIDC flows with this + client. \n Must only contain the following values: - authorization_code: + allows the client to perform the authorization code grant flow, + i.e. allows the webapp to authenticate users. This grant must always + be listed. - refresh_token: allows the client to perform refresh + grants for the user to extend the user's session. This grant must + be listed if allowedScopes lists offline_access. 
- urn:ietf:params:oauth:grant-type:token-exchange: + allows the client to perform RFC8693 token exchange, which is a + step in the process to be able to get a cluster credential for the + user. This grant must be listed if allowedScopes lists pinniped:request-audience." + items: + enum: + - authorization_code + - refresh_token + - urn:ietf:params:oauth:grant-type:token-exchange + type: string + minItems: 1 + type: array + allowedRedirectURIs: + description: allowedRedirectURIs is a list of the allowed redirect_uri + param values that should be accepted during OIDC flows with this + client. Any other uris will be rejected. Must be https, unless it + is a loopback. + items: + type: string + minItems: 1 + type: array + allowedScopes: + description: "allowedScopes is a list of the allowed scopes param + values that should be accepted during OIDC flows with this client. + \n Must only contain the following values: - openid: The client + is allowed to request ID tokens. ID tokens only include the required + claims by default (iss, sub, aud, exp, iat). This scope must always + be listed. - offline_access: The client is allowed to request an + initial refresh token during the authorization code grant flow. + This scope must be listed if allowedGrantTypes lists refresh_token. + - pinniped:request-audience: The client is allowed to request a + new audience value during a RFC8693 token exchange, which is a step + in the process to be able to get a cluster credential for the user. + openid, username and groups scopes must be listed when this scope + is present. This scope must be listed if allowedGrantTypes lists + urn:ietf:params:oauth:grant-type:token-exchange. - username: The + client is allowed to request that ID tokens contain the user's username. + Without the username scope being requested and allowed, the ID token + will not contain the user's username. 
- groups: The client is allowed + to request that ID tokens contain the user's group membership, if + their group membership is discoverable by the Supervisor. Without + the groups scope being requested and allowed, the ID token will + not contain groups." + items: + enum: + - openid + - offline_access + - username + - groups + - pinniped:request-audience + type: string + minItems: 1 + type: array + required: + - allowedGrantTypes + - allowedRedirectURIs + - allowedScopes + type: object + status: + description: Status of the OIDC client. + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/generated/1.21/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml b/generated/1.21/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml deleted file mode 100644 index 589a9154..00000000 --- a/generated/1.21/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml +++ /dev/null 
@@ -1,125 +0,0 @@ ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.8.0 - creationTimestamp: null - name: oidcclients.oauth.supervisor.pinniped.dev -spec: - group: oauth.supervisor.pinniped.dev - names: - categories: - - pinniped - kind: OIDCClient - listKind: OIDCClientList - plural: oidcclients - singular: oidcclient - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - description: OIDCClient describes the configuration of an OIDC client. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: Spec of the OIDC client. - properties: - allowedGrantTypes: - description: "allowedGrantTypes is a list of the allowed grant_type - param values that should be accepted during OIDC flows with this - client. \n Must only contain the following values: - authorization_code: - allows the client to perform the authorization code grant flow, - i.e. allows the webapp to authenticate users. This grant must always - be listed. - refresh_token: allows the client to perform refresh - grants for the user to extend the user's session. This grant must - be listed if allowedScopes lists offline_access. 
- urn:ietf:params:oauth:grant-type:token-exchange: - allows the client to perform RFC8693 token exchange, which is a - step in the process to be able to get a cluster credential for the - user. This grant must be listed if allowedScopes lists pinniped:request-audience." - items: - enum: - - authorization_code - - refresh_token - - urn:ietf:params:oauth:grant-type:token-exchange - type: string - minItems: 1 - type: array - allowedRedirectURIs: - description: allowedRedirectURIs is a list of the allowed redirect_uri - param values that should be accepted during OIDC flows with this - client. Any other uris will be rejected. Must be https, unless it - is a loopback. - items: - type: string - minItems: 1 - type: array - allowedScopes: - description: "allowedScopes is a list of the allowed scopes param - values that should be accepted during OIDC flows with this client. - \n Must only contain the following values: - openid: The client - is allowed to request ID tokens. ID tokens only include the required - claims by default (iss, sub, aud, exp, iat). This scope must always - be listed. - offline_access: The client is allowed to request an - initial refresh token during the authorization code grant flow. - This scope must be listed if allowedGrantTypes lists refresh_token. - - pinniped:request-audience: The client is allowed to request a - new audience value during a RFC8693 token exchange, which is a step - in the process to be able to get a cluster credential for the user. - openid, username and groups scopes must be listed when this scope - is present. This scope must be listed if allowedGrantTypes lists - urn:ietf:params:oauth:grant-type:token-exchange. - username: The - client is allowed to request that ID tokens contain the user's username. - Without the username scope being requested and allowed, the ID token - will not contain the user's username. 
- groups: The client is allowed - to request that ID tokens contain the user's group membership, if - their group membership is discoverable by the Supervisor. Without - the groups scope being requested and allowed, the ID token will - not contain groups." - items: - enum: - - openid - - offline_access - - username - - groups - - pinniped:request-audience - type: string - minItems: 1 - type: array - required: - - allowedGrantTypes - - allowedRedirectURIs - - allowedScopes - type: object - status: - description: Status of the OIDC client. - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] diff --git a/generated/1.22/README.adoc b/generated/1.22/README.adoc index 55db1f5b..0a4498b9 100644 --- a/generated/1.22/README.adoc +++ b/generated/1.22/README.adoc 
@@ -6,15 +6,14 @@ .Packages - xref:{anchor_prefix}-authentication-concierge-pinniped-dev-v1alpha1[$$authentication.concierge.pinniped.dev/v1alpha1$$] +- xref:{anchor_prefix}-clientsecret-supervisor-pinniped-dev-clientsecret[$$clientsecret.supervisor.pinniped.dev/clientsecret$$] +- xref:{anchor_prefix}-clientsecret-supervisor-pinniped-dev-v1alpha1[$$clientsecret.supervisor.pinniped.dev/v1alpha1$$] - xref:{anchor_prefix}-config-concierge-pinniped-dev-v1alpha1[$$config.concierge.pinniped.dev/v1alpha1$$] - xref:{anchor_prefix}-config-supervisor-pinniped-dev-v1alpha1[$$config.supervisor.pinniped.dev/v1alpha1$$] - xref:{anchor_prefix}-identity-concierge-pinniped-dev-identity[$$identity.concierge.pinniped.dev/identity$$] - xref:{anchor_prefix}-identity-concierge-pinniped-dev-v1alpha1[$$identity.concierge.pinniped.dev/v1alpha1$$] - xref:{anchor_prefix}-idp-supervisor-pinniped-dev-v1alpha1[$$idp.supervisor.pinniped.dev/v1alpha1$$] - xref:{anchor_prefix}-login-concierge-pinniped-dev-v1alpha1[$$login.concierge.pinniped.dev/v1alpha1$$] -- xref:{anchor_prefix}-oauth-supervisor-pinniped-dev-v1alpha1[$$oauth.supervisor.pinniped.dev/v1alpha1$$] -- xref:{anchor_prefix}-oauth-virtual-supervisor-pinniped-dev-oauth[$$oauth.virtual.supervisor.pinniped.dev/oauth$$] -- xref:{anchor_prefix}-oauth-virtual-supervisor-pinniped-dev-v1alpha1[$$oauth.virtual.supervisor.pinniped.dev/v1alpha1$$] [id="{anchor_prefix}-authentication-concierge-pinniped-dev-v1alpha1"] 
@@ -213,6 +212,98 @@ Status of a webhook authenticator. +[id="{anchor_prefix}-clientsecret-supervisor-pinniped-dev-clientsecret"] +=== clientsecret.supervisor.pinniped.dev/clientsecret + +Package clientsecret is the internal version of the Pinniped client secret API. + + + + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-clientsecret-oidcclientsecretrequestspec"] +==== OIDCClientSecretRequestSpec + + + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-clientsecret-oidcclientsecretrequest[$$OIDCClientSecretRequest$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`generateNewSecret`* __boolean__ | +| *`revokeOldSecrets`* __boolean__ | +|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-clientsecret-oidcclientsecretrequeststatus"] +==== OIDCClientSecretRequestStatus + + + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-clientsecret-oidcclientsecretrequest[$$OIDCClientSecretRequest$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`generatedSecret`* __string__ | +| *`totalClientSecrets`* __integer__ | +|=== + + + +[id="{anchor_prefix}-clientsecret-supervisor-pinniped-dev-v1alpha1"] +=== clientsecret.supervisor.pinniped.dev/v1alpha1 + +Package v1alpha1 is the v1alpha1 version of the Pinniped client secret API. 
+ + + + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-clientsecret-v1alpha1-oidcclientsecretrequestspec"] +==== OIDCClientSecretRequestSpec + + + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-clientsecret-v1alpha1-oidcclientsecretrequest[$$OIDCClientSecretRequest$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`generateNewSecret`* __boolean__ | +| *`revokeOldSecrets`* __boolean__ | +|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-clientsecret-v1alpha1-oidcclientsecretrequeststatus"] +==== OIDCClientSecretRequestStatus + + + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-clientsecret-v1alpha1-oidcclientsecretrequest[$$OIDCClientSecretRequest$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`generatedSecret`* __string__ | +| *`totalClientSecrets`* __integer__ | +|=== + + + [id="{anchor_prefix}-config-concierge-pinniped-dev-v1alpha1"] === config.concierge.pinniped.dev/v1alpha1 
@@ -546,6 +637,51 @@ FederationDomainTLSSpec is a struct that describes the TLS configuration for an |=== +[id="{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-config-v1alpha1-oidcclient"] +==== OIDCClient + +OIDCClient describes the configuration of an OIDC client. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-config-v1alpha1-oidcclientlist[$$OIDCClientList$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.22/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`. + +| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-config-v1alpha1-oidcclientspec[$$OIDCClientSpec$$]__ | Spec of the OIDC client. +| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-config-v1alpha1-oidcclientstatus[$$OIDCClientStatus$$]__ | Status of the OIDC client. +|=== + + + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-config-v1alpha1-oidcclientspec"] +==== OIDCClientSpec + +OIDCClientSpec is a struct that describes an OIDC Client. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-config-v1alpha1-oidcclient[$$OIDCClient$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`allowedRedirectURIs`* __string array__ | allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this client. Any other uris will be rejected. Must be https, unless it is a loopback. +| *`allowedGrantTypes`* __GrantType array__ | allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this client. + Must only contain the following values: - authorization_code: allows the client to perform the authorization code grant flow, i.e. 
allows the webapp to authenticate users. This grant must always be listed. - refresh_token: allows the client to perform refresh grants for the user to extend the user's session. This grant must be listed if allowedScopes lists offline_access. - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. This grant must be listed if allowedScopes lists pinniped:request-audience. +| *`allowedScopes`* __Scope array__ | allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. + Must only contain the following values: - openid: The client is allowed to request ID tokens. ID tokens only include the required claims by default (iss, sub, aud, exp, iat). This scope must always be listed. - offline_access: The client is allowed to request an initial refresh token during the authorization code grant flow. This scope must be listed if allowedGrantTypes lists refresh_token. - pinniped:request-audience: The client is allowed to request a new audience value during a RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. openid, username and groups scopes must be listed when this scope is present. This scope must be listed if allowedGrantTypes lists urn:ietf:params:oauth:grant-type:token-exchange. - username: The client is allowed to request that ID tokens contain the user's username. Without the username scope being requested and allowed, the ID token will not contain the user's username. - groups: The client is allowed to request that ID tokens contain the user's group membership, if their group membership is discoverable by the Supervisor. Without the groups scope being requested and allowed, the ID token will not contain groups. 
+|=== + + + + [id="{anchor_prefix}-identity-concierge-pinniped-dev-identity"] === identity.concierge.pinniped.dev/identity 
@@ -1335,148 +1471,3 @@ TokenCredentialRequestStatus is the status of a TokenCredentialRequest, returned |=== - -[id="{anchor_prefix}-oauth-supervisor-pinniped-dev-v1alpha1"] -=== oauth.supervisor.pinniped.dev/v1alpha1 - -Package v1alpha1 is the v1alpha1 version of the Pinniped supervisor oauth API. - - - -[id="{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-oauth-v1alpha1-oidcclient"] -==== OIDCClient - -OIDCClient describes the configuration of an OIDC client. - -.Appears In: -**** -- xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-oauth-v1alpha1-oidcclientlist[$$OIDCClientList$$] -**** - -[cols="25a,75a", options="header"] -|=== -| Field | Description -| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.22/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`. - -| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-oauth-v1alpha1-oidcclientspec[$$OIDCClientSpec$$]__ | Spec of the OIDC client. -| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-oauth-v1alpha1-oidcclientstatus[$$OIDCClientStatus$$]__ | Status of the OIDC client. -|=== - - - - -[id="{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-oauth-v1alpha1-oidcclientspec"] -==== OIDCClientSpec - -OIDCClientSpec is a struct that describes an OIDC Client. - -.Appears In: -**** -- xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-oauth-v1alpha1-oidcclient[$$OIDCClient$$] -**** - -[cols="25a,75a", options="header"] -|=== -| Field | Description -| *`allowedRedirectURIs`* __string array__ | allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this client. Any other uris will be rejected. Must be https, unless it is a loopback. 
-| *`allowedGrantTypes`* __GrantType array__ | allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this client. - Must only contain the following values: - authorization_code: allows the client to perform the authorization code grant flow, i.e. allows the webapp to authenticate users. This grant must always be listed. - refresh_token: allows the client to perform refresh grants for the user to extend the user's session. This grant must be listed if allowedScopes lists offline_access. - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. This grant must be listed if allowedScopes lists pinniped:request-audience. -| *`allowedScopes`* __Scope array__ | allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. - Must only contain the following values: - openid: The client is allowed to request ID tokens. ID tokens only include the required claims by default (iss, sub, aud, exp, iat). This scope must always be listed. - offline_access: The client is allowed to request an initial refresh token during the authorization code grant flow. This scope must be listed if allowedGrantTypes lists refresh_token. - pinniped:request-audience: The client is allowed to request a new audience value during a RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. openid, username and groups scopes must be listed when this scope is present. This scope must be listed if allowedGrantTypes lists urn:ietf:params:oauth:grant-type:token-exchange. - username: The client is allowed to request that ID tokens contain the user's username. Without the username scope being requested and allowed, the ID token will not contain the user's username. 
- groups: The client is allowed to request that ID tokens contain the user's group membership, if their group membership is discoverable by the Supervisor. Without the groups scope being requested and allowed, the ID token will not contain groups. -|=== - - - - - -[id="{anchor_prefix}-oauth-virtual-supervisor-pinniped-dev-oauth"] -=== oauth.virtual.supervisor.pinniped.dev/oauth - -Package oauth is the internal version of the Pinniped virtual oauth API. - - - - - -[id="{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-virtual-oauth-oidcclientsecretrequestspec"] -==== OIDCClientSecretRequestSpec - - - -.Appears In: -**** -- xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-virtual-oauth-oidcclientsecretrequest[$$OIDCClientSecretRequest$$] -**** - -[cols="25a,75a", options="header"] -|=== -| Field | Description -| *`generateNewSecret`* __boolean__ | -| *`revokeOldSecrets`* __boolean__ | -|=== - - -[id="{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-virtual-oauth-oidcclientsecretrequeststatus"] -==== OIDCClientSecretRequestStatus - - - -.Appears In: -**** -- xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-virtual-oauth-oidcclientsecretrequest[$$OIDCClientSecretRequest$$] -**** - -[cols="25a,75a", options="header"] -|=== -| Field | Description -| *`generatedSecret`* __string__ | -| *`totalClientSecrets`* __integer__ | -|=== - - - -[id="{anchor_prefix}-oauth-virtual-supervisor-pinniped-dev-v1alpha1"] -=== oauth.virtual.supervisor.pinniped.dev/v1alpha1 - -Package v1alpha1 is the v1alpha1 version of the Pinniped virtual oauth API. 
- - - - - -[id="{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-virtual-oauth-v1alpha1-oidcclientsecretrequestspec"] -==== OIDCClientSecretRequestSpec - - - -.Appears In: -**** -- xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-virtual-oauth-v1alpha1-oidcclientsecretrequest[$$OIDCClientSecretRequest$$] -**** - -[cols="25a,75a", options="header"] -|=== -| Field | Description -| *`generateNewSecret`* __boolean__ | -| *`revokeOldSecrets`* __boolean__ | -|=== - - -[id="{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-virtual-oauth-v1alpha1-oidcclientsecretrequeststatus"] -==== OIDCClientSecretRequestStatus - - - -.Appears In: -**** -- xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-virtual-oauth-v1alpha1-oidcclientsecretrequest[$$OIDCClientSecretRequest$$] -**** - -[cols="25a,75a", options="header"] -|=== -| Field | Description -| *`generatedSecret`* __string__ | -| *`totalClientSecrets`* __integer__ | -|=== - - diff --git a/generated/1.22/apis/supervisor/clientsecret/doc.go b/generated/1.22/apis/supervisor/clientsecret/doc.go new file mode 100644 index 00000000..c536bc75 --- /dev/null +++ b/generated/1.22/apis/supervisor/clientsecret/doc.go @@ -0,0 +1,8 @@ +// Copyright 2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// +k8s:deepcopy-gen=package +// +groupName=clientsecret.supervisor.pinniped.dev + +// Package clientsecret is the internal version of the Pinniped client secret API. +package clientsecret diff --git a/generated/1.22/apis/supervisor/clientsecret/register.go b/generated/1.22/apis/supervisor/clientsecret/register.go new file mode 100644 index 00000000..4a1c0173 --- /dev/null +++ b/generated/1.22/apis/supervisor/clientsecret/register.go 
@@ -0,0 +1,37 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package clientsecret
+
+import (
+ "k8s.io/apimachinery/pkg/runtime"
+ "k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+const GroupName = "clientsecret.supervisor.pinniped.dev"
+
+// SchemeGroupVersion is group version used to register these objects.
+var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: runtime.APIVersionInternal}
+
+// Kind takes an unqualified kind and returns back a Group qualified GroupKind.
+func Kind(kind string) schema.GroupKind {
+ return SchemeGroupVersion.WithKind(kind).GroupKind()
+}
+
+// Resource takes an unqualified resource and returns back a Group qualified GroupResource.
+func Resource(resource string) schema.GroupResource {
+ return SchemeGroupVersion.WithResource(resource).GroupResource()
+}
+
+var (
+ SchemeBuilder = runtime.NewSchemeBuilder(addKnownTypes)
+ AddToScheme = SchemeBuilder.AddToScheme
+)
+
+// Adds the list of known types to the given scheme.
+func addKnownTypes(scheme *runtime.Scheme) error {
+ scheme.AddKnownTypes(SchemeGroupVersion,
+ &OIDCClientSecretRequest{},
+ )
+ return nil
+}
diff --git a/generated/1.22/apis/supervisor/clientsecret/types_oidcclientsecretrequest.go b/generated/1.22/apis/supervisor/clientsecret/types_oidcclientsecretrequest.go
new file mode 100644
index 00000000..7fd1eb65
--- /dev/null
+++ b/generated/1.22/apis/supervisor/clientsecret/types_oidcclientsecretrequest.go
@@ -0,0 +1,25 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package clientsecret
+
+import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+type OIDCClientSecretRequestSpec struct {
+ GenerateNewSecret bool `json:"generateNewSecret"`
+ RevokeOldSecrets bool `json:"revokeOldSecrets"`
+}
+
+type OIDCClientSecretRequestStatus struct {
+ GeneratedSecret string `json:"generatedSecret,omitempty"`
+ TotalClientSecrets int `json:"totalClientSecrets"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+type OIDCClientSecretRequest struct {
+ metav1.TypeMeta `json:",inline"`
+ metav1.ObjectMeta `json:"metadata,omitempty"` // metadata.name must be set to the client ID
+
+ Spec OIDCClientSecretRequestSpec `json:"spec"`
+ Status OIDCClientSecretRequestStatus `json:"status"`
+}
diff --git a/generated/1.22/apis/supervisor/virtual/oauth/v1alpha1/conversion.go b/generated/1.22/apis/supervisor/clientsecret/v1alpha1/conversion.go
similarity index 100%
rename from generated/1.22/apis/supervisor/virtual/oauth/v1alpha1/conversion.go
rename to generated/1.22/apis/supervisor/clientsecret/v1alpha1/conversion.go
diff --git a/generated/1.22/apis/supervisor/virtual/oauth/v1alpha1/defaults.go b/generated/1.22/apis/supervisor/clientsecret/v1alpha1/defaults.go
similarity index 100%
rename from generated/1.22/apis/supervisor/virtual/oauth/v1alpha1/defaults.go
rename to generated/1.22/apis/supervisor/clientsecret/v1alpha1/defaults.go
diff --git a/generated/1.22/apis/supervisor/virtual/oauth/v1alpha1/doc.go b/generated/1.22/apis/supervisor/clientsecret/v1alpha1/doc.go
similarity index 64%
rename from generated/1.22/apis/supervisor/virtual/oauth/v1alpha1/doc.go
rename to generated/1.22/apis/supervisor/clientsecret/v1alpha1/doc.go
index 2529f68c..61920f32 100644
--- a/generated/1.22/apis/supervisor/virtual/oauth/v1alpha1/doc.go
+++ b/generated/1.22/apis/supervisor/clientsecret/v1alpha1/doc.go
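Review bot: None of the exported fields in `OIDCClientSecretRequestSpec` and `OIDCClientSecretRequestStatus` carry doc comments, which is why the regenerated README in this same patch lists `generateNewSecret`, `revokeOldSecrets`, `generatedSecret` and `totalClientSecrets` with empty descriptions, and `generatedSecret` is the one field that returns a plaintext credential, so its lifetime needs to be spelled out. Suggested wording: `// GenerateNewSecret requests that a new client secret be minted for the OIDCClient named by metadata.name.`, `// RevokeOldSecrets requests that all previously issued secrets for that client be revoked.`, and on the status field `// GeneratedSecret is the plaintext of the newly minted secret; it is only set when generateNewSecret was true and is not retrievable again, so treat the response as sensitive.` (the not-retrievable part is inferred from the omitempty status shape, so confirm it against the handler before committing to it). Setting revokeOldSecrets=true together with generateNewSecret=false would presumably leave the client with no usable secret at all; either document that as intentional or reject it in validation. The `metadata.name must be set to the client ID` remark trailing ObjectMeta is more discoverable as a doc comment on `OIDCClientSecretRequest` itself, and because this file lives under generated/1.22 the edit presumably belongs in the corresponding apis/ template rather than here.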
@@ -3,9 +3,9 @@ // +k8s:openapi-gen=true // +k8s:deepcopy-gen=package -// +k8s:conversion-gen=go.pinniped.dev/generated/1.22/apis/supervisor/virtual/oauth +// +k8s:conversion-gen=go.pinniped.dev/generated/1.22/apis/supervisor/clientsecret // +k8s:defaulter-gen=TypeMeta -// +groupName=oauth.virtual.supervisor.pinniped.dev +// +groupName=clientsecret.supervisor.pinniped.dev -// Package v1alpha1 is the v1alpha1 version of the Pinniped virtual oauth API. +// Package v1alpha1 is the v1alpha1 version of the Pinniped client secret API. package v1alpha1 diff --git a/generated/1.22/apis/supervisor/clientsecret/v1alpha1/register.go b/generated/1.22/apis/supervisor/clientsecret/v1alpha1/register.go new file mode 100644 index 00000000..49602125 --- /dev/null +++ b/generated/1.22/apis/supervisor/clientsecret/v1alpha1/register.go 
@@ -0,0 +1,42 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import (
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/apimachinery/pkg/runtime"
+ "k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+const GroupName = "clientsecret.supervisor.pinniped.dev"
+
+// SchemeGroupVersion is group version used to register these objects.
+var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha1"}
+
+var (
+ SchemeBuilder runtime.SchemeBuilder
+ localSchemeBuilder = &SchemeBuilder
+ AddToScheme = SchemeBuilder.AddToScheme
+)
+
+func init() {
+ // We only register manually written functions here. The registration of the
+ // generated functions takes place in the generated files. The separation
+ // makes the code compile even when the generated files are missing.
+ localSchemeBuilder.Register(addKnownTypes, addDefaultingFuncs)
+}
+
+// Adds the list of known types to the given scheme.
+func addKnownTypes(scheme *runtime.Scheme) error {
+ scheme.AddKnownTypes(SchemeGroupVersion,
+ &OIDCClientSecretRequest{},
+ )
+ metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
+ return nil
+}
+
+// Resource takes an unqualified resource and returns back a Group qualified GroupResource.
+func Resource(resource string) schema.GroupResource {
+ return SchemeGroupVersion.WithResource(resource).GroupResource()
+}
diff --git a/generated/1.22/apis/supervisor/virtual/oauth/v1alpha1/types_oidcclientsecretrequest.go b/generated/1.22/apis/supervisor/clientsecret/v1alpha1/types_oidcclientsecretrequest.go
similarity index 100%
rename from generated/1.22/apis/supervisor/virtual/oauth/v1alpha1/types_oidcclientsecretrequest.go
rename to generated/1.22/apis/supervisor/clientsecret/v1alpha1/types_oidcclientsecretrequest.go
diff --git a/generated/1.22/apis/supervisor/clientsecret/v1alpha1/zz_generated.conversion.go b/generated/1.22/apis/supervisor/clientsecret/v1alpha1/zz_generated.conversion.go new file mode 100644 index 00000000..4071a9d2 --- /dev/null +++ b/generated/1.22/apis/supervisor/clientsecret/v1alpha1/zz_generated.conversion.go 
@@ -0,0 +1,131 @@ +//go:build !ignore_autogenerated +// +build !ignore_autogenerated + +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by conversion-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + clientsecret "go.pinniped.dev/generated/1.22/apis/supervisor/clientsecret" + conversion "k8s.io/apimachinery/pkg/conversion" + runtime "k8s.io/apimachinery/pkg/runtime" +) + +func init() { + localSchemeBuilder.Register(RegisterConversions) +} + +// RegisterConversions adds conversion functions to the given scheme. +// Public to allow building arbitrary schemes. +func RegisterConversions(s *runtime.Scheme) error { + if err := s.AddGeneratedConversionFunc((*OIDCClientSecretRequest)(nil), (*clientsecret.OIDCClientSecretRequest)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_v1alpha1_OIDCClientSecretRequest_To_clientsecret_OIDCClientSecretRequest(a.(*OIDCClientSecretRequest), b.(*clientsecret.OIDCClientSecretRequest), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*clientsecret.OIDCClientSecretRequest)(nil), (*OIDCClientSecretRequest)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_clientsecret_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest(a.(*clientsecret.OIDCClientSecretRequest), b.(*OIDCClientSecretRequest), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*OIDCClientSecretRequestSpec)(nil), (*clientsecret.OIDCClientSecretRequestSpec)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_v1alpha1_OIDCClientSecretRequestSpec_To_clientsecret_OIDCClientSecretRequestSpec(a.(*OIDCClientSecretRequestSpec), b.(*clientsecret.OIDCClientSecretRequestSpec), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*clientsecret.OIDCClientSecretRequestSpec)(nil), (*OIDCClientSecretRequestSpec)(nil), 
func(a, b interface{}, scope conversion.Scope) error { + return Convert_clientsecret_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec(a.(*clientsecret.OIDCClientSecretRequestSpec), b.(*OIDCClientSecretRequestSpec), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*OIDCClientSecretRequestStatus)(nil), (*clientsecret.OIDCClientSecretRequestStatus)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_v1alpha1_OIDCClientSecretRequestStatus_To_clientsecret_OIDCClientSecretRequestStatus(a.(*OIDCClientSecretRequestStatus), b.(*clientsecret.OIDCClientSecretRequestStatus), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*clientsecret.OIDCClientSecretRequestStatus)(nil), (*OIDCClientSecretRequestStatus)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_clientsecret_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus(a.(*clientsecret.OIDCClientSecretRequestStatus), b.(*OIDCClientSecretRequestStatus), scope) + }); err != nil { + return err + } + return nil +} + +func autoConvert_v1alpha1_OIDCClientSecretRequest_To_clientsecret_OIDCClientSecretRequest(in *OIDCClientSecretRequest, out *clientsecret.OIDCClientSecretRequest, s conversion.Scope) error { + out.ObjectMeta = in.ObjectMeta + if err := Convert_v1alpha1_OIDCClientSecretRequestSpec_To_clientsecret_OIDCClientSecretRequestSpec(&in.Spec, &out.Spec, s); err != nil { + return err + } + if err := Convert_v1alpha1_OIDCClientSecretRequestStatus_To_clientsecret_OIDCClientSecretRequestStatus(&in.Status, &out.Status, s); err != nil { + return err + } + return nil +} + +// Convert_v1alpha1_OIDCClientSecretRequest_To_clientsecret_OIDCClientSecretRequest is an autogenerated conversion function. 
+func Convert_v1alpha1_OIDCClientSecretRequest_To_clientsecret_OIDCClientSecretRequest(in *OIDCClientSecretRequest, out *clientsecret.OIDCClientSecretRequest, s conversion.Scope) error { + return autoConvert_v1alpha1_OIDCClientSecretRequest_To_clientsecret_OIDCClientSecretRequest(in, out, s) +} + +func autoConvert_clientsecret_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest(in *clientsecret.OIDCClientSecretRequest, out *OIDCClientSecretRequest, s conversion.Scope) error { + out.ObjectMeta = in.ObjectMeta + if err := Convert_clientsecret_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec(&in.Spec, &out.Spec, s); err != nil { + return err + } + if err := Convert_clientsecret_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus(&in.Status, &out.Status, s); err != nil { + return err + } + return nil +} + +// Convert_clientsecret_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest is an autogenerated conversion function. +func Convert_clientsecret_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest(in *clientsecret.OIDCClientSecretRequest, out *OIDCClientSecretRequest, s conversion.Scope) error { + return autoConvert_clientsecret_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest(in, out, s) +} + +func autoConvert_v1alpha1_OIDCClientSecretRequestSpec_To_clientsecret_OIDCClientSecretRequestSpec(in *OIDCClientSecretRequestSpec, out *clientsecret.OIDCClientSecretRequestSpec, s conversion.Scope) error { + out.GenerateNewSecret = in.GenerateNewSecret + out.RevokeOldSecrets = in.RevokeOldSecrets + return nil +} + +// Convert_v1alpha1_OIDCClientSecretRequestSpec_To_clientsecret_OIDCClientSecretRequestSpec is an autogenerated conversion function. 
+func Convert_v1alpha1_OIDCClientSecretRequestSpec_To_clientsecret_OIDCClientSecretRequestSpec(in *OIDCClientSecretRequestSpec, out *clientsecret.OIDCClientSecretRequestSpec, s conversion.Scope) error { + return autoConvert_v1alpha1_OIDCClientSecretRequestSpec_To_clientsecret_OIDCClientSecretRequestSpec(in, out, s) +} + +func autoConvert_clientsecret_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec(in *clientsecret.OIDCClientSecretRequestSpec, out *OIDCClientSecretRequestSpec, s conversion.Scope) error { + out.GenerateNewSecret = in.GenerateNewSecret + out.RevokeOldSecrets = in.RevokeOldSecrets + return nil +} + +// Convert_clientsecret_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec is an autogenerated conversion function. +func Convert_clientsecret_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec(in *clientsecret.OIDCClientSecretRequestSpec, out *OIDCClientSecretRequestSpec, s conversion.Scope) error { + return autoConvert_clientsecret_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec(in, out, s) +} + +func autoConvert_v1alpha1_OIDCClientSecretRequestStatus_To_clientsecret_OIDCClientSecretRequestStatus(in *OIDCClientSecretRequestStatus, out *clientsecret.OIDCClientSecretRequestStatus, s conversion.Scope) error { + out.GeneratedSecret = in.GeneratedSecret + out.TotalClientSecrets = in.TotalClientSecrets + return nil +} + +// Convert_v1alpha1_OIDCClientSecretRequestStatus_To_clientsecret_OIDCClientSecretRequestStatus is an autogenerated conversion function. 
+func Convert_v1alpha1_OIDCClientSecretRequestStatus_To_clientsecret_OIDCClientSecretRequestStatus(in *OIDCClientSecretRequestStatus, out *clientsecret.OIDCClientSecretRequestStatus, s conversion.Scope) error { + return autoConvert_v1alpha1_OIDCClientSecretRequestStatus_To_clientsecret_OIDCClientSecretRequestStatus(in, out, s) +} + +func autoConvert_clientsecret_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus(in *clientsecret.OIDCClientSecretRequestStatus, out *OIDCClientSecretRequestStatus, s conversion.Scope) error { + out.GeneratedSecret = in.GeneratedSecret + out.TotalClientSecrets = in.TotalClientSecrets + return nil +} + +// Convert_clientsecret_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus is an autogenerated conversion function. +func Convert_clientsecret_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus(in *clientsecret.OIDCClientSecretRequestStatus, out *OIDCClientSecretRequestStatus, s conversion.Scope) error { + return autoConvert_clientsecret_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus(in, out, s) +} diff --git a/generated/1.22/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.deepcopy.go b/generated/1.22/apis/supervisor/clientsecret/v1alpha1/zz_generated.deepcopy.go similarity index 100% rename from generated/1.22/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.deepcopy.go rename to generated/1.22/apis/supervisor/clientsecret/v1alpha1/zz_generated.deepcopy.go diff --git a/generated/1.22/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.defaults.go b/generated/1.22/apis/supervisor/clientsecret/v1alpha1/zz_generated.defaults.go similarity index 100% rename from generated/1.22/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.defaults.go rename to generated/1.22/apis/supervisor/clientsecret/v1alpha1/zz_generated.defaults.go 
diff --git a/generated/1.22/apis/supervisor/clientsecret/zz_generated.deepcopy.go b/generated/1.22/apis/supervisor/clientsecret/zz_generated.deepcopy.go new file mode 100644 index 00000000..e0dc7d68 --- /dev/null +++ b/generated/1.22/apis/supervisor/clientsecret/zz_generated.deepcopy.go 
@@ -0,0 +1,73 @@ +//go:build !ignore_autogenerated +// +build !ignore_autogenerated + +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by deepcopy-gen. DO NOT EDIT. + +package clientsecret + +import ( + runtime "k8s.io/apimachinery/pkg/runtime" +) + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCClientSecretRequest) DeepCopyInto(out *OIDCClientSecretRequest) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + out.Spec = in.Spec + out.Status = in.Status + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSecretRequest. +func (in *OIDCClientSecretRequest) DeepCopy() *OIDCClientSecretRequest { + if in == nil { + return nil + } + out := new(OIDCClientSecretRequest) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *OIDCClientSecretRequest) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCClientSecretRequestSpec) DeepCopyInto(out *OIDCClientSecretRequestSpec) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSecretRequestSpec. +func (in *OIDCClientSecretRequestSpec) DeepCopy() *OIDCClientSecretRequestSpec { + if in == nil { + return nil + } + out := new(OIDCClientSecretRequestSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *OIDCClientSecretRequestStatus) DeepCopyInto(out *OIDCClientSecretRequestStatus) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSecretRequestStatus. +func (in *OIDCClientSecretRequestStatus) DeepCopy() *OIDCClientSecretRequestStatus { + if in == nil { + return nil + } + out := new(OIDCClientSecretRequestStatus) + in.DeepCopyInto(out) + return out +} diff --git a/generated/1.22/apis/supervisor/config/v1alpha1/register.go b/generated/1.22/apis/supervisor/config/v1alpha1/register.go index 69045298..54c51699 100644 --- a/generated/1.22/apis/supervisor/config/v1alpha1/register.go +++ b/generated/1.22/apis/supervisor/config/v1alpha1/register.go @@ -32,6 +32,8 @@ func addKnownTypes(scheme *runtime.Scheme) error { scheme.AddKnownTypes(SchemeGroupVersion, &FederationDomain{}, &FederationDomainList{}, + &OIDCClient{}, + &OIDCClientList{}, ) metav1.AddToGroupVersion(scheme, SchemeGroupVersion) return nil diff --git a/generated/1.22/apis/supervisor/oauth/v1alpha1/types_oidcclient.go b/generated/1.22/apis/supervisor/config/v1alpha1/types_oidcclient.go similarity index 100% rename from generated/1.22/apis/supervisor/oauth/v1alpha1/types_oidcclient.go rename to generated/1.22/apis/supervisor/config/v1alpha1/types_oidcclient.go diff --git a/generated/1.22/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go b/generated/1.22/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go index 856b8988..a55d88e7 100644 --- a/generated/1.22/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go +++ b/generated/1.22/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go 
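Review bot: Registering `&OIDCClient{}` and `&OIDCClientList{}` in `config/v1alpha1/register.go` moves the resource out of its own `oauth.supervisor.pinniped.dev` group (deleted further down) into `config.supervisor.pinniped.dev`, which changes the RBAC boundary: any ClusterRole or Role already scoped to that group with a resource wildcard (for example one meant for FederationDomain administration) now also grants access to OIDCClient objects, whose spec carries `AllowedRedirectURIs`, `AllowedGrantTypes` and `AllowedScopes`. Worth confirming that the shipped RBAC manifests and docs list resources explicitly for this group, and that the CRD manifest's group is updated in the same commit; neither is visible in this hunk. A short comment on the added lines, `// OIDCClient lives in the config group; RBAC for this group now covers it too.`, would record the decision for the next reader. `addKnownTypes` begins and ends outside the hunk.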
@@ -150,3 +150,111 @@ func (in *FederationDomainTLSSpec) DeepCopy() *FederationDomainTLSSpec { in.DeepCopyInto(out) return out } + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCClient) DeepCopyInto(out *OIDCClient) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + in.Spec.DeepCopyInto(&out.Spec) + out.Status = in.Status + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClient. +func (in *OIDCClient) DeepCopy() *OIDCClient { + if in == nil { + return nil + } + out := new(OIDCClient) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *OIDCClient) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCClientList) DeepCopyInto(out *OIDCClientList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]OIDCClient, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientList. +func (in *OIDCClientList) DeepCopy() *OIDCClientList { + if in == nil { + return nil + } + out := new(OIDCClientList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *OIDCClientList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. 
in must be non-nil. +func (in *OIDCClientSpec) DeepCopyInto(out *OIDCClientSpec) { + *out = *in + if in.AllowedRedirectURIs != nil { + in, out := &in.AllowedRedirectURIs, &out.AllowedRedirectURIs + *out = make([]string, len(*in)) + copy(*out, *in) + } + if in.AllowedGrantTypes != nil { + in, out := &in.AllowedGrantTypes, &out.AllowedGrantTypes + *out = make([]GrantType, len(*in)) + copy(*out, *in) + } + if in.AllowedScopes != nil { + in, out := &in.AllowedScopes, &out.AllowedScopes + *out = make([]Scope, len(*in)) + copy(*out, *in) + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSpec. +func (in *OIDCClientSpec) DeepCopy() *OIDCClientSpec { + if in == nil { + return nil + } + out := new(OIDCClientSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCClientStatus) DeepCopyInto(out *OIDCClientStatus) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientStatus. +func (in *OIDCClientStatus) DeepCopy() *OIDCClientStatus { + if in == nil { + return nil + } + out := new(OIDCClientStatus) + in.DeepCopyInto(out) + return out +} diff --git a/generated/1.22/apis/supervisor/oauth/v1alpha1/doc.go b/generated/1.22/apis/supervisor/oauth/v1alpha1/doc.go deleted file mode 100644 index 75580481..00000000 --- a/generated/1.22/apis/supervisor/oauth/v1alpha1/doc.go +++ /dev/null @@ -1,10 +0,0 @@ -// Copyright 2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// +k8s:openapi-gen=true -// +k8s:deepcopy-gen=package -// +k8s:defaulter-gen=TypeMeta -// +groupName=oauth.supervisor.pinniped.dev - -// Package v1alpha1 is the v1alpha1 version of the Pinniped supervisor oauth API. -package v1alpha1 
diff --git a/generated/1.22/apis/supervisor/oauth/v1alpha1/register.go b/generated/1.22/apis/supervisor/oauth/v1alpha1/register.go deleted file mode 100644 index 37ae1fbf..00000000 --- a/generated/1.22/apis/supervisor/oauth/v1alpha1/register.go +++ /dev/null @@ -1,43 +0,0 @@ -// Copyright 2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -package v1alpha1 - -import ( - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - "k8s.io/apimachinery/pkg/runtime" - "k8s.io/apimachinery/pkg/runtime/schema" -) - -const GroupName = "oauth.supervisor.pinniped.dev" - -// SchemeGroupVersion is group version used to register these objects. -var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha1"} - -var ( - SchemeBuilder runtime.SchemeBuilder - localSchemeBuilder = &SchemeBuilder - AddToScheme = localSchemeBuilder.AddToScheme -) - -func init() { - // We only register manually written functions here. The registration of the - // generated functions takes place in the generated files. The separation - // makes the code compile even when the generated files are missing. - localSchemeBuilder.Register(addKnownTypes) -} - -// Adds the list of known types to the given scheme. -func addKnownTypes(scheme *runtime.Scheme) error { - scheme.AddKnownTypes(SchemeGroupVersion, - &OIDCClient{}, - &OIDCClientList{}, - ) - metav1.AddToGroupVersion(scheme, SchemeGroupVersion) - return nil -} - -// Resource takes an unqualified resource and returns a Group qualified GroupResource. -func Resource(resource string) schema.GroupResource { - return SchemeGroupVersion.WithResource(resource).GroupResource() -} diff --git a/generated/1.22/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go b/generated/1.22/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go deleted file mode 100644 index 1aba8aea..00000000 --- a/generated/1.22/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go +++ /dev/null 
@@ -1,121 +0,0 @@ -//go:build !ignore_autogenerated -// +build !ignore_autogenerated - -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by deepcopy-gen. DO NOT EDIT. - -package v1alpha1 - -import ( - runtime "k8s.io/apimachinery/pkg/runtime" -) - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *OIDCClient) DeepCopyInto(out *OIDCClient) { - *out = *in - out.TypeMeta = in.TypeMeta - in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) - in.Spec.DeepCopyInto(&out.Spec) - out.Status = in.Status - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClient. -func (in *OIDCClient) DeepCopy() *OIDCClient { - if in == nil { - return nil - } - out := new(OIDCClient) - in.DeepCopyInto(out) - return out -} - -// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. -func (in *OIDCClient) DeepCopyObject() runtime.Object { - if c := in.DeepCopy(); c != nil { - return c - } - return nil -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *OIDCClientList) DeepCopyInto(out *OIDCClientList) { - *out = *in - out.TypeMeta = in.TypeMeta - in.ListMeta.DeepCopyInto(&out.ListMeta) - if in.Items != nil { - in, out := &in.Items, &out.Items - *out = make([]OIDCClient, len(*in)) - for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) - } - } - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientList. -func (in *OIDCClientList) DeepCopy() *OIDCClientList { - if in == nil { - return nil - } - out := new(OIDCClientList) - in.DeepCopyInto(out) - return out -} - -// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. 
-func (in *OIDCClientList) DeepCopyObject() runtime.Object { - if c := in.DeepCopy(); c != nil { - return c - } - return nil -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *OIDCClientSpec) DeepCopyInto(out *OIDCClientSpec) { - *out = *in - if in.AllowedRedirectURIs != nil { - in, out := &in.AllowedRedirectURIs, &out.AllowedRedirectURIs - *out = make([]string, len(*in)) - copy(*out, *in) - } - if in.AllowedGrantTypes != nil { - in, out := &in.AllowedGrantTypes, &out.AllowedGrantTypes - *out = make([]GrantType, len(*in)) - copy(*out, *in) - } - if in.AllowedScopes != nil { - in, out := &in.AllowedScopes, &out.AllowedScopes - *out = make([]Scope, len(*in)) - copy(*out, *in) - } - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSpec. -func (in *OIDCClientSpec) DeepCopy() *OIDCClientSpec { - if in == nil { - return nil - } - out := new(OIDCClientSpec) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *OIDCClientStatus) DeepCopyInto(out *OIDCClientStatus) { - *out = *in - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientStatus. -func (in *OIDCClientStatus) DeepCopy() *OIDCClientStatus { - if in == nil { - return nil - } - out := new(OIDCClientStatus) - in.DeepCopyInto(out) - return out -} diff --git a/generated/1.22/apis/supervisor/virtual/oauth/doc.go b/generated/1.22/apis/supervisor/virtual/oauth/doc.go deleted file mode 100644 index ca4e9a63..00000000 --- a/generated/1.22/apis/supervisor/virtual/oauth/doc.go +++ /dev/null 
@@ -1,8 +0,0 @@ -// Copyright 2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// +k8s:deepcopy-gen=package -// +groupName=oauth.virtual.supervisor.pinniped.dev - -// Package oauth is the internal version of the Pinniped virtual oauth API. -package oauth diff --git a/generated/1.22/apis/supervisor/virtual/oauth/register.go b/generated/1.22/apis/supervisor/virtual/oauth/register.go deleted file mode 100644 index a238d85f..00000000 --- a/generated/1.22/apis/supervisor/virtual/oauth/register.go +++ /dev/null @@ -1,37 +0,0 @@ -// Copyright 2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -package oauth - -import ( - "k8s.io/apimachinery/pkg/runtime" - "k8s.io/apimachinery/pkg/runtime/schema" -) - -const GroupName = "oauth.virtual.supervisor.pinniped.dev" - -// SchemeGroupVersion is group version used to register these objects. -var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: runtime.APIVersionInternal} - -// Kind takes an unqualified kind and returns back a Group qualified GroupKind. -func Kind(kind string) schema.GroupKind { - return SchemeGroupVersion.WithKind(kind).GroupKind() -} - -// Resource takes an unqualified resource and returns back a Group qualified GroupResource. -func Resource(resource string) schema.GroupResource { - return SchemeGroupVersion.WithResource(resource).GroupResource() -} - -var ( - SchemeBuilder = runtime.NewSchemeBuilder(addKnownTypes) - AddToScheme = SchemeBuilder.AddToScheme -) - -// Adds the list of known types to the given scheme. -func addKnownTypes(scheme *runtime.Scheme) error { - scheme.AddKnownTypes(SchemeGroupVersion, - &OIDCClientSecretRequest{}, - ) - return nil -} diff --git a/generated/1.22/apis/supervisor/virtual/oauth/types_oidcclientsecretrequest.go b/generated/1.22/apis/supervisor/virtual/oauth/types_oidcclientsecretrequest.go deleted file mode 100644 index ac54a93c..00000000 
--- a/generated/1.22/apis/supervisor/virtual/oauth/types_oidcclientsecretrequest.go +++ /dev/null @@ -1,25 +0,0 @@ -// Copyright 2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -package oauth - -import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - -type OIDCClientSecretRequestSpec struct { - GenerateNewSecret bool `json:"generateNewSecret"` - RevokeOldSecrets bool `json:"revokeOldSecrets"` -} - -type OIDCClientSecretRequestStatus struct { - GeneratedSecret string `json:"generatedSecret,omitempty"` - TotalClientSecrets int `json:"totalClientSecrets"` -} - -// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object -type OIDCClientSecretRequest struct { - metav1.TypeMeta `json:",inline"` - metav1.ObjectMeta `json:"metadata,omitempty"` // metadata.name must be set to the client ID - - Spec OIDCClientSecretRequestSpec `json:"spec"` - Status OIDCClientSecretRequestStatus `json:"status"` -} diff --git a/generated/1.22/apis/supervisor/virtual/oauth/v1alpha1/register.go b/generated/1.22/apis/supervisor/virtual/oauth/v1alpha1/register.go deleted file mode 100644 index ecc75a08..00000000 --- a/generated/1.22/apis/supervisor/virtual/oauth/v1alpha1/register.go +++ /dev/null 
@@ -1,42 +0,0 @@ -// Copyright 2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -package v1alpha1 - -import ( - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - "k8s.io/apimachinery/pkg/runtime" - "k8s.io/apimachinery/pkg/runtime/schema" -) - -const GroupName = "oauth.virtual.supervisor.pinniped.dev" - -// SchemeGroupVersion is group version used to register these objects. -var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha1"} - -var ( - SchemeBuilder runtime.SchemeBuilder - localSchemeBuilder = &SchemeBuilder - AddToScheme = SchemeBuilder.AddToScheme -) - -func init() { - // We only register manually written functions here. The registration of the - // generated functions takes place in the generated files. The separation - // makes the code compile even when the generated files are missing. - localSchemeBuilder.Register(addKnownTypes, addDefaultingFuncs) -} - -// Adds the list of known types to the given scheme. -func addKnownTypes(scheme *runtime.Scheme) error { - scheme.AddKnownTypes(SchemeGroupVersion, - &OIDCClientSecretRequest{}, - ) - metav1.AddToGroupVersion(scheme, SchemeGroupVersion) - return nil -} - -// Resource takes an unqualified resource and returns back a Group qualified GroupResource. -func Resource(resource string) schema.GroupResource { - return SchemeGroupVersion.WithResource(resource).GroupResource() -} diff --git a/generated/1.22/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.conversion.go b/generated/1.22/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.conversion.go deleted file mode 100644 index a0866234..00000000 --- a/generated/1.22/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.conversion.go +++ /dev/null 
@@ -1,131 +0,0 @@ -//go:build !ignore_autogenerated -// +build !ignore_autogenerated - -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by conversion-gen. DO NOT EDIT. - -package v1alpha1 - -import ( - oauth "go.pinniped.dev/generated/1.22/apis/supervisor/virtual/oauth" - conversion "k8s.io/apimachinery/pkg/conversion" - runtime "k8s.io/apimachinery/pkg/runtime" -) - -func init() { - localSchemeBuilder.Register(RegisterConversions) -} - -// RegisterConversions adds conversion functions to the given scheme. -// Public to allow building arbitrary schemes. -func RegisterConversions(s *runtime.Scheme) error { - if err := s.AddGeneratedConversionFunc((*OIDCClientSecretRequest)(nil), (*oauth.OIDCClientSecretRequest)(nil), func(a, b interface{}, scope conversion.Scope) error { - return Convert_v1alpha1_OIDCClientSecretRequest_To_oauth_OIDCClientSecretRequest(a.(*OIDCClientSecretRequest), b.(*oauth.OIDCClientSecretRequest), scope) - }); err != nil { - return err - } - if err := s.AddGeneratedConversionFunc((*oauth.OIDCClientSecretRequest)(nil), (*OIDCClientSecretRequest)(nil), func(a, b interface{}, scope conversion.Scope) error { - return Convert_oauth_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest(a.(*oauth.OIDCClientSecretRequest), b.(*OIDCClientSecretRequest), scope) - }); err != nil { - return err - } - if err := s.AddGeneratedConversionFunc((*OIDCClientSecretRequestSpec)(nil), (*oauth.OIDCClientSecretRequestSpec)(nil), func(a, b interface{}, scope conversion.Scope) error { - return Convert_v1alpha1_OIDCClientSecretRequestSpec_To_oauth_OIDCClientSecretRequestSpec(a.(*OIDCClientSecretRequestSpec), b.(*oauth.OIDCClientSecretRequestSpec), scope) - }); err != nil { - return err - } - if err := s.AddGeneratedConversionFunc((*oauth.OIDCClientSecretRequestSpec)(nil), (*OIDCClientSecretRequestSpec)(nil), func(a, b interface{}, scope conversion.Scope) error { - return 
Convert_oauth_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec(a.(*oauth.OIDCClientSecretRequestSpec), b.(*OIDCClientSecretRequestSpec), scope) - }); err != nil { - return err - } - if err := s.AddGeneratedConversionFunc((*OIDCClientSecretRequestStatus)(nil), (*oauth.OIDCClientSecretRequestStatus)(nil), func(a, b interface{}, scope conversion.Scope) error { - return Convert_v1alpha1_OIDCClientSecretRequestStatus_To_oauth_OIDCClientSecretRequestStatus(a.(*OIDCClientSecretRequestStatus), b.(*oauth.OIDCClientSecretRequestStatus), scope) - }); err != nil { - return err - } - if err := s.AddGeneratedConversionFunc((*oauth.OIDCClientSecretRequestStatus)(nil), (*OIDCClientSecretRequestStatus)(nil), func(a, b interface{}, scope conversion.Scope) error { - return Convert_oauth_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus(a.(*oauth.OIDCClientSecretRequestStatus), b.(*OIDCClientSecretRequestStatus), scope) - }); err != nil { - return err - } - return nil -} - -func autoConvert_v1alpha1_OIDCClientSecretRequest_To_oauth_OIDCClientSecretRequest(in *OIDCClientSecretRequest, out *oauth.OIDCClientSecretRequest, s conversion.Scope) error { - out.ObjectMeta = in.ObjectMeta - if err := Convert_v1alpha1_OIDCClientSecretRequestSpec_To_oauth_OIDCClientSecretRequestSpec(&in.Spec, &out.Spec, s); err != nil { - return err - } - if err := Convert_v1alpha1_OIDCClientSecretRequestStatus_To_oauth_OIDCClientSecretRequestStatus(&in.Status, &out.Status, s); err != nil { - return err - } - return nil -} - -// Convert_v1alpha1_OIDCClientSecretRequest_To_oauth_OIDCClientSecretRequest is an autogenerated conversion function. 
-func Convert_v1alpha1_OIDCClientSecretRequest_To_oauth_OIDCClientSecretRequest(in *OIDCClientSecretRequest, out *oauth.OIDCClientSecretRequest, s conversion.Scope) error { - return autoConvert_v1alpha1_OIDCClientSecretRequest_To_oauth_OIDCClientSecretRequest(in, out, s) -} - -func autoConvert_oauth_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest(in *oauth.OIDCClientSecretRequest, out *OIDCClientSecretRequest, s conversion.Scope) error { - out.ObjectMeta = in.ObjectMeta - if err := Convert_oauth_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec(&in.Spec, &out.Spec, s); err != nil { - return err - } - if err := Convert_oauth_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus(&in.Status, &out.Status, s); err != nil { - return err - } - return nil -} - -// Convert_oauth_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest is an autogenerated conversion function. -func Convert_oauth_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest(in *oauth.OIDCClientSecretRequest, out *OIDCClientSecretRequest, s conversion.Scope) error { - return autoConvert_oauth_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest(in, out, s) -} - -func autoConvert_v1alpha1_OIDCClientSecretRequestSpec_To_oauth_OIDCClientSecretRequestSpec(in *OIDCClientSecretRequestSpec, out *oauth.OIDCClientSecretRequestSpec, s conversion.Scope) error { - out.GenerateNewSecret = in.GenerateNewSecret - out.RevokeOldSecrets = in.RevokeOldSecrets - return nil -} - -// Convert_v1alpha1_OIDCClientSecretRequestSpec_To_oauth_OIDCClientSecretRequestSpec is an autogenerated conversion function. 
-func Convert_v1alpha1_OIDCClientSecretRequestSpec_To_oauth_OIDCClientSecretRequestSpec(in *OIDCClientSecretRequestSpec, out *oauth.OIDCClientSecretRequestSpec, s conversion.Scope) error { - return autoConvert_v1alpha1_OIDCClientSecretRequestSpec_To_oauth_OIDCClientSecretRequestSpec(in, out, s) -} - -func autoConvert_oauth_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec(in *oauth.OIDCClientSecretRequestSpec, out *OIDCClientSecretRequestSpec, s conversion.Scope) error { - out.GenerateNewSecret = in.GenerateNewSecret - out.RevokeOldSecrets = in.RevokeOldSecrets - return nil -} - -// Convert_oauth_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec is an autogenerated conversion function. -func Convert_oauth_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec(in *oauth.OIDCClientSecretRequestSpec, out *OIDCClientSecretRequestSpec, s conversion.Scope) error { - return autoConvert_oauth_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec(in, out, s) -} - -func autoConvert_v1alpha1_OIDCClientSecretRequestStatus_To_oauth_OIDCClientSecretRequestStatus(in *OIDCClientSecretRequestStatus, out *oauth.OIDCClientSecretRequestStatus, s conversion.Scope) error { - out.GeneratedSecret = in.GeneratedSecret - out.TotalClientSecrets = in.TotalClientSecrets - return nil -} - -// Convert_v1alpha1_OIDCClientSecretRequestStatus_To_oauth_OIDCClientSecretRequestStatus is an autogenerated conversion function. 
-func Convert_v1alpha1_OIDCClientSecretRequestStatus_To_oauth_OIDCClientSecretRequestStatus(in *OIDCClientSecretRequestStatus, out *oauth.OIDCClientSecretRequestStatus, s conversion.Scope) error { - return autoConvert_v1alpha1_OIDCClientSecretRequestStatus_To_oauth_OIDCClientSecretRequestStatus(in, out, s) -} - -func autoConvert_oauth_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus(in *oauth.OIDCClientSecretRequestStatus, out *OIDCClientSecretRequestStatus, s conversion.Scope) error { - out.GeneratedSecret = in.GeneratedSecret - out.TotalClientSecrets = in.TotalClientSecrets - return nil -} - -// Convert_oauth_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus is an autogenerated conversion function. -func Convert_oauth_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus(in *oauth.OIDCClientSecretRequestStatus, out *OIDCClientSecretRequestStatus, s conversion.Scope) error { - return autoConvert_oauth_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus(in, out, s) -} diff --git a/generated/1.22/apis/supervisor/virtual/oauth/zz_generated.deepcopy.go b/generated/1.22/apis/supervisor/virtual/oauth/zz_generated.deepcopy.go deleted file mode 100644 index 24b58e7b..00000000 --- a/generated/1.22/apis/supervisor/virtual/oauth/zz_generated.deepcopy.go +++ /dev/null 
@@ -1,73 +0,0 @@ -//go:build !ignore_autogenerated -// +build !ignore_autogenerated - -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by deepcopy-gen. DO NOT EDIT. - -package oauth - -import ( - runtime "k8s.io/apimachinery/pkg/runtime" -) - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *OIDCClientSecretRequest) DeepCopyInto(out *OIDCClientSecretRequest) { - *out = *in - out.TypeMeta = in.TypeMeta - in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) - out.Spec = in.Spec - out.Status = in.Status - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSecretRequest. -func (in *OIDCClientSecretRequest) DeepCopy() *OIDCClientSecretRequest { - if in == nil { - return nil - } - out := new(OIDCClientSecretRequest) - in.DeepCopyInto(out) - return out -} - -// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. -func (in *OIDCClientSecretRequest) DeepCopyObject() runtime.Object { - if c := in.DeepCopy(); c != nil { - return c - } - return nil -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *OIDCClientSecretRequestSpec) DeepCopyInto(out *OIDCClientSecretRequestSpec) { - *out = *in - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSecretRequestSpec. -func (in *OIDCClientSecretRequestSpec) DeepCopy() *OIDCClientSecretRequestSpec { - if in == nil { - return nil - } - out := new(OIDCClientSecretRequestSpec) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
-func (in *OIDCClientSecretRequestStatus) DeepCopyInto(out *OIDCClientSecretRequestStatus) { - *out = *in - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSecretRequestStatus. -func (in *OIDCClientSecretRequestStatus) DeepCopy() *OIDCClientSecretRequestStatus { - if in == nil { - return nil - } - out := new(OIDCClientSecretRequestStatus) - in.DeepCopyInto(out) - return out -} diff --git a/generated/1.22/client/supervisor/clientset/versioned/clientset.go b/generated/1.22/client/supervisor/clientset/versioned/clientset.go index dcdcab22..a9de9109 100644 --- a/generated/1.22/client/supervisor/clientset/versioned/clientset.go +++ b/generated/1.22/client/supervisor/clientset/versioned/clientset.go @@ -8,9 +8,9 @@ package versioned import ( "fmt" + clientsecretv1alpha1 "go.pinniped.dev/generated/1.22/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1" configv1alpha1 "go.pinniped.dev/generated/1.22/client/supervisor/clientset/versioned/typed/config/v1alpha1" idpv1alpha1 "go.pinniped.dev/generated/1.22/client/supervisor/clientset/versioned/typed/idp/v1alpha1" - oauthv1alpha1 "go.pinniped.dev/generated/1.22/client/supervisor/clientset/versioned/typed/oauth/v1alpha1" discovery "k8s.io/client-go/discovery" rest "k8s.io/client-go/rest" flowcontrol "k8s.io/client-go/util/flowcontrol" 
@@ -18,18 +18,23 @@ import ( type Interface interface { Discovery() discovery.DiscoveryInterface + ClientsecretV1alpha1() clientsecretv1alpha1.ClientsecretV1alpha1Interface ConfigV1alpha1() configv1alpha1.ConfigV1alpha1Interface IDPV1alpha1() idpv1alpha1.IDPV1alpha1Interface - OauthV1alpha1() oauthv1alpha1.OauthV1alpha1Interface } // Clientset contains the clients for groups. Each group has exactly one // version included in a Clientset. type Clientset struct { *discovery.DiscoveryClient - configV1alpha1 *configv1alpha1.ConfigV1alpha1Client - iDPV1alpha1 *idpv1alpha1.IDPV1alpha1Client - oauthV1alpha1 *oauthv1alpha1.OauthV1alpha1Client + clientsecretV1alpha1 *clientsecretv1alpha1.ClientsecretV1alpha1Client + configV1alpha1 *configv1alpha1.ConfigV1alpha1Client + iDPV1alpha1 *idpv1alpha1.IDPV1alpha1Client +} + +// ClientsecretV1alpha1 retrieves the ClientsecretV1alpha1Client +func (c *Clientset) ClientsecretV1alpha1() clientsecretv1alpha1.ClientsecretV1alpha1Interface { + return c.clientsecretV1alpha1 } // ConfigV1alpha1 retrieves the ConfigV1alpha1Client @@ -42,11 +47,6 @@ func (c *Clientset) IDPV1alpha1() idpv1alpha1.IDPV1alpha1Interface { return c.iDPV1alpha1 } -// OauthV1alpha1 retrieves the OauthV1alpha1Client -func (c *Clientset) OauthV1alpha1() oauthv1alpha1.OauthV1alpha1Interface { - return c.oauthV1alpha1 -} - // Discovery retrieves the DiscoveryClient func (c *Clientset) Discovery() discovery.DiscoveryInterface { if c == nil { @@ -68,6 +68,10 @@ func NewForConfig(c *rest.Config) (*Clientset, error) { } var cs Clientset var err error + cs.clientsecretV1alpha1, err = clientsecretv1alpha1.NewForConfig(&configShallowCopy) + if err != nil { + return nil, err + } cs.configV1alpha1, err = configv1alpha1.NewForConfig(&configShallowCopy) if err != nil { return nil, err 
@@ -76,10 +80,6 @@ func NewForConfig(c *rest.Config) (*Clientset, error) { if err != nil { return nil, err } - cs.oauthV1alpha1, err = oauthv1alpha1.NewForConfig(&configShallowCopy) - if err != nil { - return nil, err - } cs.DiscoveryClient, err = discovery.NewDiscoveryClientForConfig(&configShallowCopy) if err != nil { @@ -92,9 +92,9 @@ func NewForConfig(c *rest.Config) (*Clientset, error) { // panics if there is an error in the config. func NewForConfigOrDie(c *rest.Config) *Clientset { var cs Clientset + cs.clientsecretV1alpha1 = clientsecretv1alpha1.NewForConfigOrDie(c) cs.configV1alpha1 = configv1alpha1.NewForConfigOrDie(c) cs.iDPV1alpha1 = idpv1alpha1.NewForConfigOrDie(c) - cs.oauthV1alpha1 = oauthv1alpha1.NewForConfigOrDie(c) cs.DiscoveryClient = discovery.NewDiscoveryClientForConfigOrDie(c) return &cs @@ -103,9 +103,9 @@ func NewForConfigOrDie(c *rest.Config) *Clientset { // New creates a new Clientset for the given RESTClient. func New(c rest.Interface) *Clientset { var cs Clientset + cs.clientsecretV1alpha1 = clientsecretv1alpha1.New(c) cs.configV1alpha1 = configv1alpha1.New(c) cs.iDPV1alpha1 = idpv1alpha1.New(c) - cs.oauthV1alpha1 = oauthv1alpha1.New(c) cs.DiscoveryClient = discovery.NewDiscoveryClient(c) return &cs diff --git a/generated/1.22/client/supervisor/clientset/versioned/fake/clientset_generated.go b/generated/1.22/client/supervisor/clientset/versioned/fake/clientset_generated.go index 492217cf..019ab12d 100644 --- a/generated/1.22/client/supervisor/clientset/versioned/fake/clientset_generated.go +++ b/generated/1.22/client/supervisor/clientset/versioned/fake/clientset_generated.go 
@@ -7,12 +7,12 @@ package fake import ( clientset "go.pinniped.dev/generated/1.22/client/supervisor/clientset/versioned" + clientsecretv1alpha1 "go.pinniped.dev/generated/1.22/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1" + fakeclientsecretv1alpha1 "go.pinniped.dev/generated/1.22/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/fake" configv1alpha1 "go.pinniped.dev/generated/1.22/client/supervisor/clientset/versioned/typed/config/v1alpha1" fakeconfigv1alpha1 "go.pinniped.dev/generated/1.22/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake" idpv1alpha1 "go.pinniped.dev/generated/1.22/client/supervisor/clientset/versioned/typed/idp/v1alpha1" fakeidpv1alpha1 "go.pinniped.dev/generated/1.22/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake" - oauthv1alpha1 "go.pinniped.dev/generated/1.22/client/supervisor/clientset/versioned/typed/oauth/v1alpha1" - fakeoauthv1alpha1 "go.pinniped.dev/generated/1.22/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake" "k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/watch" "k8s.io/client-go/discovery" @@ -70,6 +70,11 @@ var ( _ testing.FakeClient = &Clientset{} ) +// ClientsecretV1alpha1 retrieves the ClientsecretV1alpha1Client +func (c *Clientset) ClientsecretV1alpha1() clientsecretv1alpha1.ClientsecretV1alpha1Interface { + return &fakeclientsecretv1alpha1.FakeClientsecretV1alpha1{Fake: &c.Fake} +} + // ConfigV1alpha1 retrieves the ConfigV1alpha1Client func (c *Clientset) ConfigV1alpha1() configv1alpha1.ConfigV1alpha1Interface { return &fakeconfigv1alpha1.FakeConfigV1alpha1{Fake: &c.Fake} 
@@ -79,8 +84,3 @@ func (c *Clientset) ConfigV1alpha1() configv1alpha1.ConfigV1alpha1Interface { func (c *Clientset) IDPV1alpha1() idpv1alpha1.IDPV1alpha1Interface { return &fakeidpv1alpha1.FakeIDPV1alpha1{Fake: &c.Fake} } - -// OauthV1alpha1 retrieves the OauthV1alpha1Client -func (c *Clientset) OauthV1alpha1() oauthv1alpha1.OauthV1alpha1Interface { - return &fakeoauthv1alpha1.FakeOauthV1alpha1{Fake: &c.Fake} -} diff --git a/generated/1.22/client/supervisor/clientset/versioned/fake/register.go b/generated/1.22/client/supervisor/clientset/versioned/fake/register.go index 690d6ee3..bb341d36 100644 --- a/generated/1.22/client/supervisor/clientset/versioned/fake/register.go +++ b/generated/1.22/client/supervisor/clientset/versioned/fake/register.go @@ -6,9 +6,9 @@ package fake import ( + clientsecretv1alpha1 "go.pinniped.dev/generated/1.22/apis/supervisor/clientsecret/v1alpha1" configv1alpha1 "go.pinniped.dev/generated/1.22/apis/supervisor/config/v1alpha1" idpv1alpha1 "go.pinniped.dev/generated/1.22/apis/supervisor/idp/v1alpha1" - oauthv1alpha1 "go.pinniped.dev/generated/1.22/apis/supervisor/oauth/v1alpha1" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" runtime "k8s.io/apimachinery/pkg/runtime" schema "k8s.io/apimachinery/pkg/runtime/schema" @@ -20,9 +20,9 @@ var scheme = runtime.NewScheme() var codecs = serializer.NewCodecFactory(scheme) var localSchemeBuilder = runtime.SchemeBuilder{ + clientsecretv1alpha1.AddToScheme, configv1alpha1.AddToScheme, idpv1alpha1.AddToScheme, - oauthv1alpha1.AddToScheme, } // AddToScheme adds all types of this clientset into the given scheme. This allows composition diff --git a/generated/1.22/client/supervisor/clientset/versioned/scheme/register.go b/generated/1.22/client/supervisor/clientset/versioned/scheme/register.go index 99bafb85..4cd7f66b 100644 --- a/generated/1.22/client/supervisor/clientset/versioned/scheme/register.go +++ b/generated/1.22/client/supervisor/clientset/versioned/scheme/register.go 
@@ -6,9 +6,9 @@ package scheme import ( + clientsecretv1alpha1 "go.pinniped.dev/generated/1.22/apis/supervisor/clientsecret/v1alpha1" configv1alpha1 "go.pinniped.dev/generated/1.22/apis/supervisor/config/v1alpha1" idpv1alpha1 "go.pinniped.dev/generated/1.22/apis/supervisor/idp/v1alpha1" - oauthv1alpha1 "go.pinniped.dev/generated/1.22/apis/supervisor/oauth/v1alpha1" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" runtime "k8s.io/apimachinery/pkg/runtime" schema "k8s.io/apimachinery/pkg/runtime/schema" @@ -20,9 +20,9 @@ var Scheme = runtime.NewScheme() var Codecs = serializer.NewCodecFactory(Scheme) var ParameterCodec = runtime.NewParameterCodec(Scheme) var localSchemeBuilder = runtime.SchemeBuilder{ + clientsecretv1alpha1.AddToScheme, configv1alpha1.AddToScheme, idpv1alpha1.AddToScheme, - oauthv1alpha1.AddToScheme, } // AddToScheme adds all types of this clientset into the given scheme. This allows composition diff --git a/generated/1.22/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/clientsecret_client.go b/generated/1.22/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/clientsecret_client.go new file mode 100644 index 00000000..e73afeb8 --- /dev/null +++ b/generated/1.22/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/clientsecret_client.go 
@@ -0,0 +1,76 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + v1alpha1 "go.pinniped.dev/generated/1.22/apis/supervisor/clientsecret/v1alpha1" + "go.pinniped.dev/generated/1.22/client/supervisor/clientset/versioned/scheme" + rest "k8s.io/client-go/rest" +) + +type ClientsecretV1alpha1Interface interface { + RESTClient() rest.Interface + OIDCClientSecretRequestsGetter +} + +// ClientsecretV1alpha1Client is used to interact with features provided by the clientsecret.supervisor.pinniped.dev group. +type ClientsecretV1alpha1Client struct { + restClient rest.Interface +} + +func (c *ClientsecretV1alpha1Client) OIDCClientSecretRequests(namespace string) OIDCClientSecretRequestInterface { + return newOIDCClientSecretRequests(c, namespace) +} + +// NewForConfig creates a new ClientsecretV1alpha1Client for the given config. +func NewForConfig(c *rest.Config) (*ClientsecretV1alpha1Client, error) { + config := *c + if err := setConfigDefaults(&config); err != nil { + return nil, err + } + client, err := rest.RESTClientFor(&config) + if err != nil { + return nil, err + } + return &ClientsecretV1alpha1Client{client}, nil +} + +// NewForConfigOrDie creates a new ClientsecretV1alpha1Client for the given config and +// panics if there is an error in the config. +func NewForConfigOrDie(c *rest.Config) *ClientsecretV1alpha1Client { + client, err := NewForConfig(c) + if err != nil { + panic(err) + } + return client +} + +// New creates a new ClientsecretV1alpha1Client for the given RESTClient. 
+func New(c rest.Interface) *ClientsecretV1alpha1Client { + return &ClientsecretV1alpha1Client{c} +} + +func setConfigDefaults(config *rest.Config) error { + gv := v1alpha1.SchemeGroupVersion + config.GroupVersion = &gv + config.APIPath = "/apis" + config.NegotiatedSerializer = scheme.Codecs.WithoutConversion() + + if config.UserAgent == "" { + config.UserAgent = rest.DefaultKubernetesUserAgent() + } + + return nil +} + +// RESTClient returns a RESTClient that is used to communicate +// with API server by this client implementation. +func (c *ClientsecretV1alpha1Client) RESTClient() rest.Interface { + if c == nil { + return nil + } + return c.restClient +} diff --git a/generated/1.19/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/doc.go b/generated/1.22/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/doc.go similarity index 100% rename from generated/1.19/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/doc.go rename to generated/1.22/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/doc.go diff --git a/generated/1.19/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go b/generated/1.22/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/fake/doc.go similarity index 100% rename from generated/1.19/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go rename to generated/1.22/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/fake/doc.go 
diff --git a/generated/1.22/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go b/generated/1.22/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/fake/fake_clientsecret_client.go similarity index 60% rename from generated/1.22/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go rename to generated/1.22/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/fake/fake_clientsecret_client.go index 7f7620ad..ecc67030 100644 --- a/generated/1.22/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go +++ b/generated/1.22/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/fake/fake_clientsecret_client.go @@ -6,22 +6,22 @@ package fake import ( - v1alpha1 "go.pinniped.dev/generated/1.22/client/supervisor/clientset/versioned/typed/oauth/v1alpha1" + v1alpha1 "go.pinniped.dev/generated/1.22/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1" rest "k8s.io/client-go/rest" testing "k8s.io/client-go/testing" ) -type FakeOauthV1alpha1 struct { +type FakeClientsecretV1alpha1 struct { *testing.Fake } -func (c *FakeOauthV1alpha1) OIDCClients(namespace string) v1alpha1.OIDCClientInterface { - return &FakeOIDCClients{c, namespace} +func (c *FakeClientsecretV1alpha1) OIDCClientSecretRequests(namespace string) v1alpha1.OIDCClientSecretRequestInterface { + return &FakeOIDCClientSecretRequests{c, namespace} } // RESTClient returns a RESTClient that is used to communicate // with API server by this client implementation. -func (c *FakeOauthV1alpha1) RESTClient() rest.Interface { +func (c *FakeClientsecretV1alpha1) RESTClient() rest.Interface { var ret *rest.RESTClient return ret } 
diff --git a/generated/1.22/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/fake/fake_oidcclientsecretrequest.go b/generated/1.22/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/fake/fake_oidcclientsecretrequest.go new file mode 100644 index 00000000..5361ede1 --- /dev/null +++ b/generated/1.22/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/fake/fake_oidcclientsecretrequest.go 
@@ -0,0 +1,36 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package fake + +import ( + "context" + + v1alpha1 "go.pinniped.dev/generated/1.22/apis/supervisor/clientsecret/v1alpha1" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + schema "k8s.io/apimachinery/pkg/runtime/schema" + testing "k8s.io/client-go/testing" +) + +// FakeOIDCClientSecretRequests implements OIDCClientSecretRequestInterface +type FakeOIDCClientSecretRequests struct { + Fake *FakeClientsecretV1alpha1 + ns string +} + +var oidcclientsecretrequestsResource = schema.GroupVersionResource{Group: "clientsecret.supervisor.pinniped.dev", Version: "v1alpha1", Resource: "oidcclientsecretrequests"} + +var oidcclientsecretrequestsKind = schema.GroupVersionKind{Group: "clientsecret.supervisor.pinniped.dev", Version: "v1alpha1", Kind: "OIDCClientSecretRequest"} + +// Create takes the representation of a oIDCClientSecretRequest and creates it. Returns the server's representation of the oIDCClientSecretRequest, and an error, if there is any. +func (c *FakeOIDCClientSecretRequests) Create(ctx context.Context, oIDCClientSecretRequest *v1alpha1.OIDCClientSecretRequest, opts v1.CreateOptions) (result *v1alpha1.OIDCClientSecretRequest, err error) { + obj, err := c.Fake. + Invokes(testing.NewCreateAction(oidcclientsecretrequestsResource, c.ns, oIDCClientSecretRequest), &v1alpha1.OIDCClientSecretRequest{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.OIDCClientSecretRequest), err +} 
diff --git a/generated/1.22/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go b/generated/1.22/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/generated_expansion.go similarity index 100% rename from generated/1.22/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go rename to generated/1.22/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/generated_expansion.go diff --git a/generated/1.22/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/oidcclientsecretrequest.go b/generated/1.22/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/oidcclientsecretrequest.go new file mode 100644 index 00000000..7b672a44 --- /dev/null +++ b/generated/1.22/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/oidcclientsecretrequest.go 
@@ -0,0 +1,54 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + "context" + + v1alpha1 "go.pinniped.dev/generated/1.22/apis/supervisor/clientsecret/v1alpha1" + scheme "go.pinniped.dev/generated/1.22/client/supervisor/clientset/versioned/scheme" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + rest "k8s.io/client-go/rest" +) + +// OIDCClientSecretRequestsGetter has a method to return a OIDCClientSecretRequestInterface. +// A group's client should implement this interface. +type OIDCClientSecretRequestsGetter interface { + OIDCClientSecretRequests(namespace string) OIDCClientSecretRequestInterface +} + +// OIDCClientSecretRequestInterface has methods to work with OIDCClientSecretRequest resources. +type OIDCClientSecretRequestInterface interface { + Create(ctx context.Context, oIDCClientSecretRequest *v1alpha1.OIDCClientSecretRequest, opts v1.CreateOptions) (*v1alpha1.OIDCClientSecretRequest, error) + OIDCClientSecretRequestExpansion +} + +// oIDCClientSecretRequests implements OIDCClientSecretRequestInterface +type oIDCClientSecretRequests struct { + client rest.Interface + ns string +} + +// newOIDCClientSecretRequests returns a OIDCClientSecretRequests +func newOIDCClientSecretRequests(c *ClientsecretV1alpha1Client, namespace string) *oIDCClientSecretRequests { + return &oIDCClientSecretRequests{ + client: c.RESTClient(), + ns: namespace, + } +} + +// Create takes the representation of a oIDCClientSecretRequest and creates it. Returns the server's representation of the oIDCClientSecretRequest, and an error, if there is any. +func (c *oIDCClientSecretRequests) Create(ctx context.Context, oIDCClientSecretRequest *v1alpha1.OIDCClientSecretRequest, opts v1.CreateOptions) (result *v1alpha1.OIDCClientSecretRequest, err error) { + result = &v1alpha1.OIDCClientSecretRequest{} + err = c.client.Post(). + Namespace(c.ns). 
+ Resource("oidcclientsecretrequests"). + VersionedParams(&opts, scheme.ParameterCodec). + Body(oIDCClientSecretRequest). + Do(ctx). + Into(result) + return +} diff --git a/generated/1.22/client/supervisor/clientset/versioned/typed/config/v1alpha1/config_client.go b/generated/1.22/client/supervisor/clientset/versioned/typed/config/v1alpha1/config_client.go index 8b13c709..252b4962 100644 --- a/generated/1.22/client/supervisor/clientset/versioned/typed/config/v1alpha1/config_client.go +++ b/generated/1.22/client/supervisor/clientset/versioned/typed/config/v1alpha1/config_client.go @@ -14,6 +14,7 @@ import ( type ConfigV1alpha1Interface interface { RESTClient() rest.Interface FederationDomainsGetter + OIDCClientsGetter } // ConfigV1alpha1Client is used to interact with features provided by the config.supervisor.pinniped.dev group. @@ -25,6 +26,10 @@ func (c *ConfigV1alpha1Client) FederationDomains(namespace string) FederationDom return newFederationDomains(c, namespace) } +func (c *ConfigV1alpha1Client) OIDCClients(namespace string) OIDCClientInterface { + return newOIDCClients(c, namespace) +} + // NewForConfig creates a new ConfigV1alpha1Client for the given config. func NewForConfig(c *rest.Config) (*ConfigV1alpha1Client, error) { config := *c diff --git a/generated/1.22/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake/fake_config_client.go b/generated/1.22/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake/fake_config_client.go index 309e08b8..1ad242eb 100644 --- a/generated/1.22/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake/fake_config_client.go +++ b/generated/1.22/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake/fake_config_client.go 
@@ -19,6 +19,10 @@ func (c *FakeConfigV1alpha1) FederationDomains(namespace string) v1alpha1.Federa return &FakeFederationDomains{c, namespace} } +func (c *FakeConfigV1alpha1) OIDCClients(namespace string) v1alpha1.OIDCClientInterface { + return &FakeOIDCClients{c, namespace} +} + // RESTClient returns a RESTClient that is used to communicate // with API server by this client implementation. func (c *FakeConfigV1alpha1) RESTClient() rest.Interface { diff --git a/generated/1.22/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake/fake_oidcclient.go b/generated/1.22/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake/fake_oidcclient.go new file mode 100644 index 00000000..49ce2584 --- /dev/null +++ b/generated/1.22/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake/fake_oidcclient.go 
@@ -0,0 +1,129 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package fake + +import ( + "context" + + v1alpha1 "go.pinniped.dev/generated/1.22/apis/supervisor/config/v1alpha1" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + labels "k8s.io/apimachinery/pkg/labels" + schema "k8s.io/apimachinery/pkg/runtime/schema" + types "k8s.io/apimachinery/pkg/types" + watch "k8s.io/apimachinery/pkg/watch" + testing "k8s.io/client-go/testing" +) + +// FakeOIDCClients implements OIDCClientInterface +type FakeOIDCClients struct { + Fake *FakeConfigV1alpha1 + ns string +} + +var oidcclientsResource = schema.GroupVersionResource{Group: "config.supervisor.pinniped.dev", Version: "v1alpha1", Resource: "oidcclients"} + +var oidcclientsKind = schema.GroupVersionKind{Group: "config.supervisor.pinniped.dev", Version: "v1alpha1", Kind: "OIDCClient"} + +// Get takes name of the oIDCClient, and returns the corresponding oIDCClient object, and an error if there is any. +func (c *FakeOIDCClients) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.OIDCClient, err error) { + obj, err := c.Fake. + Invokes(testing.NewGetAction(oidcclientsResource, c.ns, name), &v1alpha1.OIDCClient{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.OIDCClient), err +} + +// List takes label and field selectors, and returns the list of OIDCClients that match those selectors. +func (c *FakeOIDCClients) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.OIDCClientList, err error) { + obj, err := c.Fake. 
+ Invokes(testing.NewListAction(oidcclientsResource, oidcclientsKind, c.ns, opts), &v1alpha1.OIDCClientList{}) + + if obj == nil { + return nil, err + } + + label, _, _ := testing.ExtractFromListOptions(opts) + if label == nil { + label = labels.Everything() + } + list := &v1alpha1.OIDCClientList{ListMeta: obj.(*v1alpha1.OIDCClientList).ListMeta} + for _, item := range obj.(*v1alpha1.OIDCClientList).Items { + if label.Matches(labels.Set(item.Labels)) { + list.Items = append(list.Items, item) + } + } + return list, err +} + +// Watch returns a watch.Interface that watches the requested oIDCClients. +func (c *FakeOIDCClients) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) { + return c.Fake. + InvokesWatch(testing.NewWatchAction(oidcclientsResource, c.ns, opts)) + +} + +// Create takes the representation of a oIDCClient and creates it. Returns the server's representation of the oIDCClient, and an error, if there is any. +func (c *FakeOIDCClients) Create(ctx context.Context, oIDCClient *v1alpha1.OIDCClient, opts v1.CreateOptions) (result *v1alpha1.OIDCClient, err error) { + obj, err := c.Fake. + Invokes(testing.NewCreateAction(oidcclientsResource, c.ns, oIDCClient), &v1alpha1.OIDCClient{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.OIDCClient), err +} + +// Update takes the representation of a oIDCClient and updates it. Returns the server's representation of the oIDCClient, and an error, if there is any. +func (c *FakeOIDCClients) Update(ctx context.Context, oIDCClient *v1alpha1.OIDCClient, opts v1.UpdateOptions) (result *v1alpha1.OIDCClient, err error) { + obj, err := c.Fake. + Invokes(testing.NewUpdateAction(oidcclientsResource, c.ns, oIDCClient), &v1alpha1.OIDCClient{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.OIDCClient), err +} + +// UpdateStatus was generated because the type contains a Status member. +// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus(). 
+func (c *FakeOIDCClients) UpdateStatus(ctx context.Context, oIDCClient *v1alpha1.OIDCClient, opts v1.UpdateOptions) (*v1alpha1.OIDCClient, error) { + obj, err := c.Fake. + Invokes(testing.NewUpdateSubresourceAction(oidcclientsResource, "status", c.ns, oIDCClient), &v1alpha1.OIDCClient{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.OIDCClient), err +} + +// Delete takes name of the oIDCClient and deletes it. Returns an error if one occurs. +func (c *FakeOIDCClients) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error { + _, err := c.Fake. + Invokes(testing.NewDeleteAction(oidcclientsResource, c.ns, name), &v1alpha1.OIDCClient{}) + + return err +} + +// DeleteCollection deletes a collection of objects. +func (c *FakeOIDCClients) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error { + action := testing.NewDeleteCollectionAction(oidcclientsResource, c.ns, listOpts) + + _, err := c.Fake.Invokes(action, &v1alpha1.OIDCClientList{}) + return err +} + +// Patch applies the patch and returns the patched oIDCClient. +func (c *FakeOIDCClients) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.OIDCClient, err error) { + obj, err := c.Fake. + Invokes(testing.NewPatchSubresourceAction(oidcclientsResource, c.ns, name, pt, data, subresources...), &v1alpha1.OIDCClient{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.OIDCClient), err +} diff --git a/generated/1.22/client/supervisor/clientset/versioned/typed/config/v1alpha1/generated_expansion.go b/generated/1.22/client/supervisor/clientset/versioned/typed/config/v1alpha1/generated_expansion.go index ba9c9173..35b9ee3d 100644 --- a/generated/1.22/client/supervisor/clientset/versioned/typed/config/v1alpha1/generated_expansion.go +++ b/generated/1.22/client/supervisor/clientset/versioned/typed/config/v1alpha1/generated_expansion.go 
@@ -6,3 +6,5 @@ package v1alpha1 type FederationDomainExpansion interface{} + +type OIDCClientExpansion interface{} diff --git a/generated/1.22/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oidcclient.go b/generated/1.22/client/supervisor/clientset/versioned/typed/config/v1alpha1/oidcclient.go similarity index 97% rename from generated/1.22/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oidcclient.go rename to generated/1.22/client/supervisor/clientset/versioned/typed/config/v1alpha1/oidcclient.go index be9f6246..8d5bdab6 100644 --- a/generated/1.22/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oidcclient.go +++ b/generated/1.22/client/supervisor/clientset/versioned/typed/config/v1alpha1/oidcclient.go @@ -9,7 +9,7 @@ import ( "context" "time" - v1alpha1 "go.pinniped.dev/generated/1.22/apis/supervisor/oauth/v1alpha1" + v1alpha1 "go.pinniped.dev/generated/1.22/apis/supervisor/config/v1alpha1" scheme "go.pinniped.dev/generated/1.22/client/supervisor/clientset/versioned/scheme" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" types "k8s.io/apimachinery/pkg/types" @@ -44,7 +44,7 @@ type oIDCClients struct { } // newOIDCClients returns a OIDCClients -func newOIDCClients(c *OauthV1alpha1Client, namespace string) *oIDCClients { +func newOIDCClients(c *ConfigV1alpha1Client, namespace string) *oIDCClients { return &oIDCClients{ client: c.RESTClient(), ns: namespace, diff --git a/generated/1.22/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/doc.go b/generated/1.22/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/doc.go deleted file mode 100644 index e7a470b6..00000000 --- a/generated/1.22/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/doc.go +++ /dev/null @@ -1,7 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by client-gen. DO NOT EDIT. - -// This package has the automatically generated typed clients. -package v1alpha1 
diff --git a/generated/1.22/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go b/generated/1.22/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go deleted file mode 100644 index 7906901b..00000000 --- a/generated/1.22/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go +++ /dev/null @@ -1,7 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by client-gen. DO NOT EDIT. - -// Package fake has the automatically generated clients. -package fake diff --git a/generated/1.22/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oidcclient.go b/generated/1.22/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oidcclient.go deleted file mode 100644 index afddba32..00000000 --- a/generated/1.22/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oidcclient.go +++ /dev/null 
@@ -1,129 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by client-gen. DO NOT EDIT. - -package fake - -import ( - "context" - - v1alpha1 "go.pinniped.dev/generated/1.22/apis/supervisor/oauth/v1alpha1" - v1 "k8s.io/apimachinery/pkg/apis/meta/v1" - labels "k8s.io/apimachinery/pkg/labels" - schema "k8s.io/apimachinery/pkg/runtime/schema" - types "k8s.io/apimachinery/pkg/types" - watch "k8s.io/apimachinery/pkg/watch" - testing "k8s.io/client-go/testing" -) - -// FakeOIDCClients implements OIDCClientInterface -type FakeOIDCClients struct { - Fake *FakeOauthV1alpha1 - ns string -} - -var oidcclientsResource = schema.GroupVersionResource{Group: "oauth.supervisor.pinniped.dev", Version: "v1alpha1", Resource: "oidcclients"} - -var oidcclientsKind = schema.GroupVersionKind{Group: "oauth.supervisor.pinniped.dev", Version: "v1alpha1", Kind: "OIDCClient"} - -// Get takes name of the oIDCClient, and returns the corresponding oIDCClient object, and an error if there is any. -func (c *FakeOIDCClients) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.OIDCClient, err error) { - obj, err := c.Fake. - Invokes(testing.NewGetAction(oidcclientsResource, c.ns, name), &v1alpha1.OIDCClient{}) - - if obj == nil { - return nil, err - } - return obj.(*v1alpha1.OIDCClient), err -} - -// List takes label and field selectors, and returns the list of OIDCClients that match those selectors. -func (c *FakeOIDCClients) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.OIDCClientList, err error) { - obj, err := c.Fake. 
- Invokes(testing.NewListAction(oidcclientsResource, oidcclientsKind, c.ns, opts), &v1alpha1.OIDCClientList{}) - - if obj == nil { - return nil, err - } - - label, _, _ := testing.ExtractFromListOptions(opts) - if label == nil { - label = labels.Everything() - } - list := &v1alpha1.OIDCClientList{ListMeta: obj.(*v1alpha1.OIDCClientList).ListMeta} - for _, item := range obj.(*v1alpha1.OIDCClientList).Items { - if label.Matches(labels.Set(item.Labels)) { - list.Items = append(list.Items, item) - } - } - return list, err -} - -// Watch returns a watch.Interface that watches the requested oIDCClients. -func (c *FakeOIDCClients) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) { - return c.Fake. - InvokesWatch(testing.NewWatchAction(oidcclientsResource, c.ns, opts)) - -} - -// Create takes the representation of a oIDCClient and creates it. Returns the server's representation of the oIDCClient, and an error, if there is any. -func (c *FakeOIDCClients) Create(ctx context.Context, oIDCClient *v1alpha1.OIDCClient, opts v1.CreateOptions) (result *v1alpha1.OIDCClient, err error) { - obj, err := c.Fake. - Invokes(testing.NewCreateAction(oidcclientsResource, c.ns, oIDCClient), &v1alpha1.OIDCClient{}) - - if obj == nil { - return nil, err - } - return obj.(*v1alpha1.OIDCClient), err -} - -// Update takes the representation of a oIDCClient and updates it. Returns the server's representation of the oIDCClient, and an error, if there is any. -func (c *FakeOIDCClients) Update(ctx context.Context, oIDCClient *v1alpha1.OIDCClient, opts v1.UpdateOptions) (result *v1alpha1.OIDCClient, err error) { - obj, err := c.Fake. - Invokes(testing.NewUpdateAction(oidcclientsResource, c.ns, oIDCClient), &v1alpha1.OIDCClient{}) - - if obj == nil { - return nil, err - } - return obj.(*v1alpha1.OIDCClient), err -} - -// UpdateStatus was generated because the type contains a Status member. -// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus(). 
-func (c *FakeOIDCClients) UpdateStatus(ctx context.Context, oIDCClient *v1alpha1.OIDCClient, opts v1.UpdateOptions) (*v1alpha1.OIDCClient, error) { - obj, err := c.Fake. - Invokes(testing.NewUpdateSubresourceAction(oidcclientsResource, "status", c.ns, oIDCClient), &v1alpha1.OIDCClient{}) - - if obj == nil { - return nil, err - } - return obj.(*v1alpha1.OIDCClient), err -} - -// Delete takes name of the oIDCClient and deletes it. Returns an error if one occurs. -func (c *FakeOIDCClients) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error { - _, err := c.Fake. - Invokes(testing.NewDeleteAction(oidcclientsResource, c.ns, name), &v1alpha1.OIDCClient{}) - - return err -} - -// DeleteCollection deletes a collection of objects. -func (c *FakeOIDCClients) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error { - action := testing.NewDeleteCollectionAction(oidcclientsResource, c.ns, listOpts) - - _, err := c.Fake.Invokes(action, &v1alpha1.OIDCClientList{}) - return err -} - -// Patch applies the patch and returns the patched oIDCClient. -func (c *FakeOIDCClients) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.OIDCClient, err error) { - obj, err := c.Fake. - Invokes(testing.NewPatchSubresourceAction(oidcclientsResource, c.ns, name, pt, data, subresources...), &v1alpha1.OIDCClient{}) - - if obj == nil { - return nil, err - } - return obj.(*v1alpha1.OIDCClient), err -} diff --git a/generated/1.22/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go b/generated/1.22/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go deleted file mode 100644 index 87d22ea9..00000000 --- a/generated/1.22/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go +++ /dev/null 
@@ -1,8 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by client-gen. DO NOT EDIT. - -package v1alpha1 - -type OIDCClientExpansion interface{} diff --git a/generated/1.22/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go b/generated/1.22/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go deleted file mode 100644 index 1bf4eb28..00000000 --- a/generated/1.22/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go +++ /dev/null 
@@ -1,76 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by client-gen. DO NOT EDIT. - -package v1alpha1 - -import ( - v1alpha1 "go.pinniped.dev/generated/1.22/apis/supervisor/oauth/v1alpha1" - "go.pinniped.dev/generated/1.22/client/supervisor/clientset/versioned/scheme" - rest "k8s.io/client-go/rest" -) - -type OauthV1alpha1Interface interface { - RESTClient() rest.Interface - OIDCClientsGetter -} - -// OauthV1alpha1Client is used to interact with features provided by the oauth.supervisor.pinniped.dev group. -type OauthV1alpha1Client struct { - restClient rest.Interface -} - -func (c *OauthV1alpha1Client) OIDCClients(namespace string) OIDCClientInterface { - return newOIDCClients(c, namespace) -} - -// NewForConfig creates a new OauthV1alpha1Client for the given config. -func NewForConfig(c *rest.Config) (*OauthV1alpha1Client, error) { - config := *c - if err := setConfigDefaults(&config); err != nil { - return nil, err - } - client, err := rest.RESTClientFor(&config) - if err != nil { - return nil, err - } - return &OauthV1alpha1Client{client}, nil -} - -// NewForConfigOrDie creates a new OauthV1alpha1Client for the given config and -// panics if there is an error in the config. -func NewForConfigOrDie(c *rest.Config) *OauthV1alpha1Client { - client, err := NewForConfig(c) - if err != nil { - panic(err) - } - return client -} - -// New creates a new OauthV1alpha1Client for the given RESTClient. 
-func New(c rest.Interface) *OauthV1alpha1Client { - return &OauthV1alpha1Client{c} -} - -func setConfigDefaults(config *rest.Config) error { - gv := v1alpha1.SchemeGroupVersion - config.GroupVersion = &gv - config.APIPath = "/apis" - config.NegotiatedSerializer = scheme.Codecs.WithoutConversion() - - if config.UserAgent == "" { - config.UserAgent = rest.DefaultKubernetesUserAgent() - } - - return nil -} - -// RESTClient returns a RESTClient that is used to communicate -// with API server by this client implementation. -func (c *OauthV1alpha1Client) RESTClient() rest.Interface { - if c == nil { - return nil - } - return c.restClient -} diff --git a/generated/1.22/client/supervisor/informers/externalversions/config/v1alpha1/interface.go b/generated/1.22/client/supervisor/informers/externalversions/config/v1alpha1/interface.go index f2d9a689..9659ea3a 100644 --- a/generated/1.22/client/supervisor/informers/externalversions/config/v1alpha1/interface.go +++ b/generated/1.22/client/supervisor/informers/externalversions/config/v1alpha1/interface.go @@ -13,6 +13,8 @@ import ( type Interface interface { // FederationDomains returns a FederationDomainInformer. FederationDomains() FederationDomainInformer + // OIDCClients returns a OIDCClientInformer. + OIDCClients() OIDCClientInformer } type version struct { @@ -30,3 +32,8 @@ func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakList func (v *version) FederationDomains() FederationDomainInformer { return &federationDomainInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions} } + +// OIDCClients returns a OIDCClientInformer. +func (v *version) OIDCClients() OIDCClientInformer { + return &oIDCClientInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions} +} 
diff --git a/generated/1.22/client/supervisor/informers/externalversions/oauth/v1alpha1/oidcclient.go b/generated/1.22/client/supervisor/informers/externalversions/config/v1alpha1/oidcclient.go similarity index 88% rename from generated/1.22/client/supervisor/informers/externalversions/oauth/v1alpha1/oidcclient.go rename to generated/1.22/client/supervisor/informers/externalversions/config/v1alpha1/oidcclient.go index 73fd8a10..a7d6ba7f 100644 --- a/generated/1.22/client/supervisor/informers/externalversions/oauth/v1alpha1/oidcclient.go +++ b/generated/1.22/client/supervisor/informers/externalversions/config/v1alpha1/oidcclient.go @@ -9,10 +9,10 @@ import ( "context" time "time" - oauthv1alpha1 "go.pinniped.dev/generated/1.22/apis/supervisor/oauth/v1alpha1" + configv1alpha1 "go.pinniped.dev/generated/1.22/apis/supervisor/config/v1alpha1" versioned "go.pinniped.dev/generated/1.22/client/supervisor/clientset/versioned" internalinterfaces "go.pinniped.dev/generated/1.22/client/supervisor/informers/externalversions/internalinterfaces" - v1alpha1 "go.pinniped.dev/generated/1.22/client/supervisor/listers/oauth/v1alpha1" + v1alpha1 "go.pinniped.dev/generated/1.22/client/supervisor/listers/config/v1alpha1" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" runtime "k8s.io/apimachinery/pkg/runtime" watch "k8s.io/apimachinery/pkg/watch" 
@@ -49,16 +49,16 @@ func NewFilteredOIDCClientInformer(client versioned.Interface, namespace string, if tweakListOptions != nil { tweakListOptions(&options) } - return client.OauthV1alpha1().OIDCClients(namespace).List(context.TODO(), options) + return client.ConfigV1alpha1().OIDCClients(namespace).List(context.TODO(), options) }, WatchFunc: func(options v1.ListOptions) (watch.Interface, error) { if tweakListOptions != nil { tweakListOptions(&options) } - return client.OauthV1alpha1().OIDCClients(namespace).Watch(context.TODO(), options) + return client.ConfigV1alpha1().OIDCClients(namespace).Watch(context.TODO(), options) }, }, - &oauthv1alpha1.OIDCClient{}, + &configv1alpha1.OIDCClient{}, resyncPeriod, indexers, ) @@ -69,7 +69,7 @@ func (f *oIDCClientInformer) defaultInformer(client versioned.Interface, resyncP } func (f *oIDCClientInformer) Informer() cache.SharedIndexInformer { - return f.factory.InformerFor(&oauthv1alpha1.OIDCClient{}, f.defaultInformer) + return f.factory.InformerFor(&configv1alpha1.OIDCClient{}, f.defaultInformer) } func (f *oIDCClientInformer) Lister() v1alpha1.OIDCClientLister { diff --git a/generated/1.22/client/supervisor/informers/externalversions/factory.go b/generated/1.22/client/supervisor/informers/externalversions/factory.go index b1a59943..1686a18c 100644 --- a/generated/1.22/client/supervisor/informers/externalversions/factory.go +++ b/generated/1.22/client/supervisor/informers/externalversions/factory.go 
@@ -14,7 +14,6 @@ import ( config "go.pinniped.dev/generated/1.22/client/supervisor/informers/externalversions/config" idp "go.pinniped.dev/generated/1.22/client/supervisor/informers/externalversions/idp" internalinterfaces "go.pinniped.dev/generated/1.22/client/supervisor/informers/externalversions/internalinterfaces" - oauth "go.pinniped.dev/generated/1.22/client/supervisor/informers/externalversions/oauth" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" runtime "k8s.io/apimachinery/pkg/runtime" schema "k8s.io/apimachinery/pkg/runtime/schema" @@ -163,7 +162,6 @@ type SharedInformerFactory interface { Config() config.Interface IDP() idp.Interface - Oauth() oauth.Interface } func (f *sharedInformerFactory) Config() config.Interface { @@ -173,7 +171,3 @@ func (f *sharedInformerFactory) Config() config.Interface { func (f *sharedInformerFactory) IDP() idp.Interface { return idp.New(f, f.namespace, f.tweakListOptions) } - -func (f *sharedInformerFactory) Oauth() oauth.Interface { - return oauth.New(f, f.namespace, f.tweakListOptions) -} diff --git a/generated/1.22/client/supervisor/informers/externalversions/generic.go b/generated/1.22/client/supervisor/informers/externalversions/generic.go index 0380a5b8..9f22e409 100644 --- a/generated/1.22/client/supervisor/informers/externalversions/generic.go +++ b/generated/1.22/client/supervisor/informers/externalversions/generic.go @@ -10,7 +10,6 @@ import ( v1alpha1 "go.pinniped.dev/generated/1.22/apis/supervisor/config/v1alpha1" idpv1alpha1 "go.pinniped.dev/generated/1.22/apis/supervisor/idp/v1alpha1" - oauthv1alpha1 "go.pinniped.dev/generated/1.22/apis/supervisor/oauth/v1alpha1" schema "k8s.io/apimachinery/pkg/runtime/schema" cache "k8s.io/client-go/tools/cache" ) 
@@ -44,6 +43,8 @@ func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource // Group=config.supervisor.pinniped.dev, Version=v1alpha1 case v1alpha1.SchemeGroupVersion.WithResource("federationdomains"): return &genericInformer{resource: resource.GroupResource(), informer: f.Config().V1alpha1().FederationDomains().Informer()}, nil + case v1alpha1.SchemeGroupVersion.WithResource("oidcclients"): + return &genericInformer{resource: resource.GroupResource(), informer: f.Config().V1alpha1().OIDCClients().Informer()}, nil // Group=idp.supervisor.pinniped.dev, Version=v1alpha1 case idpv1alpha1.SchemeGroupVersion.WithResource("activedirectoryidentityproviders"): @@ -53,10 +54,6 @@ func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource case idpv1alpha1.SchemeGroupVersion.WithResource("oidcidentityproviders"): return &genericInformer{resource: resource.GroupResource(), informer: f.IDP().V1alpha1().OIDCIdentityProviders().Informer()}, nil - // Group=oauth.supervisor.pinniped.dev, Version=v1alpha1 - case oauthv1alpha1.SchemeGroupVersion.WithResource("oidcclients"): - return &genericInformer{resource: resource.GroupResource(), informer: f.Oauth().V1alpha1().OIDCClients().Informer()}, nil - } return nil, fmt.Errorf("no informer found for %v", resource) diff --git a/generated/1.22/client/supervisor/informers/externalversions/oauth/interface.go b/generated/1.22/client/supervisor/informers/externalversions/oauth/interface.go deleted file mode 100644 index 97090c7c..00000000 --- a/generated/1.22/client/supervisor/informers/externalversions/oauth/interface.go +++ /dev/null 
@@ -1,33 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by informer-gen. DO NOT EDIT. - -package oauth - -import ( - internalinterfaces "go.pinniped.dev/generated/1.22/client/supervisor/informers/externalversions/internalinterfaces" - v1alpha1 "go.pinniped.dev/generated/1.22/client/supervisor/informers/externalversions/oauth/v1alpha1" -) - -// Interface provides access to each of this group's versions. -type Interface interface { - // V1alpha1 provides access to shared informers for resources in V1alpha1. - V1alpha1() v1alpha1.Interface -} - -type group struct { - factory internalinterfaces.SharedInformerFactory - namespace string - tweakListOptions internalinterfaces.TweakListOptionsFunc -} - -// New returns a new Interface. -func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakListOptions internalinterfaces.TweakListOptionsFunc) Interface { - return &group{factory: f, namespace: namespace, tweakListOptions: tweakListOptions} -} - -// V1alpha1 returns a new v1alpha1.Interface. -func (g *group) V1alpha1() v1alpha1.Interface { - return v1alpha1.New(g.factory, g.namespace, g.tweakListOptions) -} diff --git a/generated/1.22/client/supervisor/informers/externalversions/oauth/v1alpha1/interface.go b/generated/1.22/client/supervisor/informers/externalversions/oauth/v1alpha1/interface.go deleted file mode 100644 index 19d5ccb1..00000000 --- a/generated/1.22/client/supervisor/informers/externalversions/oauth/v1alpha1/interface.go +++ /dev/null 
@@ -1,32 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by informer-gen. DO NOT EDIT. - -package v1alpha1 - -import ( - internalinterfaces "go.pinniped.dev/generated/1.22/client/supervisor/informers/externalversions/internalinterfaces" -) - -// Interface provides access to all the informers in this group version. -type Interface interface { - // OIDCClients returns a OIDCClientInformer. - OIDCClients() OIDCClientInformer -} - -type version struct { - factory internalinterfaces.SharedInformerFactory - namespace string - tweakListOptions internalinterfaces.TweakListOptionsFunc -} - -// New returns a new Interface. -func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakListOptions internalinterfaces.TweakListOptionsFunc) Interface { - return &version{factory: f, namespace: namespace, tweakListOptions: tweakListOptions} -} - -// OIDCClients returns a OIDCClientInformer. -func (v *version) OIDCClients() OIDCClientInformer { - return &oIDCClientInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions} -} diff --git a/generated/1.22/client/supervisor/listers/config/v1alpha1/expansion_generated.go b/generated/1.22/client/supervisor/listers/config/v1alpha1/expansion_generated.go index d59892c4..bda2f20e 100644 --- a/generated/1.22/client/supervisor/listers/config/v1alpha1/expansion_generated.go +++ b/generated/1.22/client/supervisor/listers/config/v1alpha1/expansion_generated.go 
@@ -12,3 +12,11 @@ type FederationDomainListerExpansion interface{} // FederationDomainNamespaceListerExpansion allows custom methods to be added to // FederationDomainNamespaceLister. type FederationDomainNamespaceListerExpansion interface{} + +// OIDCClientListerExpansion allows custom methods to be added to +// OIDCClientLister. +type OIDCClientListerExpansion interface{} + +// OIDCClientNamespaceListerExpansion allows custom methods to be added to +// OIDCClientNamespaceLister. +type OIDCClientNamespaceListerExpansion interface{} diff --git a/generated/1.20/client/supervisor/listers/oauth/v1alpha1/oidcclient.go b/generated/1.22/client/supervisor/listers/config/v1alpha1/oidcclient.go similarity index 97% rename from generated/1.20/client/supervisor/listers/oauth/v1alpha1/oidcclient.go rename to generated/1.22/client/supervisor/listers/config/v1alpha1/oidcclient.go index 9cb0fe48..fe4943b0 100644 --- a/generated/1.20/client/supervisor/listers/oauth/v1alpha1/oidcclient.go +++ b/generated/1.22/client/supervisor/listers/config/v1alpha1/oidcclient.go @@ -6,7 +6,7 @@ package v1alpha1 import ( - v1alpha1 "go.pinniped.dev/generated/1.20/apis/supervisor/oauth/v1alpha1" + v1alpha1 "go.pinniped.dev/generated/1.22/apis/supervisor/config/v1alpha1" "k8s.io/apimachinery/pkg/api/errors" "k8s.io/apimachinery/pkg/labels" "k8s.io/client-go/tools/cache" diff --git a/generated/1.22/client/supervisor/listers/oauth/v1alpha1/expansion_generated.go b/generated/1.22/client/supervisor/listers/oauth/v1alpha1/expansion_generated.go deleted file mode 100644 index c19310da..00000000 --- a/generated/1.22/client/supervisor/listers/oauth/v1alpha1/expansion_generated.go +++ /dev/null 
@@ -1,14 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by lister-gen. DO NOT EDIT. - -package v1alpha1 - -// OIDCClientListerExpansion allows custom methods to be added to -// OIDCClientLister. -type OIDCClientListerExpansion interface{} - -// OIDCClientNamespaceListerExpansion allows custom methods to be added to -// OIDCClientNamespaceLister. -type OIDCClientNamespaceListerExpansion interface{} diff --git a/generated/1.22/client/supervisor/virtual/clientset/versioned/clientset.go b/generated/1.22/client/supervisor/virtual/clientset/versioned/clientset.go deleted file mode 100644 index c9c89465..00000000 --- a/generated/1.22/client/supervisor/virtual/clientset/versioned/clientset.go +++ /dev/null 
@@ -1,84 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by client-gen. DO NOT EDIT. - -package versioned - -import ( - "fmt" - - oauthv1alpha1 "go.pinniped.dev/generated/1.22/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1" - discovery "k8s.io/client-go/discovery" - rest "k8s.io/client-go/rest" - flowcontrol "k8s.io/client-go/util/flowcontrol" -) - -type Interface interface { - Discovery() discovery.DiscoveryInterface - OauthV1alpha1() oauthv1alpha1.OauthV1alpha1Interface -} - -// Clientset contains the clients for groups. Each group has exactly one -// version included in a Clientset. -type Clientset struct { - *discovery.DiscoveryClient - oauthV1alpha1 *oauthv1alpha1.OauthV1alpha1Client -} - -// OauthV1alpha1 retrieves the OauthV1alpha1Client -func (c *Clientset) OauthV1alpha1() oauthv1alpha1.OauthV1alpha1Interface { - return c.oauthV1alpha1 -} - -// Discovery retrieves the DiscoveryClient -func (c *Clientset) Discovery() discovery.DiscoveryInterface { - if c == nil { - return nil - } - return c.DiscoveryClient -} - -// NewForConfig creates a new Clientset for the given config. -// If config's RateLimiter is not set and QPS and Burst are acceptable, -// NewForConfig will generate a rate-limiter in configShallowCopy. 
-func NewForConfig(c *rest.Config) (*Clientset, error) { - configShallowCopy := *c - if configShallowCopy.RateLimiter == nil && configShallowCopy.QPS > 0 { - if configShallowCopy.Burst <= 0 { - return nil, fmt.Errorf("burst is required to be greater than 0 when RateLimiter is not set and QPS is set to greater than 0") - } - configShallowCopy.RateLimiter = flowcontrol.NewTokenBucketRateLimiter(configShallowCopy.QPS, configShallowCopy.Burst) - } - var cs Clientset - var err error - cs.oauthV1alpha1, err = oauthv1alpha1.NewForConfig(&configShallowCopy) - if err != nil { - return nil, err - } - - cs.DiscoveryClient, err = discovery.NewDiscoveryClientForConfig(&configShallowCopy) - if err != nil { - return nil, err - } - return &cs, nil -} - -// NewForConfigOrDie creates a new Clientset for the given config and -// panics if there is an error in the config. -func NewForConfigOrDie(c *rest.Config) *Clientset { - var cs Clientset - cs.oauthV1alpha1 = oauthv1alpha1.NewForConfigOrDie(c) - - cs.DiscoveryClient = discovery.NewDiscoveryClientForConfigOrDie(c) - return &cs -} - -// New creates a new Clientset for the given RESTClient. -func New(c rest.Interface) *Clientset { - var cs Clientset - cs.oauthV1alpha1 = oauthv1alpha1.New(c) - - cs.DiscoveryClient = discovery.NewDiscoveryClient(c) - return &cs -} diff --git a/generated/1.22/client/supervisor/virtual/clientset/versioned/doc.go b/generated/1.22/client/supervisor/virtual/clientset/versioned/doc.go deleted file mode 100644 index 5dc02e6e..00000000 --- a/generated/1.22/client/supervisor/virtual/clientset/versioned/doc.go +++ /dev/null @@ -1,7 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by client-gen. DO NOT EDIT. - -// This package has the automatically generated clientset. -package versioned 
diff --git a/generated/1.22/client/supervisor/virtual/clientset/versioned/fake/clientset_generated.go b/generated/1.22/client/supervisor/virtual/clientset/versioned/fake/clientset_generated.go deleted file mode 100644 index 5cb64013..00000000 --- a/generated/1.22/client/supervisor/virtual/clientset/versioned/fake/clientset_generated.go +++ /dev/null 
@@ -1,72 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by client-gen. DO NOT EDIT. - -package fake - -import ( - clientset "go.pinniped.dev/generated/1.22/client/supervisor/virtual/clientset/versioned" - oauthv1alpha1 "go.pinniped.dev/generated/1.22/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1" - fakeoauthv1alpha1 "go.pinniped.dev/generated/1.22/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake" - "k8s.io/apimachinery/pkg/runtime" - "k8s.io/apimachinery/pkg/watch" - "k8s.io/client-go/discovery" - fakediscovery "k8s.io/client-go/discovery/fake" - "k8s.io/client-go/testing" -) - -// NewSimpleClientset returns a clientset that will respond with the provided objects. -// It's backed by a very simple object tracker that processes creates, updates and deletions as-is, -// without applying any validations and/or defaults. It shouldn't be considered a replacement -// for a real clientset and is mostly useful in simple unit tests. -func NewSimpleClientset(objects ...runtime.Object) *Clientset { - o := testing.NewObjectTracker(scheme, codecs.UniversalDecoder()) - for _, obj := range objects { - if err := o.Add(obj); err != nil { - panic(err) - } - } - - cs := &Clientset{tracker: o} - cs.discovery = &fakediscovery.FakeDiscovery{Fake: &cs.Fake} - cs.AddReactor("*", "*", testing.ObjectReaction(o)) - cs.AddWatchReactor("*", func(action testing.Action) (handled bool, ret watch.Interface, err error) { - gvr := action.GetResource() - ns := action.GetNamespace() - watch, err := o.Watch(gvr, ns) - if err != nil { - return false, nil, err - } - return true, watch, nil - }) - - return cs -} - -// Clientset implements clientset.Interface. Meant to be embedded into a -// struct to get a default implementation. This makes faking out just the method -// you want to test easier. 
-type Clientset struct { - testing.Fake - discovery *fakediscovery.FakeDiscovery - tracker testing.ObjectTracker -} - -func (c *Clientset) Discovery() discovery.DiscoveryInterface { - return c.discovery -} - -func (c *Clientset) Tracker() testing.ObjectTracker { - return c.tracker -} - -var ( - _ clientset.Interface = &Clientset{} - _ testing.FakeClient = &Clientset{} -) - -// OauthV1alpha1 retrieves the OauthV1alpha1Client -func (c *Clientset) OauthV1alpha1() oauthv1alpha1.OauthV1alpha1Interface { - return &fakeoauthv1alpha1.FakeOauthV1alpha1{Fake: &c.Fake} -} diff --git a/generated/1.22/client/supervisor/virtual/clientset/versioned/fake/doc.go b/generated/1.22/client/supervisor/virtual/clientset/versioned/fake/doc.go deleted file mode 100644 index 7c9538fd..00000000 --- a/generated/1.22/client/supervisor/virtual/clientset/versioned/fake/doc.go +++ /dev/null @@ -1,7 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by client-gen. DO NOT EDIT. - -// This package has the automatically generated fake clientset. -package fake diff --git a/generated/1.22/client/supervisor/virtual/clientset/versioned/fake/register.go b/generated/1.22/client/supervisor/virtual/clientset/versioned/fake/register.go deleted file mode 100644 index 87de2f5a..00000000 --- a/generated/1.22/client/supervisor/virtual/clientset/versioned/fake/register.go +++ /dev/null 
@@ -1,43 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by client-gen. DO NOT EDIT. - -package fake - -import ( - oauthv1alpha1 "go.pinniped.dev/generated/1.22/apis/supervisor/virtual/oauth/v1alpha1" - v1 "k8s.io/apimachinery/pkg/apis/meta/v1" - runtime "k8s.io/apimachinery/pkg/runtime" - schema "k8s.io/apimachinery/pkg/runtime/schema" - serializer "k8s.io/apimachinery/pkg/runtime/serializer" - utilruntime "k8s.io/apimachinery/pkg/util/runtime" -) - -var scheme = runtime.NewScheme() -var codecs = serializer.NewCodecFactory(scheme) - -var localSchemeBuilder = runtime.SchemeBuilder{ - oauthv1alpha1.AddToScheme, -} - -// AddToScheme adds all types of this clientset into the given scheme. This allows composition -// of clientsets, like in: -// -// import ( -// "k8s.io/client-go/kubernetes" -// clientsetscheme "k8s.io/client-go/kubernetes/scheme" -// aggregatorclientsetscheme "k8s.io/kube-aggregator/pkg/client/clientset_generated/clientset/scheme" -// ) -// -// kclientset, _ := kubernetes.NewForConfig(c) -// _ = aggregatorclientsetscheme.AddToScheme(clientsetscheme.Scheme) -// -// After this, RawExtensions in Kubernetes types will serialize kube-aggregator types -// correctly. -var AddToScheme = localSchemeBuilder.AddToScheme - -func init() { - v1.AddToGroupVersion(scheme, schema.GroupVersion{Version: "v1"}) - utilruntime.Must(AddToScheme(scheme)) -} diff --git a/generated/1.22/client/supervisor/virtual/clientset/versioned/scheme/doc.go b/generated/1.22/client/supervisor/virtual/clientset/versioned/scheme/doc.go deleted file mode 100644 index cc02f1d3..00000000 --- a/generated/1.22/client/supervisor/virtual/clientset/versioned/scheme/doc.go +++ /dev/null 
@@ -1,7 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by client-gen. DO NOT EDIT. - -// This package contains the scheme of the automatically generated clientset. -package scheme diff --git a/generated/1.22/client/supervisor/virtual/clientset/versioned/scheme/register.go b/generated/1.22/client/supervisor/virtual/clientset/versioned/scheme/register.go deleted file mode 100644 index 4fcfd7d8..00000000 --- a/generated/1.22/client/supervisor/virtual/clientset/versioned/scheme/register.go +++ /dev/null 
@@ -1,43 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by client-gen. DO NOT EDIT. - -package scheme - -import ( - oauthv1alpha1 "go.pinniped.dev/generated/1.22/apis/supervisor/virtual/oauth/v1alpha1" - v1 "k8s.io/apimachinery/pkg/apis/meta/v1" - runtime "k8s.io/apimachinery/pkg/runtime" - schema "k8s.io/apimachinery/pkg/runtime/schema" - serializer "k8s.io/apimachinery/pkg/runtime/serializer" - utilruntime "k8s.io/apimachinery/pkg/util/runtime" -) - -var Scheme = runtime.NewScheme() -var Codecs = serializer.NewCodecFactory(Scheme) -var ParameterCodec = runtime.NewParameterCodec(Scheme) -var localSchemeBuilder = runtime.SchemeBuilder{ - oauthv1alpha1.AddToScheme, -} - -// AddToScheme adds all types of this clientset into the given scheme. This allows composition -// of clientsets, like in: -// -// import ( -// "k8s.io/client-go/kubernetes" -// clientsetscheme "k8s.io/client-go/kubernetes/scheme" -// aggregatorclientsetscheme "k8s.io/kube-aggregator/pkg/client/clientset_generated/clientset/scheme" -// ) -// -// kclientset, _ := kubernetes.NewForConfig(c) -// _ = aggregatorclientsetscheme.AddToScheme(clientsetscheme.Scheme) -// -// After this, RawExtensions in Kubernetes types will serialize kube-aggregator types -// correctly. -var AddToScheme = localSchemeBuilder.AddToScheme - -func init() { - v1.AddToGroupVersion(Scheme, schema.GroupVersion{Version: "v1"}) - utilruntime.Must(AddToScheme(Scheme)) -} diff --git a/generated/1.22/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/doc.go b/generated/1.22/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/doc.go deleted file mode 100644 index e7a470b6..00000000 --- a/generated/1.22/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/doc.go +++ /dev/null 
@@ -1,7 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by client-gen. DO NOT EDIT. - -// This package has the automatically generated typed clients. -package v1alpha1 diff --git a/generated/1.22/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go b/generated/1.22/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go deleted file mode 100644 index 7906901b..00000000 --- a/generated/1.22/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go +++ /dev/null @@ -1,7 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by client-gen. DO NOT EDIT. - -// Package fake has the automatically generated clients. -package fake diff --git a/generated/1.22/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go b/generated/1.22/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go deleted file mode 100644 index 26dd6706..00000000 --- a/generated/1.22/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go +++ /dev/null 
@@ -1,27 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by client-gen. DO NOT EDIT. - -package fake - -import ( - v1alpha1 "go.pinniped.dev/generated/1.22/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1" - rest "k8s.io/client-go/rest" - testing "k8s.io/client-go/testing" -) - -type FakeOauthV1alpha1 struct { - *testing.Fake -} - -func (c *FakeOauthV1alpha1) OIDCClientSecretRequests(namespace string) v1alpha1.OIDCClientSecretRequestInterface { - return &FakeOIDCClientSecretRequests{c, namespace} -} - -// RESTClient returns a RESTClient that is used to communicate -// with API server by this client implementation. -func (c *FakeOauthV1alpha1) RESTClient() rest.Interface { - var ret *rest.RESTClient - return ret -} diff --git a/generated/1.22/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oidcclientsecretrequest.go b/generated/1.22/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oidcclientsecretrequest.go deleted file mode 100644 index 1fadc80c..00000000 --- a/generated/1.22/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oidcclientsecretrequest.go +++ /dev/null 
@@ -1,36 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by client-gen. DO NOT EDIT. - -package fake - -import ( - "context" - - v1alpha1 "go.pinniped.dev/generated/1.22/apis/supervisor/virtual/oauth/v1alpha1" - v1 "k8s.io/apimachinery/pkg/apis/meta/v1" - schema "k8s.io/apimachinery/pkg/runtime/schema" - testing "k8s.io/client-go/testing" -) - -// FakeOIDCClientSecretRequests implements OIDCClientSecretRequestInterface -type FakeOIDCClientSecretRequests struct { - Fake *FakeOauthV1alpha1 - ns string -} - -var oidcclientsecretrequestsResource = schema.GroupVersionResource{Group: "oauth.virtual.supervisor.pinniped.dev", Version: "v1alpha1", Resource: "oidcclientsecretrequests"} - -var oidcclientsecretrequestsKind = schema.GroupVersionKind{Group: "oauth.virtual.supervisor.pinniped.dev", Version: "v1alpha1", Kind: "OIDCClientSecretRequest"} - -// Create takes the representation of a oIDCClientSecretRequest and creates it. Returns the server's representation of the oIDCClientSecretRequest, and an error, if there is any. -func (c *FakeOIDCClientSecretRequests) Create(ctx context.Context, oIDCClientSecretRequest *v1alpha1.OIDCClientSecretRequest, opts v1.CreateOptions) (result *v1alpha1.OIDCClientSecretRequest, err error) { - obj, err := c.Fake. - Invokes(testing.NewCreateAction(oidcclientsecretrequestsResource, c.ns, oIDCClientSecretRequest), &v1alpha1.OIDCClientSecretRequest{}) - - if obj == nil { - return nil, err - } - return obj.(*v1alpha1.OIDCClientSecretRequest), err -} diff --git a/generated/1.22/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go b/generated/1.22/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go deleted file mode 100644 index cfb00d3a..00000000 --- a/generated/1.22/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go +++ /dev/null 
@@ -1,76 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by client-gen. DO NOT EDIT. - -package v1alpha1 - -import ( - v1alpha1 "go.pinniped.dev/generated/1.22/apis/supervisor/virtual/oauth/v1alpha1" - "go.pinniped.dev/generated/1.22/client/supervisor/virtual/clientset/versioned/scheme" - rest "k8s.io/client-go/rest" -) - -type OauthV1alpha1Interface interface { - RESTClient() rest.Interface - OIDCClientSecretRequestsGetter -} - -// OauthV1alpha1Client is used to interact with features provided by the oauth.virtual.supervisor.pinniped.dev group. -type OauthV1alpha1Client struct { - restClient rest.Interface -} - -func (c *OauthV1alpha1Client) OIDCClientSecretRequests(namespace string) OIDCClientSecretRequestInterface { - return newOIDCClientSecretRequests(c, namespace) -} - -// NewForConfig creates a new OauthV1alpha1Client for the given config. -func NewForConfig(c *rest.Config) (*OauthV1alpha1Client, error) { - config := *c - if err := setConfigDefaults(&config); err != nil { - return nil, err - } - client, err := rest.RESTClientFor(&config) - if err != nil { - return nil, err - } - return &OauthV1alpha1Client{client}, nil -} - -// NewForConfigOrDie creates a new OauthV1alpha1Client for the given config and -// panics if there is an error in the config. -func NewForConfigOrDie(c *rest.Config) *OauthV1alpha1Client { - client, err := NewForConfig(c) - if err != nil { - panic(err) - } - return client -} - -// New creates a new OauthV1alpha1Client for the given RESTClient. 
-func New(c rest.Interface) *OauthV1alpha1Client { - return &OauthV1alpha1Client{c} -} - -func setConfigDefaults(config *rest.Config) error { - gv := v1alpha1.SchemeGroupVersion - config.GroupVersion = &gv - config.APIPath = "/apis" - config.NegotiatedSerializer = scheme.Codecs.WithoutConversion() - - if config.UserAgent == "" { - config.UserAgent = rest.DefaultKubernetesUserAgent() - } - - return nil -} - -// RESTClient returns a RESTClient that is used to communicate -// with API server by this client implementation. -func (c *OauthV1alpha1Client) RESTClient() rest.Interface { - if c == nil { - return nil - } - return c.restClient -} diff --git a/generated/1.22/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/oidcclientsecretrequest.go b/generated/1.22/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/oidcclientsecretrequest.go deleted file mode 100644 index 995eb80e..00000000 --- a/generated/1.22/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/oidcclientsecretrequest.go +++ /dev/null 
@@ -1,54 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by client-gen. DO NOT EDIT. - -package v1alpha1 - -import ( - "context" - - v1alpha1 "go.pinniped.dev/generated/1.22/apis/supervisor/virtual/oauth/v1alpha1" - scheme "go.pinniped.dev/generated/1.22/client/supervisor/virtual/clientset/versioned/scheme" - v1 "k8s.io/apimachinery/pkg/apis/meta/v1" - rest "k8s.io/client-go/rest" -) - -// OIDCClientSecretRequestsGetter has a method to return a OIDCClientSecretRequestInterface. -// A group's client should implement this interface. -type OIDCClientSecretRequestsGetter interface { - OIDCClientSecretRequests(namespace string) OIDCClientSecretRequestInterface -} - -// OIDCClientSecretRequestInterface has methods to work with OIDCClientSecretRequest resources. -type OIDCClientSecretRequestInterface interface { - Create(ctx context.Context, oIDCClientSecretRequest *v1alpha1.OIDCClientSecretRequest, opts v1.CreateOptions) (*v1alpha1.OIDCClientSecretRequest, error) - OIDCClientSecretRequestExpansion -} - -// oIDCClientSecretRequests implements OIDCClientSecretRequestInterface -type oIDCClientSecretRequests struct { - client rest.Interface - ns string -} - -// newOIDCClientSecretRequests returns a OIDCClientSecretRequests -func newOIDCClientSecretRequests(c *OauthV1alpha1Client, namespace string) *oIDCClientSecretRequests { - return &oIDCClientSecretRequests{ - client: c.RESTClient(), - ns: namespace, - } -} - -// Create takes the representation of a oIDCClientSecretRequest and creates it. Returns the server's representation of the oIDCClientSecretRequest, and an error, if there is any. -func (c *oIDCClientSecretRequests) Create(ctx context.Context, oIDCClientSecretRequest *v1alpha1.OIDCClientSecretRequest, opts v1.CreateOptions) (result *v1alpha1.OIDCClientSecretRequest, err error) { - result = &v1alpha1.OIDCClientSecretRequest{} - err = c.client.Post(). - Namespace(c.ns). 
- Resource("oidcclientsecretrequests"). - VersionedParams(&opts, scheme.ParameterCodec). - Body(oIDCClientSecretRequest). - Do(ctx). - Into(result) - return -} diff --git a/generated/1.22/crds/config.supervisor.pinniped.dev_oidcclients.yaml b/generated/1.22/crds/config.supervisor.pinniped.dev_oidcclients.yaml new file mode 100644 index 00000000..4efa445e --- /dev/null +++ b/generated/1.22/crds/config.supervisor.pinniped.dev_oidcclients.yaml 
@@ -0,0 +1,125 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.8.0 + creationTimestamp: null + name: oidcclients.config.supervisor.pinniped.dev +spec: + group: config.supervisor.pinniped.dev + names: + categories: + - pinniped + kind: OIDCClient + listKind: OIDCClientList + plural: oidcclients + singular: oidcclient + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: OIDCClient describes the configuration of an OIDC client. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec of the OIDC client. + properties: + allowedGrantTypes: + description: "allowedGrantTypes is a list of the allowed grant_type + param values that should be accepted during OIDC flows with this + client. \n Must only contain the following values: - authorization_code: + allows the client to perform the authorization code grant flow, + i.e. allows the webapp to authenticate users. This grant must always + be listed. - refresh_token: allows the client to perform refresh + grants for the user to extend the user's session. This grant must + be listed if allowedScopes lists offline_access. 
- urn:ietf:params:oauth:grant-type:token-exchange: + allows the client to perform RFC8693 token exchange, which is a + step in the process to be able to get a cluster credential for the + user. This grant must be listed if allowedScopes lists pinniped:request-audience." + items: + enum: + - authorization_code + - refresh_token + - urn:ietf:params:oauth:grant-type:token-exchange + type: string + minItems: 1 + type: array + allowedRedirectURIs: + description: allowedRedirectURIs is a list of the allowed redirect_uri + param values that should be accepted during OIDC flows with this + client. Any other uris will be rejected. Must be https, unless it + is a loopback. + items: + type: string + minItems: 1 + type: array + allowedScopes: + description: "allowedScopes is a list of the allowed scopes param + values that should be accepted during OIDC flows with this client. + \n Must only contain the following values: - openid: The client + is allowed to request ID tokens. ID tokens only include the required + claims by default (iss, sub, aud, exp, iat). This scope must always + be listed. - offline_access: The client is allowed to request an + initial refresh token during the authorization code grant flow. + This scope must be listed if allowedGrantTypes lists refresh_token. + - pinniped:request-audience: The client is allowed to request a + new audience value during a RFC8693 token exchange, which is a step + in the process to be able to get a cluster credential for the user. + openid, username and groups scopes must be listed when this scope + is present. This scope must be listed if allowedGrantTypes lists + urn:ietf:params:oauth:grant-type:token-exchange. - username: The + client is allowed to request that ID tokens contain the user's username. + Without the username scope being requested and allowed, the ID token + will not contain the user's username. 
- groups: The client is allowed + to request that ID tokens contain the user's group membership, if + their group membership is discoverable by the Supervisor. Without + the groups scope being requested and allowed, the ID token will + not contain groups." + items: + enum: + - openid + - offline_access + - username + - groups + - pinniped:request-audience + type: string + minItems: 1 + type: array + required: + - allowedGrantTypes + - allowedRedirectURIs + - allowedScopes + type: object + status: + description: Status of the OIDC client. + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/generated/1.22/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml b/generated/1.22/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml deleted file mode 100644 index 589a9154..00000000 --- a/generated/1.22/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml +++ /dev/null 
@@ -1,125 +0,0 @@ ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.8.0 - creationTimestamp: null - name: oidcclients.oauth.supervisor.pinniped.dev -spec: - group: oauth.supervisor.pinniped.dev - names: - categories: - - pinniped - kind: OIDCClient - listKind: OIDCClientList - plural: oidcclients - singular: oidcclient - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - description: OIDCClient describes the configuration of an OIDC client. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: Spec of the OIDC client. - properties: - allowedGrantTypes: - description: "allowedGrantTypes is a list of the allowed grant_type - param values that should be accepted during OIDC flows with this - client. \n Must only contain the following values: - authorization_code: - allows the client to perform the authorization code grant flow, - i.e. allows the webapp to authenticate users. This grant must always - be listed. - refresh_token: allows the client to perform refresh - grants for the user to extend the user's session. This grant must - be listed if allowedScopes lists offline_access. 
- urn:ietf:params:oauth:grant-type:token-exchange: - allows the client to perform RFC8693 token exchange, which is a - step in the process to be able to get a cluster credential for the - user. This grant must be listed if allowedScopes lists pinniped:request-audience." - items: - enum: - - authorization_code - - refresh_token - - urn:ietf:params:oauth:grant-type:token-exchange - type: string - minItems: 1 - type: array - allowedRedirectURIs: - description: allowedRedirectURIs is a list of the allowed redirect_uri - param values that should be accepted during OIDC flows with this - client. Any other uris will be rejected. Must be https, unless it - is a loopback. - items: - type: string - minItems: 1 - type: array - allowedScopes: - description: "allowedScopes is a list of the allowed scopes param - values that should be accepted during OIDC flows with this client. - \n Must only contain the following values: - openid: The client - is allowed to request ID tokens. ID tokens only include the required - claims by default (iss, sub, aud, exp, iat). This scope must always - be listed. - offline_access: The client is allowed to request an - initial refresh token during the authorization code grant flow. - This scope must be listed if allowedGrantTypes lists refresh_token. - - pinniped:request-audience: The client is allowed to request a - new audience value during a RFC8693 token exchange, which is a step - in the process to be able to get a cluster credential for the user. - openid, username and groups scopes must be listed when this scope - is present. This scope must be listed if allowedGrantTypes lists - urn:ietf:params:oauth:grant-type:token-exchange. - username: The - client is allowed to request that ID tokens contain the user's username. - Without the username scope being requested and allowed, the ID token - will not contain the user's username. 
- groups: The client is allowed - to request that ID tokens contain the user's group membership, if - their group membership is discoverable by the Supervisor. Without - the groups scope being requested and allowed, the ID token will - not contain groups." - items: - enum: - - openid - - offline_access - - username - - groups - - pinniped:request-audience - type: string - minItems: 1 - type: array - required: - - allowedGrantTypes - - allowedRedirectURIs - - allowedScopes - type: object - status: - description: Status of the OIDC client. - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] diff --git a/generated/1.23/README.adoc b/generated/1.23/README.adoc index d078f60c..2e9fde69 100644 --- a/generated/1.23/README.adoc +++ b/generated/1.23/README.adoc 
@@ -6,15 +6,14 @@ .Packages - xref:{anchor_prefix}-authentication-concierge-pinniped-dev-v1alpha1[$$authentication.concierge.pinniped.dev/v1alpha1$$] +- xref:{anchor_prefix}-clientsecret-supervisor-pinniped-dev-clientsecret[$$clientsecret.supervisor.pinniped.dev/clientsecret$$] +- xref:{anchor_prefix}-clientsecret-supervisor-pinniped-dev-v1alpha1[$$clientsecret.supervisor.pinniped.dev/v1alpha1$$] - xref:{anchor_prefix}-config-concierge-pinniped-dev-v1alpha1[$$config.concierge.pinniped.dev/v1alpha1$$] - xref:{anchor_prefix}-config-supervisor-pinniped-dev-v1alpha1[$$config.supervisor.pinniped.dev/v1alpha1$$] - xref:{anchor_prefix}-identity-concierge-pinniped-dev-identity[$$identity.concierge.pinniped.dev/identity$$] - xref:{anchor_prefix}-identity-concierge-pinniped-dev-v1alpha1[$$identity.concierge.pinniped.dev/v1alpha1$$] - xref:{anchor_prefix}-idp-supervisor-pinniped-dev-v1alpha1[$$idp.supervisor.pinniped.dev/v1alpha1$$] - xref:{anchor_prefix}-login-concierge-pinniped-dev-v1alpha1[$$login.concierge.pinniped.dev/v1alpha1$$] -- xref:{anchor_prefix}-oauth-supervisor-pinniped-dev-v1alpha1[$$oauth.supervisor.pinniped.dev/v1alpha1$$] -- xref:{anchor_prefix}-oauth-virtual-supervisor-pinniped-dev-oauth[$$oauth.virtual.supervisor.pinniped.dev/oauth$$] -- xref:{anchor_prefix}-oauth-virtual-supervisor-pinniped-dev-v1alpha1[$$oauth.virtual.supervisor.pinniped.dev/v1alpha1$$] [id="{anchor_prefix}-authentication-concierge-pinniped-dev-v1alpha1"] 
@@ -213,6 +212,98 @@ Status of a webhook authenticator. +[id="{anchor_prefix}-clientsecret-supervisor-pinniped-dev-clientsecret"] +=== clientsecret.supervisor.pinniped.dev/clientsecret + +Package clientsecret is the internal version of the Pinniped client secret API. + + + + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-clientsecret-oidcclientsecretrequestspec"] +==== OIDCClientSecretRequestSpec + + + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-clientsecret-oidcclientsecretrequest[$$OIDCClientSecretRequest$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`generateNewSecret`* __boolean__ | +| *`revokeOldSecrets`* __boolean__ | +|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-clientsecret-oidcclientsecretrequeststatus"] +==== OIDCClientSecretRequestStatus + + + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-clientsecret-oidcclientsecretrequest[$$OIDCClientSecretRequest$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`generatedSecret`* __string__ | +| *`totalClientSecrets`* __integer__ | +|=== + + + +[id="{anchor_prefix}-clientsecret-supervisor-pinniped-dev-v1alpha1"] +=== clientsecret.supervisor.pinniped.dev/v1alpha1 + +Package v1alpha1 is the v1alpha1 version of the Pinniped client secret API. 
+ + + + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-clientsecret-v1alpha1-oidcclientsecretrequestspec"] +==== OIDCClientSecretRequestSpec + + + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-clientsecret-v1alpha1-oidcclientsecretrequest[$$OIDCClientSecretRequest$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`generateNewSecret`* __boolean__ | +| *`revokeOldSecrets`* __boolean__ | +|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-clientsecret-v1alpha1-oidcclientsecretrequeststatus"] +==== OIDCClientSecretRequestStatus + + + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-clientsecret-v1alpha1-oidcclientsecretrequest[$$OIDCClientSecretRequest$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`generatedSecret`* __string__ | +| *`totalClientSecrets`* __integer__ | +|=== + + + [id="{anchor_prefix}-config-concierge-pinniped-dev-v1alpha1"] === config.concierge.pinniped.dev/v1alpha1 
@@ -546,6 +637,51 @@ FederationDomainTLSSpec is a struct that describes the TLS configuration for an |=== +[id="{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-config-v1alpha1-oidcclient"] +==== OIDCClient + +OIDCClient describes the configuration of an OIDC client. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-config-v1alpha1-oidcclientlist[$$OIDCClientList$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`. + +| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-config-v1alpha1-oidcclientspec[$$OIDCClientSpec$$]__ | Spec of the OIDC client. +| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-config-v1alpha1-oidcclientstatus[$$OIDCClientStatus$$]__ | Status of the OIDC client. +|=== + + + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-config-v1alpha1-oidcclientspec"] +==== OIDCClientSpec + +OIDCClientSpec is a struct that describes an OIDC Client. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-config-v1alpha1-oidcclient[$$OIDCClient$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`allowedRedirectURIs`* __string array__ | allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this client. Any other uris will be rejected. Must be https, unless it is a loopback. +| *`allowedGrantTypes`* __GrantType array__ | allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this client. + Must only contain the following values: - authorization_code: allows the client to perform the authorization code grant flow, i.e. 
allows the webapp to authenticate users. This grant must always be listed. - refresh_token: allows the client to perform refresh grants for the user to extend the user's session. This grant must be listed if allowedScopes lists offline_access. - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. This grant must be listed if allowedScopes lists pinniped:request-audience. +| *`allowedScopes`* __Scope array__ | allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. + Must only contain the following values: - openid: The client is allowed to request ID tokens. ID tokens only include the required claims by default (iss, sub, aud, exp, iat). This scope must always be listed. - offline_access: The client is allowed to request an initial refresh token during the authorization code grant flow. This scope must be listed if allowedGrantTypes lists refresh_token. - pinniped:request-audience: The client is allowed to request a new audience value during a RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. openid, username and groups scopes must be listed when this scope is present. This scope must be listed if allowedGrantTypes lists urn:ietf:params:oauth:grant-type:token-exchange. - username: The client is allowed to request that ID tokens contain the user's username. Without the username scope being requested and allowed, the ID token will not contain the user's username. - groups: The client is allowed to request that ID tokens contain the user's group membership, if their group membership is discoverable by the Supervisor. Without the groups scope being requested and allowed, the ID token will not contain groups. 
+|=== + + + + [id="{anchor_prefix}-identity-concierge-pinniped-dev-identity"] === identity.concierge.pinniped.dev/identity 
@@ -1335,148 +1471,3 @@ TokenCredentialRequestStatus is the status of a TokenCredentialRequest, returned |=== - -[id="{anchor_prefix}-oauth-supervisor-pinniped-dev-v1alpha1"] -=== oauth.supervisor.pinniped.dev/v1alpha1 - -Package v1alpha1 is the v1alpha1 version of the Pinniped supervisor oauth API. - - - -[id="{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-oauth-v1alpha1-oidcclient"] -==== OIDCClient - -OIDCClient describes the configuration of an OIDC client. - -.Appears In: -**** -- xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-oauth-v1alpha1-oidcclientlist[$$OIDCClientList$$] -**** - -[cols="25a,75a", options="header"] -|=== -| Field | Description -| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`. - -| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-oauth-v1alpha1-oidcclientspec[$$OIDCClientSpec$$]__ | Spec of the OIDC client. -| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-oauth-v1alpha1-oidcclientstatus[$$OIDCClientStatus$$]__ | Status of the OIDC client. -|=== - - - - -[id="{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-oauth-v1alpha1-oidcclientspec"] -==== OIDCClientSpec - -OIDCClientSpec is a struct that describes an OIDC Client. - -.Appears In: -**** -- xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-oauth-v1alpha1-oidcclient[$$OIDCClient$$] -**** - -[cols="25a,75a", options="header"] -|=== -| Field | Description -| *`allowedRedirectURIs`* __string array__ | allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this client. Any other uris will be rejected. Must be https, unless it is a loopback. 
-| *`allowedGrantTypes`* __GrantType array__ | allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this client. - Must only contain the following values: - authorization_code: allows the client to perform the authorization code grant flow, i.e. allows the webapp to authenticate users. This grant must always be listed. - refresh_token: allows the client to perform refresh grants for the user to extend the user's session. This grant must be listed if allowedScopes lists offline_access. - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. This grant must be listed if allowedScopes lists pinniped:request-audience. -| *`allowedScopes`* __Scope array__ | allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. - Must only contain the following values: - openid: The client is allowed to request ID tokens. ID tokens only include the required claims by default (iss, sub, aud, exp, iat). This scope must always be listed. - offline_access: The client is allowed to request an initial refresh token during the authorization code grant flow. This scope must be listed if allowedGrantTypes lists refresh_token. - pinniped:request-audience: The client is allowed to request a new audience value during a RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. openid, username and groups scopes must be listed when this scope is present. This scope must be listed if allowedGrantTypes lists urn:ietf:params:oauth:grant-type:token-exchange. - username: The client is allowed to request that ID tokens contain the user's username. Without the username scope being requested and allowed, the ID token will not contain the user's username. 
- groups: The client is allowed to request that ID tokens contain the user's group membership, if their group membership is discoverable by the Supervisor. Without the groups scope being requested and allowed, the ID token will not contain groups. -|=== - - - - - -[id="{anchor_prefix}-oauth-virtual-supervisor-pinniped-dev-oauth"] -=== oauth.virtual.supervisor.pinniped.dev/oauth - -Package oauth is the internal version of the Pinniped virtual oauth API. - - - - - -[id="{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-virtual-oauth-oidcclientsecretrequestspec"] -==== OIDCClientSecretRequestSpec - - - -.Appears In: -**** -- xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-virtual-oauth-oidcclientsecretrequest[$$OIDCClientSecretRequest$$] -**** - -[cols="25a,75a", options="header"] -|=== -| Field | Description -| *`generateNewSecret`* __boolean__ | -| *`revokeOldSecrets`* __boolean__ | -|=== - - -[id="{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-virtual-oauth-oidcclientsecretrequeststatus"] -==== OIDCClientSecretRequestStatus - - - -.Appears In: -**** -- xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-virtual-oauth-oidcclientsecretrequest[$$OIDCClientSecretRequest$$] -**** - -[cols="25a,75a", options="header"] -|=== -| Field | Description -| *`generatedSecret`* __string__ | -| *`totalClientSecrets`* __integer__ | -|=== - - - -[id="{anchor_prefix}-oauth-virtual-supervisor-pinniped-dev-v1alpha1"] -=== oauth.virtual.supervisor.pinniped.dev/v1alpha1 - -Package v1alpha1 is the v1alpha1 version of the Pinniped virtual oauth API. 
- - - - - -[id="{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-virtual-oauth-v1alpha1-oidcclientsecretrequestspec"] -==== OIDCClientSecretRequestSpec - - - -.Appears In: -**** -- xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-virtual-oauth-v1alpha1-oidcclientsecretrequest[$$OIDCClientSecretRequest$$] -**** - -[cols="25a,75a", options="header"] -|=== -| Field | Description -| *`generateNewSecret`* __boolean__ | -| *`revokeOldSecrets`* __boolean__ | -|=== - - -[id="{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-virtual-oauth-v1alpha1-oidcclientsecretrequeststatus"] -==== OIDCClientSecretRequestStatus - - - -.Appears In: -**** -- xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-virtual-oauth-v1alpha1-oidcclientsecretrequest[$$OIDCClientSecretRequest$$] -**** - -[cols="25a,75a", options="header"] -|=== -| Field | Description -| *`generatedSecret`* __string__ | -| *`totalClientSecrets`* __integer__ | -|=== - - diff --git a/generated/1.23/apis/supervisor/clientsecret/doc.go b/generated/1.23/apis/supervisor/clientsecret/doc.go new file mode 100644 index 00000000..c536bc75 --- /dev/null +++ b/generated/1.23/apis/supervisor/clientsecret/doc.go @@ -0,0 +1,8 @@ +// Copyright 2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// +k8s:deepcopy-gen=package +// +groupName=clientsecret.supervisor.pinniped.dev + +// Package clientsecret is the internal version of the Pinniped client secret API. +package clientsecret diff --git a/generated/1.23/apis/supervisor/clientsecret/register.go b/generated/1.23/apis/supervisor/clientsecret/register.go new file mode 100644 index 00000000..4a1c0173 --- /dev/null +++ b/generated/1.23/apis/supervisor/clientsecret/register.go 
@@ -0,0 +1,37 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package clientsecret
+
+import (
+ "k8s.io/apimachinery/pkg/runtime"
+ "k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+const GroupName = "clientsecret.supervisor.pinniped.dev"
+
+// SchemeGroupVersion is group version used to register these objects.
+var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: runtime.APIVersionInternal}
+
+// Kind takes an unqualified kind and returns back a Group qualified GroupKind.
+func Kind(kind string) schema.GroupKind {
+ return SchemeGroupVersion.WithKind(kind).GroupKind()
+}
+
+// Resource takes an unqualified resource and returns back a Group qualified GroupResource.
+func Resource(resource string) schema.GroupResource {
+ return SchemeGroupVersion.WithResource(resource).GroupResource()
+}
+
+var (
+ SchemeBuilder = runtime.NewSchemeBuilder(addKnownTypes)
+ AddToScheme = SchemeBuilder.AddToScheme
+)
+
+// Adds the list of known types to the given scheme.
+func addKnownTypes(scheme *runtime.Scheme) error {
+ scheme.AddKnownTypes(SchemeGroupVersion,
+ &OIDCClientSecretRequest{},
+ )
+ return nil
+}
diff --git a/generated/1.23/apis/supervisor/clientsecret/types_oidcclientsecretrequest.go b/generated/1.23/apis/supervisor/clientsecret/types_oidcclientsecretrequest.go
new file mode 100644
index 00000000..7fd1eb65
--- /dev/null
+++ b/generated/1.23/apis/supervisor/clientsecret/types_oidcclientsecretrequest.go
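Review bot: The comment on addKnownTypes, `// Adds the list of known types to the given scheme.`, does not begin with the identifier, so godoc and the usual linters do not treat it as the function's documentation; `// addKnownTypes adds the list of known types to the given scheme.` fixes that. The exported `GroupName`, `SchemeBuilder` and `AddToScheme` in this new file have no comments at all; `// GroupName is the API group used in SchemeGroupVersion.` and one line each for the two vars would make the package lint-clean. The same uncommented `GroupName` and the same `// Adds the list of known types ...` wording recur in the clientsecret/v1alpha1 register.go hunk further down, so the fix applies there too.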
@@ -0,0 +1,25 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package clientsecret
+
+import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+type OIDCClientSecretRequestSpec struct {
+ GenerateNewSecret bool `json:"generateNewSecret"`
+ RevokeOldSecrets bool `json:"revokeOldSecrets"`
+}
+
+type OIDCClientSecretRequestStatus struct {
+ GeneratedSecret string `json:"generatedSecret,omitempty"`
+ TotalClientSecrets int `json:"totalClientSecrets"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+type OIDCClientSecretRequest struct {
+ metav1.TypeMeta `json:",inline"`
+ metav1.ObjectMeta `json:"metadata,omitempty"` // metadata.name must be set to the client ID
+
+ Spec OIDCClientSecretRequestSpec `json:"spec"`
+ Status OIDCClientSecretRequestStatus `json:"status"`
+}
diff --git a/generated/1.23/apis/supervisor/virtual/oauth/v1alpha1/conversion.go b/generated/1.23/apis/supervisor/clientsecret/v1alpha1/conversion.go
similarity index 100%
rename from generated/1.23/apis/supervisor/virtual/oauth/v1alpha1/conversion.go
rename to generated/1.23/apis/supervisor/clientsecret/v1alpha1/conversion.go
diff --git a/generated/1.23/apis/supervisor/virtual/oauth/v1alpha1/defaults.go b/generated/1.23/apis/supervisor/clientsecret/v1alpha1/defaults.go
similarity index 100%
rename from generated/1.23/apis/supervisor/virtual/oauth/v1alpha1/defaults.go
rename to generated/1.23/apis/supervisor/clientsecret/v1alpha1/defaults.go
diff --git a/generated/1.23/apis/supervisor/virtual/oauth/v1alpha1/doc.go b/generated/1.23/apis/supervisor/clientsecret/v1alpha1/doc.go
similarity index 64%
rename from generated/1.23/apis/supervisor/virtual/oauth/v1alpha1/doc.go
rename to generated/1.23/apis/supervisor/clientsecret/v1alpha1/doc.go
index dd351ef9..f59e90ce 100644
--- a/generated/1.23/apis/supervisor/virtual/oauth/v1alpha1/doc.go
+++ b/generated/1.23/apis/supervisor/clientsecret/v1alpha1/doc.go
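Review bot: None of the three exported types in this new file carries a doc comment, and the field that most needs one, `GeneratedSecret` in OIDCClientSecretRequestStatus, says nothing about how its value must be handled; from its name and json tag it presumably carries the newly issued client secret in plaintext. A field comment such as `// GeneratedSecret is the new client secret produced by this request; it is sensitive and must not be logged or persisted by callers.` and a type comment such as `// OIDCClientSecretRequest requests generation and/or revocation of client secrets for the OIDCClient named in metadata.name.` would close that gap. The trailing `// metadata.name must be set to the client ID` would be more useful as a doc comment above the ObjectMeta field, where documentation generators pick it up. The spec also leaves open what the server does when both GenerateNewSecret and RevokeOldSecrets are false; one sentence on each bool field would settle it.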
@@ -3,9 +3,9 @@
 
 // +k8s:openapi-gen=true
 // +k8s:deepcopy-gen=package
-// +k8s:conversion-gen=go.pinniped.dev/generated/1.23/apis/supervisor/virtual/oauth
+// +k8s:conversion-gen=go.pinniped.dev/generated/1.23/apis/supervisor/clientsecret
 // +k8s:defaulter-gen=TypeMeta
-// +groupName=oauth.virtual.supervisor.pinniped.dev
+// +groupName=clientsecret.supervisor.pinniped.dev
 
-// Package v1alpha1 is the v1alpha1 version of the Pinniped virtual oauth API.
+// Package v1alpha1 is the v1alpha1 version of the Pinniped client secret API.
 package v1alpha1
diff --git a/generated/1.23/apis/supervisor/clientsecret/v1alpha1/register.go b/generated/1.23/apis/supervisor/clientsecret/v1alpha1/register.go
new file mode 100644
index 00000000..49602125
--- /dev/null
+++ b/generated/1.23/apis/supervisor/clientsecret/v1alpha1/register.go
@@ -0,0 +1,42 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import (
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/apimachinery/pkg/runtime"
+ "k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+const GroupName = "clientsecret.supervisor.pinniped.dev"
+
+// SchemeGroupVersion is group version used to register these objects.
+var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha1"}
+
+var (
+ SchemeBuilder runtime.SchemeBuilder
+ localSchemeBuilder = &SchemeBuilder
+ AddToScheme = SchemeBuilder.AddToScheme
+)
+
+func init() {
+ // We only register manually written functions here. The registration of the
+ // generated functions takes place in the generated files. The separation
+ // makes the code compile even when the generated files are missing.
+ localSchemeBuilder.Register(addKnownTypes, addDefaultingFuncs)
+}
+
+// Adds the list of known types to the given scheme.
+func addKnownTypes(scheme *runtime.Scheme) error {
+ scheme.AddKnownTypes(SchemeGroupVersion,
+ &OIDCClientSecretRequest{},
+ )
+ metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
+ return nil
+}
+
+// Resource takes an unqualified resource and returns back a Group qualified GroupResource.
+func Resource(resource string) schema.GroupResource {
+ return SchemeGroupVersion.WithResource(resource).GroupResource()
+}
diff --git a/generated/1.23/apis/supervisor/virtual/oauth/v1alpha1/types_oidcclientsecretrequest.go b/generated/1.23/apis/supervisor/clientsecret/v1alpha1/types_oidcclientsecretrequest.go
similarity index 100%
rename from generated/1.23/apis/supervisor/virtual/oauth/v1alpha1/types_oidcclientsecretrequest.go
rename to generated/1.23/apis/supervisor/clientsecret/v1alpha1/types_oidcclientsecretrequest.go
diff --git a/generated/1.23/apis/supervisor/clientsecret/v1alpha1/zz_generated.conversion.go b/generated/1.23/apis/supervisor/clientsecret/v1alpha1/zz_generated.conversion.go
new file mode 100644
index 00000000..4b0bc6ae
--- /dev/null
+++ b/generated/1.23/apis/supervisor/clientsecret/v1alpha1/zz_generated.conversion.go
@@ -0,0 +1,131 @@ +//go:build !ignore_autogenerated +// +build !ignore_autogenerated + +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by conversion-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + clientsecret "go.pinniped.dev/generated/1.23/apis/supervisor/clientsecret" + conversion "k8s.io/apimachinery/pkg/conversion" + runtime "k8s.io/apimachinery/pkg/runtime" +) + +func init() { + localSchemeBuilder.Register(RegisterConversions) +} + +// RegisterConversions adds conversion functions to the given scheme. +// Public to allow building arbitrary schemes. +func RegisterConversions(s *runtime.Scheme) error { + if err := s.AddGeneratedConversionFunc((*OIDCClientSecretRequest)(nil), (*clientsecret.OIDCClientSecretRequest)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_v1alpha1_OIDCClientSecretRequest_To_clientsecret_OIDCClientSecretRequest(a.(*OIDCClientSecretRequest), b.(*clientsecret.OIDCClientSecretRequest), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*clientsecret.OIDCClientSecretRequest)(nil), (*OIDCClientSecretRequest)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_clientsecret_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest(a.(*clientsecret.OIDCClientSecretRequest), b.(*OIDCClientSecretRequest), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*OIDCClientSecretRequestSpec)(nil), (*clientsecret.OIDCClientSecretRequestSpec)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_v1alpha1_OIDCClientSecretRequestSpec_To_clientsecret_OIDCClientSecretRequestSpec(a.(*OIDCClientSecretRequestSpec), b.(*clientsecret.OIDCClientSecretRequestSpec), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*clientsecret.OIDCClientSecretRequestSpec)(nil), (*OIDCClientSecretRequestSpec)(nil), 
func(a, b interface{}, scope conversion.Scope) error { + return Convert_clientsecret_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec(a.(*clientsecret.OIDCClientSecretRequestSpec), b.(*OIDCClientSecretRequestSpec), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*OIDCClientSecretRequestStatus)(nil), (*clientsecret.OIDCClientSecretRequestStatus)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_v1alpha1_OIDCClientSecretRequestStatus_To_clientsecret_OIDCClientSecretRequestStatus(a.(*OIDCClientSecretRequestStatus), b.(*clientsecret.OIDCClientSecretRequestStatus), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*clientsecret.OIDCClientSecretRequestStatus)(nil), (*OIDCClientSecretRequestStatus)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_clientsecret_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus(a.(*clientsecret.OIDCClientSecretRequestStatus), b.(*OIDCClientSecretRequestStatus), scope) + }); err != nil { + return err + } + return nil +} + +func autoConvert_v1alpha1_OIDCClientSecretRequest_To_clientsecret_OIDCClientSecretRequest(in *OIDCClientSecretRequest, out *clientsecret.OIDCClientSecretRequest, s conversion.Scope) error { + out.ObjectMeta = in.ObjectMeta + if err := Convert_v1alpha1_OIDCClientSecretRequestSpec_To_clientsecret_OIDCClientSecretRequestSpec(&in.Spec, &out.Spec, s); err != nil { + return err + } + if err := Convert_v1alpha1_OIDCClientSecretRequestStatus_To_clientsecret_OIDCClientSecretRequestStatus(&in.Status, &out.Status, s); err != nil { + return err + } + return nil +} + +// Convert_v1alpha1_OIDCClientSecretRequest_To_clientsecret_OIDCClientSecretRequest is an autogenerated conversion function. 
+func Convert_v1alpha1_OIDCClientSecretRequest_To_clientsecret_OIDCClientSecretRequest(in *OIDCClientSecretRequest, out *clientsecret.OIDCClientSecretRequest, s conversion.Scope) error { + return autoConvert_v1alpha1_OIDCClientSecretRequest_To_clientsecret_OIDCClientSecretRequest(in, out, s) +} + +func autoConvert_clientsecret_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest(in *clientsecret.OIDCClientSecretRequest, out *OIDCClientSecretRequest, s conversion.Scope) error { + out.ObjectMeta = in.ObjectMeta + if err := Convert_clientsecret_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec(&in.Spec, &out.Spec, s); err != nil { + return err + } + if err := Convert_clientsecret_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus(&in.Status, &out.Status, s); err != nil { + return err + } + return nil +} + +// Convert_clientsecret_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest is an autogenerated conversion function. +func Convert_clientsecret_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest(in *clientsecret.OIDCClientSecretRequest, out *OIDCClientSecretRequest, s conversion.Scope) error { + return autoConvert_clientsecret_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest(in, out, s) +} + +func autoConvert_v1alpha1_OIDCClientSecretRequestSpec_To_clientsecret_OIDCClientSecretRequestSpec(in *OIDCClientSecretRequestSpec, out *clientsecret.OIDCClientSecretRequestSpec, s conversion.Scope) error { + out.GenerateNewSecret = in.GenerateNewSecret + out.RevokeOldSecrets = in.RevokeOldSecrets + return nil +} + +// Convert_v1alpha1_OIDCClientSecretRequestSpec_To_clientsecret_OIDCClientSecretRequestSpec is an autogenerated conversion function. 
+func Convert_v1alpha1_OIDCClientSecretRequestSpec_To_clientsecret_OIDCClientSecretRequestSpec(in *OIDCClientSecretRequestSpec, out *clientsecret.OIDCClientSecretRequestSpec, s conversion.Scope) error { + return autoConvert_v1alpha1_OIDCClientSecretRequestSpec_To_clientsecret_OIDCClientSecretRequestSpec(in, out, s) +} + +func autoConvert_clientsecret_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec(in *clientsecret.OIDCClientSecretRequestSpec, out *OIDCClientSecretRequestSpec, s conversion.Scope) error { + out.GenerateNewSecret = in.GenerateNewSecret + out.RevokeOldSecrets = in.RevokeOldSecrets + return nil +} + +// Convert_clientsecret_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec is an autogenerated conversion function. +func Convert_clientsecret_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec(in *clientsecret.OIDCClientSecretRequestSpec, out *OIDCClientSecretRequestSpec, s conversion.Scope) error { + return autoConvert_clientsecret_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec(in, out, s) +} + +func autoConvert_v1alpha1_OIDCClientSecretRequestStatus_To_clientsecret_OIDCClientSecretRequestStatus(in *OIDCClientSecretRequestStatus, out *clientsecret.OIDCClientSecretRequestStatus, s conversion.Scope) error { + out.GeneratedSecret = in.GeneratedSecret + out.TotalClientSecrets = in.TotalClientSecrets + return nil +} + +// Convert_v1alpha1_OIDCClientSecretRequestStatus_To_clientsecret_OIDCClientSecretRequestStatus is an autogenerated conversion function. 
+func Convert_v1alpha1_OIDCClientSecretRequestStatus_To_clientsecret_OIDCClientSecretRequestStatus(in *OIDCClientSecretRequestStatus, out *clientsecret.OIDCClientSecretRequestStatus, s conversion.Scope) error { + return autoConvert_v1alpha1_OIDCClientSecretRequestStatus_To_clientsecret_OIDCClientSecretRequestStatus(in, out, s) +} + +func autoConvert_clientsecret_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus(in *clientsecret.OIDCClientSecretRequestStatus, out *OIDCClientSecretRequestStatus, s conversion.Scope) error { + out.GeneratedSecret = in.GeneratedSecret + out.TotalClientSecrets = in.TotalClientSecrets + return nil +} + +// Convert_clientsecret_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus is an autogenerated conversion function. +func Convert_clientsecret_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus(in *clientsecret.OIDCClientSecretRequestStatus, out *OIDCClientSecretRequestStatus, s conversion.Scope) error { + return autoConvert_clientsecret_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus(in, out, s) +} diff --git a/generated/1.23/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.deepcopy.go b/generated/1.23/apis/supervisor/clientsecret/v1alpha1/zz_generated.deepcopy.go similarity index 100% rename from generated/1.23/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.deepcopy.go rename to generated/1.23/apis/supervisor/clientsecret/v1alpha1/zz_generated.deepcopy.go diff --git a/generated/1.23/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.defaults.go b/generated/1.23/apis/supervisor/clientsecret/v1alpha1/zz_generated.defaults.go similarity index 100% rename from generated/1.23/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.defaults.go rename to generated/1.23/apis/supervisor/clientsecret/v1alpha1/zz_generated.defaults.go 
diff --git a/generated/1.23/apis/supervisor/clientsecret/zz_generated.deepcopy.go b/generated/1.23/apis/supervisor/clientsecret/zz_generated.deepcopy.go
new file mode 100644
index 00000000..e0dc7d68
--- /dev/null
+++ b/generated/1.23/apis/supervisor/clientsecret/zz_generated.deepcopy.go
@@ -0,0 +1,73 @@ +//go:build !ignore_autogenerated +// +build !ignore_autogenerated + +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by deepcopy-gen. DO NOT EDIT. + +package clientsecret + +import ( + runtime "k8s.io/apimachinery/pkg/runtime" +) + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCClientSecretRequest) DeepCopyInto(out *OIDCClientSecretRequest) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + out.Spec = in.Spec + out.Status = in.Status + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSecretRequest. +func (in *OIDCClientSecretRequest) DeepCopy() *OIDCClientSecretRequest { + if in == nil { + return nil + } + out := new(OIDCClientSecretRequest) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *OIDCClientSecretRequest) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCClientSecretRequestSpec) DeepCopyInto(out *OIDCClientSecretRequestSpec) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSecretRequestSpec. +func (in *OIDCClientSecretRequestSpec) DeepCopy() *OIDCClientSecretRequestSpec { + if in == nil { + return nil + } + out := new(OIDCClientSecretRequestSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *OIDCClientSecretRequestStatus) DeepCopyInto(out *OIDCClientSecretRequestStatus) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSecretRequestStatus. +func (in *OIDCClientSecretRequestStatus) DeepCopy() *OIDCClientSecretRequestStatus { + if in == nil { + return nil + } + out := new(OIDCClientSecretRequestStatus) + in.DeepCopyInto(out) + return out +} diff --git a/generated/1.23/apis/supervisor/config/v1alpha1/register.go b/generated/1.23/apis/supervisor/config/v1alpha1/register.go index 69045298..54c51699 100644 --- a/generated/1.23/apis/supervisor/config/v1alpha1/register.go +++ b/generated/1.23/apis/supervisor/config/v1alpha1/register.go @@ -32,6 +32,8 @@ func addKnownTypes(scheme *runtime.Scheme) error { scheme.AddKnownTypes(SchemeGroupVersion, &FederationDomain{}, &FederationDomainList{}, + &OIDCClient{}, + &OIDCClientList{}, ) metav1.AddToGroupVersion(scheme, SchemeGroupVersion) return nil diff --git a/generated/1.23/apis/supervisor/oauth/v1alpha1/types_oidcclient.go b/generated/1.23/apis/supervisor/config/v1alpha1/types_oidcclient.go similarity index 100% rename from generated/1.23/apis/supervisor/oauth/v1alpha1/types_oidcclient.go rename to generated/1.23/apis/supervisor/config/v1alpha1/types_oidcclient.go diff --git a/generated/1.23/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go b/generated/1.23/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go index 856b8988..a55d88e7 100644 --- a/generated/1.23/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go +++ b/generated/1.23/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go 
@@ -150,3 +150,111 @@ func (in *FederationDomainTLSSpec) DeepCopy() *FederationDomainTLSSpec { in.DeepCopyInto(out) return out } + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCClient) DeepCopyInto(out *OIDCClient) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + in.Spec.DeepCopyInto(&out.Spec) + out.Status = in.Status + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClient. +func (in *OIDCClient) DeepCopy() *OIDCClient { + if in == nil { + return nil + } + out := new(OIDCClient) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *OIDCClient) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCClientList) DeepCopyInto(out *OIDCClientList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]OIDCClient, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientList. +func (in *OIDCClientList) DeepCopy() *OIDCClientList { + if in == nil { + return nil + } + out := new(OIDCClientList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *OIDCClientList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. 
in must be non-nil. +func (in *OIDCClientSpec) DeepCopyInto(out *OIDCClientSpec) { + *out = *in + if in.AllowedRedirectURIs != nil { + in, out := &in.AllowedRedirectURIs, &out.AllowedRedirectURIs + *out = make([]string, len(*in)) + copy(*out, *in) + } + if in.AllowedGrantTypes != nil { + in, out := &in.AllowedGrantTypes, &out.AllowedGrantTypes + *out = make([]GrantType, len(*in)) + copy(*out, *in) + } + if in.AllowedScopes != nil { + in, out := &in.AllowedScopes, &out.AllowedScopes + *out = make([]Scope, len(*in)) + copy(*out, *in) + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSpec. +func (in *OIDCClientSpec) DeepCopy() *OIDCClientSpec { + if in == nil { + return nil + } + out := new(OIDCClientSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCClientStatus) DeepCopyInto(out *OIDCClientStatus) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientStatus. +func (in *OIDCClientStatus) DeepCopy() *OIDCClientStatus { + if in == nil { + return nil + } + out := new(OIDCClientStatus) + in.DeepCopyInto(out) + return out +} diff --git a/generated/1.23/apis/supervisor/oauth/v1alpha1/doc.go b/generated/1.23/apis/supervisor/oauth/v1alpha1/doc.go deleted file mode 100644 index 75580481..00000000 --- a/generated/1.23/apis/supervisor/oauth/v1alpha1/doc.go +++ /dev/null @@ -1,10 +0,0 @@ -// Copyright 2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// +k8s:openapi-gen=true -// +k8s:deepcopy-gen=package -// +k8s:defaulter-gen=TypeMeta -// +groupName=oauth.supervisor.pinniped.dev - -// Package v1alpha1 is the v1alpha1 version of the Pinniped supervisor oauth API. -package v1alpha1 
diff --git a/generated/1.23/apis/supervisor/oauth/v1alpha1/register.go b/generated/1.23/apis/supervisor/oauth/v1alpha1/register.go
deleted file mode 100644
index 37ae1fbf..00000000
--- a/generated/1.23/apis/supervisor/oauth/v1alpha1/register.go
+++ /dev/null
@@ -1,43 +0,0 @@
-// Copyright 2022 the Pinniped contributors. All Rights Reserved.
-// SPDX-License-Identifier: Apache-2.0
-
-package v1alpha1
-
-import (
- metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
- "k8s.io/apimachinery/pkg/runtime"
- "k8s.io/apimachinery/pkg/runtime/schema"
-)
-
-const GroupName = "oauth.supervisor.pinniped.dev"
-
-// SchemeGroupVersion is group version used to register these objects.
-var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha1"}
-
-var (
- SchemeBuilder runtime.SchemeBuilder
- localSchemeBuilder = &SchemeBuilder
- AddToScheme = localSchemeBuilder.AddToScheme
-)
-
-func init() {
- // We only register manually written functions here. The registration of the
- // generated functions takes place in the generated files. The separation
- // makes the code compile even when the generated files are missing.
- localSchemeBuilder.Register(addKnownTypes)
-}
-
-// Adds the list of known types to the given scheme.
-func addKnownTypes(scheme *runtime.Scheme) error {
- scheme.AddKnownTypes(SchemeGroupVersion,
- &OIDCClient{},
- &OIDCClientList{},
- )
- metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
- return nil
-}
-
-// Resource takes an unqualified resource and returns a Group qualified GroupResource.
-func Resource(resource string) schema.GroupResource {
- return SchemeGroupVersion.WithResource(resource).GroupResource()
-}
diff --git a/generated/1.23/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go b/generated/1.23/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go
deleted file mode 100644
index 1aba8aea..00000000
--- a/generated/1.23/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go
+++ /dev/null
@@ -1,121 +0,0 @@ -//go:build !ignore_autogenerated -// +build !ignore_autogenerated - -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by deepcopy-gen. DO NOT EDIT. - -package v1alpha1 - -import ( - runtime "k8s.io/apimachinery/pkg/runtime" -) - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *OIDCClient) DeepCopyInto(out *OIDCClient) { - *out = *in - out.TypeMeta = in.TypeMeta - in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) - in.Spec.DeepCopyInto(&out.Spec) - out.Status = in.Status - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClient. -func (in *OIDCClient) DeepCopy() *OIDCClient { - if in == nil { - return nil - } - out := new(OIDCClient) - in.DeepCopyInto(out) - return out -} - -// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. -func (in *OIDCClient) DeepCopyObject() runtime.Object { - if c := in.DeepCopy(); c != nil { - return c - } - return nil -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *OIDCClientList) DeepCopyInto(out *OIDCClientList) { - *out = *in - out.TypeMeta = in.TypeMeta - in.ListMeta.DeepCopyInto(&out.ListMeta) - if in.Items != nil { - in, out := &in.Items, &out.Items - *out = make([]OIDCClient, len(*in)) - for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) - } - } - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientList. -func (in *OIDCClientList) DeepCopy() *OIDCClientList { - if in == nil { - return nil - } - out := new(OIDCClientList) - in.DeepCopyInto(out) - return out -} - -// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. 
-func (in *OIDCClientList) DeepCopyObject() runtime.Object { - if c := in.DeepCopy(); c != nil { - return c - } - return nil -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *OIDCClientSpec) DeepCopyInto(out *OIDCClientSpec) { - *out = *in - if in.AllowedRedirectURIs != nil { - in, out := &in.AllowedRedirectURIs, &out.AllowedRedirectURIs - *out = make([]string, len(*in)) - copy(*out, *in) - } - if in.AllowedGrantTypes != nil { - in, out := &in.AllowedGrantTypes, &out.AllowedGrantTypes - *out = make([]GrantType, len(*in)) - copy(*out, *in) - } - if in.AllowedScopes != nil { - in, out := &in.AllowedScopes, &out.AllowedScopes - *out = make([]Scope, len(*in)) - copy(*out, *in) - } - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSpec. -func (in *OIDCClientSpec) DeepCopy() *OIDCClientSpec { - if in == nil { - return nil - } - out := new(OIDCClientSpec) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *OIDCClientStatus) DeepCopyInto(out *OIDCClientStatus) { - *out = *in - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientStatus. -func (in *OIDCClientStatus) DeepCopy() *OIDCClientStatus { - if in == nil { - return nil - } - out := new(OIDCClientStatus) - in.DeepCopyInto(out) - return out -} diff --git a/generated/1.23/apis/supervisor/virtual/oauth/doc.go b/generated/1.23/apis/supervisor/virtual/oauth/doc.go deleted file mode 100644 index ca4e9a63..00000000 --- a/generated/1.23/apis/supervisor/virtual/oauth/doc.go +++ /dev/null 
@@ -1,8 +0,0 @@
-// Copyright 2022 the Pinniped contributors. All Rights Reserved.
-// SPDX-License-Identifier: Apache-2.0
-
-// +k8s:deepcopy-gen=package
-// +groupName=oauth.virtual.supervisor.pinniped.dev
-
-// Package oauth is the internal version of the Pinniped virtual oauth API.
-package oauth
diff --git a/generated/1.23/apis/supervisor/virtual/oauth/register.go b/generated/1.23/apis/supervisor/virtual/oauth/register.go
deleted file mode 100644
index a238d85f..00000000
--- a/generated/1.23/apis/supervisor/virtual/oauth/register.go
+++ /dev/null
@@ -1,37 +0,0 @@
-// Copyright 2022 the Pinniped contributors. All Rights Reserved.
-// SPDX-License-Identifier: Apache-2.0
-
-package oauth
-
-import (
- "k8s.io/apimachinery/pkg/runtime"
- "k8s.io/apimachinery/pkg/runtime/schema"
-)
-
-const GroupName = "oauth.virtual.supervisor.pinniped.dev"
-
-// SchemeGroupVersion is group version used to register these objects.
-var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: runtime.APIVersionInternal}
-
-// Kind takes an unqualified kind and returns back a Group qualified GroupKind.
-func Kind(kind string) schema.GroupKind {
- return SchemeGroupVersion.WithKind(kind).GroupKind()
-}
-
-// Resource takes an unqualified resource and returns back a Group qualified GroupResource.
-func Resource(resource string) schema.GroupResource {
- return SchemeGroupVersion.WithResource(resource).GroupResource()
-}
-
-var (
- SchemeBuilder = runtime.NewSchemeBuilder(addKnownTypes)
- AddToScheme = SchemeBuilder.AddToScheme
-)
-
-// Adds the list of known types to the given scheme.
-func addKnownTypes(scheme *runtime.Scheme) error {
- scheme.AddKnownTypes(SchemeGroupVersion,
- &OIDCClientSecretRequest{},
- )
- return nil
-}
diff --git a/generated/1.23/apis/supervisor/virtual/oauth/types_oidcclientsecretrequest.go b/generated/1.23/apis/supervisor/virtual/oauth/types_oidcclientsecretrequest.go
deleted file mode 100644
index ac54a93c..00000000
--- a/generated/1.23/apis/supervisor/virtual/oauth/types_oidcclientsecretrequest.go
+++ /dev/null
@@ -1,25 +0,0 @@
-// Copyright 2022 the Pinniped contributors. All Rights Reserved.
-// SPDX-License-Identifier: Apache-2.0
-
-package oauth
-
-import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-
-type OIDCClientSecretRequestSpec struct {
- GenerateNewSecret bool `json:"generateNewSecret"`
- RevokeOldSecrets bool `json:"revokeOldSecrets"`
-}
-
-type OIDCClientSecretRequestStatus struct {
- GeneratedSecret string `json:"generatedSecret,omitempty"`
- TotalClientSecrets int `json:"totalClientSecrets"`
-}
-
-// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
-type OIDCClientSecretRequest struct {
- metav1.TypeMeta `json:",inline"`
- metav1.ObjectMeta `json:"metadata,omitempty"` // metadata.name must be set to the client ID
-
- Spec OIDCClientSecretRequestSpec `json:"spec"`
- Status OIDCClientSecretRequestStatus `json:"status"`
-}
diff --git a/generated/1.23/apis/supervisor/virtual/oauth/v1alpha1/register.go b/generated/1.23/apis/supervisor/virtual/oauth/v1alpha1/register.go
deleted file mode 100644
index ecc75a08..00000000
--- a/generated/1.23/apis/supervisor/virtual/oauth/v1alpha1/register.go
+++ /dev/null
@@ -1,42 +0,0 @@ -// Copyright 2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -package v1alpha1 - -import ( - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - "k8s.io/apimachinery/pkg/runtime" - "k8s.io/apimachinery/pkg/runtime/schema" -) - -const GroupName = "oauth.virtual.supervisor.pinniped.dev" - -// SchemeGroupVersion is group version used to register these objects. -var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha1"} - -var ( - SchemeBuilder runtime.SchemeBuilder - localSchemeBuilder = &SchemeBuilder - AddToScheme = SchemeBuilder.AddToScheme -) - -func init() { - // We only register manually written functions here. The registration of the - // generated functions takes place in the generated files. The separation - // makes the code compile even when the generated files are missing. - localSchemeBuilder.Register(addKnownTypes, addDefaultingFuncs) -} - -// Adds the list of known types to the given scheme. -func addKnownTypes(scheme *runtime.Scheme) error { - scheme.AddKnownTypes(SchemeGroupVersion, - &OIDCClientSecretRequest{}, - ) - metav1.AddToGroupVersion(scheme, SchemeGroupVersion) - return nil -} - -// Resource takes an unqualified resource and returns back a Group qualified GroupResource. -func Resource(resource string) schema.GroupResource { - return SchemeGroupVersion.WithResource(resource).GroupResource() -} diff --git a/generated/1.23/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.conversion.go b/generated/1.23/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.conversion.go deleted file mode 100644 index 300b394f..00000000 --- a/generated/1.23/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.conversion.go +++ /dev/null 
@@ -1,131 +0,0 @@ -//go:build !ignore_autogenerated -// +build !ignore_autogenerated - -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by conversion-gen. DO NOT EDIT. - -package v1alpha1 - -import ( - oauth "go.pinniped.dev/generated/1.23/apis/supervisor/virtual/oauth" - conversion "k8s.io/apimachinery/pkg/conversion" - runtime "k8s.io/apimachinery/pkg/runtime" -) - -func init() { - localSchemeBuilder.Register(RegisterConversions) -} - -// RegisterConversions adds conversion functions to the given scheme. -// Public to allow building arbitrary schemes. -func RegisterConversions(s *runtime.Scheme) error { - if err := s.AddGeneratedConversionFunc((*OIDCClientSecretRequest)(nil), (*oauth.OIDCClientSecretRequest)(nil), func(a, b interface{}, scope conversion.Scope) error { - return Convert_v1alpha1_OIDCClientSecretRequest_To_oauth_OIDCClientSecretRequest(a.(*OIDCClientSecretRequest), b.(*oauth.OIDCClientSecretRequest), scope) - }); err != nil { - return err - } - if err := s.AddGeneratedConversionFunc((*oauth.OIDCClientSecretRequest)(nil), (*OIDCClientSecretRequest)(nil), func(a, b interface{}, scope conversion.Scope) error { - return Convert_oauth_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest(a.(*oauth.OIDCClientSecretRequest), b.(*OIDCClientSecretRequest), scope) - }); err != nil { - return err - } - if err := s.AddGeneratedConversionFunc((*OIDCClientSecretRequestSpec)(nil), (*oauth.OIDCClientSecretRequestSpec)(nil), func(a, b interface{}, scope conversion.Scope) error { - return Convert_v1alpha1_OIDCClientSecretRequestSpec_To_oauth_OIDCClientSecretRequestSpec(a.(*OIDCClientSecretRequestSpec), b.(*oauth.OIDCClientSecretRequestSpec), scope) - }); err != nil { - return err - } - if err := s.AddGeneratedConversionFunc((*oauth.OIDCClientSecretRequestSpec)(nil), (*OIDCClientSecretRequestSpec)(nil), func(a, b interface{}, scope conversion.Scope) error { - return 
Convert_oauth_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec(a.(*oauth.OIDCClientSecretRequestSpec), b.(*OIDCClientSecretRequestSpec), scope) - }); err != nil { - return err - } - if err := s.AddGeneratedConversionFunc((*OIDCClientSecretRequestStatus)(nil), (*oauth.OIDCClientSecretRequestStatus)(nil), func(a, b interface{}, scope conversion.Scope) error { - return Convert_v1alpha1_OIDCClientSecretRequestStatus_To_oauth_OIDCClientSecretRequestStatus(a.(*OIDCClientSecretRequestStatus), b.(*oauth.OIDCClientSecretRequestStatus), scope) - }); err != nil { - return err - } - if err := s.AddGeneratedConversionFunc((*oauth.OIDCClientSecretRequestStatus)(nil), (*OIDCClientSecretRequestStatus)(nil), func(a, b interface{}, scope conversion.Scope) error { - return Convert_oauth_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus(a.(*oauth.OIDCClientSecretRequestStatus), b.(*OIDCClientSecretRequestStatus), scope) - }); err != nil { - return err - } - return nil -} - -func autoConvert_v1alpha1_OIDCClientSecretRequest_To_oauth_OIDCClientSecretRequest(in *OIDCClientSecretRequest, out *oauth.OIDCClientSecretRequest, s conversion.Scope) error { - out.ObjectMeta = in.ObjectMeta - if err := Convert_v1alpha1_OIDCClientSecretRequestSpec_To_oauth_OIDCClientSecretRequestSpec(&in.Spec, &out.Spec, s); err != nil { - return err - } - if err := Convert_v1alpha1_OIDCClientSecretRequestStatus_To_oauth_OIDCClientSecretRequestStatus(&in.Status, &out.Status, s); err != nil { - return err - } - return nil -} - -// Convert_v1alpha1_OIDCClientSecretRequest_To_oauth_OIDCClientSecretRequest is an autogenerated conversion function. 
-func Convert_v1alpha1_OIDCClientSecretRequest_To_oauth_OIDCClientSecretRequest(in *OIDCClientSecretRequest, out *oauth.OIDCClientSecretRequest, s conversion.Scope) error { - return autoConvert_v1alpha1_OIDCClientSecretRequest_To_oauth_OIDCClientSecretRequest(in, out, s) -} - -func autoConvert_oauth_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest(in *oauth.OIDCClientSecretRequest, out *OIDCClientSecretRequest, s conversion.Scope) error { - out.ObjectMeta = in.ObjectMeta - if err := Convert_oauth_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec(&in.Spec, &out.Spec, s); err != nil { - return err - } - if err := Convert_oauth_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus(&in.Status, &out.Status, s); err != nil { - return err - } - return nil -} - -// Convert_oauth_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest is an autogenerated conversion function. -func Convert_oauth_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest(in *oauth.OIDCClientSecretRequest, out *OIDCClientSecretRequest, s conversion.Scope) error { - return autoConvert_oauth_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest(in, out, s) -} - -func autoConvert_v1alpha1_OIDCClientSecretRequestSpec_To_oauth_OIDCClientSecretRequestSpec(in *OIDCClientSecretRequestSpec, out *oauth.OIDCClientSecretRequestSpec, s conversion.Scope) error { - out.GenerateNewSecret = in.GenerateNewSecret - out.RevokeOldSecrets = in.RevokeOldSecrets - return nil -} - -// Convert_v1alpha1_OIDCClientSecretRequestSpec_To_oauth_OIDCClientSecretRequestSpec is an autogenerated conversion function. 
-func Convert_v1alpha1_OIDCClientSecretRequestSpec_To_oauth_OIDCClientSecretRequestSpec(in *OIDCClientSecretRequestSpec, out *oauth.OIDCClientSecretRequestSpec, s conversion.Scope) error { - return autoConvert_v1alpha1_OIDCClientSecretRequestSpec_To_oauth_OIDCClientSecretRequestSpec(in, out, s) -} - -func autoConvert_oauth_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec(in *oauth.OIDCClientSecretRequestSpec, out *OIDCClientSecretRequestSpec, s conversion.Scope) error { - out.GenerateNewSecret = in.GenerateNewSecret - out.RevokeOldSecrets = in.RevokeOldSecrets - return nil -} - -// Convert_oauth_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec is an autogenerated conversion function. -func Convert_oauth_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec(in *oauth.OIDCClientSecretRequestSpec, out *OIDCClientSecretRequestSpec, s conversion.Scope) error { - return autoConvert_oauth_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec(in, out, s) -} - -func autoConvert_v1alpha1_OIDCClientSecretRequestStatus_To_oauth_OIDCClientSecretRequestStatus(in *OIDCClientSecretRequestStatus, out *oauth.OIDCClientSecretRequestStatus, s conversion.Scope) error { - out.GeneratedSecret = in.GeneratedSecret - out.TotalClientSecrets = in.TotalClientSecrets - return nil -} - -// Convert_v1alpha1_OIDCClientSecretRequestStatus_To_oauth_OIDCClientSecretRequestStatus is an autogenerated conversion function. 
-func Convert_v1alpha1_OIDCClientSecretRequestStatus_To_oauth_OIDCClientSecretRequestStatus(in *OIDCClientSecretRequestStatus, out *oauth.OIDCClientSecretRequestStatus, s conversion.Scope) error { - return autoConvert_v1alpha1_OIDCClientSecretRequestStatus_To_oauth_OIDCClientSecretRequestStatus(in, out, s) -} - -func autoConvert_oauth_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus(in *oauth.OIDCClientSecretRequestStatus, out *OIDCClientSecretRequestStatus, s conversion.Scope) error { - out.GeneratedSecret = in.GeneratedSecret - out.TotalClientSecrets = in.TotalClientSecrets - return nil -} - -// Convert_oauth_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus is an autogenerated conversion function. -func Convert_oauth_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus(in *oauth.OIDCClientSecretRequestStatus, out *OIDCClientSecretRequestStatus, s conversion.Scope) error { - return autoConvert_oauth_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus(in, out, s) -} diff --git a/generated/1.23/apis/supervisor/virtual/oauth/zz_generated.deepcopy.go b/generated/1.23/apis/supervisor/virtual/oauth/zz_generated.deepcopy.go deleted file mode 100644 index 24b58e7b..00000000 --- a/generated/1.23/apis/supervisor/virtual/oauth/zz_generated.deepcopy.go +++ /dev/null 
@@ -1,73 +0,0 @@ -//go:build !ignore_autogenerated -// +build !ignore_autogenerated - -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by deepcopy-gen. DO NOT EDIT. - -package oauth - -import ( - runtime "k8s.io/apimachinery/pkg/runtime" -) - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *OIDCClientSecretRequest) DeepCopyInto(out *OIDCClientSecretRequest) { - *out = *in - out.TypeMeta = in.TypeMeta - in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) - out.Spec = in.Spec - out.Status = in.Status - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSecretRequest. -func (in *OIDCClientSecretRequest) DeepCopy() *OIDCClientSecretRequest { - if in == nil { - return nil - } - out := new(OIDCClientSecretRequest) - in.DeepCopyInto(out) - return out -} - -// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. -func (in *OIDCClientSecretRequest) DeepCopyObject() runtime.Object { - if c := in.DeepCopy(); c != nil { - return c - } - return nil -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *OIDCClientSecretRequestSpec) DeepCopyInto(out *OIDCClientSecretRequestSpec) { - *out = *in - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSecretRequestSpec. -func (in *OIDCClientSecretRequestSpec) DeepCopy() *OIDCClientSecretRequestSpec { - if in == nil { - return nil - } - out := new(OIDCClientSecretRequestSpec) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
-func (in *OIDCClientSecretRequestStatus) DeepCopyInto(out *OIDCClientSecretRequestStatus) { - *out = *in - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSecretRequestStatus. -func (in *OIDCClientSecretRequestStatus) DeepCopy() *OIDCClientSecretRequestStatus { - if in == nil { - return nil - } - out := new(OIDCClientSecretRequestStatus) - in.DeepCopyInto(out) - return out -} diff --git a/generated/1.23/client/supervisor/clientset/versioned/clientset.go b/generated/1.23/client/supervisor/clientset/versioned/clientset.go index 0347d1bb..ec9ff03c 100644 --- a/generated/1.23/client/supervisor/clientset/versioned/clientset.go +++ b/generated/1.23/client/supervisor/clientset/versioned/clientset.go @@ -9,9 +9,9 @@ import ( "fmt" "net/http" + clientsecretv1alpha1 "go.pinniped.dev/generated/1.23/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1" configv1alpha1 "go.pinniped.dev/generated/1.23/client/supervisor/clientset/versioned/typed/config/v1alpha1" idpv1alpha1 "go.pinniped.dev/generated/1.23/client/supervisor/clientset/versioned/typed/idp/v1alpha1" - oauthv1alpha1 "go.pinniped.dev/generated/1.23/client/supervisor/clientset/versioned/typed/oauth/v1alpha1" discovery "k8s.io/client-go/discovery" rest "k8s.io/client-go/rest" flowcontrol "k8s.io/client-go/util/flowcontrol" 
@@ -19,18 +19,23 @@ import ( type Interface interface { Discovery() discovery.DiscoveryInterface + ClientsecretV1alpha1() clientsecretv1alpha1.ClientsecretV1alpha1Interface ConfigV1alpha1() configv1alpha1.ConfigV1alpha1Interface IDPV1alpha1() idpv1alpha1.IDPV1alpha1Interface - OauthV1alpha1() oauthv1alpha1.OauthV1alpha1Interface } // Clientset contains the clients for groups. Each group has exactly one // version included in a Clientset. type Clientset struct { *discovery.DiscoveryClient - configV1alpha1 *configv1alpha1.ConfigV1alpha1Client - iDPV1alpha1 *idpv1alpha1.IDPV1alpha1Client - oauthV1alpha1 *oauthv1alpha1.OauthV1alpha1Client + clientsecretV1alpha1 *clientsecretv1alpha1.ClientsecretV1alpha1Client + configV1alpha1 *configv1alpha1.ConfigV1alpha1Client + iDPV1alpha1 *idpv1alpha1.IDPV1alpha1Client +} + +// ClientsecretV1alpha1 retrieves the ClientsecretV1alpha1Client +func (c *Clientset) ClientsecretV1alpha1() clientsecretv1alpha1.ClientsecretV1alpha1Interface { + return c.clientsecretV1alpha1 } // ConfigV1alpha1 retrieves the ConfigV1alpha1Client @@ -43,11 +48,6 @@ func (c *Clientset) IDPV1alpha1() idpv1alpha1.IDPV1alpha1Interface { return c.iDPV1alpha1 } -// OauthV1alpha1 retrieves the OauthV1alpha1Client -func (c *Clientset) OauthV1alpha1() oauthv1alpha1.OauthV1alpha1Interface { - return c.oauthV1alpha1 -} - // Discovery retrieves the DiscoveryClient func (c *Clientset) Discovery() discovery.DiscoveryInterface { if c == nil { @@ -92,6 +92,10 @@ func NewForConfigAndClient(c *rest.Config, httpClient *http.Client) (*Clientset, var cs Clientset var err error + cs.clientsecretV1alpha1, err = clientsecretv1alpha1.NewForConfigAndClient(&configShallowCopy, httpClient) + if err != nil { + return nil, err + } cs.configV1alpha1, err = configv1alpha1.NewForConfigAndClient(&configShallowCopy, httpClient) if err != nil { return nil, err 
@@ -100,10 +104,6 @@ func NewForConfigAndClient(c *rest.Config, httpClient *http.Client) (*Clientset, if err != nil { return nil, err } - cs.oauthV1alpha1, err = oauthv1alpha1.NewForConfigAndClient(&configShallowCopy, httpClient) - if err != nil { - return nil, err - } cs.DiscoveryClient, err = discovery.NewDiscoveryClientForConfigAndClient(&configShallowCopy, httpClient) if err != nil { @@ -125,9 +125,9 @@ func NewForConfigOrDie(c *rest.Config) *Clientset { // New creates a new Clientset for the given RESTClient. func New(c rest.Interface) *Clientset { var cs Clientset + cs.clientsecretV1alpha1 = clientsecretv1alpha1.New(c) cs.configV1alpha1 = configv1alpha1.New(c) cs.iDPV1alpha1 = idpv1alpha1.New(c) - cs.oauthV1alpha1 = oauthv1alpha1.New(c) cs.DiscoveryClient = discovery.NewDiscoveryClient(c) return &cs diff --git a/generated/1.23/client/supervisor/clientset/versioned/fake/clientset_generated.go b/generated/1.23/client/supervisor/clientset/versioned/fake/clientset_generated.go index 26e5ff04..b356af4c 100644 --- a/generated/1.23/client/supervisor/clientset/versioned/fake/clientset_generated.go +++ b/generated/1.23/client/supervisor/clientset/versioned/fake/clientset_generated.go 
@@ -7,12 +7,12 @@ package fake import ( clientset "go.pinniped.dev/generated/1.23/client/supervisor/clientset/versioned" + clientsecretv1alpha1 "go.pinniped.dev/generated/1.23/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1" + fakeclientsecretv1alpha1 "go.pinniped.dev/generated/1.23/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/fake" configv1alpha1 "go.pinniped.dev/generated/1.23/client/supervisor/clientset/versioned/typed/config/v1alpha1" fakeconfigv1alpha1 "go.pinniped.dev/generated/1.23/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake" idpv1alpha1 "go.pinniped.dev/generated/1.23/client/supervisor/clientset/versioned/typed/idp/v1alpha1" fakeidpv1alpha1 "go.pinniped.dev/generated/1.23/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake" - oauthv1alpha1 "go.pinniped.dev/generated/1.23/client/supervisor/clientset/versioned/typed/oauth/v1alpha1" - fakeoauthv1alpha1 "go.pinniped.dev/generated/1.23/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake" "k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/watch" "k8s.io/client-go/discovery" @@ -70,6 +70,11 @@ var ( _ testing.FakeClient = &Clientset{} ) +// ClientsecretV1alpha1 retrieves the ClientsecretV1alpha1Client +func (c *Clientset) ClientsecretV1alpha1() clientsecretv1alpha1.ClientsecretV1alpha1Interface { + return &fakeclientsecretv1alpha1.FakeClientsecretV1alpha1{Fake: &c.Fake} +} + // ConfigV1alpha1 retrieves the ConfigV1alpha1Client func (c *Clientset) ConfigV1alpha1() configv1alpha1.ConfigV1alpha1Interface { return &fakeconfigv1alpha1.FakeConfigV1alpha1{Fake: &c.Fake} 
@@ -79,8 +84,3 @@ func (c *Clientset) ConfigV1alpha1() configv1alpha1.ConfigV1alpha1Interface { func (c *Clientset) IDPV1alpha1() idpv1alpha1.IDPV1alpha1Interface { return &fakeidpv1alpha1.FakeIDPV1alpha1{Fake: &c.Fake} } - -// OauthV1alpha1 retrieves the OauthV1alpha1Client -func (c *Clientset) OauthV1alpha1() oauthv1alpha1.OauthV1alpha1Interface { - return &fakeoauthv1alpha1.FakeOauthV1alpha1{Fake: &c.Fake} -} diff --git a/generated/1.23/client/supervisor/clientset/versioned/fake/register.go b/generated/1.23/client/supervisor/clientset/versioned/fake/register.go index 328aca4e..3047d642 100644 --- a/generated/1.23/client/supervisor/clientset/versioned/fake/register.go +++ b/generated/1.23/client/supervisor/clientset/versioned/fake/register.go @@ -6,9 +6,9 @@ package fake import ( + clientsecretv1alpha1 "go.pinniped.dev/generated/1.23/apis/supervisor/clientsecret/v1alpha1" configv1alpha1 "go.pinniped.dev/generated/1.23/apis/supervisor/config/v1alpha1" idpv1alpha1 "go.pinniped.dev/generated/1.23/apis/supervisor/idp/v1alpha1" - oauthv1alpha1 "go.pinniped.dev/generated/1.23/apis/supervisor/oauth/v1alpha1" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" runtime "k8s.io/apimachinery/pkg/runtime" schema "k8s.io/apimachinery/pkg/runtime/schema" @@ -20,9 +20,9 @@ var scheme = runtime.NewScheme() var codecs = serializer.NewCodecFactory(scheme) var localSchemeBuilder = runtime.SchemeBuilder{ + clientsecretv1alpha1.AddToScheme, configv1alpha1.AddToScheme, idpv1alpha1.AddToScheme, - oauthv1alpha1.AddToScheme, } // AddToScheme adds all types of this clientset into the given scheme. This allows composition diff --git a/generated/1.23/client/supervisor/clientset/versioned/scheme/register.go b/generated/1.23/client/supervisor/clientset/versioned/scheme/register.go index 5d908f2e..53d9a9dd 100644 --- a/generated/1.23/client/supervisor/clientset/versioned/scheme/register.go +++ b/generated/1.23/client/supervisor/clientset/versioned/scheme/register.go 
@@ -6,9 +6,9 @@ package scheme import ( + clientsecretv1alpha1 "go.pinniped.dev/generated/1.23/apis/supervisor/clientsecret/v1alpha1" configv1alpha1 "go.pinniped.dev/generated/1.23/apis/supervisor/config/v1alpha1" idpv1alpha1 "go.pinniped.dev/generated/1.23/apis/supervisor/idp/v1alpha1" - oauthv1alpha1 "go.pinniped.dev/generated/1.23/apis/supervisor/oauth/v1alpha1" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" runtime "k8s.io/apimachinery/pkg/runtime" schema "k8s.io/apimachinery/pkg/runtime/schema" @@ -20,9 +20,9 @@ var Scheme = runtime.NewScheme() var Codecs = serializer.NewCodecFactory(Scheme) var ParameterCodec = runtime.NewParameterCodec(Scheme) var localSchemeBuilder = runtime.SchemeBuilder{ + clientsecretv1alpha1.AddToScheme, configv1alpha1.AddToScheme, idpv1alpha1.AddToScheme, - oauthv1alpha1.AddToScheme, } // AddToScheme adds all types of this clientset into the given scheme. This allows composition diff --git a/generated/1.23/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go b/generated/1.23/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/clientsecret_client.go similarity index 55% rename from generated/1.23/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go rename to generated/1.23/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/clientsecret_client.go index c55f2a47..d5473ea9 100644 --- a/generated/1.23/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go +++ b/generated/1.23/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/clientsecret_client.go 
@@ -8,29 +8,29 @@ package v1alpha1 import ( "net/http" - v1alpha1 "go.pinniped.dev/generated/1.23/apis/supervisor/virtual/oauth/v1alpha1" - "go.pinniped.dev/generated/1.23/client/supervisor/virtual/clientset/versioned/scheme" + v1alpha1 "go.pinniped.dev/generated/1.23/apis/supervisor/clientsecret/v1alpha1" + "go.pinniped.dev/generated/1.23/client/supervisor/clientset/versioned/scheme" rest "k8s.io/client-go/rest" ) -type OauthV1alpha1Interface interface { +type ClientsecretV1alpha1Interface interface { RESTClient() rest.Interface OIDCClientSecretRequestsGetter } -// OauthV1alpha1Client is used to interact with features provided by the oauth.virtual.supervisor.pinniped.dev group. -type OauthV1alpha1Client struct { +// ClientsecretV1alpha1Client is used to interact with features provided by the clientsecret.supervisor.pinniped.dev group. +type ClientsecretV1alpha1Client struct { restClient rest.Interface } -func (c *OauthV1alpha1Client) OIDCClientSecretRequests(namespace string) OIDCClientSecretRequestInterface { +func (c *ClientsecretV1alpha1Client) OIDCClientSecretRequests(namespace string) OIDCClientSecretRequestInterface { return newOIDCClientSecretRequests(c, namespace) } -// NewForConfig creates a new OauthV1alpha1Client for the given config. +// NewForConfig creates a new ClientsecretV1alpha1Client for the given config. // NewForConfig is equivalent to NewForConfigAndClient(c, httpClient), // where httpClient was generated with rest.HTTPClientFor(c). -func NewForConfig(c *rest.Config) (*OauthV1alpha1Client, error) { +func NewForConfig(c *rest.Config) (*ClientsecretV1alpha1Client, error) { config := *c if err := setConfigDefaults(&config); err != nil { return nil, err 
@@ -42,9 +42,9 @@ func NewForConfig(c *rest.Config) (*OauthV1alpha1Client, error) { return NewForConfigAndClient(&config, httpClient) } -// NewForConfigAndClient creates a new OauthV1alpha1Client for the given config and http client. +// NewForConfigAndClient creates a new ClientsecretV1alpha1Client for the given config and http client. // Note the http client provided takes precedence over the configured transport values. -func NewForConfigAndClient(c *rest.Config, h *http.Client) (*OauthV1alpha1Client, error) { +func NewForConfigAndClient(c *rest.Config, h *http.Client) (*ClientsecretV1alpha1Client, error) { config := *c if err := setConfigDefaults(&config); err != nil { return nil, err @@ -53,12 +53,12 @@ func NewForConfigAndClient(c *rest.Config, h *http.Client) (*OauthV1alpha1Client if err != nil { return nil, err } - return &OauthV1alpha1Client{client}, nil + return &ClientsecretV1alpha1Client{client}, nil } -// NewForConfigOrDie creates a new OauthV1alpha1Client for the given config and +// NewForConfigOrDie creates a new ClientsecretV1alpha1Client for the given config and // panics if there is an error in the config. -func NewForConfigOrDie(c *rest.Config) *OauthV1alpha1Client { +func NewForConfigOrDie(c *rest.Config) *ClientsecretV1alpha1Client { client, err := NewForConfig(c) if err != nil { panic(err) @@ -66,9 +66,9 @@ func NewForConfigOrDie(c *rest.Config) *OauthV1alpha1Client { return client } -// New creates a new OauthV1alpha1Client for the given RESTClient. -func New(c rest.Interface) *OauthV1alpha1Client { - return &OauthV1alpha1Client{c} +// New creates a new ClientsecretV1alpha1Client for the given RESTClient. +func New(c rest.Interface) *ClientsecretV1alpha1Client { + return &ClientsecretV1alpha1Client{c} } func setConfigDefaults(config *rest.Config) error { 
@@ -86,7 +86,7 @@ func setConfigDefaults(config *rest.Config) error { // RESTClient returns a RESTClient that is used to communicate // with API server by this client implementation. -func (c *OauthV1alpha1Client) RESTClient() rest.Interface { +func (c *ClientsecretV1alpha1Client) RESTClient() rest.Interface { if c == nil { return nil } diff --git a/generated/1.20/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/doc.go b/generated/1.23/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/doc.go similarity index 100% rename from generated/1.20/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/doc.go rename to generated/1.23/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/doc.go diff --git a/generated/1.20/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go b/generated/1.23/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/fake/doc.go similarity index 100% rename from generated/1.20/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go rename to generated/1.23/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/fake/doc.go diff --git a/generated/1.23/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go b/generated/1.23/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/fake/fake_clientsecret_client.go similarity index 60% rename from generated/1.23/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go rename to generated/1.23/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/fake/fake_clientsecret_client.go index c5ce6f9b..ebf1e89c 100644 --- a/generated/1.23/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go +++ b/generated/1.23/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/fake/fake_clientsecret_client.go 
@@ -6,22 +6,22 @@ package fake import ( - v1alpha1 "go.pinniped.dev/generated/1.23/client/supervisor/clientset/versioned/typed/oauth/v1alpha1" + v1alpha1 "go.pinniped.dev/generated/1.23/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1" rest "k8s.io/client-go/rest" testing "k8s.io/client-go/testing" ) -type FakeOauthV1alpha1 struct { +type FakeClientsecretV1alpha1 struct { *testing.Fake } -func (c *FakeOauthV1alpha1) OIDCClients(namespace string) v1alpha1.OIDCClientInterface { - return &FakeOIDCClients{c, namespace} +func (c *FakeClientsecretV1alpha1) OIDCClientSecretRequests(namespace string) v1alpha1.OIDCClientSecretRequestInterface { + return &FakeOIDCClientSecretRequests{c, namespace} } // RESTClient returns a RESTClient that is used to communicate // with API server by this client implementation. -func (c *FakeOauthV1alpha1) RESTClient() rest.Interface { +func (c *FakeClientsecretV1alpha1) RESTClient() rest.Interface { var ret *rest.RESTClient return ret } diff --git a/generated/1.23/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/fake/fake_oidcclientsecretrequest.go b/generated/1.23/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/fake/fake_oidcclientsecretrequest.go new file mode 100644 index 00000000..be5d0b56 --- /dev/null +++ b/generated/1.23/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/fake/fake_oidcclientsecretrequest.go 
@@ -0,0 +1,36 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package fake + +import ( + "context" + + v1alpha1 "go.pinniped.dev/generated/1.23/apis/supervisor/clientsecret/v1alpha1" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + schema "k8s.io/apimachinery/pkg/runtime/schema" + testing "k8s.io/client-go/testing" +) + +// FakeOIDCClientSecretRequests implements OIDCClientSecretRequestInterface +type FakeOIDCClientSecretRequests struct { + Fake *FakeClientsecretV1alpha1 + ns string +} + +var oidcclientsecretrequestsResource = schema.GroupVersionResource{Group: "clientsecret.supervisor.pinniped.dev", Version: "v1alpha1", Resource: "oidcclientsecretrequests"} + +var oidcclientsecretrequestsKind = schema.GroupVersionKind{Group: "clientsecret.supervisor.pinniped.dev", Version: "v1alpha1", Kind: "OIDCClientSecretRequest"} + +// Create takes the representation of a oIDCClientSecretRequest and creates it. Returns the server's representation of the oIDCClientSecretRequest, and an error, if there is any. +func (c *FakeOIDCClientSecretRequests) Create(ctx context.Context, oIDCClientSecretRequest *v1alpha1.OIDCClientSecretRequest, opts v1.CreateOptions) (result *v1alpha1.OIDCClientSecretRequest, err error) { + obj, err := c.Fake. + Invokes(testing.NewCreateAction(oidcclientsecretrequestsResource, c.ns, oIDCClientSecretRequest), &v1alpha1.OIDCClientSecretRequest{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.OIDCClientSecretRequest), err +} 
diff --git a/generated/1.23/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go b/generated/1.23/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/generated_expansion.go similarity index 100% rename from generated/1.23/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go rename to generated/1.23/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/generated_expansion.go diff --git a/generated/1.23/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/oidcclientsecretrequest.go b/generated/1.23/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/oidcclientsecretrequest.go new file mode 100644 index 00000000..4851c4ff --- /dev/null +++ b/generated/1.23/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/oidcclientsecretrequest.go 
@@ -0,0 +1,54 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + "context" + + v1alpha1 "go.pinniped.dev/generated/1.23/apis/supervisor/clientsecret/v1alpha1" + scheme "go.pinniped.dev/generated/1.23/client/supervisor/clientset/versioned/scheme" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + rest "k8s.io/client-go/rest" +) + +// OIDCClientSecretRequestsGetter has a method to return a OIDCClientSecretRequestInterface. +// A group's client should implement this interface. +type OIDCClientSecretRequestsGetter interface { + OIDCClientSecretRequests(namespace string) OIDCClientSecretRequestInterface +} + +// OIDCClientSecretRequestInterface has methods to work with OIDCClientSecretRequest resources. +type OIDCClientSecretRequestInterface interface { + Create(ctx context.Context, oIDCClientSecretRequest *v1alpha1.OIDCClientSecretRequest, opts v1.CreateOptions) (*v1alpha1.OIDCClientSecretRequest, error) + OIDCClientSecretRequestExpansion +} + +// oIDCClientSecretRequests implements OIDCClientSecretRequestInterface +type oIDCClientSecretRequests struct { + client rest.Interface + ns string +} + +// newOIDCClientSecretRequests returns a OIDCClientSecretRequests +func newOIDCClientSecretRequests(c *ClientsecretV1alpha1Client, namespace string) *oIDCClientSecretRequests { + return &oIDCClientSecretRequests{ + client: c.RESTClient(), + ns: namespace, + } +} + +// Create takes the representation of a oIDCClientSecretRequest and creates it. Returns the server's representation of the oIDCClientSecretRequest, and an error, if there is any. +func (c *oIDCClientSecretRequests) Create(ctx context.Context, oIDCClientSecretRequest *v1alpha1.OIDCClientSecretRequest, opts v1.CreateOptions) (result *v1alpha1.OIDCClientSecretRequest, err error) { + result = &v1alpha1.OIDCClientSecretRequest{} + err = c.client.Post(). + Namespace(c.ns). 
+ Resource("oidcclientsecretrequests"). + VersionedParams(&opts, scheme.ParameterCodec). + Body(oIDCClientSecretRequest). + Do(ctx). + Into(result) + return +} diff --git a/generated/1.23/client/supervisor/clientset/versioned/typed/config/v1alpha1/config_client.go b/generated/1.23/client/supervisor/clientset/versioned/typed/config/v1alpha1/config_client.go index 8327d19b..bca8a275 100644 --- a/generated/1.23/client/supervisor/clientset/versioned/typed/config/v1alpha1/config_client.go +++ b/generated/1.23/client/supervisor/clientset/versioned/typed/config/v1alpha1/config_client.go @@ -16,6 +16,7 @@ import ( type ConfigV1alpha1Interface interface { RESTClient() rest.Interface FederationDomainsGetter + OIDCClientsGetter } // ConfigV1alpha1Client is used to interact with features provided by the config.supervisor.pinniped.dev group. @@ -27,6 +28,10 @@ func (c *ConfigV1alpha1Client) FederationDomains(namespace string) FederationDom return newFederationDomains(c, namespace) } +func (c *ConfigV1alpha1Client) OIDCClients(namespace string) OIDCClientInterface { + return newOIDCClients(c, namespace) +} + // NewForConfig creates a new ConfigV1alpha1Client for the given config. // NewForConfig is equivalent to NewForConfigAndClient(c, httpClient), // where httpClient was generated with rest.HTTPClientFor(c). diff --git a/generated/1.23/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake/fake_config_client.go b/generated/1.23/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake/fake_config_client.go index fd1c886c..9cda8fe3 100644 --- a/generated/1.23/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake/fake_config_client.go +++ b/generated/1.23/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake/fake_config_client.go 
@@ -19,6 +19,10 @@ func (c *FakeConfigV1alpha1) FederationDomains(namespace string) v1alpha1.Federa return &FakeFederationDomains{c, namespace} } +func (c *FakeConfigV1alpha1) OIDCClients(namespace string) v1alpha1.OIDCClientInterface { + return &FakeOIDCClients{c, namespace} +} + // RESTClient returns a RESTClient that is used to communicate // with API server by this client implementation. func (c *FakeConfigV1alpha1) RESTClient() rest.Interface { diff --git a/generated/1.23/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oidcclient.go b/generated/1.23/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake/fake_oidcclient.go similarity index 92% rename from generated/1.23/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oidcclient.go rename to generated/1.23/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake/fake_oidcclient.go index 34cf2735..e810d4f6 100644 --- a/generated/1.23/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oidcclient.go +++ b/generated/1.23/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake/fake_oidcclient.go @@ -8,7 +8,7 @@ package fake import ( "context" - v1alpha1 "go.pinniped.dev/generated/1.23/apis/supervisor/oauth/v1alpha1" + v1alpha1 "go.pinniped.dev/generated/1.23/apis/supervisor/config/v1alpha1" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" labels "k8s.io/apimachinery/pkg/labels" schema "k8s.io/apimachinery/pkg/runtime/schema" 
@@ -19,13 +19,13 @@ import ( // FakeOIDCClients implements OIDCClientInterface type FakeOIDCClients struct { - Fake *FakeOauthV1alpha1 + Fake *FakeConfigV1alpha1 ns string } -var oidcclientsResource = schema.GroupVersionResource{Group: "oauth.supervisor.pinniped.dev", Version: "v1alpha1", Resource: "oidcclients"} +var oidcclientsResource = schema.GroupVersionResource{Group: "config.supervisor.pinniped.dev", Version: "v1alpha1", Resource: "oidcclients"} -var oidcclientsKind = schema.GroupVersionKind{Group: "oauth.supervisor.pinniped.dev", Version: "v1alpha1", Kind: "OIDCClient"} +var oidcclientsKind = schema.GroupVersionKind{Group: "config.supervisor.pinniped.dev", Version: "v1alpha1", Kind: "OIDCClient"} // Get takes name of the oIDCClient, and returns the corresponding oIDCClient object, and an error if there is any. func (c *FakeOIDCClients) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.OIDCClient, err error) { diff --git a/generated/1.23/client/supervisor/clientset/versioned/typed/config/v1alpha1/generated_expansion.go b/generated/1.23/client/supervisor/clientset/versioned/typed/config/v1alpha1/generated_expansion.go index ba9c9173..35b9ee3d 100644 --- a/generated/1.23/client/supervisor/clientset/versioned/typed/config/v1alpha1/generated_expansion.go +++ b/generated/1.23/client/supervisor/clientset/versioned/typed/config/v1alpha1/generated_expansion.go @@ -6,3 +6,5 @@ package v1alpha1 type FederationDomainExpansion interface{} + +type OIDCClientExpansion interface{} diff --git a/generated/1.23/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oidcclient.go b/generated/1.23/client/supervisor/clientset/versioned/typed/config/v1alpha1/oidcclient.go similarity index 97% rename from generated/1.23/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oidcclient.go rename to generated/1.23/client/supervisor/clientset/versioned/typed/config/v1alpha1/oidcclient.go index 18287fd4..07983ea2 100644 
--- a/generated/1.23/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oidcclient.go +++ b/generated/1.23/client/supervisor/clientset/versioned/typed/config/v1alpha1/oidcclient.go @@ -9,7 +9,7 @@ import ( "context" "time" - v1alpha1 "go.pinniped.dev/generated/1.23/apis/supervisor/oauth/v1alpha1" + v1alpha1 "go.pinniped.dev/generated/1.23/apis/supervisor/config/v1alpha1" scheme "go.pinniped.dev/generated/1.23/client/supervisor/clientset/versioned/scheme" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" types "k8s.io/apimachinery/pkg/types" @@ -44,7 +44,7 @@ type oIDCClients struct { } // newOIDCClients returns a OIDCClients -func newOIDCClients(c *OauthV1alpha1Client, namespace string) *oIDCClients { +func newOIDCClients(c *ConfigV1alpha1Client, namespace string) *oIDCClients { return &oIDCClients{ client: c.RESTClient(), ns: namespace, diff --git a/generated/1.23/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/doc.go b/generated/1.23/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/doc.go deleted file mode 100644 index e7a470b6..00000000 --- a/generated/1.23/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/doc.go +++ /dev/null @@ -1,7 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by client-gen. DO NOT EDIT. - -// This package has the automatically generated typed clients. -package v1alpha1 diff --git a/generated/1.23/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go b/generated/1.23/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go deleted file mode 100644 index 7906901b..00000000 --- a/generated/1.23/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go +++ /dev/null 
@@ -1,7 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by client-gen. DO NOT EDIT. - -// Package fake has the automatically generated clients. -package fake diff --git a/generated/1.23/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go b/generated/1.23/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go deleted file mode 100644 index 87d22ea9..00000000 --- a/generated/1.23/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go +++ /dev/null @@ -1,8 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by client-gen. DO NOT EDIT. - -package v1alpha1 - -type OIDCClientExpansion interface{} diff --git a/generated/1.23/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go b/generated/1.23/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go deleted file mode 100644 index 7891e154..00000000 --- a/generated/1.23/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go +++ /dev/null 
@@ -1,94 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by client-gen. DO NOT EDIT. - -package v1alpha1 - -import ( - "net/http" - - v1alpha1 "go.pinniped.dev/generated/1.23/apis/supervisor/oauth/v1alpha1" - "go.pinniped.dev/generated/1.23/client/supervisor/clientset/versioned/scheme" - rest "k8s.io/client-go/rest" -) - -type OauthV1alpha1Interface interface { - RESTClient() rest.Interface - OIDCClientsGetter -} - -// OauthV1alpha1Client is used to interact with features provided by the oauth.supervisor.pinniped.dev group. -type OauthV1alpha1Client struct { - restClient rest.Interface -} - -func (c *OauthV1alpha1Client) OIDCClients(namespace string) OIDCClientInterface { - return newOIDCClients(c, namespace) -} - -// NewForConfig creates a new OauthV1alpha1Client for the given config. -// NewForConfig is equivalent to NewForConfigAndClient(c, httpClient), -// where httpClient was generated with rest.HTTPClientFor(c). -func NewForConfig(c *rest.Config) (*OauthV1alpha1Client, error) { - config := *c - if err := setConfigDefaults(&config); err != nil { - return nil, err - } - httpClient, err := rest.HTTPClientFor(&config) - if err != nil { - return nil, err - } - return NewForConfigAndClient(&config, httpClient) -} - -// NewForConfigAndClient creates a new OauthV1alpha1Client for the given config and http client. -// Note the http client provided takes precedence over the configured transport values. -func NewForConfigAndClient(c *rest.Config, h *http.Client) (*OauthV1alpha1Client, error) { - config := *c - if err := setConfigDefaults(&config); err != nil { - return nil, err - } - client, err := rest.RESTClientForConfigAndClient(&config, h) - if err != nil { - return nil, err - } - return &OauthV1alpha1Client{client}, nil -} - -// NewForConfigOrDie creates a new OauthV1alpha1Client for the given config and -// panics if there is an error in the config. 
-func NewForConfigOrDie(c *rest.Config) *OauthV1alpha1Client { - client, err := NewForConfig(c) - if err != nil { - panic(err) - } - return client -} - -// New creates a new OauthV1alpha1Client for the given RESTClient. -func New(c rest.Interface) *OauthV1alpha1Client { - return &OauthV1alpha1Client{c} -} - -func setConfigDefaults(config *rest.Config) error { - gv := v1alpha1.SchemeGroupVersion - config.GroupVersion = &gv - config.APIPath = "/apis" - config.NegotiatedSerializer = scheme.Codecs.WithoutConversion() - - if config.UserAgent == "" { - config.UserAgent = rest.DefaultKubernetesUserAgent() - } - - return nil -} - -// RESTClient returns a RESTClient that is used to communicate -// with API server by this client implementation. -func (c *OauthV1alpha1Client) RESTClient() rest.Interface { - if c == nil { - return nil - } - return c.restClient -} diff --git a/generated/1.23/client/supervisor/informers/externalversions/config/v1alpha1/interface.go b/generated/1.23/client/supervisor/informers/externalversions/config/v1alpha1/interface.go index c2a3fb35..c23807e9 100644 --- a/generated/1.23/client/supervisor/informers/externalversions/config/v1alpha1/interface.go +++ b/generated/1.23/client/supervisor/informers/externalversions/config/v1alpha1/interface.go @@ -13,6 +13,8 @@ import ( type Interface interface { // FederationDomains returns a FederationDomainInformer. FederationDomains() FederationDomainInformer + // OIDCClients returns a OIDCClientInformer. + OIDCClients() OIDCClientInformer } type version struct { 
@@ -30,3 +32,8 @@ func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakList func (v *version) FederationDomains() FederationDomainInformer { return &federationDomainInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions} } + +// OIDCClients returns a OIDCClientInformer. +func (v *version) OIDCClients() OIDCClientInformer { + return &oIDCClientInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions} +} diff --git a/generated/1.23/client/supervisor/informers/externalversions/oauth/v1alpha1/oidcclient.go b/generated/1.23/client/supervisor/informers/externalversions/config/v1alpha1/oidcclient.go similarity index 88% rename from generated/1.23/client/supervisor/informers/externalversions/oauth/v1alpha1/oidcclient.go rename to generated/1.23/client/supervisor/informers/externalversions/config/v1alpha1/oidcclient.go index a7fdc001..73b0bc9a 100644 --- a/generated/1.23/client/supervisor/informers/externalversions/oauth/v1alpha1/oidcclient.go +++ b/generated/1.23/client/supervisor/informers/externalversions/config/v1alpha1/oidcclient.go @@ -9,10 +9,10 @@ import ( "context" time "time" - oauthv1alpha1 "go.pinniped.dev/generated/1.23/apis/supervisor/oauth/v1alpha1" + configv1alpha1 "go.pinniped.dev/generated/1.23/apis/supervisor/config/v1alpha1" versioned "go.pinniped.dev/generated/1.23/client/supervisor/clientset/versioned" internalinterfaces "go.pinniped.dev/generated/1.23/client/supervisor/informers/externalversions/internalinterfaces" - v1alpha1 "go.pinniped.dev/generated/1.23/client/supervisor/listers/oauth/v1alpha1" + v1alpha1 "go.pinniped.dev/generated/1.23/client/supervisor/listers/config/v1alpha1" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" runtime "k8s.io/apimachinery/pkg/runtime" watch "k8s.io/apimachinery/pkg/watch" 
@@ -49,16 +49,16 @@ func NewFilteredOIDCClientInformer(client versioned.Interface, namespace string, if tweakListOptions != nil { tweakListOptions(&options) } - return client.OauthV1alpha1().OIDCClients(namespace).List(context.TODO(), options) + return client.ConfigV1alpha1().OIDCClients(namespace).List(context.TODO(), options) }, WatchFunc: func(options v1.ListOptions) (watch.Interface, error) { if tweakListOptions != nil { tweakListOptions(&options) } - return client.OauthV1alpha1().OIDCClients(namespace).Watch(context.TODO(), options) + return client.ConfigV1alpha1().OIDCClients(namespace).Watch(context.TODO(), options) }, }, - &oauthv1alpha1.OIDCClient{}, + &configv1alpha1.OIDCClient{}, resyncPeriod, indexers, ) @@ -69,7 +69,7 @@ func (f *oIDCClientInformer) defaultInformer(client versioned.Interface, resyncP } func (f *oIDCClientInformer) Informer() cache.SharedIndexInformer { - return f.factory.InformerFor(&oauthv1alpha1.OIDCClient{}, f.defaultInformer) + return f.factory.InformerFor(&configv1alpha1.OIDCClient{}, f.defaultInformer) } func (f *oIDCClientInformer) Lister() v1alpha1.OIDCClientLister { diff --git a/generated/1.23/client/supervisor/informers/externalversions/factory.go b/generated/1.23/client/supervisor/informers/externalversions/factory.go index 690cfe62..25a2ea38 100644 --- a/generated/1.23/client/supervisor/informers/externalversions/factory.go +++ b/generated/1.23/client/supervisor/informers/externalversions/factory.go 
@@ -14,7 +14,6 @@ import ( config "go.pinniped.dev/generated/1.23/client/supervisor/informers/externalversions/config" idp "go.pinniped.dev/generated/1.23/client/supervisor/informers/externalversions/idp" internalinterfaces "go.pinniped.dev/generated/1.23/client/supervisor/informers/externalversions/internalinterfaces" - oauth "go.pinniped.dev/generated/1.23/client/supervisor/informers/externalversions/oauth" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" runtime "k8s.io/apimachinery/pkg/runtime" schema "k8s.io/apimachinery/pkg/runtime/schema" @@ -163,7 +162,6 @@ type SharedInformerFactory interface { Config() config.Interface IDP() idp.Interface - Oauth() oauth.Interface } func (f *sharedInformerFactory) Config() config.Interface { @@ -173,7 +171,3 @@ func (f *sharedInformerFactory) Config() config.Interface { func (f *sharedInformerFactory) IDP() idp.Interface { return idp.New(f, f.namespace, f.tweakListOptions) } - -func (f *sharedInformerFactory) Oauth() oauth.Interface { - return oauth.New(f, f.namespace, f.tweakListOptions) -} diff --git a/generated/1.23/client/supervisor/informers/externalversions/generic.go b/generated/1.23/client/supervisor/informers/externalversions/generic.go index da434169..4d9f6dce 100644 --- a/generated/1.23/client/supervisor/informers/externalversions/generic.go +++ b/generated/1.23/client/supervisor/informers/externalversions/generic.go @@ -10,7 +10,6 @@ import ( v1alpha1 "go.pinniped.dev/generated/1.23/apis/supervisor/config/v1alpha1" idpv1alpha1 "go.pinniped.dev/generated/1.23/apis/supervisor/idp/v1alpha1" - oauthv1alpha1 "go.pinniped.dev/generated/1.23/apis/supervisor/oauth/v1alpha1" schema "k8s.io/apimachinery/pkg/runtime/schema" cache "k8s.io/client-go/tools/cache" ) 
@@ -44,6 +43,8 @@ func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource // Group=config.supervisor.pinniped.dev, Version=v1alpha1 case v1alpha1.SchemeGroupVersion.WithResource("federationdomains"): return &genericInformer{resource: resource.GroupResource(), informer: f.Config().V1alpha1().FederationDomains().Informer()}, nil + case v1alpha1.SchemeGroupVersion.WithResource("oidcclients"): + return &genericInformer{resource: resource.GroupResource(), informer: f.Config().V1alpha1().OIDCClients().Informer()}, nil // Group=idp.supervisor.pinniped.dev, Version=v1alpha1 case idpv1alpha1.SchemeGroupVersion.WithResource("activedirectoryidentityproviders"): @@ -53,10 +54,6 @@ func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource case idpv1alpha1.SchemeGroupVersion.WithResource("oidcidentityproviders"): return &genericInformer{resource: resource.GroupResource(), informer: f.IDP().V1alpha1().OIDCIdentityProviders().Informer()}, nil - // Group=oauth.supervisor.pinniped.dev, Version=v1alpha1 - case oauthv1alpha1.SchemeGroupVersion.WithResource("oidcclients"): - return &genericInformer{resource: resource.GroupResource(), informer: f.Oauth().V1alpha1().OIDCClients().Informer()}, nil - } return nil, fmt.Errorf("no informer found for %v", resource) diff --git a/generated/1.23/client/supervisor/informers/externalversions/oauth/interface.go b/generated/1.23/client/supervisor/informers/externalversions/oauth/interface.go deleted file mode 100644 index f5bbdc54..00000000 --- a/generated/1.23/client/supervisor/informers/externalversions/oauth/interface.go +++ /dev/null 
@@ -1,33 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by informer-gen. DO NOT EDIT. - -package oauth - -import ( - internalinterfaces "go.pinniped.dev/generated/1.23/client/supervisor/informers/externalversions/internalinterfaces" - v1alpha1 "go.pinniped.dev/generated/1.23/client/supervisor/informers/externalversions/oauth/v1alpha1" -) - -// Interface provides access to each of this group's versions. -type Interface interface { - // V1alpha1 provides access to shared informers for resources in V1alpha1. - V1alpha1() v1alpha1.Interface -} - -type group struct { - factory internalinterfaces.SharedInformerFactory - namespace string - tweakListOptions internalinterfaces.TweakListOptionsFunc -} - -// New returns a new Interface. -func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakListOptions internalinterfaces.TweakListOptionsFunc) Interface { - return &group{factory: f, namespace: namespace, tweakListOptions: tweakListOptions} -} - -// V1alpha1 returns a new v1alpha1.Interface. -func (g *group) V1alpha1() v1alpha1.Interface { - return v1alpha1.New(g.factory, g.namespace, g.tweakListOptions) -} diff --git a/generated/1.23/client/supervisor/informers/externalversions/oauth/v1alpha1/interface.go b/generated/1.23/client/supervisor/informers/externalversions/oauth/v1alpha1/interface.go deleted file mode 100644 index 6d128bf0..00000000 --- a/generated/1.23/client/supervisor/informers/externalversions/oauth/v1alpha1/interface.go +++ /dev/null 
@@ -1,32 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by informer-gen. DO NOT EDIT. - -package v1alpha1 - -import ( - internalinterfaces "go.pinniped.dev/generated/1.23/client/supervisor/informers/externalversions/internalinterfaces" -) - -// Interface provides access to all the informers in this group version. -type Interface interface { - // OIDCClients returns a OIDCClientInformer. - OIDCClients() OIDCClientInformer -} - -type version struct { - factory internalinterfaces.SharedInformerFactory - namespace string - tweakListOptions internalinterfaces.TweakListOptionsFunc -} - -// New returns a new Interface. -func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakListOptions internalinterfaces.TweakListOptionsFunc) Interface { - return &version{factory: f, namespace: namespace, tweakListOptions: tweakListOptions} -} - -// OIDCClients returns a OIDCClientInformer. -func (v *version) OIDCClients() OIDCClientInformer { - return &oIDCClientInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions} -} diff --git a/generated/1.23/client/supervisor/listers/config/v1alpha1/expansion_generated.go b/generated/1.23/client/supervisor/listers/config/v1alpha1/expansion_generated.go index d59892c4..bda2f20e 100644 --- a/generated/1.23/client/supervisor/listers/config/v1alpha1/expansion_generated.go +++ b/generated/1.23/client/supervisor/listers/config/v1alpha1/expansion_generated.go 
@@ -12,3 +12,11 @@ type FederationDomainListerExpansion interface{} // FederationDomainNamespaceListerExpansion allows custom methods to be added to // FederationDomainNamespaceLister. type FederationDomainNamespaceListerExpansion interface{} + +// OIDCClientListerExpansion allows custom methods to be added to +// OIDCClientLister. +type OIDCClientListerExpansion interface{} + +// OIDCClientNamespaceListerExpansion allows custom methods to be added to +// OIDCClientNamespaceLister. +type OIDCClientNamespaceListerExpansion interface{} diff --git a/generated/1.23/client/supervisor/listers/config/v1alpha1/oidcclient.go b/generated/1.23/client/supervisor/listers/config/v1alpha1/oidcclient.go new file mode 100644 index 00000000..b661faa8 --- /dev/null +++ b/generated/1.23/client/supervisor/listers/config/v1alpha1/oidcclient.go 
@@ -0,0 +1,86 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by lister-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + v1alpha1 "go.pinniped.dev/generated/1.23/apis/supervisor/config/v1alpha1" + "k8s.io/apimachinery/pkg/api/errors" + "k8s.io/apimachinery/pkg/labels" + "k8s.io/client-go/tools/cache" +) + +// OIDCClientLister helps list OIDCClients. +// All objects returned here must be treated as read-only. +type OIDCClientLister interface { + // List lists all OIDCClients in the indexer. + // Objects returned here must be treated as read-only. + List(selector labels.Selector) (ret []*v1alpha1.OIDCClient, err error) + // OIDCClients returns an object that can list and get OIDCClients. + OIDCClients(namespace string) OIDCClientNamespaceLister + OIDCClientListerExpansion +} + +// oIDCClientLister implements the OIDCClientLister interface. +type oIDCClientLister struct { + indexer cache.Indexer +} + +// NewOIDCClientLister returns a new OIDCClientLister. +func NewOIDCClientLister(indexer cache.Indexer) OIDCClientLister { + return &oIDCClientLister{indexer: indexer} +} + +// List lists all OIDCClients in the indexer. +func (s *oIDCClientLister) List(selector labels.Selector) (ret []*v1alpha1.OIDCClient, err error) { + err = cache.ListAll(s.indexer, selector, func(m interface{}) { + ret = append(ret, m.(*v1alpha1.OIDCClient)) + }) + return ret, err +} + +// OIDCClients returns an object that can list and get OIDCClients. +func (s *oIDCClientLister) OIDCClients(namespace string) OIDCClientNamespaceLister { + return oIDCClientNamespaceLister{indexer: s.indexer, namespace: namespace} +} + +// OIDCClientNamespaceLister helps list and get OIDCClients. +// All objects returned here must be treated as read-only. +type OIDCClientNamespaceLister interface { + // List lists all OIDCClients in the indexer for a given namespace. + // Objects returned here must be treated as read-only. 
+ List(selector labels.Selector) (ret []*v1alpha1.OIDCClient, err error) + // Get retrieves the OIDCClient from the indexer for a given namespace and name. + // Objects returned here must be treated as read-only. + Get(name string) (*v1alpha1.OIDCClient, error) + OIDCClientNamespaceListerExpansion +} + +// oIDCClientNamespaceLister implements the OIDCClientNamespaceLister +// interface. +type oIDCClientNamespaceLister struct { + indexer cache.Indexer + namespace string +} + +// List lists all OIDCClients in the indexer for a given namespace. +func (s oIDCClientNamespaceLister) List(selector labels.Selector) (ret []*v1alpha1.OIDCClient, err error) { + err = cache.ListAllByNamespace(s.indexer, s.namespace, selector, func(m interface{}) { + ret = append(ret, m.(*v1alpha1.OIDCClient)) + }) + return ret, err +} + +// Get retrieves the OIDCClient from the indexer for a given namespace and name. +func (s oIDCClientNamespaceLister) Get(name string) (*v1alpha1.OIDCClient, error) { + obj, exists, err := s.indexer.GetByKey(s.namespace + "/" + name) + if err != nil { + return nil, err + } + if !exists { + return nil, errors.NewNotFound(v1alpha1.Resource("oidcclient"), name) + } + return obj.(*v1alpha1.OIDCClient), nil +} diff --git a/generated/1.23/client/supervisor/listers/oauth/v1alpha1/expansion_generated.go b/generated/1.23/client/supervisor/listers/oauth/v1alpha1/expansion_generated.go deleted file mode 100644 index c19310da..00000000 --- a/generated/1.23/client/supervisor/listers/oauth/v1alpha1/expansion_generated.go +++ /dev/null 
@@ -1,14 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by lister-gen. DO NOT EDIT. - -package v1alpha1 - -// OIDCClientListerExpansion allows custom methods to be added to -// OIDCClientLister. -type OIDCClientListerExpansion interface{} - -// OIDCClientNamespaceListerExpansion allows custom methods to be added to -// OIDCClientNamespaceLister. -type OIDCClientNamespaceListerExpansion interface{} diff --git a/generated/1.23/client/supervisor/listers/oauth/v1alpha1/oidcclient.go b/generated/1.23/client/supervisor/listers/oauth/v1alpha1/oidcclient.go deleted file mode 100644 index 28d81d93..00000000 --- a/generated/1.23/client/supervisor/listers/oauth/v1alpha1/oidcclient.go +++ /dev/null 
@@ -1,86 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by lister-gen. DO NOT EDIT. - -package v1alpha1 - -import ( - v1alpha1 "go.pinniped.dev/generated/1.23/apis/supervisor/oauth/v1alpha1" - "k8s.io/apimachinery/pkg/api/errors" - "k8s.io/apimachinery/pkg/labels" - "k8s.io/client-go/tools/cache" -) - -// OIDCClientLister helps list OIDCClients. -// All objects returned here must be treated as read-only. -type OIDCClientLister interface { - // List lists all OIDCClients in the indexer. - // Objects returned here must be treated as read-only. - List(selector labels.Selector) (ret []*v1alpha1.OIDCClient, err error) - // OIDCClients returns an object that can list and get OIDCClients. - OIDCClients(namespace string) OIDCClientNamespaceLister - OIDCClientListerExpansion -} - -// oIDCClientLister implements the OIDCClientLister interface. -type oIDCClientLister struct { - indexer cache.Indexer -} - -// NewOIDCClientLister returns a new OIDCClientLister. -func NewOIDCClientLister(indexer cache.Indexer) OIDCClientLister { - return &oIDCClientLister{indexer: indexer} -} - -// List lists all OIDCClients in the indexer. -func (s *oIDCClientLister) List(selector labels.Selector) (ret []*v1alpha1.OIDCClient, err error) { - err = cache.ListAll(s.indexer, selector, func(m interface{}) { - ret = append(ret, m.(*v1alpha1.OIDCClient)) - }) - return ret, err -} - -// OIDCClients returns an object that can list and get OIDCClients. -func (s *oIDCClientLister) OIDCClients(namespace string) OIDCClientNamespaceLister { - return oIDCClientNamespaceLister{indexer: s.indexer, namespace: namespace} -} - -// OIDCClientNamespaceLister helps list and get OIDCClients. -// All objects returned here must be treated as read-only. -type OIDCClientNamespaceLister interface { - // List lists all OIDCClients in the indexer for a given namespace. - // Objects returned here must be treated as read-only. 
- List(selector labels.Selector) (ret []*v1alpha1.OIDCClient, err error) - // Get retrieves the OIDCClient from the indexer for a given namespace and name. - // Objects returned here must be treated as read-only. - Get(name string) (*v1alpha1.OIDCClient, error) - OIDCClientNamespaceListerExpansion -} - -// oIDCClientNamespaceLister implements the OIDCClientNamespaceLister -// interface. -type oIDCClientNamespaceLister struct { - indexer cache.Indexer - namespace string -} - -// List lists all OIDCClients in the indexer for a given namespace. -func (s oIDCClientNamespaceLister) List(selector labels.Selector) (ret []*v1alpha1.OIDCClient, err error) { - err = cache.ListAllByNamespace(s.indexer, s.namespace, selector, func(m interface{}) { - ret = append(ret, m.(*v1alpha1.OIDCClient)) - }) - return ret, err -} - -// Get retrieves the OIDCClient from the indexer for a given namespace and name. -func (s oIDCClientNamespaceLister) Get(name string) (*v1alpha1.OIDCClient, error) { - obj, exists, err := s.indexer.GetByKey(s.namespace + "/" + name) - if err != nil { - return nil, err - } - if !exists { - return nil, errors.NewNotFound(v1alpha1.Resource("oidcclient"), name) - } - return obj.(*v1alpha1.OIDCClient), nil -} diff --git a/generated/1.23/client/supervisor/virtual/clientset/versioned/clientset.go b/generated/1.23/client/supervisor/virtual/clientset/versioned/clientset.go deleted file mode 100644 index e3386a25..00000000 --- a/generated/1.23/client/supervisor/virtual/clientset/versioned/clientset.go +++ /dev/null 
@@ -1,108 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by client-gen. DO NOT EDIT. - -package versioned - -import ( - "fmt" - "net/http" - - oauthv1alpha1 "go.pinniped.dev/generated/1.23/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1" - discovery "k8s.io/client-go/discovery" - rest "k8s.io/client-go/rest" - flowcontrol "k8s.io/client-go/util/flowcontrol" -) - -type Interface interface { - Discovery() discovery.DiscoveryInterface - OauthV1alpha1() oauthv1alpha1.OauthV1alpha1Interface -} - -// Clientset contains the clients for groups. Each group has exactly one -// version included in a Clientset. -type Clientset struct { - *discovery.DiscoveryClient - oauthV1alpha1 *oauthv1alpha1.OauthV1alpha1Client -} - -// OauthV1alpha1 retrieves the OauthV1alpha1Client -func (c *Clientset) OauthV1alpha1() oauthv1alpha1.OauthV1alpha1Interface { - return c.oauthV1alpha1 -} - -// Discovery retrieves the DiscoveryClient -func (c *Clientset) Discovery() discovery.DiscoveryInterface { - if c == nil { - return nil - } - return c.DiscoveryClient -} - -// NewForConfig creates a new Clientset for the given config. -// If config's RateLimiter is not set and QPS and Burst are acceptable, -// NewForConfig will generate a rate-limiter in configShallowCopy. -// NewForConfig is equivalent to NewForConfigAndClient(c, httpClient), -// where httpClient was generated with rest.HTTPClientFor(c). 
-func NewForConfig(c *rest.Config) (*Clientset, error) { - configShallowCopy := *c - - if configShallowCopy.UserAgent == "" { - configShallowCopy.UserAgent = rest.DefaultKubernetesUserAgent() - } - - // share the transport between all clients - httpClient, err := rest.HTTPClientFor(&configShallowCopy) - if err != nil { - return nil, err - } - - return NewForConfigAndClient(&configShallowCopy, httpClient) -} - -// NewForConfigAndClient creates a new Clientset for the given config and http client. -// Note the http client provided takes precedence over the configured transport values. -// If config's RateLimiter is not set and QPS and Burst are acceptable, -// NewForConfigAndClient will generate a rate-limiter in configShallowCopy. -func NewForConfigAndClient(c *rest.Config, httpClient *http.Client) (*Clientset, error) { - configShallowCopy := *c - if configShallowCopy.RateLimiter == nil && configShallowCopy.QPS > 0 { - if configShallowCopy.Burst <= 0 { - return nil, fmt.Errorf("burst is required to be greater than 0 when RateLimiter is not set and QPS is set to greater than 0") - } - configShallowCopy.RateLimiter = flowcontrol.NewTokenBucketRateLimiter(configShallowCopy.QPS, configShallowCopy.Burst) - } - - var cs Clientset - var err error - cs.oauthV1alpha1, err = oauthv1alpha1.NewForConfigAndClient(&configShallowCopy, httpClient) - if err != nil { - return nil, err - } - - cs.DiscoveryClient, err = discovery.NewDiscoveryClientForConfigAndClient(&configShallowCopy, httpClient) - if err != nil { - return nil, err - } - return &cs, nil -} - -// NewForConfigOrDie creates a new Clientset for the given config and -// panics if there is an error in the config. -func NewForConfigOrDie(c *rest.Config) *Clientset { - cs, err := NewForConfig(c) - if err != nil { - panic(err) - } - return cs -} - -// New creates a new Clientset for the given RESTClient. 
-func New(c rest.Interface) *Clientset { - var cs Clientset - cs.oauthV1alpha1 = oauthv1alpha1.New(c) - - cs.DiscoveryClient = discovery.NewDiscoveryClient(c) - return &cs -} diff --git a/generated/1.23/client/supervisor/virtual/clientset/versioned/doc.go b/generated/1.23/client/supervisor/virtual/clientset/versioned/doc.go deleted file mode 100644 index 5dc02e6e..00000000 --- a/generated/1.23/client/supervisor/virtual/clientset/versioned/doc.go +++ /dev/null @@ -1,7 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by client-gen. DO NOT EDIT. - -// This package has the automatically generated clientset. -package versioned diff --git a/generated/1.23/client/supervisor/virtual/clientset/versioned/fake/clientset_generated.go b/generated/1.23/client/supervisor/virtual/clientset/versioned/fake/clientset_generated.go deleted file mode 100644 index 43398825..00000000 --- a/generated/1.23/client/supervisor/virtual/clientset/versioned/fake/clientset_generated.go +++ /dev/null 
@@ -1,72 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by client-gen. DO NOT EDIT. - -package fake - -import ( - clientset "go.pinniped.dev/generated/1.23/client/supervisor/virtual/clientset/versioned" - oauthv1alpha1 "go.pinniped.dev/generated/1.23/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1" - fakeoauthv1alpha1 "go.pinniped.dev/generated/1.23/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake" - "k8s.io/apimachinery/pkg/runtime" - "k8s.io/apimachinery/pkg/watch" - "k8s.io/client-go/discovery" - fakediscovery "k8s.io/client-go/discovery/fake" - "k8s.io/client-go/testing" -) - -// NewSimpleClientset returns a clientset that will respond with the provided objects. -// It's backed by a very simple object tracker that processes creates, updates and deletions as-is, -// without applying any validations and/or defaults. It shouldn't be considered a replacement -// for a real clientset and is mostly useful in simple unit tests. -func NewSimpleClientset(objects ...runtime.Object) *Clientset { - o := testing.NewObjectTracker(scheme, codecs.UniversalDecoder()) - for _, obj := range objects { - if err := o.Add(obj); err != nil { - panic(err) - } - } - - cs := &Clientset{tracker: o} - cs.discovery = &fakediscovery.FakeDiscovery{Fake: &cs.Fake} - cs.AddReactor("*", "*", testing.ObjectReaction(o)) - cs.AddWatchReactor("*", func(action testing.Action) (handled bool, ret watch.Interface, err error) { - gvr := action.GetResource() - ns := action.GetNamespace() - watch, err := o.Watch(gvr, ns) - if err != nil { - return false, nil, err - } - return true, watch, nil - }) - - return cs -} - -// Clientset implements clientset.Interface. Meant to be embedded into a -// struct to get a default implementation. This makes faking out just the method -// you want to test easier. 
-type Clientset struct { - testing.Fake - discovery *fakediscovery.FakeDiscovery - tracker testing.ObjectTracker -} - -func (c *Clientset) Discovery() discovery.DiscoveryInterface { - return c.discovery -} - -func (c *Clientset) Tracker() testing.ObjectTracker { - return c.tracker -} - -var ( - _ clientset.Interface = &Clientset{} - _ testing.FakeClient = &Clientset{} -) - -// OauthV1alpha1 retrieves the OauthV1alpha1Client -func (c *Clientset) OauthV1alpha1() oauthv1alpha1.OauthV1alpha1Interface { - return &fakeoauthv1alpha1.FakeOauthV1alpha1{Fake: &c.Fake} -} diff --git a/generated/1.23/client/supervisor/virtual/clientset/versioned/fake/doc.go b/generated/1.23/client/supervisor/virtual/clientset/versioned/fake/doc.go deleted file mode 100644 index 7c9538fd..00000000 --- a/generated/1.23/client/supervisor/virtual/clientset/versioned/fake/doc.go +++ /dev/null @@ -1,7 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by client-gen. DO NOT EDIT. - -// This package has the automatically generated fake clientset. -package fake diff --git a/generated/1.23/client/supervisor/virtual/clientset/versioned/fake/register.go b/generated/1.23/client/supervisor/virtual/clientset/versioned/fake/register.go deleted file mode 100644 index 4657e60e..00000000 --- a/generated/1.23/client/supervisor/virtual/clientset/versioned/fake/register.go +++ /dev/null 
@@ -1,43 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by client-gen. DO NOT EDIT. - -package fake - -import ( - oauthv1alpha1 "go.pinniped.dev/generated/1.23/apis/supervisor/virtual/oauth/v1alpha1" - v1 "k8s.io/apimachinery/pkg/apis/meta/v1" - runtime "k8s.io/apimachinery/pkg/runtime" - schema "k8s.io/apimachinery/pkg/runtime/schema" - serializer "k8s.io/apimachinery/pkg/runtime/serializer" - utilruntime "k8s.io/apimachinery/pkg/util/runtime" -) - -var scheme = runtime.NewScheme() -var codecs = serializer.NewCodecFactory(scheme) - -var localSchemeBuilder = runtime.SchemeBuilder{ - oauthv1alpha1.AddToScheme, -} - -// AddToScheme adds all types of this clientset into the given scheme. This allows composition -// of clientsets, like in: -// -// import ( -// "k8s.io/client-go/kubernetes" -// clientsetscheme "k8s.io/client-go/kubernetes/scheme" -// aggregatorclientsetscheme "k8s.io/kube-aggregator/pkg/client/clientset_generated/clientset/scheme" -// ) -// -// kclientset, _ := kubernetes.NewForConfig(c) -// _ = aggregatorclientsetscheme.AddToScheme(clientsetscheme.Scheme) -// -// After this, RawExtensions in Kubernetes types will serialize kube-aggregator types -// correctly. -var AddToScheme = localSchemeBuilder.AddToScheme - -func init() { - v1.AddToGroupVersion(scheme, schema.GroupVersion{Version: "v1"}) - utilruntime.Must(AddToScheme(scheme)) -} diff --git a/generated/1.23/client/supervisor/virtual/clientset/versioned/scheme/doc.go b/generated/1.23/client/supervisor/virtual/clientset/versioned/scheme/doc.go deleted file mode 100644 index cc02f1d3..00000000 --- a/generated/1.23/client/supervisor/virtual/clientset/versioned/scheme/doc.go +++ /dev/null 
@@ -1,7 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by client-gen. DO NOT EDIT. - -// This package contains the scheme of the automatically generated clientset. -package scheme diff --git a/generated/1.23/client/supervisor/virtual/clientset/versioned/scheme/register.go b/generated/1.23/client/supervisor/virtual/clientset/versioned/scheme/register.go deleted file mode 100644 index c101730c..00000000 --- a/generated/1.23/client/supervisor/virtual/clientset/versioned/scheme/register.go +++ /dev/null 
@@ -1,43 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by client-gen. DO NOT EDIT. - -package scheme - -import ( - oauthv1alpha1 "go.pinniped.dev/generated/1.23/apis/supervisor/virtual/oauth/v1alpha1" - v1 "k8s.io/apimachinery/pkg/apis/meta/v1" - runtime "k8s.io/apimachinery/pkg/runtime" - schema "k8s.io/apimachinery/pkg/runtime/schema" - serializer "k8s.io/apimachinery/pkg/runtime/serializer" - utilruntime "k8s.io/apimachinery/pkg/util/runtime" -) - -var Scheme = runtime.NewScheme() -var Codecs = serializer.NewCodecFactory(Scheme) -var ParameterCodec = runtime.NewParameterCodec(Scheme) -var localSchemeBuilder = runtime.SchemeBuilder{ - oauthv1alpha1.AddToScheme, -} - -// AddToScheme adds all types of this clientset into the given scheme. This allows composition -// of clientsets, like in: -// -// import ( -// "k8s.io/client-go/kubernetes" -// clientsetscheme "k8s.io/client-go/kubernetes/scheme" -// aggregatorclientsetscheme "k8s.io/kube-aggregator/pkg/client/clientset_generated/clientset/scheme" -// ) -// -// kclientset, _ := kubernetes.NewForConfig(c) -// _ = aggregatorclientsetscheme.AddToScheme(clientsetscheme.Scheme) -// -// After this, RawExtensions in Kubernetes types will serialize kube-aggregator types -// correctly. -var AddToScheme = localSchemeBuilder.AddToScheme - -func init() { - v1.AddToGroupVersion(Scheme, schema.GroupVersion{Version: "v1"}) - utilruntime.Must(AddToScheme(Scheme)) -} diff --git a/generated/1.23/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/doc.go b/generated/1.23/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/doc.go deleted file mode 100644 index e7a470b6..00000000 --- a/generated/1.23/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/doc.go +++ /dev/null 
@@ -1,7 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by client-gen. DO NOT EDIT. - -// This package has the automatically generated typed clients. -package v1alpha1 diff --git a/generated/1.23/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go b/generated/1.23/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go deleted file mode 100644 index 7906901b..00000000 --- a/generated/1.23/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go +++ /dev/null @@ -1,7 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by client-gen. DO NOT EDIT. - -// Package fake has the automatically generated clients. -package fake diff --git a/generated/1.23/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go b/generated/1.23/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go deleted file mode 100644 index ef926450..00000000 --- a/generated/1.23/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go +++ /dev/null 
@@ -1,27 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by client-gen. DO NOT EDIT. - -package fake - -import ( - v1alpha1 "go.pinniped.dev/generated/1.23/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1" - rest "k8s.io/client-go/rest" - testing "k8s.io/client-go/testing" -) - -type FakeOauthV1alpha1 struct { - *testing.Fake -} - -func (c *FakeOauthV1alpha1) OIDCClientSecretRequests(namespace string) v1alpha1.OIDCClientSecretRequestInterface { - return &FakeOIDCClientSecretRequests{c, namespace} -} - -// RESTClient returns a RESTClient that is used to communicate -// with API server by this client implementation. -func (c *FakeOauthV1alpha1) RESTClient() rest.Interface { - var ret *rest.RESTClient - return ret -} diff --git a/generated/1.23/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oidcclientsecretrequest.go b/generated/1.23/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oidcclientsecretrequest.go deleted file mode 100644 index 7fbadd7f..00000000 --- a/generated/1.23/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oidcclientsecretrequest.go +++ /dev/null 
@@ -1,36 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by client-gen. DO NOT EDIT. - -package fake - -import ( - "context" - - v1alpha1 "go.pinniped.dev/generated/1.23/apis/supervisor/virtual/oauth/v1alpha1" - v1 "k8s.io/apimachinery/pkg/apis/meta/v1" - schema "k8s.io/apimachinery/pkg/runtime/schema" - testing "k8s.io/client-go/testing" -) - -// FakeOIDCClientSecretRequests implements OIDCClientSecretRequestInterface -type FakeOIDCClientSecretRequests struct { - Fake *FakeOauthV1alpha1 - ns string -} - -var oidcclientsecretrequestsResource = schema.GroupVersionResource{Group: "oauth.virtual.supervisor.pinniped.dev", Version: "v1alpha1", Resource: "oidcclientsecretrequests"} - -var oidcclientsecretrequestsKind = schema.GroupVersionKind{Group: "oauth.virtual.supervisor.pinniped.dev", Version: "v1alpha1", Kind: "OIDCClientSecretRequest"} - -// Create takes the representation of a oIDCClientSecretRequest and creates it. Returns the server's representation of the oIDCClientSecretRequest, and an error, if there is any. -func (c *FakeOIDCClientSecretRequests) Create(ctx context.Context, oIDCClientSecretRequest *v1alpha1.OIDCClientSecretRequest, opts v1.CreateOptions) (result *v1alpha1.OIDCClientSecretRequest, err error) { - obj, err := c.Fake. - Invokes(testing.NewCreateAction(oidcclientsecretrequestsResource, c.ns, oIDCClientSecretRequest), &v1alpha1.OIDCClientSecretRequest{}) - - if obj == nil { - return nil, err - } - return obj.(*v1alpha1.OIDCClientSecretRequest), err -} diff --git a/generated/1.23/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/oidcclientsecretrequest.go b/generated/1.23/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/oidcclientsecretrequest.go deleted file mode 100644 index 073ea69b..00000000 --- a/generated/1.23/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/oidcclientsecretrequest.go +++ /dev/null 
@@ -1,54 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by client-gen. DO NOT EDIT. - -package v1alpha1 - -import ( - "context" - - v1alpha1 "go.pinniped.dev/generated/1.23/apis/supervisor/virtual/oauth/v1alpha1" - scheme "go.pinniped.dev/generated/1.23/client/supervisor/virtual/clientset/versioned/scheme" - v1 "k8s.io/apimachinery/pkg/apis/meta/v1" - rest "k8s.io/client-go/rest" -) - -// OIDCClientSecretRequestsGetter has a method to return a OIDCClientSecretRequestInterface. -// A group's client should implement this interface. -type OIDCClientSecretRequestsGetter interface { - OIDCClientSecretRequests(namespace string) OIDCClientSecretRequestInterface -} - -// OIDCClientSecretRequestInterface has methods to work with OIDCClientSecretRequest resources. -type OIDCClientSecretRequestInterface interface { - Create(ctx context.Context, oIDCClientSecretRequest *v1alpha1.OIDCClientSecretRequest, opts v1.CreateOptions) (*v1alpha1.OIDCClientSecretRequest, error) - OIDCClientSecretRequestExpansion -} - -// oIDCClientSecretRequests implements OIDCClientSecretRequestInterface -type oIDCClientSecretRequests struct { - client rest.Interface - ns string -} - -// newOIDCClientSecretRequests returns a OIDCClientSecretRequests -func newOIDCClientSecretRequests(c *OauthV1alpha1Client, namespace string) *oIDCClientSecretRequests { - return &oIDCClientSecretRequests{ - client: c.RESTClient(), - ns: namespace, - } -} - -// Create takes the representation of a oIDCClientSecretRequest and creates it. Returns the server's representation of the oIDCClientSecretRequest, and an error, if there is any. -func (c *oIDCClientSecretRequests) Create(ctx context.Context, oIDCClientSecretRequest *v1alpha1.OIDCClientSecretRequest, opts v1.CreateOptions) (result *v1alpha1.OIDCClientSecretRequest, err error) { - result = &v1alpha1.OIDCClientSecretRequest{} - err = c.client.Post(). - Namespace(c.ns). 
- Resource("oidcclientsecretrequests"). - VersionedParams(&opts, scheme.ParameterCodec). - Body(oIDCClientSecretRequest). - Do(ctx). - Into(result) - return -} diff --git a/generated/1.23/crds/config.supervisor.pinniped.dev_oidcclients.yaml b/generated/1.23/crds/config.supervisor.pinniped.dev_oidcclients.yaml new file mode 100644 index 00000000..4efa445e --- /dev/null +++ b/generated/1.23/crds/config.supervisor.pinniped.dev_oidcclients.yaml 
@@ -0,0 +1,125 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.8.0 + creationTimestamp: null + name: oidcclients.config.supervisor.pinniped.dev +spec: + group: config.supervisor.pinniped.dev + names: + categories: + - pinniped + kind: OIDCClient + listKind: OIDCClientList + plural: oidcclients + singular: oidcclient + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: OIDCClient describes the configuration of an OIDC client. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec of the OIDC client. + properties: + allowedGrantTypes: + description: "allowedGrantTypes is a list of the allowed grant_type + param values that should be accepted during OIDC flows with this + client. \n Must only contain the following values: - authorization_code: + allows the client to perform the authorization code grant flow, + i.e. allows the webapp to authenticate users. This grant must always + be listed. - refresh_token: allows the client to perform refresh + grants for the user to extend the user's session. This grant must + be listed if allowedScopes lists offline_access. 
- urn:ietf:params:oauth:grant-type:token-exchange: + allows the client to perform RFC8693 token exchange, which is a + step in the process to be able to get a cluster credential for the + user. This grant must be listed if allowedScopes lists pinniped:request-audience." + items: + enum: + - authorization_code + - refresh_token + - urn:ietf:params:oauth:grant-type:token-exchange + type: string + minItems: 1 + type: array + allowedRedirectURIs: + description: allowedRedirectURIs is a list of the allowed redirect_uri + param values that should be accepted during OIDC flows with this + client. Any other uris will be rejected. Must be https, unless it + is a loopback. + items: + type: string + minItems: 1 + type: array + allowedScopes: + description: "allowedScopes is a list of the allowed scopes param + values that should be accepted during OIDC flows with this client. + \n Must only contain the following values: - openid: The client + is allowed to request ID tokens. ID tokens only include the required + claims by default (iss, sub, aud, exp, iat). This scope must always + be listed. - offline_access: The client is allowed to request an + initial refresh token during the authorization code grant flow. + This scope must be listed if allowedGrantTypes lists refresh_token. + - pinniped:request-audience: The client is allowed to request a + new audience value during a RFC8693 token exchange, which is a step + in the process to be able to get a cluster credential for the user. + openid, username and groups scopes must be listed when this scope + is present. This scope must be listed if allowedGrantTypes lists + urn:ietf:params:oauth:grant-type:token-exchange. - username: The + client is allowed to request that ID tokens contain the user's username. + Without the username scope being requested and allowed, the ID token + will not contain the user's username. 
- groups: The client is allowed + to request that ID tokens contain the user's group membership, if + their group membership is discoverable by the Supervisor. Without + the groups scope being requested and allowed, the ID token will + not contain groups." + items: + enum: + - openid + - offline_access + - username + - groups + - pinniped:request-audience + type: string + minItems: 1 + type: array + required: + - allowedGrantTypes + - allowedRedirectURIs + - allowedScopes + type: object + status: + description: Status of the OIDC client. + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/generated/1.23/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml b/generated/1.23/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml deleted file mode 100644 index 589a9154..00000000 --- a/generated/1.23/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml +++ /dev/null 
@@ -1,125 +0,0 @@ ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.8.0 - creationTimestamp: null - name: oidcclients.oauth.supervisor.pinniped.dev -spec: - group: oauth.supervisor.pinniped.dev - names: - categories: - - pinniped - kind: OIDCClient - listKind: OIDCClientList - plural: oidcclients - singular: oidcclient - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - description: OIDCClient describes the configuration of an OIDC client. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: Spec of the OIDC client. - properties: - allowedGrantTypes: - description: "allowedGrantTypes is a list of the allowed grant_type - param values that should be accepted during OIDC flows with this - client. \n Must only contain the following values: - authorization_code: - allows the client to perform the authorization code grant flow, - i.e. allows the webapp to authenticate users. This grant must always - be listed. - refresh_token: allows the client to perform refresh - grants for the user to extend the user's session. This grant must - be listed if allowedScopes lists offline_access. 
- urn:ietf:params:oauth:grant-type:token-exchange: - allows the client to perform RFC8693 token exchange, which is a - step in the process to be able to get a cluster credential for the - user. This grant must be listed if allowedScopes lists pinniped:request-audience." - items: - enum: - - authorization_code - - refresh_token - - urn:ietf:params:oauth:grant-type:token-exchange - type: string - minItems: 1 - type: array - allowedRedirectURIs: - description: allowedRedirectURIs is a list of the allowed redirect_uri - param values that should be accepted during OIDC flows with this - client. Any other uris will be rejected. Must be https, unless it - is a loopback. - items: - type: string - minItems: 1 - type: array - allowedScopes: - description: "allowedScopes is a list of the allowed scopes param - values that should be accepted during OIDC flows with this client. - \n Must only contain the following values: - openid: The client - is allowed to request ID tokens. ID tokens only include the required - claims by default (iss, sub, aud, exp, iat). This scope must always - be listed. - offline_access: The client is allowed to request an - initial refresh token during the authorization code grant flow. - This scope must be listed if allowedGrantTypes lists refresh_token. - - pinniped:request-audience: The client is allowed to request a - new audience value during a RFC8693 token exchange, which is a step - in the process to be able to get a cluster credential for the user. - openid, username and groups scopes must be listed when this scope - is present. This scope must be listed if allowedGrantTypes lists - urn:ietf:params:oauth:grant-type:token-exchange. - username: The - client is allowed to request that ID tokens contain the user's username. - Without the username scope being requested and allowed, the ID token - will not contain the user's username. 
- groups: The client is allowed - to request that ID tokens contain the user's group membership, if - their group membership is discoverable by the Supervisor. Without - the groups scope being requested and allowed, the ID token will - not contain groups." - items: - enum: - - openid - - offline_access - - username - - groups - - pinniped:request-audience - type: string - minItems: 1 - type: array - required: - - allowedGrantTypes - - allowedRedirectURIs - - allowedScopes - type: object - status: - description: Status of the OIDC client. - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] diff --git a/generated/1.24/README.adoc b/generated/1.24/README.adoc index d1eff286..8d9d524d 100644 --- a/generated/1.24/README.adoc +++ b/generated/1.24/README.adoc 
@@ -6,15 +6,14 @@ .Packages - xref:{anchor_prefix}-authentication-concierge-pinniped-dev-v1alpha1[$$authentication.concierge.pinniped.dev/v1alpha1$$] +- xref:{anchor_prefix}-clientsecret-supervisor-pinniped-dev-clientsecret[$$clientsecret.supervisor.pinniped.dev/clientsecret$$] +- xref:{anchor_prefix}-clientsecret-supervisor-pinniped-dev-v1alpha1[$$clientsecret.supervisor.pinniped.dev/v1alpha1$$] - xref:{anchor_prefix}-config-concierge-pinniped-dev-v1alpha1[$$config.concierge.pinniped.dev/v1alpha1$$] - xref:{anchor_prefix}-config-supervisor-pinniped-dev-v1alpha1[$$config.supervisor.pinniped.dev/v1alpha1$$] - xref:{anchor_prefix}-identity-concierge-pinniped-dev-identity[$$identity.concierge.pinniped.dev/identity$$] - xref:{anchor_prefix}-identity-concierge-pinniped-dev-v1alpha1[$$identity.concierge.pinniped.dev/v1alpha1$$] - xref:{anchor_prefix}-idp-supervisor-pinniped-dev-v1alpha1[$$idp.supervisor.pinniped.dev/v1alpha1$$] - xref:{anchor_prefix}-login-concierge-pinniped-dev-v1alpha1[$$login.concierge.pinniped.dev/v1alpha1$$] -- xref:{anchor_prefix}-oauth-supervisor-pinniped-dev-v1alpha1[$$oauth.supervisor.pinniped.dev/v1alpha1$$] -- xref:{anchor_prefix}-oauth-virtual-supervisor-pinniped-dev-oauth[$$oauth.virtual.supervisor.pinniped.dev/oauth$$] -- xref:{anchor_prefix}-oauth-virtual-supervisor-pinniped-dev-v1alpha1[$$oauth.virtual.supervisor.pinniped.dev/v1alpha1$$] [id="{anchor_prefix}-authentication-concierge-pinniped-dev-v1alpha1"] 
@@ -213,6 +212,98 @@ Status of a webhook authenticator. +[id="{anchor_prefix}-clientsecret-supervisor-pinniped-dev-clientsecret"] +=== clientsecret.supervisor.pinniped.dev/clientsecret + +Package clientsecret is the internal version of the Pinniped client secret API. + + + + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-clientsecret-oidcclientsecretrequestspec"] +==== OIDCClientSecretRequestSpec + + + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-clientsecret-oidcclientsecretrequest[$$OIDCClientSecretRequest$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`generateNewSecret`* __boolean__ | +| *`revokeOldSecrets`* __boolean__ | +|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-clientsecret-oidcclientsecretrequeststatus"] +==== OIDCClientSecretRequestStatus + + + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-clientsecret-oidcclientsecretrequest[$$OIDCClientSecretRequest$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`generatedSecret`* __string__ | +| *`totalClientSecrets`* __integer__ | +|=== + + + +[id="{anchor_prefix}-clientsecret-supervisor-pinniped-dev-v1alpha1"] +=== clientsecret.supervisor.pinniped.dev/v1alpha1 + +Package v1alpha1 is the v1alpha1 version of the Pinniped client secret API. 
+ + + + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-clientsecret-v1alpha1-oidcclientsecretrequestspec"] +==== OIDCClientSecretRequestSpec + + + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-clientsecret-v1alpha1-oidcclientsecretrequest[$$OIDCClientSecretRequest$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`generateNewSecret`* __boolean__ | +| *`revokeOldSecrets`* __boolean__ | +|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-clientsecret-v1alpha1-oidcclientsecretrequeststatus"] +==== OIDCClientSecretRequestStatus + + + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-clientsecret-v1alpha1-oidcclientsecretrequest[$$OIDCClientSecretRequest$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`generatedSecret`* __string__ | +| *`totalClientSecrets`* __integer__ | +|=== + + + [id="{anchor_prefix}-config-concierge-pinniped-dev-v1alpha1"] === config.concierge.pinniped.dev/v1alpha1 
@@ -546,6 +637,51 @@ FederationDomainTLSSpec is a struct that describes the TLS configuration for an |=== +[id="{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-config-v1alpha1-oidcclient"] +==== OIDCClient + +OIDCClient describes the configuration of an OIDC client. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-config-v1alpha1-oidcclientlist[$$OIDCClientList$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`. + +| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-config-v1alpha1-oidcclientspec[$$OIDCClientSpec$$]__ | Spec of the OIDC client. +| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-config-v1alpha1-oidcclientstatus[$$OIDCClientStatus$$]__ | Status of the OIDC client. +|=== + + + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-config-v1alpha1-oidcclientspec"] +==== OIDCClientSpec + +OIDCClientSpec is a struct that describes an OIDC Client. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-config-v1alpha1-oidcclient[$$OIDCClient$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`allowedRedirectURIs`* __string array__ | allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this client. Any other uris will be rejected. Must be https, unless it is a loopback. +| *`allowedGrantTypes`* __GrantType array__ | allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this client. + Must only contain the following values: - authorization_code: allows the client to perform the authorization code grant flow, i.e. 
allows the webapp to authenticate users. This grant must always be listed. - refresh_token: allows the client to perform refresh grants for the user to extend the user's session. This grant must be listed if allowedScopes lists offline_access. - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. This grant must be listed if allowedScopes lists pinniped:request-audience. +| *`allowedScopes`* __Scope array__ | allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. + Must only contain the following values: - openid: The client is allowed to request ID tokens. ID tokens only include the required claims by default (iss, sub, aud, exp, iat). This scope must always be listed. - offline_access: The client is allowed to request an initial refresh token during the authorization code grant flow. This scope must be listed if allowedGrantTypes lists refresh_token. - pinniped:request-audience: The client is allowed to request a new audience value during a RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. openid, username and groups scopes must be listed when this scope is present. This scope must be listed if allowedGrantTypes lists urn:ietf:params:oauth:grant-type:token-exchange. - username: The client is allowed to request that ID tokens contain the user's username. Without the username scope being requested and allowed, the ID token will not contain the user's username. - groups: The client is allowed to request that ID tokens contain the user's group membership, if their group membership is discoverable by the Supervisor. Without the groups scope being requested and allowed, the ID token will not contain groups. 
+|=== + + + + [id="{anchor_prefix}-identity-concierge-pinniped-dev-identity"] === identity.concierge.pinniped.dev/identity 
@@ -1335,148 +1471,3 @@ TokenCredentialRequestStatus is the status of a TokenCredentialRequest, returned |=== - -[id="{anchor_prefix}-oauth-supervisor-pinniped-dev-v1alpha1"] -=== oauth.supervisor.pinniped.dev/v1alpha1 - -Package v1alpha1 is the v1alpha1 version of the Pinniped supervisor oauth API. - - - -[id="{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-oauth-v1alpha1-oidcclient"] -==== OIDCClient - -OIDCClient describes the configuration of an OIDC client. - -.Appears In: -**** -- xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-oauth-v1alpha1-oidcclientlist[$$OIDCClientList$$] -**** - -[cols="25a,75a", options="header"] -|=== -| Field | Description -| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`. - -| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-oauth-v1alpha1-oidcclientspec[$$OIDCClientSpec$$]__ | Spec of the OIDC client. -| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-oauth-v1alpha1-oidcclientstatus[$$OIDCClientStatus$$]__ | Status of the OIDC client. -|=== - - - - -[id="{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-oauth-v1alpha1-oidcclientspec"] -==== OIDCClientSpec - -OIDCClientSpec is a struct that describes an OIDC Client. - -.Appears In: -**** -- xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-oauth-v1alpha1-oidcclient[$$OIDCClient$$] -**** - -[cols="25a,75a", options="header"] -|=== -| Field | Description -| *`allowedRedirectURIs`* __string array__ | allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this client. Any other uris will be rejected. Must be https, unless it is a loopback. 
-| *`allowedGrantTypes`* __GrantType array__ | allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this client. - Must only contain the following values: - authorization_code: allows the client to perform the authorization code grant flow, i.e. allows the webapp to authenticate users. This grant must always be listed. - refresh_token: allows the client to perform refresh grants for the user to extend the user's session. This grant must be listed if allowedScopes lists offline_access. - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. This grant must be listed if allowedScopes lists pinniped:request-audience. -| *`allowedScopes`* __Scope array__ | allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. - Must only contain the following values: - openid: The client is allowed to request ID tokens. ID tokens only include the required claims by default (iss, sub, aud, exp, iat). This scope must always be listed. - offline_access: The client is allowed to request an initial refresh token during the authorization code grant flow. This scope must be listed if allowedGrantTypes lists refresh_token. - pinniped:request-audience: The client is allowed to request a new audience value during a RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. openid, username and groups scopes must be listed when this scope is present. This scope must be listed if allowedGrantTypes lists urn:ietf:params:oauth:grant-type:token-exchange. - username: The client is allowed to request that ID tokens contain the user's username. Without the username scope being requested and allowed, the ID token will not contain the user's username. 
- groups: The client is allowed to request that ID tokens contain the user's group membership, if their group membership is discoverable by the Supervisor. Without the groups scope being requested and allowed, the ID token will not contain groups. -|=== - - - - - -[id="{anchor_prefix}-oauth-virtual-supervisor-pinniped-dev-oauth"] -=== oauth.virtual.supervisor.pinniped.dev/oauth - -Package oauth is the internal version of the Pinniped virtual oauth API. - - - - - -[id="{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-virtual-oauth-oidcclientsecretrequestspec"] -==== OIDCClientSecretRequestSpec - - - -.Appears In: -**** -- xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-virtual-oauth-oidcclientsecretrequest[$$OIDCClientSecretRequest$$] -**** - -[cols="25a,75a", options="header"] -|=== -| Field | Description -| *`generateNewSecret`* __boolean__ | -| *`revokeOldSecrets`* __boolean__ | -|=== - - -[id="{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-virtual-oauth-oidcclientsecretrequeststatus"] -==== OIDCClientSecretRequestStatus - - - -.Appears In: -**** -- xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-virtual-oauth-oidcclientsecretrequest[$$OIDCClientSecretRequest$$] -**** - -[cols="25a,75a", options="header"] -|=== -| Field | Description -| *`generatedSecret`* __string__ | -| *`totalClientSecrets`* __integer__ | -|=== - - - -[id="{anchor_prefix}-oauth-virtual-supervisor-pinniped-dev-v1alpha1"] -=== oauth.virtual.supervisor.pinniped.dev/v1alpha1 - -Package v1alpha1 is the v1alpha1 version of the Pinniped virtual oauth API. 
- - - - - -[id="{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-virtual-oauth-v1alpha1-oidcclientsecretrequestspec"] -==== OIDCClientSecretRequestSpec - - - -.Appears In: -**** -- xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-virtual-oauth-v1alpha1-oidcclientsecretrequest[$$OIDCClientSecretRequest$$] -**** - -[cols="25a,75a", options="header"] -|=== -| Field | Description -| *`generateNewSecret`* __boolean__ | -| *`revokeOldSecrets`* __boolean__ | -|=== - - -[id="{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-virtual-oauth-v1alpha1-oidcclientsecretrequeststatus"] -==== OIDCClientSecretRequestStatus - - - -.Appears In: -**** -- xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-virtual-oauth-v1alpha1-oidcclientsecretrequest[$$OIDCClientSecretRequest$$] -**** - -[cols="25a,75a", options="header"] -|=== -| Field | Description -| *`generatedSecret`* __string__ | -| *`totalClientSecrets`* __integer__ | -|=== - - diff --git a/generated/1.24/apis/supervisor/clientsecret/doc.go b/generated/1.24/apis/supervisor/clientsecret/doc.go new file mode 100644 index 00000000..c536bc75 --- /dev/null +++ b/generated/1.24/apis/supervisor/clientsecret/doc.go @@ -0,0 +1,8 @@ +// Copyright 2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// +k8s:deepcopy-gen=package +// +groupName=clientsecret.supervisor.pinniped.dev + +// Package clientsecret is the internal version of the Pinniped client secret API. +package clientsecret diff --git a/generated/1.24/apis/supervisor/clientsecret/register.go b/generated/1.24/apis/supervisor/clientsecret/register.go new file mode 100644 index 00000000..4a1c0173 --- /dev/null +++ b/generated/1.24/apis/supervisor/clientsecret/register.go 
@@ -0,0 +1,37 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package clientsecret
+
+import (
+ "k8s.io/apimachinery/pkg/runtime"
+ "k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+const GroupName = "clientsecret.supervisor.pinniped.dev"
+
+// SchemeGroupVersion is group version used to register these objects.
+var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: runtime.APIVersionInternal}
+
+// Kind takes an unqualified kind and returns back a Group qualified GroupKind.
+func Kind(kind string) schema.GroupKind {
+ return SchemeGroupVersion.WithKind(kind).GroupKind()
+}
+
+// Resource takes an unqualified resource and returns back a Group qualified GroupResource.
+func Resource(resource string) schema.GroupResource {
+ return SchemeGroupVersion.WithResource(resource).GroupResource()
+}
+
+var (
+ SchemeBuilder = runtime.NewSchemeBuilder(addKnownTypes)
+ AddToScheme = SchemeBuilder.AddToScheme
+)
+
+// Adds the list of known types to the given scheme.
+func addKnownTypes(scheme *runtime.Scheme) error {
+ scheme.AddKnownTypes(SchemeGroupVersion,
+ &OIDCClientSecretRequest{},
+ )
+ return nil
+}
diff --git a/generated/1.24/apis/supervisor/clientsecret/types_oidcclientsecretrequest.go b/generated/1.24/apis/supervisor/clientsecret/types_oidcclientsecretrequest.go
new file mode 100644
index 00000000..7fd1eb65
--- /dev/null
+++ b/generated/1.24/apis/supervisor/clientsecret/types_oidcclientsecretrequest.go
@@ -0,0 +1,25 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package clientsecret
+
+import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+type OIDCClientSecretRequestSpec struct {
+ GenerateNewSecret bool `json:"generateNewSecret"`
+ RevokeOldSecrets bool `json:"revokeOldSecrets"`
+}
+
+type OIDCClientSecretRequestStatus struct {
+ GeneratedSecret string `json:"generatedSecret,omitempty"`
+ TotalClientSecrets int `json:"totalClientSecrets"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+type OIDCClientSecretRequest struct {
+ metav1.TypeMeta `json:",inline"`
+ metav1.ObjectMeta `json:"metadata,omitempty"` // metadata.name must be set to the client ID
+
+ Spec OIDCClientSecretRequestSpec `json:"spec"`
+ Status OIDCClientSecretRequestStatus `json:"status"`
+}
diff --git a/generated/1.24/apis/supervisor/virtual/oauth/v1alpha1/conversion.go b/generated/1.24/apis/supervisor/clientsecret/v1alpha1/conversion.go
similarity index 100%
rename from generated/1.24/apis/supervisor/virtual/oauth/v1alpha1/conversion.go
rename to generated/1.24/apis/supervisor/clientsecret/v1alpha1/conversion.go
diff --git a/generated/1.24/apis/supervisor/virtual/oauth/v1alpha1/defaults.go b/generated/1.24/apis/supervisor/clientsecret/v1alpha1/defaults.go
similarity index 100%
rename from generated/1.24/apis/supervisor/virtual/oauth/v1alpha1/defaults.go
rename to generated/1.24/apis/supervisor/clientsecret/v1alpha1/defaults.go
diff --git a/generated/1.24/apis/supervisor/virtual/oauth/v1alpha1/doc.go b/generated/1.24/apis/supervisor/clientsecret/v1alpha1/doc.go
similarity index 64%
rename from generated/1.24/apis/supervisor/virtual/oauth/v1alpha1/doc.go
rename to generated/1.24/apis/supervisor/clientsecret/v1alpha1/doc.go
index e41fce90..87c38f6d 100644
--- a/generated/1.24/apis/supervisor/virtual/oauth/v1alpha1/doc.go
+++ b/generated/1.24/apis/supervisor/clientsecret/v1alpha1/doc.go
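Review bot: None of the four fields on OIDCClientSecretRequestSpec and OIDCClientSecretRequestStatus carry a doc comment, which is why the README hunk earlier in this patch renders `generateNewSecret`, `revokeOldSecrets`, `generatedSecret` and `totalClientSecrets` with empty Description cells. `GeneratedSecret` is the field that most needs one, since it carries a plaintext client credential back to the caller; a comment such as `// GeneratedSecret is the newly generated client secret; treat it as a sensitive credential and do not log it.` gives API consumers the handling contract, with similar one-liners for the other three fields. The `omitempty` tag suggests the field is absent when no new secret was generated, and whether the value can be retrieved again after this response is not visible in this file; both should be confirmed against the serving implementation before being stated in the comment.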
@@ -3,9 +3,9 @@ // +k8s:openapi-gen=true // +k8s:deepcopy-gen=package -// +k8s:conversion-gen=go.pinniped.dev/generated/1.24/apis/supervisor/virtual/oauth +// +k8s:conversion-gen=go.pinniped.dev/generated/1.24/apis/supervisor/clientsecret // +k8s:defaulter-gen=TypeMeta -// +groupName=oauth.virtual.supervisor.pinniped.dev +// +groupName=clientsecret.supervisor.pinniped.dev -// Package v1alpha1 is the v1alpha1 version of the Pinniped virtual oauth API. +// Package v1alpha1 is the v1alpha1 version of the Pinniped client secret API. package v1alpha1 diff --git a/generated/1.24/apis/supervisor/clientsecret/v1alpha1/register.go b/generated/1.24/apis/supervisor/clientsecret/v1alpha1/register.go new file mode 100644 index 00000000..49602125 --- /dev/null +++ b/generated/1.24/apis/supervisor/clientsecret/v1alpha1/register.go 
@@ -0,0 +1,42 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import (
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/apimachinery/pkg/runtime"
+ "k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+const GroupName = "clientsecret.supervisor.pinniped.dev"
+
+// SchemeGroupVersion is group version used to register these objects.
+var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha1"}
+
+var (
+ SchemeBuilder runtime.SchemeBuilder
+ localSchemeBuilder = &SchemeBuilder
+ AddToScheme = SchemeBuilder.AddToScheme
+)
+
+func init() {
+ // We only register manually written functions here. The registration of the
+ // generated functions takes place in the generated files. The separation
+ // makes the code compile even when the generated files are missing.
+ localSchemeBuilder.Register(addKnownTypes, addDefaultingFuncs)
+}
+
+// Adds the list of known types to the given scheme.
+func addKnownTypes(scheme *runtime.Scheme) error {
+ scheme.AddKnownTypes(SchemeGroupVersion,
+ &OIDCClientSecretRequest{},
+ )
+ metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
+ return nil
+}
+
+// Resource takes an unqualified resource and returns back a Group qualified GroupResource.
+func Resource(resource string) schema.GroupResource {
+ return SchemeGroupVersion.WithResource(resource).GroupResource()
+}
diff --git a/generated/1.24/apis/supervisor/virtual/oauth/v1alpha1/types_oidcclientsecretrequest.go b/generated/1.24/apis/supervisor/clientsecret/v1alpha1/types_oidcclientsecretrequest.go
similarity index 100%
rename from generated/1.24/apis/supervisor/virtual/oauth/v1alpha1/types_oidcclientsecretrequest.go
rename to generated/1.24/apis/supervisor/clientsecret/v1alpha1/types_oidcclientsecretrequest.go
diff --git a/generated/1.24/apis/supervisor/clientsecret/v1alpha1/zz_generated.conversion.go b/generated/1.24/apis/supervisor/clientsecret/v1alpha1/zz_generated.conversion.go
new file mode 100644
index 00000000..fd6f7ceb
--- /dev/null
+++ b/generated/1.24/apis/supervisor/clientsecret/v1alpha1/zz_generated.conversion.go
@@ -0,0 +1,131 @@ +//go:build !ignore_autogenerated +// +build !ignore_autogenerated + +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by conversion-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + clientsecret "go.pinniped.dev/generated/1.24/apis/supervisor/clientsecret" + conversion "k8s.io/apimachinery/pkg/conversion" + runtime "k8s.io/apimachinery/pkg/runtime" +) + +func init() { + localSchemeBuilder.Register(RegisterConversions) +} + +// RegisterConversions adds conversion functions to the given scheme. +// Public to allow building arbitrary schemes. +func RegisterConversions(s *runtime.Scheme) error { + if err := s.AddGeneratedConversionFunc((*OIDCClientSecretRequest)(nil), (*clientsecret.OIDCClientSecretRequest)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_v1alpha1_OIDCClientSecretRequest_To_clientsecret_OIDCClientSecretRequest(a.(*OIDCClientSecretRequest), b.(*clientsecret.OIDCClientSecretRequest), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*clientsecret.OIDCClientSecretRequest)(nil), (*OIDCClientSecretRequest)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_clientsecret_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest(a.(*clientsecret.OIDCClientSecretRequest), b.(*OIDCClientSecretRequest), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*OIDCClientSecretRequestSpec)(nil), (*clientsecret.OIDCClientSecretRequestSpec)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_v1alpha1_OIDCClientSecretRequestSpec_To_clientsecret_OIDCClientSecretRequestSpec(a.(*OIDCClientSecretRequestSpec), b.(*clientsecret.OIDCClientSecretRequestSpec), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*clientsecret.OIDCClientSecretRequestSpec)(nil), (*OIDCClientSecretRequestSpec)(nil), 
func(a, b interface{}, scope conversion.Scope) error { + return Convert_clientsecret_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec(a.(*clientsecret.OIDCClientSecretRequestSpec), b.(*OIDCClientSecretRequestSpec), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*OIDCClientSecretRequestStatus)(nil), (*clientsecret.OIDCClientSecretRequestStatus)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_v1alpha1_OIDCClientSecretRequestStatus_To_clientsecret_OIDCClientSecretRequestStatus(a.(*OIDCClientSecretRequestStatus), b.(*clientsecret.OIDCClientSecretRequestStatus), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*clientsecret.OIDCClientSecretRequestStatus)(nil), (*OIDCClientSecretRequestStatus)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_clientsecret_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus(a.(*clientsecret.OIDCClientSecretRequestStatus), b.(*OIDCClientSecretRequestStatus), scope) + }); err != nil { + return err + } + return nil +} + +func autoConvert_v1alpha1_OIDCClientSecretRequest_To_clientsecret_OIDCClientSecretRequest(in *OIDCClientSecretRequest, out *clientsecret.OIDCClientSecretRequest, s conversion.Scope) error { + out.ObjectMeta = in.ObjectMeta + if err := Convert_v1alpha1_OIDCClientSecretRequestSpec_To_clientsecret_OIDCClientSecretRequestSpec(&in.Spec, &out.Spec, s); err != nil { + return err + } + if err := Convert_v1alpha1_OIDCClientSecretRequestStatus_To_clientsecret_OIDCClientSecretRequestStatus(&in.Status, &out.Status, s); err != nil { + return err + } + return nil +} + +// Convert_v1alpha1_OIDCClientSecretRequest_To_clientsecret_OIDCClientSecretRequest is an autogenerated conversion function. 
+func Convert_v1alpha1_OIDCClientSecretRequest_To_clientsecret_OIDCClientSecretRequest(in *OIDCClientSecretRequest, out *clientsecret.OIDCClientSecretRequest, s conversion.Scope) error { + return autoConvert_v1alpha1_OIDCClientSecretRequest_To_clientsecret_OIDCClientSecretRequest(in, out, s) +} + +func autoConvert_clientsecret_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest(in *clientsecret.OIDCClientSecretRequest, out *OIDCClientSecretRequest, s conversion.Scope) error { + out.ObjectMeta = in.ObjectMeta + if err := Convert_clientsecret_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec(&in.Spec, &out.Spec, s); err != nil { + return err + } + if err := Convert_clientsecret_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus(&in.Status, &out.Status, s); err != nil { + return err + } + return nil +} + +// Convert_clientsecret_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest is an autogenerated conversion function. +func Convert_clientsecret_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest(in *clientsecret.OIDCClientSecretRequest, out *OIDCClientSecretRequest, s conversion.Scope) error { + return autoConvert_clientsecret_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest(in, out, s) +} + +func autoConvert_v1alpha1_OIDCClientSecretRequestSpec_To_clientsecret_OIDCClientSecretRequestSpec(in *OIDCClientSecretRequestSpec, out *clientsecret.OIDCClientSecretRequestSpec, s conversion.Scope) error { + out.GenerateNewSecret = in.GenerateNewSecret + out.RevokeOldSecrets = in.RevokeOldSecrets + return nil +} + +// Convert_v1alpha1_OIDCClientSecretRequestSpec_To_clientsecret_OIDCClientSecretRequestSpec is an autogenerated conversion function. 
+func Convert_v1alpha1_OIDCClientSecretRequestSpec_To_clientsecret_OIDCClientSecretRequestSpec(in *OIDCClientSecretRequestSpec, out *clientsecret.OIDCClientSecretRequestSpec, s conversion.Scope) error { + return autoConvert_v1alpha1_OIDCClientSecretRequestSpec_To_clientsecret_OIDCClientSecretRequestSpec(in, out, s) +} + +func autoConvert_clientsecret_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec(in *clientsecret.OIDCClientSecretRequestSpec, out *OIDCClientSecretRequestSpec, s conversion.Scope) error { + out.GenerateNewSecret = in.GenerateNewSecret + out.RevokeOldSecrets = in.RevokeOldSecrets + return nil +} + +// Convert_clientsecret_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec is an autogenerated conversion function. +func Convert_clientsecret_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec(in *clientsecret.OIDCClientSecretRequestSpec, out *OIDCClientSecretRequestSpec, s conversion.Scope) error { + return autoConvert_clientsecret_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec(in, out, s) +} + +func autoConvert_v1alpha1_OIDCClientSecretRequestStatus_To_clientsecret_OIDCClientSecretRequestStatus(in *OIDCClientSecretRequestStatus, out *clientsecret.OIDCClientSecretRequestStatus, s conversion.Scope) error { + out.GeneratedSecret = in.GeneratedSecret + out.TotalClientSecrets = in.TotalClientSecrets + return nil +} + +// Convert_v1alpha1_OIDCClientSecretRequestStatus_To_clientsecret_OIDCClientSecretRequestStatus is an autogenerated conversion function. 
+func Convert_v1alpha1_OIDCClientSecretRequestStatus_To_clientsecret_OIDCClientSecretRequestStatus(in *OIDCClientSecretRequestStatus, out *clientsecret.OIDCClientSecretRequestStatus, s conversion.Scope) error { + return autoConvert_v1alpha1_OIDCClientSecretRequestStatus_To_clientsecret_OIDCClientSecretRequestStatus(in, out, s) +} + +func autoConvert_clientsecret_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus(in *clientsecret.OIDCClientSecretRequestStatus, out *OIDCClientSecretRequestStatus, s conversion.Scope) error { + out.GeneratedSecret = in.GeneratedSecret + out.TotalClientSecrets = in.TotalClientSecrets + return nil +} + +// Convert_clientsecret_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus is an autogenerated conversion function. +func Convert_clientsecret_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus(in *clientsecret.OIDCClientSecretRequestStatus, out *OIDCClientSecretRequestStatus, s conversion.Scope) error { + return autoConvert_clientsecret_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus(in, out, s) +} diff --git a/generated/1.24/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.deepcopy.go b/generated/1.24/apis/supervisor/clientsecret/v1alpha1/zz_generated.deepcopy.go similarity index 100% rename from generated/1.24/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.deepcopy.go rename to generated/1.24/apis/supervisor/clientsecret/v1alpha1/zz_generated.deepcopy.go diff --git a/generated/1.24/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.defaults.go b/generated/1.24/apis/supervisor/clientsecret/v1alpha1/zz_generated.defaults.go similarity index 100% rename from generated/1.24/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.defaults.go rename to generated/1.24/apis/supervisor/clientsecret/v1alpha1/zz_generated.defaults.go 
diff --git a/generated/1.24/apis/supervisor/clientsecret/zz_generated.deepcopy.go b/generated/1.24/apis/supervisor/clientsecret/zz_generated.deepcopy.go
new file mode 100644
index 00000000..e0dc7d68
--- /dev/null
+++ b/generated/1.24/apis/supervisor/clientsecret/zz_generated.deepcopy.go
@@ -0,0 +1,73 @@ +//go:build !ignore_autogenerated +// +build !ignore_autogenerated + +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by deepcopy-gen. DO NOT EDIT. + +package clientsecret + +import ( + runtime "k8s.io/apimachinery/pkg/runtime" +) + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCClientSecretRequest) DeepCopyInto(out *OIDCClientSecretRequest) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + out.Spec = in.Spec + out.Status = in.Status + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSecretRequest. +func (in *OIDCClientSecretRequest) DeepCopy() *OIDCClientSecretRequest { + if in == nil { + return nil + } + out := new(OIDCClientSecretRequest) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *OIDCClientSecretRequest) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCClientSecretRequestSpec) DeepCopyInto(out *OIDCClientSecretRequestSpec) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSecretRequestSpec. +func (in *OIDCClientSecretRequestSpec) DeepCopy() *OIDCClientSecretRequestSpec { + if in == nil { + return nil + } + out := new(OIDCClientSecretRequestSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *OIDCClientSecretRequestStatus) DeepCopyInto(out *OIDCClientSecretRequestStatus) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSecretRequestStatus. +func (in *OIDCClientSecretRequestStatus) DeepCopy() *OIDCClientSecretRequestStatus { + if in == nil { + return nil + } + out := new(OIDCClientSecretRequestStatus) + in.DeepCopyInto(out) + return out +} diff --git a/generated/1.24/apis/supervisor/config/v1alpha1/register.go b/generated/1.24/apis/supervisor/config/v1alpha1/register.go index 69045298..54c51699 100644 --- a/generated/1.24/apis/supervisor/config/v1alpha1/register.go +++ b/generated/1.24/apis/supervisor/config/v1alpha1/register.go @@ -32,6 +32,8 @@ func addKnownTypes(scheme *runtime.Scheme) error { scheme.AddKnownTypes(SchemeGroupVersion, &FederationDomain{}, &FederationDomainList{}, + &OIDCClient{}, + &OIDCClientList{}, ) metav1.AddToGroupVersion(scheme, SchemeGroupVersion) return nil diff --git a/generated/1.24/apis/supervisor/oauth/v1alpha1/types_oidcclient.go b/generated/1.24/apis/supervisor/config/v1alpha1/types_oidcclient.go similarity index 100% rename from generated/1.24/apis/supervisor/oauth/v1alpha1/types_oidcclient.go rename to generated/1.24/apis/supervisor/config/v1alpha1/types_oidcclient.go diff --git a/generated/1.24/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go b/generated/1.24/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go index 856b8988..a55d88e7 100644 --- a/generated/1.24/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go +++ b/generated/1.24/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go 
@@ -150,3 +150,111 @@ func (in *FederationDomainTLSSpec) DeepCopy() *FederationDomainTLSSpec { in.DeepCopyInto(out) return out } + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCClient) DeepCopyInto(out *OIDCClient) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + in.Spec.DeepCopyInto(&out.Spec) + out.Status = in.Status + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClient. +func (in *OIDCClient) DeepCopy() *OIDCClient { + if in == nil { + return nil + } + out := new(OIDCClient) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *OIDCClient) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCClientList) DeepCopyInto(out *OIDCClientList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]OIDCClient, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientList. +func (in *OIDCClientList) DeepCopy() *OIDCClientList { + if in == nil { + return nil + } + out := new(OIDCClientList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *OIDCClientList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. 
in must be non-nil. +func (in *OIDCClientSpec) DeepCopyInto(out *OIDCClientSpec) { + *out = *in + if in.AllowedRedirectURIs != nil { + in, out := &in.AllowedRedirectURIs, &out.AllowedRedirectURIs + *out = make([]string, len(*in)) + copy(*out, *in) + } + if in.AllowedGrantTypes != nil { + in, out := &in.AllowedGrantTypes, &out.AllowedGrantTypes + *out = make([]GrantType, len(*in)) + copy(*out, *in) + } + if in.AllowedScopes != nil { + in, out := &in.AllowedScopes, &out.AllowedScopes + *out = make([]Scope, len(*in)) + copy(*out, *in) + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSpec. +func (in *OIDCClientSpec) DeepCopy() *OIDCClientSpec { + if in == nil { + return nil + } + out := new(OIDCClientSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCClientStatus) DeepCopyInto(out *OIDCClientStatus) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientStatus. +func (in *OIDCClientStatus) DeepCopy() *OIDCClientStatus { + if in == nil { + return nil + } + out := new(OIDCClientStatus) + in.DeepCopyInto(out) + return out +} diff --git a/generated/1.24/apis/supervisor/oauth/v1alpha1/doc.go b/generated/1.24/apis/supervisor/oauth/v1alpha1/doc.go deleted file mode 100644 index 75580481..00000000 --- a/generated/1.24/apis/supervisor/oauth/v1alpha1/doc.go +++ /dev/null @@ -1,10 +0,0 @@ -// Copyright 2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// +k8s:openapi-gen=true -// +k8s:deepcopy-gen=package -// +k8s:defaulter-gen=TypeMeta -// +groupName=oauth.supervisor.pinniped.dev - -// Package v1alpha1 is the v1alpha1 version of the Pinniped supervisor oauth API. -package v1alpha1 
diff --git a/generated/1.24/apis/supervisor/oauth/v1alpha1/register.go b/generated/1.24/apis/supervisor/oauth/v1alpha1/register.go
deleted file mode 100644
index 37ae1fbf..00000000
--- a/generated/1.24/apis/supervisor/oauth/v1alpha1/register.go
+++ /dev/null
@@ -1,43 +0,0 @@
-// Copyright 2022 the Pinniped contributors. All Rights Reserved.
-// SPDX-License-Identifier: Apache-2.0
-
-package v1alpha1
-
-import (
- metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
- "k8s.io/apimachinery/pkg/runtime"
- "k8s.io/apimachinery/pkg/runtime/schema"
-)
-
-const GroupName = "oauth.supervisor.pinniped.dev"
-
-// SchemeGroupVersion is group version used to register these objects.
-var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha1"}
-
-var (
- SchemeBuilder runtime.SchemeBuilder
- localSchemeBuilder = &SchemeBuilder
- AddToScheme = localSchemeBuilder.AddToScheme
-)
-
-func init() {
- // We only register manually written functions here. The registration of the
- // generated functions takes place in the generated files. The separation
- // makes the code compile even when the generated files are missing.
- localSchemeBuilder.Register(addKnownTypes)
-}
-
-// Adds the list of known types to the given scheme.
-func addKnownTypes(scheme *runtime.Scheme) error {
- scheme.AddKnownTypes(SchemeGroupVersion,
- &OIDCClient{},
- &OIDCClientList{},
- )
- metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
- return nil
-}
-
-// Resource takes an unqualified resource and returns a Group qualified GroupResource.
-func Resource(resource string) schema.GroupResource {
- return SchemeGroupVersion.WithResource(resource).GroupResource()
-}
diff --git a/generated/1.24/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go b/generated/1.24/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go
deleted file mode 100644
index 1aba8aea..00000000
--- a/generated/1.24/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go
+++ /dev/null
@@ -1,121 +0,0 @@ -//go:build !ignore_autogenerated -// +build !ignore_autogenerated - -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by deepcopy-gen. DO NOT EDIT. - -package v1alpha1 - -import ( - runtime "k8s.io/apimachinery/pkg/runtime" -) - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *OIDCClient) DeepCopyInto(out *OIDCClient) { - *out = *in - out.TypeMeta = in.TypeMeta - in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) - in.Spec.DeepCopyInto(&out.Spec) - out.Status = in.Status - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClient. -func (in *OIDCClient) DeepCopy() *OIDCClient { - if in == nil { - return nil - } - out := new(OIDCClient) - in.DeepCopyInto(out) - return out -} - -// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. -func (in *OIDCClient) DeepCopyObject() runtime.Object { - if c := in.DeepCopy(); c != nil { - return c - } - return nil -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *OIDCClientList) DeepCopyInto(out *OIDCClientList) { - *out = *in - out.TypeMeta = in.TypeMeta - in.ListMeta.DeepCopyInto(&out.ListMeta) - if in.Items != nil { - in, out := &in.Items, &out.Items - *out = make([]OIDCClient, len(*in)) - for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) - } - } - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientList. -func (in *OIDCClientList) DeepCopy() *OIDCClientList { - if in == nil { - return nil - } - out := new(OIDCClientList) - in.DeepCopyInto(out) - return out -} - -// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. 
-func (in *OIDCClientList) DeepCopyObject() runtime.Object { - if c := in.DeepCopy(); c != nil { - return c - } - return nil -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *OIDCClientSpec) DeepCopyInto(out *OIDCClientSpec) { - *out = *in - if in.AllowedRedirectURIs != nil { - in, out := &in.AllowedRedirectURIs, &out.AllowedRedirectURIs - *out = make([]string, len(*in)) - copy(*out, *in) - } - if in.AllowedGrantTypes != nil { - in, out := &in.AllowedGrantTypes, &out.AllowedGrantTypes - *out = make([]GrantType, len(*in)) - copy(*out, *in) - } - if in.AllowedScopes != nil { - in, out := &in.AllowedScopes, &out.AllowedScopes - *out = make([]Scope, len(*in)) - copy(*out, *in) - } - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSpec. -func (in *OIDCClientSpec) DeepCopy() *OIDCClientSpec { - if in == nil { - return nil - } - out := new(OIDCClientSpec) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *OIDCClientStatus) DeepCopyInto(out *OIDCClientStatus) { - *out = *in - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientStatus. -func (in *OIDCClientStatus) DeepCopy() *OIDCClientStatus { - if in == nil { - return nil - } - out := new(OIDCClientStatus) - in.DeepCopyInto(out) - return out -} diff --git a/generated/1.24/apis/supervisor/virtual/oauth/doc.go b/generated/1.24/apis/supervisor/virtual/oauth/doc.go deleted file mode 100644 index ca4e9a63..00000000 --- a/generated/1.24/apis/supervisor/virtual/oauth/doc.go +++ /dev/null 
@@ -1,8 +0,0 @@
-// Copyright 2022 the Pinniped contributors. All Rights Reserved.
-// SPDX-License-Identifier: Apache-2.0
-
-// +k8s:deepcopy-gen=package
-// +groupName=oauth.virtual.supervisor.pinniped.dev
-
-// Package oauth is the internal version of the Pinniped virtual oauth API.
-package oauth
diff --git a/generated/1.24/apis/supervisor/virtual/oauth/register.go b/generated/1.24/apis/supervisor/virtual/oauth/register.go
deleted file mode 100644
index a238d85f..00000000
--- a/generated/1.24/apis/supervisor/virtual/oauth/register.go
+++ /dev/null
@@ -1,37 +0,0 @@
-// Copyright 2022 the Pinniped contributors. All Rights Reserved.
-// SPDX-License-Identifier: Apache-2.0
-
-package oauth
-
-import (
- "k8s.io/apimachinery/pkg/runtime"
- "k8s.io/apimachinery/pkg/runtime/schema"
-)
-
-const GroupName = "oauth.virtual.supervisor.pinniped.dev"
-
-// SchemeGroupVersion is group version used to register these objects.
-var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: runtime.APIVersionInternal}
-
-// Kind takes an unqualified kind and returns back a Group qualified GroupKind.
-func Kind(kind string) schema.GroupKind {
- return SchemeGroupVersion.WithKind(kind).GroupKind()
-}
-
-// Resource takes an unqualified resource and returns back a Group qualified GroupResource.
-func Resource(resource string) schema.GroupResource {
- return SchemeGroupVersion.WithResource(resource).GroupResource()
-}
-
-var (
- SchemeBuilder = runtime.NewSchemeBuilder(addKnownTypes)
- AddToScheme = SchemeBuilder.AddToScheme
-)
-
-// Adds the list of known types to the given scheme.
-func addKnownTypes(scheme *runtime.Scheme) error {
- scheme.AddKnownTypes(SchemeGroupVersion,
- &OIDCClientSecretRequest{},
- )
- return nil
-}
diff --git a/generated/1.24/apis/supervisor/virtual/oauth/types_oidcclientsecretrequest.go b/generated/1.24/apis/supervisor/virtual/oauth/types_oidcclientsecretrequest.go
deleted file mode 100644
index ac54a93c..00000000
--- a/generated/1.24/apis/supervisor/virtual/oauth/types_oidcclientsecretrequest.go
+++ /dev/null
@@ -1,25 +0,0 @@
-// Copyright 2022 the Pinniped contributors. All Rights Reserved.
-// SPDX-License-Identifier: Apache-2.0
-
-package oauth
-
-import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-
-type OIDCClientSecretRequestSpec struct {
- GenerateNewSecret bool `json:"generateNewSecret"`
- RevokeOldSecrets bool `json:"revokeOldSecrets"`
-}
-
-type OIDCClientSecretRequestStatus struct {
- GeneratedSecret string `json:"generatedSecret,omitempty"`
- TotalClientSecrets int `json:"totalClientSecrets"`
-}
-
-// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
-type OIDCClientSecretRequest struct {
- metav1.TypeMeta `json:",inline"`
- metav1.ObjectMeta `json:"metadata,omitempty"` // metadata.name must be set to the client ID
-
- Spec OIDCClientSecretRequestSpec `json:"spec"`
- Status OIDCClientSecretRequestStatus `json:"status"`
-}
diff --git a/generated/1.24/apis/supervisor/virtual/oauth/v1alpha1/register.go b/generated/1.24/apis/supervisor/virtual/oauth/v1alpha1/register.go
deleted file mode 100644
index ecc75a08..00000000
--- a/generated/1.24/apis/supervisor/virtual/oauth/v1alpha1/register.go
+++ /dev/null
@@ -1,42 +0,0 @@
-// Copyright 2022 the Pinniped contributors. All Rights Reserved.
-// SPDX-License-Identifier: Apache-2.0
-
-package v1alpha1
-
-import (
- metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
- "k8s.io/apimachinery/pkg/runtime"
- "k8s.io/apimachinery/pkg/runtime/schema"
-)
-
-const GroupName = "oauth.virtual.supervisor.pinniped.dev"
-
-// SchemeGroupVersion is group version used to register these objects.
-var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha1"}
-
-var (
- SchemeBuilder runtime.SchemeBuilder
- localSchemeBuilder = &SchemeBuilder
- AddToScheme = SchemeBuilder.AddToScheme
-)
-
-func init() {
- // We only register manually written functions here. The registration of the
- // generated functions takes place in the generated files. The separation
- // makes the code compile even when the generated files are missing.
- localSchemeBuilder.Register(addKnownTypes, addDefaultingFuncs)
-}
-
-// Adds the list of known types to the given scheme.
-func addKnownTypes(scheme *runtime.Scheme) error {
- scheme.AddKnownTypes(SchemeGroupVersion,
- &OIDCClientSecretRequest{},
- )
- metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
- return nil
-}
-
-// Resource takes an unqualified resource and returns back a Group qualified GroupResource.
-func Resource(resource string) schema.GroupResource {
- return SchemeGroupVersion.WithResource(resource).GroupResource()
-}
diff --git a/generated/1.24/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.conversion.go b/generated/1.24/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.conversion.go
deleted file mode 100644
index 35815fbe..00000000
--- a/generated/1.24/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.conversion.go
+++ /dev/null
@@ -1,131 +0,0 @@ -//go:build !ignore_autogenerated -// +build !ignore_autogenerated - -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by conversion-gen. DO NOT EDIT. - -package v1alpha1 - -import ( - oauth "go.pinniped.dev/generated/1.24/apis/supervisor/virtual/oauth" - conversion "k8s.io/apimachinery/pkg/conversion" - runtime "k8s.io/apimachinery/pkg/runtime" -) - -func init() { - localSchemeBuilder.Register(RegisterConversions) -} - -// RegisterConversions adds conversion functions to the given scheme. -// Public to allow building arbitrary schemes. -func RegisterConversions(s *runtime.Scheme) error { - if err := s.AddGeneratedConversionFunc((*OIDCClientSecretRequest)(nil), (*oauth.OIDCClientSecretRequest)(nil), func(a, b interface{}, scope conversion.Scope) error { - return Convert_v1alpha1_OIDCClientSecretRequest_To_oauth_OIDCClientSecretRequest(a.(*OIDCClientSecretRequest), b.(*oauth.OIDCClientSecretRequest), scope) - }); err != nil { - return err - } - if err := s.AddGeneratedConversionFunc((*oauth.OIDCClientSecretRequest)(nil), (*OIDCClientSecretRequest)(nil), func(a, b interface{}, scope conversion.Scope) error { - return Convert_oauth_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest(a.(*oauth.OIDCClientSecretRequest), b.(*OIDCClientSecretRequest), scope) - }); err != nil { - return err - } - if err := s.AddGeneratedConversionFunc((*OIDCClientSecretRequestSpec)(nil), (*oauth.OIDCClientSecretRequestSpec)(nil), func(a, b interface{}, scope conversion.Scope) error { - return Convert_v1alpha1_OIDCClientSecretRequestSpec_To_oauth_OIDCClientSecretRequestSpec(a.(*OIDCClientSecretRequestSpec), b.(*oauth.OIDCClientSecretRequestSpec), scope) - }); err != nil { - return err - } - if err := s.AddGeneratedConversionFunc((*oauth.OIDCClientSecretRequestSpec)(nil), (*OIDCClientSecretRequestSpec)(nil), func(a, b interface{}, scope conversion.Scope) error { - return 
Convert_oauth_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec(a.(*oauth.OIDCClientSecretRequestSpec), b.(*OIDCClientSecretRequestSpec), scope) - }); err != nil { - return err - } - if err := s.AddGeneratedConversionFunc((*OIDCClientSecretRequestStatus)(nil), (*oauth.OIDCClientSecretRequestStatus)(nil), func(a, b interface{}, scope conversion.Scope) error { - return Convert_v1alpha1_OIDCClientSecretRequestStatus_To_oauth_OIDCClientSecretRequestStatus(a.(*OIDCClientSecretRequestStatus), b.(*oauth.OIDCClientSecretRequestStatus), scope) - }); err != nil { - return err - } - if err := s.AddGeneratedConversionFunc((*oauth.OIDCClientSecretRequestStatus)(nil), (*OIDCClientSecretRequestStatus)(nil), func(a, b interface{}, scope conversion.Scope) error { - return Convert_oauth_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus(a.(*oauth.OIDCClientSecretRequestStatus), b.(*OIDCClientSecretRequestStatus), scope) - }); err != nil { - return err - } - return nil -} - -func autoConvert_v1alpha1_OIDCClientSecretRequest_To_oauth_OIDCClientSecretRequest(in *OIDCClientSecretRequest, out *oauth.OIDCClientSecretRequest, s conversion.Scope) error { - out.ObjectMeta = in.ObjectMeta - if err := Convert_v1alpha1_OIDCClientSecretRequestSpec_To_oauth_OIDCClientSecretRequestSpec(&in.Spec, &out.Spec, s); err != nil { - return err - } - if err := Convert_v1alpha1_OIDCClientSecretRequestStatus_To_oauth_OIDCClientSecretRequestStatus(&in.Status, &out.Status, s); err != nil { - return err - } - return nil -} - -// Convert_v1alpha1_OIDCClientSecretRequest_To_oauth_OIDCClientSecretRequest is an autogenerated conversion function. 
-func Convert_v1alpha1_OIDCClientSecretRequest_To_oauth_OIDCClientSecretRequest(in *OIDCClientSecretRequest, out *oauth.OIDCClientSecretRequest, s conversion.Scope) error { - return autoConvert_v1alpha1_OIDCClientSecretRequest_To_oauth_OIDCClientSecretRequest(in, out, s) -} - -func autoConvert_oauth_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest(in *oauth.OIDCClientSecretRequest, out *OIDCClientSecretRequest, s conversion.Scope) error { - out.ObjectMeta = in.ObjectMeta - if err := Convert_oauth_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec(&in.Spec, &out.Spec, s); err != nil { - return err - } - if err := Convert_oauth_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus(&in.Status, &out.Status, s); err != nil { - return err - } - return nil -} - -// Convert_oauth_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest is an autogenerated conversion function. -func Convert_oauth_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest(in *oauth.OIDCClientSecretRequest, out *OIDCClientSecretRequest, s conversion.Scope) error { - return autoConvert_oauth_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest(in, out, s) -} - -func autoConvert_v1alpha1_OIDCClientSecretRequestSpec_To_oauth_OIDCClientSecretRequestSpec(in *OIDCClientSecretRequestSpec, out *oauth.OIDCClientSecretRequestSpec, s conversion.Scope) error { - out.GenerateNewSecret = in.GenerateNewSecret - out.RevokeOldSecrets = in.RevokeOldSecrets - return nil -} - -// Convert_v1alpha1_OIDCClientSecretRequestSpec_To_oauth_OIDCClientSecretRequestSpec is an autogenerated conversion function. 
-func Convert_v1alpha1_OIDCClientSecretRequestSpec_To_oauth_OIDCClientSecretRequestSpec(in *OIDCClientSecretRequestSpec, out *oauth.OIDCClientSecretRequestSpec, s conversion.Scope) error { - return autoConvert_v1alpha1_OIDCClientSecretRequestSpec_To_oauth_OIDCClientSecretRequestSpec(in, out, s) -} - -func autoConvert_oauth_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec(in *oauth.OIDCClientSecretRequestSpec, out *OIDCClientSecretRequestSpec, s conversion.Scope) error { - out.GenerateNewSecret = in.GenerateNewSecret - out.RevokeOldSecrets = in.RevokeOldSecrets - return nil -} - -// Convert_oauth_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec is an autogenerated conversion function. -func Convert_oauth_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec(in *oauth.OIDCClientSecretRequestSpec, out *OIDCClientSecretRequestSpec, s conversion.Scope) error { - return autoConvert_oauth_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec(in, out, s) -} - -func autoConvert_v1alpha1_OIDCClientSecretRequestStatus_To_oauth_OIDCClientSecretRequestStatus(in *OIDCClientSecretRequestStatus, out *oauth.OIDCClientSecretRequestStatus, s conversion.Scope) error { - out.GeneratedSecret = in.GeneratedSecret - out.TotalClientSecrets = in.TotalClientSecrets - return nil -} - -// Convert_v1alpha1_OIDCClientSecretRequestStatus_To_oauth_OIDCClientSecretRequestStatus is an autogenerated conversion function. 
-func Convert_v1alpha1_OIDCClientSecretRequestStatus_To_oauth_OIDCClientSecretRequestStatus(in *OIDCClientSecretRequestStatus, out *oauth.OIDCClientSecretRequestStatus, s conversion.Scope) error { - return autoConvert_v1alpha1_OIDCClientSecretRequestStatus_To_oauth_OIDCClientSecretRequestStatus(in, out, s) -} - -func autoConvert_oauth_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus(in *oauth.OIDCClientSecretRequestStatus, out *OIDCClientSecretRequestStatus, s conversion.Scope) error { - out.GeneratedSecret = in.GeneratedSecret - out.TotalClientSecrets = in.TotalClientSecrets - return nil -} - -// Convert_oauth_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus is an autogenerated conversion function. -func Convert_oauth_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus(in *oauth.OIDCClientSecretRequestStatus, out *OIDCClientSecretRequestStatus, s conversion.Scope) error { - return autoConvert_oauth_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus(in, out, s) -} diff --git a/generated/1.24/apis/supervisor/virtual/oauth/zz_generated.deepcopy.go b/generated/1.24/apis/supervisor/virtual/oauth/zz_generated.deepcopy.go deleted file mode 100644 index 24b58e7b..00000000 --- a/generated/1.24/apis/supervisor/virtual/oauth/zz_generated.deepcopy.go +++ /dev/null 
@@ -1,73 +0,0 @@ -//go:build !ignore_autogenerated -// +build !ignore_autogenerated - -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by deepcopy-gen. DO NOT EDIT. - -package oauth - -import ( - runtime "k8s.io/apimachinery/pkg/runtime" -) - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *OIDCClientSecretRequest) DeepCopyInto(out *OIDCClientSecretRequest) { - *out = *in - out.TypeMeta = in.TypeMeta - in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) - out.Spec = in.Spec - out.Status = in.Status - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSecretRequest. -func (in *OIDCClientSecretRequest) DeepCopy() *OIDCClientSecretRequest { - if in == nil { - return nil - } - out := new(OIDCClientSecretRequest) - in.DeepCopyInto(out) - return out -} - -// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. -func (in *OIDCClientSecretRequest) DeepCopyObject() runtime.Object { - if c := in.DeepCopy(); c != nil { - return c - } - return nil -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *OIDCClientSecretRequestSpec) DeepCopyInto(out *OIDCClientSecretRequestSpec) { - *out = *in - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSecretRequestSpec. -func (in *OIDCClientSecretRequestSpec) DeepCopy() *OIDCClientSecretRequestSpec { - if in == nil { - return nil - } - out := new(OIDCClientSecretRequestSpec) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
-func (in *OIDCClientSecretRequestStatus) DeepCopyInto(out *OIDCClientSecretRequestStatus) { - *out = *in - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSecretRequestStatus. -func (in *OIDCClientSecretRequestStatus) DeepCopy() *OIDCClientSecretRequestStatus { - if in == nil { - return nil - } - out := new(OIDCClientSecretRequestStatus) - in.DeepCopyInto(out) - return out -} diff --git a/generated/1.24/client/supervisor/clientset/versioned/clientset.go b/generated/1.24/client/supervisor/clientset/versioned/clientset.go index faf9359f..830a52a1 100644 --- a/generated/1.24/client/supervisor/clientset/versioned/clientset.go +++ b/generated/1.24/client/supervisor/clientset/versioned/clientset.go @@ -9,9 +9,9 @@ import ( "fmt" "net/http" + clientsecretv1alpha1 "go.pinniped.dev/generated/1.24/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1" configv1alpha1 "go.pinniped.dev/generated/1.24/client/supervisor/clientset/versioned/typed/config/v1alpha1" idpv1alpha1 "go.pinniped.dev/generated/1.24/client/supervisor/clientset/versioned/typed/idp/v1alpha1" - oauthv1alpha1 "go.pinniped.dev/generated/1.24/client/supervisor/clientset/versioned/typed/oauth/v1alpha1" discovery "k8s.io/client-go/discovery" rest "k8s.io/client-go/rest" flowcontrol "k8s.io/client-go/util/flowcontrol" 
@@ -19,18 +19,23 @@ import ( type Interface interface { Discovery() discovery.DiscoveryInterface + ClientsecretV1alpha1() clientsecretv1alpha1.ClientsecretV1alpha1Interface ConfigV1alpha1() configv1alpha1.ConfigV1alpha1Interface IDPV1alpha1() idpv1alpha1.IDPV1alpha1Interface - OauthV1alpha1() oauthv1alpha1.OauthV1alpha1Interface } // Clientset contains the clients for groups. Each group has exactly one // version included in a Clientset. type Clientset struct { *discovery.DiscoveryClient - configV1alpha1 *configv1alpha1.ConfigV1alpha1Client - iDPV1alpha1 *idpv1alpha1.IDPV1alpha1Client - oauthV1alpha1 *oauthv1alpha1.OauthV1alpha1Client + clientsecretV1alpha1 *clientsecretv1alpha1.ClientsecretV1alpha1Client + configV1alpha1 *configv1alpha1.ConfigV1alpha1Client + iDPV1alpha1 *idpv1alpha1.IDPV1alpha1Client +} + +// ClientsecretV1alpha1 retrieves the ClientsecretV1alpha1Client +func (c *Clientset) ClientsecretV1alpha1() clientsecretv1alpha1.ClientsecretV1alpha1Interface { + return c.clientsecretV1alpha1 } // ConfigV1alpha1 retrieves the ConfigV1alpha1Client @@ -43,11 +48,6 @@ func (c *Clientset) IDPV1alpha1() idpv1alpha1.IDPV1alpha1Interface { return c.iDPV1alpha1 } -// OauthV1alpha1 retrieves the OauthV1alpha1Client -func (c *Clientset) OauthV1alpha1() oauthv1alpha1.OauthV1alpha1Interface { - return c.oauthV1alpha1 -} - // Discovery retrieves the DiscoveryClient func (c *Clientset) Discovery() discovery.DiscoveryInterface { if c == nil { @@ -92,6 +92,10 @@ func NewForConfigAndClient(c *rest.Config, httpClient *http.Client) (*Clientset, var cs Clientset var err error + cs.clientsecretV1alpha1, err = clientsecretv1alpha1.NewForConfigAndClient(&configShallowCopy, httpClient) + if err != nil { + return nil, err + } cs.configV1alpha1, err = configv1alpha1.NewForConfigAndClient(&configShallowCopy, httpClient) if err != nil { return nil, err 
@@ -100,10 +104,6 @@ func NewForConfigAndClient(c *rest.Config, httpClient *http.Client) (*Clientset, if err != nil { return nil, err } - cs.oauthV1alpha1, err = oauthv1alpha1.NewForConfigAndClient(&configShallowCopy, httpClient) - if err != nil { - return nil, err - } cs.DiscoveryClient, err = discovery.NewDiscoveryClientForConfigAndClient(&configShallowCopy, httpClient) if err != nil { @@ -125,9 +125,9 @@ func NewForConfigOrDie(c *rest.Config) *Clientset { // New creates a new Clientset for the given RESTClient. func New(c rest.Interface) *Clientset { var cs Clientset + cs.clientsecretV1alpha1 = clientsecretv1alpha1.New(c) cs.configV1alpha1 = configv1alpha1.New(c) cs.iDPV1alpha1 = idpv1alpha1.New(c) - cs.oauthV1alpha1 = oauthv1alpha1.New(c) cs.DiscoveryClient = discovery.NewDiscoveryClient(c) return &cs diff --git a/generated/1.24/client/supervisor/clientset/versioned/fake/clientset_generated.go b/generated/1.24/client/supervisor/clientset/versioned/fake/clientset_generated.go index 3784bd68..8d2e9e47 100644 --- a/generated/1.24/client/supervisor/clientset/versioned/fake/clientset_generated.go +++ b/generated/1.24/client/supervisor/clientset/versioned/fake/clientset_generated.go 
@@ -7,12 +7,12 @@ package fake import ( clientset "go.pinniped.dev/generated/1.24/client/supervisor/clientset/versioned" + clientsecretv1alpha1 "go.pinniped.dev/generated/1.24/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1" + fakeclientsecretv1alpha1 "go.pinniped.dev/generated/1.24/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/fake" configv1alpha1 "go.pinniped.dev/generated/1.24/client/supervisor/clientset/versioned/typed/config/v1alpha1" fakeconfigv1alpha1 "go.pinniped.dev/generated/1.24/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake" idpv1alpha1 "go.pinniped.dev/generated/1.24/client/supervisor/clientset/versioned/typed/idp/v1alpha1" fakeidpv1alpha1 "go.pinniped.dev/generated/1.24/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake" - oauthv1alpha1 "go.pinniped.dev/generated/1.24/client/supervisor/clientset/versioned/typed/oauth/v1alpha1" - fakeoauthv1alpha1 "go.pinniped.dev/generated/1.24/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake" "k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/watch" "k8s.io/client-go/discovery" @@ -70,6 +70,11 @@ var ( _ testing.FakeClient = &Clientset{} ) +// ClientsecretV1alpha1 retrieves the ClientsecretV1alpha1Client +func (c *Clientset) ClientsecretV1alpha1() clientsecretv1alpha1.ClientsecretV1alpha1Interface { + return &fakeclientsecretv1alpha1.FakeClientsecretV1alpha1{Fake: &c.Fake} +} + // ConfigV1alpha1 retrieves the ConfigV1alpha1Client func (c *Clientset) ConfigV1alpha1() configv1alpha1.ConfigV1alpha1Interface { return &fakeconfigv1alpha1.FakeConfigV1alpha1{Fake: &c.Fake} 
@@ -79,8 +84,3 @@ func (c *Clientset) ConfigV1alpha1() configv1alpha1.ConfigV1alpha1Interface { func (c *Clientset) IDPV1alpha1() idpv1alpha1.IDPV1alpha1Interface { return &fakeidpv1alpha1.FakeIDPV1alpha1{Fake: &c.Fake} } - -// OauthV1alpha1 retrieves the OauthV1alpha1Client -func (c *Clientset) OauthV1alpha1() oauthv1alpha1.OauthV1alpha1Interface { - return &fakeoauthv1alpha1.FakeOauthV1alpha1{Fake: &c.Fake} -} diff --git a/generated/1.24/client/supervisor/clientset/versioned/fake/register.go b/generated/1.24/client/supervisor/clientset/versioned/fake/register.go index 3ac8970f..fcbf03b8 100644 --- a/generated/1.24/client/supervisor/clientset/versioned/fake/register.go +++ b/generated/1.24/client/supervisor/clientset/versioned/fake/register.go @@ -6,9 +6,9 @@ package fake import ( + clientsecretv1alpha1 "go.pinniped.dev/generated/1.24/apis/supervisor/clientsecret/v1alpha1" configv1alpha1 "go.pinniped.dev/generated/1.24/apis/supervisor/config/v1alpha1" idpv1alpha1 "go.pinniped.dev/generated/1.24/apis/supervisor/idp/v1alpha1" - oauthv1alpha1 "go.pinniped.dev/generated/1.24/apis/supervisor/oauth/v1alpha1" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" runtime "k8s.io/apimachinery/pkg/runtime" schema "k8s.io/apimachinery/pkg/runtime/schema" @@ -20,9 +20,9 @@ var scheme = runtime.NewScheme() var codecs = serializer.NewCodecFactory(scheme) var localSchemeBuilder = runtime.SchemeBuilder{ + clientsecretv1alpha1.AddToScheme, configv1alpha1.AddToScheme, idpv1alpha1.AddToScheme, - oauthv1alpha1.AddToScheme, } // AddToScheme adds all types of this clientset into the given scheme. This allows composition diff --git a/generated/1.24/client/supervisor/clientset/versioned/scheme/register.go b/generated/1.24/client/supervisor/clientset/versioned/scheme/register.go index 696c9bcc..dccce174 100644 --- a/generated/1.24/client/supervisor/clientset/versioned/scheme/register.go +++ b/generated/1.24/client/supervisor/clientset/versioned/scheme/register.go 
@@ -6,9 +6,9 @@ package scheme import ( + clientsecretv1alpha1 "go.pinniped.dev/generated/1.24/apis/supervisor/clientsecret/v1alpha1" configv1alpha1 "go.pinniped.dev/generated/1.24/apis/supervisor/config/v1alpha1" idpv1alpha1 "go.pinniped.dev/generated/1.24/apis/supervisor/idp/v1alpha1" - oauthv1alpha1 "go.pinniped.dev/generated/1.24/apis/supervisor/oauth/v1alpha1" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" runtime "k8s.io/apimachinery/pkg/runtime" schema "k8s.io/apimachinery/pkg/runtime/schema" @@ -20,9 +20,9 @@ var Scheme = runtime.NewScheme() var Codecs = serializer.NewCodecFactory(Scheme) var ParameterCodec = runtime.NewParameterCodec(Scheme) var localSchemeBuilder = runtime.SchemeBuilder{ + clientsecretv1alpha1.AddToScheme, configv1alpha1.AddToScheme, idpv1alpha1.AddToScheme, - oauthv1alpha1.AddToScheme, } // AddToScheme adds all types of this clientset into the given scheme. This allows composition diff --git a/generated/latest/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go b/generated/1.24/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/clientsecret_client.go similarity index 55% rename from generated/latest/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go rename to generated/1.24/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/clientsecret_client.go index f5863aa1..a9ad436b 100644 --- a/generated/latest/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go +++ b/generated/1.24/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/clientsecret_client.go 
@@ -8,29 +8,29 @@ package v1alpha1 import ( "net/http" - v1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/virtual/oauth/v1alpha1" - "go.pinniped.dev/generated/latest/client/supervisor/virtual/clientset/versioned/scheme" + v1alpha1 "go.pinniped.dev/generated/1.24/apis/supervisor/clientsecret/v1alpha1" + "go.pinniped.dev/generated/1.24/client/supervisor/clientset/versioned/scheme" rest "k8s.io/client-go/rest" ) -type OauthV1alpha1Interface interface { +type ClientsecretV1alpha1Interface interface { RESTClient() rest.Interface OIDCClientSecretRequestsGetter } -// OauthV1alpha1Client is used to interact with features provided by the oauth.virtual.supervisor.pinniped.dev group. -type OauthV1alpha1Client struct { +// ClientsecretV1alpha1Client is used to interact with features provided by the clientsecret.supervisor.pinniped.dev group. +type ClientsecretV1alpha1Client struct { restClient rest.Interface } -func (c *OauthV1alpha1Client) OIDCClientSecretRequests(namespace string) OIDCClientSecretRequestInterface { +func (c *ClientsecretV1alpha1Client) OIDCClientSecretRequests(namespace string) OIDCClientSecretRequestInterface { return newOIDCClientSecretRequests(c, namespace) } -// NewForConfig creates a new OauthV1alpha1Client for the given config. +// NewForConfig creates a new ClientsecretV1alpha1Client for the given config. // NewForConfig is equivalent to NewForConfigAndClient(c, httpClient), // where httpClient was generated with rest.HTTPClientFor(c). -func NewForConfig(c *rest.Config) (*OauthV1alpha1Client, error) { +func NewForConfig(c *rest.Config) (*ClientsecretV1alpha1Client, error) { config := *c if err := setConfigDefaults(&config); err != nil { return nil, err 
@@ -42,9 +42,9 @@ func NewForConfig(c *rest.Config) (*OauthV1alpha1Client, error) { return NewForConfigAndClient(&config, httpClient) } -// NewForConfigAndClient creates a new OauthV1alpha1Client for the given config and http client. +// NewForConfigAndClient creates a new ClientsecretV1alpha1Client for the given config and http client. // Note the http client provided takes precedence over the configured transport values. -func NewForConfigAndClient(c *rest.Config, h *http.Client) (*OauthV1alpha1Client, error) { +func NewForConfigAndClient(c *rest.Config, h *http.Client) (*ClientsecretV1alpha1Client, error) { config := *c if err := setConfigDefaults(&config); err != nil { return nil, err @@ -53,12 +53,12 @@ func NewForConfigAndClient(c *rest.Config, h *http.Client) (*OauthV1alpha1Client if err != nil { return nil, err } - return &OauthV1alpha1Client{client}, nil + return &ClientsecretV1alpha1Client{client}, nil } -// NewForConfigOrDie creates a new OauthV1alpha1Client for the given config and +// NewForConfigOrDie creates a new ClientsecretV1alpha1Client for the given config and // panics if there is an error in the config. -func NewForConfigOrDie(c *rest.Config) *OauthV1alpha1Client { +func NewForConfigOrDie(c *rest.Config) *ClientsecretV1alpha1Client { client, err := NewForConfig(c) if err != nil { panic(err) @@ -66,9 +66,9 @@ func NewForConfigOrDie(c *rest.Config) *OauthV1alpha1Client { return client } -// New creates a new OauthV1alpha1Client for the given RESTClient. -func New(c rest.Interface) *OauthV1alpha1Client { - return &OauthV1alpha1Client{c} +// New creates a new ClientsecretV1alpha1Client for the given RESTClient. +func New(c rest.Interface) *ClientsecretV1alpha1Client { + return &ClientsecretV1alpha1Client{c} } func setConfigDefaults(config *rest.Config) error { 
@@ -86,7 +86,7 @@ func setConfigDefaults(config *rest.Config) error { // RESTClient returns a RESTClient that is used to communicate // with API server by this client implementation. -func (c *OauthV1alpha1Client) RESTClient() rest.Interface { +func (c *ClientsecretV1alpha1Client) RESTClient() rest.Interface { if c == nil { return nil } diff --git a/generated/1.20/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/doc.go b/generated/1.24/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/doc.go similarity index 100% rename from generated/1.20/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/doc.go rename to generated/1.24/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/doc.go diff --git a/generated/1.20/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go b/generated/1.24/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/fake/doc.go similarity index 100% rename from generated/1.20/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go rename to generated/1.24/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/fake/doc.go diff --git a/generated/1.24/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go b/generated/1.24/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/fake/fake_clientsecret_client.go similarity index 60% rename from generated/1.24/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go rename to generated/1.24/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/fake/fake_clientsecret_client.go index f35814e2..3095c0b5 100644 --- a/generated/1.24/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go +++ b/generated/1.24/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/fake/fake_clientsecret_client.go 
@@ -6,22 +6,22 @@ package fake import ( - v1alpha1 "go.pinniped.dev/generated/1.24/client/supervisor/clientset/versioned/typed/oauth/v1alpha1" + v1alpha1 "go.pinniped.dev/generated/1.24/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1" rest "k8s.io/client-go/rest" testing "k8s.io/client-go/testing" ) -type FakeOauthV1alpha1 struct { +type FakeClientsecretV1alpha1 struct { *testing.Fake } -func (c *FakeOauthV1alpha1) OIDCClients(namespace string) v1alpha1.OIDCClientInterface { - return &FakeOIDCClients{c, namespace} +func (c *FakeClientsecretV1alpha1) OIDCClientSecretRequests(namespace string) v1alpha1.OIDCClientSecretRequestInterface { + return &FakeOIDCClientSecretRequests{c, namespace} } // RESTClient returns a RESTClient that is used to communicate // with API server by this client implementation. -func (c *FakeOauthV1alpha1) RESTClient() rest.Interface { +func (c *FakeClientsecretV1alpha1) RESTClient() rest.Interface { var ret *rest.RESTClient return ret } diff --git a/generated/1.24/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/fake/fake_oidcclientsecretrequest.go b/generated/1.24/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/fake/fake_oidcclientsecretrequest.go new file mode 100644 index 00000000..2c21884f --- /dev/null +++ b/generated/1.24/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/fake/fake_oidcclientsecretrequest.go 
@@ -0,0 +1,36 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package fake + +import ( + "context" + + v1alpha1 "go.pinniped.dev/generated/1.24/apis/supervisor/clientsecret/v1alpha1" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + schema "k8s.io/apimachinery/pkg/runtime/schema" + testing "k8s.io/client-go/testing" +) + +// FakeOIDCClientSecretRequests implements OIDCClientSecretRequestInterface +type FakeOIDCClientSecretRequests struct { + Fake *FakeClientsecretV1alpha1 + ns string +} + +var oidcclientsecretrequestsResource = schema.GroupVersionResource{Group: "clientsecret.supervisor.pinniped.dev", Version: "v1alpha1", Resource: "oidcclientsecretrequests"} + +var oidcclientsecretrequestsKind = schema.GroupVersionKind{Group: "clientsecret.supervisor.pinniped.dev", Version: "v1alpha1", Kind: "OIDCClientSecretRequest"} + +// Create takes the representation of a oIDCClientSecretRequest and creates it. Returns the server's representation of the oIDCClientSecretRequest, and an error, if there is any. +func (c *FakeOIDCClientSecretRequests) Create(ctx context.Context, oIDCClientSecretRequest *v1alpha1.OIDCClientSecretRequest, opts v1.CreateOptions) (result *v1alpha1.OIDCClientSecretRequest, err error) { + obj, err := c.Fake. + Invokes(testing.NewCreateAction(oidcclientsecretrequestsResource, c.ns, oIDCClientSecretRequest), &v1alpha1.OIDCClientSecretRequest{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.OIDCClientSecretRequest), err +} 
diff --git a/generated/1.24/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go b/generated/1.24/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/generated_expansion.go similarity index 100% rename from generated/1.24/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go rename to generated/1.24/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/generated_expansion.go diff --git a/generated/1.24/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/oidcclientsecretrequest.go b/generated/1.24/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/oidcclientsecretrequest.go new file mode 100644 index 00000000..7be7135d --- /dev/null +++ b/generated/1.24/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/oidcclientsecretrequest.go 
@@ -0,0 +1,54 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + "context" + + v1alpha1 "go.pinniped.dev/generated/1.24/apis/supervisor/clientsecret/v1alpha1" + scheme "go.pinniped.dev/generated/1.24/client/supervisor/clientset/versioned/scheme" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + rest "k8s.io/client-go/rest" +) + +// OIDCClientSecretRequestsGetter has a method to return a OIDCClientSecretRequestInterface. +// A group's client should implement this interface. +type OIDCClientSecretRequestsGetter interface { + OIDCClientSecretRequests(namespace string) OIDCClientSecretRequestInterface +} + +// OIDCClientSecretRequestInterface has methods to work with OIDCClientSecretRequest resources. +type OIDCClientSecretRequestInterface interface { + Create(ctx context.Context, oIDCClientSecretRequest *v1alpha1.OIDCClientSecretRequest, opts v1.CreateOptions) (*v1alpha1.OIDCClientSecretRequest, error) + OIDCClientSecretRequestExpansion +} + +// oIDCClientSecretRequests implements OIDCClientSecretRequestInterface +type oIDCClientSecretRequests struct { + client rest.Interface + ns string +} + +// newOIDCClientSecretRequests returns a OIDCClientSecretRequests +func newOIDCClientSecretRequests(c *ClientsecretV1alpha1Client, namespace string) *oIDCClientSecretRequests { + return &oIDCClientSecretRequests{ + client: c.RESTClient(), + ns: namespace, + } +} + +// Create takes the representation of a oIDCClientSecretRequest and creates it. Returns the server's representation of the oIDCClientSecretRequest, and an error, if there is any. +func (c *oIDCClientSecretRequests) Create(ctx context.Context, oIDCClientSecretRequest *v1alpha1.OIDCClientSecretRequest, opts v1.CreateOptions) (result *v1alpha1.OIDCClientSecretRequest, err error) { + result = &v1alpha1.OIDCClientSecretRequest{} + err = c.client.Post(). + Namespace(c.ns). 
+ Resource("oidcclientsecretrequests"). + VersionedParams(&opts, scheme.ParameterCodec). + Body(oIDCClientSecretRequest). + Do(ctx). + Into(result) + return +} diff --git a/generated/1.24/client/supervisor/clientset/versioned/typed/config/v1alpha1/config_client.go b/generated/1.24/client/supervisor/clientset/versioned/typed/config/v1alpha1/config_client.go index dc9ff4c2..975ae72c 100644 --- a/generated/1.24/client/supervisor/clientset/versioned/typed/config/v1alpha1/config_client.go +++ b/generated/1.24/client/supervisor/clientset/versioned/typed/config/v1alpha1/config_client.go @@ -16,6 +16,7 @@ import ( type ConfigV1alpha1Interface interface { RESTClient() rest.Interface FederationDomainsGetter + OIDCClientsGetter } // ConfigV1alpha1Client is used to interact with features provided by the config.supervisor.pinniped.dev group. @@ -27,6 +28,10 @@ func (c *ConfigV1alpha1Client) FederationDomains(namespace string) FederationDom return newFederationDomains(c, namespace) } +func (c *ConfigV1alpha1Client) OIDCClients(namespace string) OIDCClientInterface { + return newOIDCClients(c, namespace) +} + // NewForConfig creates a new ConfigV1alpha1Client for the given config. // NewForConfig is equivalent to NewForConfigAndClient(c, httpClient), // where httpClient was generated with rest.HTTPClientFor(c). diff --git a/generated/1.24/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake/fake_config_client.go b/generated/1.24/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake/fake_config_client.go index 19460208..79b8be68 100644 --- a/generated/1.24/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake/fake_config_client.go +++ b/generated/1.24/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake/fake_config_client.go 
@@ -19,6 +19,10 @@ func (c *FakeConfigV1alpha1) FederationDomains(namespace string) v1alpha1.Federa return &FakeFederationDomains{c, namespace} } +func (c *FakeConfigV1alpha1) OIDCClients(namespace string) v1alpha1.OIDCClientInterface { + return &FakeOIDCClients{c, namespace} +} + // RESTClient returns a RESTClient that is used to communicate // with API server by this client implementation. func (c *FakeConfigV1alpha1) RESTClient() rest.Interface { diff --git a/generated/1.24/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oidcclient.go b/generated/1.24/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake/fake_oidcclient.go similarity index 92% rename from generated/1.24/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oidcclient.go rename to generated/1.24/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake/fake_oidcclient.go index ec6ea5cd..550031b4 100644 --- a/generated/1.24/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oidcclient.go +++ b/generated/1.24/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake/fake_oidcclient.go @@ -8,7 +8,7 @@ package fake import ( "context" - v1alpha1 "go.pinniped.dev/generated/1.24/apis/supervisor/oauth/v1alpha1" + v1alpha1 "go.pinniped.dev/generated/1.24/apis/supervisor/config/v1alpha1" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" labels "k8s.io/apimachinery/pkg/labels" schema "k8s.io/apimachinery/pkg/runtime/schema" 
@@ -19,13 +19,13 @@ import ( // FakeOIDCClients implements OIDCClientInterface type FakeOIDCClients struct { - Fake *FakeOauthV1alpha1 + Fake *FakeConfigV1alpha1 ns string } -var oidcclientsResource = schema.GroupVersionResource{Group: "oauth.supervisor.pinniped.dev", Version: "v1alpha1", Resource: "oidcclients"} +var oidcclientsResource = schema.GroupVersionResource{Group: "config.supervisor.pinniped.dev", Version: "v1alpha1", Resource: "oidcclients"} -var oidcclientsKind = schema.GroupVersionKind{Group: "oauth.supervisor.pinniped.dev", Version: "v1alpha1", Kind: "OIDCClient"} +var oidcclientsKind = schema.GroupVersionKind{Group: "config.supervisor.pinniped.dev", Version: "v1alpha1", Kind: "OIDCClient"} // Get takes name of the oIDCClient, and returns the corresponding oIDCClient object, and an error if there is any. func (c *FakeOIDCClients) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.OIDCClient, err error) { diff --git a/generated/1.24/client/supervisor/clientset/versioned/typed/config/v1alpha1/generated_expansion.go b/generated/1.24/client/supervisor/clientset/versioned/typed/config/v1alpha1/generated_expansion.go index ba9c9173..35b9ee3d 100644 --- a/generated/1.24/client/supervisor/clientset/versioned/typed/config/v1alpha1/generated_expansion.go +++ b/generated/1.24/client/supervisor/clientset/versioned/typed/config/v1alpha1/generated_expansion.go @@ -6,3 +6,5 @@ package v1alpha1 type FederationDomainExpansion interface{} + +type OIDCClientExpansion interface{} diff --git a/generated/1.24/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oidcclient.go b/generated/1.24/client/supervisor/clientset/versioned/typed/config/v1alpha1/oidcclient.go similarity index 97% rename from generated/1.24/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oidcclient.go rename to generated/1.24/client/supervisor/clientset/versioned/typed/config/v1alpha1/oidcclient.go index cdbc0f4a..c7656132 100644 
--- a/generated/1.24/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oidcclient.go +++ b/generated/1.24/client/supervisor/clientset/versioned/typed/config/v1alpha1/oidcclient.go @@ -9,7 +9,7 @@ import ( "context" "time" - v1alpha1 "go.pinniped.dev/generated/1.24/apis/supervisor/oauth/v1alpha1" + v1alpha1 "go.pinniped.dev/generated/1.24/apis/supervisor/config/v1alpha1" scheme "go.pinniped.dev/generated/1.24/client/supervisor/clientset/versioned/scheme" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" types "k8s.io/apimachinery/pkg/types" @@ -44,7 +44,7 @@ type oIDCClients struct { } // newOIDCClients returns a OIDCClients -func newOIDCClients(c *OauthV1alpha1Client, namespace string) *oIDCClients { +func newOIDCClients(c *ConfigV1alpha1Client, namespace string) *oIDCClients { return &oIDCClients{ client: c.RESTClient(), ns: namespace, diff --git a/generated/1.24/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/doc.go b/generated/1.24/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/doc.go deleted file mode 100644 index e7a470b6..00000000 --- a/generated/1.24/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/doc.go +++ /dev/null @@ -1,7 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by client-gen. DO NOT EDIT. - -// This package has the automatically generated typed clients. -package v1alpha1 diff --git a/generated/1.24/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go b/generated/1.24/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go deleted file mode 100644 index 7906901b..00000000 --- a/generated/1.24/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go +++ /dev/null 
@@ -1,7 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by client-gen. DO NOT EDIT. - -// Package fake has the automatically generated clients. -package fake diff --git a/generated/1.24/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go b/generated/1.24/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go deleted file mode 100644 index 87d22ea9..00000000 --- a/generated/1.24/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go +++ /dev/null @@ -1,8 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by client-gen. DO NOT EDIT. - -package v1alpha1 - -type OIDCClientExpansion interface{} diff --git a/generated/1.24/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go b/generated/1.24/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go deleted file mode 100644 index 3f71b07e..00000000 --- a/generated/1.24/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go +++ /dev/null 
@@ -1,94 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by client-gen. DO NOT EDIT. - -package v1alpha1 - -import ( - "net/http" - - v1alpha1 "go.pinniped.dev/generated/1.24/apis/supervisor/oauth/v1alpha1" - "go.pinniped.dev/generated/1.24/client/supervisor/clientset/versioned/scheme" - rest "k8s.io/client-go/rest" -) - -type OauthV1alpha1Interface interface { - RESTClient() rest.Interface - OIDCClientsGetter -} - -// OauthV1alpha1Client is used to interact with features provided by the oauth.supervisor.pinniped.dev group. -type OauthV1alpha1Client struct { - restClient rest.Interface -} - -func (c *OauthV1alpha1Client) OIDCClients(namespace string) OIDCClientInterface { - return newOIDCClients(c, namespace) -} - -// NewForConfig creates a new OauthV1alpha1Client for the given config. -// NewForConfig is equivalent to NewForConfigAndClient(c, httpClient), -// where httpClient was generated with rest.HTTPClientFor(c). -func NewForConfig(c *rest.Config) (*OauthV1alpha1Client, error) { - config := *c - if err := setConfigDefaults(&config); err != nil { - return nil, err - } - httpClient, err := rest.HTTPClientFor(&config) - if err != nil { - return nil, err - } - return NewForConfigAndClient(&config, httpClient) -} - -// NewForConfigAndClient creates a new OauthV1alpha1Client for the given config and http client. -// Note the http client provided takes precedence over the configured transport values. -func NewForConfigAndClient(c *rest.Config, h *http.Client) (*OauthV1alpha1Client, error) { - config := *c - if err := setConfigDefaults(&config); err != nil { - return nil, err - } - client, err := rest.RESTClientForConfigAndClient(&config, h) - if err != nil { - return nil, err - } - return &OauthV1alpha1Client{client}, nil -} - -// NewForConfigOrDie creates a new OauthV1alpha1Client for the given config and -// panics if there is an error in the config. 
-func NewForConfigOrDie(c *rest.Config) *OauthV1alpha1Client { - client, err := NewForConfig(c) - if err != nil { - panic(err) - } - return client -} - -// New creates a new OauthV1alpha1Client for the given RESTClient. -func New(c rest.Interface) *OauthV1alpha1Client { - return &OauthV1alpha1Client{c} -} - -func setConfigDefaults(config *rest.Config) error { - gv := v1alpha1.SchemeGroupVersion - config.GroupVersion = &gv - config.APIPath = "/apis" - config.NegotiatedSerializer = scheme.Codecs.WithoutConversion() - - if config.UserAgent == "" { - config.UserAgent = rest.DefaultKubernetesUserAgent() - } - - return nil -} - -// RESTClient returns a RESTClient that is used to communicate -// with API server by this client implementation. -func (c *OauthV1alpha1Client) RESTClient() rest.Interface { - if c == nil { - return nil - } - return c.restClient -} diff --git a/generated/1.24/client/supervisor/informers/externalversions/config/v1alpha1/interface.go b/generated/1.24/client/supervisor/informers/externalversions/config/v1alpha1/interface.go index 37374c24..4367467b 100644 --- a/generated/1.24/client/supervisor/informers/externalversions/config/v1alpha1/interface.go +++ b/generated/1.24/client/supervisor/informers/externalversions/config/v1alpha1/interface.go @@ -13,6 +13,8 @@ import ( type Interface interface { // FederationDomains returns a FederationDomainInformer. FederationDomains() FederationDomainInformer + // OIDCClients returns a OIDCClientInformer. + OIDCClients() OIDCClientInformer } type version struct { 
@@ -30,3 +32,8 @@ func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakList func (v *version) FederationDomains() FederationDomainInformer { return &federationDomainInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions} } + +// OIDCClients returns a OIDCClientInformer. +func (v *version) OIDCClients() OIDCClientInformer { + return &oIDCClientInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions} +} diff --git a/generated/1.24/client/supervisor/informers/externalversions/oauth/v1alpha1/oidcclient.go b/generated/1.24/client/supervisor/informers/externalversions/config/v1alpha1/oidcclient.go similarity index 88% rename from generated/1.24/client/supervisor/informers/externalversions/oauth/v1alpha1/oidcclient.go rename to generated/1.24/client/supervisor/informers/externalversions/config/v1alpha1/oidcclient.go index 51bc882d..ea999067 100644 --- a/generated/1.24/client/supervisor/informers/externalversions/oauth/v1alpha1/oidcclient.go +++ b/generated/1.24/client/supervisor/informers/externalversions/config/v1alpha1/oidcclient.go @@ -9,10 +9,10 @@ import ( "context" time "time" - oauthv1alpha1 "go.pinniped.dev/generated/1.24/apis/supervisor/oauth/v1alpha1" + configv1alpha1 "go.pinniped.dev/generated/1.24/apis/supervisor/config/v1alpha1" versioned "go.pinniped.dev/generated/1.24/client/supervisor/clientset/versioned" internalinterfaces "go.pinniped.dev/generated/1.24/client/supervisor/informers/externalversions/internalinterfaces" - v1alpha1 "go.pinniped.dev/generated/1.24/client/supervisor/listers/oauth/v1alpha1" + v1alpha1 "go.pinniped.dev/generated/1.24/client/supervisor/listers/config/v1alpha1" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" runtime "k8s.io/apimachinery/pkg/runtime" watch "k8s.io/apimachinery/pkg/watch" 
@@ -49,16 +49,16 @@ func NewFilteredOIDCClientInformer(client versioned.Interface, namespace string, if tweakListOptions != nil { tweakListOptions(&options) } - return client.OauthV1alpha1().OIDCClients(namespace).List(context.TODO(), options) + return client.ConfigV1alpha1().OIDCClients(namespace).List(context.TODO(), options) }, WatchFunc: func(options v1.ListOptions) (watch.Interface, error) { if tweakListOptions != nil { tweakListOptions(&options) } - return client.OauthV1alpha1().OIDCClients(namespace).Watch(context.TODO(), options) + return client.ConfigV1alpha1().OIDCClients(namespace).Watch(context.TODO(), options) }, }, - &oauthv1alpha1.OIDCClient{}, + &configv1alpha1.OIDCClient{}, resyncPeriod, indexers, ) @@ -69,7 +69,7 @@ func (f *oIDCClientInformer) defaultInformer(client versioned.Interface, resyncP } func (f *oIDCClientInformer) Informer() cache.SharedIndexInformer { - return f.factory.InformerFor(&oauthv1alpha1.OIDCClient{}, f.defaultInformer) + return f.factory.InformerFor(&configv1alpha1.OIDCClient{}, f.defaultInformer) } func (f *oIDCClientInformer) Lister() v1alpha1.OIDCClientLister { diff --git a/generated/1.24/client/supervisor/informers/externalversions/factory.go b/generated/1.24/client/supervisor/informers/externalversions/factory.go index 1160af22..cd409f8c 100644 --- a/generated/1.24/client/supervisor/informers/externalversions/factory.go +++ b/generated/1.24/client/supervisor/informers/externalversions/factory.go 
@@ -14,7 +14,6 @@ import ( config "go.pinniped.dev/generated/1.24/client/supervisor/informers/externalversions/config" idp "go.pinniped.dev/generated/1.24/client/supervisor/informers/externalversions/idp" internalinterfaces "go.pinniped.dev/generated/1.24/client/supervisor/informers/externalversions/internalinterfaces" - oauth "go.pinniped.dev/generated/1.24/client/supervisor/informers/externalversions/oauth" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" runtime "k8s.io/apimachinery/pkg/runtime" schema "k8s.io/apimachinery/pkg/runtime/schema" @@ -163,7 +162,6 @@ type SharedInformerFactory interface { Config() config.Interface IDP() idp.Interface - Oauth() oauth.Interface } func (f *sharedInformerFactory) Config() config.Interface { @@ -173,7 +171,3 @@ func (f *sharedInformerFactory) Config() config.Interface { func (f *sharedInformerFactory) IDP() idp.Interface { return idp.New(f, f.namespace, f.tweakListOptions) } - -func (f *sharedInformerFactory) Oauth() oauth.Interface { - return oauth.New(f, f.namespace, f.tweakListOptions) -} diff --git a/generated/1.24/client/supervisor/informers/externalversions/generic.go b/generated/1.24/client/supervisor/informers/externalversions/generic.go index cff2d5db..c8e3dd37 100644 --- a/generated/1.24/client/supervisor/informers/externalversions/generic.go +++ b/generated/1.24/client/supervisor/informers/externalversions/generic.go @@ -10,7 +10,6 @@ import ( v1alpha1 "go.pinniped.dev/generated/1.24/apis/supervisor/config/v1alpha1" idpv1alpha1 "go.pinniped.dev/generated/1.24/apis/supervisor/idp/v1alpha1" - oauthv1alpha1 "go.pinniped.dev/generated/1.24/apis/supervisor/oauth/v1alpha1" schema "k8s.io/apimachinery/pkg/runtime/schema" cache "k8s.io/client-go/tools/cache" ) 
@@ -44,6 +43,8 @@ func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource // Group=config.supervisor.pinniped.dev, Version=v1alpha1 case v1alpha1.SchemeGroupVersion.WithResource("federationdomains"): return &genericInformer{resource: resource.GroupResource(), informer: f.Config().V1alpha1().FederationDomains().Informer()}, nil + case v1alpha1.SchemeGroupVersion.WithResource("oidcclients"): + return &genericInformer{resource: resource.GroupResource(), informer: f.Config().V1alpha1().OIDCClients().Informer()}, nil // Group=idp.supervisor.pinniped.dev, Version=v1alpha1 case idpv1alpha1.SchemeGroupVersion.WithResource("activedirectoryidentityproviders"): @@ -53,10 +54,6 @@ func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource case idpv1alpha1.SchemeGroupVersion.WithResource("oidcidentityproviders"): return &genericInformer{resource: resource.GroupResource(), informer: f.IDP().V1alpha1().OIDCIdentityProviders().Informer()}, nil - // Group=oauth.supervisor.pinniped.dev, Version=v1alpha1 - case oauthv1alpha1.SchemeGroupVersion.WithResource("oidcclients"): - return &genericInformer{resource: resource.GroupResource(), informer: f.Oauth().V1alpha1().OIDCClients().Informer()}, nil - } return nil, fmt.Errorf("no informer found for %v", resource) diff --git a/generated/1.24/client/supervisor/informers/externalversions/oauth/interface.go b/generated/1.24/client/supervisor/informers/externalversions/oauth/interface.go deleted file mode 100644 index de6a600c..00000000 --- a/generated/1.24/client/supervisor/informers/externalversions/oauth/interface.go +++ /dev/null 
@@ -1,33 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by informer-gen. DO NOT EDIT. - -package oauth - -import ( - internalinterfaces "go.pinniped.dev/generated/1.24/client/supervisor/informers/externalversions/internalinterfaces" - v1alpha1 "go.pinniped.dev/generated/1.24/client/supervisor/informers/externalversions/oauth/v1alpha1" -) - -// Interface provides access to each of this group's versions. -type Interface interface { - // V1alpha1 provides access to shared informers for resources in V1alpha1. - V1alpha1() v1alpha1.Interface -} - -type group struct { - factory internalinterfaces.SharedInformerFactory - namespace string - tweakListOptions internalinterfaces.TweakListOptionsFunc -} - -// New returns a new Interface. -func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakListOptions internalinterfaces.TweakListOptionsFunc) Interface { - return &group{factory: f, namespace: namespace, tweakListOptions: tweakListOptions} -} - -// V1alpha1 returns a new v1alpha1.Interface. -func (g *group) V1alpha1() v1alpha1.Interface { - return v1alpha1.New(g.factory, g.namespace, g.tweakListOptions) -} diff --git a/generated/1.24/client/supervisor/informers/externalversions/oauth/v1alpha1/interface.go b/generated/1.24/client/supervisor/informers/externalversions/oauth/v1alpha1/interface.go deleted file mode 100644 index 7abf7d4f..00000000 --- a/generated/1.24/client/supervisor/informers/externalversions/oauth/v1alpha1/interface.go +++ /dev/null 
@@ -1,32 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by informer-gen. DO NOT EDIT. - -package v1alpha1 - -import ( - internalinterfaces "go.pinniped.dev/generated/1.24/client/supervisor/informers/externalversions/internalinterfaces" -) - -// Interface provides access to all the informers in this group version. -type Interface interface { - // OIDCClients returns a OIDCClientInformer. - OIDCClients() OIDCClientInformer -} - -type version struct { - factory internalinterfaces.SharedInformerFactory - namespace string - tweakListOptions internalinterfaces.TweakListOptionsFunc -} - -// New returns a new Interface. -func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakListOptions internalinterfaces.TweakListOptionsFunc) Interface { - return &version{factory: f, namespace: namespace, tweakListOptions: tweakListOptions} -} - -// OIDCClients returns a OIDCClientInformer. -func (v *version) OIDCClients() OIDCClientInformer { - return &oIDCClientInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions} -} diff --git a/generated/1.24/client/supervisor/listers/config/v1alpha1/expansion_generated.go b/generated/1.24/client/supervisor/listers/config/v1alpha1/expansion_generated.go index d59892c4..bda2f20e 100644 --- a/generated/1.24/client/supervisor/listers/config/v1alpha1/expansion_generated.go +++ b/generated/1.24/client/supervisor/listers/config/v1alpha1/expansion_generated.go 
@@ -12,3 +12,11 @@ type FederationDomainListerExpansion interface{} // FederationDomainNamespaceListerExpansion allows custom methods to be added to // FederationDomainNamespaceLister. type FederationDomainNamespaceListerExpansion interface{} + +// OIDCClientListerExpansion allows custom methods to be added to +// OIDCClientLister. +type OIDCClientListerExpansion interface{} + +// OIDCClientNamespaceListerExpansion allows custom methods to be added to +// OIDCClientNamespaceLister. +type OIDCClientNamespaceListerExpansion interface{} diff --git a/generated/1.24/client/supervisor/listers/config/v1alpha1/oidcclient.go b/generated/1.24/client/supervisor/listers/config/v1alpha1/oidcclient.go new file mode 100644 index 00000000..d69dd1fc --- /dev/null +++ b/generated/1.24/client/supervisor/listers/config/v1alpha1/oidcclient.go 
@@ -0,0 +1,86 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by lister-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + v1alpha1 "go.pinniped.dev/generated/1.24/apis/supervisor/config/v1alpha1" + "k8s.io/apimachinery/pkg/api/errors" + "k8s.io/apimachinery/pkg/labels" + "k8s.io/client-go/tools/cache" +) + +// OIDCClientLister helps list OIDCClients. +// All objects returned here must be treated as read-only. +type OIDCClientLister interface { + // List lists all OIDCClients in the indexer. + // Objects returned here must be treated as read-only. + List(selector labels.Selector) (ret []*v1alpha1.OIDCClient, err error) + // OIDCClients returns an object that can list and get OIDCClients. + OIDCClients(namespace string) OIDCClientNamespaceLister + OIDCClientListerExpansion +} + +// oIDCClientLister implements the OIDCClientLister interface. +type oIDCClientLister struct { + indexer cache.Indexer +} + +// NewOIDCClientLister returns a new OIDCClientLister. +func NewOIDCClientLister(indexer cache.Indexer) OIDCClientLister { + return &oIDCClientLister{indexer: indexer} +} + +// List lists all OIDCClients in the indexer. +func (s *oIDCClientLister) List(selector labels.Selector) (ret []*v1alpha1.OIDCClient, err error) { + err = cache.ListAll(s.indexer, selector, func(m interface{}) { + ret = append(ret, m.(*v1alpha1.OIDCClient)) + }) + return ret, err +} + +// OIDCClients returns an object that can list and get OIDCClients. +func (s *oIDCClientLister) OIDCClients(namespace string) OIDCClientNamespaceLister { + return oIDCClientNamespaceLister{indexer: s.indexer, namespace: namespace} +} + +// OIDCClientNamespaceLister helps list and get OIDCClients. +// All objects returned here must be treated as read-only. +type OIDCClientNamespaceLister interface { + // List lists all OIDCClients in the indexer for a given namespace. + // Objects returned here must be treated as read-only. 
+ List(selector labels.Selector) (ret []*v1alpha1.OIDCClient, err error) + // Get retrieves the OIDCClient from the indexer for a given namespace and name. + // Objects returned here must be treated as read-only. + Get(name string) (*v1alpha1.OIDCClient, error) + OIDCClientNamespaceListerExpansion +} + +// oIDCClientNamespaceLister implements the OIDCClientNamespaceLister +// interface. +type oIDCClientNamespaceLister struct { + indexer cache.Indexer + namespace string +} + +// List lists all OIDCClients in the indexer for a given namespace. +func (s oIDCClientNamespaceLister) List(selector labels.Selector) (ret []*v1alpha1.OIDCClient, err error) { + err = cache.ListAllByNamespace(s.indexer, s.namespace, selector, func(m interface{}) { + ret = append(ret, m.(*v1alpha1.OIDCClient)) + }) + return ret, err +} + +// Get retrieves the OIDCClient from the indexer for a given namespace and name. +func (s oIDCClientNamespaceLister) Get(name string) (*v1alpha1.OIDCClient, error) { + obj, exists, err := s.indexer.GetByKey(s.namespace + "/" + name) + if err != nil { + return nil, err + } + if !exists { + return nil, errors.NewNotFound(v1alpha1.Resource("oidcclient"), name) + } + return obj.(*v1alpha1.OIDCClient), nil +} diff --git a/generated/1.24/client/supervisor/listers/oauth/v1alpha1/expansion_generated.go b/generated/1.24/client/supervisor/listers/oauth/v1alpha1/expansion_generated.go deleted file mode 100644 index c19310da..00000000 --- a/generated/1.24/client/supervisor/listers/oauth/v1alpha1/expansion_generated.go +++ /dev/null 
@@ -1,14 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by lister-gen. DO NOT EDIT. - -package v1alpha1 - -// OIDCClientListerExpansion allows custom methods to be added to -// OIDCClientLister. -type OIDCClientListerExpansion interface{} - -// OIDCClientNamespaceListerExpansion allows custom methods to be added to -// OIDCClientNamespaceLister. -type OIDCClientNamespaceListerExpansion interface{} diff --git a/generated/1.24/client/supervisor/listers/oauth/v1alpha1/oidcclient.go b/generated/1.24/client/supervisor/listers/oauth/v1alpha1/oidcclient.go deleted file mode 100644 index a969aa96..00000000 --- a/generated/1.24/client/supervisor/listers/oauth/v1alpha1/oidcclient.go +++ /dev/null 
@@ -1,86 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by lister-gen. DO NOT EDIT. - -package v1alpha1 - -import ( - v1alpha1 "go.pinniped.dev/generated/1.24/apis/supervisor/oauth/v1alpha1" - "k8s.io/apimachinery/pkg/api/errors" - "k8s.io/apimachinery/pkg/labels" - "k8s.io/client-go/tools/cache" -) - -// OIDCClientLister helps list OIDCClients. -// All objects returned here must be treated as read-only. -type OIDCClientLister interface { - // List lists all OIDCClients in the indexer. - // Objects returned here must be treated as read-only. - List(selector labels.Selector) (ret []*v1alpha1.OIDCClient, err error) - // OIDCClients returns an object that can list and get OIDCClients. - OIDCClients(namespace string) OIDCClientNamespaceLister - OIDCClientListerExpansion -} - -// oIDCClientLister implements the OIDCClientLister interface. -type oIDCClientLister struct { - indexer cache.Indexer -} - -// NewOIDCClientLister returns a new OIDCClientLister. -func NewOIDCClientLister(indexer cache.Indexer) OIDCClientLister { - return &oIDCClientLister{indexer: indexer} -} - -// List lists all OIDCClients in the indexer. -func (s *oIDCClientLister) List(selector labels.Selector) (ret []*v1alpha1.OIDCClient, err error) { - err = cache.ListAll(s.indexer, selector, func(m interface{}) { - ret = append(ret, m.(*v1alpha1.OIDCClient)) - }) - return ret, err -} - -// OIDCClients returns an object that can list and get OIDCClients. -func (s *oIDCClientLister) OIDCClients(namespace string) OIDCClientNamespaceLister { - return oIDCClientNamespaceLister{indexer: s.indexer, namespace: namespace} -} - -// OIDCClientNamespaceLister helps list and get OIDCClients. -// All objects returned here must be treated as read-only. -type OIDCClientNamespaceLister interface { - // List lists all OIDCClients in the indexer for a given namespace. - // Objects returned here must be treated as read-only. 
- List(selector labels.Selector) (ret []*v1alpha1.OIDCClient, err error) - // Get retrieves the OIDCClient from the indexer for a given namespace and name. - // Objects returned here must be treated as read-only. - Get(name string) (*v1alpha1.OIDCClient, error) - OIDCClientNamespaceListerExpansion -} - -// oIDCClientNamespaceLister implements the OIDCClientNamespaceLister -// interface. -type oIDCClientNamespaceLister struct { - indexer cache.Indexer - namespace string -} - -// List lists all OIDCClients in the indexer for a given namespace. -func (s oIDCClientNamespaceLister) List(selector labels.Selector) (ret []*v1alpha1.OIDCClient, err error) { - err = cache.ListAllByNamespace(s.indexer, s.namespace, selector, func(m interface{}) { - ret = append(ret, m.(*v1alpha1.OIDCClient)) - }) - return ret, err -} - -// Get retrieves the OIDCClient from the indexer for a given namespace and name. -func (s oIDCClientNamespaceLister) Get(name string) (*v1alpha1.OIDCClient, error) { - obj, exists, err := s.indexer.GetByKey(s.namespace + "/" + name) - if err != nil { - return nil, err - } - if !exists { - return nil, errors.NewNotFound(v1alpha1.Resource("oidcclient"), name) - } - return obj.(*v1alpha1.OIDCClient), nil -} diff --git a/generated/1.24/client/supervisor/virtual/clientset/versioned/clientset.go b/generated/1.24/client/supervisor/virtual/clientset/versioned/clientset.go deleted file mode 100644 index bc5111f5..00000000 --- a/generated/1.24/client/supervisor/virtual/clientset/versioned/clientset.go +++ /dev/null 
@@ -1,108 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by client-gen. DO NOT EDIT. - -package versioned - -import ( - "fmt" - "net/http" - - oauthv1alpha1 "go.pinniped.dev/generated/1.24/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1" - discovery "k8s.io/client-go/discovery" - rest "k8s.io/client-go/rest" - flowcontrol "k8s.io/client-go/util/flowcontrol" -) - -type Interface interface { - Discovery() discovery.DiscoveryInterface - OauthV1alpha1() oauthv1alpha1.OauthV1alpha1Interface -} - -// Clientset contains the clients for groups. Each group has exactly one -// version included in a Clientset. -type Clientset struct { - *discovery.DiscoveryClient - oauthV1alpha1 *oauthv1alpha1.OauthV1alpha1Client -} - -// OauthV1alpha1 retrieves the OauthV1alpha1Client -func (c *Clientset) OauthV1alpha1() oauthv1alpha1.OauthV1alpha1Interface { - return c.oauthV1alpha1 -} - -// Discovery retrieves the DiscoveryClient -func (c *Clientset) Discovery() discovery.DiscoveryInterface { - if c == nil { - return nil - } - return c.DiscoveryClient -} - -// NewForConfig creates a new Clientset for the given config. -// If config's RateLimiter is not set and QPS and Burst are acceptable, -// NewForConfig will generate a rate-limiter in configShallowCopy. -// NewForConfig is equivalent to NewForConfigAndClient(c, httpClient), -// where httpClient was generated with rest.HTTPClientFor(c). 
-func NewForConfig(c *rest.Config) (*Clientset, error) { - configShallowCopy := *c - - if configShallowCopy.UserAgent == "" { - configShallowCopy.UserAgent = rest.DefaultKubernetesUserAgent() - } - - // share the transport between all clients - httpClient, err := rest.HTTPClientFor(&configShallowCopy) - if err != nil { - return nil, err - } - - return NewForConfigAndClient(&configShallowCopy, httpClient) -} - -// NewForConfigAndClient creates a new Clientset for the given config and http client. -// Note the http client provided takes precedence over the configured transport values. -// If config's RateLimiter is not set and QPS and Burst are acceptable, -// NewForConfigAndClient will generate a rate-limiter in configShallowCopy. -func NewForConfigAndClient(c *rest.Config, httpClient *http.Client) (*Clientset, error) { - configShallowCopy := *c - if configShallowCopy.RateLimiter == nil && configShallowCopy.QPS > 0 { - if configShallowCopy.Burst <= 0 { - return nil, fmt.Errorf("burst is required to be greater than 0 when RateLimiter is not set and QPS is set to greater than 0") - } - configShallowCopy.RateLimiter = flowcontrol.NewTokenBucketRateLimiter(configShallowCopy.QPS, configShallowCopy.Burst) - } - - var cs Clientset - var err error - cs.oauthV1alpha1, err = oauthv1alpha1.NewForConfigAndClient(&configShallowCopy, httpClient) - if err != nil { - return nil, err - } - - cs.DiscoveryClient, err = discovery.NewDiscoveryClientForConfigAndClient(&configShallowCopy, httpClient) - if err != nil { - return nil, err - } - return &cs, nil -} - -// NewForConfigOrDie creates a new Clientset for the given config and -// panics if there is an error in the config. -func NewForConfigOrDie(c *rest.Config) *Clientset { - cs, err := NewForConfig(c) - if err != nil { - panic(err) - } - return cs -} - -// New creates a new Clientset for the given RESTClient. 
-func New(c rest.Interface) *Clientset { - var cs Clientset - cs.oauthV1alpha1 = oauthv1alpha1.New(c) - - cs.DiscoveryClient = discovery.NewDiscoveryClient(c) - return &cs -} diff --git a/generated/1.24/client/supervisor/virtual/clientset/versioned/doc.go b/generated/1.24/client/supervisor/virtual/clientset/versioned/doc.go deleted file mode 100644 index 5dc02e6e..00000000 --- a/generated/1.24/client/supervisor/virtual/clientset/versioned/doc.go +++ /dev/null @@ -1,7 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by client-gen. DO NOT EDIT. - -// This package has the automatically generated clientset. -package versioned diff --git a/generated/1.24/client/supervisor/virtual/clientset/versioned/fake/clientset_generated.go b/generated/1.24/client/supervisor/virtual/clientset/versioned/fake/clientset_generated.go deleted file mode 100644 index ad40c879..00000000 --- a/generated/1.24/client/supervisor/virtual/clientset/versioned/fake/clientset_generated.go +++ /dev/null 
@@ -1,72 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by client-gen. DO NOT EDIT. - -package fake - -import ( - clientset "go.pinniped.dev/generated/1.24/client/supervisor/virtual/clientset/versioned" - oauthv1alpha1 "go.pinniped.dev/generated/1.24/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1" - fakeoauthv1alpha1 "go.pinniped.dev/generated/1.24/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake" - "k8s.io/apimachinery/pkg/runtime" - "k8s.io/apimachinery/pkg/watch" - "k8s.io/client-go/discovery" - fakediscovery "k8s.io/client-go/discovery/fake" - "k8s.io/client-go/testing" -) - -// NewSimpleClientset returns a clientset that will respond with the provided objects. -// It's backed by a very simple object tracker that processes creates, updates and deletions as-is, -// without applying any validations and/or defaults. It shouldn't be considered a replacement -// for a real clientset and is mostly useful in simple unit tests. -func NewSimpleClientset(objects ...runtime.Object) *Clientset { - o := testing.NewObjectTracker(scheme, codecs.UniversalDecoder()) - for _, obj := range objects { - if err := o.Add(obj); err != nil { - panic(err) - } - } - - cs := &Clientset{tracker: o} - cs.discovery = &fakediscovery.FakeDiscovery{Fake: &cs.Fake} - cs.AddReactor("*", "*", testing.ObjectReaction(o)) - cs.AddWatchReactor("*", func(action testing.Action) (handled bool, ret watch.Interface, err error) { - gvr := action.GetResource() - ns := action.GetNamespace() - watch, err := o.Watch(gvr, ns) - if err != nil { - return false, nil, err - } - return true, watch, nil - }) - - return cs -} - -// Clientset implements clientset.Interface. Meant to be embedded into a -// struct to get a default implementation. This makes faking out just the method -// you want to test easier. 
-type Clientset struct { - testing.Fake - discovery *fakediscovery.FakeDiscovery - tracker testing.ObjectTracker -} - -func (c *Clientset) Discovery() discovery.DiscoveryInterface { - return c.discovery -} - -func (c *Clientset) Tracker() testing.ObjectTracker { - return c.tracker -} - -var ( - _ clientset.Interface = &Clientset{} - _ testing.FakeClient = &Clientset{} -) - -// OauthV1alpha1 retrieves the OauthV1alpha1Client -func (c *Clientset) OauthV1alpha1() oauthv1alpha1.OauthV1alpha1Interface { - return &fakeoauthv1alpha1.FakeOauthV1alpha1{Fake: &c.Fake} -} diff --git a/generated/1.24/client/supervisor/virtual/clientset/versioned/fake/doc.go b/generated/1.24/client/supervisor/virtual/clientset/versioned/fake/doc.go deleted file mode 100644 index 7c9538fd..00000000 --- a/generated/1.24/client/supervisor/virtual/clientset/versioned/fake/doc.go +++ /dev/null @@ -1,7 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by client-gen. DO NOT EDIT. - -// This package has the automatically generated fake clientset. -package fake diff --git a/generated/1.24/client/supervisor/virtual/clientset/versioned/fake/register.go b/generated/1.24/client/supervisor/virtual/clientset/versioned/fake/register.go deleted file mode 100644 index fcc85a4d..00000000 --- a/generated/1.24/client/supervisor/virtual/clientset/versioned/fake/register.go +++ /dev/null 
@@ -1,43 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by client-gen. DO NOT EDIT. - -package fake - -import ( - oauthv1alpha1 "go.pinniped.dev/generated/1.24/apis/supervisor/virtual/oauth/v1alpha1" - v1 "k8s.io/apimachinery/pkg/apis/meta/v1" - runtime "k8s.io/apimachinery/pkg/runtime" - schema "k8s.io/apimachinery/pkg/runtime/schema" - serializer "k8s.io/apimachinery/pkg/runtime/serializer" - utilruntime "k8s.io/apimachinery/pkg/util/runtime" -) - -var scheme = runtime.NewScheme() -var codecs = serializer.NewCodecFactory(scheme) - -var localSchemeBuilder = runtime.SchemeBuilder{ - oauthv1alpha1.AddToScheme, -} - -// AddToScheme adds all types of this clientset into the given scheme. This allows composition -// of clientsets, like in: -// -// import ( -// "k8s.io/client-go/kubernetes" -// clientsetscheme "k8s.io/client-go/kubernetes/scheme" -// aggregatorclientsetscheme "k8s.io/kube-aggregator/pkg/client/clientset_generated/clientset/scheme" -// ) -// -// kclientset, _ := kubernetes.NewForConfig(c) -// _ = aggregatorclientsetscheme.AddToScheme(clientsetscheme.Scheme) -// -// After this, RawExtensions in Kubernetes types will serialize kube-aggregator types -// correctly. -var AddToScheme = localSchemeBuilder.AddToScheme - -func init() { - v1.AddToGroupVersion(scheme, schema.GroupVersion{Version: "v1"}) - utilruntime.Must(AddToScheme(scheme)) -} diff --git a/generated/1.24/client/supervisor/virtual/clientset/versioned/scheme/doc.go b/generated/1.24/client/supervisor/virtual/clientset/versioned/scheme/doc.go deleted file mode 100644 index cc02f1d3..00000000 --- a/generated/1.24/client/supervisor/virtual/clientset/versioned/scheme/doc.go +++ /dev/null 
@@ -1,7 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by client-gen. DO NOT EDIT. - -// This package contains the scheme of the automatically generated clientset. -package scheme diff --git a/generated/1.24/client/supervisor/virtual/clientset/versioned/scheme/register.go b/generated/1.24/client/supervisor/virtual/clientset/versioned/scheme/register.go deleted file mode 100644 index 4c7d2651..00000000 --- a/generated/1.24/client/supervisor/virtual/clientset/versioned/scheme/register.go +++ /dev/null 
@@ -1,43 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by client-gen. DO NOT EDIT. - -package scheme - -import ( - oauthv1alpha1 "go.pinniped.dev/generated/1.24/apis/supervisor/virtual/oauth/v1alpha1" - v1 "k8s.io/apimachinery/pkg/apis/meta/v1" - runtime "k8s.io/apimachinery/pkg/runtime" - schema "k8s.io/apimachinery/pkg/runtime/schema" - serializer "k8s.io/apimachinery/pkg/runtime/serializer" - utilruntime "k8s.io/apimachinery/pkg/util/runtime" -) - -var Scheme = runtime.NewScheme() -var Codecs = serializer.NewCodecFactory(Scheme) -var ParameterCodec = runtime.NewParameterCodec(Scheme) -var localSchemeBuilder = runtime.SchemeBuilder{ - oauthv1alpha1.AddToScheme, -} - -// AddToScheme adds all types of this clientset into the given scheme. This allows composition -// of clientsets, like in: -// -// import ( -// "k8s.io/client-go/kubernetes" -// clientsetscheme "k8s.io/client-go/kubernetes/scheme" -// aggregatorclientsetscheme "k8s.io/kube-aggregator/pkg/client/clientset_generated/clientset/scheme" -// ) -// -// kclientset, _ := kubernetes.NewForConfig(c) -// _ = aggregatorclientsetscheme.AddToScheme(clientsetscheme.Scheme) -// -// After this, RawExtensions in Kubernetes types will serialize kube-aggregator types -// correctly. -var AddToScheme = localSchemeBuilder.AddToScheme - -func init() { - v1.AddToGroupVersion(Scheme, schema.GroupVersion{Version: "v1"}) - utilruntime.Must(AddToScheme(Scheme)) -} diff --git a/generated/1.24/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/doc.go b/generated/1.24/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/doc.go deleted file mode 100644 index e7a470b6..00000000 --- a/generated/1.24/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/doc.go +++ /dev/null 
@@ -1,7 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by client-gen. DO NOT EDIT. - -// This package has the automatically generated typed clients. -package v1alpha1 diff --git a/generated/1.24/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go b/generated/1.24/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go deleted file mode 100644 index 7906901b..00000000 --- a/generated/1.24/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go +++ /dev/null @@ -1,7 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by client-gen. DO NOT EDIT. - -// Package fake has the automatically generated clients. -package fake diff --git a/generated/1.24/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go b/generated/1.24/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go deleted file mode 100644 index 487cc65b..00000000 --- a/generated/1.24/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go +++ /dev/null 
@@ -1,27 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by client-gen. DO NOT EDIT. - -package fake - -import ( - v1alpha1 "go.pinniped.dev/generated/1.24/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1" - rest "k8s.io/client-go/rest" - testing "k8s.io/client-go/testing" -) - -type FakeOauthV1alpha1 struct { - *testing.Fake -} - -func (c *FakeOauthV1alpha1) OIDCClientSecretRequests(namespace string) v1alpha1.OIDCClientSecretRequestInterface { - return &FakeOIDCClientSecretRequests{c, namespace} -} - -// RESTClient returns a RESTClient that is used to communicate -// with API server by this client implementation. -func (c *FakeOauthV1alpha1) RESTClient() rest.Interface { - var ret *rest.RESTClient - return ret -} diff --git a/generated/1.24/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oidcclientsecretrequest.go b/generated/1.24/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oidcclientsecretrequest.go deleted file mode 100644 index fc821273..00000000 --- a/generated/1.24/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oidcclientsecretrequest.go +++ /dev/null 
@@ -1,36 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by client-gen. DO NOT EDIT. - -package fake - -import ( - "context" - - v1alpha1 "go.pinniped.dev/generated/1.24/apis/supervisor/virtual/oauth/v1alpha1" - v1 "k8s.io/apimachinery/pkg/apis/meta/v1" - schema "k8s.io/apimachinery/pkg/runtime/schema" - testing "k8s.io/client-go/testing" -) - -// FakeOIDCClientSecretRequests implements OIDCClientSecretRequestInterface -type FakeOIDCClientSecretRequests struct { - Fake *FakeOauthV1alpha1 - ns string -} - -var oidcclientsecretrequestsResource = schema.GroupVersionResource{Group: "oauth.virtual.supervisor.pinniped.dev", Version: "v1alpha1", Resource: "oidcclientsecretrequests"} - -var oidcclientsecretrequestsKind = schema.GroupVersionKind{Group: "oauth.virtual.supervisor.pinniped.dev", Version: "v1alpha1", Kind: "OIDCClientSecretRequest"} - -// Create takes the representation of a oIDCClientSecretRequest and creates it. Returns the server's representation of the oIDCClientSecretRequest, and an error, if there is any. -func (c *FakeOIDCClientSecretRequests) Create(ctx context.Context, oIDCClientSecretRequest *v1alpha1.OIDCClientSecretRequest, opts v1.CreateOptions) (result *v1alpha1.OIDCClientSecretRequest, err error) { - obj, err := c.Fake. - Invokes(testing.NewCreateAction(oidcclientsecretrequestsResource, c.ns, oIDCClientSecretRequest), &v1alpha1.OIDCClientSecretRequest{}) - - if obj == nil { - return nil, err - } - return obj.(*v1alpha1.OIDCClientSecretRequest), err -} diff --git a/generated/1.24/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/oidcclientsecretrequest.go b/generated/1.24/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/oidcclientsecretrequest.go deleted file mode 100644 index ed4b8949..00000000 --- a/generated/1.24/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/oidcclientsecretrequest.go +++ /dev/null 
@@ -1,54 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by client-gen. DO NOT EDIT. - -package v1alpha1 - -import ( - "context" - - v1alpha1 "go.pinniped.dev/generated/1.24/apis/supervisor/virtual/oauth/v1alpha1" - scheme "go.pinniped.dev/generated/1.24/client/supervisor/virtual/clientset/versioned/scheme" - v1 "k8s.io/apimachinery/pkg/apis/meta/v1" - rest "k8s.io/client-go/rest" -) - -// OIDCClientSecretRequestsGetter has a method to return a OIDCClientSecretRequestInterface. -// A group's client should implement this interface. -type OIDCClientSecretRequestsGetter interface { - OIDCClientSecretRequests(namespace string) OIDCClientSecretRequestInterface -} - -// OIDCClientSecretRequestInterface has methods to work with OIDCClientSecretRequest resources. -type OIDCClientSecretRequestInterface interface { - Create(ctx context.Context, oIDCClientSecretRequest *v1alpha1.OIDCClientSecretRequest, opts v1.CreateOptions) (*v1alpha1.OIDCClientSecretRequest, error) - OIDCClientSecretRequestExpansion -} - -// oIDCClientSecretRequests implements OIDCClientSecretRequestInterface -type oIDCClientSecretRequests struct { - client rest.Interface - ns string -} - -// newOIDCClientSecretRequests returns a OIDCClientSecretRequests -func newOIDCClientSecretRequests(c *OauthV1alpha1Client, namespace string) *oIDCClientSecretRequests { - return &oIDCClientSecretRequests{ - client: c.RESTClient(), - ns: namespace, - } -} - -// Create takes the representation of a oIDCClientSecretRequest and creates it. Returns the server's representation of the oIDCClientSecretRequest, and an error, if there is any. -func (c *oIDCClientSecretRequests) Create(ctx context.Context, oIDCClientSecretRequest *v1alpha1.OIDCClientSecretRequest, opts v1.CreateOptions) (result *v1alpha1.OIDCClientSecretRequest, err error) { - result = &v1alpha1.OIDCClientSecretRequest{} - err = c.client.Post(). - Namespace(c.ns). 
- Resource("oidcclientsecretrequests"). - VersionedParams(&opts, scheme.ParameterCodec). - Body(oIDCClientSecretRequest). - Do(ctx). - Into(result) - return -} diff --git a/generated/1.24/crds/config.supervisor.pinniped.dev_oidcclients.yaml b/generated/1.24/crds/config.supervisor.pinniped.dev_oidcclients.yaml new file mode 100644 index 00000000..4efa445e --- /dev/null +++ b/generated/1.24/crds/config.supervisor.pinniped.dev_oidcclients.yaml 
@@ -0,0 +1,125 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.8.0 + creationTimestamp: null + name: oidcclients.config.supervisor.pinniped.dev +spec: + group: config.supervisor.pinniped.dev + names: + categories: + - pinniped + kind: OIDCClient + listKind: OIDCClientList + plural: oidcclients + singular: oidcclient + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: OIDCClient describes the configuration of an OIDC client. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec of the OIDC client. + properties: + allowedGrantTypes: + description: "allowedGrantTypes is a list of the allowed grant_type + param values that should be accepted during OIDC flows with this + client. \n Must only contain the following values: - authorization_code: + allows the client to perform the authorization code grant flow, + i.e. allows the webapp to authenticate users. This grant must always + be listed. - refresh_token: allows the client to perform refresh + grants for the user to extend the user's session. This grant must + be listed if allowedScopes lists offline_access. 
- urn:ietf:params:oauth:grant-type:token-exchange: + allows the client to perform RFC8693 token exchange, which is a + step in the process to be able to get a cluster credential for the + user. This grant must be listed if allowedScopes lists pinniped:request-audience." + items: + enum: + - authorization_code + - refresh_token + - urn:ietf:params:oauth:grant-type:token-exchange + type: string + minItems: 1 + type: array + allowedRedirectURIs: + description: allowedRedirectURIs is a list of the allowed redirect_uri + param values that should be accepted during OIDC flows with this + client. Any other uris will be rejected. Must be https, unless it + is a loopback. + items: + type: string + minItems: 1 + type: array + allowedScopes: + description: "allowedScopes is a list of the allowed scopes param + values that should be accepted during OIDC flows with this client. + \n Must only contain the following values: - openid: The client + is allowed to request ID tokens. ID tokens only include the required + claims by default (iss, sub, aud, exp, iat). This scope must always + be listed. - offline_access: The client is allowed to request an + initial refresh token during the authorization code grant flow. + This scope must be listed if allowedGrantTypes lists refresh_token. + - pinniped:request-audience: The client is allowed to request a + new audience value during a RFC8693 token exchange, which is a step + in the process to be able to get a cluster credential for the user. + openid, username and groups scopes must be listed when this scope + is present. This scope must be listed if allowedGrantTypes lists + urn:ietf:params:oauth:grant-type:token-exchange. - username: The + client is allowed to request that ID tokens contain the user's username. + Without the username scope being requested and allowed, the ID token + will not contain the user's username. 
- groups: The client is allowed + to request that ID tokens contain the user's group membership, if + their group membership is discoverable by the Supervisor. Without + the groups scope being requested and allowed, the ID token will + not contain groups." + items: + enum: + - openid + - offline_access + - username + - groups + - pinniped:request-audience + type: string + minItems: 1 + type: array + required: + - allowedGrantTypes + - allowedRedirectURIs + - allowedScopes + type: object + status: + description: Status of the OIDC client. + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/generated/1.24/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml b/generated/1.24/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml deleted file mode 100644 index 589a9154..00000000 --- a/generated/1.24/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml +++ /dev/null 
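Review bot: The `allowedRedirectURIs` schema in this hunk is only `items: type: string` with `minItems: 1`, so the "Must be https, unless it is a loopback" rule in its description is documentation rather than validation and the API server will accept a plain `http://` or malformed redirect URI without complaint. Because this CRD is generated by controller-gen, the constraint belongs on the field's markers in the source type so regeneration preserves it, along the lines of `// +kubebuilder:validation:Pattern=`^(https://.+|http://(127\.0\.0\.1|\[::1\]|localhost)(:[0-9]+)?(/.*)?)$`` on each item, with the loopback form adjusted to whatever the Supervisor actually accepts. Consider also `// +listType=set` so duplicate entries are rejected at admission. Schema validation is a defence in depth only; the redirect_uri still has to be compared by exact string match at the authorize endpoint, and that check is outside this hunk so I cannot confirm it exists.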
@@ -1,125 +0,0 @@ ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.8.0 - creationTimestamp: null - name: oidcclients.oauth.supervisor.pinniped.dev -spec: - group: oauth.supervisor.pinniped.dev - names: - categories: - - pinniped - kind: OIDCClient - listKind: OIDCClientList - plural: oidcclients - singular: oidcclient - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - description: OIDCClient describes the configuration of an OIDC client. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: Spec of the OIDC client. - properties: - allowedGrantTypes: - description: "allowedGrantTypes is a list of the allowed grant_type - param values that should be accepted during OIDC flows with this - client. \n Must only contain the following values: - authorization_code: - allows the client to perform the authorization code grant flow, - i.e. allows the webapp to authenticate users. This grant must always - be listed. - refresh_token: allows the client to perform refresh - grants for the user to extend the user's session. This grant must - be listed if allowedScopes lists offline_access. 
- urn:ietf:params:oauth:grant-type:token-exchange: - allows the client to perform RFC8693 token exchange, which is a - step in the process to be able to get a cluster credential for the - user. This grant must be listed if allowedScopes lists pinniped:request-audience." - items: - enum: - - authorization_code - - refresh_token - - urn:ietf:params:oauth:grant-type:token-exchange - type: string - minItems: 1 - type: array - allowedRedirectURIs: - description: allowedRedirectURIs is a list of the allowed redirect_uri - param values that should be accepted during OIDC flows with this - client. Any other uris will be rejected. Must be https, unless it - is a loopback. - items: - type: string - minItems: 1 - type: array - allowedScopes: - description: "allowedScopes is a list of the allowed scopes param - values that should be accepted during OIDC flows with this client. - \n Must only contain the following values: - openid: The client - is allowed to request ID tokens. ID tokens only include the required - claims by default (iss, sub, aud, exp, iat). This scope must always - be listed. - offline_access: The client is allowed to request an - initial refresh token during the authorization code grant flow. - This scope must be listed if allowedGrantTypes lists refresh_token. - - pinniped:request-audience: The client is allowed to request a - new audience value during a RFC8693 token exchange, which is a step - in the process to be able to get a cluster credential for the user. - openid, username and groups scopes must be listed when this scope - is present. This scope must be listed if allowedGrantTypes lists - urn:ietf:params:oauth:grant-type:token-exchange. - username: The - client is allowed to request that ID tokens contain the user's username. - Without the username scope being requested and allowed, the ID token - will not contain the user's username. 
- groups: The client is allowed - to request that ID tokens contain the user's group membership, if - their group membership is discoverable by the Supervisor. Without - the groups scope being requested and allowed, the ID token will - not contain groups." - items: - enum: - - openid - - offline_access - - username - - groups - - pinniped:request-audience - type: string - minItems: 1 - type: array - required: - - allowedGrantTypes - - allowedRedirectURIs - - allowedScopes - type: object - status: - description: Status of the OIDC client. - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] diff --git a/generated/latest/apis/supervisor/clientsecret/doc.go b/generated/latest/apis/supervisor/clientsecret/doc.go new file mode 100644 index 00000000..c536bc75 --- /dev/null +++ b/generated/latest/apis/supervisor/clientsecret/doc.go @@ -0,0 +1,8 @@ +// Copyright 2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// +k8s:deepcopy-gen=package +// +groupName=clientsecret.supervisor.pinniped.dev + +// Package clientsecret is the internal version of the Pinniped client secret API. +package clientsecret diff --git a/generated/latest/apis/supervisor/clientsecret/register.go b/generated/latest/apis/supervisor/clientsecret/register.go new file mode 100644 index 00000000..4a1c0173 --- /dev/null +++ b/generated/latest/apis/supervisor/clientsecret/register.go 
@@ -0,0 +1,37 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package clientsecret
+
+import (
+ "k8s.io/apimachinery/pkg/runtime"
+ "k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+const GroupName = "clientsecret.supervisor.pinniped.dev"
+
+// SchemeGroupVersion is group version used to register these objects.
+var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: runtime.APIVersionInternal}
+
+// Kind takes an unqualified kind and returns back a Group qualified GroupKind.
+func Kind(kind string) schema.GroupKind {
+ return SchemeGroupVersion.WithKind(kind).GroupKind()
+}
+
+// Resource takes an unqualified resource and returns back a Group qualified GroupResource.
+func Resource(resource string) schema.GroupResource {
+ return SchemeGroupVersion.WithResource(resource).GroupResource()
+}
+
+var (
+ SchemeBuilder = runtime.NewSchemeBuilder(addKnownTypes)
+ AddToScheme = SchemeBuilder.AddToScheme
+)
+
+// Adds the list of known types to the given scheme.
+func addKnownTypes(scheme *runtime.Scheme) error {
+ scheme.AddKnownTypes(SchemeGroupVersion,
+ &OIDCClientSecretRequest{},
+ )
+ return nil
+}
diff --git a/generated/latest/apis/supervisor/clientsecret/types_oidcclientsecretrequest.go b/generated/latest/apis/supervisor/clientsecret/types_oidcclientsecretrequest.go
new file mode 100644
index 00000000..7fd1eb65
--- /dev/null
+++ b/generated/latest/apis/supervisor/clientsecret/types_oidcclientsecretrequest.go
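Review bot: The doc comment on addKnownTypes, `// Adds the list of known types to the given scheme.`, does not begin with the function's name, which stylecheck reports, and the exported `GroupName` constant has no doc comment at all; the v1alpha1 register.go hunk that follows repeats the same addKnownTypes wording. I'd write `// addKnownTypes registers the internal OIDCClientSecretRequest type with the given scheme.` and `// GroupName is the API group of the client secret types.`. If these generated/ copies are stamped out from template sources, the wording fix belongs in the templates so the next regeneration does not undo it.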
@@ -0,0 +1,25 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package clientsecret
+
+import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+type OIDCClientSecretRequestSpec struct {
+ GenerateNewSecret bool `json:"generateNewSecret"`
+ RevokeOldSecrets bool `json:"revokeOldSecrets"`
+}
+
+type OIDCClientSecretRequestStatus struct {
+ GeneratedSecret string `json:"generatedSecret,omitempty"`
+ TotalClientSecrets int `json:"totalClientSecrets"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+type OIDCClientSecretRequest struct {
+ metav1.TypeMeta `json:",inline"`
+ metav1.ObjectMeta `json:"metadata,omitempty"` // metadata.name must be set to the client ID
+
+ Spec OIDCClientSecretRequestSpec `json:"spec"`
+ Status OIDCClientSecretRequestStatus `json:"status"`
+}
diff --git a/generated/latest/apis/supervisor/virtual/oauth/v1alpha1/conversion.go b/generated/latest/apis/supervisor/clientsecret/v1alpha1/conversion.go
similarity index 100%
rename from generated/latest/apis/supervisor/virtual/oauth/v1alpha1/conversion.go
rename to generated/latest/apis/supervisor/clientsecret/v1alpha1/conversion.go
diff --git a/generated/latest/apis/supervisor/virtual/oauth/v1alpha1/defaults.go b/generated/latest/apis/supervisor/clientsecret/v1alpha1/defaults.go
similarity index 100%
rename from generated/latest/apis/supervisor/virtual/oauth/v1alpha1/defaults.go
rename to generated/latest/apis/supervisor/clientsecret/v1alpha1/defaults.go
diff --git a/generated/latest/apis/supervisor/virtual/oauth/v1alpha1/doc.go b/generated/latest/apis/supervisor/clientsecret/v1alpha1/doc.go
similarity index 64%
rename from generated/latest/apis/supervisor/virtual/oauth/v1alpha1/doc.go
rename to generated/latest/apis/supervisor/clientsecret/v1alpha1/doc.go
index 8aaf4d21..ce576323 100644
--- a/generated/latest/apis/supervisor/virtual/oauth/v1alpha1/doc.go
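Review bot: None of the three exported types in this hunk carries a doc comment, so nothing states that `Status.GeneratedSecret` holds a client secret in clear text or what `RevokeOldSecrets` does to secrets issued earlier. I'd add `// GeneratedSecret is the newly generated client secret in plaintext; presumably it is returned only in the response to this request and must never be logged or persisted.` on that field, a one-line comment on each of `GenerateNewSecret`, `RevokeOldSecrets` and `TotalClientSecrets`, and a type-level comment on OIDCClientSecretRequest saying what the request does and whether its result is stored anywhere, which the `metadata.name must be set to the client ID` remark only hints at. The `omitempty` on generatedSecret but not on totalClientSecrets deserves a word as well, since a reader cannot tell whether an absent secret means nothing was generated or that the request failed.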
+++ b/generated/latest/apis/supervisor/clientsecret/v1alpha1/doc.go @@ -3,9 +3,9 @@ // +k8s:openapi-gen=true // +k8s:deepcopy-gen=package -// +k8s:conversion-gen=go.pinniped.dev/generated/latest/apis/supervisor/virtual/oauth +// +k8s:conversion-gen=go.pinniped.dev/generated/latest/apis/supervisor/clientsecret // +k8s:defaulter-gen=TypeMeta -// +groupName=oauth.virtual.supervisor.pinniped.dev +// +groupName=clientsecret.supervisor.pinniped.dev -// Package v1alpha1 is the v1alpha1 version of the Pinniped virtual oauth API. +// Package v1alpha1 is the v1alpha1 version of the Pinniped client secret API. package v1alpha1 diff --git a/generated/latest/apis/supervisor/clientsecret/v1alpha1/register.go b/generated/latest/apis/supervisor/clientsecret/v1alpha1/register.go new file mode 100644 index 00000000..49602125 --- /dev/null +++ b/generated/latest/apis/supervisor/clientsecret/v1alpha1/register.go 
@@ -0,0 +1,42 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import (
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/apimachinery/pkg/runtime"
+ "k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+const GroupName = "clientsecret.supervisor.pinniped.dev"
+
+// SchemeGroupVersion is group version used to register these objects.
+var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha1"}
+
+var (
+ SchemeBuilder runtime.SchemeBuilder
+ localSchemeBuilder = &SchemeBuilder
+ AddToScheme = SchemeBuilder.AddToScheme
+)
+
+func init() {
+ // We only register manually written functions here. The registration of the
+ // generated functions takes place in the generated files. The separation
+ // makes the code compile even when the generated files are missing.
+ localSchemeBuilder.Register(addKnownTypes, addDefaultingFuncs)
+}
+
+// Adds the list of known types to the given scheme.
+func addKnownTypes(scheme *runtime.Scheme) error {
+ scheme.AddKnownTypes(SchemeGroupVersion,
+ &OIDCClientSecretRequest{},
+ )
+ metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
+ return nil
+}
+
+// Resource takes an unqualified resource and returns back a Group qualified GroupResource.
+func Resource(resource string) schema.GroupResource {
+ return SchemeGroupVersion.WithResource(resource).GroupResource()
+}
diff --git a/generated/latest/apis/supervisor/virtual/oauth/v1alpha1/types_oidcclientsecretrequest.go b/generated/latest/apis/supervisor/clientsecret/v1alpha1/types_oidcclientsecretrequest.go
similarity index 100%
rename from generated/latest/apis/supervisor/virtual/oauth/v1alpha1/types_oidcclientsecretrequest.go
rename to generated/latest/apis/supervisor/clientsecret/v1alpha1/types_oidcclientsecretrequest.go
diff --git a/generated/latest/apis/supervisor/clientsecret/v1alpha1/zz_generated.conversion.go b/generated/latest/apis/supervisor/clientsecret/v1alpha1/zz_generated.conversion.go
new file mode 100644
index 00000000..b2a4d732
--- /dev/null
+++ b/generated/latest/apis/supervisor/clientsecret/v1alpha1/zz_generated.conversion.go
@@ -0,0 +1,131 @@ +//go:build !ignore_autogenerated +// +build !ignore_autogenerated + +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by conversion-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + clientsecret "go.pinniped.dev/generated/latest/apis/supervisor/clientsecret" + conversion "k8s.io/apimachinery/pkg/conversion" + runtime "k8s.io/apimachinery/pkg/runtime" +) + +func init() { + localSchemeBuilder.Register(RegisterConversions) +} + +// RegisterConversions adds conversion functions to the given scheme. +// Public to allow building arbitrary schemes. +func RegisterConversions(s *runtime.Scheme) error { + if err := s.AddGeneratedConversionFunc((*OIDCClientSecretRequest)(nil), (*clientsecret.OIDCClientSecretRequest)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_v1alpha1_OIDCClientSecretRequest_To_clientsecret_OIDCClientSecretRequest(a.(*OIDCClientSecretRequest), b.(*clientsecret.OIDCClientSecretRequest), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*clientsecret.OIDCClientSecretRequest)(nil), (*OIDCClientSecretRequest)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_clientsecret_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest(a.(*clientsecret.OIDCClientSecretRequest), b.(*OIDCClientSecretRequest), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*OIDCClientSecretRequestSpec)(nil), (*clientsecret.OIDCClientSecretRequestSpec)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_v1alpha1_OIDCClientSecretRequestSpec_To_clientsecret_OIDCClientSecretRequestSpec(a.(*OIDCClientSecretRequestSpec), b.(*clientsecret.OIDCClientSecretRequestSpec), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*clientsecret.OIDCClientSecretRequestSpec)(nil), (*OIDCClientSecretRequestSpec)(nil), 
func(a, b interface{}, scope conversion.Scope) error { + return Convert_clientsecret_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec(a.(*clientsecret.OIDCClientSecretRequestSpec), b.(*OIDCClientSecretRequestSpec), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*OIDCClientSecretRequestStatus)(nil), (*clientsecret.OIDCClientSecretRequestStatus)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_v1alpha1_OIDCClientSecretRequestStatus_To_clientsecret_OIDCClientSecretRequestStatus(a.(*OIDCClientSecretRequestStatus), b.(*clientsecret.OIDCClientSecretRequestStatus), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*clientsecret.OIDCClientSecretRequestStatus)(nil), (*OIDCClientSecretRequestStatus)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_clientsecret_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus(a.(*clientsecret.OIDCClientSecretRequestStatus), b.(*OIDCClientSecretRequestStatus), scope) + }); err != nil { + return err + } + return nil +} + +func autoConvert_v1alpha1_OIDCClientSecretRequest_To_clientsecret_OIDCClientSecretRequest(in *OIDCClientSecretRequest, out *clientsecret.OIDCClientSecretRequest, s conversion.Scope) error { + out.ObjectMeta = in.ObjectMeta + if err := Convert_v1alpha1_OIDCClientSecretRequestSpec_To_clientsecret_OIDCClientSecretRequestSpec(&in.Spec, &out.Spec, s); err != nil { + return err + } + if err := Convert_v1alpha1_OIDCClientSecretRequestStatus_To_clientsecret_OIDCClientSecretRequestStatus(&in.Status, &out.Status, s); err != nil { + return err + } + return nil +} + +// Convert_v1alpha1_OIDCClientSecretRequest_To_clientsecret_OIDCClientSecretRequest is an autogenerated conversion function. 
+func Convert_v1alpha1_OIDCClientSecretRequest_To_clientsecret_OIDCClientSecretRequest(in *OIDCClientSecretRequest, out *clientsecret.OIDCClientSecretRequest, s conversion.Scope) error { + return autoConvert_v1alpha1_OIDCClientSecretRequest_To_clientsecret_OIDCClientSecretRequest(in, out, s) +} + +func autoConvert_clientsecret_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest(in *clientsecret.OIDCClientSecretRequest, out *OIDCClientSecretRequest, s conversion.Scope) error { + out.ObjectMeta = in.ObjectMeta + if err := Convert_clientsecret_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec(&in.Spec, &out.Spec, s); err != nil { + return err + } + if err := Convert_clientsecret_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus(&in.Status, &out.Status, s); err != nil { + return err + } + return nil +} + +// Convert_clientsecret_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest is an autogenerated conversion function. +func Convert_clientsecret_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest(in *clientsecret.OIDCClientSecretRequest, out *OIDCClientSecretRequest, s conversion.Scope) error { + return autoConvert_clientsecret_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest(in, out, s) +} + +func autoConvert_v1alpha1_OIDCClientSecretRequestSpec_To_clientsecret_OIDCClientSecretRequestSpec(in *OIDCClientSecretRequestSpec, out *clientsecret.OIDCClientSecretRequestSpec, s conversion.Scope) error { + out.GenerateNewSecret = in.GenerateNewSecret + out.RevokeOldSecrets = in.RevokeOldSecrets + return nil +} + +// Convert_v1alpha1_OIDCClientSecretRequestSpec_To_clientsecret_OIDCClientSecretRequestSpec is an autogenerated conversion function. 
+func Convert_v1alpha1_OIDCClientSecretRequestSpec_To_clientsecret_OIDCClientSecretRequestSpec(in *OIDCClientSecretRequestSpec, out *clientsecret.OIDCClientSecretRequestSpec, s conversion.Scope) error { + return autoConvert_v1alpha1_OIDCClientSecretRequestSpec_To_clientsecret_OIDCClientSecretRequestSpec(in, out, s) +} + +func autoConvert_clientsecret_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec(in *clientsecret.OIDCClientSecretRequestSpec, out *OIDCClientSecretRequestSpec, s conversion.Scope) error { + out.GenerateNewSecret = in.GenerateNewSecret + out.RevokeOldSecrets = in.RevokeOldSecrets + return nil +} + +// Convert_clientsecret_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec is an autogenerated conversion function. +func Convert_clientsecret_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec(in *clientsecret.OIDCClientSecretRequestSpec, out *OIDCClientSecretRequestSpec, s conversion.Scope) error { + return autoConvert_clientsecret_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec(in, out, s) +} + +func autoConvert_v1alpha1_OIDCClientSecretRequestStatus_To_clientsecret_OIDCClientSecretRequestStatus(in *OIDCClientSecretRequestStatus, out *clientsecret.OIDCClientSecretRequestStatus, s conversion.Scope) error { + out.GeneratedSecret = in.GeneratedSecret + out.TotalClientSecrets = in.TotalClientSecrets + return nil +} + +// Convert_v1alpha1_OIDCClientSecretRequestStatus_To_clientsecret_OIDCClientSecretRequestStatus is an autogenerated conversion function. 
+func Convert_v1alpha1_OIDCClientSecretRequestStatus_To_clientsecret_OIDCClientSecretRequestStatus(in *OIDCClientSecretRequestStatus, out *clientsecret.OIDCClientSecretRequestStatus, s conversion.Scope) error { + return autoConvert_v1alpha1_OIDCClientSecretRequestStatus_To_clientsecret_OIDCClientSecretRequestStatus(in, out, s) +} + +func autoConvert_clientsecret_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus(in *clientsecret.OIDCClientSecretRequestStatus, out *OIDCClientSecretRequestStatus, s conversion.Scope) error { + out.GeneratedSecret = in.GeneratedSecret + out.TotalClientSecrets = in.TotalClientSecrets + return nil +} + +// Convert_clientsecret_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus is an autogenerated conversion function. +func Convert_clientsecret_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus(in *clientsecret.OIDCClientSecretRequestStatus, out *OIDCClientSecretRequestStatus, s conversion.Scope) error { + return autoConvert_clientsecret_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus(in, out, s) +} diff --git a/generated/latest/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.deepcopy.go b/generated/latest/apis/supervisor/clientsecret/v1alpha1/zz_generated.deepcopy.go similarity index 100% rename from generated/latest/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.deepcopy.go rename to generated/latest/apis/supervisor/clientsecret/v1alpha1/zz_generated.deepcopy.go diff --git a/generated/latest/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.defaults.go b/generated/latest/apis/supervisor/clientsecret/v1alpha1/zz_generated.defaults.go similarity index 100% rename from generated/latest/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.defaults.go rename to generated/latest/apis/supervisor/clientsecret/v1alpha1/zz_generated.defaults.go 
diff --git a/generated/latest/apis/supervisor/clientsecret/zz_generated.deepcopy.go b/generated/latest/apis/supervisor/clientsecret/zz_generated.deepcopy.go
new file mode 100644
index 00000000..e0dc7d68
--- /dev/null
+++ b/generated/latest/apis/supervisor/clientsecret/zz_generated.deepcopy.go
@@ -0,0 +1,73 @@ +//go:build !ignore_autogenerated +// +build !ignore_autogenerated + +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by deepcopy-gen. DO NOT EDIT. + +package clientsecret + +import ( + runtime "k8s.io/apimachinery/pkg/runtime" +) + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCClientSecretRequest) DeepCopyInto(out *OIDCClientSecretRequest) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + out.Spec = in.Spec + out.Status = in.Status + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSecretRequest. +func (in *OIDCClientSecretRequest) DeepCopy() *OIDCClientSecretRequest { + if in == nil { + return nil + } + out := new(OIDCClientSecretRequest) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *OIDCClientSecretRequest) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCClientSecretRequestSpec) DeepCopyInto(out *OIDCClientSecretRequestSpec) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSecretRequestSpec. +func (in *OIDCClientSecretRequestSpec) DeepCopy() *OIDCClientSecretRequestSpec { + if in == nil { + return nil + } + out := new(OIDCClientSecretRequestSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *OIDCClientSecretRequestStatus) DeepCopyInto(out *OIDCClientSecretRequestStatus) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSecretRequestStatus. +func (in *OIDCClientSecretRequestStatus) DeepCopy() *OIDCClientSecretRequestStatus { + if in == nil { + return nil + } + out := new(OIDCClientSecretRequestStatus) + in.DeepCopyInto(out) + return out +} diff --git a/generated/latest/apis/supervisor/config/v1alpha1/register.go b/generated/latest/apis/supervisor/config/v1alpha1/register.go index 69045298..54c51699 100644 --- a/generated/latest/apis/supervisor/config/v1alpha1/register.go +++ b/generated/latest/apis/supervisor/config/v1alpha1/register.go @@ -32,6 +32,8 @@ func addKnownTypes(scheme *runtime.Scheme) error { scheme.AddKnownTypes(SchemeGroupVersion, &FederationDomain{}, &FederationDomainList{}, + &OIDCClient{}, + &OIDCClientList{}, ) metav1.AddToGroupVersion(scheme, SchemeGroupVersion) return nil diff --git a/generated/latest/apis/supervisor/oauth/v1alpha1/types_oidcclient.go b/generated/latest/apis/supervisor/config/v1alpha1/types_oidcclient.go similarity index 100% rename from generated/latest/apis/supervisor/oauth/v1alpha1/types_oidcclient.go rename to generated/latest/apis/supervisor/config/v1alpha1/types_oidcclient.go diff --git a/generated/latest/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go b/generated/latest/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go index 856b8988..a55d88e7 100644 --- a/generated/latest/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go +++ b/generated/latest/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go 
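Review bot: `OIDCClient` and `OIDCClientList` are now registered under the config group's SchemeGroupVersion, while `types_oidcclient.go` reaches this package as a 100%-similarity rename, so its contents are unchanged; any comments or generator markers inside it that named the former oauth group will still do so and should be checked before the CRD manifests are regenerated. The enclosing `addKnownTypes` begins before and ends after the hunk, so only the two added registrations are visible here.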
@@ -150,3 +150,111 @@ func (in *FederationDomainTLSSpec) DeepCopy() *FederationDomainTLSSpec { in.DeepCopyInto(out) return out } + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCClient) DeepCopyInto(out *OIDCClient) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + in.Spec.DeepCopyInto(&out.Spec) + out.Status = in.Status + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClient. +func (in *OIDCClient) DeepCopy() *OIDCClient { + if in == nil { + return nil + } + out := new(OIDCClient) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *OIDCClient) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCClientList) DeepCopyInto(out *OIDCClientList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]OIDCClient, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientList. +func (in *OIDCClientList) DeepCopy() *OIDCClientList { + if in == nil { + return nil + } + out := new(OIDCClientList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *OIDCClientList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. 
in must be non-nil. +func (in *OIDCClientSpec) DeepCopyInto(out *OIDCClientSpec) { + *out = *in + if in.AllowedRedirectURIs != nil { + in, out := &in.AllowedRedirectURIs, &out.AllowedRedirectURIs + *out = make([]string, len(*in)) + copy(*out, *in) + } + if in.AllowedGrantTypes != nil { + in, out := &in.AllowedGrantTypes, &out.AllowedGrantTypes + *out = make([]GrantType, len(*in)) + copy(*out, *in) + } + if in.AllowedScopes != nil { + in, out := &in.AllowedScopes, &out.AllowedScopes + *out = make([]Scope, len(*in)) + copy(*out, *in) + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSpec. +func (in *OIDCClientSpec) DeepCopy() *OIDCClientSpec { + if in == nil { + return nil + } + out := new(OIDCClientSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCClientStatus) DeepCopyInto(out *OIDCClientStatus) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientStatus. +func (in *OIDCClientStatus) DeepCopy() *OIDCClientStatus { + if in == nil { + return nil + } + out := new(OIDCClientStatus) + in.DeepCopyInto(out) + return out +} diff --git a/generated/latest/apis/supervisor/oauth/v1alpha1/doc.go b/generated/latest/apis/supervisor/oauth/v1alpha1/doc.go deleted file mode 100644 index 75580481..00000000 --- a/generated/latest/apis/supervisor/oauth/v1alpha1/doc.go +++ /dev/null @@ -1,10 +0,0 @@ -// Copyright 2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// +k8s:openapi-gen=true -// +k8s:deepcopy-gen=package -// +k8s:defaulter-gen=TypeMeta -// +groupName=oauth.supervisor.pinniped.dev - -// Package v1alpha1 is the v1alpha1 version of the Pinniped supervisor oauth API. -package v1alpha1 
diff --git a/generated/latest/apis/supervisor/oauth/v1alpha1/register.go b/generated/latest/apis/supervisor/oauth/v1alpha1/register.go deleted file mode 100644 index 37ae1fbf..00000000 --- a/generated/latest/apis/supervisor/oauth/v1alpha1/register.go +++ /dev/null @@ -1,43 +0,0 @@ -// Copyright 2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -package v1alpha1 - -import ( - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - "k8s.io/apimachinery/pkg/runtime" - "k8s.io/apimachinery/pkg/runtime/schema" -) - -const GroupName = "oauth.supervisor.pinniped.dev" - -// SchemeGroupVersion is group version used to register these objects. -var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha1"} - -var ( - SchemeBuilder runtime.SchemeBuilder - localSchemeBuilder = &SchemeBuilder - AddToScheme = localSchemeBuilder.AddToScheme -) - -func init() { - // We only register manually written functions here. The registration of the - // generated functions takes place in the generated files. The separation - // makes the code compile even when the generated files are missing. - localSchemeBuilder.Register(addKnownTypes) -} - -// Adds the list of known types to the given scheme. -func addKnownTypes(scheme *runtime.Scheme) error { - scheme.AddKnownTypes(SchemeGroupVersion, - &OIDCClient{}, - &OIDCClientList{}, - ) - metav1.AddToGroupVersion(scheme, SchemeGroupVersion) - return nil -} - -// Resource takes an unqualified resource and returns a Group qualified GroupResource. -func Resource(resource string) schema.GroupResource { - return SchemeGroupVersion.WithResource(resource).GroupResource() -} diff --git a/generated/latest/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go b/generated/latest/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go deleted file mode 100644 index 1aba8aea..00000000 --- a/generated/latest/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go +++ /dev/null 
@@ -1,121 +0,0 @@ -//go:build !ignore_autogenerated -// +build !ignore_autogenerated - -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by deepcopy-gen. DO NOT EDIT. - -package v1alpha1 - -import ( - runtime "k8s.io/apimachinery/pkg/runtime" -) - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *OIDCClient) DeepCopyInto(out *OIDCClient) { - *out = *in - out.TypeMeta = in.TypeMeta - in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) - in.Spec.DeepCopyInto(&out.Spec) - out.Status = in.Status - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClient. -func (in *OIDCClient) DeepCopy() *OIDCClient { - if in == nil { - return nil - } - out := new(OIDCClient) - in.DeepCopyInto(out) - return out -} - -// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. -func (in *OIDCClient) DeepCopyObject() runtime.Object { - if c := in.DeepCopy(); c != nil { - return c - } - return nil -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *OIDCClientList) DeepCopyInto(out *OIDCClientList) { - *out = *in - out.TypeMeta = in.TypeMeta - in.ListMeta.DeepCopyInto(&out.ListMeta) - if in.Items != nil { - in, out := &in.Items, &out.Items - *out = make([]OIDCClient, len(*in)) - for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) - } - } - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientList. -func (in *OIDCClientList) DeepCopy() *OIDCClientList { - if in == nil { - return nil - } - out := new(OIDCClientList) - in.DeepCopyInto(out) - return out -} - -// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. 
-func (in *OIDCClientList) DeepCopyObject() runtime.Object { - if c := in.DeepCopy(); c != nil { - return c - } - return nil -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *OIDCClientSpec) DeepCopyInto(out *OIDCClientSpec) { - *out = *in - if in.AllowedRedirectURIs != nil { - in, out := &in.AllowedRedirectURIs, &out.AllowedRedirectURIs - *out = make([]string, len(*in)) - copy(*out, *in) - } - if in.AllowedGrantTypes != nil { - in, out := &in.AllowedGrantTypes, &out.AllowedGrantTypes - *out = make([]GrantType, len(*in)) - copy(*out, *in) - } - if in.AllowedScopes != nil { - in, out := &in.AllowedScopes, &out.AllowedScopes - *out = make([]Scope, len(*in)) - copy(*out, *in) - } - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSpec. -func (in *OIDCClientSpec) DeepCopy() *OIDCClientSpec { - if in == nil { - return nil - } - out := new(OIDCClientSpec) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *OIDCClientStatus) DeepCopyInto(out *OIDCClientStatus) { - *out = *in - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientStatus. -func (in *OIDCClientStatus) DeepCopy() *OIDCClientStatus { - if in == nil { - return nil - } - out := new(OIDCClientStatus) - in.DeepCopyInto(out) - return out -} diff --git a/generated/latest/apis/supervisor/virtual/oauth/doc.go b/generated/latest/apis/supervisor/virtual/oauth/doc.go deleted file mode 100644 index ca4e9a63..00000000 --- a/generated/latest/apis/supervisor/virtual/oauth/doc.go +++ /dev/null 
@@ -1,8 +0,0 @@ -// Copyright 2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// +k8s:deepcopy-gen=package -// +groupName=oauth.virtual.supervisor.pinniped.dev - -// Package oauth is the internal version of the Pinniped virtual oauth API. -package oauth diff --git a/generated/latest/apis/supervisor/virtual/oauth/register.go b/generated/latest/apis/supervisor/virtual/oauth/register.go deleted file mode 100644 index a238d85f..00000000 --- a/generated/latest/apis/supervisor/virtual/oauth/register.go +++ /dev/null @@ -1,37 +0,0 @@ -// Copyright 2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -package oauth - -import ( - "k8s.io/apimachinery/pkg/runtime" - "k8s.io/apimachinery/pkg/runtime/schema" -) - -const GroupName = "oauth.virtual.supervisor.pinniped.dev" - -// SchemeGroupVersion is group version used to register these objects. -var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: runtime.APIVersionInternal} - -// Kind takes an unqualified kind and returns back a Group qualified GroupKind. -func Kind(kind string) schema.GroupKind { - return SchemeGroupVersion.WithKind(kind).GroupKind() -} - -// Resource takes an unqualified resource and returns back a Group qualified GroupResource. -func Resource(resource string) schema.GroupResource { - return SchemeGroupVersion.WithResource(resource).GroupResource() -} - -var ( - SchemeBuilder = runtime.NewSchemeBuilder(addKnownTypes) - AddToScheme = SchemeBuilder.AddToScheme -) - -// Adds the list of known types to the given scheme. -func addKnownTypes(scheme *runtime.Scheme) error { - scheme.AddKnownTypes(SchemeGroupVersion, - &OIDCClientSecretRequest{}, - ) - return nil -} diff --git a/generated/latest/apis/supervisor/virtual/oauth/types_oidcclientsecretrequest.go b/generated/latest/apis/supervisor/virtual/oauth/types_oidcclientsecretrequest.go deleted file mode 100644 index ac54a93c..00000000 
--- a/generated/latest/apis/supervisor/virtual/oauth/types_oidcclientsecretrequest.go +++ /dev/null @@ -1,25 +0,0 @@ -// Copyright 2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -package oauth - -import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - -type OIDCClientSecretRequestSpec struct { - GenerateNewSecret bool `json:"generateNewSecret"` - RevokeOldSecrets bool `json:"revokeOldSecrets"` -} - -type OIDCClientSecretRequestStatus struct { - GeneratedSecret string `json:"generatedSecret,omitempty"` - TotalClientSecrets int `json:"totalClientSecrets"` -} - -// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object -type OIDCClientSecretRequest struct { - metav1.TypeMeta `json:",inline"` - metav1.ObjectMeta `json:"metadata,omitempty"` // metadata.name must be set to the client ID - - Spec OIDCClientSecretRequestSpec `json:"spec"` - Status OIDCClientSecretRequestStatus `json:"status"` -} diff --git a/generated/latest/apis/supervisor/virtual/oauth/v1alpha1/register.go b/generated/latest/apis/supervisor/virtual/oauth/v1alpha1/register.go deleted file mode 100644 index ecc75a08..00000000 --- a/generated/latest/apis/supervisor/virtual/oauth/v1alpha1/register.go +++ /dev/null 
@@ -1,42 +0,0 @@ -// Copyright 2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -package v1alpha1 - -import ( - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - "k8s.io/apimachinery/pkg/runtime" - "k8s.io/apimachinery/pkg/runtime/schema" -) - -const GroupName = "oauth.virtual.supervisor.pinniped.dev" - -// SchemeGroupVersion is group version used to register these objects. -var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha1"} - -var ( - SchemeBuilder runtime.SchemeBuilder - localSchemeBuilder = &SchemeBuilder - AddToScheme = SchemeBuilder.AddToScheme -) - -func init() { - // We only register manually written functions here. The registration of the - // generated functions takes place in the generated files. The separation - // makes the code compile even when the generated files are missing. - localSchemeBuilder.Register(addKnownTypes, addDefaultingFuncs) -} - -// Adds the list of known types to the given scheme. -func addKnownTypes(scheme *runtime.Scheme) error { - scheme.AddKnownTypes(SchemeGroupVersion, - &OIDCClientSecretRequest{}, - ) - metav1.AddToGroupVersion(scheme, SchemeGroupVersion) - return nil -} - -// Resource takes an unqualified resource and returns back a Group qualified GroupResource. -func Resource(resource string) schema.GroupResource { - return SchemeGroupVersion.WithResource(resource).GroupResource() -} diff --git a/generated/latest/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.conversion.go b/generated/latest/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.conversion.go deleted file mode 100644 index aebfa30d..00000000 --- a/generated/latest/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.conversion.go +++ /dev/null 
@@ -1,131 +0,0 @@ -//go:build !ignore_autogenerated -// +build !ignore_autogenerated - -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by conversion-gen. DO NOT EDIT. - -package v1alpha1 - -import ( - oauth "go.pinniped.dev/generated/latest/apis/supervisor/virtual/oauth" - conversion "k8s.io/apimachinery/pkg/conversion" - runtime "k8s.io/apimachinery/pkg/runtime" -) - -func init() { - localSchemeBuilder.Register(RegisterConversions) -} - -// RegisterConversions adds conversion functions to the given scheme. -// Public to allow building arbitrary schemes. -func RegisterConversions(s *runtime.Scheme) error { - if err := s.AddGeneratedConversionFunc((*OIDCClientSecretRequest)(nil), (*oauth.OIDCClientSecretRequest)(nil), func(a, b interface{}, scope conversion.Scope) error { - return Convert_v1alpha1_OIDCClientSecretRequest_To_oauth_OIDCClientSecretRequest(a.(*OIDCClientSecretRequest), b.(*oauth.OIDCClientSecretRequest), scope) - }); err != nil { - return err - } - if err := s.AddGeneratedConversionFunc((*oauth.OIDCClientSecretRequest)(nil), (*OIDCClientSecretRequest)(nil), func(a, b interface{}, scope conversion.Scope) error { - return Convert_oauth_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest(a.(*oauth.OIDCClientSecretRequest), b.(*OIDCClientSecretRequest), scope) - }); err != nil { - return err - } - if err := s.AddGeneratedConversionFunc((*OIDCClientSecretRequestSpec)(nil), (*oauth.OIDCClientSecretRequestSpec)(nil), func(a, b interface{}, scope conversion.Scope) error { - return Convert_v1alpha1_OIDCClientSecretRequestSpec_To_oauth_OIDCClientSecretRequestSpec(a.(*OIDCClientSecretRequestSpec), b.(*oauth.OIDCClientSecretRequestSpec), scope) - }); err != nil { - return err - } - if err := s.AddGeneratedConversionFunc((*oauth.OIDCClientSecretRequestSpec)(nil), (*OIDCClientSecretRequestSpec)(nil), func(a, b interface{}, scope conversion.Scope) error { - return 
Convert_oauth_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec(a.(*oauth.OIDCClientSecretRequestSpec), b.(*OIDCClientSecretRequestSpec), scope) - }); err != nil { - return err - } - if err := s.AddGeneratedConversionFunc((*OIDCClientSecretRequestStatus)(nil), (*oauth.OIDCClientSecretRequestStatus)(nil), func(a, b interface{}, scope conversion.Scope) error { - return Convert_v1alpha1_OIDCClientSecretRequestStatus_To_oauth_OIDCClientSecretRequestStatus(a.(*OIDCClientSecretRequestStatus), b.(*oauth.OIDCClientSecretRequestStatus), scope) - }); err != nil { - return err - } - if err := s.AddGeneratedConversionFunc((*oauth.OIDCClientSecretRequestStatus)(nil), (*OIDCClientSecretRequestStatus)(nil), func(a, b interface{}, scope conversion.Scope) error { - return Convert_oauth_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus(a.(*oauth.OIDCClientSecretRequestStatus), b.(*OIDCClientSecretRequestStatus), scope) - }); err != nil { - return err - } - return nil -} - -func autoConvert_v1alpha1_OIDCClientSecretRequest_To_oauth_OIDCClientSecretRequest(in *OIDCClientSecretRequest, out *oauth.OIDCClientSecretRequest, s conversion.Scope) error { - out.ObjectMeta = in.ObjectMeta - if err := Convert_v1alpha1_OIDCClientSecretRequestSpec_To_oauth_OIDCClientSecretRequestSpec(&in.Spec, &out.Spec, s); err != nil { - return err - } - if err := Convert_v1alpha1_OIDCClientSecretRequestStatus_To_oauth_OIDCClientSecretRequestStatus(&in.Status, &out.Status, s); err != nil { - return err - } - return nil -} - -// Convert_v1alpha1_OIDCClientSecretRequest_To_oauth_OIDCClientSecretRequest is an autogenerated conversion function. 
-func Convert_v1alpha1_OIDCClientSecretRequest_To_oauth_OIDCClientSecretRequest(in *OIDCClientSecretRequest, out *oauth.OIDCClientSecretRequest, s conversion.Scope) error { - return autoConvert_v1alpha1_OIDCClientSecretRequest_To_oauth_OIDCClientSecretRequest(in, out, s) -} - -func autoConvert_oauth_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest(in *oauth.OIDCClientSecretRequest, out *OIDCClientSecretRequest, s conversion.Scope) error { - out.ObjectMeta = in.ObjectMeta - if err := Convert_oauth_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec(&in.Spec, &out.Spec, s); err != nil { - return err - } - if err := Convert_oauth_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus(&in.Status, &out.Status, s); err != nil { - return err - } - return nil -} - -// Convert_oauth_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest is an autogenerated conversion function. -func Convert_oauth_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest(in *oauth.OIDCClientSecretRequest, out *OIDCClientSecretRequest, s conversion.Scope) error { - return autoConvert_oauth_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest(in, out, s) -} - -func autoConvert_v1alpha1_OIDCClientSecretRequestSpec_To_oauth_OIDCClientSecretRequestSpec(in *OIDCClientSecretRequestSpec, out *oauth.OIDCClientSecretRequestSpec, s conversion.Scope) error { - out.GenerateNewSecret = in.GenerateNewSecret - out.RevokeOldSecrets = in.RevokeOldSecrets - return nil -} - -// Convert_v1alpha1_OIDCClientSecretRequestSpec_To_oauth_OIDCClientSecretRequestSpec is an autogenerated conversion function. 
-func Convert_v1alpha1_OIDCClientSecretRequestSpec_To_oauth_OIDCClientSecretRequestSpec(in *OIDCClientSecretRequestSpec, out *oauth.OIDCClientSecretRequestSpec, s conversion.Scope) error { - return autoConvert_v1alpha1_OIDCClientSecretRequestSpec_To_oauth_OIDCClientSecretRequestSpec(in, out, s) -} - -func autoConvert_oauth_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec(in *oauth.OIDCClientSecretRequestSpec, out *OIDCClientSecretRequestSpec, s conversion.Scope) error { - out.GenerateNewSecret = in.GenerateNewSecret - out.RevokeOldSecrets = in.RevokeOldSecrets - return nil -} - -// Convert_oauth_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec is an autogenerated conversion function. -func Convert_oauth_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec(in *oauth.OIDCClientSecretRequestSpec, out *OIDCClientSecretRequestSpec, s conversion.Scope) error { - return autoConvert_oauth_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec(in, out, s) -} - -func autoConvert_v1alpha1_OIDCClientSecretRequestStatus_To_oauth_OIDCClientSecretRequestStatus(in *OIDCClientSecretRequestStatus, out *oauth.OIDCClientSecretRequestStatus, s conversion.Scope) error { - out.GeneratedSecret = in.GeneratedSecret - out.TotalClientSecrets = in.TotalClientSecrets - return nil -} - -// Convert_v1alpha1_OIDCClientSecretRequestStatus_To_oauth_OIDCClientSecretRequestStatus is an autogenerated conversion function. 
-func Convert_v1alpha1_OIDCClientSecretRequestStatus_To_oauth_OIDCClientSecretRequestStatus(in *OIDCClientSecretRequestStatus, out *oauth.OIDCClientSecretRequestStatus, s conversion.Scope) error { - return autoConvert_v1alpha1_OIDCClientSecretRequestStatus_To_oauth_OIDCClientSecretRequestStatus(in, out, s) -} - -func autoConvert_oauth_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus(in *oauth.OIDCClientSecretRequestStatus, out *OIDCClientSecretRequestStatus, s conversion.Scope) error { - out.GeneratedSecret = in.GeneratedSecret - out.TotalClientSecrets = in.TotalClientSecrets - return nil -} - -// Convert_oauth_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus is an autogenerated conversion function. -func Convert_oauth_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus(in *oauth.OIDCClientSecretRequestStatus, out *OIDCClientSecretRequestStatus, s conversion.Scope) error { - return autoConvert_oauth_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus(in, out, s) -} diff --git a/generated/latest/apis/supervisor/virtual/oauth/zz_generated.deepcopy.go b/generated/latest/apis/supervisor/virtual/oauth/zz_generated.deepcopy.go deleted file mode 100644 index 24b58e7b..00000000 --- a/generated/latest/apis/supervisor/virtual/oauth/zz_generated.deepcopy.go +++ /dev/null 
@@ -1,73 +0,0 @@ -//go:build !ignore_autogenerated -// +build !ignore_autogenerated - -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by deepcopy-gen. DO NOT EDIT. - -package oauth - -import ( - runtime "k8s.io/apimachinery/pkg/runtime" -) - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *OIDCClientSecretRequest) DeepCopyInto(out *OIDCClientSecretRequest) { - *out = *in - out.TypeMeta = in.TypeMeta - in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) - out.Spec = in.Spec - out.Status = in.Status - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSecretRequest. -func (in *OIDCClientSecretRequest) DeepCopy() *OIDCClientSecretRequest { - if in == nil { - return nil - } - out := new(OIDCClientSecretRequest) - in.DeepCopyInto(out) - return out -} - -// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. -func (in *OIDCClientSecretRequest) DeepCopyObject() runtime.Object { - if c := in.DeepCopy(); c != nil { - return c - } - return nil -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *OIDCClientSecretRequestSpec) DeepCopyInto(out *OIDCClientSecretRequestSpec) { - *out = *in - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSecretRequestSpec. -func (in *OIDCClientSecretRequestSpec) DeepCopy() *OIDCClientSecretRequestSpec { - if in == nil { - return nil - } - out := new(OIDCClientSecretRequestSpec) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
-func (in *OIDCClientSecretRequestStatus) DeepCopyInto(out *OIDCClientSecretRequestStatus) { - *out = *in - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSecretRequestStatus. -func (in *OIDCClientSecretRequestStatus) DeepCopy() *OIDCClientSecretRequestStatus { - if in == nil { - return nil - } - out := new(OIDCClientSecretRequestStatus) - in.DeepCopyInto(out) - return out -} diff --git a/generated/latest/client/supervisor/clientset/versioned/clientset.go b/generated/latest/client/supervisor/clientset/versioned/clientset.go index cc05d311..fc14381c 100644 --- a/generated/latest/client/supervisor/clientset/versioned/clientset.go +++ b/generated/latest/client/supervisor/clientset/versioned/clientset.go @@ -9,9 +9,9 @@ import ( "fmt" "net/http" + clientsecretv1alpha1 "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1" configv1alpha1 "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned/typed/config/v1alpha1" idpv1alpha1 "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned/typed/idp/v1alpha1" - oauthv1alpha1 "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned/typed/oauth/v1alpha1" discovery "k8s.io/client-go/discovery" rest "k8s.io/client-go/rest" flowcontrol "k8s.io/client-go/util/flowcontrol" 
@@ -19,18 +19,23 @@ import ( type Interface interface { Discovery() discovery.DiscoveryInterface + ClientsecretV1alpha1() clientsecretv1alpha1.ClientsecretV1alpha1Interface ConfigV1alpha1() configv1alpha1.ConfigV1alpha1Interface IDPV1alpha1() idpv1alpha1.IDPV1alpha1Interface - OauthV1alpha1() oauthv1alpha1.OauthV1alpha1Interface } // Clientset contains the clients for groups. Each group has exactly one // version included in a Clientset. type Clientset struct { *discovery.DiscoveryClient - configV1alpha1 *configv1alpha1.ConfigV1alpha1Client - iDPV1alpha1 *idpv1alpha1.IDPV1alpha1Client - oauthV1alpha1 *oauthv1alpha1.OauthV1alpha1Client + clientsecretV1alpha1 *clientsecretv1alpha1.ClientsecretV1alpha1Client + configV1alpha1 *configv1alpha1.ConfigV1alpha1Client + iDPV1alpha1 *idpv1alpha1.IDPV1alpha1Client +} + +// ClientsecretV1alpha1 retrieves the ClientsecretV1alpha1Client +func (c *Clientset) ClientsecretV1alpha1() clientsecretv1alpha1.ClientsecretV1alpha1Interface { + return c.clientsecretV1alpha1 } // ConfigV1alpha1 retrieves the ConfigV1alpha1Client @@ -43,11 +48,6 @@ func (c *Clientset) IDPV1alpha1() idpv1alpha1.IDPV1alpha1Interface { return c.iDPV1alpha1 } -// OauthV1alpha1 retrieves the OauthV1alpha1Client -func (c *Clientset) OauthV1alpha1() oauthv1alpha1.OauthV1alpha1Interface { - return c.oauthV1alpha1 -} - // Discovery retrieves the DiscoveryClient func (c *Clientset) Discovery() discovery.DiscoveryInterface { if c == nil { @@ -92,6 +92,10 @@ func NewForConfigAndClient(c *rest.Config, httpClient *http.Client) (*Clientset, var cs Clientset var err error + cs.clientsecretV1alpha1, err = clientsecretv1alpha1.NewForConfigAndClient(&configShallowCopy, httpClient) + if err != nil { + return nil, err + } cs.configV1alpha1, err = configv1alpha1.NewForConfigAndClient(&configShallowCopy, httpClient) if err != nil { return nil, err 
@@ -100,10 +104,6 @@ func NewForConfigAndClient(c *rest.Config, httpClient *http.Client) (*Clientset, if err != nil { return nil, err } - cs.oauthV1alpha1, err = oauthv1alpha1.NewForConfigAndClient(&configShallowCopy, httpClient) - if err != nil { - return nil, err - } cs.DiscoveryClient, err = discovery.NewDiscoveryClientForConfigAndClient(&configShallowCopy, httpClient) if err != nil { @@ -125,9 +125,9 @@ func NewForConfigOrDie(c *rest.Config) *Clientset { // New creates a new Clientset for the given RESTClient. func New(c rest.Interface) *Clientset { var cs Clientset + cs.clientsecretV1alpha1 = clientsecretv1alpha1.New(c) cs.configV1alpha1 = configv1alpha1.New(c) cs.iDPV1alpha1 = idpv1alpha1.New(c) - cs.oauthV1alpha1 = oauthv1alpha1.New(c) cs.DiscoveryClient = discovery.NewDiscoveryClient(c) return &cs diff --git a/generated/latest/client/supervisor/clientset/versioned/fake/clientset_generated.go b/generated/latest/client/supervisor/clientset/versioned/fake/clientset_generated.go index 6b73fc47..faa6581f 100644 --- a/generated/latest/client/supervisor/clientset/versioned/fake/clientset_generated.go +++ b/generated/latest/client/supervisor/clientset/versioned/fake/clientset_generated.go 
@@ -7,12 +7,12 @@ package fake import ( clientset "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned" + clientsecretv1alpha1 "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1" + fakeclientsecretv1alpha1 "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/fake" configv1alpha1 "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned/typed/config/v1alpha1" fakeconfigv1alpha1 "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake" idpv1alpha1 "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned/typed/idp/v1alpha1" fakeidpv1alpha1 "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake" - oauthv1alpha1 "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned/typed/oauth/v1alpha1" - fakeoauthv1alpha1 "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake" "k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/watch" "k8s.io/client-go/discovery" @@ -70,6 +70,11 @@ var ( _ testing.FakeClient = &Clientset{} ) +// ClientsecretV1alpha1 retrieves the ClientsecretV1alpha1Client +func (c *Clientset) ClientsecretV1alpha1() clientsecretv1alpha1.ClientsecretV1alpha1Interface { + return &fakeclientsecretv1alpha1.FakeClientsecretV1alpha1{Fake: &c.Fake} +} + // ConfigV1alpha1 retrieves the ConfigV1alpha1Client func (c *Clientset) ConfigV1alpha1() configv1alpha1.ConfigV1alpha1Interface { return &fakeconfigv1alpha1.FakeConfigV1alpha1{Fake: &c.Fake} 
@@ -79,8 +84,3 @@ func (c *Clientset) ConfigV1alpha1() configv1alpha1.ConfigV1alpha1Interface { func (c *Clientset) IDPV1alpha1() idpv1alpha1.IDPV1alpha1Interface { return &fakeidpv1alpha1.FakeIDPV1alpha1{Fake: &c.Fake} } - -// OauthV1alpha1 retrieves the OauthV1alpha1Client -func (c *Clientset) OauthV1alpha1() oauthv1alpha1.OauthV1alpha1Interface { - return &fakeoauthv1alpha1.FakeOauthV1alpha1{Fake: &c.Fake} -} diff --git a/generated/latest/client/supervisor/clientset/versioned/fake/register.go b/generated/latest/client/supervisor/clientset/versioned/fake/register.go index db9bb1a4..32607aa9 100644 --- a/generated/latest/client/supervisor/clientset/versioned/fake/register.go +++ b/generated/latest/client/supervisor/clientset/versioned/fake/register.go @@ -6,9 +6,9 @@ package fake import ( + clientsecretv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/clientsecret/v1alpha1" configv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/config/v1alpha1" idpv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/idp/v1alpha1" - oauthv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/oauth/v1alpha1" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" runtime "k8s.io/apimachinery/pkg/runtime" schema "k8s.io/apimachinery/pkg/runtime/schema" @@ -20,9 +20,9 @@ var scheme = runtime.NewScheme() var codecs = serializer.NewCodecFactory(scheme) var localSchemeBuilder = runtime.SchemeBuilder{ + clientsecretv1alpha1.AddToScheme, configv1alpha1.AddToScheme, idpv1alpha1.AddToScheme, - oauthv1alpha1.AddToScheme, } // AddToScheme adds all types of this clientset into the given scheme. This allows composition diff --git a/generated/latest/client/supervisor/clientset/versioned/scheme/register.go b/generated/latest/client/supervisor/clientset/versioned/scheme/register.go index 9456d619..73edda13 100644 --- a/generated/latest/client/supervisor/clientset/versioned/scheme/register.go +++ b/generated/latest/client/supervisor/clientset/versioned/scheme/register.go 
@@ -6,9 +6,9 @@ package scheme import ( + clientsecretv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/clientsecret/v1alpha1" configv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/config/v1alpha1" idpv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/idp/v1alpha1" - oauthv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/oauth/v1alpha1" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" runtime "k8s.io/apimachinery/pkg/runtime" schema "k8s.io/apimachinery/pkg/runtime/schema" @@ -20,9 +20,9 @@ var Scheme = runtime.NewScheme() var Codecs = serializer.NewCodecFactory(Scheme) var ParameterCodec = runtime.NewParameterCodec(Scheme) var localSchemeBuilder = runtime.SchemeBuilder{ + clientsecretv1alpha1.AddToScheme, configv1alpha1.AddToScheme, idpv1alpha1.AddToScheme, - oauthv1alpha1.AddToScheme, } // AddToScheme adds all types of this clientset into the given scheme. This allows composition diff --git a/generated/1.24/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go b/generated/latest/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/clientsecret_client.go similarity index 55% rename from generated/1.24/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go rename to generated/latest/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/clientsecret_client.go index aa4521a2..d8ce41cd 100644 --- a/generated/1.24/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go +++ b/generated/latest/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/clientsecret_client.go 
@@ -8,29 +8,29 @@ package v1alpha1 import ( "net/http" - v1alpha1 "go.pinniped.dev/generated/1.24/apis/supervisor/virtual/oauth/v1alpha1" - "go.pinniped.dev/generated/1.24/client/supervisor/virtual/clientset/versioned/scheme" + v1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/clientsecret/v1alpha1" + "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned/scheme" rest "k8s.io/client-go/rest" ) -type OauthV1alpha1Interface interface { +type ClientsecretV1alpha1Interface interface { RESTClient() rest.Interface OIDCClientSecretRequestsGetter } -// OauthV1alpha1Client is used to interact with features provided by the oauth.virtual.supervisor.pinniped.dev group. -type OauthV1alpha1Client struct { +// ClientsecretV1alpha1Client is used to interact with features provided by the clientsecret.supervisor.pinniped.dev group. +type ClientsecretV1alpha1Client struct { restClient rest.Interface } -func (c *OauthV1alpha1Client) OIDCClientSecretRequests(namespace string) OIDCClientSecretRequestInterface { +func (c *ClientsecretV1alpha1Client) OIDCClientSecretRequests(namespace string) OIDCClientSecretRequestInterface { return newOIDCClientSecretRequests(c, namespace) } -// NewForConfig creates a new OauthV1alpha1Client for the given config. +// NewForConfig creates a new ClientsecretV1alpha1Client for the given config. // NewForConfig is equivalent to NewForConfigAndClient(c, httpClient), // where httpClient was generated with rest.HTTPClientFor(c). -func NewForConfig(c *rest.Config) (*OauthV1alpha1Client, error) { +func NewForConfig(c *rest.Config) (*ClientsecretV1alpha1Client, error) { config := *c if err := setConfigDefaults(&config); err != nil { return nil, err 
@@ -42,9 +42,9 @@ func NewForConfig(c *rest.Config) (*OauthV1alpha1Client, error) { return NewForConfigAndClient(&config, httpClient) } -// NewForConfigAndClient creates a new OauthV1alpha1Client for the given config and http client. +// NewForConfigAndClient creates a new ClientsecretV1alpha1Client for the given config and http client. // Note the http client provided takes precedence over the configured transport values. -func NewForConfigAndClient(c *rest.Config, h *http.Client) (*OauthV1alpha1Client, error) { +func NewForConfigAndClient(c *rest.Config, h *http.Client) (*ClientsecretV1alpha1Client, error) { config := *c if err := setConfigDefaults(&config); err != nil { return nil, err @@ -53,12 +53,12 @@ func NewForConfigAndClient(c *rest.Config, h *http.Client) (*OauthV1alpha1Client if err != nil { return nil, err } - return &OauthV1alpha1Client{client}, nil + return &ClientsecretV1alpha1Client{client}, nil } -// NewForConfigOrDie creates a new OauthV1alpha1Client for the given config and +// NewForConfigOrDie creates a new ClientsecretV1alpha1Client for the given config and // panics if there is an error in the config. -func NewForConfigOrDie(c *rest.Config) *OauthV1alpha1Client { +func NewForConfigOrDie(c *rest.Config) *ClientsecretV1alpha1Client { client, err := NewForConfig(c) if err != nil { panic(err) @@ -66,9 +66,9 @@ func NewForConfigOrDie(c *rest.Config) *OauthV1alpha1Client { return client } -// New creates a new OauthV1alpha1Client for the given RESTClient. -func New(c rest.Interface) *OauthV1alpha1Client { - return &OauthV1alpha1Client{c} +// New creates a new ClientsecretV1alpha1Client for the given RESTClient. +func New(c rest.Interface) *ClientsecretV1alpha1Client { + return &ClientsecretV1alpha1Client{c} } func setConfigDefaults(config *rest.Config) error { 
@@ -86,7 +86,7 @@ func setConfigDefaults(config *rest.Config) error { // RESTClient returns a RESTClient that is used to communicate // with API server by this client implementation. -func (c *OauthV1alpha1Client) RESTClient() rest.Interface { +func (c *ClientsecretV1alpha1Client) RESTClient() rest.Interface { if c == nil { return nil } diff --git a/generated/1.21/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/doc.go b/generated/latest/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/doc.go similarity index 100% rename from generated/1.21/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/doc.go rename to generated/latest/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/doc.go diff --git a/generated/1.21/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go b/generated/latest/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/fake/doc.go similarity index 100% rename from generated/1.21/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go rename to generated/latest/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/fake/doc.go diff --git a/generated/latest/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go b/generated/latest/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/fake/fake_clientsecret_client.go similarity index 60% rename from generated/latest/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go rename to generated/latest/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/fake/fake_clientsecret_client.go index abcc6a0c..27c559de 100644 --- a/generated/latest/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go +++ b/generated/latest/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/fake/fake_clientsecret_client.go 
@@ -6,22 +6,22 @@ package fake import ( - v1alpha1 "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned/typed/oauth/v1alpha1" + v1alpha1 "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1" rest "k8s.io/client-go/rest" testing "k8s.io/client-go/testing" ) -type FakeOauthV1alpha1 struct { +type FakeClientsecretV1alpha1 struct { *testing.Fake } -func (c *FakeOauthV1alpha1) OIDCClients(namespace string) v1alpha1.OIDCClientInterface { - return &FakeOIDCClients{c, namespace} +func (c *FakeClientsecretV1alpha1) OIDCClientSecretRequests(namespace string) v1alpha1.OIDCClientSecretRequestInterface { + return &FakeOIDCClientSecretRequests{c, namespace} } // RESTClient returns a RESTClient that is used to communicate // with API server by this client implementation. -func (c *FakeOauthV1alpha1) RESTClient() rest.Interface { +func (c *FakeClientsecretV1alpha1) RESTClient() rest.Interface { var ret *rest.RESTClient return ret } diff --git a/generated/latest/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/fake/fake_oidcclientsecretrequest.go b/generated/latest/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/fake/fake_oidcclientsecretrequest.go new file mode 100644 index 00000000..00da4ce8 --- /dev/null +++ b/generated/latest/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/fake/fake_oidcclientsecretrequest.go 
@@ -0,0 +1,36 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package fake + +import ( + "context" + + v1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/clientsecret/v1alpha1" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + schema "k8s.io/apimachinery/pkg/runtime/schema" + testing "k8s.io/client-go/testing" +) + +// FakeOIDCClientSecretRequests implements OIDCClientSecretRequestInterface +type FakeOIDCClientSecretRequests struct { + Fake *FakeClientsecretV1alpha1 + ns string +} + +var oidcclientsecretrequestsResource = schema.GroupVersionResource{Group: "clientsecret.supervisor.pinniped.dev", Version: "v1alpha1", Resource: "oidcclientsecretrequests"} + +var oidcclientsecretrequestsKind = schema.GroupVersionKind{Group: "clientsecret.supervisor.pinniped.dev", Version: "v1alpha1", Kind: "OIDCClientSecretRequest"} + +// Create takes the representation of a oIDCClientSecretRequest and creates it. Returns the server's representation of the oIDCClientSecretRequest, and an error, if there is any. +func (c *FakeOIDCClientSecretRequests) Create(ctx context.Context, oIDCClientSecretRequest *v1alpha1.OIDCClientSecretRequest, opts v1.CreateOptions) (result *v1alpha1.OIDCClientSecretRequest, err error) { + obj, err := c.Fake. + Invokes(testing.NewCreateAction(oidcclientsecretrequestsResource, c.ns, oIDCClientSecretRequest), &v1alpha1.OIDCClientSecretRequest{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.OIDCClientSecretRequest), err +} 
diff --git a/generated/latest/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go b/generated/latest/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/generated_expansion.go similarity index 100% rename from generated/latest/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go rename to generated/latest/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/generated_expansion.go diff --git a/generated/latest/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/oidcclientsecretrequest.go b/generated/latest/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/oidcclientsecretrequest.go new file mode 100644 index 00000000..76bb20c1 --- /dev/null +++ b/generated/latest/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/oidcclientsecretrequest.go 
@@ -0,0 +1,54 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + "context" + + v1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/clientsecret/v1alpha1" + scheme "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned/scheme" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + rest "k8s.io/client-go/rest" +) + +// OIDCClientSecretRequestsGetter has a method to return a OIDCClientSecretRequestInterface. +// A group's client should implement this interface. +type OIDCClientSecretRequestsGetter interface { + OIDCClientSecretRequests(namespace string) OIDCClientSecretRequestInterface +} + +// OIDCClientSecretRequestInterface has methods to work with OIDCClientSecretRequest resources. +type OIDCClientSecretRequestInterface interface { + Create(ctx context.Context, oIDCClientSecretRequest *v1alpha1.OIDCClientSecretRequest, opts v1.CreateOptions) (*v1alpha1.OIDCClientSecretRequest, error) + OIDCClientSecretRequestExpansion +} + +// oIDCClientSecretRequests implements OIDCClientSecretRequestInterface +type oIDCClientSecretRequests struct { + client rest.Interface + ns string +} + +// newOIDCClientSecretRequests returns a OIDCClientSecretRequests +func newOIDCClientSecretRequests(c *ClientsecretV1alpha1Client, namespace string) *oIDCClientSecretRequests { + return &oIDCClientSecretRequests{ + client: c.RESTClient(), + ns: namespace, + } +} + +// Create takes the representation of a oIDCClientSecretRequest and creates it. Returns the server's representation of the oIDCClientSecretRequest, and an error, if there is any. +func (c *oIDCClientSecretRequests) Create(ctx context.Context, oIDCClientSecretRequest *v1alpha1.OIDCClientSecretRequest, opts v1.CreateOptions) (result *v1alpha1.OIDCClientSecretRequest, err error) { + result = &v1alpha1.OIDCClientSecretRequest{} + err = c.client.Post(). + Namespace(c.ns). 
+ Resource("oidcclientsecretrequests"). + VersionedParams(&opts, scheme.ParameterCodec). + Body(oIDCClientSecretRequest). + Do(ctx). + Into(result) + return +} diff --git a/generated/latest/client/supervisor/clientset/versioned/typed/config/v1alpha1/config_client.go b/generated/latest/client/supervisor/clientset/versioned/typed/config/v1alpha1/config_client.go index c946632a..ea41ad67 100644 --- a/generated/latest/client/supervisor/clientset/versioned/typed/config/v1alpha1/config_client.go +++ b/generated/latest/client/supervisor/clientset/versioned/typed/config/v1alpha1/config_client.go @@ -16,6 +16,7 @@ import ( type ConfigV1alpha1Interface interface { RESTClient() rest.Interface FederationDomainsGetter + OIDCClientsGetter } // ConfigV1alpha1Client is used to interact with features provided by the config.supervisor.pinniped.dev group. @@ -27,6 +28,10 @@ func (c *ConfigV1alpha1Client) FederationDomains(namespace string) FederationDom return newFederationDomains(c, namespace) } +func (c *ConfigV1alpha1Client) OIDCClients(namespace string) OIDCClientInterface { + return newOIDCClients(c, namespace) +} + // NewForConfig creates a new ConfigV1alpha1Client for the given config. // NewForConfig is equivalent to NewForConfigAndClient(c, httpClient), // where httpClient was generated with rest.HTTPClientFor(c). diff --git a/generated/latest/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake/fake_config_client.go b/generated/latest/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake/fake_config_client.go index 088e66a2..2ca19bd6 100644 --- a/generated/latest/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake/fake_config_client.go +++ b/generated/latest/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake/fake_config_client.go 
@@ -19,6 +19,10 @@ func (c *FakeConfigV1alpha1) FederationDomains(namespace string) v1alpha1.Federa return &FakeFederationDomains{c, namespace} } +func (c *FakeConfigV1alpha1) OIDCClients(namespace string) v1alpha1.OIDCClientInterface { + return &FakeOIDCClients{c, namespace} +} + // RESTClient returns a RESTClient that is used to communicate // with API server by this client implementation. func (c *FakeConfigV1alpha1) RESTClient() rest.Interface { diff --git a/generated/latest/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oidcclient.go b/generated/latest/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake/fake_oidcclient.go similarity index 92% rename from generated/latest/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oidcclient.go rename to generated/latest/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake/fake_oidcclient.go index 89568d1a..aba465a9 100644 --- a/generated/latest/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oidcclient.go +++ b/generated/latest/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake/fake_oidcclient.go @@ -8,7 +8,7 @@ package fake import ( "context" - v1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/oauth/v1alpha1" + v1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/config/v1alpha1" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" labels "k8s.io/apimachinery/pkg/labels" schema "k8s.io/apimachinery/pkg/runtime/schema" 
@@ -19,13 +19,13 @@ import ( // FakeOIDCClients implements OIDCClientInterface type FakeOIDCClients struct { - Fake *FakeOauthV1alpha1 + Fake *FakeConfigV1alpha1 ns string } -var oidcclientsResource = schema.GroupVersionResource{Group: "oauth.supervisor.pinniped.dev", Version: "v1alpha1", Resource: "oidcclients"} +var oidcclientsResource = schema.GroupVersionResource{Group: "config.supervisor.pinniped.dev", Version: "v1alpha1", Resource: "oidcclients"} -var oidcclientsKind = schema.GroupVersionKind{Group: "oauth.supervisor.pinniped.dev", Version: "v1alpha1", Kind: "OIDCClient"} +var oidcclientsKind = schema.GroupVersionKind{Group: "config.supervisor.pinniped.dev", Version: "v1alpha1", Kind: "OIDCClient"} // Get takes name of the oIDCClient, and returns the corresponding oIDCClient object, and an error if there is any. func (c *FakeOIDCClients) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.OIDCClient, err error) { diff --git a/generated/latest/client/supervisor/clientset/versioned/typed/config/v1alpha1/generated_expansion.go b/generated/latest/client/supervisor/clientset/versioned/typed/config/v1alpha1/generated_expansion.go index ba9c9173..35b9ee3d 100644 --- a/generated/latest/client/supervisor/clientset/versioned/typed/config/v1alpha1/generated_expansion.go +++ b/generated/latest/client/supervisor/clientset/versioned/typed/config/v1alpha1/generated_expansion.go @@ -6,3 +6,5 @@ package v1alpha1 type FederationDomainExpansion interface{} + +type OIDCClientExpansion interface{} diff --git a/generated/latest/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oidcclient.go b/generated/latest/client/supervisor/clientset/versioned/typed/config/v1alpha1/oidcclient.go similarity index 97% rename from generated/latest/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oidcclient.go rename to generated/latest/client/supervisor/clientset/versioned/typed/config/v1alpha1/oidcclient.go index 888c2a7e..68fa884e 100644 
--- a/generated/latest/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oidcclient.go +++ b/generated/latest/client/supervisor/clientset/versioned/typed/config/v1alpha1/oidcclient.go @@ -9,7 +9,7 @@ import ( "context" "time" - v1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/oauth/v1alpha1" + v1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/config/v1alpha1" scheme "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned/scheme" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" types "k8s.io/apimachinery/pkg/types" @@ -44,7 +44,7 @@ type oIDCClients struct { } // newOIDCClients returns a OIDCClients -func newOIDCClients(c *OauthV1alpha1Client, namespace string) *oIDCClients { +func newOIDCClients(c *ConfigV1alpha1Client, namespace string) *oIDCClients { return &oIDCClients{ client: c.RESTClient(), ns: namespace, diff --git a/generated/latest/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/doc.go b/generated/latest/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/doc.go deleted file mode 100644 index e7a470b6..00000000 --- a/generated/latest/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/doc.go +++ /dev/null @@ -1,7 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by client-gen. DO NOT EDIT. - -// This package has the automatically generated typed clients. -package v1alpha1 diff --git a/generated/latest/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go b/generated/latest/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go deleted file mode 100644 index 7906901b..00000000 --- a/generated/latest/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go +++ /dev/null 
@@ -1,7 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by client-gen. DO NOT EDIT. - -// Package fake has the automatically generated clients. -package fake diff --git a/generated/latest/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go b/generated/latest/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go deleted file mode 100644 index 87d22ea9..00000000 --- a/generated/latest/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go +++ /dev/null @@ -1,8 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by client-gen. DO NOT EDIT. - -package v1alpha1 - -type OIDCClientExpansion interface{} diff --git a/generated/latest/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go b/generated/latest/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go deleted file mode 100644 index 80077607..00000000 --- a/generated/latest/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go +++ /dev/null 
@@ -1,94 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by client-gen. DO NOT EDIT. - -package v1alpha1 - -import ( - "net/http" - - v1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/oauth/v1alpha1" - "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned/scheme" - rest "k8s.io/client-go/rest" -) - -type OauthV1alpha1Interface interface { - RESTClient() rest.Interface - OIDCClientsGetter -} - -// OauthV1alpha1Client is used to interact with features provided by the oauth.supervisor.pinniped.dev group. -type OauthV1alpha1Client struct { - restClient rest.Interface -} - -func (c *OauthV1alpha1Client) OIDCClients(namespace string) OIDCClientInterface { - return newOIDCClients(c, namespace) -} - -// NewForConfig creates a new OauthV1alpha1Client for the given config. -// NewForConfig is equivalent to NewForConfigAndClient(c, httpClient), -// where httpClient was generated with rest.HTTPClientFor(c). -func NewForConfig(c *rest.Config) (*OauthV1alpha1Client, error) { - config := *c - if err := setConfigDefaults(&config); err != nil { - return nil, err - } - httpClient, err := rest.HTTPClientFor(&config) - if err != nil { - return nil, err - } - return NewForConfigAndClient(&config, httpClient) -} - -// NewForConfigAndClient creates a new OauthV1alpha1Client for the given config and http client. -// Note the http client provided takes precedence over the configured transport values. -func NewForConfigAndClient(c *rest.Config, h *http.Client) (*OauthV1alpha1Client, error) { - config := *c - if err := setConfigDefaults(&config); err != nil { - return nil, err - } - client, err := rest.RESTClientForConfigAndClient(&config, h) - if err != nil { - return nil, err - } - return &OauthV1alpha1Client{client}, nil -} - -// NewForConfigOrDie creates a new OauthV1alpha1Client for the given config and -// panics if there is an error in the config. 
-func NewForConfigOrDie(c *rest.Config) *OauthV1alpha1Client { - client, err := NewForConfig(c) - if err != nil { - panic(err) - } - return client -} - -// New creates a new OauthV1alpha1Client for the given RESTClient. -func New(c rest.Interface) *OauthV1alpha1Client { - return &OauthV1alpha1Client{c} -} - -func setConfigDefaults(config *rest.Config) error { - gv := v1alpha1.SchemeGroupVersion - config.GroupVersion = &gv - config.APIPath = "/apis" - config.NegotiatedSerializer = scheme.Codecs.WithoutConversion() - - if config.UserAgent == "" { - config.UserAgent = rest.DefaultKubernetesUserAgent() - } - - return nil -} - -// RESTClient returns a RESTClient that is used to communicate -// with API server by this client implementation. -func (c *OauthV1alpha1Client) RESTClient() rest.Interface { - if c == nil { - return nil - } - return c.restClient -} diff --git a/generated/latest/client/supervisor/informers/externalversions/config/v1alpha1/interface.go b/generated/latest/client/supervisor/informers/externalversions/config/v1alpha1/interface.go index 5273529b..a86c165c 100644 --- a/generated/latest/client/supervisor/informers/externalversions/config/v1alpha1/interface.go +++ b/generated/latest/client/supervisor/informers/externalversions/config/v1alpha1/interface.go @@ -13,6 +13,8 @@ import ( type Interface interface { // FederationDomains returns a FederationDomainInformer. FederationDomains() FederationDomainInformer + // OIDCClients returns a OIDCClientInformer. + OIDCClients() OIDCClientInformer } type version struct { 
@@ -30,3 +32,8 @@ func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakList func (v *version) FederationDomains() FederationDomainInformer { return &federationDomainInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions} } + +// OIDCClients returns a OIDCClientInformer. +func (v *version) OIDCClients() OIDCClientInformer { + return &oIDCClientInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions} +} diff --git a/generated/latest/client/supervisor/informers/externalversions/oauth/v1alpha1/oidcclient.go b/generated/latest/client/supervisor/informers/externalversions/config/v1alpha1/oidcclient.go similarity index 88% rename from generated/latest/client/supervisor/informers/externalversions/oauth/v1alpha1/oidcclient.go rename to generated/latest/client/supervisor/informers/externalversions/config/v1alpha1/oidcclient.go index d3eec3d2..00d2f521 100644 --- a/generated/latest/client/supervisor/informers/externalversions/oauth/v1alpha1/oidcclient.go +++ b/generated/latest/client/supervisor/informers/externalversions/config/v1alpha1/oidcclient.go @@ -9,10 +9,10 @@ import ( "context" time "time" - oauthv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/oauth/v1alpha1" + configv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/config/v1alpha1" versioned "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned" internalinterfaces "go.pinniped.dev/generated/latest/client/supervisor/informers/externalversions/internalinterfaces" - v1alpha1 "go.pinniped.dev/generated/latest/client/supervisor/listers/oauth/v1alpha1" + v1alpha1 "go.pinniped.dev/generated/latest/client/supervisor/listers/config/v1alpha1" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" runtime "k8s.io/apimachinery/pkg/runtime" watch "k8s.io/apimachinery/pkg/watch" 
@@ -49,16 +49,16 @@ func NewFilteredOIDCClientInformer(client versioned.Interface, namespace string, if tweakListOptions != nil { tweakListOptions(&options) } - return client.OauthV1alpha1().OIDCClients(namespace).List(context.TODO(), options) + return client.ConfigV1alpha1().OIDCClients(namespace).List(context.TODO(), options) }, WatchFunc: func(options v1.ListOptions) (watch.Interface, error) { if tweakListOptions != nil { tweakListOptions(&options) } - return client.OauthV1alpha1().OIDCClients(namespace).Watch(context.TODO(), options) + return client.ConfigV1alpha1().OIDCClients(namespace).Watch(context.TODO(), options) }, }, - &oauthv1alpha1.OIDCClient{}, + &configv1alpha1.OIDCClient{}, resyncPeriod, indexers, ) @@ -69,7 +69,7 @@ func (f *oIDCClientInformer) defaultInformer(client versioned.Interface, resyncP } func (f *oIDCClientInformer) Informer() cache.SharedIndexInformer { - return f.factory.InformerFor(&oauthv1alpha1.OIDCClient{}, f.defaultInformer) + return f.factory.InformerFor(&configv1alpha1.OIDCClient{}, f.defaultInformer) } func (f *oIDCClientInformer) Lister() v1alpha1.OIDCClientLister { diff --git a/generated/latest/client/supervisor/informers/externalversions/factory.go b/generated/latest/client/supervisor/informers/externalversions/factory.go index d3c714e7..252195d3 100644 --- a/generated/latest/client/supervisor/informers/externalversions/factory.go +++ b/generated/latest/client/supervisor/informers/externalversions/factory.go 
@@ -14,7 +14,6 @@ import ( config "go.pinniped.dev/generated/latest/client/supervisor/informers/externalversions/config" idp "go.pinniped.dev/generated/latest/client/supervisor/informers/externalversions/idp" internalinterfaces "go.pinniped.dev/generated/latest/client/supervisor/informers/externalversions/internalinterfaces" - oauth "go.pinniped.dev/generated/latest/client/supervisor/informers/externalversions/oauth" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" runtime "k8s.io/apimachinery/pkg/runtime" schema "k8s.io/apimachinery/pkg/runtime/schema" @@ -163,7 +162,6 @@ type SharedInformerFactory interface { Config() config.Interface IDP() idp.Interface - Oauth() oauth.Interface } func (f *sharedInformerFactory) Config() config.Interface { @@ -173,7 +171,3 @@ func (f *sharedInformerFactory) Config() config.Interface { func (f *sharedInformerFactory) IDP() idp.Interface { return idp.New(f, f.namespace, f.tweakListOptions) } - -func (f *sharedInformerFactory) Oauth() oauth.Interface { - return oauth.New(f, f.namespace, f.tweakListOptions) -} diff --git a/generated/latest/client/supervisor/informers/externalversions/generic.go b/generated/latest/client/supervisor/informers/externalversions/generic.go index ba708933..eb3f5543 100644 --- a/generated/latest/client/supervisor/informers/externalversions/generic.go +++ b/generated/latest/client/supervisor/informers/externalversions/generic.go @@ -10,7 +10,6 @@ import ( v1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/config/v1alpha1" idpv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/idp/v1alpha1" - oauthv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/oauth/v1alpha1" schema "k8s.io/apimachinery/pkg/runtime/schema" cache "k8s.io/client-go/tools/cache" ) 
@@ -44,6 +43,8 @@ func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource // Group=config.supervisor.pinniped.dev, Version=v1alpha1 case v1alpha1.SchemeGroupVersion.WithResource("federationdomains"): return &genericInformer{resource: resource.GroupResource(), informer: f.Config().V1alpha1().FederationDomains().Informer()}, nil + case v1alpha1.SchemeGroupVersion.WithResource("oidcclients"): + return &genericInformer{resource: resource.GroupResource(), informer: f.Config().V1alpha1().OIDCClients().Informer()}, nil // Group=idp.supervisor.pinniped.dev, Version=v1alpha1 case idpv1alpha1.SchemeGroupVersion.WithResource("activedirectoryidentityproviders"): @@ -53,10 +54,6 @@ func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource case idpv1alpha1.SchemeGroupVersion.WithResource("oidcidentityproviders"): return &genericInformer{resource: resource.GroupResource(), informer: f.IDP().V1alpha1().OIDCIdentityProviders().Informer()}, nil - // Group=oauth.supervisor.pinniped.dev, Version=v1alpha1 - case oauthv1alpha1.SchemeGroupVersion.WithResource("oidcclients"): - return &genericInformer{resource: resource.GroupResource(), informer: f.Oauth().V1alpha1().OIDCClients().Informer()}, nil - } return nil, fmt.Errorf("no informer found for %v", resource) diff --git a/generated/latest/client/supervisor/informers/externalversions/oauth/interface.go b/generated/latest/client/supervisor/informers/externalversions/oauth/interface.go deleted file mode 100644 index b0c7105b..00000000 --- a/generated/latest/client/supervisor/informers/externalversions/oauth/interface.go +++ /dev/null 
@@ -1,33 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by informer-gen. DO NOT EDIT. - -package oauth - -import ( - internalinterfaces "go.pinniped.dev/generated/latest/client/supervisor/informers/externalversions/internalinterfaces" - v1alpha1 "go.pinniped.dev/generated/latest/client/supervisor/informers/externalversions/oauth/v1alpha1" -) - -// Interface provides access to each of this group's versions. -type Interface interface { - // V1alpha1 provides access to shared informers for resources in V1alpha1. - V1alpha1() v1alpha1.Interface -} - -type group struct { - factory internalinterfaces.SharedInformerFactory - namespace string - tweakListOptions internalinterfaces.TweakListOptionsFunc -} - -// New returns a new Interface. -func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakListOptions internalinterfaces.TweakListOptionsFunc) Interface { - return &group{factory: f, namespace: namespace, tweakListOptions: tweakListOptions} -} - -// V1alpha1 returns a new v1alpha1.Interface. -func (g *group) V1alpha1() v1alpha1.Interface { - return v1alpha1.New(g.factory, g.namespace, g.tweakListOptions) -} diff --git a/generated/latest/client/supervisor/informers/externalversions/oauth/v1alpha1/interface.go b/generated/latest/client/supervisor/informers/externalversions/oauth/v1alpha1/interface.go deleted file mode 100644 index 48e12497..00000000 --- a/generated/latest/client/supervisor/informers/externalversions/oauth/v1alpha1/interface.go +++ /dev/null 
@@ -1,32 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by informer-gen. DO NOT EDIT. - -package v1alpha1 - -import ( - internalinterfaces "go.pinniped.dev/generated/latest/client/supervisor/informers/externalversions/internalinterfaces" -) - -// Interface provides access to all the informers in this group version. -type Interface interface { - // OIDCClients returns a OIDCClientInformer. - OIDCClients() OIDCClientInformer -} - -type version struct { - factory internalinterfaces.SharedInformerFactory - namespace string - tweakListOptions internalinterfaces.TweakListOptionsFunc -} - -// New returns a new Interface. -func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakListOptions internalinterfaces.TweakListOptionsFunc) Interface { - return &version{factory: f, namespace: namespace, tweakListOptions: tweakListOptions} -} - -// OIDCClients returns a OIDCClientInformer. -func (v *version) OIDCClients() OIDCClientInformer { - return &oIDCClientInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions} -} diff --git a/generated/latest/client/supervisor/listers/config/v1alpha1/expansion_generated.go b/generated/latest/client/supervisor/listers/config/v1alpha1/expansion_generated.go index d59892c4..bda2f20e 100644 --- a/generated/latest/client/supervisor/listers/config/v1alpha1/expansion_generated.go +++ b/generated/latest/client/supervisor/listers/config/v1alpha1/expansion_generated.go 
@@ -12,3 +12,11 @@ type FederationDomainListerExpansion interface{} // FederationDomainNamespaceListerExpansion allows custom methods to be added to // FederationDomainNamespaceLister. type FederationDomainNamespaceListerExpansion interface{} + +// OIDCClientListerExpansion allows custom methods to be added to +// OIDCClientLister. +type OIDCClientListerExpansion interface{} + +// OIDCClientNamespaceListerExpansion allows custom methods to be added to +// OIDCClientNamespaceLister. +type OIDCClientNamespaceListerExpansion interface{} diff --git a/generated/latest/client/supervisor/listers/config/v1alpha1/oidcclient.go b/generated/latest/client/supervisor/listers/config/v1alpha1/oidcclient.go new file mode 100644 index 00000000..34297ee1 --- /dev/null +++ b/generated/latest/client/supervisor/listers/config/v1alpha1/oidcclient.go 
@@ -0,0 +1,86 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by lister-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + v1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/config/v1alpha1" + "k8s.io/apimachinery/pkg/api/errors" + "k8s.io/apimachinery/pkg/labels" + "k8s.io/client-go/tools/cache" +) + +// OIDCClientLister helps list OIDCClients. +// All objects returned here must be treated as read-only. +type OIDCClientLister interface { + // List lists all OIDCClients in the indexer. + // Objects returned here must be treated as read-only. + List(selector labels.Selector) (ret []*v1alpha1.OIDCClient, err error) + // OIDCClients returns an object that can list and get OIDCClients. + OIDCClients(namespace string) OIDCClientNamespaceLister + OIDCClientListerExpansion +} + +// oIDCClientLister implements the OIDCClientLister interface. +type oIDCClientLister struct { + indexer cache.Indexer +} + +// NewOIDCClientLister returns a new OIDCClientLister. +func NewOIDCClientLister(indexer cache.Indexer) OIDCClientLister { + return &oIDCClientLister{indexer: indexer} +} + +// List lists all OIDCClients in the indexer. +func (s *oIDCClientLister) List(selector labels.Selector) (ret []*v1alpha1.OIDCClient, err error) { + err = cache.ListAll(s.indexer, selector, func(m interface{}) { + ret = append(ret, m.(*v1alpha1.OIDCClient)) + }) + return ret, err +} + +// OIDCClients returns an object that can list and get OIDCClients. +func (s *oIDCClientLister) OIDCClients(namespace string) OIDCClientNamespaceLister { + return oIDCClientNamespaceLister{indexer: s.indexer, namespace: namespace} +} + +// OIDCClientNamespaceLister helps list and get OIDCClients. +// All objects returned here must be treated as read-only. +type OIDCClientNamespaceLister interface { + // List lists all OIDCClients in the indexer for a given namespace. + // Objects returned here must be treated as read-only. 
+ List(selector labels.Selector) (ret []*v1alpha1.OIDCClient, err error) + // Get retrieves the OIDCClient from the indexer for a given namespace and name. + // Objects returned here must be treated as read-only. + Get(name string) (*v1alpha1.OIDCClient, error) + OIDCClientNamespaceListerExpansion +} + +// oIDCClientNamespaceLister implements the OIDCClientNamespaceLister +// interface. +type oIDCClientNamespaceLister struct { + indexer cache.Indexer + namespace string +} + +// List lists all OIDCClients in the indexer for a given namespace. +func (s oIDCClientNamespaceLister) List(selector labels.Selector) (ret []*v1alpha1.OIDCClient, err error) { + err = cache.ListAllByNamespace(s.indexer, s.namespace, selector, func(m interface{}) { + ret = append(ret, m.(*v1alpha1.OIDCClient)) + }) + return ret, err +} + +// Get retrieves the OIDCClient from the indexer for a given namespace and name. +func (s oIDCClientNamespaceLister) Get(name string) (*v1alpha1.OIDCClient, error) { + obj, exists, err := s.indexer.GetByKey(s.namespace + "/" + name) + if err != nil { + return nil, err + } + if !exists { + return nil, errors.NewNotFound(v1alpha1.Resource("oidcclient"), name) + } + return obj.(*v1alpha1.OIDCClient), nil +} diff --git a/generated/latest/client/supervisor/listers/oauth/v1alpha1/expansion_generated.go b/generated/latest/client/supervisor/listers/oauth/v1alpha1/expansion_generated.go deleted file mode 100644 index c19310da..00000000 --- a/generated/latest/client/supervisor/listers/oauth/v1alpha1/expansion_generated.go +++ /dev/null 
@@ -1,14 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by lister-gen. DO NOT EDIT. - -package v1alpha1 - -// OIDCClientListerExpansion allows custom methods to be added to -// OIDCClientLister. -type OIDCClientListerExpansion interface{} - -// OIDCClientNamespaceListerExpansion allows custom methods to be added to -// OIDCClientNamespaceLister. -type OIDCClientNamespaceListerExpansion interface{} diff --git a/generated/latest/client/supervisor/listers/oauth/v1alpha1/oidcclient.go b/generated/latest/client/supervisor/listers/oauth/v1alpha1/oidcclient.go deleted file mode 100644 index 189936b6..00000000 --- a/generated/latest/client/supervisor/listers/oauth/v1alpha1/oidcclient.go +++ /dev/null 
@@ -1,86 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by lister-gen. DO NOT EDIT. - -package v1alpha1 - -import ( - v1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/oauth/v1alpha1" - "k8s.io/apimachinery/pkg/api/errors" - "k8s.io/apimachinery/pkg/labels" - "k8s.io/client-go/tools/cache" -) - -// OIDCClientLister helps list OIDCClients. -// All objects returned here must be treated as read-only. -type OIDCClientLister interface { - // List lists all OIDCClients in the indexer. - // Objects returned here must be treated as read-only. - List(selector labels.Selector) (ret []*v1alpha1.OIDCClient, err error) - // OIDCClients returns an object that can list and get OIDCClients. - OIDCClients(namespace string) OIDCClientNamespaceLister - OIDCClientListerExpansion -} - -// oIDCClientLister implements the OIDCClientLister interface. -type oIDCClientLister struct { - indexer cache.Indexer -} - -// NewOIDCClientLister returns a new OIDCClientLister. -func NewOIDCClientLister(indexer cache.Indexer) OIDCClientLister { - return &oIDCClientLister{indexer: indexer} -} - -// List lists all OIDCClients in the indexer. -func (s *oIDCClientLister) List(selector labels.Selector) (ret []*v1alpha1.OIDCClient, err error) { - err = cache.ListAll(s.indexer, selector, func(m interface{}) { - ret = append(ret, m.(*v1alpha1.OIDCClient)) - }) - return ret, err -} - -// OIDCClients returns an object that can list and get OIDCClients. -func (s *oIDCClientLister) OIDCClients(namespace string) OIDCClientNamespaceLister { - return oIDCClientNamespaceLister{indexer: s.indexer, namespace: namespace} -} - -// OIDCClientNamespaceLister helps list and get OIDCClients. -// All objects returned here must be treated as read-only. -type OIDCClientNamespaceLister interface { - // List lists all OIDCClients in the indexer for a given namespace. - // Objects returned here must be treated as read-only. 
- List(selector labels.Selector) (ret []*v1alpha1.OIDCClient, err error) - // Get retrieves the OIDCClient from the indexer for a given namespace and name. - // Objects returned here must be treated as read-only. - Get(name string) (*v1alpha1.OIDCClient, error) - OIDCClientNamespaceListerExpansion -} - -// oIDCClientNamespaceLister implements the OIDCClientNamespaceLister -// interface. -type oIDCClientNamespaceLister struct { - indexer cache.Indexer - namespace string -} - -// List lists all OIDCClients in the indexer for a given namespace. -func (s oIDCClientNamespaceLister) List(selector labels.Selector) (ret []*v1alpha1.OIDCClient, err error) { - err = cache.ListAllByNamespace(s.indexer, s.namespace, selector, func(m interface{}) { - ret = append(ret, m.(*v1alpha1.OIDCClient)) - }) - return ret, err -} - -// Get retrieves the OIDCClient from the indexer for a given namespace and name. -func (s oIDCClientNamespaceLister) Get(name string) (*v1alpha1.OIDCClient, error) { - obj, exists, err := s.indexer.GetByKey(s.namespace + "/" + name) - if err != nil { - return nil, err - } - if !exists { - return nil, errors.NewNotFound(v1alpha1.Resource("oidcclient"), name) - } - return obj.(*v1alpha1.OIDCClient), nil -} diff --git a/generated/latest/client/supervisor/virtual/clientset/versioned/clientset.go b/generated/latest/client/supervisor/virtual/clientset/versioned/clientset.go deleted file mode 100644 index 87726aee..00000000 --- a/generated/latest/client/supervisor/virtual/clientset/versioned/clientset.go +++ /dev/null 
@@ -1,108 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by client-gen. DO NOT EDIT. - -package versioned - -import ( - "fmt" - "net/http" - - oauthv1alpha1 "go.pinniped.dev/generated/latest/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1" - discovery "k8s.io/client-go/discovery" - rest "k8s.io/client-go/rest" - flowcontrol "k8s.io/client-go/util/flowcontrol" -) - -type Interface interface { - Discovery() discovery.DiscoveryInterface - OauthV1alpha1() oauthv1alpha1.OauthV1alpha1Interface -} - -// Clientset contains the clients for groups. Each group has exactly one -// version included in a Clientset. -type Clientset struct { - *discovery.DiscoveryClient - oauthV1alpha1 *oauthv1alpha1.OauthV1alpha1Client -} - -// OauthV1alpha1 retrieves the OauthV1alpha1Client -func (c *Clientset) OauthV1alpha1() oauthv1alpha1.OauthV1alpha1Interface { - return c.oauthV1alpha1 -} - -// Discovery retrieves the DiscoveryClient -func (c *Clientset) Discovery() discovery.DiscoveryInterface { - if c == nil { - return nil - } - return c.DiscoveryClient -} - -// NewForConfig creates a new Clientset for the given config. -// If config's RateLimiter is not set and QPS and Burst are acceptable, -// NewForConfig will generate a rate-limiter in configShallowCopy. -// NewForConfig is equivalent to NewForConfigAndClient(c, httpClient), -// where httpClient was generated with rest.HTTPClientFor(c). 
-func NewForConfig(c *rest.Config) (*Clientset, error) { - configShallowCopy := *c - - if configShallowCopy.UserAgent == "" { - configShallowCopy.UserAgent = rest.DefaultKubernetesUserAgent() - } - - // share the transport between all clients - httpClient, err := rest.HTTPClientFor(&configShallowCopy) - if err != nil { - return nil, err - } - - return NewForConfigAndClient(&configShallowCopy, httpClient) -} - -// NewForConfigAndClient creates a new Clientset for the given config and http client. -// Note the http client provided takes precedence over the configured transport values. -// If config's RateLimiter is not set and QPS and Burst are acceptable, -// NewForConfigAndClient will generate a rate-limiter in configShallowCopy. -func NewForConfigAndClient(c *rest.Config, httpClient *http.Client) (*Clientset, error) { - configShallowCopy := *c - if configShallowCopy.RateLimiter == nil && configShallowCopy.QPS > 0 { - if configShallowCopy.Burst <= 0 { - return nil, fmt.Errorf("burst is required to be greater than 0 when RateLimiter is not set and QPS is set to greater than 0") - } - configShallowCopy.RateLimiter = flowcontrol.NewTokenBucketRateLimiter(configShallowCopy.QPS, configShallowCopy.Burst) - } - - var cs Clientset - var err error - cs.oauthV1alpha1, err = oauthv1alpha1.NewForConfigAndClient(&configShallowCopy, httpClient) - if err != nil { - return nil, err - } - - cs.DiscoveryClient, err = discovery.NewDiscoveryClientForConfigAndClient(&configShallowCopy, httpClient) - if err != nil { - return nil, err - } - return &cs, nil -} - -// NewForConfigOrDie creates a new Clientset for the given config and -// panics if there is an error in the config. -func NewForConfigOrDie(c *rest.Config) *Clientset { - cs, err := NewForConfig(c) - if err != nil { - panic(err) - } - return cs -} - -// New creates a new Clientset for the given RESTClient. 
-func New(c rest.Interface) *Clientset { - var cs Clientset - cs.oauthV1alpha1 = oauthv1alpha1.New(c) - - cs.DiscoveryClient = discovery.NewDiscoveryClient(c) - return &cs -} diff --git a/generated/latest/client/supervisor/virtual/clientset/versioned/doc.go b/generated/latest/client/supervisor/virtual/clientset/versioned/doc.go deleted file mode 100644 index 5dc02e6e..00000000 --- a/generated/latest/client/supervisor/virtual/clientset/versioned/doc.go +++ /dev/null @@ -1,7 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by client-gen. DO NOT EDIT. - -// This package has the automatically generated clientset. -package versioned diff --git a/generated/latest/client/supervisor/virtual/clientset/versioned/fake/clientset_generated.go b/generated/latest/client/supervisor/virtual/clientset/versioned/fake/clientset_generated.go deleted file mode 100644 index a0552547..00000000 --- a/generated/latest/client/supervisor/virtual/clientset/versioned/fake/clientset_generated.go +++ /dev/null 
@@ -1,72 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by client-gen. DO NOT EDIT. - -package fake - -import ( - clientset "go.pinniped.dev/generated/latest/client/supervisor/virtual/clientset/versioned" - oauthv1alpha1 "go.pinniped.dev/generated/latest/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1" - fakeoauthv1alpha1 "go.pinniped.dev/generated/latest/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake" - "k8s.io/apimachinery/pkg/runtime" - "k8s.io/apimachinery/pkg/watch" - "k8s.io/client-go/discovery" - fakediscovery "k8s.io/client-go/discovery/fake" - "k8s.io/client-go/testing" -) - -// NewSimpleClientset returns a clientset that will respond with the provided objects. -// It's backed by a very simple object tracker that processes creates, updates and deletions as-is, -// without applying any validations and/or defaults. It shouldn't be considered a replacement -// for a real clientset and is mostly useful in simple unit tests. -func NewSimpleClientset(objects ...runtime.Object) *Clientset { - o := testing.NewObjectTracker(scheme, codecs.UniversalDecoder()) - for _, obj := range objects { - if err := o.Add(obj); err != nil { - panic(err) - } - } - - cs := &Clientset{tracker: o} - cs.discovery = &fakediscovery.FakeDiscovery{Fake: &cs.Fake} - cs.AddReactor("*", "*", testing.ObjectReaction(o)) - cs.AddWatchReactor("*", func(action testing.Action) (handled bool, ret watch.Interface, err error) { - gvr := action.GetResource() - ns := action.GetNamespace() - watch, err := o.Watch(gvr, ns) - if err != nil { - return false, nil, err - } - return true, watch, nil - }) - - return cs -} - -// Clientset implements clientset.Interface. Meant to be embedded into a -// struct to get a default implementation. This makes faking out just the method -// you want to test easier. 
-type Clientset struct { - testing.Fake - discovery *fakediscovery.FakeDiscovery - tracker testing.ObjectTracker -} - -func (c *Clientset) Discovery() discovery.DiscoveryInterface { - return c.discovery -} - -func (c *Clientset) Tracker() testing.ObjectTracker { - return c.tracker -} - -var ( - _ clientset.Interface = &Clientset{} - _ testing.FakeClient = &Clientset{} -) - -// OauthV1alpha1 retrieves the OauthV1alpha1Client -func (c *Clientset) OauthV1alpha1() oauthv1alpha1.OauthV1alpha1Interface { - return &fakeoauthv1alpha1.FakeOauthV1alpha1{Fake: &c.Fake} -} diff --git a/generated/latest/client/supervisor/virtual/clientset/versioned/fake/doc.go b/generated/latest/client/supervisor/virtual/clientset/versioned/fake/doc.go deleted file mode 100644 index 7c9538fd..00000000 --- a/generated/latest/client/supervisor/virtual/clientset/versioned/fake/doc.go +++ /dev/null @@ -1,7 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by client-gen. DO NOT EDIT. - -// This package has the automatically generated fake clientset. -package fake diff --git a/generated/latest/client/supervisor/virtual/clientset/versioned/fake/register.go b/generated/latest/client/supervisor/virtual/clientset/versioned/fake/register.go deleted file mode 100644 index 895e8126..00000000 --- a/generated/latest/client/supervisor/virtual/clientset/versioned/fake/register.go +++ /dev/null 
@@ -1,43 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by client-gen. DO NOT EDIT. - -package fake - -import ( - oauthv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/virtual/oauth/v1alpha1" - v1 "k8s.io/apimachinery/pkg/apis/meta/v1" - runtime "k8s.io/apimachinery/pkg/runtime" - schema "k8s.io/apimachinery/pkg/runtime/schema" - serializer "k8s.io/apimachinery/pkg/runtime/serializer" - utilruntime "k8s.io/apimachinery/pkg/util/runtime" -) - -var scheme = runtime.NewScheme() -var codecs = serializer.NewCodecFactory(scheme) - -var localSchemeBuilder = runtime.SchemeBuilder{ - oauthv1alpha1.AddToScheme, -} - -// AddToScheme adds all types of this clientset into the given scheme. This allows composition -// of clientsets, like in: -// -// import ( -// "k8s.io/client-go/kubernetes" -// clientsetscheme "k8s.io/client-go/kubernetes/scheme" -// aggregatorclientsetscheme "k8s.io/kube-aggregator/pkg/client/clientset_generated/clientset/scheme" -// ) -// -// kclientset, _ := kubernetes.NewForConfig(c) -// _ = aggregatorclientsetscheme.AddToScheme(clientsetscheme.Scheme) -// -// After this, RawExtensions in Kubernetes types will serialize kube-aggregator types -// correctly. -var AddToScheme = localSchemeBuilder.AddToScheme - -func init() { - v1.AddToGroupVersion(scheme, schema.GroupVersion{Version: "v1"}) - utilruntime.Must(AddToScheme(scheme)) -} diff --git a/generated/latest/client/supervisor/virtual/clientset/versioned/scheme/doc.go b/generated/latest/client/supervisor/virtual/clientset/versioned/scheme/doc.go deleted file mode 100644 index cc02f1d3..00000000 --- a/generated/latest/client/supervisor/virtual/clientset/versioned/scheme/doc.go +++ /dev/null 
@@ -1,7 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by client-gen. DO NOT EDIT. - -// This package contains the scheme of the automatically generated clientset. -package scheme diff --git a/generated/latest/client/supervisor/virtual/clientset/versioned/scheme/register.go b/generated/latest/client/supervisor/virtual/clientset/versioned/scheme/register.go deleted file mode 100644 index a842d03d..00000000 --- a/generated/latest/client/supervisor/virtual/clientset/versioned/scheme/register.go +++ /dev/null 
@@ -1,43 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by client-gen. DO NOT EDIT. - -package scheme - -import ( - oauthv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/virtual/oauth/v1alpha1" - v1 "k8s.io/apimachinery/pkg/apis/meta/v1" - runtime "k8s.io/apimachinery/pkg/runtime" - schema "k8s.io/apimachinery/pkg/runtime/schema" - serializer "k8s.io/apimachinery/pkg/runtime/serializer" - utilruntime "k8s.io/apimachinery/pkg/util/runtime" -) - -var Scheme = runtime.NewScheme() -var Codecs = serializer.NewCodecFactory(Scheme) -var ParameterCodec = runtime.NewParameterCodec(Scheme) -var localSchemeBuilder = runtime.SchemeBuilder{ - oauthv1alpha1.AddToScheme, -} - -// AddToScheme adds all types of this clientset into the given scheme. This allows composition -// of clientsets, like in: -// -// import ( -// "k8s.io/client-go/kubernetes" -// clientsetscheme "k8s.io/client-go/kubernetes/scheme" -// aggregatorclientsetscheme "k8s.io/kube-aggregator/pkg/client/clientset_generated/clientset/scheme" -// ) -// -// kclientset, _ := kubernetes.NewForConfig(c) -// _ = aggregatorclientsetscheme.AddToScheme(clientsetscheme.Scheme) -// -// After this, RawExtensions in Kubernetes types will serialize kube-aggregator types -// correctly. -var AddToScheme = localSchemeBuilder.AddToScheme - -func init() { - v1.AddToGroupVersion(Scheme, schema.GroupVersion{Version: "v1"}) - utilruntime.Must(AddToScheme(Scheme)) -} diff --git a/generated/latest/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/doc.go b/generated/latest/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/doc.go deleted file mode 100644 index e7a470b6..00000000 --- a/generated/latest/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/doc.go +++ /dev/null 
@@ -1,7 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by client-gen. DO NOT EDIT. - -// This package has the automatically generated typed clients. -package v1alpha1 diff --git a/generated/latest/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go b/generated/latest/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go deleted file mode 100644 index 7906901b..00000000 --- a/generated/latest/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go +++ /dev/null @@ -1,7 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by client-gen. DO NOT EDIT. - -// Package fake has the automatically generated clients. -package fake diff --git a/generated/latest/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go b/generated/latest/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go deleted file mode 100644 index c73da3da..00000000 --- a/generated/latest/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go +++ /dev/null 
@@ -1,27 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by client-gen. DO NOT EDIT. - -package fake - -import ( - v1alpha1 "go.pinniped.dev/generated/latest/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1" - rest "k8s.io/client-go/rest" - testing "k8s.io/client-go/testing" -) - -type FakeOauthV1alpha1 struct { - *testing.Fake -} - -func (c *FakeOauthV1alpha1) OIDCClientSecretRequests(namespace string) v1alpha1.OIDCClientSecretRequestInterface { - return &FakeOIDCClientSecretRequests{c, namespace} -} - -// RESTClient returns a RESTClient that is used to communicate -// with API server by this client implementation. -func (c *FakeOauthV1alpha1) RESTClient() rest.Interface { - var ret *rest.RESTClient - return ret -} diff --git a/generated/latest/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oidcclientsecretrequest.go b/generated/latest/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oidcclientsecretrequest.go deleted file mode 100644 index 8220bcc7..00000000 --- a/generated/latest/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oidcclientsecretrequest.go +++ /dev/null 
@@ -1,36 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by client-gen. DO NOT EDIT. - -package fake - -import ( - "context" - - v1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/virtual/oauth/v1alpha1" - v1 "k8s.io/apimachinery/pkg/apis/meta/v1" - schema "k8s.io/apimachinery/pkg/runtime/schema" - testing "k8s.io/client-go/testing" -) - -// FakeOIDCClientSecretRequests implements OIDCClientSecretRequestInterface -type FakeOIDCClientSecretRequests struct { - Fake *FakeOauthV1alpha1 - ns string -} - -var oidcclientsecretrequestsResource = schema.GroupVersionResource{Group: "oauth.virtual.supervisor.pinniped.dev", Version: "v1alpha1", Resource: "oidcclientsecretrequests"} - -var oidcclientsecretrequestsKind = schema.GroupVersionKind{Group: "oauth.virtual.supervisor.pinniped.dev", Version: "v1alpha1", Kind: "OIDCClientSecretRequest"} - -// Create takes the representation of a oIDCClientSecretRequest and creates it. Returns the server's representation of the oIDCClientSecretRequest, and an error, if there is any. -func (c *FakeOIDCClientSecretRequests) Create(ctx context.Context, oIDCClientSecretRequest *v1alpha1.OIDCClientSecretRequest, opts v1.CreateOptions) (result *v1alpha1.OIDCClientSecretRequest, err error) { - obj, err := c.Fake. - Invokes(testing.NewCreateAction(oidcclientsecretrequestsResource, c.ns, oIDCClientSecretRequest), &v1alpha1.OIDCClientSecretRequest{}) - - if obj == nil { - return nil, err - } - return obj.(*v1alpha1.OIDCClientSecretRequest), err -} diff --git a/generated/latest/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/oidcclientsecretrequest.go b/generated/latest/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/oidcclientsecretrequest.go deleted file mode 100644 index 259bfbc9..00000000 
--- a/generated/latest/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/oidcclientsecretrequest.go
+++ /dev/null
@@ -1,54 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by client-gen. DO NOT EDIT. - -package v1alpha1 - -import ( - "context" - - v1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/virtual/oauth/v1alpha1" - scheme "go.pinniped.dev/generated/latest/client/supervisor/virtual/clientset/versioned/scheme" - v1 "k8s.io/apimachinery/pkg/apis/meta/v1" - rest "k8s.io/client-go/rest" -) - -// OIDCClientSecretRequestsGetter has a method to return a OIDCClientSecretRequestInterface. -// A group's client should implement this interface. -type OIDCClientSecretRequestsGetter interface { - OIDCClientSecretRequests(namespace string) OIDCClientSecretRequestInterface -} - -// OIDCClientSecretRequestInterface has methods to work with OIDCClientSecretRequest resources. -type OIDCClientSecretRequestInterface interface { - Create(ctx context.Context, oIDCClientSecretRequest *v1alpha1.OIDCClientSecretRequest, opts v1.CreateOptions) (*v1alpha1.OIDCClientSecretRequest, error) - OIDCClientSecretRequestExpansion -} - -// oIDCClientSecretRequests implements OIDCClientSecretRequestInterface -type oIDCClientSecretRequests struct { - client rest.Interface - ns string -} - -// newOIDCClientSecretRequests returns a OIDCClientSecretRequests -func newOIDCClientSecretRequests(c *OauthV1alpha1Client, namespace string) *oIDCClientSecretRequests { - return &oIDCClientSecretRequests{ - client: c.RESTClient(), - ns: namespace, - } -} - -// Create takes the representation of a oIDCClientSecretRequest and creates it. Returns the server's representation of the oIDCClientSecretRequest, and an error, if there is any. -func (c *oIDCClientSecretRequests) Create(ctx context.Context, oIDCClientSecretRequest *v1alpha1.OIDCClientSecretRequest, opts v1.CreateOptions) (result *v1alpha1.OIDCClientSecretRequest, err error) { - result = &v1alpha1.OIDCClientSecretRequest{} - err = c.client.Post(). - Namespace(c.ns). 
- Resource("oidcclientsecretrequests").
- VersionedParams(&opts, scheme.ParameterCodec).
- Body(oIDCClientSecretRequest).
- Do(ctx).
- Into(result)
- return
-}
diff --git a/hack/lib/update-codegen.sh b/hack/lib/update-codegen.sh
index 81f27cf2..a290645a 100755
--- a/hack/lib/update-codegen.sh
+++ b/hack/lib/update-codegen.sh
@@ -123,7 +123,7 @@ echo "generating API-related code for our public API groups..."
 "deepcopy" \
 "${BASE_PKG}/generated/${KUBE_MINOR_VERSION}/apis" \
 "${BASE_PKG}/generated/${KUBE_MINOR_VERSION}/apis" \
- "supervisor/config:v1alpha1 supervisor/idp:v1alpha1 supervisor/oauth:v1alpha1 supervisor/virtual/oauth:v1alpha1 concierge/config:v1alpha1 concierge/authentication:v1alpha1 concierge/login:v1alpha1 concierge/identity:v1alpha1" \
+ "supervisor/config:v1alpha1 supervisor/idp:v1alpha1 supervisor/clientsecret:v1alpha1 concierge/config:v1alpha1 concierge/authentication:v1alpha1 concierge/login:v1alpha1 concierge/identity:v1alpha1" \
 --go-header-file "${ROOT}/hack/boilerplate.go.txt" -v "$debug_level" 2>&1 | sed "s|^|gen-api > |"
 )
 
@@ -135,7 +135,7 @@ echo "generating API-related code for our internal API groups..."
 "${BASE_PKG}/generated/${KUBE_MINOR_VERSION}/client/concierge" \
 "${BASE_PKG}/generated/${KUBE_MINOR_VERSION}/apis" \
 "${BASE_PKG}/generated/${KUBE_MINOR_VERSION}/apis" \
- "concierge/login:v1alpha1 concierge/identity:v1alpha1 supervisor/virtual/oauth:v1alpha1" \
+ "concierge/login:v1alpha1 concierge/identity:v1alpha1 supervisor/clientsecret:v1alpha1" \
 --go-header-file "${ROOT}/hack/boilerplate.go.txt" -v "$debug_level" 2>&1 | sed "s|^|gen-int-api > |"
 )
 
@@ -159,18 +159,9 @@ echo "generating client code for our public API groups..."
 "client,lister,informer" \
 "${BASE_PKG}/generated/${KUBE_MINOR_VERSION}/client/supervisor" \
 "${BASE_PKG}/generated/${KUBE_MINOR_VERSION}/apis" \
- "supervisor/config:v1alpha1 supervisor/idp:v1alpha1 supervisor/oauth:v1alpha1" \
+ "supervisor/config:v1alpha1 supervisor/idp:v1alpha1 supervisor/clientsecret:v1alpha1" \
 --go-header-file "${ROOT}/hack/boilerplate.go.txt" -v "$debug_level" 2>&1 | sed "s|^|gen-client > |"
 )
-(cd client &&
- bash "${GOPATH}/src/k8s.io/code-generator/generate-groups.sh" \
- "client,lister,informer" \
- "${BASE_PKG}/generated/${KUBE_MINOR_VERSION}/client/supervisor/virtual" \
- "${BASE_PKG}/generated/${KUBE_MINOR_VERSION}/apis" \
- "supervisor/virtual/oauth:v1alpha1" \
- --go-header-file "${ROOT}/hack/boilerplate.go.txt" -v "$debug_level" 2>&1 | sed "s|^|gen-client > |"
-)
-
 # Tidy up the .../client module
 echo "tidying ${OUTPUT_DIR}/client/go.mod..."
 
@@ -189,7 +180,6 @@ crd-ref-docs \
 (cd apis &&
 controller-gen paths=./supervisor/config/v1alpha1 crd output:crd:artifacts:config=../crds &&
 controller-gen paths=./supervisor/idp/v1alpha1 crd output:crd:artifacts:config=../crds &&
- controller-gen paths=./supervisor/oauth/v1alpha1 crd output:crd:artifacts:config=../crds &&
 controller-gen paths=./concierge/config/v1alpha1 crd output:crd:artifacts:config=../crds &&
 controller-gen paths=./concierge/authentication/v1alpha1 crd output:crd:artifacts:config=../crds
 )
diff --git a/internal/groupsuffix/groupdata.go b/internal/groupsuffix/groupdata.go
index b2c20e1e..14e3fb11 100644
--- a/internal/groupsuffix/groupdata.go
+++ b/internal/groupsuffix/groupdata.go
@@ -8,7 +8,7 @@ import (
 
 identityv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/identity/v1alpha1"
 loginv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/login/v1alpha1"
- oauthv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/virtual/oauth/v1alpha1"
+ clientsecretv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/clientsecret/v1alpha1"
 )
 
 type GroupData schema.GroupVersion
@@ -34,15 +34,15 @@ func ConciergeAggregatedGroups(apiGroupSuffix string) (login, identity GroupData
 }
 }
 
-func SupervisorAggregatedGroups(apiGroupSuffix string) (oauth GroupData) {
- oauthVirtualSupervisorAPIGroup, ok1 := Replace(oauthv1alpha1.GroupName, apiGroupSuffix)
+func SupervisorAggregatedGroups(apiGroupSuffix string) (clientSecret GroupData) {
+ clientSecretVirtualSupervisorAPIGroup, ok1 := Replace(clientsecretv1alpha1.GroupName, apiGroupSuffix)
 if !ok1 {
 panic("static group input is invalid")
 }
 
 return GroupData{
- Group: oauthVirtualSupervisorAPIGroup,
- Version: oauthv1alpha1.SchemeGroupVersion.Version,
+ Group: clientSecretVirtualSupervisorAPIGroup,
+ Version: clientsecretv1alpha1.SchemeGroupVersion.Version,
 }
 }
 
diff --git a/internal/kubeclient/kubeclient.go b/internal/kubeclient/kubeclient.go
index 6a9d4eb5..98d0b7f6 100644
--- a/internal/kubeclient/kubeclient.go
+++ b/internal/kubeclient/kubeclient.go
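Review bot: The renamed local on the second `+` line of the `@@ -34,15` hunk, `clientSecretVirtualSupervisorAPIGroup`, still carries "Virtual" even though this same commit removes the `supervisor/virtual` packages everywhere else, so the new name refers to a package that no longer exists. `clientSecretSupervisorAPIGroup, ok := Replace(clientsecretv1alpha1.GroupName, apiGroupSuffix)` with the matching `Group: clientSecretSupervisorAPIGroup,` keeps the vocabulary consistent with the new import and drops the `ok1` suffix, which only reads naturally beside a sibling `ok2`. The new named result `clientSecret` is never assigned (the body returns a literal), so it only serves as documentation; a doc comment on the function would carry that better, e.g. `// SupervisorAggregatedGroups returns the group/version of the Supervisor's aggregated clientsecret API, with apiGroupSuffix applied via Replace; it panics if the static group name cannot be rewritten.`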
@@ -23,17 +23,14 @@ import ( pinnipedconciergeclientsetscheme "go.pinniped.dev/generated/latest/client/concierge/clientset/versioned/scheme" pinnipedsupervisorclientset "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned" pinnipedsupervisorclientsetscheme "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned/scheme" - pinnipedsupervisorvirtualclientset "go.pinniped.dev/generated/latest/client/supervisor/virtual/clientset/versioned" - pinnipedsupervisorvirtualclientsetscheme "go.pinniped.dev/generated/latest/client/supervisor/virtual/clientset/versioned/scheme" "go.pinniped.dev/internal/crypto/ptls" ) type Client struct { - Kubernetes kubernetes.Interface - Aggregation aggregatorclient.Interface - PinnipedConcierge pinnipedconciergeclientset.Interface - PinnipedSupervisor pinnipedsupervisorclientset.Interface - PinnipedSupervisorVirtual pinnipedsupervisorvirtualclientset.Interface + Kubernetes kubernetes.Interface + Aggregation aggregatorclient.Interface + PinnipedConcierge pinnipedconciergeclientset.Interface + PinnipedSupervisor pinnipedsupervisorclientset.Interface JSONConfig, ProtoConfig *restclient.Config } 
@@ -93,17 +90,11 @@ func New(opts ...Option) (*Client, error) { return nil, fmt.Errorf("could not initialize pinniped client: %w", err) } - // Connect to the pinniped supervisor aggregated API. - pinnipedSupervisorVirtualClient, err := pinnipedsupervisorvirtualclientset.NewForConfig(configWithWrapper(jsonKubeConfig, pinnipedsupervisorvirtualclientsetscheme.Scheme, pinnipedsupervisorvirtualclientsetscheme.Codecs, c.middlewares, c.transportWrapper)) - if err != nil { - return nil, fmt.Errorf("could not initialize pinniped client: %w", err) - } return &Client{ - Kubernetes: k8sClient, - Aggregation: aggregatorClient, - PinnipedConcierge: pinnipedConciergeClient, - PinnipedSupervisor: pinnipedSupervisorClient, - PinnipedSupervisorVirtual: pinnipedSupervisorVirtualClient, + Kubernetes: k8sClient, + Aggregation: aggregatorClient, + PinnipedConcierge: pinnipedConciergeClient, + PinnipedSupervisor: pinnipedSupervisorClient, JSONConfig: jsonKubeConfig, ProtoConfig: protoKubeConfig, diff --git a/internal/registry/clientsecretrequest/rest.go b/internal/registry/clientsecretrequest/rest.go index cf01c18d..70a7eb07 100644 --- a/internal/registry/clientsecretrequest/rest.go +++ b/internal/registry/clientsecretrequest/rest.go @@ -14,7 +14,7 @@ import ( "k8s.io/apiserver/pkg/registry/rest" "k8s.io/utils/trace" - oauthapi "go.pinniped.dev/generated/latest/apis/supervisor/virtual/oauth" + clientsecretapi "go.pinniped.dev/generated/latest/apis/supervisor/clientsecret" ) func NewREST() *REST { @@ -33,7 +33,7 @@ var _ interface { } = (*REST)(nil) func (*REST) New() runtime.Object { - return &oauthapi.OIDCClientSecretRequest{} + return &clientsecretapi.OIDCClientSecretRequest{} } func (*REST) NamespaceScoped() bool { 
@@ -57,16 +57,16 @@ func (r *REST) Create(ctx context.Context, obj runtime.Object, createValidation return nil, err } - return &oauthapi.OIDCClientSecretRequest{ - Status: oauthapi.OIDCClientSecretRequestStatus{ + return &clientsecretapi.OIDCClientSecretRequest{ + Status: clientsecretapi.OIDCClientSecretRequestStatus{ GeneratedSecret: "not-a-real-secret", TotalClientSecrets: 20, }, }, nil } -func validateRequest(obj runtime.Object, t *trace.Trace) (*oauthapi.OIDCClientSecretRequest, error) { - clientSecretRequest, ok := obj.(*oauthapi.OIDCClientSecretRequest) +func validateRequest(obj runtime.Object, t *trace.Trace) (*clientsecretapi.OIDCClientSecretRequest, error) { + clientSecretRequest, ok := obj.(*clientsecretapi.OIDCClientSecretRequest) if !ok { traceValidationFailure(t, "not an OIDCClientSecretRequest") return nil, apierrors.NewBadRequest(fmt.Sprintf("not an OIDCClientSecretRequest: %#v", obj)) diff --git a/internal/supervisor/scheme/scheme.go b/internal/supervisor/scheme/scheme.go index 6179040e..d977d012 100644 --- a/internal/supervisor/scheme/scheme.go +++ b/internal/supervisor/scheme/scheme.go @@ -8,8 +8,8 @@ package scheme import ( "fmt" - oauthapi "go.pinniped.dev/generated/latest/apis/supervisor/virtual/oauth" - oauthv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/virtual/oauth/v1alpha1" + clientsecretapi "go.pinniped.dev/generated/latest/apis/supervisor/clientsecret" + clientsecretv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/clientsecret/v1alpha1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/runtime" 
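Review bot: `validateRequest` gets a rewritten signature on the `+func validateRequest(...)` line but still has no doc comment, and since it is the type gate in front of the aggregated-API `Create` handler it deserves one, e.g. `// validateRequest asserts that obj is a *clientsecretapi.OIDCClientSecretRequest, recording the failure on t and returning a BadRequest error otherwise.` (its body continues past the end of the hunk). The `Create` return just above it, which the rename touches, still hands back a fixed `GeneratedSecret: "not-a-real-secret"` / `TotalClientSecrets: 20` status; if that is an intentional stub for this patch series, a `// TODO: replace placeholder status with real client-secret generation` on that literal would keep a reader from mistaking it for finished behaviour. `Create`'s body begins before this hunk.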
@@ -31,21 +31,21 @@ func New(apiGroupSuffix string) (_ *runtime.Scheme, oauth schema.GroupVersion) { // nothing fancy is required if using the standard group suffix if apiGroupSuffix == groupsuffix.PinnipedDefaultSuffix { schemeBuilder := runtime.NewSchemeBuilder( - oauthv1alpha1.AddToScheme, - oauthapi.AddToScheme, + clientsecretv1alpha1.AddToScheme, + clientsecretapi.AddToScheme, ) utilruntime.Must(schemeBuilder.AddToScheme(scheme)) - return scheme, oauthv1alpha1.SchemeGroupVersion + return scheme, clientsecretv1alpha1.SchemeGroupVersion } oauthVirtualSupervisorGroupData := groupsuffix.SupervisorAggregatedGroups(apiGroupSuffix) - addToSchemeAtNewGroup(scheme, oauthv1alpha1.GroupName, oauthVirtualSupervisorGroupData.Group, oauthv1alpha1.AddToScheme, oauthapi.AddToScheme) + addToSchemeAtNewGroup(scheme, clientsecretv1alpha1.GroupName, oauthVirtualSupervisorGroupData.Group, clientsecretv1alpha1.AddToScheme, clientsecretapi.AddToScheme) // manually register conversions and defaulting into the correct scheme since we cannot directly call AddToScheme schemeBuilder := runtime.NewSchemeBuilder( - oauthv1alpha1.RegisterConversions, - oauthv1alpha1.RegisterDefaults, + clientsecretv1alpha1.RegisterConversions, + clientsecretv1alpha1.RegisterDefaults, ) utilruntime.Must(schemeBuilder.AddToScheme(scheme)) 
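Review bot: The import aliases in New are renamed to clientsecret, but the local `oauthVirtualSupervisorGroupData` and the named result `oauth schema.GroupVersion` in the signature keep the old name, so the function now reads as registering an OAuth group into a clientsecret scheme. Renaming the local, e.g. `clientSecretSupervisorGroupData := groupsuffix.SupervisorAggregatedGroups(apiGroupSuffix)`, updating its uses in the `addToSchemeAtNewGroup` call and the final `return`, and renaming the named result to match would keep this hunk consistent with the import rename. The same leftover appears in scheme_test.go as the `wantOAuthGroupVersion` field. New's body continues outside the hunk.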
@@ -53,9 +53,9 @@ func New(apiGroupSuffix string) (_ *runtime.Scheme, oauth schema.GroupVersion) { // today, but we may have some in the future. Calling AddTypeDefaultingFunc overwrites // any previously registered defaulting function. Thus to make sure that we catch // a situation where we add a defaulting func, we attempt to call it here with a nil - // *oauthv1alpha1.OIDCClientSecretRequest. This will do nothing when there is no + // *clientsecretv1alpha1.OIDCClientSecretRequest. This will do nothing when there is no // defaulting func registered, but it will almost certainly panic if one is added. - scheme.Default((*oauthv1alpha1.OIDCClientSecretRequest)(nil)) + scheme.Default((*clientsecretv1alpha1.OIDCClientSecretRequest)(nil)) return scheme, schema.GroupVersion(oauthVirtualSupervisorGroupData) } diff --git a/internal/supervisor/scheme/scheme_test.go b/internal/supervisor/scheme/scheme_test.go index 80d1e1f8..fa860773 100644 --- a/internal/supervisor/scheme/scheme_test.go +++ b/internal/supervisor/scheme/scheme_test.go 
@@ -12,28 +12,28 @@ import ( "k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/runtime/schema" - oauthapi "go.pinniped.dev/generated/latest/apis/supervisor/virtual/oauth" - oauthv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/virtual/oauth/v1alpha1" + clientsecretapi "go.pinniped.dev/generated/latest/apis/supervisor/clientsecret" + clientsecretv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/clientsecret/v1alpha1" ) func TestNew(t *testing.T) { // the standard group - regularOAuthGV := schema.GroupVersion{ - Group: "oauth.virtual.supervisor.pinniped.dev", + regularClientSecretGV := schema.GroupVersion{ + Group: "clientsecret.supervisor.pinniped.dev", Version: "v1alpha1", } - regularOAuthGVInternal := schema.GroupVersion{ - Group: "oauth.virtual.supervisor.pinniped.dev", + regularClientSecretGVInternal := schema.GroupVersion{ + Group: "clientsecret.supervisor.pinniped.dev", Version: runtime.APIVersionInternal, } // the canonical other group - otherOAuthGV := schema.GroupVersion{ - Group: "oauth.virtual.supervisor.walrus.tld", + otherClientSecretGV := schema.GroupVersion{ + Group: "clientsecret.supervisor.walrus.tld", Version: "v1alpha1", } - otherOAuthGVInternal := schema.GroupVersion{ - Group: "oauth.virtual.supervisor.walrus.tld", + otherClientSecretGVInternal := schema.GroupVersion{ + Group: "clientsecret.supervisor.walrus.tld", Version: runtime.APIVersionInternal, } 
@@ -55,19 +55,19 @@ func TestNew(t *testing.T) { want: map[schema.GroupVersionKind]reflect.Type{ // all the types that are in the aggregated API group - regularOAuthGV.WithKind("OIDCClientSecretRequest"): reflect.TypeOf(&oauthv1alpha1.OIDCClientSecretRequest{}).Elem(), + regularClientSecretGV.WithKind("OIDCClientSecretRequest"): reflect.TypeOf(&clientsecretv1alpha1.OIDCClientSecretRequest{}).Elem(), - regularOAuthGVInternal.WithKind("OIDCClientSecretRequest"): reflect.TypeOf(&oauthapi.OIDCClientSecretRequest{}).Elem(), + regularClientSecretGVInternal.WithKind("OIDCClientSecretRequest"): reflect.TypeOf(&clientsecretapi.OIDCClientSecretRequest{}).Elem(), - regularOAuthGV.WithKind("CreateOptions"): reflect.TypeOf(&metav1.CreateOptions{}).Elem(), - regularOAuthGV.WithKind("DeleteOptions"): reflect.TypeOf(&metav1.DeleteOptions{}).Elem(), - regularOAuthGV.WithKind("GetOptions"): reflect.TypeOf(&metav1.GetOptions{}).Elem(), - regularOAuthGV.WithKind("ListOptions"): reflect.TypeOf(&metav1.ListOptions{}).Elem(), - regularOAuthGV.WithKind("PatchOptions"): reflect.TypeOf(&metav1.PatchOptions{}).Elem(), - regularOAuthGV.WithKind("UpdateOptions"): reflect.TypeOf(&metav1.UpdateOptions{}).Elem(), - regularOAuthGV.WithKind("WatchEvent"): reflect.TypeOf(&metav1.WatchEvent{}).Elem(), + regularClientSecretGV.WithKind("CreateOptions"): reflect.TypeOf(&metav1.CreateOptions{}).Elem(), + regularClientSecretGV.WithKind("DeleteOptions"): reflect.TypeOf(&metav1.DeleteOptions{}).Elem(), + regularClientSecretGV.WithKind("GetOptions"): reflect.TypeOf(&metav1.GetOptions{}).Elem(), + regularClientSecretGV.WithKind("ListOptions"): reflect.TypeOf(&metav1.ListOptions{}).Elem(), + regularClientSecretGV.WithKind("PatchOptions"): reflect.TypeOf(&metav1.PatchOptions{}).Elem(), + regularClientSecretGV.WithKind("UpdateOptions"): reflect.TypeOf(&metav1.UpdateOptions{}).Elem(), + regularClientSecretGV.WithKind("WatchEvent"): reflect.TypeOf(&metav1.WatchEvent{}).Elem(), - 
regularOAuthGVInternal.WithKind("WatchEvent"): reflect.TypeOf(&metav1.InternalEvent{}).Elem(), + regularClientSecretGVInternal.WithKind("WatchEvent"): reflect.TypeOf(&metav1.InternalEvent{}).Elem(), // the types below this line do not really matter to us because they are in the core group @@ -86,7 +86,7 @@ func TestNew(t *testing.T) { metav1.Unversioned.WithKind("UpdateOptions"): reflect.TypeOf(&metav1.UpdateOptions{}).Elem(), metav1.Unversioned.WithKind("WatchEvent"): reflect.TypeOf(&metav1.WatchEvent{}).Elem(), }, - wantOAuthGroupVersion: regularOAuthGV, + wantOAuthGroupVersion: regularClientSecretGV, }, { name: "other api group", 
@@ -94,19 +94,19 @@ func TestNew(t *testing.T) { want: map[schema.GroupVersionKind]reflect.Type{ // all the types that are in the aggregated API group - otherOAuthGV.WithKind("OIDCClientSecretRequest"): reflect.TypeOf(&oauthv1alpha1.OIDCClientSecretRequest{}).Elem(), + otherClientSecretGV.WithKind("OIDCClientSecretRequest"): reflect.TypeOf(&clientsecretv1alpha1.OIDCClientSecretRequest{}).Elem(), - otherOAuthGVInternal.WithKind("OIDCClientSecretRequest"): reflect.TypeOf(&oauthapi.OIDCClientSecretRequest{}).Elem(), + otherClientSecretGVInternal.WithKind("OIDCClientSecretRequest"): reflect.TypeOf(&clientsecretapi.OIDCClientSecretRequest{}).Elem(), - otherOAuthGV.WithKind("CreateOptions"): reflect.TypeOf(&metav1.CreateOptions{}).Elem(), - otherOAuthGV.WithKind("DeleteOptions"): reflect.TypeOf(&metav1.DeleteOptions{}).Elem(), - otherOAuthGV.WithKind("GetOptions"): reflect.TypeOf(&metav1.GetOptions{}).Elem(), - otherOAuthGV.WithKind("ListOptions"): reflect.TypeOf(&metav1.ListOptions{}).Elem(), - otherOAuthGV.WithKind("PatchOptions"): reflect.TypeOf(&metav1.PatchOptions{}).Elem(), - otherOAuthGV.WithKind("UpdateOptions"): reflect.TypeOf(&metav1.UpdateOptions{}).Elem(), - otherOAuthGV.WithKind("WatchEvent"): reflect.TypeOf(&metav1.WatchEvent{}).Elem(), + otherClientSecretGV.WithKind("CreateOptions"): reflect.TypeOf(&metav1.CreateOptions{}).Elem(), + otherClientSecretGV.WithKind("DeleteOptions"): reflect.TypeOf(&metav1.DeleteOptions{}).Elem(), + otherClientSecretGV.WithKind("GetOptions"): reflect.TypeOf(&metav1.GetOptions{}).Elem(), + otherClientSecretGV.WithKind("ListOptions"): reflect.TypeOf(&metav1.ListOptions{}).Elem(), + otherClientSecretGV.WithKind("PatchOptions"): reflect.TypeOf(&metav1.PatchOptions{}).Elem(), + otherClientSecretGV.WithKind("UpdateOptions"): reflect.TypeOf(&metav1.UpdateOptions{}).Elem(), + otherClientSecretGV.WithKind("WatchEvent"): reflect.TypeOf(&metav1.WatchEvent{}).Elem(), - otherOAuthGVInternal.WithKind("WatchEvent"): 
reflect.TypeOf(&metav1.InternalEvent{}).Elem(), + otherClientSecretGVInternal.WithKind("WatchEvent"): reflect.TypeOf(&metav1.InternalEvent{}).Elem(), // the types below this line do not really matter to us because they are in the core group @@ -125,7 +125,7 @@ func TestNew(t *testing.T) { metav1.Unversioned.WithKind("UpdateOptions"): reflect.TypeOf(&metav1.UpdateOptions{}).Elem(), metav1.Unversioned.WithKind("WatchEvent"): reflect.TypeOf(&metav1.WatchEvent{}).Elem(), }, - wantOAuthGroupVersion: otherOAuthGV, + wantOAuthGroupVersion: otherClientSecretGV, }, } for _, tt := range tests { diff --git a/test/integration/kube_api_discovery_test.go b/test/integration/kube_api_discovery_test.go index 835dcf0a..9c3b9602 100644 --- a/test/integration/kube_api_discovery_test.go +++ b/test/integration/kube_api_discovery_test.go @@ -53,8 +53,7 @@ func TestGetAPIResourceList(t *testing.T) { configConciergeGV := makeGV("config", "concierge") idpSupervisorGV := makeGV("idp", "supervisor") configSupervisorGV := makeGV("config", "supervisor") - oauthSupervisorGV := makeGV("oauth", "supervisor") - oauthVirtualSupervisorGV := makeGV("oauth.virtual", "supervisor") + oauthVirtualSupervisorGV := makeGV("clientsecret", "supervisor") tests := []struct { group metav1.APIGroup @@ -168,25 +167,6 @@ func TestGetAPIResourceList(t *testing.T) { Kind: "FederationDomain", Verbs: []string{"get", "patch", "update"}, }, - }, - }, - }, - { - group: metav1.APIGroup{ - Name: oauthSupervisorGV.Group, - Versions: []metav1.GroupVersionForDiscovery{ - { - GroupVersion: oauthSupervisorGV.String(), - Version: oauthSupervisorGV.Version, - }, - }, - PreferredVersion: metav1.GroupVersionForDiscovery{ - GroupVersion: oauthSupervisorGV.String(), - Version: oauthSupervisorGV.Version, - }, - }, - resourceByVersion: map[string][]metav1.APIResource{ - oauthSupervisorGV.String(): { { Name: "oidcclients", SingularName: "oidcclient", 
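Review bot: `oauthVirtualSupervisorGV := makeGV("clientsecret", "supervisor")` keeps a variable name that no longer describes the group it builds, which will mislead anyone reading the discovery expectations further down; `clientSecretSupervisorGV := makeGV("clientsecret", "supervisor")` with its uses updated would match the rename done elsewhere in this patch. In the second hunk the `oidcclients` resource is folded into the resource list of the preceding group entry, but that entry's header is outside the hunk, so that it now lands under the config.supervisor group is inferred rather than visible. TestGetAPIResourceList's body continues outside both hunks.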
@@ -550,7 +530,7 @@ func TestCRDAdditionalPrinterColumns_Parallel(t *testing.T) { {Name: "Age", Type: "date", JSONPath: ".metadata.creationTimestamp"}, }, }, - addSuffix("oidcclients.oauth.supervisor"): { + addSuffix("oidcclients.config.supervisor"): { "v1alpha1": []apiextensionsv1.CustomResourceColumnDefinition{ {Name: "Age", Type: "date", JSONPath: ".metadata.creationTimestamp"}, }, diff --git a/test/integration/supervisor_oidcclientsecret_test.go b/test/integration/supervisor_oidcclientsecret_test.go index 9133f0c7..8e41b0ff 100644 --- a/test/integration/supervisor_oidcclientsecret_test.go +++ b/test/integration/supervisor_oidcclientsecret_test.go @@ -11,7 +11,7 @@ import ( "github.com/stretchr/testify/require" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - "go.pinniped.dev/generated/latest/apis/supervisor/virtual/oauth/v1alpha1" + "go.pinniped.dev/generated/latest/apis/supervisor/clientsecret/v1alpha1" "go.pinniped.dev/test/testlib" ) @@ -21,9 +21,9 @@ func TestOIDCClientSecretRequest_HappyPath_Parallel(t *testing.T) { ctx, cancel := context.WithTimeout(context.Background(), time.Minute) defer cancel() - client := testlib.NewVirtualSupervisorClientset(t) + client := testlib.NewSupervisorClientset(t) - response, err := client.OauthV1alpha1().OIDCClientSecretRequests(env.SupervisorNamespace).Create(ctx, + response, err := client.ClientsecretV1alpha1().OIDCClientSecretRequests(env.SupervisorNamespace).Create(ctx, &v1alpha1.OIDCClientSecretRequest{ Spec: v1alpha1.OIDCClientSecretRequestSpec{ GenerateNewSecret: true, 
@@ -41,9 +41,9 @@ func TestOIDCClientSecretRequest_Unauthenticated_Parallel(t *testing.T) { ctx, cancel := context.WithTimeout(context.Background(), time.Minute) defer cancel() - client := testlib.NewAnonymousVirtualSupervisorClientset(t) + client := testlib.NewAnonymousSupervisorClientset(t) - _, err := client.OauthV1alpha1().OIDCClientSecretRequests(env.SupervisorNamespace).Create(ctx, + _, err := client.ClientsecretV1alpha1().OIDCClientSecretRequests(env.SupervisorNamespace).Create(ctx, &v1alpha1.OIDCClientSecretRequest{ Spec: v1alpha1.OIDCClientSecretRequestSpec{ GenerateNewSecret: true, diff --git a/test/testlib/client.go b/test/testlib/client.go index 376e1462..b395d6fe 100644 --- a/test/testlib/client.go +++ b/test/testlib/client.go @@ -34,7 +34,6 @@ import ( idpv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/idp/v1alpha1" conciergeclientset "go.pinniped.dev/generated/latest/client/concierge/clientset/versioned" supervisorclientset "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned" - virtualsupervisorclientset "go.pinniped.dev/generated/latest/client/supervisor/virtual/clientset/versioned" "go.pinniped.dev/internal/groupsuffix" "go.pinniped.dev/internal/kubeclient" @@ -87,16 +86,10 @@ func NewSupervisorClientset(t *testing.T) supervisorclientset.Interface { return NewKubeclient(t, NewClientConfig(t)).PinnipedSupervisor } -func NewAnonymousVirtualSupervisorClientset(t *testing.T) virtualsupervisorclientset.Interface { +func NewAnonymousSupervisorClientset(t *testing.T) supervisorclientset.Interface { t.Helper() - return NewKubeclient(t, NewAnonymousClientRestConfig(t)).PinnipedSupervisorVirtual -} - -func NewVirtualSupervisorClientset(t *testing.T) virtualsupervisorclientset.Interface { - t.Helper() - - return NewKubeclient(t, NewClientConfig(t)).PinnipedSupervisorVirtual + return NewKubeclient(t, NewAnonymousClientRestConfig(t)).PinnipedSupervisor } func NewConciergeClientset(t *testing.T) conciergeclientset.Interface { 
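Review bot: `NewAnonymousSupervisorClientset` is exported but has no doc comment, and since it now returns the same `supervisorclientset.Interface` as `NewSupervisorClientset` the only visible difference between the two is the rest config they pass in, so the contract is worth stating: `// NewAnonymousSupervisorClientset returns a supervisor clientset built from NewAnonymousClientRestConfig, i.e. one that sends no credentials; use it in tests that assert unauthenticated requests are rejected.` The unauthenticated test in supervisor_oidcclientsecret_test.go depends on exactly that property, so a test author picking the wrong constructor could get a passing test for the wrong reason. `NewAnonymousClientRestConfig` is defined outside the hunk, so what "anonymous" means there is inferred from its name.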
From 0c1f48cbc1d5f3d5412c728c78f27a44cf30f71c Mon Sep 17 00:00:00 2001 From: Margo Crawford Date: Mon, 13 Jun 2022 15:48:54 -0700 Subject: [PATCH 15/61] Move oidcclient into config.supervisor.pinniped.dev 
Signed-off-by: Margo Crawford --- .../config/v1alpha1/register.go.tmpl | 2 + .../v1alpha1/types_oidcclient.go.tmpl | 0 apis/supervisor/oauth/v1alpha1/doc.go.tmpl | 10 -- .../oauth/v1alpha1/register.go.tmpl | 43 ------ ...g.supervisor.pinniped.dev_oidcclients.yaml | 4 +- deploy/supervisor/z0_crd_overlay.yaml | 6 +- generated/1.17/README.adoc | 99 ++++++-------- .../supervisor/config/v1alpha1/register.go | 2 + .../v1alpha1/types_oidcclient.go | 0 .../config/v1alpha1/zz_generated.deepcopy.go | 108 +++++++++++++++ .../apis/supervisor/oauth/v1alpha1/doc.go | 10 -- .../supervisor/oauth/v1alpha1/register.go | 43 ------ .../oauth/v1alpha1/zz_generated.deepcopy.go | 121 ---------------- .../clientset/versioned/clientset.go | 14 -- .../versioned/fake/clientset_generated.go | 7 - .../clientset/versioned/fake/register.go | 2 - .../clientset/versioned/scheme/register.go | 2 - .../typed/config/v1alpha1/config_client.go | 5 + .../v1alpha1/fake/fake_config_client.go | 4 + .../v1alpha1/fake/fake_oidcclient.go | 8 +- .../config/v1alpha1/generated_expansion.go | 2 + .../{oauth => config}/v1alpha1/oidcclient.go | 4 +- .../versioned/typed/oauth/v1alpha1/doc.go | 7 - .../typed/oauth/v1alpha1/fake/doc.go | 7 - .../oauth/v1alpha1/fake/fake_oauth_client.go | 27 ---- .../oauth/v1alpha1/generated_expansion.go | 8 -- .../typed/oauth/v1alpha1/oauth_client.go | 76 ----------- .../config/v1alpha1/interface.go | 7 + .../{oauth => config}/v1alpha1/oidcclient.go | 12 +- .../informers/externalversions/factory.go | 6 - .../informers/externalversions/generic.go | 7 +- .../externalversions/oauth/interface.go | 33 ----- .../oauth/v1alpha1/interface.go | 32 ----- .../config/v1alpha1/expansion_generated.go | 8 ++ .../{oauth => config}/v1alpha1/oidcclient.go | 2 +- .../oauth/v1alpha1/expansion_generated.go | 14 -- ....supervisor.pinniped.dev_oidcclients.yaml} | 4 +- generated/1.18/README.adoc | 99 ++++++-------- .../supervisor/config/v1alpha1/register.go | 2 + .../v1alpha1/types_oidcclient.go | 0 
.../config/v1alpha1/zz_generated.deepcopy.go | 108 +++++++++++++++ .../apis/supervisor/oauth/v1alpha1/doc.go | 10 -- .../supervisor/oauth/v1alpha1/register.go | 43 ------ .../oauth/v1alpha1/zz_generated.deepcopy.go | 121 ---------------- .../clientset/versioned/clientset.go | 14 -- .../versioned/fake/clientset_generated.go | 7 - .../clientset/versioned/fake/register.go | 2 - .../clientset/versioned/scheme/register.go | 2 - .../typed/config/v1alpha1/config_client.go | 5 + .../v1alpha1/fake/fake_config_client.go | 4 + .../v1alpha1/fake/fake_oidcclient.go | 8 +- .../config/v1alpha1/generated_expansion.go | 2 + .../{oauth => config}/v1alpha1/oidcclient.go | 4 +- .../versioned/typed/oauth/v1alpha1/doc.go | 7 - .../typed/oauth/v1alpha1/fake/doc.go | 7 - .../oauth/v1alpha1/fake/fake_oauth_client.go | 27 ---- .../oauth/v1alpha1/generated_expansion.go | 8 -- .../typed/oauth/v1alpha1/oauth_client.go | 76 ----------- .../config/v1alpha1/interface.go | 7 + .../{oauth => config}/v1alpha1/oidcclient.go | 12 +- .../informers/externalversions/factory.go | 6 - .../informers/externalversions/generic.go | 7 +- .../externalversions/oauth/interface.go | 33 ----- .../oauth/v1alpha1/interface.go | 32 ----- .../config/v1alpha1/expansion_generated.go | 8 ++ .../{oauth => config}/v1alpha1/oidcclient.go | 2 +- .../oauth/v1alpha1/expansion_generated.go | 14 -- ...g.supervisor.pinniped.dev_oidcclients.yaml | 4 +- generated/1.19/README.adoc | 99 ++++++-------- .../supervisor/config/v1alpha1/register.go | 2 + .../v1alpha1/types_oidcclient.go | 0 .../config/v1alpha1/zz_generated.deepcopy.go | 108 +++++++++++++++ .../apis/supervisor/oauth/v1alpha1/doc.go | 10 -- .../supervisor/oauth/v1alpha1/register.go | 43 ------ .../oauth/v1alpha1/zz_generated.deepcopy.go | 121 ---------------- .../clientset/versioned/clientset.go | 14 -- .../versioned/fake/clientset_generated.go | 7 - .../clientset/versioned/fake/register.go | 2 - .../clientset/versioned/scheme/register.go | 2 - 
.../typed/config/v1alpha1/config_client.go | 5 + .../v1alpha1/fake/fake_config_client.go | 4 + .../config}/v1alpha1/fake/fake_oidcclient.go | 8 +- .../config/v1alpha1/generated_expansion.go | 2 + .../{oauth => config}/v1alpha1/oidcclient.go | 4 +- .../versioned/typed/oauth/v1alpha1/doc.go | 7 - .../typed/oauth/v1alpha1/fake/doc.go | 7 - .../oauth/v1alpha1/fake/fake_oauth_client.go | 27 ---- .../oauth/v1alpha1/generated_expansion.go | 8 -- .../typed/oauth/v1alpha1/oauth_client.go | 76 ----------- .../config/v1alpha1/interface.go | 7 + .../{oauth => config}/v1alpha1/oidcclient.go | 12 +- .../informers/externalversions/factory.go | 6 - .../informers/externalversions/generic.go | 7 +- .../externalversions/oauth/interface.go | 33 ----- .../oauth/v1alpha1/interface.go | 32 ----- .../config/v1alpha1/expansion_generated.go | 8 ++ .../{oauth => config}/v1alpha1/oidcclient.go | 2 +- .../oauth/v1alpha1/expansion_generated.go | 14 -- ....supervisor.pinniped.dev_oidcclients.yaml} | 4 +- generated/1.20/README.adoc | 99 ++++++-------- .../supervisor/config/v1alpha1/register.go | 2 + .../v1alpha1/types_oidcclient.go | 0 .../config/v1alpha1/zz_generated.deepcopy.go | 108 +++++++++++++++ .../apis/supervisor/oauth/v1alpha1/doc.go | 10 -- .../supervisor/oauth/v1alpha1/register.go | 43 ------ .../oauth/v1alpha1/zz_generated.deepcopy.go | 121 ---------------- .../clientset/versioned/clientset.go | 14 -- .../versioned/fake/clientset_generated.go | 7 - .../clientset/versioned/fake/register.go | 2 - .../clientset/versioned/scheme/register.go | 2 - .../typed/config/v1alpha1/config_client.go | 5 + .../v1alpha1/fake/fake_config_client.go | 4 + .../v1alpha1/fake/fake_oidcclient.go | 8 +- .../config/v1alpha1/generated_expansion.go | 2 + .../{oauth => config}/v1alpha1/oidcclient.go | 4 +- .../versioned/typed/oauth/v1alpha1/doc.go | 7 - .../typed/oauth/v1alpha1/fake/doc.go | 7 - .../oauth/v1alpha1/fake/fake_oauth_client.go | 27 ---- .../oauth/v1alpha1/generated_expansion.go | 8 -- 
.../typed/oauth/v1alpha1/oauth_client.go | 76 ----------- .../config/v1alpha1/interface.go | 7 + .../{oauth => config}/v1alpha1/oidcclient.go | 12 +- .../informers/externalversions/factory.go | 6 - .../informers/externalversions/generic.go | 7 +- .../externalversions/oauth/interface.go | 33 ----- .../oauth/v1alpha1/interface.go | 32 ----- .../config/v1alpha1/expansion_generated.go | 8 ++ .../listers/config}/v1alpha1/oidcclient.go | 2 +- .../oauth/v1alpha1/expansion_generated.go | 14 -- ...g.supervisor.pinniped.dev_oidcclients.yaml | 125 +++++++++++++++++ ...h.supervisor.pinniped.dev_oidcclients.yaml | 125 ----------------- generated/1.21/README.adoc | 99 ++++++-------- .../supervisor/config/v1alpha1/register.go | 2 + .../v1alpha1/types_oidcclient.go | 0 .../config/v1alpha1/zz_generated.deepcopy.go | 108 +++++++++++++++ .../apis/supervisor/oauth/v1alpha1/doc.go | 10 -- .../supervisor/oauth/v1alpha1/register.go | 43 ------ .../oauth/v1alpha1/zz_generated.deepcopy.go | 121 ---------------- .../clientset/versioned/clientset.go | 14 -- .../versioned/fake/clientset_generated.go | 7 - .../clientset/versioned/fake/register.go | 2 - .../clientset/versioned/scheme/register.go | 2 - .../typed/config/v1alpha1/config_client.go | 5 + .../v1alpha1/fake/fake_config_client.go | 4 + .../config}/v1alpha1/fake/fake_oidcclient.go | 8 +- .../config/v1alpha1/generated_expansion.go | 2 + .../{oauth => config}/v1alpha1/oidcclient.go | 4 +- .../versioned/typed/oauth/v1alpha1/doc.go | 7 - .../typed/oauth/v1alpha1/fake/doc.go | 7 - .../oauth/v1alpha1/fake/fake_oauth_client.go | 27 ---- .../oauth/v1alpha1/generated_expansion.go | 8 -- .../typed/oauth/v1alpha1/oauth_client.go | 76 ----------- .../config/v1alpha1/interface.go | 7 + .../{oauth => config}/v1alpha1/oidcclient.go | 12 +- .../informers/externalversions/factory.go | 6 - .../informers/externalversions/generic.go | 7 +- .../externalversions/oauth/interface.go | 33 ----- .../oauth/v1alpha1/interface.go | 32 ----- 
.../config/v1alpha1/expansion_generated.go | 8 ++ .../listers/config}/v1alpha1/oidcclient.go | 2 +- .../oauth/v1alpha1/expansion_generated.go | 14 -- ...g.supervisor.pinniped.dev_oidcclients.yaml | 125 +++++++++++++++++ ...h.supervisor.pinniped.dev_oidcclients.yaml | 125 ----------------- generated/1.22/README.adoc | 99 ++++++-------- .../supervisor/config/v1alpha1/register.go | 2 + .../v1alpha1/types_oidcclient.go | 0 .../config/v1alpha1/zz_generated.deepcopy.go | 108 +++++++++++++++ .../apis/supervisor/oauth/v1alpha1/doc.go | 10 -- .../supervisor/oauth/v1alpha1/register.go | 43 ------ .../oauth/v1alpha1/zz_generated.deepcopy.go | 121 ---------------- .../clientset/versioned/clientset.go | 14 -- .../versioned/fake/clientset_generated.go | 7 - .../clientset/versioned/fake/register.go | 2 - .../clientset/versioned/scheme/register.go | 2 - .../typed/config/v1alpha1/config_client.go | 5 + .../v1alpha1/fake/fake_config_client.go | 4 + .../config/v1alpha1/fake/fake_oidcclient.go | 129 ++++++++++++++++++ .../config/v1alpha1/generated_expansion.go | 2 + .../{oauth => config}/v1alpha1/oidcclient.go | 4 +- .../versioned/typed/oauth/v1alpha1/doc.go | 7 - .../typed/oauth/v1alpha1/fake/doc.go | 7 - .../oauth/v1alpha1/fake/fake_oauth_client.go | 27 ---- .../oauth/v1alpha1/fake/fake_oidcclient.go | 129 ------------------ .../oauth/v1alpha1/generated_expansion.go | 8 -- .../typed/oauth/v1alpha1/oauth_client.go | 76 ----------- .../config/v1alpha1/interface.go | 7 + .../{oauth => config}/v1alpha1/oidcclient.go | 12 +- .../informers/externalversions/factory.go | 6 - .../informers/externalversions/generic.go | 7 +- .../externalversions/oauth/interface.go | 33 ----- .../oauth/v1alpha1/interface.go | 32 ----- .../config/v1alpha1/expansion_generated.go | 8 ++ .../{oauth => config}/v1alpha1/oidcclient.go | 2 +- .../oauth/v1alpha1/expansion_generated.go | 14 -- ...g.supervisor.pinniped.dev_oidcclients.yaml | 125 +++++++++++++++++ ...h.supervisor.pinniped.dev_oidcclients.yaml | 125 
----------------- generated/1.23/README.adoc | 99 ++++++-------- .../supervisor/config/v1alpha1/register.go | 2 + .../v1alpha1/types_oidcclient.go | 0 .../config/v1alpha1/zz_generated.deepcopy.go | 108 +++++++++++++++ .../apis/supervisor/oauth/v1alpha1/doc.go | 10 -- .../supervisor/oauth/v1alpha1/register.go | 43 ------ .../oauth/v1alpha1/zz_generated.deepcopy.go | 121 ---------------- .../clientset/versioned/clientset.go | 13 -- .../versioned/fake/clientset_generated.go | 7 - .../clientset/versioned/fake/register.go | 2 - .../clientset/versioned/scheme/register.go | 2 - .../typed/config/v1alpha1/config_client.go | 5 + .../v1alpha1/fake/fake_config_client.go | 4 + .../v1alpha1/fake/fake_oidcclient.go | 8 +- .../config/v1alpha1/generated_expansion.go | 2 + .../{oauth => config}/v1alpha1/oidcclient.go | 4 +- .../versioned/typed/oauth/v1alpha1/doc.go | 7 - .../typed/oauth/v1alpha1/fake/doc.go | 7 - .../oauth/v1alpha1/fake/fake_oauth_client.go | 27 ---- .../oauth/v1alpha1/generated_expansion.go | 8 -- .../typed/oauth/v1alpha1/oauth_client.go | 94 ------------- .../config/v1alpha1/interface.go | 7 + .../{oauth => config}/v1alpha1/oidcclient.go | 12 +- .../informers/externalversions/factory.go | 6 - .../informers/externalversions/generic.go | 7 +- .../externalversions/oauth/interface.go | 33 ----- .../oauth/v1alpha1/interface.go | 32 ----- .../config/v1alpha1/expansion_generated.go | 8 ++ .../listers/config/v1alpha1/oidcclient.go | 86 ++++++++++++ .../oauth/v1alpha1/expansion_generated.go | 14 -- .../listers/oauth/v1alpha1/oidcclient.go | 86 ------------ ...g.supervisor.pinniped.dev_oidcclients.yaml | 125 +++++++++++++++++ ...h.supervisor.pinniped.dev_oidcclients.yaml | 125 ----------------- generated/1.24/README.adoc | 99 ++++++-------- .../supervisor/config/v1alpha1/register.go | 2 + .../v1alpha1/types_oidcclient.go | 0 .../config/v1alpha1/zz_generated.deepcopy.go | 108 +++++++++++++++ .../apis/supervisor/oauth/v1alpha1/doc.go | 10 -- 
.../supervisor/oauth/v1alpha1/register.go | 43 ------ .../oauth/v1alpha1/zz_generated.deepcopy.go | 121 ---------------- .../clientset/versioned/clientset.go | 13 -- .../versioned/fake/clientset_generated.go | 7 - .../clientset/versioned/fake/register.go | 2 - .../clientset/versioned/scheme/register.go | 2 - .../typed/config/v1alpha1/config_client.go | 5 + .../v1alpha1/fake/fake_config_client.go | 4 + .../v1alpha1/fake/fake_oidcclient.go | 8 +- .../config/v1alpha1/generated_expansion.go | 2 + .../{oauth => config}/v1alpha1/oidcclient.go | 4 +- .../versioned/typed/oauth/v1alpha1/doc.go | 7 - .../typed/oauth/v1alpha1/fake/doc.go | 7 - .../oauth/v1alpha1/fake/fake_oauth_client.go | 27 ---- .../oauth/v1alpha1/generated_expansion.go | 8 -- .../typed/oauth/v1alpha1/oauth_client.go | 94 ------------- .../config/v1alpha1/interface.go | 7 + .../{oauth => config}/v1alpha1/oidcclient.go | 12 +- .../informers/externalversions/factory.go | 6 - .../informers/externalversions/generic.go | 7 +- .../externalversions/oauth/interface.go | 33 ----- .../oauth/v1alpha1/interface.go | 32 ----- .../config/v1alpha1/expansion_generated.go | 8 ++ .../listers/config/v1alpha1/oidcclient.go | 86 ++++++++++++ .../oauth/v1alpha1/expansion_generated.go | 14 -- .../listers/oauth/v1alpha1/oidcclient.go | 86 ------------ ...g.supervisor.pinniped.dev_oidcclients.yaml | 125 +++++++++++++++++ ...h.supervisor.pinniped.dev_oidcclients.yaml | 125 ----------------- .../supervisor/config/v1alpha1/register.go | 2 + .../v1alpha1/types_oidcclient.go | 0 .../config/v1alpha1/zz_generated.deepcopy.go | 108 +++++++++++++++ .../apis/supervisor/oauth/v1alpha1/doc.go | 10 -- .../supervisor/oauth/v1alpha1/register.go | 43 ------ .../oauth/v1alpha1/zz_generated.deepcopy.go | 121 ---------------- .../clientset/versioned/clientset.go | 13 -- .../versioned/fake/clientset_generated.go | 7 - .../clientset/versioned/fake/register.go | 2 - .../clientset/versioned/scheme/register.go | 2 - 
.../typed/config/v1alpha1/config_client.go | 5 + .../v1alpha1/fake/fake_config_client.go | 4 + .../v1alpha1/fake/fake_oidcclient.go | 8 +- .../config/v1alpha1/generated_expansion.go | 2 + .../{oauth => config}/v1alpha1/oidcclient.go | 4 +- .../versioned/typed/oauth/v1alpha1/doc.go | 7 - .../typed/oauth/v1alpha1/fake/doc.go | 7 - .../oauth/v1alpha1/fake/fake_oauth_client.go | 27 ---- .../oauth/v1alpha1/generated_expansion.go | 8 -- .../typed/oauth/v1alpha1/oauth_client.go | 94 ------------- .../config/v1alpha1/interface.go | 7 + .../{oauth => config}/v1alpha1/oidcclient.go | 12 +- .../informers/externalversions/factory.go | 6 - .../informers/externalversions/generic.go | 7 +- .../externalversions/oauth/interface.go | 33 ----- .../oauth/v1alpha1/interface.go | 32 ----- .../config/v1alpha1/expansion_generated.go | 8 ++ .../listers/config/v1alpha1/oidcclient.go | 86 ++++++++++++ .../oauth/v1alpha1/expansion_generated.go | 14 -- .../listers/oauth/v1alpha1/oidcclient.go | 86 ------------ hack/lib/update-codegen.sh | 5 +- test/integration/kube_api_discovery_test.go | 22 +-- 294 files changed, 2740 insertions(+), 5419 deletions(-) rename apis/supervisor/{oauth => config}/v1alpha1/types_oidcclient.go.tmpl (100%) delete mode 100644 apis/supervisor/oauth/v1alpha1/doc.go.tmpl delete mode 100644 apis/supervisor/oauth/v1alpha1/register.go.tmpl rename generated/1.17/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml => deploy/supervisor/config.supervisor.pinniped.dev_oidcclients.yaml (98%) rename generated/1.17/apis/supervisor/{oauth => config}/v1alpha1/types_oidcclient.go (100%) delete mode 100644 generated/1.17/apis/supervisor/oauth/v1alpha1/doc.go delete mode 100644 generated/1.17/apis/supervisor/oauth/v1alpha1/register.go delete mode 100644 generated/1.17/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go rename generated/1.17/client/supervisor/clientset/versioned/typed/{oauth => config}/v1alpha1/fake/fake_oidcclient.go (92%) rename 
generated/1.17/client/supervisor/clientset/versioned/typed/{oauth => config}/v1alpha1/oidcclient.go (97%) delete mode 100644 generated/1.17/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/doc.go delete mode 100644 generated/1.17/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go delete mode 100644 generated/1.17/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go delete mode 100644 generated/1.17/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go delete mode 100644 generated/1.17/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go rename generated/1.17/client/supervisor/informers/externalversions/{oauth => config}/v1alpha1/oidcclient.go (89%) delete mode 100644 generated/1.17/client/supervisor/informers/externalversions/oauth/interface.go delete mode 100644 generated/1.17/client/supervisor/informers/externalversions/oauth/v1alpha1/interface.go rename generated/1.17/client/supervisor/listers/{oauth => config}/v1alpha1/oidcclient.go (97%) delete mode 100644 generated/1.17/client/supervisor/listers/oauth/v1alpha1/expansion_generated.go rename generated/{1.18/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml => 1.17/crds/config.supervisor.pinniped.dev_oidcclients.yaml} (98%) rename generated/1.18/apis/supervisor/{oauth => config}/v1alpha1/types_oidcclient.go (100%) delete mode 100644 generated/1.18/apis/supervisor/oauth/v1alpha1/doc.go delete mode 100644 generated/1.18/apis/supervisor/oauth/v1alpha1/register.go delete mode 100644 generated/1.18/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go rename generated/1.18/client/supervisor/clientset/versioned/typed/{oauth => config}/v1alpha1/fake/fake_oidcclient.go (92%) rename generated/1.18/client/supervisor/clientset/versioned/typed/{oauth => config}/v1alpha1/oidcclient.go (97%) delete mode 100644 generated/1.18/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/doc.go delete mode 100644 
generated/1.18/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go delete mode 100644 generated/1.18/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go delete mode 100644 generated/1.18/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go delete mode 100644 generated/1.18/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go rename generated/1.18/client/supervisor/informers/externalversions/{oauth => config}/v1alpha1/oidcclient.go (88%) delete mode 100644 generated/1.18/client/supervisor/informers/externalversions/oauth/interface.go delete mode 100644 generated/1.18/client/supervisor/informers/externalversions/oauth/v1alpha1/interface.go rename generated/1.18/client/supervisor/listers/{oauth => config}/v1alpha1/oidcclient.go (97%) delete mode 100644 generated/1.18/client/supervisor/listers/oauth/v1alpha1/expansion_generated.go rename deploy/supervisor/oauth.supervisor.pinniped.dev_oidcclients.yaml => generated/1.18/crds/config.supervisor.pinniped.dev_oidcclients.yaml (98%) rename generated/1.19/apis/supervisor/{oauth => config}/v1alpha1/types_oidcclient.go (100%) delete mode 100644 generated/1.19/apis/supervisor/oauth/v1alpha1/doc.go delete mode 100644 generated/1.19/apis/supervisor/oauth/v1alpha1/register.go delete mode 100644 generated/1.19/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go rename generated/{1.21/client/supervisor/clientset/versioned/typed/oauth => 1.19/client/supervisor/clientset/versioned/typed/config}/v1alpha1/fake/fake_oidcclient.go (92%) rename generated/1.19/client/supervisor/clientset/versioned/typed/{oauth => config}/v1alpha1/oidcclient.go (97%) delete mode 100644 generated/1.19/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/doc.go delete mode 100644 generated/1.19/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go delete mode 100644 
generated/1.19/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go delete mode 100644 generated/1.19/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go delete mode 100644 generated/1.19/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go rename generated/1.19/client/supervisor/informers/externalversions/{oauth => config}/v1alpha1/oidcclient.go (88%) delete mode 100644 generated/1.19/client/supervisor/informers/externalversions/oauth/interface.go delete mode 100644 generated/1.19/client/supervisor/informers/externalversions/oauth/v1alpha1/interface.go rename generated/1.19/client/supervisor/listers/{oauth => config}/v1alpha1/oidcclient.go (97%) delete mode 100644 generated/1.19/client/supervisor/listers/oauth/v1alpha1/expansion_generated.go rename generated/1.19/crds/{oauth.supervisor.pinniped.dev_oidcclients.yaml => config.supervisor.pinniped.dev_oidcclients.yaml} (98%) rename generated/1.20/apis/supervisor/{oauth => config}/v1alpha1/types_oidcclient.go (100%) delete mode 100644 generated/1.20/apis/supervisor/oauth/v1alpha1/doc.go delete mode 100644 generated/1.20/apis/supervisor/oauth/v1alpha1/register.go delete mode 100644 generated/1.20/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go rename generated/1.20/client/supervisor/clientset/versioned/typed/{oauth => config}/v1alpha1/fake/fake_oidcclient.go (92%) rename generated/1.20/client/supervisor/clientset/versioned/typed/{oauth => config}/v1alpha1/oidcclient.go (97%) delete mode 100644 generated/1.20/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/doc.go delete mode 100644 generated/1.20/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go delete mode 100644 generated/1.20/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go delete mode 100644 generated/1.20/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go delete mode 100644 
generated/1.20/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go rename generated/1.20/client/supervisor/informers/externalversions/{oauth => config}/v1alpha1/oidcclient.go (88%) delete mode 100644 generated/1.20/client/supervisor/informers/externalversions/oauth/interface.go delete mode 100644 generated/1.20/client/supervisor/informers/externalversions/oauth/v1alpha1/interface.go rename generated/{1.21/client/supervisor/listers/oauth => 1.20/client/supervisor/listers/config}/v1alpha1/oidcclient.go (97%) delete mode 100644 generated/1.20/client/supervisor/listers/oauth/v1alpha1/expansion_generated.go create mode 100644 generated/1.20/crds/config.supervisor.pinniped.dev_oidcclients.yaml delete mode 100644 generated/1.20/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml rename generated/1.21/apis/supervisor/{oauth => config}/v1alpha1/types_oidcclient.go (100%) delete mode 100644 generated/1.21/apis/supervisor/oauth/v1alpha1/doc.go delete mode 100644 generated/1.21/apis/supervisor/oauth/v1alpha1/register.go delete mode 100644 generated/1.21/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go rename generated/{1.19/client/supervisor/clientset/versioned/typed/oauth => 1.21/client/supervisor/clientset/versioned/typed/config}/v1alpha1/fake/fake_oidcclient.go (92%) rename generated/1.21/client/supervisor/clientset/versioned/typed/{oauth => config}/v1alpha1/oidcclient.go (97%) delete mode 100644 generated/1.21/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/doc.go delete mode 100644 generated/1.21/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go delete mode 100644 generated/1.21/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go delete mode 100644 generated/1.21/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go delete mode 100644 generated/1.21/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go rename 
generated/1.21/client/supervisor/informers/externalversions/{oauth => config}/v1alpha1/oidcclient.go (88%) delete mode 100644 generated/1.21/client/supervisor/informers/externalversions/oauth/interface.go delete mode 100644 generated/1.21/client/supervisor/informers/externalversions/oauth/v1alpha1/interface.go rename generated/{1.20/client/supervisor/listers/oauth => 1.21/client/supervisor/listers/config}/v1alpha1/oidcclient.go (97%) delete mode 100644 generated/1.21/client/supervisor/listers/oauth/v1alpha1/expansion_generated.go create mode 100644 generated/1.21/crds/config.supervisor.pinniped.dev_oidcclients.yaml delete mode 100644 generated/1.21/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml rename generated/1.22/apis/supervisor/{oauth => config}/v1alpha1/types_oidcclient.go (100%) delete mode 100644 generated/1.22/apis/supervisor/oauth/v1alpha1/doc.go delete mode 100644 generated/1.22/apis/supervisor/oauth/v1alpha1/register.go delete mode 100644 generated/1.22/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go create mode 100644 generated/1.22/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake/fake_oidcclient.go rename generated/1.22/client/supervisor/clientset/versioned/typed/{oauth => config}/v1alpha1/oidcclient.go (97%) delete mode 100644 generated/1.22/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/doc.go delete mode 100644 generated/1.22/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go delete mode 100644 generated/1.22/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go delete mode 100644 generated/1.22/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oidcclient.go delete mode 100644 generated/1.22/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go delete mode 100644 generated/1.22/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go rename 
generated/1.22/client/supervisor/informers/externalversions/{oauth => config}/v1alpha1/oidcclient.go (88%) delete mode 100644 generated/1.22/client/supervisor/informers/externalversions/oauth/interface.go delete mode 100644 generated/1.22/client/supervisor/informers/externalversions/oauth/v1alpha1/interface.go rename generated/1.22/client/supervisor/listers/{oauth => config}/v1alpha1/oidcclient.go (97%) delete mode 100644 generated/1.22/client/supervisor/listers/oauth/v1alpha1/expansion_generated.go create mode 100644 generated/1.22/crds/config.supervisor.pinniped.dev_oidcclients.yaml delete mode 100644 generated/1.22/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml rename generated/1.23/apis/supervisor/{oauth => config}/v1alpha1/types_oidcclient.go (100%) delete mode 100644 generated/1.23/apis/supervisor/oauth/v1alpha1/doc.go delete mode 100644 generated/1.23/apis/supervisor/oauth/v1alpha1/register.go delete mode 100644 generated/1.23/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go rename generated/1.23/client/supervisor/clientset/versioned/typed/{oauth => config}/v1alpha1/fake/fake_oidcclient.go (92%) rename generated/1.23/client/supervisor/clientset/versioned/typed/{oauth => config}/v1alpha1/oidcclient.go (97%) delete mode 100644 generated/1.23/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/doc.go delete mode 100644 generated/1.23/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go delete mode 100644 generated/1.23/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go delete mode 100644 generated/1.23/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go delete mode 100644 generated/1.23/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go rename generated/1.23/client/supervisor/informers/externalversions/{oauth => config}/v1alpha1/oidcclient.go (88%) delete mode 100644 
generated/1.23/client/supervisor/informers/externalversions/oauth/interface.go delete mode 100644 generated/1.23/client/supervisor/informers/externalversions/oauth/v1alpha1/interface.go create mode 100644 generated/1.23/client/supervisor/listers/config/v1alpha1/oidcclient.go delete mode 100644 generated/1.23/client/supervisor/listers/oauth/v1alpha1/expansion_generated.go delete mode 100644 generated/1.23/client/supervisor/listers/oauth/v1alpha1/oidcclient.go create mode 100644 generated/1.23/crds/config.supervisor.pinniped.dev_oidcclients.yaml delete mode 100644 generated/1.23/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml rename generated/1.24/apis/supervisor/{oauth => config}/v1alpha1/types_oidcclient.go (100%) delete mode 100644 generated/1.24/apis/supervisor/oauth/v1alpha1/doc.go delete mode 100644 generated/1.24/apis/supervisor/oauth/v1alpha1/register.go delete mode 100644 generated/1.24/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go rename generated/1.24/client/supervisor/clientset/versioned/typed/{oauth => config}/v1alpha1/fake/fake_oidcclient.go (92%) rename generated/1.24/client/supervisor/clientset/versioned/typed/{oauth => config}/v1alpha1/oidcclient.go (97%) delete mode 100644 generated/1.24/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/doc.go delete mode 100644 generated/1.24/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go delete mode 100644 generated/1.24/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go delete mode 100644 generated/1.24/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go delete mode 100644 generated/1.24/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go rename generated/1.24/client/supervisor/informers/externalversions/{oauth => config}/v1alpha1/oidcclient.go (88%) delete mode 100644 generated/1.24/client/supervisor/informers/externalversions/oauth/interface.go delete mode 100644 
generated/1.24/client/supervisor/informers/externalversions/oauth/v1alpha1/interface.go create mode 100644 generated/1.24/client/supervisor/listers/config/v1alpha1/oidcclient.go delete mode 100644 generated/1.24/client/supervisor/listers/oauth/v1alpha1/expansion_generated.go delete mode 100644 generated/1.24/client/supervisor/listers/oauth/v1alpha1/oidcclient.go create mode 100644 generated/1.24/crds/config.supervisor.pinniped.dev_oidcclients.yaml delete mode 100644 generated/1.24/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml rename generated/latest/apis/supervisor/{oauth => config}/v1alpha1/types_oidcclient.go (100%) delete mode 100644 generated/latest/apis/supervisor/oauth/v1alpha1/doc.go delete mode 100644 generated/latest/apis/supervisor/oauth/v1alpha1/register.go delete mode 100644 generated/latest/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go rename generated/latest/client/supervisor/clientset/versioned/typed/{oauth => config}/v1alpha1/fake/fake_oidcclient.go (92%) rename generated/latest/client/supervisor/clientset/versioned/typed/{oauth => config}/v1alpha1/oidcclient.go (97%) delete mode 100644 generated/latest/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/doc.go delete mode 100644 generated/latest/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go delete mode 100644 generated/latest/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go delete mode 100644 generated/latest/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go delete mode 100644 generated/latest/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go rename generated/latest/client/supervisor/informers/externalversions/{oauth => config}/v1alpha1/oidcclient.go (88%) delete mode 100644 generated/latest/client/supervisor/informers/externalversions/oauth/interface.go delete mode 100644 
generated/latest/client/supervisor/informers/externalversions/oauth/v1alpha1/interface.go create mode 100644 generated/latest/client/supervisor/listers/config/v1alpha1/oidcclient.go delete mode 100644 generated/latest/client/supervisor/listers/oauth/v1alpha1/expansion_generated.go delete mode 100644 generated/latest/client/supervisor/listers/oauth/v1alpha1/oidcclient.go
diff --git a/apis/supervisor/config/v1alpha1/register.go.tmpl b/apis/supervisor/config/v1alpha1/register.go.tmpl
index 69045298..54c51699 100644
--- a/apis/supervisor/config/v1alpha1/register.go.tmpl
+++ b/apis/supervisor/config/v1alpha1/register.go.tmpl
@@ -32,6 +32,8 @@ func addKnownTypes(scheme *runtime.Scheme) error {
 scheme.AddKnownTypes(SchemeGroupVersion,
 &FederationDomain{},
 &FederationDomainList{},
+ &OIDCClient{},
+ &OIDCClientList{},
 )
 metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
 return nil
diff --git a/apis/supervisor/oauth/v1alpha1/types_oidcclient.go.tmpl b/apis/supervisor/config/v1alpha1/types_oidcclient.go.tmpl
similarity index 100%
rename from apis/supervisor/oauth/v1alpha1/types_oidcclient.go.tmpl
rename to apis/supervisor/config/v1alpha1/types_oidcclient.go.tmpl
diff --git a/apis/supervisor/oauth/v1alpha1/doc.go.tmpl b/apis/supervisor/oauth/v1alpha1/doc.go.tmpl
deleted file mode 100644
index 75580481..00000000
--- a/apis/supervisor/oauth/v1alpha1/doc.go.tmpl
+++ /dev/null
@@ -1,10 +0,0 @@
-// Copyright 2022 the Pinniped contributors. All Rights Reserved.
-// SPDX-License-Identifier: Apache-2.0
-
-// +k8s:openapi-gen=true
-// +k8s:deepcopy-gen=package
-// +k8s:defaulter-gen=TypeMeta
-// +groupName=oauth.supervisor.pinniped.dev
-
-// Package v1alpha1 is the v1alpha1 version of the Pinniped supervisor oauth API.
-package v1alpha1
diff --git a/apis/supervisor/oauth/v1alpha1/register.go.tmpl b/apis/supervisor/oauth/v1alpha1/register.go.tmpl
deleted file mode 100644
index 37ae1fbf..00000000
--- a/apis/supervisor/oauth/v1alpha1/register.go.tmpl
+++ /dev/null
@@ -1,43 +0,0 @@
-// Copyright 2022 the Pinniped contributors. All Rights Reserved.
-// SPDX-License-Identifier: Apache-2.0
-
-package v1alpha1
-
-import (
- metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
- "k8s.io/apimachinery/pkg/runtime"
- "k8s.io/apimachinery/pkg/runtime/schema"
-)
-
-const GroupName = "oauth.supervisor.pinniped.dev"
-
-// SchemeGroupVersion is group version used to register these objects.
-var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha1"}
-
-var (
- SchemeBuilder runtime.SchemeBuilder
- localSchemeBuilder = &SchemeBuilder
- AddToScheme = localSchemeBuilder.AddToScheme
-)
-
-func init() {
- // We only register manually written functions here. The registration of the
- // generated functions takes place in the generated files. The separation
- // makes the code compile even when the generated files are missing.
- localSchemeBuilder.Register(addKnownTypes)
-}
-
-// Adds the list of known types to the given scheme.
-func addKnownTypes(scheme *runtime.Scheme) error {
- scheme.AddKnownTypes(SchemeGroupVersion,
- &OIDCClient{},
- &OIDCClientList{},
- )
- metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
- return nil
-}
-
-// Resource takes an unqualified resource and returns a Group qualified GroupResource.
-func Resource(resource string) schema.GroupResource {
- return SchemeGroupVersion.WithResource(resource).GroupResource()
-}
diff --git a/generated/1.17/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml b/deploy/supervisor/config.supervisor.pinniped.dev_oidcclients.yaml
similarity index 98%
rename from generated/1.17/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml
rename to deploy/supervisor/config.supervisor.pinniped.dev_oidcclients.yaml
index 589a9154..4efa445e 100644
--- a/generated/1.17/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml
+++ b/deploy/supervisor/config.supervisor.pinniped.dev_oidcclients.yaml
@@ -5,9 +5,9 @@ metadata:
 annotations:
 controller-gen.kubebuilder.io/version: v0.8.0
 creationTimestamp: null
- name: oidcclients.oauth.supervisor.pinniped.dev
+ name: oidcclients.config.supervisor.pinniped.dev
 spec:
- group: oauth.supervisor.pinniped.dev
+ group: config.supervisor.pinniped.dev
 names:
 categories:
 - pinniped
diff --git a/deploy/supervisor/z0_crd_overlay.yaml b/deploy/supervisor/z0_crd_overlay.yaml
index 130f780d..a658091b 100644
--- a/deploy/supervisor/z0_crd_overlay.yaml
+++ b/deploy/supervisor/z0_crd_overlay.yaml
@@ -41,11 +41,11 @@ metadata:
 spec:
 group: #@ pinnipedDevAPIGroupWithPrefix("idp.supervisor")
-#@overlay/match by=overlay.subset({"kind": "CustomResourceDefinition", "metadata":{"name":"oidcclients.oauth.supervisor.pinniped.dev"}}), expects=1
+#@overlay/match by=overlay.subset({"kind": "CustomResourceDefinition", "metadata":{"name":"oidcclients.config.supervisor.pinniped.dev"}}), expects=1
 ---
 metadata:
 #@overlay/match missing_ok=True
 labels: #@ labels()
- name: #@ pinnipedDevAPIGroupWithPrefix("oidcclients.oauth.supervisor")
+ name: #@ pinnipedDevAPIGroupWithPrefix("oidcclients.config.supervisor")
 spec:
- group: #@ pinnipedDevAPIGroupWithPrefix("oauth.supervisor")
+ group: #@ pinnipedDevAPIGroupWithPrefix("config.supervisor")
diff --git a/generated/1.17/README.adoc b/generated/1.17/README.adoc
index 693d8d6b..624f035f 100644
--- a/generated/1.17/README.adoc
+++ b/generated/1.17/README.adoc
@@ -12,7 +12,6 @@
 - xref:{anchor_prefix}-identity-concierge-pinniped-dev-v1alpha1[$$identity.concierge.pinniped.dev/v1alpha1$$]
 - xref:{anchor_prefix}-idp-supervisor-pinniped-dev-v1alpha1[$$idp.supervisor.pinniped.dev/v1alpha1$$]
 - xref:{anchor_prefix}-login-concierge-pinniped-dev-v1alpha1[$$login.concierge.pinniped.dev/v1alpha1$$]
-- xref:{anchor_prefix}-oauth-supervisor-pinniped-dev-v1alpha1[$$oauth.supervisor.pinniped.dev/v1alpha1$$]
 [id="{anchor_prefix}-authentication-concierge-pinniped-dev-v1alpha1"]
@@ -544,6 +543,51 @@ FederationDomainTLSSpec is a struct that describes the TLS configuration for an
 |===
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-config-v1alpha1-oidcclient"]
+==== OIDCClient
+
+OIDCClient describes the configuration of an OIDC client.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-config-v1alpha1-oidcclientlist[$$OIDCClientList$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.17/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`.
+ | *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-config-v1alpha1-oidcclientspec[$$OIDCClientSpec$$]__ | Spec of the OIDC client.
+| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-config-v1alpha1-oidcclientstatus[$$OIDCClientStatus$$]__ | Status of the OIDC client.
+|===
+
+
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-config-v1alpha1-oidcclientspec"]
+==== OIDCClientSpec
+
+OIDCClientSpec is a struct that describes an OIDC Client.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-config-v1alpha1-oidcclient[$$OIDCClient$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`allowedRedirectURIs`* __string array__ | allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this client. Any other uris will be rejected. Must be https, unless it is a loopback.
+| *`allowedGrantTypes`* __GrantType array__ | allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this client.
+ Must only contain the following values: - authorization_code: allows the client to perform the authorization code grant flow, i.e. allows the webapp to authenticate users. This grant must always be listed. - refresh_token: allows the client to perform refresh grants for the user to extend the user's session. This grant must be listed if allowedScopes lists offline_access. - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. This grant must be listed if allowedScopes lists pinniped:request-audience.
+| *`allowedScopes`* __Scope array__ | allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client.
+ Must only contain the following values: - openid: The client is allowed to request ID tokens. ID tokens only include the required claims by default (iss, sub, aud, exp, iat). This scope must always be listed. - offline_access: The client is allowed to request an initial refresh token during the authorization code grant flow. This scope must be listed if allowedGrantTypes lists refresh_token. - pinniped:request-audience: The client is allowed to request a new audience value during a RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. openid, username and groups scopes must be listed when this scope is present. This scope must be listed if allowedGrantTypes lists urn:ietf:params:oauth:grant-type:token-exchange. - username: The client is allowed to request that ID tokens contain the user's username. Without the username scope being requested and allowed, the ID token will not contain the user's username. - groups: The client is allowed to request that ID tokens contain the user's group membership, if their group membership is discoverable by the Supervisor. Without the groups scope being requested and allowed, the ID token will not contain groups.
+|===
+
+
+
+
 [id="{anchor_prefix}-identity-concierge-pinniped-dev-identity"]
 === identity.concierge.pinniped.dev/identity
@@ -1333,56 +1377,3 @@ TokenCredentialRequestStatus is the status of a TokenCredentialRequest, returned
 |===
-
-[id="{anchor_prefix}-oauth-supervisor-pinniped-dev-v1alpha1"]
-=== oauth.supervisor.pinniped.dev/v1alpha1
-
-Package v1alpha1 is the v1alpha1 version of the Pinniped supervisor oauth API.
-
-
-
-[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-oauth-v1alpha1-oidcclient"]
-==== OIDCClient
-
-OIDCClient describes the configuration of an OIDC client.
-
-.Appears In:
-****
-- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-oauth-v1alpha1-oidcclientlist[$$OIDCClientList$$]
-****
-
-[cols="25a,75a", options="header"]
-|===
-| Field | Description
-| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.17/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`.
-
-| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-oauth-v1alpha1-oidcclientspec[$$OIDCClientSpec$$]__ | Spec of the OIDC client.
-| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-oauth-v1alpha1-oidcclientstatus[$$OIDCClientStatus$$]__ | Status of the OIDC client.
-|===
-
-
-
-
-[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-oauth-v1alpha1-oidcclientspec"]
-==== OIDCClientSpec
-
-OIDCClientSpec is a struct that describes an OIDC Client.
-
-.Appears In:
-****
-- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-oauth-v1alpha1-oidcclient[$$OIDCClient$$]
-****
-
-[cols="25a,75a", options="header"]
-|===
-| Field | Description
-| *`allowedRedirectURIs`* __string array__ | allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this client. Any other uris will be rejected. Must be https, unless it is a loopback.
-| *`allowedGrantTypes`* __GrantType array__ | allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this client.
- Must only contain the following values: - authorization_code: allows the client to perform the authorization code grant flow, i.e. allows the webapp to authenticate users. This grant must always be listed. - refresh_token: allows the client to perform refresh grants for the user to extend the user's session. This grant must be listed if allowedScopes lists offline_access. - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. This grant must be listed if allowedScopes lists pinniped:request-audience.
-| *`allowedScopes`* __Scope array__ | allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client.
- Must only contain the following values: - openid: The client is allowed to request ID tokens. ID tokens only include the required claims by default (iss, sub, aud, exp, iat). This scope must always be listed. - offline_access: The client is allowed to request an initial refresh token during the authorization code grant flow. This scope must be listed if allowedGrantTypes lists refresh_token. - pinniped:request-audience: The client is allowed to request a new audience value during a RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. openid, username and groups scopes must be listed when this scope is present. This scope must be listed if allowedGrantTypes lists urn:ietf:params:oauth:grant-type:token-exchange. - username: The client is allowed to request that ID tokens contain the user's username. Without the username scope being requested and allowed, the ID token will not contain the user's username. - groups: The client is allowed to request that ID tokens contain the user's group membership, if their group membership is discoverable by the Supervisor. Without the groups scope being requested and allowed, the ID token will not contain groups.
-|===
-
-
-
-
diff --git a/generated/1.17/apis/supervisor/config/v1alpha1/register.go b/generated/1.17/apis/supervisor/config/v1alpha1/register.go
index 69045298..54c51699 100644
--- a/generated/1.17/apis/supervisor/config/v1alpha1/register.go
+++ b/generated/1.17/apis/supervisor/config/v1alpha1/register.go
@@ -32,6 +32,8 @@ func addKnownTypes(scheme *runtime.Scheme) error {
 scheme.AddKnownTypes(SchemeGroupVersion,
 &FederationDomain{},
 &FederationDomainList{},
+ &OIDCClient{},
+ &OIDCClientList{},
 )
 metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
 return nil
diff --git a/generated/1.17/apis/supervisor/oauth/v1alpha1/types_oidcclient.go b/generated/1.17/apis/supervisor/config/v1alpha1/types_oidcclient.go
similarity index 100%
rename from generated/1.17/apis/supervisor/oauth/v1alpha1/types_oidcclient.go
rename to generated/1.17/apis/supervisor/config/v1alpha1/types_oidcclient.go
diff --git a/generated/1.17/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go b/generated/1.17/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go
index 856b8988..a55d88e7 100644
--- a/generated/1.17/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go
+++ b/generated/1.17/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go
@@ -150,3 +150,111 @@ func (in *FederationDomainTLSSpec) DeepCopy() *FederationDomainTLSSpec {
 in.DeepCopyInto(out)
 return out
 }
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OIDCClient) DeepCopyInto(out *OIDCClient) {
+ *out = *in
+ out.TypeMeta = in.TypeMeta
+ in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+ in.Spec.DeepCopyInto(&out.Spec)
+ out.Status = in.Status
+ return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClient.
+func (in *OIDCClient) DeepCopy() *OIDCClient {
+ if in == nil {
+ return nil
+ }
+ out := new(OIDCClient)
+ in.DeepCopyInto(out)
+ return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *OIDCClient) DeepCopyObject() runtime.Object {
+ if c := in.DeepCopy(); c != nil {
+ return c
+ }
+ return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OIDCClientList) DeepCopyInto(out *OIDCClientList) {
+ *out = *in
+ out.TypeMeta = in.TypeMeta
+ in.ListMeta.DeepCopyInto(&out.ListMeta)
+ if in.Items != nil {
+ in, out := &in.Items, &out.Items
+ *out = make([]OIDCClient, len(*in))
+ for i := range *in {
+ (*in)[i].DeepCopyInto(&(*out)[i])
+ }
+ }
+ return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientList.
+func (in *OIDCClientList) DeepCopy() *OIDCClientList {
+ if in == nil {
+ return nil
+ }
+ out := new(OIDCClientList)
+ in.DeepCopyInto(out)
+ return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *OIDCClientList) DeepCopyObject() runtime.Object {
+ if c := in.DeepCopy(); c != nil {
+ return c
+ }
+ return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OIDCClientSpec) DeepCopyInto(out *OIDCClientSpec) {
+ *out = *in
+ if in.AllowedRedirectURIs != nil {
+ in, out := &in.AllowedRedirectURIs, &out.AllowedRedirectURIs
+ *out = make([]string, len(*in))
+ copy(*out, *in)
+ }
+ if in.AllowedGrantTypes != nil {
+ in, out := &in.AllowedGrantTypes, &out.AllowedGrantTypes
+ *out = make([]GrantType, len(*in))
+ copy(*out, *in)
+ }
+ if in.AllowedScopes != nil {
+ in, out := &in.AllowedScopes, &out.AllowedScopes
+ *out = make([]Scope, len(*in))
+ copy(*out, *in)
+ }
+ return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSpec.
+func (in *OIDCClientSpec) DeepCopy() *OIDCClientSpec {
+ if in == nil {
+ return nil
+ }
+ out := new(OIDCClientSpec)
+ in.DeepCopyInto(out)
+ return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OIDCClientStatus) DeepCopyInto(out *OIDCClientStatus) {
+ *out = *in
+ return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientStatus.
+func (in *OIDCClientStatus) DeepCopy() *OIDCClientStatus {
+ if in == nil {
+ return nil
+ }
+ out := new(OIDCClientStatus)
+ in.DeepCopyInto(out)
+ return out
+}
diff --git a/generated/1.17/apis/supervisor/oauth/v1alpha1/doc.go b/generated/1.17/apis/supervisor/oauth/v1alpha1/doc.go
deleted file mode 100644
index 75580481..00000000
--- a/generated/1.17/apis/supervisor/oauth/v1alpha1/doc.go
+++ /dev/null
@@ -1,10 +0,0 @@
-// Copyright 2022 the Pinniped contributors. All Rights Reserved.
-// SPDX-License-Identifier: Apache-2.0
-
-// +k8s:openapi-gen=true
-// +k8s:deepcopy-gen=package
-// +k8s:defaulter-gen=TypeMeta
-// +groupName=oauth.supervisor.pinniped.dev
-
-// Package v1alpha1 is the v1alpha1 version of the Pinniped supervisor oauth API.
-package v1alpha1
diff --git a/generated/1.17/apis/supervisor/oauth/v1alpha1/register.go b/generated/1.17/apis/supervisor/oauth/v1alpha1/register.go
deleted file mode 100644
index 37ae1fbf..00000000
--- a/generated/1.17/apis/supervisor/oauth/v1alpha1/register.go
+++ /dev/null
@@ -1,43 +0,0 @@
-// Copyright 2022 the Pinniped contributors. All Rights Reserved.
-// SPDX-License-Identifier: Apache-2.0
-
-package v1alpha1
-
-import (
- metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
- "k8s.io/apimachinery/pkg/runtime"
- "k8s.io/apimachinery/pkg/runtime/schema"
-)
-
-const GroupName = "oauth.supervisor.pinniped.dev"
-
-// SchemeGroupVersion is group version used to register these objects.
-var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha1"}
-
-var (
- SchemeBuilder runtime.SchemeBuilder
- localSchemeBuilder = &SchemeBuilder
- AddToScheme = localSchemeBuilder.AddToScheme
-)
-
-func init() {
- // We only register manually written functions here. The registration of the
- // generated functions takes place in the generated files. The separation
- // makes the code compile even when the generated files are missing.
- localSchemeBuilder.Register(addKnownTypes)
-}
-
-// Adds the list of known types to the given scheme.
-func addKnownTypes(scheme *runtime.Scheme) error {
- scheme.AddKnownTypes(SchemeGroupVersion,
- &OIDCClient{},
- &OIDCClientList{},
- )
- metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
- return nil
-}
-
-// Resource takes an unqualified resource and returns a Group qualified GroupResource.
-func Resource(resource string) schema.GroupResource {
- return SchemeGroupVersion.WithResource(resource).GroupResource()
-}
diff --git a/generated/1.17/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go b/generated/1.17/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go
deleted file mode 100644
index 1aba8aea..00000000
--- a/generated/1.17/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go
+++ /dev/null
@@ -1,121 +0,0 @@ -//go:build !ignore_autogenerated -// +build !ignore_autogenerated - -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by deepcopy-gen. DO NOT EDIT. - -package v1alpha1 - -import ( - runtime "k8s.io/apimachinery/pkg/runtime" -) - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *OIDCClient) DeepCopyInto(out *OIDCClient) { - *out = *in - out.TypeMeta = in.TypeMeta - in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) - in.Spec.DeepCopyInto(&out.Spec) - out.Status = in.Status - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClient. -func (in *OIDCClient) DeepCopy() *OIDCClient { - if in == nil { - return nil - } - out := new(OIDCClient) - in.DeepCopyInto(out) - return out -} - -// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. -func (in *OIDCClient) DeepCopyObject() runtime.Object { - if c := in.DeepCopy(); c != nil { - return c - } - return nil -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *OIDCClientList) DeepCopyInto(out *OIDCClientList) { - *out = *in - out.TypeMeta = in.TypeMeta - in.ListMeta.DeepCopyInto(&out.ListMeta) - if in.Items != nil { - in, out := &in.Items, &out.Items - *out = make([]OIDCClient, len(*in)) - for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) - } - } - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientList. -func (in *OIDCClientList) DeepCopy() *OIDCClientList { - if in == nil { - return nil - } - out := new(OIDCClientList) - in.DeepCopyInto(out) - return out -} - -// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. 
-func (in *OIDCClientList) DeepCopyObject() runtime.Object { - if c := in.DeepCopy(); c != nil { - return c - } - return nil -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *OIDCClientSpec) DeepCopyInto(out *OIDCClientSpec) { - *out = *in - if in.AllowedRedirectURIs != nil { - in, out := &in.AllowedRedirectURIs, &out.AllowedRedirectURIs - *out = make([]string, len(*in)) - copy(*out, *in) - } - if in.AllowedGrantTypes != nil { - in, out := &in.AllowedGrantTypes, &out.AllowedGrantTypes - *out = make([]GrantType, len(*in)) - copy(*out, *in) - } - if in.AllowedScopes != nil { - in, out := &in.AllowedScopes, &out.AllowedScopes - *out = make([]Scope, len(*in)) - copy(*out, *in) - } - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSpec. -func (in *OIDCClientSpec) DeepCopy() *OIDCClientSpec { - if in == nil { - return nil - } - out := new(OIDCClientSpec) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *OIDCClientStatus) DeepCopyInto(out *OIDCClientStatus) { - *out = *in - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientStatus. -func (in *OIDCClientStatus) DeepCopy() *OIDCClientStatus { - if in == nil { - return nil - } - out := new(OIDCClientStatus) - in.DeepCopyInto(out) - return out -} diff --git a/generated/1.17/client/supervisor/clientset/versioned/clientset.go b/generated/1.17/client/supervisor/clientset/versioned/clientset.go index c51ef35e..d1845d53 100644 --- a/generated/1.17/client/supervisor/clientset/versioned/clientset.go +++ b/generated/1.17/client/supervisor/clientset/versioned/clientset.go 
@@ -10,7 +10,6 @@ import ( configv1alpha1 "go.pinniped.dev/generated/1.17/client/supervisor/clientset/versioned/typed/config/v1alpha1" idpv1alpha1 "go.pinniped.dev/generated/1.17/client/supervisor/clientset/versioned/typed/idp/v1alpha1" - oauthv1alpha1 "go.pinniped.dev/generated/1.17/client/supervisor/clientset/versioned/typed/oauth/v1alpha1" discovery "k8s.io/client-go/discovery" rest "k8s.io/client-go/rest" flowcontrol "k8s.io/client-go/util/flowcontrol" @@ -20,7 +19,6 @@ type Interface interface { Discovery() discovery.DiscoveryInterface ConfigV1alpha1() configv1alpha1.ConfigV1alpha1Interface IDPV1alpha1() idpv1alpha1.IDPV1alpha1Interface - OauthV1alpha1() oauthv1alpha1.OauthV1alpha1Interface } // Clientset contains the clients for groups. Each group has exactly one @@ -29,7 +27,6 @@ type Clientset struct { *discovery.DiscoveryClient configV1alpha1 *configv1alpha1.ConfigV1alpha1Client iDPV1alpha1 *idpv1alpha1.IDPV1alpha1Client - oauthV1alpha1 *oauthv1alpha1.OauthV1alpha1Client } // ConfigV1alpha1 retrieves the ConfigV1alpha1Client @@ -42,11 +39,6 @@ func (c *Clientset) IDPV1alpha1() idpv1alpha1.IDPV1alpha1Interface { return c.iDPV1alpha1 } -// OauthV1alpha1 retrieves the OauthV1alpha1Client -func (c *Clientset) OauthV1alpha1() oauthv1alpha1.OauthV1alpha1Interface { - return c.oauthV1alpha1 -} - // Discovery retrieves the DiscoveryClient func (c *Clientset) Discovery() discovery.DiscoveryInterface { if c == nil { @@ -76,10 +68,6 @@ func NewForConfig(c *rest.Config) (*Clientset, error) { if err != nil { return nil, err } - cs.oauthV1alpha1, err = oauthv1alpha1.NewForConfig(&configShallowCopy) - if err != nil { - return nil, err - } cs.DiscoveryClient, err = discovery.NewDiscoveryClientForConfig(&configShallowCopy) if err != nil { 
@@ -94,7 +82,6 @@ func NewForConfigOrDie(c *rest.Config) *Clientset { var cs Clientset cs.configV1alpha1 = configv1alpha1.NewForConfigOrDie(c) cs.iDPV1alpha1 = idpv1alpha1.NewForConfigOrDie(c) - cs.oauthV1alpha1 = oauthv1alpha1.NewForConfigOrDie(c) cs.DiscoveryClient = discovery.NewDiscoveryClientForConfigOrDie(c) return &cs @@ -105,7 +92,6 @@ func New(c rest.Interface) *Clientset { var cs Clientset cs.configV1alpha1 = configv1alpha1.New(c) cs.iDPV1alpha1 = idpv1alpha1.New(c) - cs.oauthV1alpha1 = oauthv1alpha1.New(c) cs.DiscoveryClient = discovery.NewDiscoveryClient(c) return &cs diff --git a/generated/1.17/client/supervisor/clientset/versioned/fake/clientset_generated.go b/generated/1.17/client/supervisor/clientset/versioned/fake/clientset_generated.go index 7139764c..0bc2edfc 100644 --- a/generated/1.17/client/supervisor/clientset/versioned/fake/clientset_generated.go +++ b/generated/1.17/client/supervisor/clientset/versioned/fake/clientset_generated.go @@ -11,8 +11,6 @@ import ( fakeconfigv1alpha1 "go.pinniped.dev/generated/1.17/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake" idpv1alpha1 "go.pinniped.dev/generated/1.17/client/supervisor/clientset/versioned/typed/idp/v1alpha1" fakeidpv1alpha1 "go.pinniped.dev/generated/1.17/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake" - oauthv1alpha1 "go.pinniped.dev/generated/1.17/client/supervisor/clientset/versioned/typed/oauth/v1alpha1" - fakeoauthv1alpha1 "go.pinniped.dev/generated/1.17/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake" "k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/watch" "k8s.io/client-go/discovery" 
@@ -76,8 +74,3 @@ func (c *Clientset) ConfigV1alpha1() configv1alpha1.ConfigV1alpha1Interface { func (c *Clientset) IDPV1alpha1() idpv1alpha1.IDPV1alpha1Interface { return &fakeidpv1alpha1.FakeIDPV1alpha1{Fake: &c.Fake} } - -// OauthV1alpha1 retrieves the OauthV1alpha1Client -func (c *Clientset) OauthV1alpha1() oauthv1alpha1.OauthV1alpha1Interface { - return &fakeoauthv1alpha1.FakeOauthV1alpha1{Fake: &c.Fake} -} diff --git a/generated/1.17/client/supervisor/clientset/versioned/fake/register.go b/generated/1.17/client/supervisor/clientset/versioned/fake/register.go index 980ce98f..5717b4eb 100644 --- a/generated/1.17/client/supervisor/clientset/versioned/fake/register.go +++ b/generated/1.17/client/supervisor/clientset/versioned/fake/register.go @@ -8,7 +8,6 @@ package fake import ( configv1alpha1 "go.pinniped.dev/generated/1.17/apis/supervisor/config/v1alpha1" idpv1alpha1 "go.pinniped.dev/generated/1.17/apis/supervisor/idp/v1alpha1" - oauthv1alpha1 "go.pinniped.dev/generated/1.17/apis/supervisor/oauth/v1alpha1" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" runtime "k8s.io/apimachinery/pkg/runtime" schema "k8s.io/apimachinery/pkg/runtime/schema" @@ -22,7 +21,6 @@ var parameterCodec = runtime.NewParameterCodec(scheme) var localSchemeBuilder = runtime.SchemeBuilder{ configv1alpha1.AddToScheme, idpv1alpha1.AddToScheme, - oauthv1alpha1.AddToScheme, } // AddToScheme adds all types of this clientset into the given scheme. This allows composition diff --git a/generated/1.17/client/supervisor/clientset/versioned/scheme/register.go b/generated/1.17/client/supervisor/clientset/versioned/scheme/register.go index 676b0aae..3d881a08 100644 --- a/generated/1.17/client/supervisor/clientset/versioned/scheme/register.go +++ b/generated/1.17/client/supervisor/clientset/versioned/scheme/register.go 
@@ -8,7 +8,6 @@ package scheme import ( configv1alpha1 "go.pinniped.dev/generated/1.17/apis/supervisor/config/v1alpha1" idpv1alpha1 "go.pinniped.dev/generated/1.17/apis/supervisor/idp/v1alpha1" - oauthv1alpha1 "go.pinniped.dev/generated/1.17/apis/supervisor/oauth/v1alpha1" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" runtime "k8s.io/apimachinery/pkg/runtime" schema "k8s.io/apimachinery/pkg/runtime/schema" @@ -22,7 +21,6 @@ var ParameterCodec = runtime.NewParameterCodec(Scheme) var localSchemeBuilder = runtime.SchemeBuilder{ configv1alpha1.AddToScheme, idpv1alpha1.AddToScheme, - oauthv1alpha1.AddToScheme, } // AddToScheme adds all types of this clientset into the given scheme. This allows composition diff --git a/generated/1.17/client/supervisor/clientset/versioned/typed/config/v1alpha1/config_client.go b/generated/1.17/client/supervisor/clientset/versioned/typed/config/v1alpha1/config_client.go index f5c35bf5..49fcccef 100644 --- a/generated/1.17/client/supervisor/clientset/versioned/typed/config/v1alpha1/config_client.go +++ b/generated/1.17/client/supervisor/clientset/versioned/typed/config/v1alpha1/config_client.go @@ -14,6 +14,7 @@ import ( type ConfigV1alpha1Interface interface { RESTClient() rest.Interface FederationDomainsGetter + OIDCClientsGetter } // ConfigV1alpha1Client is used to interact with features provided by the config.supervisor.pinniped.dev group. @@ -25,6 +26,10 @@ func (c *ConfigV1alpha1Client) FederationDomains(namespace string) FederationDom return newFederationDomains(c, namespace) } +func (c *ConfigV1alpha1Client) OIDCClients(namespace string) OIDCClientInterface { + return newOIDCClients(c, namespace) +} + // NewForConfig creates a new ConfigV1alpha1Client for the given config. func NewForConfig(c *rest.Config) (*ConfigV1alpha1Client, error) { config := *c 
diff --git a/generated/1.17/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake/fake_config_client.go b/generated/1.17/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake/fake_config_client.go index 406fcd8c..2a586f92 100644 --- a/generated/1.17/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake/fake_config_client.go +++ b/generated/1.17/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake/fake_config_client.go @@ -19,6 +19,10 @@ func (c *FakeConfigV1alpha1) FederationDomains(namespace string) v1alpha1.Federa return &FakeFederationDomains{c, namespace} } +func (c *FakeConfigV1alpha1) OIDCClients(namespace string) v1alpha1.OIDCClientInterface { + return &FakeOIDCClients{c, namespace} +} + // RESTClient returns a RESTClient that is used to communicate // with API server by this client implementation. func (c *FakeConfigV1alpha1) RESTClient() rest.Interface { diff --git a/generated/1.17/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oidcclient.go b/generated/1.17/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake/fake_oidcclient.go similarity index 92% rename from generated/1.17/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oidcclient.go rename to generated/1.17/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake/fake_oidcclient.go index 69c8555d..8acb613c 100644 --- a/generated/1.17/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oidcclient.go +++ b/generated/1.17/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake/fake_oidcclient.go @@ -6,7 +6,7 @@ package fake import ( - v1alpha1 "go.pinniped.dev/generated/1.17/apis/supervisor/oauth/v1alpha1" + v1alpha1 "go.pinniped.dev/generated/1.17/apis/supervisor/config/v1alpha1" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" labels "k8s.io/apimachinery/pkg/labels" schema "k8s.io/apimachinery/pkg/runtime/schema" 
@@ -17,13 +17,13 @@ import ( // FakeOIDCClients implements OIDCClientInterface type FakeOIDCClients struct { - Fake *FakeOauthV1alpha1 + Fake *FakeConfigV1alpha1 ns string } -var oidcclientsResource = schema.GroupVersionResource{Group: "oauth.supervisor.pinniped.dev", Version: "v1alpha1", Resource: "oidcclients"} +var oidcclientsResource = schema.GroupVersionResource{Group: "config.supervisor.pinniped.dev", Version: "v1alpha1", Resource: "oidcclients"} -var oidcclientsKind = schema.GroupVersionKind{Group: "oauth.supervisor.pinniped.dev", Version: "v1alpha1", Kind: "OIDCClient"} +var oidcclientsKind = schema.GroupVersionKind{Group: "config.supervisor.pinniped.dev", Version: "v1alpha1", Kind: "OIDCClient"} // Get takes name of the oIDCClient, and returns the corresponding oIDCClient object, and an error if there is any. func (c *FakeOIDCClients) Get(name string, options v1.GetOptions) (result *v1alpha1.OIDCClient, err error) { diff --git a/generated/1.17/client/supervisor/clientset/versioned/typed/config/v1alpha1/generated_expansion.go b/generated/1.17/client/supervisor/clientset/versioned/typed/config/v1alpha1/generated_expansion.go index ba9c9173..35b9ee3d 100644 --- a/generated/1.17/client/supervisor/clientset/versioned/typed/config/v1alpha1/generated_expansion.go +++ b/generated/1.17/client/supervisor/clientset/versioned/typed/config/v1alpha1/generated_expansion.go @@ -6,3 +6,5 @@ package v1alpha1 type FederationDomainExpansion interface{} + +type OIDCClientExpansion interface{} diff --git a/generated/1.17/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oidcclient.go b/generated/1.17/client/supervisor/clientset/versioned/typed/config/v1alpha1/oidcclient.go similarity index 97% rename from generated/1.17/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oidcclient.go rename to generated/1.17/client/supervisor/clientset/versioned/typed/config/v1alpha1/oidcclient.go index 322bcb9d..95c4ebfb 100644 
--- a/generated/1.17/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oidcclient.go +++ b/generated/1.17/client/supervisor/clientset/versioned/typed/config/v1alpha1/oidcclient.go @@ -8,7 +8,7 @@ package v1alpha1 import ( "time" - v1alpha1 "go.pinniped.dev/generated/1.17/apis/supervisor/oauth/v1alpha1" + v1alpha1 "go.pinniped.dev/generated/1.17/apis/supervisor/config/v1alpha1" scheme "go.pinniped.dev/generated/1.17/client/supervisor/clientset/versioned/scheme" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" types "k8s.io/apimachinery/pkg/types" @@ -43,7 +43,7 @@ type oIDCClients struct { } // newOIDCClients returns a OIDCClients -func newOIDCClients(c *OauthV1alpha1Client, namespace string) *oIDCClients { +func newOIDCClients(c *ConfigV1alpha1Client, namespace string) *oIDCClients { return &oIDCClients{ client: c.RESTClient(), ns: namespace, diff --git a/generated/1.17/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/doc.go b/generated/1.17/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/doc.go deleted file mode 100644 index e7a470b6..00000000 --- a/generated/1.17/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/doc.go +++ /dev/null @@ -1,7 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by client-gen. DO NOT EDIT. - -// This package has the automatically generated typed clients. -package v1alpha1 diff --git a/generated/1.17/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go b/generated/1.17/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go deleted file mode 100644 index 7906901b..00000000 --- a/generated/1.17/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go +++ /dev/null 
@@ -1,7 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by client-gen. DO NOT EDIT. - -// Package fake has the automatically generated clients. -package fake diff --git a/generated/1.17/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go b/generated/1.17/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go deleted file mode 100644 index 1625045c..00000000 --- a/generated/1.17/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go +++ /dev/null @@ -1,27 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by client-gen. DO NOT EDIT. - -package fake - -import ( - v1alpha1 "go.pinniped.dev/generated/1.17/client/supervisor/clientset/versioned/typed/oauth/v1alpha1" - rest "k8s.io/client-go/rest" - testing "k8s.io/client-go/testing" -) - -type FakeOauthV1alpha1 struct { - *testing.Fake -} - -func (c *FakeOauthV1alpha1) OIDCClients(namespace string) v1alpha1.OIDCClientInterface { - return &FakeOIDCClients{c, namespace} -} - -// RESTClient returns a RESTClient that is used to communicate -// with API server by this client implementation. -func (c *FakeOauthV1alpha1) RESTClient() rest.Interface { - var ret *rest.RESTClient - return ret -} diff --git a/generated/1.17/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go b/generated/1.17/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go deleted file mode 100644 index 87d22ea9..00000000 --- a/generated/1.17/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go +++ /dev/null 
@@ -1,8 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by client-gen. DO NOT EDIT. - -package v1alpha1 - -type OIDCClientExpansion interface{} diff --git a/generated/1.17/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go b/generated/1.17/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go deleted file mode 100644 index 32dae26a..00000000 --- a/generated/1.17/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go +++ /dev/null 
@@ -1,76 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by client-gen. DO NOT EDIT. - -package v1alpha1 - -import ( - v1alpha1 "go.pinniped.dev/generated/1.17/apis/supervisor/oauth/v1alpha1" - "go.pinniped.dev/generated/1.17/client/supervisor/clientset/versioned/scheme" - rest "k8s.io/client-go/rest" -) - -type OauthV1alpha1Interface interface { - RESTClient() rest.Interface - OIDCClientsGetter -} - -// OauthV1alpha1Client is used to interact with features provided by the oauth.supervisor.pinniped.dev group. -type OauthV1alpha1Client struct { - restClient rest.Interface -} - -func (c *OauthV1alpha1Client) OIDCClients(namespace string) OIDCClientInterface { - return newOIDCClients(c, namespace) -} - -// NewForConfig creates a new OauthV1alpha1Client for the given config. -func NewForConfig(c *rest.Config) (*OauthV1alpha1Client, error) { - config := *c - if err := setConfigDefaults(&config); err != nil { - return nil, err - } - client, err := rest.RESTClientFor(&config) - if err != nil { - return nil, err - } - return &OauthV1alpha1Client{client}, nil -} - -// NewForConfigOrDie creates a new OauthV1alpha1Client for the given config and -// panics if there is an error in the config. -func NewForConfigOrDie(c *rest.Config) *OauthV1alpha1Client { - client, err := NewForConfig(c) - if err != nil { - panic(err) - } - return client -} - -// New creates a new OauthV1alpha1Client for the given RESTClient. 
-func New(c rest.Interface) *OauthV1alpha1Client { - return &OauthV1alpha1Client{c} -} - -func setConfigDefaults(config *rest.Config) error { - gv := v1alpha1.SchemeGroupVersion - config.GroupVersion = &gv - config.APIPath = "/apis" - config.NegotiatedSerializer = scheme.Codecs.WithoutConversion() - - if config.UserAgent == "" { - config.UserAgent = rest.DefaultKubernetesUserAgent() - } - - return nil -} - -// RESTClient returns a RESTClient that is used to communicate -// with API server by this client implementation. -func (c *OauthV1alpha1Client) RESTClient() rest.Interface { - if c == nil { - return nil - } - return c.restClient -} diff --git a/generated/1.17/client/supervisor/informers/externalversions/config/v1alpha1/interface.go b/generated/1.17/client/supervisor/informers/externalversions/config/v1alpha1/interface.go index ae8561df..33ffbf70 100644 --- a/generated/1.17/client/supervisor/informers/externalversions/config/v1alpha1/interface.go +++ b/generated/1.17/client/supervisor/informers/externalversions/config/v1alpha1/interface.go @@ -13,6 +13,8 @@ import ( type Interface interface { // FederationDomains returns a FederationDomainInformer. FederationDomains() FederationDomainInformer + // OIDCClients returns a OIDCClientInformer. + OIDCClients() OIDCClientInformer } type version struct { @@ -30,3 +32,8 @@ func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakList func (v *version) FederationDomains() FederationDomainInformer { return &federationDomainInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions} } + +// OIDCClients returns a OIDCClientInformer. +func (v *version) OIDCClients() OIDCClientInformer { + return &oIDCClientInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions} +} 
diff --git a/generated/1.17/client/supervisor/informers/externalversions/oauth/v1alpha1/oidcclient.go b/generated/1.17/client/supervisor/informers/externalversions/config/v1alpha1/oidcclient.go similarity index 89% rename from generated/1.17/client/supervisor/informers/externalversions/oauth/v1alpha1/oidcclient.go rename to generated/1.17/client/supervisor/informers/externalversions/config/v1alpha1/oidcclient.go index 1996f202..c6e9344f 100644 --- a/generated/1.17/client/supervisor/informers/externalversions/oauth/v1alpha1/oidcclient.go +++ b/generated/1.17/client/supervisor/informers/externalversions/config/v1alpha1/oidcclient.go @@ -8,10 +8,10 @@ package v1alpha1 import ( time "time" - oauthv1alpha1 "go.pinniped.dev/generated/1.17/apis/supervisor/oauth/v1alpha1" + configv1alpha1 "go.pinniped.dev/generated/1.17/apis/supervisor/config/v1alpha1" versioned "go.pinniped.dev/generated/1.17/client/supervisor/clientset/versioned" internalinterfaces "go.pinniped.dev/generated/1.17/client/supervisor/informers/externalversions/internalinterfaces" - v1alpha1 "go.pinniped.dev/generated/1.17/client/supervisor/listers/oauth/v1alpha1" + v1alpha1 "go.pinniped.dev/generated/1.17/client/supervisor/listers/config/v1alpha1" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" runtime "k8s.io/apimachinery/pkg/runtime" watch "k8s.io/apimachinery/pkg/watch" 
@@ -48,16 +48,16 @@ func NewFilteredOIDCClientInformer(client versioned.Interface, namespace string, if tweakListOptions != nil { tweakListOptions(&options) } - return client.OauthV1alpha1().OIDCClients(namespace).List(options) + return client.ConfigV1alpha1().OIDCClients(namespace).List(options) }, WatchFunc: func(options v1.ListOptions) (watch.Interface, error) { if tweakListOptions != nil { tweakListOptions(&options) } - return client.OauthV1alpha1().OIDCClients(namespace).Watch(options) + return client.ConfigV1alpha1().OIDCClients(namespace).Watch(options) }, }, - &oauthv1alpha1.OIDCClient{}, + &configv1alpha1.OIDCClient{}, resyncPeriod, indexers, ) @@ -68,7 +68,7 @@ func (f *oIDCClientInformer) defaultInformer(client versioned.Interface, resyncP } func (f *oIDCClientInformer) Informer() cache.SharedIndexInformer { - return f.factory.InformerFor(&oauthv1alpha1.OIDCClient{}, f.defaultInformer) + return f.factory.InformerFor(&configv1alpha1.OIDCClient{}, f.defaultInformer) } func (f *oIDCClientInformer) Lister() v1alpha1.OIDCClientLister { diff --git a/generated/1.17/client/supervisor/informers/externalversions/factory.go b/generated/1.17/client/supervisor/informers/externalversions/factory.go index ac94e186..10a7bf92 100644 --- a/generated/1.17/client/supervisor/informers/externalversions/factory.go +++ b/generated/1.17/client/supervisor/informers/externalversions/factory.go @@ -14,7 +14,6 @@ import ( config "go.pinniped.dev/generated/1.17/client/supervisor/informers/externalversions/config" idp "go.pinniped.dev/generated/1.17/client/supervisor/informers/externalversions/idp" internalinterfaces "go.pinniped.dev/generated/1.17/client/supervisor/informers/externalversions/internalinterfaces" - oauth "go.pinniped.dev/generated/1.17/client/supervisor/informers/externalversions/oauth" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" runtime "k8s.io/apimachinery/pkg/runtime" schema "k8s.io/apimachinery/pkg/runtime/schema" 
@@ -163,7 +162,6 @@ type SharedInformerFactory interface { Config() config.Interface IDP() idp.Interface - Oauth() oauth.Interface } func (f *sharedInformerFactory) Config() config.Interface { @@ -173,7 +171,3 @@ func (f *sharedInformerFactory) Config() config.Interface { func (f *sharedInformerFactory) IDP() idp.Interface { return idp.New(f, f.namespace, f.tweakListOptions) } - -func (f *sharedInformerFactory) Oauth() oauth.Interface { - return oauth.New(f, f.namespace, f.tweakListOptions) -} diff --git a/generated/1.17/client/supervisor/informers/externalversions/generic.go b/generated/1.17/client/supervisor/informers/externalversions/generic.go index 4f5c74e4..befa67ca 100644 --- a/generated/1.17/client/supervisor/informers/externalversions/generic.go +++ b/generated/1.17/client/supervisor/informers/externalversions/generic.go @@ -10,7 +10,6 @@ import ( v1alpha1 "go.pinniped.dev/generated/1.17/apis/supervisor/config/v1alpha1" idpv1alpha1 "go.pinniped.dev/generated/1.17/apis/supervisor/idp/v1alpha1" - oauthv1alpha1 "go.pinniped.dev/generated/1.17/apis/supervisor/oauth/v1alpha1" schema "k8s.io/apimachinery/pkg/runtime/schema" cache "k8s.io/client-go/tools/cache" ) @@ -44,6 +43,8 @@ func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource // Group=config.supervisor.pinniped.dev, Version=v1alpha1 case v1alpha1.SchemeGroupVersion.WithResource("federationdomains"): return &genericInformer{resource: resource.GroupResource(), informer: f.Config().V1alpha1().FederationDomains().Informer()}, nil + case v1alpha1.SchemeGroupVersion.WithResource("oidcclients"): + return &genericInformer{resource: resource.GroupResource(), informer: f.Config().V1alpha1().OIDCClients().Informer()}, nil // Group=idp.supervisor.pinniped.dev, Version=v1alpha1 case idpv1alpha1.SchemeGroupVersion.WithResource("activedirectoryidentityproviders"): 
@@ -53,10 +54,6 @@ func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource case idpv1alpha1.SchemeGroupVersion.WithResource("oidcidentityproviders"): return &genericInformer{resource: resource.GroupResource(), informer: f.IDP().V1alpha1().OIDCIdentityProviders().Informer()}, nil - // Group=oauth.supervisor.pinniped.dev, Version=v1alpha1 - case oauthv1alpha1.SchemeGroupVersion.WithResource("oidcclients"): - return &genericInformer{resource: resource.GroupResource(), informer: f.Oauth().V1alpha1().OIDCClients().Informer()}, nil - } return nil, fmt.Errorf("no informer found for %v", resource) diff --git a/generated/1.17/client/supervisor/informers/externalversions/oauth/interface.go b/generated/1.17/client/supervisor/informers/externalversions/oauth/interface.go deleted file mode 100644 index 06b9370b..00000000 --- a/generated/1.17/client/supervisor/informers/externalversions/oauth/interface.go +++ /dev/null 
@@ -1,33 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by informer-gen. DO NOT EDIT. - -package oauth - -import ( - internalinterfaces "go.pinniped.dev/generated/1.17/client/supervisor/informers/externalversions/internalinterfaces" - v1alpha1 "go.pinniped.dev/generated/1.17/client/supervisor/informers/externalversions/oauth/v1alpha1" -) - -// Interface provides access to each of this group's versions. -type Interface interface { - // V1alpha1 provides access to shared informers for resources in V1alpha1. - V1alpha1() v1alpha1.Interface -} - -type group struct { - factory internalinterfaces.SharedInformerFactory - namespace string - tweakListOptions internalinterfaces.TweakListOptionsFunc -} - -// New returns a new Interface. -func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakListOptions internalinterfaces.TweakListOptionsFunc) Interface { - return &group{factory: f, namespace: namespace, tweakListOptions: tweakListOptions} -} - -// V1alpha1 returns a new v1alpha1.Interface. -func (g *group) V1alpha1() v1alpha1.Interface { - return v1alpha1.New(g.factory, g.namespace, g.tweakListOptions) -} diff --git a/generated/1.17/client/supervisor/informers/externalversions/oauth/v1alpha1/interface.go b/generated/1.17/client/supervisor/informers/externalversions/oauth/v1alpha1/interface.go deleted file mode 100644 index 46d19a40..00000000 --- a/generated/1.17/client/supervisor/informers/externalversions/oauth/v1alpha1/interface.go +++ /dev/null 
@@ -1,32 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by informer-gen. DO NOT EDIT. - -package v1alpha1 - -import ( - internalinterfaces "go.pinniped.dev/generated/1.17/client/supervisor/informers/externalversions/internalinterfaces" -) - -// Interface provides access to all the informers in this group version. -type Interface interface { - // OIDCClients returns a OIDCClientInformer. - OIDCClients() OIDCClientInformer -} - -type version struct { - factory internalinterfaces.SharedInformerFactory - namespace string - tweakListOptions internalinterfaces.TweakListOptionsFunc -} - -// New returns a new Interface. -func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakListOptions internalinterfaces.TweakListOptionsFunc) Interface { - return &version{factory: f, namespace: namespace, tweakListOptions: tweakListOptions} -} - -// OIDCClients returns a OIDCClientInformer. -func (v *version) OIDCClients() OIDCClientInformer { - return &oIDCClientInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions} -} diff --git a/generated/1.17/client/supervisor/listers/config/v1alpha1/expansion_generated.go b/generated/1.17/client/supervisor/listers/config/v1alpha1/expansion_generated.go index d59892c4..bda2f20e 100644 --- a/generated/1.17/client/supervisor/listers/config/v1alpha1/expansion_generated.go +++ b/generated/1.17/client/supervisor/listers/config/v1alpha1/expansion_generated.go 
@@ -12,3 +12,11 @@ type FederationDomainListerExpansion interface{} // FederationDomainNamespaceListerExpansion allows custom methods to be added to // FederationDomainNamespaceLister. type FederationDomainNamespaceListerExpansion interface{} + +// OIDCClientListerExpansion allows custom methods to be added to +// OIDCClientLister. +type OIDCClientListerExpansion interface{} + +// OIDCClientNamespaceListerExpansion allows custom methods to be added to +// OIDCClientNamespaceLister. +type OIDCClientNamespaceListerExpansion interface{} diff --git a/generated/1.17/client/supervisor/listers/oauth/v1alpha1/oidcclient.go b/generated/1.17/client/supervisor/listers/config/v1alpha1/oidcclient.go similarity index 97% rename from generated/1.17/client/supervisor/listers/oauth/v1alpha1/oidcclient.go rename to generated/1.17/client/supervisor/listers/config/v1alpha1/oidcclient.go index 8395809f..08c2ab25 100644 --- a/generated/1.17/client/supervisor/listers/oauth/v1alpha1/oidcclient.go +++ b/generated/1.17/client/supervisor/listers/config/v1alpha1/oidcclient.go @@ -6,7 +6,7 @@ package v1alpha1 import ( - v1alpha1 "go.pinniped.dev/generated/1.17/apis/supervisor/oauth/v1alpha1" + v1alpha1 "go.pinniped.dev/generated/1.17/apis/supervisor/config/v1alpha1" "k8s.io/apimachinery/pkg/api/errors" "k8s.io/apimachinery/pkg/labels" "k8s.io/client-go/tools/cache" diff --git a/generated/1.17/client/supervisor/listers/oauth/v1alpha1/expansion_generated.go b/generated/1.17/client/supervisor/listers/oauth/v1alpha1/expansion_generated.go deleted file mode 100644 index c19310da..00000000 --- a/generated/1.17/client/supervisor/listers/oauth/v1alpha1/expansion_generated.go +++ /dev/null 
@@ -1,14 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by lister-gen. DO NOT EDIT. - -package v1alpha1 - -// OIDCClientListerExpansion allows custom methods to be added to -// OIDCClientLister. -type OIDCClientListerExpansion interface{} - -// OIDCClientNamespaceListerExpansion allows custom methods to be added to -// OIDCClientNamespaceLister. -type OIDCClientNamespaceListerExpansion interface{} diff --git a/generated/1.18/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml b/generated/1.17/crds/config.supervisor.pinniped.dev_oidcclients.yaml similarity index 98% rename from generated/1.18/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml rename to generated/1.17/crds/config.supervisor.pinniped.dev_oidcclients.yaml index 589a9154..4efa445e 100644 --- a/generated/1.18/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml +++ b/generated/1.17/crds/config.supervisor.pinniped.dev_oidcclients.yaml @@ -5,9 +5,9 @@ metadata: annotations: controller-gen.kubebuilder.io/version: v0.8.0 creationTimestamp: null - name: oidcclients.oauth.supervisor.pinniped.dev + name: oidcclients.config.supervisor.pinniped.dev spec: - group: oauth.supervisor.pinniped.dev + group: config.supervisor.pinniped.dev names: categories: - pinniped diff --git a/generated/1.18/README.adoc b/generated/1.18/README.adoc index f2346ef6..63ec9f13 100644 --- a/generated/1.18/README.adoc +++ b/generated/1.18/README.adoc 
@@ -12,7 +12,6 @@ - xref:{anchor_prefix}-identity-concierge-pinniped-dev-v1alpha1[$$identity.concierge.pinniped.dev/v1alpha1$$] - xref:{anchor_prefix}-idp-supervisor-pinniped-dev-v1alpha1[$$idp.supervisor.pinniped.dev/v1alpha1$$] - xref:{anchor_prefix}-login-concierge-pinniped-dev-v1alpha1[$$login.concierge.pinniped.dev/v1alpha1$$] -- xref:{anchor_prefix}-oauth-supervisor-pinniped-dev-v1alpha1[$$oauth.supervisor.pinniped.dev/v1alpha1$$] [id="{anchor_prefix}-authentication-concierge-pinniped-dev-v1alpha1"] 
@@ -544,6 +543,51 @@ FederationDomainTLSSpec is a struct that describes the TLS configuration for an |=== +[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-config-v1alpha1-oidcclient"] +==== OIDCClient + +OIDCClient describes the configuration of an OIDC client. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-config-v1alpha1-oidcclientlist[$$OIDCClientList$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`. + +| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-config-v1alpha1-oidcclientspec[$$OIDCClientSpec$$]__ | Spec of the OIDC client. +| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-config-v1alpha1-oidcclientstatus[$$OIDCClientStatus$$]__ | Status of the OIDC client. +|=== + + + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-config-v1alpha1-oidcclientspec"] +==== OIDCClientSpec + +OIDCClientSpec is a struct that describes an OIDC Client. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-config-v1alpha1-oidcclient[$$OIDCClient$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`allowedRedirectURIs`* __string array__ | allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this client. Any other uris will be rejected. Must be https, unless it is a loopback. +| *`allowedGrantTypes`* __GrantType array__ | allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this client. + Must only contain the following values: - authorization_code: allows the client to perform the authorization code grant flow, i.e. 
allows the webapp to authenticate users. This grant must always be listed. - refresh_token: allows the client to perform refresh grants for the user to extend the user's session. This grant must be listed if allowedScopes lists offline_access. - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. This grant must be listed if allowedScopes lists pinniped:request-audience. +| *`allowedScopes`* __Scope array__ | allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. + Must only contain the following values: - openid: The client is allowed to request ID tokens. ID tokens only include the required claims by default (iss, sub, aud, exp, iat). This scope must always be listed. - offline_access: The client is allowed to request an initial refresh token during the authorization code grant flow. This scope must be listed if allowedGrantTypes lists refresh_token. - pinniped:request-audience: The client is allowed to request a new audience value during a RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. openid, username and groups scopes must be listed when this scope is present. This scope must be listed if allowedGrantTypes lists urn:ietf:params:oauth:grant-type:token-exchange. - username: The client is allowed to request that ID tokens contain the user's username. Without the username scope being requested and allowed, the ID token will not contain the user's username. - groups: The client is allowed to request that ID tokens contain the user's group membership, if their group membership is discoverable by the Supervisor. Without the groups scope being requested and allowed, the ID token will not contain groups. 
+|=== + + + + [id="{anchor_prefix}-identity-concierge-pinniped-dev-identity"] === identity.concierge.pinniped.dev/identity 
@@ -1333,56 +1377,3 @@ TokenCredentialRequestStatus is the status of a TokenCredentialRequest, returned |=== - -[id="{anchor_prefix}-oauth-supervisor-pinniped-dev-v1alpha1"] -=== oauth.supervisor.pinniped.dev/v1alpha1 - -Package v1alpha1 is the v1alpha1 version of the Pinniped supervisor oauth API. - - - -[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-oauth-v1alpha1-oidcclient"] -==== OIDCClient - -OIDCClient describes the configuration of an OIDC client. - -.Appears In: -**** -- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-oauth-v1alpha1-oidcclientlist[$$OIDCClientList$$] -**** - -[cols="25a,75a", options="header"] -|=== -| Field | Description -| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`. - -| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-oauth-v1alpha1-oidcclientspec[$$OIDCClientSpec$$]__ | Spec of the OIDC client. -| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-oauth-v1alpha1-oidcclientstatus[$$OIDCClientStatus$$]__ | Status of the OIDC client. -|=== - - - - -[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-oauth-v1alpha1-oidcclientspec"] -==== OIDCClientSpec - -OIDCClientSpec is a struct that describes an OIDC Client. - -.Appears In: -**** -- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-oauth-v1alpha1-oidcclient[$$OIDCClient$$] -**** - -[cols="25a,75a", options="header"] -|=== -| Field | Description -| *`allowedRedirectURIs`* __string array__ | allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this client. Any other uris will be rejected. Must be https, unless it is a loopback. 
-| *`allowedGrantTypes`* __GrantType array__ | allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this client. - Must only contain the following values: - authorization_code: allows the client to perform the authorization code grant flow, i.e. allows the webapp to authenticate users. This grant must always be listed. - refresh_token: allows the client to perform refresh grants for the user to extend the user's session. This grant must be listed if allowedScopes lists offline_access. - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. This grant must be listed if allowedScopes lists pinniped:request-audience. -| *`allowedScopes`* __Scope array__ | allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. - Must only contain the following values: - openid: The client is allowed to request ID tokens. ID tokens only include the required claims by default (iss, sub, aud, exp, iat). This scope must always be listed. - offline_access: The client is allowed to request an initial refresh token during the authorization code grant flow. This scope must be listed if allowedGrantTypes lists refresh_token. - pinniped:request-audience: The client is allowed to request a new audience value during a RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. openid, username and groups scopes must be listed when this scope is present. This scope must be listed if allowedGrantTypes lists urn:ietf:params:oauth:grant-type:token-exchange. - username: The client is allowed to request that ID tokens contain the user's username. Without the username scope being requested and allowed, the ID token will not contain the user's username. 
- groups: The client is allowed to request that ID tokens contain the user's group membership, if their group membership is discoverable by the Supervisor. Without the groups scope being requested and allowed, the ID token will not contain groups. -|=== - - - - diff --git a/generated/1.18/apis/supervisor/config/v1alpha1/register.go b/generated/1.18/apis/supervisor/config/v1alpha1/register.go index 69045298..54c51699 100644 --- a/generated/1.18/apis/supervisor/config/v1alpha1/register.go +++ b/generated/1.18/apis/supervisor/config/v1alpha1/register.go @@ -32,6 +32,8 @@ func addKnownTypes(scheme *runtime.Scheme) error { scheme.AddKnownTypes(SchemeGroupVersion, &FederationDomain{}, &FederationDomainList{}, + &OIDCClient{}, + &OIDCClientList{}, ) metav1.AddToGroupVersion(scheme, SchemeGroupVersion) return nil diff --git a/generated/1.18/apis/supervisor/oauth/v1alpha1/types_oidcclient.go b/generated/1.18/apis/supervisor/config/v1alpha1/types_oidcclient.go similarity index 100% rename from generated/1.18/apis/supervisor/oauth/v1alpha1/types_oidcclient.go rename to generated/1.18/apis/supervisor/config/v1alpha1/types_oidcclient.go diff --git a/generated/1.18/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go b/generated/1.18/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go index 856b8988..a55d88e7 100644 --- a/generated/1.18/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go +++ b/generated/1.18/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go 
@@ -150,3 +150,111 @@ func (in *FederationDomainTLSSpec) DeepCopy() *FederationDomainTLSSpec { in.DeepCopyInto(out) return out } + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCClient) DeepCopyInto(out *OIDCClient) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + in.Spec.DeepCopyInto(&out.Spec) + out.Status = in.Status + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClient. +func (in *OIDCClient) DeepCopy() *OIDCClient { + if in == nil { + return nil + } + out := new(OIDCClient) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *OIDCClient) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCClientList) DeepCopyInto(out *OIDCClientList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]OIDCClient, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientList. +func (in *OIDCClientList) DeepCopy() *OIDCClientList { + if in == nil { + return nil + } + out := new(OIDCClientList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *OIDCClientList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. 
in must be non-nil. +func (in *OIDCClientSpec) DeepCopyInto(out *OIDCClientSpec) { + *out = *in + if in.AllowedRedirectURIs != nil { + in, out := &in.AllowedRedirectURIs, &out.AllowedRedirectURIs + *out = make([]string, len(*in)) + copy(*out, *in) + } + if in.AllowedGrantTypes != nil { + in, out := &in.AllowedGrantTypes, &out.AllowedGrantTypes + *out = make([]GrantType, len(*in)) + copy(*out, *in) + } + if in.AllowedScopes != nil { + in, out := &in.AllowedScopes, &out.AllowedScopes + *out = make([]Scope, len(*in)) + copy(*out, *in) + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSpec. +func (in *OIDCClientSpec) DeepCopy() *OIDCClientSpec { + if in == nil { + return nil + } + out := new(OIDCClientSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCClientStatus) DeepCopyInto(out *OIDCClientStatus) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientStatus. +func (in *OIDCClientStatus) DeepCopy() *OIDCClientStatus { + if in == nil { + return nil + } + out := new(OIDCClientStatus) + in.DeepCopyInto(out) + return out +} diff --git a/generated/1.18/apis/supervisor/oauth/v1alpha1/doc.go b/generated/1.18/apis/supervisor/oauth/v1alpha1/doc.go deleted file mode 100644 index 75580481..00000000 --- a/generated/1.18/apis/supervisor/oauth/v1alpha1/doc.go +++ /dev/null @@ -1,10 +0,0 @@ -// Copyright 2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// +k8s:openapi-gen=true -// +k8s:deepcopy-gen=package -// +k8s:defaulter-gen=TypeMeta -// +groupName=oauth.supervisor.pinniped.dev - -// Package v1alpha1 is the v1alpha1 version of the Pinniped supervisor oauth API. -package v1alpha1 
diff --git a/generated/1.18/apis/supervisor/oauth/v1alpha1/register.go b/generated/1.18/apis/supervisor/oauth/v1alpha1/register.go deleted file mode 100644 index 37ae1fbf..00000000 --- a/generated/1.18/apis/supervisor/oauth/v1alpha1/register.go +++ /dev/null @@ -1,43 +0,0 @@ -// Copyright 2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -package v1alpha1 - -import ( - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - "k8s.io/apimachinery/pkg/runtime" - "k8s.io/apimachinery/pkg/runtime/schema" -) - -const GroupName = "oauth.supervisor.pinniped.dev" - -// SchemeGroupVersion is group version used to register these objects. -var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha1"} - -var ( - SchemeBuilder runtime.SchemeBuilder - localSchemeBuilder = &SchemeBuilder - AddToScheme = localSchemeBuilder.AddToScheme -) - -func init() { - // We only register manually written functions here. The registration of the - // generated functions takes place in the generated files. The separation - // makes the code compile even when the generated files are missing. - localSchemeBuilder.Register(addKnownTypes) -} - -// Adds the list of known types to the given scheme. -func addKnownTypes(scheme *runtime.Scheme) error { - scheme.AddKnownTypes(SchemeGroupVersion, - &OIDCClient{}, - &OIDCClientList{}, - ) - metav1.AddToGroupVersion(scheme, SchemeGroupVersion) - return nil -} - -// Resource takes an unqualified resource and returns a Group qualified GroupResource. -func Resource(resource string) schema.GroupResource { - return SchemeGroupVersion.WithResource(resource).GroupResource() -} diff --git a/generated/1.18/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go b/generated/1.18/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go deleted file mode 100644 index 1aba8aea..00000000 --- a/generated/1.18/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go +++ /dev/null 
@@ -1,121 +0,0 @@ -//go:build !ignore_autogenerated -// +build !ignore_autogenerated - -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by deepcopy-gen. DO NOT EDIT. - -package v1alpha1 - -import ( - runtime "k8s.io/apimachinery/pkg/runtime" -) - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *OIDCClient) DeepCopyInto(out *OIDCClient) { - *out = *in - out.TypeMeta = in.TypeMeta - in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) - in.Spec.DeepCopyInto(&out.Spec) - out.Status = in.Status - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClient. -func (in *OIDCClient) DeepCopy() *OIDCClient { - if in == nil { - return nil - } - out := new(OIDCClient) - in.DeepCopyInto(out) - return out -} - -// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. -func (in *OIDCClient) DeepCopyObject() runtime.Object { - if c := in.DeepCopy(); c != nil { - return c - } - return nil -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *OIDCClientList) DeepCopyInto(out *OIDCClientList) { - *out = *in - out.TypeMeta = in.TypeMeta - in.ListMeta.DeepCopyInto(&out.ListMeta) - if in.Items != nil { - in, out := &in.Items, &out.Items - *out = make([]OIDCClient, len(*in)) - for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) - } - } - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientList. -func (in *OIDCClientList) DeepCopy() *OIDCClientList { - if in == nil { - return nil - } - out := new(OIDCClientList) - in.DeepCopyInto(out) - return out -} - -// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. 
-func (in *OIDCClientList) DeepCopyObject() runtime.Object { - if c := in.DeepCopy(); c != nil { - return c - } - return nil -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *OIDCClientSpec) DeepCopyInto(out *OIDCClientSpec) { - *out = *in - if in.AllowedRedirectURIs != nil { - in, out := &in.AllowedRedirectURIs, &out.AllowedRedirectURIs - *out = make([]string, len(*in)) - copy(*out, *in) - } - if in.AllowedGrantTypes != nil { - in, out := &in.AllowedGrantTypes, &out.AllowedGrantTypes - *out = make([]GrantType, len(*in)) - copy(*out, *in) - } - if in.AllowedScopes != nil { - in, out := &in.AllowedScopes, &out.AllowedScopes - *out = make([]Scope, len(*in)) - copy(*out, *in) - } - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSpec. -func (in *OIDCClientSpec) DeepCopy() *OIDCClientSpec { - if in == nil { - return nil - } - out := new(OIDCClientSpec) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *OIDCClientStatus) DeepCopyInto(out *OIDCClientStatus) { - *out = *in - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientStatus. -func (in *OIDCClientStatus) DeepCopy() *OIDCClientStatus { - if in == nil { - return nil - } - out := new(OIDCClientStatus) - in.DeepCopyInto(out) - return out -} diff --git a/generated/1.18/client/supervisor/clientset/versioned/clientset.go b/generated/1.18/client/supervisor/clientset/versioned/clientset.go index d9bb8ce9..1427efc1 100644 --- a/generated/1.18/client/supervisor/clientset/versioned/clientset.go +++ b/generated/1.18/client/supervisor/clientset/versioned/clientset.go 
@@ -10,7 +10,6 @@ import ( configv1alpha1 "go.pinniped.dev/generated/1.18/client/supervisor/clientset/versioned/typed/config/v1alpha1" idpv1alpha1 "go.pinniped.dev/generated/1.18/client/supervisor/clientset/versioned/typed/idp/v1alpha1" - oauthv1alpha1 "go.pinniped.dev/generated/1.18/client/supervisor/clientset/versioned/typed/oauth/v1alpha1" discovery "k8s.io/client-go/discovery" rest "k8s.io/client-go/rest" flowcontrol "k8s.io/client-go/util/flowcontrol" @@ -20,7 +19,6 @@ type Interface interface { Discovery() discovery.DiscoveryInterface ConfigV1alpha1() configv1alpha1.ConfigV1alpha1Interface IDPV1alpha1() idpv1alpha1.IDPV1alpha1Interface - OauthV1alpha1() oauthv1alpha1.OauthV1alpha1Interface } // Clientset contains the clients for groups. Each group has exactly one @@ -29,7 +27,6 @@ type Clientset struct { *discovery.DiscoveryClient configV1alpha1 *configv1alpha1.ConfigV1alpha1Client iDPV1alpha1 *idpv1alpha1.IDPV1alpha1Client - oauthV1alpha1 *oauthv1alpha1.OauthV1alpha1Client } // ConfigV1alpha1 retrieves the ConfigV1alpha1Client @@ -42,11 +39,6 @@ func (c *Clientset) IDPV1alpha1() idpv1alpha1.IDPV1alpha1Interface { return c.iDPV1alpha1 } -// OauthV1alpha1 retrieves the OauthV1alpha1Client -func (c *Clientset) OauthV1alpha1() oauthv1alpha1.OauthV1alpha1Interface { - return c.oauthV1alpha1 -} - // Discovery retrieves the DiscoveryClient func (c *Clientset) Discovery() discovery.DiscoveryInterface { if c == nil { @@ -76,10 +68,6 @@ func NewForConfig(c *rest.Config) (*Clientset, error) { if err != nil { return nil, err } - cs.oauthV1alpha1, err = oauthv1alpha1.NewForConfig(&configShallowCopy) - if err != nil { - return nil, err - } cs.DiscoveryClient, err = discovery.NewDiscoveryClientForConfig(&configShallowCopy) if err != nil { 
@@ -94,7 +82,6 @@ func NewForConfigOrDie(c *rest.Config) *Clientset { var cs Clientset cs.configV1alpha1 = configv1alpha1.NewForConfigOrDie(c) cs.iDPV1alpha1 = idpv1alpha1.NewForConfigOrDie(c) - cs.oauthV1alpha1 = oauthv1alpha1.NewForConfigOrDie(c) cs.DiscoveryClient = discovery.NewDiscoveryClientForConfigOrDie(c) return &cs @@ -105,7 +92,6 @@ func New(c rest.Interface) *Clientset { var cs Clientset cs.configV1alpha1 = configv1alpha1.New(c) cs.iDPV1alpha1 = idpv1alpha1.New(c) - cs.oauthV1alpha1 = oauthv1alpha1.New(c) cs.DiscoveryClient = discovery.NewDiscoveryClient(c) return &cs diff --git a/generated/1.18/client/supervisor/clientset/versioned/fake/clientset_generated.go b/generated/1.18/client/supervisor/clientset/versioned/fake/clientset_generated.go index be0ba580..4a5361d2 100644 --- a/generated/1.18/client/supervisor/clientset/versioned/fake/clientset_generated.go +++ b/generated/1.18/client/supervisor/clientset/versioned/fake/clientset_generated.go @@ -11,8 +11,6 @@ import ( fakeconfigv1alpha1 "go.pinniped.dev/generated/1.18/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake" idpv1alpha1 "go.pinniped.dev/generated/1.18/client/supervisor/clientset/versioned/typed/idp/v1alpha1" fakeidpv1alpha1 "go.pinniped.dev/generated/1.18/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake" - oauthv1alpha1 "go.pinniped.dev/generated/1.18/client/supervisor/clientset/versioned/typed/oauth/v1alpha1" - fakeoauthv1alpha1 "go.pinniped.dev/generated/1.18/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake" "k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/watch" "k8s.io/client-go/discovery" 
@@ -76,8 +74,3 @@ func (c *Clientset) ConfigV1alpha1() configv1alpha1.ConfigV1alpha1Interface { func (c *Clientset) IDPV1alpha1() idpv1alpha1.IDPV1alpha1Interface { return &fakeidpv1alpha1.FakeIDPV1alpha1{Fake: &c.Fake} } - -// OauthV1alpha1 retrieves the OauthV1alpha1Client -func (c *Clientset) OauthV1alpha1() oauthv1alpha1.OauthV1alpha1Interface { - return &fakeoauthv1alpha1.FakeOauthV1alpha1{Fake: &c.Fake} -} diff --git a/generated/1.18/client/supervisor/clientset/versioned/fake/register.go b/generated/1.18/client/supervisor/clientset/versioned/fake/register.go index 9a64a8a9..20b81309 100644 --- a/generated/1.18/client/supervisor/clientset/versioned/fake/register.go +++ b/generated/1.18/client/supervisor/clientset/versioned/fake/register.go @@ -8,7 +8,6 @@ package fake import ( configv1alpha1 "go.pinniped.dev/generated/1.18/apis/supervisor/config/v1alpha1" idpv1alpha1 "go.pinniped.dev/generated/1.18/apis/supervisor/idp/v1alpha1" - oauthv1alpha1 "go.pinniped.dev/generated/1.18/apis/supervisor/oauth/v1alpha1" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" runtime "k8s.io/apimachinery/pkg/runtime" schema "k8s.io/apimachinery/pkg/runtime/schema" @@ -22,7 +21,6 @@ var parameterCodec = runtime.NewParameterCodec(scheme) var localSchemeBuilder = runtime.SchemeBuilder{ configv1alpha1.AddToScheme, idpv1alpha1.AddToScheme, - oauthv1alpha1.AddToScheme, } // AddToScheme adds all types of this clientset into the given scheme. This allows composition diff --git a/generated/1.18/client/supervisor/clientset/versioned/scheme/register.go b/generated/1.18/client/supervisor/clientset/versioned/scheme/register.go index 1de4c05d..23788bd1 100644 --- a/generated/1.18/client/supervisor/clientset/versioned/scheme/register.go +++ b/generated/1.18/client/supervisor/clientset/versioned/scheme/register.go 
@@ -8,7 +8,6 @@ package scheme import ( configv1alpha1 "go.pinniped.dev/generated/1.18/apis/supervisor/config/v1alpha1" idpv1alpha1 "go.pinniped.dev/generated/1.18/apis/supervisor/idp/v1alpha1" - oauthv1alpha1 "go.pinniped.dev/generated/1.18/apis/supervisor/oauth/v1alpha1" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" runtime "k8s.io/apimachinery/pkg/runtime" schema "k8s.io/apimachinery/pkg/runtime/schema" @@ -22,7 +21,6 @@ var ParameterCodec = runtime.NewParameterCodec(Scheme) var localSchemeBuilder = runtime.SchemeBuilder{ configv1alpha1.AddToScheme, idpv1alpha1.AddToScheme, - oauthv1alpha1.AddToScheme, } // AddToScheme adds all types of this clientset into the given scheme. This allows composition diff --git a/generated/1.18/client/supervisor/clientset/versioned/typed/config/v1alpha1/config_client.go b/generated/1.18/client/supervisor/clientset/versioned/typed/config/v1alpha1/config_client.go index 1bdb3362..24c1c6bf 100644 --- a/generated/1.18/client/supervisor/clientset/versioned/typed/config/v1alpha1/config_client.go +++ b/generated/1.18/client/supervisor/clientset/versioned/typed/config/v1alpha1/config_client.go @@ -14,6 +14,7 @@ import ( type ConfigV1alpha1Interface interface { RESTClient() rest.Interface FederationDomainsGetter + OIDCClientsGetter } // ConfigV1alpha1Client is used to interact with features provided by the config.supervisor.pinniped.dev group. @@ -25,6 +26,10 @@ func (c *ConfigV1alpha1Client) FederationDomains(namespace string) FederationDom return newFederationDomains(c, namespace) } +func (c *ConfigV1alpha1Client) OIDCClients(namespace string) OIDCClientInterface { + return newOIDCClients(c, namespace) +} + // NewForConfig creates a new ConfigV1alpha1Client for the given config. func NewForConfig(c *rest.Config) (*ConfigV1alpha1Client, error) { config := *c 
diff --git a/generated/1.18/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake/fake_config_client.go b/generated/1.18/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake/fake_config_client.go index 0aeb5048..a653b66e 100644 --- a/generated/1.18/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake/fake_config_client.go +++ b/generated/1.18/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake/fake_config_client.go @@ -19,6 +19,10 @@ func (c *FakeConfigV1alpha1) FederationDomains(namespace string) v1alpha1.Federa return &FakeFederationDomains{c, namespace} } +func (c *FakeConfigV1alpha1) OIDCClients(namespace string) v1alpha1.OIDCClientInterface { + return &FakeOIDCClients{c, namespace} +} + // RESTClient returns a RESTClient that is used to communicate // with API server by this client implementation. func (c *FakeConfigV1alpha1) RESTClient() rest.Interface { diff --git a/generated/1.18/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oidcclient.go b/generated/1.18/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake/fake_oidcclient.go similarity index 92% rename from generated/1.18/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oidcclient.go rename to generated/1.18/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake/fake_oidcclient.go index a177ce4a..f04ffb6d 100644 --- a/generated/1.18/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oidcclient.go +++ b/generated/1.18/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake/fake_oidcclient.go @@ -8,7 +8,7 @@ package fake import ( "context" - v1alpha1 "go.pinniped.dev/generated/1.18/apis/supervisor/oauth/v1alpha1" + v1alpha1 "go.pinniped.dev/generated/1.18/apis/supervisor/config/v1alpha1" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" labels "k8s.io/apimachinery/pkg/labels" schema "k8s.io/apimachinery/pkg/runtime/schema" 
@@ -19,13 +19,13 @@ import ( // FakeOIDCClients implements OIDCClientInterface type FakeOIDCClients struct { - Fake *FakeOauthV1alpha1 + Fake *FakeConfigV1alpha1 ns string } -var oidcclientsResource = schema.GroupVersionResource{Group: "oauth.supervisor.pinniped.dev", Version: "v1alpha1", Resource: "oidcclients"} +var oidcclientsResource = schema.GroupVersionResource{Group: "config.supervisor.pinniped.dev", Version: "v1alpha1", Resource: "oidcclients"} -var oidcclientsKind = schema.GroupVersionKind{Group: "oauth.supervisor.pinniped.dev", Version: "v1alpha1", Kind: "OIDCClient"} +var oidcclientsKind = schema.GroupVersionKind{Group: "config.supervisor.pinniped.dev", Version: "v1alpha1", Kind: "OIDCClient"} // Get takes name of the oIDCClient, and returns the corresponding oIDCClient object, and an error if there is any. func (c *FakeOIDCClients) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.OIDCClient, err error) { diff --git a/generated/1.18/client/supervisor/clientset/versioned/typed/config/v1alpha1/generated_expansion.go b/generated/1.18/client/supervisor/clientset/versioned/typed/config/v1alpha1/generated_expansion.go index ba9c9173..35b9ee3d 100644 --- a/generated/1.18/client/supervisor/clientset/versioned/typed/config/v1alpha1/generated_expansion.go +++ b/generated/1.18/client/supervisor/clientset/versioned/typed/config/v1alpha1/generated_expansion.go @@ -6,3 +6,5 @@ package v1alpha1 type FederationDomainExpansion interface{} + +type OIDCClientExpansion interface{} diff --git a/generated/1.18/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oidcclient.go b/generated/1.18/client/supervisor/clientset/versioned/typed/config/v1alpha1/oidcclient.go similarity index 97% rename from generated/1.18/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oidcclient.go rename to generated/1.18/client/supervisor/clientset/versioned/typed/config/v1alpha1/oidcclient.go index 26026924..1e65bfbf 100644 
--- a/generated/1.18/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oidcclient.go +++ b/generated/1.18/client/supervisor/clientset/versioned/typed/config/v1alpha1/oidcclient.go @@ -9,7 +9,7 @@ import ( "context" "time" - v1alpha1 "go.pinniped.dev/generated/1.18/apis/supervisor/oauth/v1alpha1" + v1alpha1 "go.pinniped.dev/generated/1.18/apis/supervisor/config/v1alpha1" scheme "go.pinniped.dev/generated/1.18/client/supervisor/clientset/versioned/scheme" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" types "k8s.io/apimachinery/pkg/types" @@ -44,7 +44,7 @@ type oIDCClients struct { } // newOIDCClients returns a OIDCClients -func newOIDCClients(c *OauthV1alpha1Client, namespace string) *oIDCClients { +func newOIDCClients(c *ConfigV1alpha1Client, namespace string) *oIDCClients { return &oIDCClients{ client: c.RESTClient(), ns: namespace, diff --git a/generated/1.18/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/doc.go b/generated/1.18/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/doc.go deleted file mode 100644 index e7a470b6..00000000 --- a/generated/1.18/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/doc.go +++ /dev/null @@ -1,7 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by client-gen. DO NOT EDIT. - -// This package has the automatically generated typed clients. -package v1alpha1 diff --git a/generated/1.18/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go b/generated/1.18/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go deleted file mode 100644 index 7906901b..00000000 --- a/generated/1.18/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go +++ /dev/null 
@@ -1,7 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by client-gen. DO NOT EDIT. - -// Package fake has the automatically generated clients. -package fake diff --git a/generated/1.18/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go b/generated/1.18/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go deleted file mode 100644 index 0483f163..00000000 --- a/generated/1.18/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go +++ /dev/null @@ -1,27 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by client-gen. DO NOT EDIT. - -package fake - -import ( - v1alpha1 "go.pinniped.dev/generated/1.18/client/supervisor/clientset/versioned/typed/oauth/v1alpha1" - rest "k8s.io/client-go/rest" - testing "k8s.io/client-go/testing" -) - -type FakeOauthV1alpha1 struct { - *testing.Fake -} - -func (c *FakeOauthV1alpha1) OIDCClients(namespace string) v1alpha1.OIDCClientInterface { - return &FakeOIDCClients{c, namespace} -} - -// RESTClient returns a RESTClient that is used to communicate -// with API server by this client implementation. -func (c *FakeOauthV1alpha1) RESTClient() rest.Interface { - var ret *rest.RESTClient - return ret -} diff --git a/generated/1.18/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go b/generated/1.18/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go deleted file mode 100644 index 87d22ea9..00000000 --- a/generated/1.18/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go +++ /dev/null 
@@ -1,8 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by client-gen. DO NOT EDIT. - -package v1alpha1 - -type OIDCClientExpansion interface{} diff --git a/generated/1.18/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go b/generated/1.18/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go deleted file mode 100644 index 17d59cf4..00000000 --- a/generated/1.18/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go +++ /dev/null 
@@ -1,76 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by client-gen. DO NOT EDIT. - -package v1alpha1 - -import ( - v1alpha1 "go.pinniped.dev/generated/1.18/apis/supervisor/oauth/v1alpha1" - "go.pinniped.dev/generated/1.18/client/supervisor/clientset/versioned/scheme" - rest "k8s.io/client-go/rest" -) - -type OauthV1alpha1Interface interface { - RESTClient() rest.Interface - OIDCClientsGetter -} - -// OauthV1alpha1Client is used to interact with features provided by the oauth.supervisor.pinniped.dev group. -type OauthV1alpha1Client struct { - restClient rest.Interface -} - -func (c *OauthV1alpha1Client) OIDCClients(namespace string) OIDCClientInterface { - return newOIDCClients(c, namespace) -} - -// NewForConfig creates a new OauthV1alpha1Client for the given config. -func NewForConfig(c *rest.Config) (*OauthV1alpha1Client, error) { - config := *c - if err := setConfigDefaults(&config); err != nil { - return nil, err - } - client, err := rest.RESTClientFor(&config) - if err != nil { - return nil, err - } - return &OauthV1alpha1Client{client}, nil -} - -// NewForConfigOrDie creates a new OauthV1alpha1Client for the given config and -// panics if there is an error in the config. -func NewForConfigOrDie(c *rest.Config) *OauthV1alpha1Client { - client, err := NewForConfig(c) - if err != nil { - panic(err) - } - return client -} - -// New creates a new OauthV1alpha1Client for the given RESTClient. 
-func New(c rest.Interface) *OauthV1alpha1Client { - return &OauthV1alpha1Client{c} -} - -func setConfigDefaults(config *rest.Config) error { - gv := v1alpha1.SchemeGroupVersion - config.GroupVersion = &gv - config.APIPath = "/apis" - config.NegotiatedSerializer = scheme.Codecs.WithoutConversion() - - if config.UserAgent == "" { - config.UserAgent = rest.DefaultKubernetesUserAgent() - } - - return nil -} - -// RESTClient returns a RESTClient that is used to communicate -// with API server by this client implementation. -func (c *OauthV1alpha1Client) RESTClient() rest.Interface { - if c == nil { - return nil - } - return c.restClient -} diff --git a/generated/1.18/client/supervisor/informers/externalversions/config/v1alpha1/interface.go b/generated/1.18/client/supervisor/informers/externalversions/config/v1alpha1/interface.go index 54d42593..af4b30aa 100644 --- a/generated/1.18/client/supervisor/informers/externalversions/config/v1alpha1/interface.go +++ b/generated/1.18/client/supervisor/informers/externalversions/config/v1alpha1/interface.go @@ -13,6 +13,8 @@ import ( type Interface interface { // FederationDomains returns a FederationDomainInformer. FederationDomains() FederationDomainInformer + // OIDCClients returns a OIDCClientInformer. + OIDCClients() OIDCClientInformer } type version struct { @@ -30,3 +32,8 @@ func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakList func (v *version) FederationDomains() FederationDomainInformer { return &federationDomainInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions} } + +// OIDCClients returns a OIDCClientInformer. +func (v *version) OIDCClients() OIDCClientInformer { + return &oIDCClientInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions} +} 
diff --git a/generated/1.18/client/supervisor/informers/externalversions/oauth/v1alpha1/oidcclient.go b/generated/1.18/client/supervisor/informers/externalversions/config/v1alpha1/oidcclient.go similarity index 88% rename from generated/1.18/client/supervisor/informers/externalversions/oauth/v1alpha1/oidcclient.go rename to generated/1.18/client/supervisor/informers/externalversions/config/v1alpha1/oidcclient.go index c5869b86..bf495ab0 100644 --- a/generated/1.18/client/supervisor/informers/externalversions/oauth/v1alpha1/oidcclient.go +++ b/generated/1.18/client/supervisor/informers/externalversions/config/v1alpha1/oidcclient.go @@ -9,10 +9,10 @@ import ( "context" time "time" - oauthv1alpha1 "go.pinniped.dev/generated/1.18/apis/supervisor/oauth/v1alpha1" + configv1alpha1 "go.pinniped.dev/generated/1.18/apis/supervisor/config/v1alpha1" versioned "go.pinniped.dev/generated/1.18/client/supervisor/clientset/versioned" internalinterfaces "go.pinniped.dev/generated/1.18/client/supervisor/informers/externalversions/internalinterfaces" - v1alpha1 "go.pinniped.dev/generated/1.18/client/supervisor/listers/oauth/v1alpha1" + v1alpha1 "go.pinniped.dev/generated/1.18/client/supervisor/listers/config/v1alpha1" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" runtime "k8s.io/apimachinery/pkg/runtime" watch "k8s.io/apimachinery/pkg/watch" 
@@ -49,16 +49,16 @@ func NewFilteredOIDCClientInformer(client versioned.Interface, namespace string, if tweakListOptions != nil { tweakListOptions(&options) } - return client.OauthV1alpha1().OIDCClients(namespace).List(context.TODO(), options) + return client.ConfigV1alpha1().OIDCClients(namespace).List(context.TODO(), options) }, WatchFunc: func(options v1.ListOptions) (watch.Interface, error) { if tweakListOptions != nil { tweakListOptions(&options) } - return client.OauthV1alpha1().OIDCClients(namespace).Watch(context.TODO(), options) + return client.ConfigV1alpha1().OIDCClients(namespace).Watch(context.TODO(), options) }, }, - &oauthv1alpha1.OIDCClient{}, + &configv1alpha1.OIDCClient{}, resyncPeriod, indexers, ) @@ -69,7 +69,7 @@ func (f *oIDCClientInformer) defaultInformer(client versioned.Interface, resyncP } func (f *oIDCClientInformer) Informer() cache.SharedIndexInformer { - return f.factory.InformerFor(&oauthv1alpha1.OIDCClient{}, f.defaultInformer) + return f.factory.InformerFor(&configv1alpha1.OIDCClient{}, f.defaultInformer) } func (f *oIDCClientInformer) Lister() v1alpha1.OIDCClientLister { diff --git a/generated/1.18/client/supervisor/informers/externalversions/factory.go b/generated/1.18/client/supervisor/informers/externalversions/factory.go index 158fded5..997de893 100644 --- a/generated/1.18/client/supervisor/informers/externalversions/factory.go +++ b/generated/1.18/client/supervisor/informers/externalversions/factory.go 
@@ -14,7 +14,6 @@ import ( config "go.pinniped.dev/generated/1.18/client/supervisor/informers/externalversions/config" idp "go.pinniped.dev/generated/1.18/client/supervisor/informers/externalversions/idp" internalinterfaces "go.pinniped.dev/generated/1.18/client/supervisor/informers/externalversions/internalinterfaces" - oauth "go.pinniped.dev/generated/1.18/client/supervisor/informers/externalversions/oauth" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" runtime "k8s.io/apimachinery/pkg/runtime" schema "k8s.io/apimachinery/pkg/runtime/schema" @@ -163,7 +162,6 @@ type SharedInformerFactory interface { Config() config.Interface IDP() idp.Interface - Oauth() oauth.Interface } func (f *sharedInformerFactory) Config() config.Interface { @@ -173,7 +171,3 @@ func (f *sharedInformerFactory) Config() config.Interface { func (f *sharedInformerFactory) IDP() idp.Interface { return idp.New(f, f.namespace, f.tweakListOptions) } - -func (f *sharedInformerFactory) Oauth() oauth.Interface { - return oauth.New(f, f.namespace, f.tweakListOptions) -} diff --git a/generated/1.18/client/supervisor/informers/externalversions/generic.go b/generated/1.18/client/supervisor/informers/externalversions/generic.go index 43579b43..395cc6a8 100644 --- a/generated/1.18/client/supervisor/informers/externalversions/generic.go +++ b/generated/1.18/client/supervisor/informers/externalversions/generic.go @@ -10,7 +10,6 @@ import ( v1alpha1 "go.pinniped.dev/generated/1.18/apis/supervisor/config/v1alpha1" idpv1alpha1 "go.pinniped.dev/generated/1.18/apis/supervisor/idp/v1alpha1" - oauthv1alpha1 "go.pinniped.dev/generated/1.18/apis/supervisor/oauth/v1alpha1" schema "k8s.io/apimachinery/pkg/runtime/schema" cache "k8s.io/client-go/tools/cache" ) 
@@ -44,6 +43,8 @@ func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource // Group=config.supervisor.pinniped.dev, Version=v1alpha1 case v1alpha1.SchemeGroupVersion.WithResource("federationdomains"): return &genericInformer{resource: resource.GroupResource(), informer: f.Config().V1alpha1().FederationDomains().Informer()}, nil + case v1alpha1.SchemeGroupVersion.WithResource("oidcclients"): + return &genericInformer{resource: resource.GroupResource(), informer: f.Config().V1alpha1().OIDCClients().Informer()}, nil // Group=idp.supervisor.pinniped.dev, Version=v1alpha1 case idpv1alpha1.SchemeGroupVersion.WithResource("activedirectoryidentityproviders"): @@ -53,10 +54,6 @@ func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource case idpv1alpha1.SchemeGroupVersion.WithResource("oidcidentityproviders"): return &genericInformer{resource: resource.GroupResource(), informer: f.IDP().V1alpha1().OIDCIdentityProviders().Informer()}, nil - // Group=oauth.supervisor.pinniped.dev, Version=v1alpha1 - case oauthv1alpha1.SchemeGroupVersion.WithResource("oidcclients"): - return &genericInformer{resource: resource.GroupResource(), informer: f.Oauth().V1alpha1().OIDCClients().Informer()}, nil - } return nil, fmt.Errorf("no informer found for %v", resource) diff --git a/generated/1.18/client/supervisor/informers/externalversions/oauth/interface.go b/generated/1.18/client/supervisor/informers/externalversions/oauth/interface.go deleted file mode 100644 index 7a2b6531..00000000 --- a/generated/1.18/client/supervisor/informers/externalversions/oauth/interface.go +++ /dev/null 
@@ -1,33 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by informer-gen. DO NOT EDIT. - -package oauth - -import ( - internalinterfaces "go.pinniped.dev/generated/1.18/client/supervisor/informers/externalversions/internalinterfaces" - v1alpha1 "go.pinniped.dev/generated/1.18/client/supervisor/informers/externalversions/oauth/v1alpha1" -) - -// Interface provides access to each of this group's versions. -type Interface interface { - // V1alpha1 provides access to shared informers for resources in V1alpha1. - V1alpha1() v1alpha1.Interface -} - -type group struct { - factory internalinterfaces.SharedInformerFactory - namespace string - tweakListOptions internalinterfaces.TweakListOptionsFunc -} - -// New returns a new Interface. -func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakListOptions internalinterfaces.TweakListOptionsFunc) Interface { - return &group{factory: f, namespace: namespace, tweakListOptions: tweakListOptions} -} - -// V1alpha1 returns a new v1alpha1.Interface. -func (g *group) V1alpha1() v1alpha1.Interface { - return v1alpha1.New(g.factory, g.namespace, g.tweakListOptions) -} diff --git a/generated/1.18/client/supervisor/informers/externalversions/oauth/v1alpha1/interface.go b/generated/1.18/client/supervisor/informers/externalversions/oauth/v1alpha1/interface.go deleted file mode 100644 index 86b4efd0..00000000 --- a/generated/1.18/client/supervisor/informers/externalversions/oauth/v1alpha1/interface.go +++ /dev/null 
@@ -1,32 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by informer-gen. DO NOT EDIT. - -package v1alpha1 - -import ( - internalinterfaces "go.pinniped.dev/generated/1.18/client/supervisor/informers/externalversions/internalinterfaces" -) - -// Interface provides access to all the informers in this group version. -type Interface interface { - // OIDCClients returns a OIDCClientInformer. - OIDCClients() OIDCClientInformer -} - -type version struct { - factory internalinterfaces.SharedInformerFactory - namespace string - tweakListOptions internalinterfaces.TweakListOptionsFunc -} - -// New returns a new Interface. -func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakListOptions internalinterfaces.TweakListOptionsFunc) Interface { - return &version{factory: f, namespace: namespace, tweakListOptions: tweakListOptions} -} - -// OIDCClients returns a OIDCClientInformer. -func (v *version) OIDCClients() OIDCClientInformer { - return &oIDCClientInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions} -} diff --git a/generated/1.18/client/supervisor/listers/config/v1alpha1/expansion_generated.go b/generated/1.18/client/supervisor/listers/config/v1alpha1/expansion_generated.go index d59892c4..bda2f20e 100644 --- a/generated/1.18/client/supervisor/listers/config/v1alpha1/expansion_generated.go +++ b/generated/1.18/client/supervisor/listers/config/v1alpha1/expansion_generated.go 
@@ -12,3 +12,11 @@ type FederationDomainListerExpansion interface{} // FederationDomainNamespaceListerExpansion allows custom methods to be added to // FederationDomainNamespaceLister. type FederationDomainNamespaceListerExpansion interface{} + +// OIDCClientListerExpansion allows custom methods to be added to +// OIDCClientLister. +type OIDCClientListerExpansion interface{} + +// OIDCClientNamespaceListerExpansion allows custom methods to be added to +// OIDCClientNamespaceLister. +type OIDCClientNamespaceListerExpansion interface{} diff --git a/generated/1.18/client/supervisor/listers/oauth/v1alpha1/oidcclient.go b/generated/1.18/client/supervisor/listers/config/v1alpha1/oidcclient.go similarity index 97% rename from generated/1.18/client/supervisor/listers/oauth/v1alpha1/oidcclient.go rename to generated/1.18/client/supervisor/listers/config/v1alpha1/oidcclient.go index 77d38f1e..79278890 100644 --- a/generated/1.18/client/supervisor/listers/oauth/v1alpha1/oidcclient.go +++ b/generated/1.18/client/supervisor/listers/config/v1alpha1/oidcclient.go @@ -6,7 +6,7 @@ package v1alpha1 import ( - v1alpha1 "go.pinniped.dev/generated/1.18/apis/supervisor/oauth/v1alpha1" + v1alpha1 "go.pinniped.dev/generated/1.18/apis/supervisor/config/v1alpha1" "k8s.io/apimachinery/pkg/api/errors" "k8s.io/apimachinery/pkg/labels" "k8s.io/client-go/tools/cache" diff --git a/generated/1.18/client/supervisor/listers/oauth/v1alpha1/expansion_generated.go b/generated/1.18/client/supervisor/listers/oauth/v1alpha1/expansion_generated.go deleted file mode 100644 index c19310da..00000000 --- a/generated/1.18/client/supervisor/listers/oauth/v1alpha1/expansion_generated.go +++ /dev/null 
@@ -1,14 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by lister-gen. DO NOT EDIT. - -package v1alpha1 - -// OIDCClientListerExpansion allows custom methods to be added to -// OIDCClientLister. -type OIDCClientListerExpansion interface{} - -// OIDCClientNamespaceListerExpansion allows custom methods to be added to -// OIDCClientNamespaceLister. -type OIDCClientNamespaceListerExpansion interface{} diff --git a/deploy/supervisor/oauth.supervisor.pinniped.dev_oidcclients.yaml b/generated/1.18/crds/config.supervisor.pinniped.dev_oidcclients.yaml similarity index 98% rename from deploy/supervisor/oauth.supervisor.pinniped.dev_oidcclients.yaml rename to generated/1.18/crds/config.supervisor.pinniped.dev_oidcclients.yaml index 589a9154..4efa445e 100644 --- a/deploy/supervisor/oauth.supervisor.pinniped.dev_oidcclients.yaml +++ b/generated/1.18/crds/config.supervisor.pinniped.dev_oidcclients.yaml @@ -5,9 +5,9 @@ metadata: annotations: controller-gen.kubebuilder.io/version: v0.8.0 creationTimestamp: null - name: oidcclients.oauth.supervisor.pinniped.dev + name: oidcclients.config.supervisor.pinniped.dev spec: - group: oauth.supervisor.pinniped.dev + group: config.supervisor.pinniped.dev names: categories: - pinniped diff --git a/generated/1.19/README.adoc b/generated/1.19/README.adoc index 6cd1eaa0..f04d438f 100644 --- a/generated/1.19/README.adoc +++ b/generated/1.19/README.adoc @@ -12,7 +12,6 @@ - xref:{anchor_prefix}-identity-concierge-pinniped-dev-v1alpha1[$$identity.concierge.pinniped.dev/v1alpha1$$] - xref:{anchor_prefix}-idp-supervisor-pinniped-dev-v1alpha1[$$idp.supervisor.pinniped.dev/v1alpha1$$] - xref:{anchor_prefix}-login-concierge-pinniped-dev-v1alpha1[$$login.concierge.pinniped.dev/v1alpha1$$] -- xref:{anchor_prefix}-oauth-supervisor-pinniped-dev-v1alpha1[$$oauth.supervisor.pinniped.dev/v1alpha1$$] [id="{anchor_prefix}-authentication-concierge-pinniped-dev-v1alpha1"] 
@@ -544,6 +543,51 @@ FederationDomainTLSSpec is a struct that describes the TLS configuration for an |=== +[id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-config-v1alpha1-oidcclient"] +==== OIDCClient + +OIDCClient describes the configuration of an OIDC client. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-config-v1alpha1-oidcclientlist[$$OIDCClientList$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`. + +| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-config-v1alpha1-oidcclientspec[$$OIDCClientSpec$$]__ | Spec of the OIDC client. +| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-config-v1alpha1-oidcclientstatus[$$OIDCClientStatus$$]__ | Status of the OIDC client. +|=== + + + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-config-v1alpha1-oidcclientspec"] +==== OIDCClientSpec + +OIDCClientSpec is a struct that describes an OIDC Client. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-config-v1alpha1-oidcclient[$$OIDCClient$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`allowedRedirectURIs`* __string array__ | allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this client. Any other uris will be rejected. Must be https, unless it is a loopback. +| *`allowedGrantTypes`* __GrantType array__ | allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this client. + Must only contain the following values: - authorization_code: allows the client to perform the authorization code grant flow, i.e. 
allows the webapp to authenticate users. This grant must always be listed. - refresh_token: allows the client to perform refresh grants for the user to extend the user's session. This grant must be listed if allowedScopes lists offline_access. - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. This grant must be listed if allowedScopes lists pinniped:request-audience. +| *`allowedScopes`* __Scope array__ | allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. + Must only contain the following values: - openid: The client is allowed to request ID tokens. ID tokens only include the required claims by default (iss, sub, aud, exp, iat). This scope must always be listed. - offline_access: The client is allowed to request an initial refresh token during the authorization code grant flow. This scope must be listed if allowedGrantTypes lists refresh_token. - pinniped:request-audience: The client is allowed to request a new audience value during a RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. openid, username and groups scopes must be listed when this scope is present. This scope must be listed if allowedGrantTypes lists urn:ietf:params:oauth:grant-type:token-exchange. - username: The client is allowed to request that ID tokens contain the user's username. Without the username scope being requested and allowed, the ID token will not contain the user's username. - groups: The client is allowed to request that ID tokens contain the user's group membership, if their group membership is discoverable by the Supervisor. Without the groups scope being requested and allowed, the ID token will not contain groups. 
+|=== + + + + [id="{anchor_prefix}-identity-concierge-pinniped-dev-identity"] === identity.concierge.pinniped.dev/identity 
@@ -1333,56 +1377,3 @@ TokenCredentialRequestStatus is the status of a TokenCredentialRequest, returned |=== - -[id="{anchor_prefix}-oauth-supervisor-pinniped-dev-v1alpha1"] -=== oauth.supervisor.pinniped.dev/v1alpha1 - -Package v1alpha1 is the v1alpha1 version of the Pinniped supervisor oauth API. - - - -[id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-oauth-v1alpha1-oidcclient"] -==== OIDCClient - -OIDCClient describes the configuration of an OIDC client. - -.Appears In: -**** -- xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-oauth-v1alpha1-oidcclientlist[$$OIDCClientList$$] -**** - -[cols="25a,75a", options="header"] -|=== -| Field | Description -| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`. - -| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-oauth-v1alpha1-oidcclientspec[$$OIDCClientSpec$$]__ | Spec of the OIDC client. -| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-oauth-v1alpha1-oidcclientstatus[$$OIDCClientStatus$$]__ | Status of the OIDC client. -|=== - - - - -[id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-oauth-v1alpha1-oidcclientspec"] -==== OIDCClientSpec - -OIDCClientSpec is a struct that describes an OIDC Client. - -.Appears In: -**** -- xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-oauth-v1alpha1-oidcclient[$$OIDCClient$$] -**** - -[cols="25a,75a", options="header"] -|=== -| Field | Description -| *`allowedRedirectURIs`* __string array__ | allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this client. Any other uris will be rejected. Must be https, unless it is a loopback. 
-| *`allowedGrantTypes`* __GrantType array__ | allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this client. - Must only contain the following values: - authorization_code: allows the client to perform the authorization code grant flow, i.e. allows the webapp to authenticate users. This grant must always be listed. - refresh_token: allows the client to perform refresh grants for the user to extend the user's session. This grant must be listed if allowedScopes lists offline_access. - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. This grant must be listed if allowedScopes lists pinniped:request-audience. -| *`allowedScopes`* __Scope array__ | allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. - Must only contain the following values: - openid: The client is allowed to request ID tokens. ID tokens only include the required claims by default (iss, sub, aud, exp, iat). This scope must always be listed. - offline_access: The client is allowed to request an initial refresh token during the authorization code grant flow. This scope must be listed if allowedGrantTypes lists refresh_token. - pinniped:request-audience: The client is allowed to request a new audience value during a RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. openid, username and groups scopes must be listed when this scope is present. This scope must be listed if allowedGrantTypes lists urn:ietf:params:oauth:grant-type:token-exchange. - username: The client is allowed to request that ID tokens contain the user's username. Without the username scope being requested and allowed, the ID token will not contain the user's username. 
- groups: The client is allowed to request that ID tokens contain the user's group membership, if their group membership is discoverable by the Supervisor. Without the groups scope being requested and allowed, the ID token will not contain groups. -|=== - - - - diff --git a/generated/1.19/apis/supervisor/config/v1alpha1/register.go b/generated/1.19/apis/supervisor/config/v1alpha1/register.go index 69045298..54c51699 100644 --- a/generated/1.19/apis/supervisor/config/v1alpha1/register.go +++ b/generated/1.19/apis/supervisor/config/v1alpha1/register.go @@ -32,6 +32,8 @@ func addKnownTypes(scheme *runtime.Scheme) error { scheme.AddKnownTypes(SchemeGroupVersion, &FederationDomain{}, &FederationDomainList{}, + &OIDCClient{}, + &OIDCClientList{}, ) metav1.AddToGroupVersion(scheme, SchemeGroupVersion) return nil diff --git a/generated/1.19/apis/supervisor/oauth/v1alpha1/types_oidcclient.go b/generated/1.19/apis/supervisor/config/v1alpha1/types_oidcclient.go similarity index 100% rename from generated/1.19/apis/supervisor/oauth/v1alpha1/types_oidcclient.go rename to generated/1.19/apis/supervisor/config/v1alpha1/types_oidcclient.go diff --git a/generated/1.19/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go b/generated/1.19/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go index 856b8988..a55d88e7 100644 --- a/generated/1.19/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go +++ b/generated/1.19/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go 
@@ -150,3 +150,111 @@ func (in *FederationDomainTLSSpec) DeepCopy() *FederationDomainTLSSpec { in.DeepCopyInto(out) return out } + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCClient) DeepCopyInto(out *OIDCClient) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + in.Spec.DeepCopyInto(&out.Spec) + out.Status = in.Status + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClient. +func (in *OIDCClient) DeepCopy() *OIDCClient { + if in == nil { + return nil + } + out := new(OIDCClient) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *OIDCClient) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCClientList) DeepCopyInto(out *OIDCClientList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]OIDCClient, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientList. +func (in *OIDCClientList) DeepCopy() *OIDCClientList { + if in == nil { + return nil + } + out := new(OIDCClientList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *OIDCClientList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. 
in must be non-nil. +func (in *OIDCClientSpec) DeepCopyInto(out *OIDCClientSpec) { + *out = *in + if in.AllowedRedirectURIs != nil { + in, out := &in.AllowedRedirectURIs, &out.AllowedRedirectURIs + *out = make([]string, len(*in)) + copy(*out, *in) + } + if in.AllowedGrantTypes != nil { + in, out := &in.AllowedGrantTypes, &out.AllowedGrantTypes + *out = make([]GrantType, len(*in)) + copy(*out, *in) + } + if in.AllowedScopes != nil { + in, out := &in.AllowedScopes, &out.AllowedScopes + *out = make([]Scope, len(*in)) + copy(*out, *in) + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSpec. +func (in *OIDCClientSpec) DeepCopy() *OIDCClientSpec { + if in == nil { + return nil + } + out := new(OIDCClientSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCClientStatus) DeepCopyInto(out *OIDCClientStatus) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientStatus. +func (in *OIDCClientStatus) DeepCopy() *OIDCClientStatus { + if in == nil { + return nil + } + out := new(OIDCClientStatus) + in.DeepCopyInto(out) + return out +} diff --git a/generated/1.19/apis/supervisor/oauth/v1alpha1/doc.go b/generated/1.19/apis/supervisor/oauth/v1alpha1/doc.go deleted file mode 100644 index 75580481..00000000 --- a/generated/1.19/apis/supervisor/oauth/v1alpha1/doc.go +++ /dev/null @@ -1,10 +0,0 @@ -// Copyright 2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// +k8s:openapi-gen=true -// +k8s:deepcopy-gen=package -// +k8s:defaulter-gen=TypeMeta -// +groupName=oauth.supervisor.pinniped.dev - -// Package v1alpha1 is the v1alpha1 version of the Pinniped supervisor oauth API. -package v1alpha1 
diff --git a/generated/1.19/apis/supervisor/oauth/v1alpha1/register.go b/generated/1.19/apis/supervisor/oauth/v1alpha1/register.go deleted file mode 100644 index 37ae1fbf..00000000 --- a/generated/1.19/apis/supervisor/oauth/v1alpha1/register.go +++ /dev/null @@ -1,43 +0,0 @@ -// Copyright 2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -package v1alpha1 - -import ( - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - "k8s.io/apimachinery/pkg/runtime" - "k8s.io/apimachinery/pkg/runtime/schema" -) - -const GroupName = "oauth.supervisor.pinniped.dev" - -// SchemeGroupVersion is group version used to register these objects. -var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha1"} - -var ( - SchemeBuilder runtime.SchemeBuilder - localSchemeBuilder = &SchemeBuilder - AddToScheme = localSchemeBuilder.AddToScheme -) - -func init() { - // We only register manually written functions here. The registration of the - // generated functions takes place in the generated files. The separation - // makes the code compile even when the generated files are missing. - localSchemeBuilder.Register(addKnownTypes) -} - -// Adds the list of known types to the given scheme. -func addKnownTypes(scheme *runtime.Scheme) error { - scheme.AddKnownTypes(SchemeGroupVersion, - &OIDCClient{}, - &OIDCClientList{}, - ) - metav1.AddToGroupVersion(scheme, SchemeGroupVersion) - return nil -} - -// Resource takes an unqualified resource and returns a Group qualified GroupResource. -func Resource(resource string) schema.GroupResource { - return SchemeGroupVersion.WithResource(resource).GroupResource() -} diff --git a/generated/1.19/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go b/generated/1.19/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go deleted file mode 100644 index 1aba8aea..00000000 --- a/generated/1.19/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go +++ /dev/null 
@@ -1,121 +0,0 @@ -//go:build !ignore_autogenerated -// +build !ignore_autogenerated - -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by deepcopy-gen. DO NOT EDIT. - -package v1alpha1 - -import ( - runtime "k8s.io/apimachinery/pkg/runtime" -) - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *OIDCClient) DeepCopyInto(out *OIDCClient) { - *out = *in - out.TypeMeta = in.TypeMeta - in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) - in.Spec.DeepCopyInto(&out.Spec) - out.Status = in.Status - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClient. -func (in *OIDCClient) DeepCopy() *OIDCClient { - if in == nil { - return nil - } - out := new(OIDCClient) - in.DeepCopyInto(out) - return out -} - -// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. -func (in *OIDCClient) DeepCopyObject() runtime.Object { - if c := in.DeepCopy(); c != nil { - return c - } - return nil -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *OIDCClientList) DeepCopyInto(out *OIDCClientList) { - *out = *in - out.TypeMeta = in.TypeMeta - in.ListMeta.DeepCopyInto(&out.ListMeta) - if in.Items != nil { - in, out := &in.Items, &out.Items - *out = make([]OIDCClient, len(*in)) - for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) - } - } - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientList. -func (in *OIDCClientList) DeepCopy() *OIDCClientList { - if in == nil { - return nil - } - out := new(OIDCClientList) - in.DeepCopyInto(out) - return out -} - -// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. 
-func (in *OIDCClientList) DeepCopyObject() runtime.Object { - if c := in.DeepCopy(); c != nil { - return c - } - return nil -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *OIDCClientSpec) DeepCopyInto(out *OIDCClientSpec) { - *out = *in - if in.AllowedRedirectURIs != nil { - in, out := &in.AllowedRedirectURIs, &out.AllowedRedirectURIs - *out = make([]string, len(*in)) - copy(*out, *in) - } - if in.AllowedGrantTypes != nil { - in, out := &in.AllowedGrantTypes, &out.AllowedGrantTypes - *out = make([]GrantType, len(*in)) - copy(*out, *in) - } - if in.AllowedScopes != nil { - in, out := &in.AllowedScopes, &out.AllowedScopes - *out = make([]Scope, len(*in)) - copy(*out, *in) - } - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSpec. -func (in *OIDCClientSpec) DeepCopy() *OIDCClientSpec { - if in == nil { - return nil - } - out := new(OIDCClientSpec) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *OIDCClientStatus) DeepCopyInto(out *OIDCClientStatus) { - *out = *in - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientStatus. -func (in *OIDCClientStatus) DeepCopy() *OIDCClientStatus { - if in == nil { - return nil - } - out := new(OIDCClientStatus) - in.DeepCopyInto(out) - return out -} diff --git a/generated/1.19/client/supervisor/clientset/versioned/clientset.go b/generated/1.19/client/supervisor/clientset/versioned/clientset.go index 09f209c0..a5d5b43c 100644 --- a/generated/1.19/client/supervisor/clientset/versioned/clientset.go +++ b/generated/1.19/client/supervisor/clientset/versioned/clientset.go 
@@ -10,7 +10,6 @@ import ( configv1alpha1 "go.pinniped.dev/generated/1.19/client/supervisor/clientset/versioned/typed/config/v1alpha1" idpv1alpha1 "go.pinniped.dev/generated/1.19/client/supervisor/clientset/versioned/typed/idp/v1alpha1" - oauthv1alpha1 "go.pinniped.dev/generated/1.19/client/supervisor/clientset/versioned/typed/oauth/v1alpha1" discovery "k8s.io/client-go/discovery" rest "k8s.io/client-go/rest" flowcontrol "k8s.io/client-go/util/flowcontrol" @@ -20,7 +19,6 @@ type Interface interface { Discovery() discovery.DiscoveryInterface ConfigV1alpha1() configv1alpha1.ConfigV1alpha1Interface IDPV1alpha1() idpv1alpha1.IDPV1alpha1Interface - OauthV1alpha1() oauthv1alpha1.OauthV1alpha1Interface } // Clientset contains the clients for groups. Each group has exactly one @@ -29,7 +27,6 @@ type Clientset struct { *discovery.DiscoveryClient configV1alpha1 *configv1alpha1.ConfigV1alpha1Client iDPV1alpha1 *idpv1alpha1.IDPV1alpha1Client - oauthV1alpha1 *oauthv1alpha1.OauthV1alpha1Client } // ConfigV1alpha1 retrieves the ConfigV1alpha1Client @@ -42,11 +39,6 @@ func (c *Clientset) IDPV1alpha1() idpv1alpha1.IDPV1alpha1Interface { return c.iDPV1alpha1 } -// OauthV1alpha1 retrieves the OauthV1alpha1Client -func (c *Clientset) OauthV1alpha1() oauthv1alpha1.OauthV1alpha1Interface { - return c.oauthV1alpha1 -} - // Discovery retrieves the DiscoveryClient func (c *Clientset) Discovery() discovery.DiscoveryInterface { if c == nil { @@ -76,10 +68,6 @@ func NewForConfig(c *rest.Config) (*Clientset, error) { if err != nil { return nil, err } - cs.oauthV1alpha1, err = oauthv1alpha1.NewForConfig(&configShallowCopy) - if err != nil { - return nil, err - } cs.DiscoveryClient, err = discovery.NewDiscoveryClientForConfig(&configShallowCopy) if err != nil { 
@@ -94,7 +82,6 @@ func NewForConfigOrDie(c *rest.Config) *Clientset { var cs Clientset cs.configV1alpha1 = configv1alpha1.NewForConfigOrDie(c) cs.iDPV1alpha1 = idpv1alpha1.NewForConfigOrDie(c) - cs.oauthV1alpha1 = oauthv1alpha1.NewForConfigOrDie(c) cs.DiscoveryClient = discovery.NewDiscoveryClientForConfigOrDie(c) return &cs @@ -105,7 +92,6 @@ func New(c rest.Interface) *Clientset { var cs Clientset cs.configV1alpha1 = configv1alpha1.New(c) cs.iDPV1alpha1 = idpv1alpha1.New(c) - cs.oauthV1alpha1 = oauthv1alpha1.New(c) cs.DiscoveryClient = discovery.NewDiscoveryClient(c) return &cs diff --git a/generated/1.19/client/supervisor/clientset/versioned/fake/clientset_generated.go b/generated/1.19/client/supervisor/clientset/versioned/fake/clientset_generated.go index cc7334de..6fbd1410 100644 --- a/generated/1.19/client/supervisor/clientset/versioned/fake/clientset_generated.go +++ b/generated/1.19/client/supervisor/clientset/versioned/fake/clientset_generated.go @@ -11,8 +11,6 @@ import ( fakeconfigv1alpha1 "go.pinniped.dev/generated/1.19/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake" idpv1alpha1 "go.pinniped.dev/generated/1.19/client/supervisor/clientset/versioned/typed/idp/v1alpha1" fakeidpv1alpha1 "go.pinniped.dev/generated/1.19/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake" - oauthv1alpha1 "go.pinniped.dev/generated/1.19/client/supervisor/clientset/versioned/typed/oauth/v1alpha1" - fakeoauthv1alpha1 "go.pinniped.dev/generated/1.19/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake" "k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/watch" "k8s.io/client-go/discovery" 
@@ -76,8 +74,3 @@ func (c *Clientset) ConfigV1alpha1() configv1alpha1.ConfigV1alpha1Interface { func (c *Clientset) IDPV1alpha1() idpv1alpha1.IDPV1alpha1Interface { return &fakeidpv1alpha1.FakeIDPV1alpha1{Fake: &c.Fake} } - -// OauthV1alpha1 retrieves the OauthV1alpha1Client -func (c *Clientset) OauthV1alpha1() oauthv1alpha1.OauthV1alpha1Interface { - return &fakeoauthv1alpha1.FakeOauthV1alpha1{Fake: &c.Fake} -} diff --git a/generated/1.19/client/supervisor/clientset/versioned/fake/register.go b/generated/1.19/client/supervisor/clientset/versioned/fake/register.go index 31bd0f0b..93a34271 100644 --- a/generated/1.19/client/supervisor/clientset/versioned/fake/register.go +++ b/generated/1.19/client/supervisor/clientset/versioned/fake/register.go @@ -8,7 +8,6 @@ package fake import ( configv1alpha1 "go.pinniped.dev/generated/1.19/apis/supervisor/config/v1alpha1" idpv1alpha1 "go.pinniped.dev/generated/1.19/apis/supervisor/idp/v1alpha1" - oauthv1alpha1 "go.pinniped.dev/generated/1.19/apis/supervisor/oauth/v1alpha1" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" runtime "k8s.io/apimachinery/pkg/runtime" schema "k8s.io/apimachinery/pkg/runtime/schema" @@ -22,7 +21,6 @@ var codecs = serializer.NewCodecFactory(scheme) var localSchemeBuilder = runtime.SchemeBuilder{ configv1alpha1.AddToScheme, idpv1alpha1.AddToScheme, - oauthv1alpha1.AddToScheme, } // AddToScheme adds all types of this clientset into the given scheme. This allows composition diff --git a/generated/1.19/client/supervisor/clientset/versioned/scheme/register.go b/generated/1.19/client/supervisor/clientset/versioned/scheme/register.go index bd2ef62e..0f2ac77b 100644 --- a/generated/1.19/client/supervisor/clientset/versioned/scheme/register.go +++ b/generated/1.19/client/supervisor/clientset/versioned/scheme/register.go 
@@ -8,7 +8,6 @@ package scheme import ( configv1alpha1 "go.pinniped.dev/generated/1.19/apis/supervisor/config/v1alpha1" idpv1alpha1 "go.pinniped.dev/generated/1.19/apis/supervisor/idp/v1alpha1" - oauthv1alpha1 "go.pinniped.dev/generated/1.19/apis/supervisor/oauth/v1alpha1" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" runtime "k8s.io/apimachinery/pkg/runtime" schema "k8s.io/apimachinery/pkg/runtime/schema" @@ -22,7 +21,6 @@ var ParameterCodec = runtime.NewParameterCodec(Scheme) var localSchemeBuilder = runtime.SchemeBuilder{ configv1alpha1.AddToScheme, idpv1alpha1.AddToScheme, - oauthv1alpha1.AddToScheme, } // AddToScheme adds all types of this clientset into the given scheme. This allows composition diff --git a/generated/1.19/client/supervisor/clientset/versioned/typed/config/v1alpha1/config_client.go b/generated/1.19/client/supervisor/clientset/versioned/typed/config/v1alpha1/config_client.go index ecfa976c..b34ed0d7 100644 --- a/generated/1.19/client/supervisor/clientset/versioned/typed/config/v1alpha1/config_client.go +++ b/generated/1.19/client/supervisor/clientset/versioned/typed/config/v1alpha1/config_client.go @@ -14,6 +14,7 @@ import ( type ConfigV1alpha1Interface interface { RESTClient() rest.Interface FederationDomainsGetter + OIDCClientsGetter } // ConfigV1alpha1Client is used to interact with features provided by the config.supervisor.pinniped.dev group. @@ -25,6 +26,10 @@ func (c *ConfigV1alpha1Client) FederationDomains(namespace string) FederationDom return newFederationDomains(c, namespace) } +func (c *ConfigV1alpha1Client) OIDCClients(namespace string) OIDCClientInterface { + return newOIDCClients(c, namespace) +} + // NewForConfig creates a new ConfigV1alpha1Client for the given config. func NewForConfig(c *rest.Config) (*ConfigV1alpha1Client, error) { config := *c 
diff --git a/generated/1.19/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake/fake_config_client.go b/generated/1.19/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake/fake_config_client.go index c725f508..eb035c6e 100644 --- a/generated/1.19/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake/fake_config_client.go +++ b/generated/1.19/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake/fake_config_client.go @@ -19,6 +19,10 @@ func (c *FakeConfigV1alpha1) FederationDomains(namespace string) v1alpha1.Federa return &FakeFederationDomains{c, namespace} } +func (c *FakeConfigV1alpha1) OIDCClients(namespace string) v1alpha1.OIDCClientInterface { + return &FakeOIDCClients{c, namespace} +} + // RESTClient returns a RESTClient that is used to communicate // with API server by this client implementation. func (c *FakeConfigV1alpha1) RESTClient() rest.Interface { diff --git a/generated/1.21/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oidcclient.go b/generated/1.19/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake/fake_oidcclient.go similarity index 92% rename from generated/1.21/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oidcclient.go rename to generated/1.19/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake/fake_oidcclient.go index cdd06d71..ce4d4348 100644 --- a/generated/1.21/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oidcclient.go +++ b/generated/1.19/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake/fake_oidcclient.go @@ -8,7 +8,7 @@ package fake import ( "context" - v1alpha1 "go.pinniped.dev/generated/1.21/apis/supervisor/oauth/v1alpha1" + v1alpha1 "go.pinniped.dev/generated/1.19/apis/supervisor/config/v1alpha1" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" labels "k8s.io/apimachinery/pkg/labels" schema "k8s.io/apimachinery/pkg/runtime/schema" 
@@ -19,13 +19,13 @@ import ( // FakeOIDCClients implements OIDCClientInterface type FakeOIDCClients struct { - Fake *FakeOauthV1alpha1 + Fake *FakeConfigV1alpha1 ns string } -var oidcclientsResource = schema.GroupVersionResource{Group: "oauth.supervisor.pinniped.dev", Version: "v1alpha1", Resource: "oidcclients"} +var oidcclientsResource = schema.GroupVersionResource{Group: "config.supervisor.pinniped.dev", Version: "v1alpha1", Resource: "oidcclients"} -var oidcclientsKind = schema.GroupVersionKind{Group: "oauth.supervisor.pinniped.dev", Version: "v1alpha1", Kind: "OIDCClient"} +var oidcclientsKind = schema.GroupVersionKind{Group: "config.supervisor.pinniped.dev", Version: "v1alpha1", Kind: "OIDCClient"} // Get takes name of the oIDCClient, and returns the corresponding oIDCClient object, and an error if there is any. func (c *FakeOIDCClients) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.OIDCClient, err error) { diff --git a/generated/1.19/client/supervisor/clientset/versioned/typed/config/v1alpha1/generated_expansion.go b/generated/1.19/client/supervisor/clientset/versioned/typed/config/v1alpha1/generated_expansion.go index ba9c9173..35b9ee3d 100644 --- a/generated/1.19/client/supervisor/clientset/versioned/typed/config/v1alpha1/generated_expansion.go +++ b/generated/1.19/client/supervisor/clientset/versioned/typed/config/v1alpha1/generated_expansion.go @@ -6,3 +6,5 @@ package v1alpha1 type FederationDomainExpansion interface{} + +type OIDCClientExpansion interface{} diff --git a/generated/1.19/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oidcclient.go b/generated/1.19/client/supervisor/clientset/versioned/typed/config/v1alpha1/oidcclient.go similarity index 97% rename from generated/1.19/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oidcclient.go rename to generated/1.19/client/supervisor/clientset/versioned/typed/config/v1alpha1/oidcclient.go index 93cd5805..eff0aae4 100644 
--- a/generated/1.19/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oidcclient.go +++ b/generated/1.19/client/supervisor/clientset/versioned/typed/config/v1alpha1/oidcclient.go @@ -9,7 +9,7 @@ import ( "context" "time" - v1alpha1 "go.pinniped.dev/generated/1.19/apis/supervisor/oauth/v1alpha1" + v1alpha1 "go.pinniped.dev/generated/1.19/apis/supervisor/config/v1alpha1" scheme "go.pinniped.dev/generated/1.19/client/supervisor/clientset/versioned/scheme" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" types "k8s.io/apimachinery/pkg/types" @@ -44,7 +44,7 @@ type oIDCClients struct { } // newOIDCClients returns a OIDCClients -func newOIDCClients(c *OauthV1alpha1Client, namespace string) *oIDCClients { +func newOIDCClients(c *ConfigV1alpha1Client, namespace string) *oIDCClients { return &oIDCClients{ client: c.RESTClient(), ns: namespace, diff --git a/generated/1.19/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/doc.go b/generated/1.19/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/doc.go deleted file mode 100644 index e7a470b6..00000000 --- a/generated/1.19/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/doc.go +++ /dev/null @@ -1,7 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by client-gen. DO NOT EDIT. - -// This package has the automatically generated typed clients. -package v1alpha1 diff --git a/generated/1.19/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go b/generated/1.19/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go deleted file mode 100644 index 7906901b..00000000 --- a/generated/1.19/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go +++ /dev/null 
@@ -1,7 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by client-gen. DO NOT EDIT. - -// Package fake has the automatically generated clients. -package fake diff --git a/generated/1.19/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go b/generated/1.19/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go deleted file mode 100644 index 9430b71b..00000000 --- a/generated/1.19/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go +++ /dev/null @@ -1,27 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by client-gen. DO NOT EDIT. - -package fake - -import ( - v1alpha1 "go.pinniped.dev/generated/1.19/client/supervisor/clientset/versioned/typed/oauth/v1alpha1" - rest "k8s.io/client-go/rest" - testing "k8s.io/client-go/testing" -) - -type FakeOauthV1alpha1 struct { - *testing.Fake -} - -func (c *FakeOauthV1alpha1) OIDCClients(namespace string) v1alpha1.OIDCClientInterface { - return &FakeOIDCClients{c, namespace} -} - -// RESTClient returns a RESTClient that is used to communicate -// with API server by this client implementation. -func (c *FakeOauthV1alpha1) RESTClient() rest.Interface { - var ret *rest.RESTClient - return ret -} diff --git a/generated/1.19/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go b/generated/1.19/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go deleted file mode 100644 index 87d22ea9..00000000 --- a/generated/1.19/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go +++ /dev/null 
@@ -1,8 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by client-gen. DO NOT EDIT. - -package v1alpha1 - -type OIDCClientExpansion interface{} diff --git a/generated/1.19/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go b/generated/1.19/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go deleted file mode 100644 index 0e347f19..00000000 --- a/generated/1.19/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go +++ /dev/null 
@@ -1,76 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by client-gen. DO NOT EDIT. - -package v1alpha1 - -import ( - v1alpha1 "go.pinniped.dev/generated/1.19/apis/supervisor/oauth/v1alpha1" - "go.pinniped.dev/generated/1.19/client/supervisor/clientset/versioned/scheme" - rest "k8s.io/client-go/rest" -) - -type OauthV1alpha1Interface interface { - RESTClient() rest.Interface - OIDCClientsGetter -} - -// OauthV1alpha1Client is used to interact with features provided by the oauth.supervisor.pinniped.dev group. -type OauthV1alpha1Client struct { - restClient rest.Interface -} - -func (c *OauthV1alpha1Client) OIDCClients(namespace string) OIDCClientInterface { - return newOIDCClients(c, namespace) -} - -// NewForConfig creates a new OauthV1alpha1Client for the given config. -func NewForConfig(c *rest.Config) (*OauthV1alpha1Client, error) { - config := *c - if err := setConfigDefaults(&config); err != nil { - return nil, err - } - client, err := rest.RESTClientFor(&config) - if err != nil { - return nil, err - } - return &OauthV1alpha1Client{client}, nil -} - -// NewForConfigOrDie creates a new OauthV1alpha1Client for the given config and -// panics if there is an error in the config. -func NewForConfigOrDie(c *rest.Config) *OauthV1alpha1Client { - client, err := NewForConfig(c) - if err != nil { - panic(err) - } - return client -} - -// New creates a new OauthV1alpha1Client for the given RESTClient. 
-func New(c rest.Interface) *OauthV1alpha1Client { - return &OauthV1alpha1Client{c} -} - -func setConfigDefaults(config *rest.Config) error { - gv := v1alpha1.SchemeGroupVersion - config.GroupVersion = &gv - config.APIPath = "/apis" - config.NegotiatedSerializer = scheme.Codecs.WithoutConversion() - - if config.UserAgent == "" { - config.UserAgent = rest.DefaultKubernetesUserAgent() - } - - return nil -} - -// RESTClient returns a RESTClient that is used to communicate -// with API server by this client implementation. -func (c *OauthV1alpha1Client) RESTClient() rest.Interface { - if c == nil { - return nil - } - return c.restClient -} diff --git a/generated/1.19/client/supervisor/informers/externalversions/config/v1alpha1/interface.go b/generated/1.19/client/supervisor/informers/externalversions/config/v1alpha1/interface.go index 33b72e12..76ca860c 100644 --- a/generated/1.19/client/supervisor/informers/externalversions/config/v1alpha1/interface.go +++ b/generated/1.19/client/supervisor/informers/externalversions/config/v1alpha1/interface.go @@ -13,6 +13,8 @@ import ( type Interface interface { // FederationDomains returns a FederationDomainInformer. FederationDomains() FederationDomainInformer + // OIDCClients returns a OIDCClientInformer. + OIDCClients() OIDCClientInformer } type version struct { @@ -30,3 +32,8 @@ func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakList func (v *version) FederationDomains() FederationDomainInformer { return &federationDomainInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions} } + +// OIDCClients returns a OIDCClientInformer. +func (v *version) OIDCClients() OIDCClientInformer { + return &oIDCClientInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions} +} 
diff --git a/generated/1.19/client/supervisor/informers/externalversions/oauth/v1alpha1/oidcclient.go b/generated/1.19/client/supervisor/informers/externalversions/config/v1alpha1/oidcclient.go similarity index 88% rename from generated/1.19/client/supervisor/informers/externalversions/oauth/v1alpha1/oidcclient.go rename to generated/1.19/client/supervisor/informers/externalversions/config/v1alpha1/oidcclient.go index 749b0977..f1e4d5b9 100644 --- a/generated/1.19/client/supervisor/informers/externalversions/oauth/v1alpha1/oidcclient.go +++ b/generated/1.19/client/supervisor/informers/externalversions/config/v1alpha1/oidcclient.go @@ -9,10 +9,10 @@ import ( "context" time "time" - oauthv1alpha1 "go.pinniped.dev/generated/1.19/apis/supervisor/oauth/v1alpha1" + configv1alpha1 "go.pinniped.dev/generated/1.19/apis/supervisor/config/v1alpha1" versioned "go.pinniped.dev/generated/1.19/client/supervisor/clientset/versioned" internalinterfaces "go.pinniped.dev/generated/1.19/client/supervisor/informers/externalversions/internalinterfaces" - v1alpha1 "go.pinniped.dev/generated/1.19/client/supervisor/listers/oauth/v1alpha1" + v1alpha1 "go.pinniped.dev/generated/1.19/client/supervisor/listers/config/v1alpha1" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" runtime "k8s.io/apimachinery/pkg/runtime" watch "k8s.io/apimachinery/pkg/watch" 
@@ -49,16 +49,16 @@ func NewFilteredOIDCClientInformer(client versioned.Interface, namespace string, if tweakListOptions != nil { tweakListOptions(&options) } - return client.OauthV1alpha1().OIDCClients(namespace).List(context.TODO(), options) + return client.ConfigV1alpha1().OIDCClients(namespace).List(context.TODO(), options) }, WatchFunc: func(options v1.ListOptions) (watch.Interface, error) { if tweakListOptions != nil { tweakListOptions(&options) } - return client.OauthV1alpha1().OIDCClients(namespace).Watch(context.TODO(), options) + return client.ConfigV1alpha1().OIDCClients(namespace).Watch(context.TODO(), options) }, }, - &oauthv1alpha1.OIDCClient{}, + &configv1alpha1.OIDCClient{}, resyncPeriod, indexers, ) @@ -69,7 +69,7 @@ func (f *oIDCClientInformer) defaultInformer(client versioned.Interface, resyncP } func (f *oIDCClientInformer) Informer() cache.SharedIndexInformer { - return f.factory.InformerFor(&oauthv1alpha1.OIDCClient{}, f.defaultInformer) + return f.factory.InformerFor(&configv1alpha1.OIDCClient{}, f.defaultInformer) } func (f *oIDCClientInformer) Lister() v1alpha1.OIDCClientLister { diff --git a/generated/1.19/client/supervisor/informers/externalversions/factory.go b/generated/1.19/client/supervisor/informers/externalversions/factory.go index 90fff5ef..0ad18aae 100644 --- a/generated/1.19/client/supervisor/informers/externalversions/factory.go +++ b/generated/1.19/client/supervisor/informers/externalversions/factory.go 
@@ -14,7 +14,6 @@ import ( config "go.pinniped.dev/generated/1.19/client/supervisor/informers/externalversions/config" idp "go.pinniped.dev/generated/1.19/client/supervisor/informers/externalversions/idp" internalinterfaces "go.pinniped.dev/generated/1.19/client/supervisor/informers/externalversions/internalinterfaces" - oauth "go.pinniped.dev/generated/1.19/client/supervisor/informers/externalversions/oauth" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" runtime "k8s.io/apimachinery/pkg/runtime" schema "k8s.io/apimachinery/pkg/runtime/schema" @@ -163,7 +162,6 @@ type SharedInformerFactory interface { Config() config.Interface IDP() idp.Interface - Oauth() oauth.Interface } func (f *sharedInformerFactory) Config() config.Interface { @@ -173,7 +171,3 @@ func (f *sharedInformerFactory) Config() config.Interface { func (f *sharedInformerFactory) IDP() idp.Interface { return idp.New(f, f.namespace, f.tweakListOptions) } - -func (f *sharedInformerFactory) Oauth() oauth.Interface { - return oauth.New(f, f.namespace, f.tweakListOptions) -} diff --git a/generated/1.19/client/supervisor/informers/externalversions/generic.go b/generated/1.19/client/supervisor/informers/externalversions/generic.go index ffc852ca..6b246a62 100644 --- a/generated/1.19/client/supervisor/informers/externalversions/generic.go +++ b/generated/1.19/client/supervisor/informers/externalversions/generic.go @@ -10,7 +10,6 @@ import ( v1alpha1 "go.pinniped.dev/generated/1.19/apis/supervisor/config/v1alpha1" idpv1alpha1 "go.pinniped.dev/generated/1.19/apis/supervisor/idp/v1alpha1" - oauthv1alpha1 "go.pinniped.dev/generated/1.19/apis/supervisor/oauth/v1alpha1" schema "k8s.io/apimachinery/pkg/runtime/schema" cache "k8s.io/client-go/tools/cache" ) 
@@ -44,6 +43,8 @@ func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource // Group=config.supervisor.pinniped.dev, Version=v1alpha1 case v1alpha1.SchemeGroupVersion.WithResource("federationdomains"): return &genericInformer{resource: resource.GroupResource(), informer: f.Config().V1alpha1().FederationDomains().Informer()}, nil + case v1alpha1.SchemeGroupVersion.WithResource("oidcclients"): + return &genericInformer{resource: resource.GroupResource(), informer: f.Config().V1alpha1().OIDCClients().Informer()}, nil // Group=idp.supervisor.pinniped.dev, Version=v1alpha1 case idpv1alpha1.SchemeGroupVersion.WithResource("activedirectoryidentityproviders"): @@ -53,10 +54,6 @@ func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource case idpv1alpha1.SchemeGroupVersion.WithResource("oidcidentityproviders"): return &genericInformer{resource: resource.GroupResource(), informer: f.IDP().V1alpha1().OIDCIdentityProviders().Informer()}, nil - // Group=oauth.supervisor.pinniped.dev, Version=v1alpha1 - case oauthv1alpha1.SchemeGroupVersion.WithResource("oidcclients"): - return &genericInformer{resource: resource.GroupResource(), informer: f.Oauth().V1alpha1().OIDCClients().Informer()}, nil - } return nil, fmt.Errorf("no informer found for %v", resource) diff --git a/generated/1.19/client/supervisor/informers/externalversions/oauth/interface.go b/generated/1.19/client/supervisor/informers/externalversions/oauth/interface.go deleted file mode 100644 index 2b6d2943..00000000 --- a/generated/1.19/client/supervisor/informers/externalversions/oauth/interface.go +++ /dev/null 
@@ -1,33 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by informer-gen. DO NOT EDIT. - -package oauth - -import ( - internalinterfaces "go.pinniped.dev/generated/1.19/client/supervisor/informers/externalversions/internalinterfaces" - v1alpha1 "go.pinniped.dev/generated/1.19/client/supervisor/informers/externalversions/oauth/v1alpha1" -) - -// Interface provides access to each of this group's versions. -type Interface interface { - // V1alpha1 provides access to shared informers for resources in V1alpha1. - V1alpha1() v1alpha1.Interface -} - -type group struct { - factory internalinterfaces.SharedInformerFactory - namespace string - tweakListOptions internalinterfaces.TweakListOptionsFunc -} - -// New returns a new Interface. -func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakListOptions internalinterfaces.TweakListOptionsFunc) Interface { - return &group{factory: f, namespace: namespace, tweakListOptions: tweakListOptions} -} - -// V1alpha1 returns a new v1alpha1.Interface. -func (g *group) V1alpha1() v1alpha1.Interface { - return v1alpha1.New(g.factory, g.namespace, g.tweakListOptions) -} diff --git a/generated/1.19/client/supervisor/informers/externalversions/oauth/v1alpha1/interface.go b/generated/1.19/client/supervisor/informers/externalversions/oauth/v1alpha1/interface.go deleted file mode 100644 index 3db762a4..00000000 --- a/generated/1.19/client/supervisor/informers/externalversions/oauth/v1alpha1/interface.go +++ /dev/null 
@@ -1,32 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by informer-gen. DO NOT EDIT. - -package v1alpha1 - -import ( - internalinterfaces "go.pinniped.dev/generated/1.19/client/supervisor/informers/externalversions/internalinterfaces" -) - -// Interface provides access to all the informers in this group version. -type Interface interface { - // OIDCClients returns a OIDCClientInformer. - OIDCClients() OIDCClientInformer -} - -type version struct { - factory internalinterfaces.SharedInformerFactory - namespace string - tweakListOptions internalinterfaces.TweakListOptionsFunc -} - -// New returns a new Interface. -func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakListOptions internalinterfaces.TweakListOptionsFunc) Interface { - return &version{factory: f, namespace: namespace, tweakListOptions: tweakListOptions} -} - -// OIDCClients returns a OIDCClientInformer. -func (v *version) OIDCClients() OIDCClientInformer { - return &oIDCClientInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions} -} diff --git a/generated/1.19/client/supervisor/listers/config/v1alpha1/expansion_generated.go b/generated/1.19/client/supervisor/listers/config/v1alpha1/expansion_generated.go index d59892c4..bda2f20e 100644 --- a/generated/1.19/client/supervisor/listers/config/v1alpha1/expansion_generated.go +++ b/generated/1.19/client/supervisor/listers/config/v1alpha1/expansion_generated.go 
@@ -12,3 +12,11 @@ type FederationDomainListerExpansion interface{} // FederationDomainNamespaceListerExpansion allows custom methods to be added to // FederationDomainNamespaceLister. type FederationDomainNamespaceListerExpansion interface{} + +// OIDCClientListerExpansion allows custom methods to be added to +// OIDCClientLister. +type OIDCClientListerExpansion interface{} + +// OIDCClientNamespaceListerExpansion allows custom methods to be added to +// OIDCClientNamespaceLister. +type OIDCClientNamespaceListerExpansion interface{} diff --git a/generated/1.19/client/supervisor/listers/oauth/v1alpha1/oidcclient.go b/generated/1.19/client/supervisor/listers/config/v1alpha1/oidcclient.go similarity index 97% rename from generated/1.19/client/supervisor/listers/oauth/v1alpha1/oidcclient.go rename to generated/1.19/client/supervisor/listers/config/v1alpha1/oidcclient.go index 7040f4c9..db99f57c 100644 --- a/generated/1.19/client/supervisor/listers/oauth/v1alpha1/oidcclient.go +++ b/generated/1.19/client/supervisor/listers/config/v1alpha1/oidcclient.go @@ -6,7 +6,7 @@ package v1alpha1 import ( - v1alpha1 "go.pinniped.dev/generated/1.19/apis/supervisor/oauth/v1alpha1" + v1alpha1 "go.pinniped.dev/generated/1.19/apis/supervisor/config/v1alpha1" "k8s.io/apimachinery/pkg/api/errors" "k8s.io/apimachinery/pkg/labels" "k8s.io/client-go/tools/cache" diff --git a/generated/1.19/client/supervisor/listers/oauth/v1alpha1/expansion_generated.go b/generated/1.19/client/supervisor/listers/oauth/v1alpha1/expansion_generated.go deleted file mode 100644 index c19310da..00000000 --- a/generated/1.19/client/supervisor/listers/oauth/v1alpha1/expansion_generated.go +++ /dev/null 
@@ -1,14 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by lister-gen. DO NOT EDIT. - -package v1alpha1 - -// OIDCClientListerExpansion allows custom methods to be added to -// OIDCClientLister. -type OIDCClientListerExpansion interface{} - -// OIDCClientNamespaceListerExpansion allows custom methods to be added to -// OIDCClientNamespaceLister. -type OIDCClientNamespaceListerExpansion interface{} diff --git a/generated/1.19/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml b/generated/1.19/crds/config.supervisor.pinniped.dev_oidcclients.yaml similarity index 98% rename from generated/1.19/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml rename to generated/1.19/crds/config.supervisor.pinniped.dev_oidcclients.yaml index 589a9154..4efa445e 100644 --- a/generated/1.19/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml +++ b/generated/1.19/crds/config.supervisor.pinniped.dev_oidcclients.yaml @@ -5,9 +5,9 @@ metadata: annotations: controller-gen.kubebuilder.io/version: v0.8.0 creationTimestamp: null - name: oidcclients.oauth.supervisor.pinniped.dev + name: oidcclients.config.supervisor.pinniped.dev spec: - group: oauth.supervisor.pinniped.dev + group: config.supervisor.pinniped.dev names: categories: - pinniped diff --git a/generated/1.20/README.adoc b/generated/1.20/README.adoc index 1c559c9e..2e989cd3 100644 --- a/generated/1.20/README.adoc +++ b/generated/1.20/README.adoc 
@@ -12,7 +12,6 @@ - xref:{anchor_prefix}-identity-concierge-pinniped-dev-v1alpha1[$$identity.concierge.pinniped.dev/v1alpha1$$] - xref:{anchor_prefix}-idp-supervisor-pinniped-dev-v1alpha1[$$idp.supervisor.pinniped.dev/v1alpha1$$] - xref:{anchor_prefix}-login-concierge-pinniped-dev-v1alpha1[$$login.concierge.pinniped.dev/v1alpha1$$] -- xref:{anchor_prefix}-oauth-supervisor-pinniped-dev-v1alpha1[$$oauth.supervisor.pinniped.dev/v1alpha1$$] [id="{anchor_prefix}-authentication-concierge-pinniped-dev-v1alpha1"] 
@@ -544,6 +543,51 @@ FederationDomainTLSSpec is a struct that describes the TLS configuration for an |=== +[id="{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-supervisor-config-v1alpha1-oidcclient"] +==== OIDCClient + +OIDCClient describes the configuration of an OIDC client. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-supervisor-config-v1alpha1-oidcclientlist[$$OIDCClientList$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.2/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`. + +| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-supervisor-config-v1alpha1-oidcclientspec[$$OIDCClientSpec$$]__ | Spec of the OIDC client. +| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-supervisor-config-v1alpha1-oidcclientstatus[$$OIDCClientStatus$$]__ | Status of the OIDC client. +|=== + + + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-supervisor-config-v1alpha1-oidcclientspec"] +==== OIDCClientSpec + +OIDCClientSpec is a struct that describes an OIDC Client. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-supervisor-config-v1alpha1-oidcclient[$$OIDCClient$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`allowedRedirectURIs`* __string array__ | allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this client. Any other uris will be rejected. Must be https, unless it is a loopback. +| *`allowedGrantTypes`* __GrantType array__ | allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this client. + Must only contain the following values: - authorization_code: allows the client to perform the authorization code grant flow, i.e. 
allows the webapp to authenticate users. This grant must always be listed. - refresh_token: allows the client to perform refresh grants for the user to extend the user's session. This grant must be listed if allowedScopes lists offline_access. - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. This grant must be listed if allowedScopes lists pinniped:request-audience. +| *`allowedScopes`* __Scope array__ | allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. + Must only contain the following values: - openid: The client is allowed to request ID tokens. ID tokens only include the required claims by default (iss, sub, aud, exp, iat). This scope must always be listed. - offline_access: The client is allowed to request an initial refresh token during the authorization code grant flow. This scope must be listed if allowedGrantTypes lists refresh_token. - pinniped:request-audience: The client is allowed to request a new audience value during a RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. openid, username and groups scopes must be listed when this scope is present. This scope must be listed if allowedGrantTypes lists urn:ietf:params:oauth:grant-type:token-exchange. - username: The client is allowed to request that ID tokens contain the user's username. Without the username scope being requested and allowed, the ID token will not contain the user's username. - groups: The client is allowed to request that ID tokens contain the user's group membership, if their group membership is discoverable by the Supervisor. Without the groups scope being requested and allowed, the ID token will not contain groups. 
+|=== + + + + [id="{anchor_prefix}-identity-concierge-pinniped-dev-identity"] === identity.concierge.pinniped.dev/identity 
@@ -1333,56 +1377,3 @@ TokenCredentialRequestStatus is the status of a TokenCredentialRequest, returned |=== - -[id="{anchor_prefix}-oauth-supervisor-pinniped-dev-v1alpha1"] -=== oauth.supervisor.pinniped.dev/v1alpha1 - -Package v1alpha1 is the v1alpha1 version of the Pinniped supervisor oauth API. - - - -[id="{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-supervisor-oauth-v1alpha1-oidcclient"] -==== OIDCClient - -OIDCClient describes the configuration of an OIDC client. - -.Appears In: -**** -- xref:{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-supervisor-oauth-v1alpha1-oidcclientlist[$$OIDCClientList$$] -**** - -[cols="25a,75a", options="header"] -|=== -| Field | Description -| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.2/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`. - -| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-supervisor-oauth-v1alpha1-oidcclientspec[$$OIDCClientSpec$$]__ | Spec of the OIDC client. -| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-supervisor-oauth-v1alpha1-oidcclientstatus[$$OIDCClientStatus$$]__ | Status of the OIDC client. -|=== - - - - -[id="{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-supervisor-oauth-v1alpha1-oidcclientspec"] -==== OIDCClientSpec - -OIDCClientSpec is a struct that describes an OIDC Client. - -.Appears In: -**** -- xref:{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-supervisor-oauth-v1alpha1-oidcclient[$$OIDCClient$$] -**** - -[cols="25a,75a", options="header"] -|=== -| Field | Description -| *`allowedRedirectURIs`* __string array__ | allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this client. Any other uris will be rejected. Must be https, unless it is a loopback. 
-| *`allowedGrantTypes`* __GrantType array__ | allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this client. - Must only contain the following values: - authorization_code: allows the client to perform the authorization code grant flow, i.e. allows the webapp to authenticate users. This grant must always be listed. - refresh_token: allows the client to perform refresh grants for the user to extend the user's session. This grant must be listed if allowedScopes lists offline_access. - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. This grant must be listed if allowedScopes lists pinniped:request-audience. -| *`allowedScopes`* __Scope array__ | allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. - Must only contain the following values: - openid: The client is allowed to request ID tokens. ID tokens only include the required claims by default (iss, sub, aud, exp, iat). This scope must always be listed. - offline_access: The client is allowed to request an initial refresh token during the authorization code grant flow. This scope must be listed if allowedGrantTypes lists refresh_token. - pinniped:request-audience: The client is allowed to request a new audience value during a RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. openid, username and groups scopes must be listed when this scope is present. This scope must be listed if allowedGrantTypes lists urn:ietf:params:oauth:grant-type:token-exchange. - username: The client is allowed to request that ID tokens contain the user's username. Without the username scope being requested and allowed, the ID token will not contain the user's username. 
- groups: The client is allowed to request that ID tokens contain the user's group membership, if their group membership is discoverable by the Supervisor. Without the groups scope being requested and allowed, the ID token will not contain groups. -|=== - - - - diff --git a/generated/1.20/apis/supervisor/config/v1alpha1/register.go b/generated/1.20/apis/supervisor/config/v1alpha1/register.go index 69045298..54c51699 100644 --- a/generated/1.20/apis/supervisor/config/v1alpha1/register.go +++ b/generated/1.20/apis/supervisor/config/v1alpha1/register.go @@ -32,6 +32,8 @@ func addKnownTypes(scheme *runtime.Scheme) error { scheme.AddKnownTypes(SchemeGroupVersion, &FederationDomain{}, &FederationDomainList{}, + &OIDCClient{}, + &OIDCClientList{}, ) metav1.AddToGroupVersion(scheme, SchemeGroupVersion) return nil diff --git a/generated/1.20/apis/supervisor/oauth/v1alpha1/types_oidcclient.go b/generated/1.20/apis/supervisor/config/v1alpha1/types_oidcclient.go similarity index 100% rename from generated/1.20/apis/supervisor/oauth/v1alpha1/types_oidcclient.go rename to generated/1.20/apis/supervisor/config/v1alpha1/types_oidcclient.go diff --git a/generated/1.20/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go b/generated/1.20/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go index 856b8988..a55d88e7 100644 --- a/generated/1.20/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go +++ b/generated/1.20/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go 
@@ -150,3 +150,111 @@ func (in *FederationDomainTLSSpec) DeepCopy() *FederationDomainTLSSpec { in.DeepCopyInto(out) return out } + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCClient) DeepCopyInto(out *OIDCClient) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + in.Spec.DeepCopyInto(&out.Spec) + out.Status = in.Status + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClient. +func (in *OIDCClient) DeepCopy() *OIDCClient { + if in == nil { + return nil + } + out := new(OIDCClient) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *OIDCClient) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCClientList) DeepCopyInto(out *OIDCClientList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]OIDCClient, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientList. +func (in *OIDCClientList) DeepCopy() *OIDCClientList { + if in == nil { + return nil + } + out := new(OIDCClientList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *OIDCClientList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. 
in must be non-nil. +func (in *OIDCClientSpec) DeepCopyInto(out *OIDCClientSpec) { + *out = *in + if in.AllowedRedirectURIs != nil { + in, out := &in.AllowedRedirectURIs, &out.AllowedRedirectURIs + *out = make([]string, len(*in)) + copy(*out, *in) + } + if in.AllowedGrantTypes != nil { + in, out := &in.AllowedGrantTypes, &out.AllowedGrantTypes + *out = make([]GrantType, len(*in)) + copy(*out, *in) + } + if in.AllowedScopes != nil { + in, out := &in.AllowedScopes, &out.AllowedScopes + *out = make([]Scope, len(*in)) + copy(*out, *in) + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSpec. +func (in *OIDCClientSpec) DeepCopy() *OIDCClientSpec { + if in == nil { + return nil + } + out := new(OIDCClientSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCClientStatus) DeepCopyInto(out *OIDCClientStatus) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientStatus. +func (in *OIDCClientStatus) DeepCopy() *OIDCClientStatus { + if in == nil { + return nil + } + out := new(OIDCClientStatus) + in.DeepCopyInto(out) + return out +} diff --git a/generated/1.20/apis/supervisor/oauth/v1alpha1/doc.go b/generated/1.20/apis/supervisor/oauth/v1alpha1/doc.go deleted file mode 100644 index 75580481..00000000 --- a/generated/1.20/apis/supervisor/oauth/v1alpha1/doc.go +++ /dev/null @@ -1,10 +0,0 @@ -// Copyright 2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// +k8s:openapi-gen=true -// +k8s:deepcopy-gen=package -// +k8s:defaulter-gen=TypeMeta -// +groupName=oauth.supervisor.pinniped.dev - -// Package v1alpha1 is the v1alpha1 version of the Pinniped supervisor oauth API. -package v1alpha1 
diff --git a/generated/1.20/apis/supervisor/oauth/v1alpha1/register.go b/generated/1.20/apis/supervisor/oauth/v1alpha1/register.go deleted file mode 100644 index 37ae1fbf..00000000 --- a/generated/1.20/apis/supervisor/oauth/v1alpha1/register.go +++ /dev/null @@ -1,43 +0,0 @@ -// Copyright 2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -package v1alpha1 - -import ( - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - "k8s.io/apimachinery/pkg/runtime" - "k8s.io/apimachinery/pkg/runtime/schema" -) - -const GroupName = "oauth.supervisor.pinniped.dev" - -// SchemeGroupVersion is group version used to register these objects. -var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha1"} - -var ( - SchemeBuilder runtime.SchemeBuilder - localSchemeBuilder = &SchemeBuilder - AddToScheme = localSchemeBuilder.AddToScheme -) - -func init() { - // We only register manually written functions here. The registration of the - // generated functions takes place in the generated files. The separation - // makes the code compile even when the generated files are missing. - localSchemeBuilder.Register(addKnownTypes) -} - -// Adds the list of known types to the given scheme. -func addKnownTypes(scheme *runtime.Scheme) error { - scheme.AddKnownTypes(SchemeGroupVersion, - &OIDCClient{}, - &OIDCClientList{}, - ) - metav1.AddToGroupVersion(scheme, SchemeGroupVersion) - return nil -} - -// Resource takes an unqualified resource and returns a Group qualified GroupResource. -func Resource(resource string) schema.GroupResource { - return SchemeGroupVersion.WithResource(resource).GroupResource() -} diff --git a/generated/1.20/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go b/generated/1.20/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go deleted file mode 100644 index 1aba8aea..00000000 --- a/generated/1.20/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go +++ /dev/null 
@@ -1,121 +0,0 @@ -//go:build !ignore_autogenerated -// +build !ignore_autogenerated - -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by deepcopy-gen. DO NOT EDIT. - -package v1alpha1 - -import ( - runtime "k8s.io/apimachinery/pkg/runtime" -) - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *OIDCClient) DeepCopyInto(out *OIDCClient) { - *out = *in - out.TypeMeta = in.TypeMeta - in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) - in.Spec.DeepCopyInto(&out.Spec) - out.Status = in.Status - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClient. -func (in *OIDCClient) DeepCopy() *OIDCClient { - if in == nil { - return nil - } - out := new(OIDCClient) - in.DeepCopyInto(out) - return out -} - -// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. -func (in *OIDCClient) DeepCopyObject() runtime.Object { - if c := in.DeepCopy(); c != nil { - return c - } - return nil -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *OIDCClientList) DeepCopyInto(out *OIDCClientList) { - *out = *in - out.TypeMeta = in.TypeMeta - in.ListMeta.DeepCopyInto(&out.ListMeta) - if in.Items != nil { - in, out := &in.Items, &out.Items - *out = make([]OIDCClient, len(*in)) - for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) - } - } - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientList. -func (in *OIDCClientList) DeepCopy() *OIDCClientList { - if in == nil { - return nil - } - out := new(OIDCClientList) - in.DeepCopyInto(out) - return out -} - -// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. 
-func (in *OIDCClientList) DeepCopyObject() runtime.Object { - if c := in.DeepCopy(); c != nil { - return c - } - return nil -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *OIDCClientSpec) DeepCopyInto(out *OIDCClientSpec) { - *out = *in - if in.AllowedRedirectURIs != nil { - in, out := &in.AllowedRedirectURIs, &out.AllowedRedirectURIs - *out = make([]string, len(*in)) - copy(*out, *in) - } - if in.AllowedGrantTypes != nil { - in, out := &in.AllowedGrantTypes, &out.AllowedGrantTypes - *out = make([]GrantType, len(*in)) - copy(*out, *in) - } - if in.AllowedScopes != nil { - in, out := &in.AllowedScopes, &out.AllowedScopes - *out = make([]Scope, len(*in)) - copy(*out, *in) - } - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSpec. -func (in *OIDCClientSpec) DeepCopy() *OIDCClientSpec { - if in == nil { - return nil - } - out := new(OIDCClientSpec) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *OIDCClientStatus) DeepCopyInto(out *OIDCClientStatus) { - *out = *in - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientStatus. -func (in *OIDCClientStatus) DeepCopy() *OIDCClientStatus { - if in == nil { - return nil - } - out := new(OIDCClientStatus) - in.DeepCopyInto(out) - return out -} diff --git a/generated/1.20/client/supervisor/clientset/versioned/clientset.go b/generated/1.20/client/supervisor/clientset/versioned/clientset.go index ec78cd88..47592892 100644 --- a/generated/1.20/client/supervisor/clientset/versioned/clientset.go +++ b/generated/1.20/client/supervisor/clientset/versioned/clientset.go 
@@ -10,7 +10,6 @@ import ( configv1alpha1 "go.pinniped.dev/generated/1.20/client/supervisor/clientset/versioned/typed/config/v1alpha1" idpv1alpha1 "go.pinniped.dev/generated/1.20/client/supervisor/clientset/versioned/typed/idp/v1alpha1" - oauthv1alpha1 "go.pinniped.dev/generated/1.20/client/supervisor/clientset/versioned/typed/oauth/v1alpha1" discovery "k8s.io/client-go/discovery" rest "k8s.io/client-go/rest" flowcontrol "k8s.io/client-go/util/flowcontrol" @@ -20,7 +19,6 @@ type Interface interface { Discovery() discovery.DiscoveryInterface ConfigV1alpha1() configv1alpha1.ConfigV1alpha1Interface IDPV1alpha1() idpv1alpha1.IDPV1alpha1Interface - OauthV1alpha1() oauthv1alpha1.OauthV1alpha1Interface } // Clientset contains the clients for groups. Each group has exactly one @@ -29,7 +27,6 @@ type Clientset struct { *discovery.DiscoveryClient configV1alpha1 *configv1alpha1.ConfigV1alpha1Client iDPV1alpha1 *idpv1alpha1.IDPV1alpha1Client - oauthV1alpha1 *oauthv1alpha1.OauthV1alpha1Client } // ConfigV1alpha1 retrieves the ConfigV1alpha1Client @@ -42,11 +39,6 @@ func (c *Clientset) IDPV1alpha1() idpv1alpha1.IDPV1alpha1Interface { return c.iDPV1alpha1 } -// OauthV1alpha1 retrieves the OauthV1alpha1Client -func (c *Clientset) OauthV1alpha1() oauthv1alpha1.OauthV1alpha1Interface { - return c.oauthV1alpha1 -} - // Discovery retrieves the DiscoveryClient func (c *Clientset) Discovery() discovery.DiscoveryInterface { if c == nil { @@ -76,10 +68,6 @@ func NewForConfig(c *rest.Config) (*Clientset, error) { if err != nil { return nil, err } - cs.oauthV1alpha1, err = oauthv1alpha1.NewForConfig(&configShallowCopy) - if err != nil { - return nil, err - } cs.DiscoveryClient, err = discovery.NewDiscoveryClientForConfig(&configShallowCopy) if err != nil { 
@@ -94,7 +82,6 @@ func NewForConfigOrDie(c *rest.Config) *Clientset { var cs Clientset cs.configV1alpha1 = configv1alpha1.NewForConfigOrDie(c) cs.iDPV1alpha1 = idpv1alpha1.NewForConfigOrDie(c) - cs.oauthV1alpha1 = oauthv1alpha1.NewForConfigOrDie(c) cs.DiscoveryClient = discovery.NewDiscoveryClientForConfigOrDie(c) return &cs @@ -105,7 +92,6 @@ func New(c rest.Interface) *Clientset { var cs Clientset cs.configV1alpha1 = configv1alpha1.New(c) cs.iDPV1alpha1 = idpv1alpha1.New(c) - cs.oauthV1alpha1 = oauthv1alpha1.New(c) cs.DiscoveryClient = discovery.NewDiscoveryClient(c) return &cs diff --git a/generated/1.20/client/supervisor/clientset/versioned/fake/clientset_generated.go b/generated/1.20/client/supervisor/clientset/versioned/fake/clientset_generated.go index cee1ca0d..4f710f0b 100644 --- a/generated/1.20/client/supervisor/clientset/versioned/fake/clientset_generated.go +++ b/generated/1.20/client/supervisor/clientset/versioned/fake/clientset_generated.go @@ -11,8 +11,6 @@ import ( fakeconfigv1alpha1 "go.pinniped.dev/generated/1.20/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake" idpv1alpha1 "go.pinniped.dev/generated/1.20/client/supervisor/clientset/versioned/typed/idp/v1alpha1" fakeidpv1alpha1 "go.pinniped.dev/generated/1.20/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake" - oauthv1alpha1 "go.pinniped.dev/generated/1.20/client/supervisor/clientset/versioned/typed/oauth/v1alpha1" - fakeoauthv1alpha1 "go.pinniped.dev/generated/1.20/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake" "k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/watch" "k8s.io/client-go/discovery" 
@@ -76,8 +74,3 @@ func (c *Clientset) ConfigV1alpha1() configv1alpha1.ConfigV1alpha1Interface { func (c *Clientset) IDPV1alpha1() idpv1alpha1.IDPV1alpha1Interface { return &fakeidpv1alpha1.FakeIDPV1alpha1{Fake: &c.Fake} } - -// OauthV1alpha1 retrieves the OauthV1alpha1Client -func (c *Clientset) OauthV1alpha1() oauthv1alpha1.OauthV1alpha1Interface { - return &fakeoauthv1alpha1.FakeOauthV1alpha1{Fake: &c.Fake} -} diff --git a/generated/1.20/client/supervisor/clientset/versioned/fake/register.go b/generated/1.20/client/supervisor/clientset/versioned/fake/register.go index b9ea3ea8..7587d602 100644 --- a/generated/1.20/client/supervisor/clientset/versioned/fake/register.go +++ b/generated/1.20/client/supervisor/clientset/versioned/fake/register.go @@ -8,7 +8,6 @@ package fake import ( configv1alpha1 "go.pinniped.dev/generated/1.20/apis/supervisor/config/v1alpha1" idpv1alpha1 "go.pinniped.dev/generated/1.20/apis/supervisor/idp/v1alpha1" - oauthv1alpha1 "go.pinniped.dev/generated/1.20/apis/supervisor/oauth/v1alpha1" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" runtime "k8s.io/apimachinery/pkg/runtime" schema "k8s.io/apimachinery/pkg/runtime/schema" @@ -22,7 +21,6 @@ var codecs = serializer.NewCodecFactory(scheme) var localSchemeBuilder = runtime.SchemeBuilder{ configv1alpha1.AddToScheme, idpv1alpha1.AddToScheme, - oauthv1alpha1.AddToScheme, } // AddToScheme adds all types of this clientset into the given scheme. This allows composition diff --git a/generated/1.20/client/supervisor/clientset/versioned/scheme/register.go b/generated/1.20/client/supervisor/clientset/versioned/scheme/register.go index cd769223..af0ed68f 100644 --- a/generated/1.20/client/supervisor/clientset/versioned/scheme/register.go +++ b/generated/1.20/client/supervisor/clientset/versioned/scheme/register.go 
@@ -8,7 +8,6 @@ package scheme import ( configv1alpha1 "go.pinniped.dev/generated/1.20/apis/supervisor/config/v1alpha1" idpv1alpha1 "go.pinniped.dev/generated/1.20/apis/supervisor/idp/v1alpha1" - oauthv1alpha1 "go.pinniped.dev/generated/1.20/apis/supervisor/oauth/v1alpha1" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" runtime "k8s.io/apimachinery/pkg/runtime" schema "k8s.io/apimachinery/pkg/runtime/schema" @@ -22,7 +21,6 @@ var ParameterCodec = runtime.NewParameterCodec(Scheme) var localSchemeBuilder = runtime.SchemeBuilder{ configv1alpha1.AddToScheme, idpv1alpha1.AddToScheme, - oauthv1alpha1.AddToScheme, } // AddToScheme adds all types of this clientset into the given scheme. This allows composition diff --git a/generated/1.20/client/supervisor/clientset/versioned/typed/config/v1alpha1/config_client.go b/generated/1.20/client/supervisor/clientset/versioned/typed/config/v1alpha1/config_client.go index 5baa9401..0af8db5d 100644 --- a/generated/1.20/client/supervisor/clientset/versioned/typed/config/v1alpha1/config_client.go +++ b/generated/1.20/client/supervisor/clientset/versioned/typed/config/v1alpha1/config_client.go @@ -14,6 +14,7 @@ import ( type ConfigV1alpha1Interface interface { RESTClient() rest.Interface FederationDomainsGetter + OIDCClientsGetter } // ConfigV1alpha1Client is used to interact with features provided by the config.supervisor.pinniped.dev group. @@ -25,6 +26,10 @@ func (c *ConfigV1alpha1Client) FederationDomains(namespace string) FederationDom return newFederationDomains(c, namespace) } +func (c *ConfigV1alpha1Client) OIDCClients(namespace string) OIDCClientInterface { + return newOIDCClients(c, namespace) +} + // NewForConfig creates a new ConfigV1alpha1Client for the given config. func NewForConfig(c *rest.Config) (*ConfigV1alpha1Client, error) { config := *c 
diff --git a/generated/1.20/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake/fake_config_client.go b/generated/1.20/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake/fake_config_client.go index 67628cf9..68debe9b 100644 --- a/generated/1.20/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake/fake_config_client.go +++ b/generated/1.20/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake/fake_config_client.go @@ -19,6 +19,10 @@ func (c *FakeConfigV1alpha1) FederationDomains(namespace string) v1alpha1.Federa return &FakeFederationDomains{c, namespace} } +func (c *FakeConfigV1alpha1) OIDCClients(namespace string) v1alpha1.OIDCClientInterface { + return &FakeOIDCClients{c, namespace} +} + // RESTClient returns a RESTClient that is used to communicate // with API server by this client implementation. func (c *FakeConfigV1alpha1) RESTClient() rest.Interface { diff --git a/generated/1.20/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oidcclient.go b/generated/1.20/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake/fake_oidcclient.go similarity index 92% rename from generated/1.20/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oidcclient.go rename to generated/1.20/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake/fake_oidcclient.go index 38aac300..b481c9ec 100644 --- a/generated/1.20/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oidcclient.go +++ b/generated/1.20/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake/fake_oidcclient.go @@ -8,7 +8,7 @@ package fake import ( "context" - v1alpha1 "go.pinniped.dev/generated/1.20/apis/supervisor/oauth/v1alpha1" + v1alpha1 "go.pinniped.dev/generated/1.20/apis/supervisor/config/v1alpha1" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" labels "k8s.io/apimachinery/pkg/labels" schema "k8s.io/apimachinery/pkg/runtime/schema" 
@@ -19,13 +19,13 @@ import ( // FakeOIDCClients implements OIDCClientInterface type FakeOIDCClients struct { - Fake *FakeOauthV1alpha1 + Fake *FakeConfigV1alpha1 ns string } -var oidcclientsResource = schema.GroupVersionResource{Group: "oauth.supervisor.pinniped.dev", Version: "v1alpha1", Resource: "oidcclients"} +var oidcclientsResource = schema.GroupVersionResource{Group: "config.supervisor.pinniped.dev", Version: "v1alpha1", Resource: "oidcclients"} -var oidcclientsKind = schema.GroupVersionKind{Group: "oauth.supervisor.pinniped.dev", Version: "v1alpha1", Kind: "OIDCClient"} +var oidcclientsKind = schema.GroupVersionKind{Group: "config.supervisor.pinniped.dev", Version: "v1alpha1", Kind: "OIDCClient"} // Get takes name of the oIDCClient, and returns the corresponding oIDCClient object, and an error if there is any. func (c *FakeOIDCClients) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.OIDCClient, err error) { diff --git a/generated/1.20/client/supervisor/clientset/versioned/typed/config/v1alpha1/generated_expansion.go b/generated/1.20/client/supervisor/clientset/versioned/typed/config/v1alpha1/generated_expansion.go index ba9c9173..35b9ee3d 100644 --- a/generated/1.20/client/supervisor/clientset/versioned/typed/config/v1alpha1/generated_expansion.go +++ b/generated/1.20/client/supervisor/clientset/versioned/typed/config/v1alpha1/generated_expansion.go @@ -6,3 +6,5 @@ package v1alpha1 type FederationDomainExpansion interface{} + +type OIDCClientExpansion interface{} diff --git a/generated/1.20/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oidcclient.go b/generated/1.20/client/supervisor/clientset/versioned/typed/config/v1alpha1/oidcclient.go similarity index 97% rename from generated/1.20/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oidcclient.go rename to generated/1.20/client/supervisor/clientset/versioned/typed/config/v1alpha1/oidcclient.go index 32503911..2b2e4e9e 100644 
--- a/generated/1.20/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oidcclient.go +++ b/generated/1.20/client/supervisor/clientset/versioned/typed/config/v1alpha1/oidcclient.go @@ -9,7 +9,7 @@ import ( "context" "time" - v1alpha1 "go.pinniped.dev/generated/1.20/apis/supervisor/oauth/v1alpha1" + v1alpha1 "go.pinniped.dev/generated/1.20/apis/supervisor/config/v1alpha1" scheme "go.pinniped.dev/generated/1.20/client/supervisor/clientset/versioned/scheme" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" types "k8s.io/apimachinery/pkg/types" @@ -44,7 +44,7 @@ type oIDCClients struct { } // newOIDCClients returns a OIDCClients -func newOIDCClients(c *OauthV1alpha1Client, namespace string) *oIDCClients { +func newOIDCClients(c *ConfigV1alpha1Client, namespace string) *oIDCClients { return &oIDCClients{ client: c.RESTClient(), ns: namespace, diff --git a/generated/1.20/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/doc.go b/generated/1.20/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/doc.go deleted file mode 100644 index e7a470b6..00000000 --- a/generated/1.20/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/doc.go +++ /dev/null @@ -1,7 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by client-gen. DO NOT EDIT. - -// This package has the automatically generated typed clients. -package v1alpha1 diff --git a/generated/1.20/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go b/generated/1.20/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go deleted file mode 100644 index 7906901b..00000000 --- a/generated/1.20/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go +++ /dev/null 
@@ -1,7 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by client-gen. DO NOT EDIT. - -// Package fake has the automatically generated clients. -package fake diff --git a/generated/1.20/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go b/generated/1.20/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go deleted file mode 100644 index 3bc1da70..00000000 --- a/generated/1.20/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go +++ /dev/null @@ -1,27 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by client-gen. DO NOT EDIT. - -package fake - -import ( - v1alpha1 "go.pinniped.dev/generated/1.20/client/supervisor/clientset/versioned/typed/oauth/v1alpha1" - rest "k8s.io/client-go/rest" - testing "k8s.io/client-go/testing" -) - -type FakeOauthV1alpha1 struct { - *testing.Fake -} - -func (c *FakeOauthV1alpha1) OIDCClients(namespace string) v1alpha1.OIDCClientInterface { - return &FakeOIDCClients{c, namespace} -} - -// RESTClient returns a RESTClient that is used to communicate -// with API server by this client implementation. -func (c *FakeOauthV1alpha1) RESTClient() rest.Interface { - var ret *rest.RESTClient - return ret -} diff --git a/generated/1.20/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go b/generated/1.20/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go deleted file mode 100644 index 87d22ea9..00000000 --- a/generated/1.20/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go +++ /dev/null 
@@ -1,8 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by client-gen. DO NOT EDIT. - -package v1alpha1 - -type OIDCClientExpansion interface{} diff --git a/generated/1.20/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go b/generated/1.20/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go deleted file mode 100644 index ca9d2cf5..00000000 --- a/generated/1.20/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go +++ /dev/null 
@@ -1,76 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by client-gen. DO NOT EDIT. - -package v1alpha1 - -import ( - v1alpha1 "go.pinniped.dev/generated/1.20/apis/supervisor/oauth/v1alpha1" - "go.pinniped.dev/generated/1.20/client/supervisor/clientset/versioned/scheme" - rest "k8s.io/client-go/rest" -) - -type OauthV1alpha1Interface interface { - RESTClient() rest.Interface - OIDCClientsGetter -} - -// OauthV1alpha1Client is used to interact with features provided by the oauth.supervisor.pinniped.dev group. -type OauthV1alpha1Client struct { - restClient rest.Interface -} - -func (c *OauthV1alpha1Client) OIDCClients(namespace string) OIDCClientInterface { - return newOIDCClients(c, namespace) -} - -// NewForConfig creates a new OauthV1alpha1Client for the given config. -func NewForConfig(c *rest.Config) (*OauthV1alpha1Client, error) { - config := *c - if err := setConfigDefaults(&config); err != nil { - return nil, err - } - client, err := rest.RESTClientFor(&config) - if err != nil { - return nil, err - } - return &OauthV1alpha1Client{client}, nil -} - -// NewForConfigOrDie creates a new OauthV1alpha1Client for the given config and -// panics if there is an error in the config. -func NewForConfigOrDie(c *rest.Config) *OauthV1alpha1Client { - client, err := NewForConfig(c) - if err != nil { - panic(err) - } - return client -} - -// New creates a new OauthV1alpha1Client for the given RESTClient. 
-func New(c rest.Interface) *OauthV1alpha1Client { - return &OauthV1alpha1Client{c} -} - -func setConfigDefaults(config *rest.Config) error { - gv := v1alpha1.SchemeGroupVersion - config.GroupVersion = &gv - config.APIPath = "/apis" - config.NegotiatedSerializer = scheme.Codecs.WithoutConversion() - - if config.UserAgent == "" { - config.UserAgent = rest.DefaultKubernetesUserAgent() - } - - return nil -} - -// RESTClient returns a RESTClient that is used to communicate -// with API server by this client implementation. -func (c *OauthV1alpha1Client) RESTClient() rest.Interface { - if c == nil { - return nil - } - return c.restClient -} diff --git a/generated/1.20/client/supervisor/informers/externalversions/config/v1alpha1/interface.go b/generated/1.20/client/supervisor/informers/externalversions/config/v1alpha1/interface.go index 399bc958..37340c6b 100644 --- a/generated/1.20/client/supervisor/informers/externalversions/config/v1alpha1/interface.go +++ b/generated/1.20/client/supervisor/informers/externalversions/config/v1alpha1/interface.go @@ -13,6 +13,8 @@ import ( type Interface interface { // FederationDomains returns a FederationDomainInformer. FederationDomains() FederationDomainInformer + // OIDCClients returns a OIDCClientInformer. + OIDCClients() OIDCClientInformer } type version struct { @@ -30,3 +32,8 @@ func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakList func (v *version) FederationDomains() FederationDomainInformer { return &federationDomainInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions} } + +// OIDCClients returns a OIDCClientInformer. +func (v *version) OIDCClients() OIDCClientInformer { + return &oIDCClientInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions} +} 
diff --git a/generated/1.20/client/supervisor/informers/externalversions/oauth/v1alpha1/oidcclient.go b/generated/1.20/client/supervisor/informers/externalversions/config/v1alpha1/oidcclient.go similarity index 88% rename from generated/1.20/client/supervisor/informers/externalversions/oauth/v1alpha1/oidcclient.go rename to generated/1.20/client/supervisor/informers/externalversions/config/v1alpha1/oidcclient.go index 37efa298..0ebc789f 100644 --- a/generated/1.20/client/supervisor/informers/externalversions/oauth/v1alpha1/oidcclient.go +++ b/generated/1.20/client/supervisor/informers/externalversions/config/v1alpha1/oidcclient.go @@ -9,10 +9,10 @@ import ( "context" time "time" - oauthv1alpha1 "go.pinniped.dev/generated/1.20/apis/supervisor/oauth/v1alpha1" + configv1alpha1 "go.pinniped.dev/generated/1.20/apis/supervisor/config/v1alpha1" versioned "go.pinniped.dev/generated/1.20/client/supervisor/clientset/versioned" internalinterfaces "go.pinniped.dev/generated/1.20/client/supervisor/informers/externalversions/internalinterfaces" - v1alpha1 "go.pinniped.dev/generated/1.20/client/supervisor/listers/oauth/v1alpha1" + v1alpha1 "go.pinniped.dev/generated/1.20/client/supervisor/listers/config/v1alpha1" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" runtime "k8s.io/apimachinery/pkg/runtime" watch "k8s.io/apimachinery/pkg/watch" 
@@ -49,16 +49,16 @@ func NewFilteredOIDCClientInformer(client versioned.Interface, namespace string, if tweakListOptions != nil { tweakListOptions(&options) } - return client.OauthV1alpha1().OIDCClients(namespace).List(context.TODO(), options) + return client.ConfigV1alpha1().OIDCClients(namespace).List(context.TODO(), options) }, WatchFunc: func(options v1.ListOptions) (watch.Interface, error) { if tweakListOptions != nil { tweakListOptions(&options) } - return client.OauthV1alpha1().OIDCClients(namespace).Watch(context.TODO(), options) + return client.ConfigV1alpha1().OIDCClients(namespace).Watch(context.TODO(), options) }, }, - &oauthv1alpha1.OIDCClient{}, + &configv1alpha1.OIDCClient{}, resyncPeriod, indexers, ) @@ -69,7 +69,7 @@ func (f *oIDCClientInformer) defaultInformer(client versioned.Interface, resyncP } func (f *oIDCClientInformer) Informer() cache.SharedIndexInformer { - return f.factory.InformerFor(&oauthv1alpha1.OIDCClient{}, f.defaultInformer) + return f.factory.InformerFor(&configv1alpha1.OIDCClient{}, f.defaultInformer) } func (f *oIDCClientInformer) Lister() v1alpha1.OIDCClientLister { diff --git a/generated/1.20/client/supervisor/informers/externalversions/factory.go b/generated/1.20/client/supervisor/informers/externalversions/factory.go index 6e6fffaa..60395f1f 100644 --- a/generated/1.20/client/supervisor/informers/externalversions/factory.go +++ b/generated/1.20/client/supervisor/informers/externalversions/factory.go 
@@ -14,7 +14,6 @@ import ( config "go.pinniped.dev/generated/1.20/client/supervisor/informers/externalversions/config" idp "go.pinniped.dev/generated/1.20/client/supervisor/informers/externalversions/idp" internalinterfaces "go.pinniped.dev/generated/1.20/client/supervisor/informers/externalversions/internalinterfaces" - oauth "go.pinniped.dev/generated/1.20/client/supervisor/informers/externalversions/oauth" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" runtime "k8s.io/apimachinery/pkg/runtime" schema "k8s.io/apimachinery/pkg/runtime/schema" @@ -163,7 +162,6 @@ type SharedInformerFactory interface { Config() config.Interface IDP() idp.Interface - Oauth() oauth.Interface } func (f *sharedInformerFactory) Config() config.Interface { @@ -173,7 +171,3 @@ func (f *sharedInformerFactory) Config() config.Interface { func (f *sharedInformerFactory) IDP() idp.Interface { return idp.New(f, f.namespace, f.tweakListOptions) } - -func (f *sharedInformerFactory) Oauth() oauth.Interface { - return oauth.New(f, f.namespace, f.tweakListOptions) -} diff --git a/generated/1.20/client/supervisor/informers/externalversions/generic.go b/generated/1.20/client/supervisor/informers/externalversions/generic.go index d541574e..d063878c 100644 --- a/generated/1.20/client/supervisor/informers/externalversions/generic.go +++ b/generated/1.20/client/supervisor/informers/externalversions/generic.go @@ -10,7 +10,6 @@ import ( v1alpha1 "go.pinniped.dev/generated/1.20/apis/supervisor/config/v1alpha1" idpv1alpha1 "go.pinniped.dev/generated/1.20/apis/supervisor/idp/v1alpha1" - oauthv1alpha1 "go.pinniped.dev/generated/1.20/apis/supervisor/oauth/v1alpha1" schema "k8s.io/apimachinery/pkg/runtime/schema" cache "k8s.io/client-go/tools/cache" ) 
@@ -44,6 +43,8 @@ func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource // Group=config.supervisor.pinniped.dev, Version=v1alpha1 case v1alpha1.SchemeGroupVersion.WithResource("federationdomains"): return &genericInformer{resource: resource.GroupResource(), informer: f.Config().V1alpha1().FederationDomains().Informer()}, nil + case v1alpha1.SchemeGroupVersion.WithResource("oidcclients"): + return &genericInformer{resource: resource.GroupResource(), informer: f.Config().V1alpha1().OIDCClients().Informer()}, nil // Group=idp.supervisor.pinniped.dev, Version=v1alpha1 case idpv1alpha1.SchemeGroupVersion.WithResource("activedirectoryidentityproviders"): @@ -53,10 +54,6 @@ func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource case idpv1alpha1.SchemeGroupVersion.WithResource("oidcidentityproviders"): return &genericInformer{resource: resource.GroupResource(), informer: f.IDP().V1alpha1().OIDCIdentityProviders().Informer()}, nil - // Group=oauth.supervisor.pinniped.dev, Version=v1alpha1 - case oauthv1alpha1.SchemeGroupVersion.WithResource("oidcclients"): - return &genericInformer{resource: resource.GroupResource(), informer: f.Oauth().V1alpha1().OIDCClients().Informer()}, nil - } return nil, fmt.Errorf("no informer found for %v", resource) diff --git a/generated/1.20/client/supervisor/informers/externalversions/oauth/interface.go b/generated/1.20/client/supervisor/informers/externalversions/oauth/interface.go deleted file mode 100644 index b4cc533e..00000000 --- a/generated/1.20/client/supervisor/informers/externalversions/oauth/interface.go +++ /dev/null 
@@ -1,33 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by informer-gen. DO NOT EDIT. - -package oauth - -import ( - internalinterfaces "go.pinniped.dev/generated/1.20/client/supervisor/informers/externalversions/internalinterfaces" - v1alpha1 "go.pinniped.dev/generated/1.20/client/supervisor/informers/externalversions/oauth/v1alpha1" -) - -// Interface provides access to each of this group's versions. -type Interface interface { - // V1alpha1 provides access to shared informers for resources in V1alpha1. - V1alpha1() v1alpha1.Interface -} - -type group struct { - factory internalinterfaces.SharedInformerFactory - namespace string - tweakListOptions internalinterfaces.TweakListOptionsFunc -} - -// New returns a new Interface. -func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakListOptions internalinterfaces.TweakListOptionsFunc) Interface { - return &group{factory: f, namespace: namespace, tweakListOptions: tweakListOptions} -} - -// V1alpha1 returns a new v1alpha1.Interface. -func (g *group) V1alpha1() v1alpha1.Interface { - return v1alpha1.New(g.factory, g.namespace, g.tweakListOptions) -} diff --git a/generated/1.20/client/supervisor/informers/externalversions/oauth/v1alpha1/interface.go b/generated/1.20/client/supervisor/informers/externalversions/oauth/v1alpha1/interface.go deleted file mode 100644 index ed7eacf5..00000000 --- a/generated/1.20/client/supervisor/informers/externalversions/oauth/v1alpha1/interface.go +++ /dev/null 
@@ -1,32 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by informer-gen. DO NOT EDIT. - -package v1alpha1 - -import ( - internalinterfaces "go.pinniped.dev/generated/1.20/client/supervisor/informers/externalversions/internalinterfaces" -) - -// Interface provides access to all the informers in this group version. -type Interface interface { - // OIDCClients returns a OIDCClientInformer. - OIDCClients() OIDCClientInformer -} - -type version struct { - factory internalinterfaces.SharedInformerFactory - namespace string - tweakListOptions internalinterfaces.TweakListOptionsFunc -} - -// New returns a new Interface. -func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakListOptions internalinterfaces.TweakListOptionsFunc) Interface { - return &version{factory: f, namespace: namespace, tweakListOptions: tweakListOptions} -} - -// OIDCClients returns a OIDCClientInformer. -func (v *version) OIDCClients() OIDCClientInformer { - return &oIDCClientInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions} -} diff --git a/generated/1.20/client/supervisor/listers/config/v1alpha1/expansion_generated.go b/generated/1.20/client/supervisor/listers/config/v1alpha1/expansion_generated.go index d59892c4..bda2f20e 100644 --- a/generated/1.20/client/supervisor/listers/config/v1alpha1/expansion_generated.go +++ b/generated/1.20/client/supervisor/listers/config/v1alpha1/expansion_generated.go 
@@ -12,3 +12,11 @@ type FederationDomainListerExpansion interface{} // FederationDomainNamespaceListerExpansion allows custom methods to be added to // FederationDomainNamespaceLister. type FederationDomainNamespaceListerExpansion interface{} + +// OIDCClientListerExpansion allows custom methods to be added to +// OIDCClientLister. +type OIDCClientListerExpansion interface{} + +// OIDCClientNamespaceListerExpansion allows custom methods to be added to +// OIDCClientNamespaceLister. +type OIDCClientNamespaceListerExpansion interface{} diff --git a/generated/1.21/client/supervisor/listers/oauth/v1alpha1/oidcclient.go b/generated/1.20/client/supervisor/listers/config/v1alpha1/oidcclient.go similarity index 97% rename from generated/1.21/client/supervisor/listers/oauth/v1alpha1/oidcclient.go rename to generated/1.20/client/supervisor/listers/config/v1alpha1/oidcclient.go index ac6047cd..d3e12885 100644 --- a/generated/1.21/client/supervisor/listers/oauth/v1alpha1/oidcclient.go +++ b/generated/1.20/client/supervisor/listers/config/v1alpha1/oidcclient.go @@ -6,7 +6,7 @@ package v1alpha1 import ( - v1alpha1 "go.pinniped.dev/generated/1.21/apis/supervisor/oauth/v1alpha1" + v1alpha1 "go.pinniped.dev/generated/1.20/apis/supervisor/config/v1alpha1" "k8s.io/apimachinery/pkg/api/errors" "k8s.io/apimachinery/pkg/labels" "k8s.io/client-go/tools/cache" diff --git a/generated/1.20/client/supervisor/listers/oauth/v1alpha1/expansion_generated.go b/generated/1.20/client/supervisor/listers/oauth/v1alpha1/expansion_generated.go deleted file mode 100644 index c19310da..00000000 --- a/generated/1.20/client/supervisor/listers/oauth/v1alpha1/expansion_generated.go +++ /dev/null 
@@ -1,14 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by lister-gen. DO NOT EDIT. - -package v1alpha1 - -// OIDCClientListerExpansion allows custom methods to be added to -// OIDCClientLister. -type OIDCClientListerExpansion interface{} - -// OIDCClientNamespaceListerExpansion allows custom methods to be added to -// OIDCClientNamespaceLister. -type OIDCClientNamespaceListerExpansion interface{} diff --git a/generated/1.20/crds/config.supervisor.pinniped.dev_oidcclients.yaml b/generated/1.20/crds/config.supervisor.pinniped.dev_oidcclients.yaml new file mode 100644 index 00000000..4efa445e --- /dev/null +++ b/generated/1.20/crds/config.supervisor.pinniped.dev_oidcclients.yaml 
@@ -0,0 +1,125 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.8.0 + creationTimestamp: null + name: oidcclients.config.supervisor.pinniped.dev +spec: + group: config.supervisor.pinniped.dev + names: + categories: + - pinniped + kind: OIDCClient + listKind: OIDCClientList + plural: oidcclients + singular: oidcclient + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: OIDCClient describes the configuration of an OIDC client. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec of the OIDC client. + properties: + allowedGrantTypes: + description: "allowedGrantTypes is a list of the allowed grant_type + param values that should be accepted during OIDC flows with this + client. \n Must only contain the following values: - authorization_code: + allows the client to perform the authorization code grant flow, + i.e. allows the webapp to authenticate users. This grant must always + be listed. - refresh_token: allows the client to perform refresh + grants for the user to extend the user's session. This grant must + be listed if allowedScopes lists offline_access. 
- urn:ietf:params:oauth:grant-type:token-exchange: + allows the client to perform RFC8693 token exchange, which is a + step in the process to be able to get a cluster credential for the + user. This grant must be listed if allowedScopes lists pinniped:request-audience." + items: + enum: + - authorization_code + - refresh_token + - urn:ietf:params:oauth:grant-type:token-exchange + type: string + minItems: 1 + type: array + allowedRedirectURIs: + description: allowedRedirectURIs is a list of the allowed redirect_uri + param values that should be accepted during OIDC flows with this + client. Any other uris will be rejected. Must be https, unless it + is a loopback. + items: + type: string + minItems: 1 + type: array + allowedScopes: + description: "allowedScopes is a list of the allowed scopes param + values that should be accepted during OIDC flows with this client. + \n Must only contain the following values: - openid: The client + is allowed to request ID tokens. ID tokens only include the required + claims by default (iss, sub, aud, exp, iat). This scope must always + be listed. - offline_access: The client is allowed to request an + initial refresh token during the authorization code grant flow. + This scope must be listed if allowedGrantTypes lists refresh_token. + - pinniped:request-audience: The client is allowed to request a + new audience value during a RFC8693 token exchange, which is a step + in the process to be able to get a cluster credential for the user. + openid, username and groups scopes must be listed when this scope + is present. This scope must be listed if allowedGrantTypes lists + urn:ietf:params:oauth:grant-type:token-exchange. - username: The + client is allowed to request that ID tokens contain the user's username. + Without the username scope being requested and allowed, the ID token + will not contain the user's username. 
- groups: The client is allowed + to request that ID tokens contain the user's group membership, if + their group membership is discoverable by the Supervisor. Without + the groups scope being requested and allowed, the ID token will + not contain groups." + items: + enum: + - openid + - offline_access + - username + - groups + - pinniped:request-audience + type: string + minItems: 1 + type: array + required: + - allowedGrantTypes + - allowedRedirectURIs + - allowedScopes + type: object + status: + description: Status of the OIDC client. + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/generated/1.20/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml b/generated/1.20/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml deleted file mode 100644 index 589a9154..00000000 --- a/generated/1.20/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml +++ /dev/null 
@@ -1,125 +0,0 @@ ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.8.0 - creationTimestamp: null - name: oidcclients.oauth.supervisor.pinniped.dev -spec: - group: oauth.supervisor.pinniped.dev - names: - categories: - - pinniped - kind: OIDCClient - listKind: OIDCClientList - plural: oidcclients - singular: oidcclient - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - description: OIDCClient describes the configuration of an OIDC client. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: Spec of the OIDC client. - properties: - allowedGrantTypes: - description: "allowedGrantTypes is a list of the allowed grant_type - param values that should be accepted during OIDC flows with this - client. \n Must only contain the following values: - authorization_code: - allows the client to perform the authorization code grant flow, - i.e. allows the webapp to authenticate users. This grant must always - be listed. - refresh_token: allows the client to perform refresh - grants for the user to extend the user's session. This grant must - be listed if allowedScopes lists offline_access. 
- urn:ietf:params:oauth:grant-type:token-exchange: - allows the client to perform RFC8693 token exchange, which is a - step in the process to be able to get a cluster credential for the - user. This grant must be listed if allowedScopes lists pinniped:request-audience." - items: - enum: - - authorization_code - - refresh_token - - urn:ietf:params:oauth:grant-type:token-exchange - type: string - minItems: 1 - type: array - allowedRedirectURIs: - description: allowedRedirectURIs is a list of the allowed redirect_uri - param values that should be accepted during OIDC flows with this - client. Any other uris will be rejected. Must be https, unless it - is a loopback. - items: - type: string - minItems: 1 - type: array - allowedScopes: - description: "allowedScopes is a list of the allowed scopes param - values that should be accepted during OIDC flows with this client. - \n Must only contain the following values: - openid: The client - is allowed to request ID tokens. ID tokens only include the required - claims by default (iss, sub, aud, exp, iat). This scope must always - be listed. - offline_access: The client is allowed to request an - initial refresh token during the authorization code grant flow. - This scope must be listed if allowedGrantTypes lists refresh_token. - - pinniped:request-audience: The client is allowed to request a - new audience value during a RFC8693 token exchange, which is a step - in the process to be able to get a cluster credential for the user. - openid, username and groups scopes must be listed when this scope - is present. This scope must be listed if allowedGrantTypes lists - urn:ietf:params:oauth:grant-type:token-exchange. - username: The - client is allowed to request that ID tokens contain the user's username. - Without the username scope being requested and allowed, the ID token - will not contain the user's username. 
- groups: The client is allowed - to request that ID tokens contain the user's group membership, if - their group membership is discoverable by the Supervisor. Without - the groups scope being requested and allowed, the ID token will - not contain groups." - items: - enum: - - openid - - offline_access - - username - - groups - - pinniped:request-audience - type: string - minItems: 1 - type: array - required: - - allowedGrantTypes - - allowedRedirectURIs - - allowedScopes - type: object - status: - description: Status of the OIDC client. - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] diff --git a/generated/1.21/README.adoc b/generated/1.21/README.adoc index 2a9ca757..7635b9a6 100644 --- a/generated/1.21/README.adoc +++ b/generated/1.21/README.adoc @@ -12,7 +12,6 @@ - xref:{anchor_prefix}-identity-concierge-pinniped-dev-v1alpha1[$$identity.concierge.pinniped.dev/v1alpha1$$] - xref:{anchor_prefix}-idp-supervisor-pinniped-dev-v1alpha1[$$idp.supervisor.pinniped.dev/v1alpha1$$] - xref:{anchor_prefix}-login-concierge-pinniped-dev-v1alpha1[$$login.concierge.pinniped.dev/v1alpha1$$] -- xref:{anchor_prefix}-oauth-supervisor-pinniped-dev-v1alpha1[$$oauth.supervisor.pinniped.dev/v1alpha1$$] [id="{anchor_prefix}-authentication-concierge-pinniped-dev-v1alpha1"] 
@@ -544,6 +543,51 @@ FederationDomainTLSSpec is a struct that describes the TLS configuration for an |=== +[id="{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-config-v1alpha1-oidcclient"] +==== OIDCClient + +OIDCClient describes the configuration of an OIDC client. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-config-v1alpha1-oidcclientlist[$$OIDCClientList$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.21/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`. + +| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-config-v1alpha1-oidcclientspec[$$OIDCClientSpec$$]__ | Spec of the OIDC client. +| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-config-v1alpha1-oidcclientstatus[$$OIDCClientStatus$$]__ | Status of the OIDC client. +|=== + + + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-config-v1alpha1-oidcclientspec"] +==== OIDCClientSpec + +OIDCClientSpec is a struct that describes an OIDC Client. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-config-v1alpha1-oidcclient[$$OIDCClient$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`allowedRedirectURIs`* __string array__ | allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this client. Any other uris will be rejected. Must be https, unless it is a loopback. +| *`allowedGrantTypes`* __GrantType array__ | allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this client. + Must only contain the following values: - authorization_code: allows the client to perform the authorization code grant flow, i.e. 
allows the webapp to authenticate users. This grant must always be listed. - refresh_token: allows the client to perform refresh grants for the user to extend the user's session. This grant must be listed if allowedScopes lists offline_access. - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. This grant must be listed if allowedScopes lists pinniped:request-audience. +| *`allowedScopes`* __Scope array__ | allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. + Must only contain the following values: - openid: The client is allowed to request ID tokens. ID tokens only include the required claims by default (iss, sub, aud, exp, iat). This scope must always be listed. - offline_access: The client is allowed to request an initial refresh token during the authorization code grant flow. This scope must be listed if allowedGrantTypes lists refresh_token. - pinniped:request-audience: The client is allowed to request a new audience value during a RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. openid, username and groups scopes must be listed when this scope is present. This scope must be listed if allowedGrantTypes lists urn:ietf:params:oauth:grant-type:token-exchange. - username: The client is allowed to request that ID tokens contain the user's username. Without the username scope being requested and allowed, the ID token will not contain the user's username. - groups: The client is allowed to request that ID tokens contain the user's group membership, if their group membership is discoverable by the Supervisor. Without the groups scope being requested and allowed, the ID token will not contain groups. 
+|=== + + + + [id="{anchor_prefix}-identity-concierge-pinniped-dev-identity"] === identity.concierge.pinniped.dev/identity 
@@ -1333,56 +1377,3 @@ TokenCredentialRequestStatus is the status of a TokenCredentialRequest, returned
 |===
-
-[id="{anchor_prefix}-oauth-supervisor-pinniped-dev-v1alpha1"]
-=== oauth.supervisor.pinniped.dev/v1alpha1
-
-Package v1alpha1 is the v1alpha1 version of the Pinniped supervisor oauth API.
-
-
-
-[id="{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-oauth-v1alpha1-oidcclient"]
-==== OIDCClient
-
-OIDCClient describes the configuration of an OIDC client.
-
-.Appears In:
-****
-- xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-oauth-v1alpha1-oidcclientlist[$$OIDCClientList$$]
-****
-
-[cols="25a,75a", options="header"]
-|===
-| Field | Description
-| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.21/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`.
-
-| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-oauth-v1alpha1-oidcclientspec[$$OIDCClientSpec$$]__ | Spec of the OIDC client.
-| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-oauth-v1alpha1-oidcclientstatus[$$OIDCClientStatus$$]__ | Status of the OIDC client.
-|===
-
-
-
-
-[id="{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-oauth-v1alpha1-oidcclientspec"]
-==== OIDCClientSpec
-
-OIDCClientSpec is a struct that describes an OIDC Client.
-
-.Appears In:
-****
-- xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-oauth-v1alpha1-oidcclient[$$OIDCClient$$]
-****
-
-[cols="25a,75a", options="header"]
-|===
-| Field | Description
-| *`allowedRedirectURIs`* __string array__ | allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this client. Any other uris will be rejected. Must be https, unless it is a loopback.
-| *`allowedGrantTypes`* __GrantType array__ | allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this client.
- Must only contain the following values: - authorization_code: allows the client to perform the authorization code grant flow, i.e. allows the webapp to authenticate users. This grant must always be listed. - refresh_token: allows the client to perform refresh grants for the user to extend the user's session. This grant must be listed if allowedScopes lists offline_access. - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. This grant must be listed if allowedScopes lists pinniped:request-audience.
-| *`allowedScopes`* __Scope array__ | allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client.
- Must only contain the following values: - openid: The client is allowed to request ID tokens. ID tokens only include the required claims by default (iss, sub, aud, exp, iat). This scope must always be listed. - offline_access: The client is allowed to request an initial refresh token during the authorization code grant flow. This scope must be listed if allowedGrantTypes lists refresh_token. - pinniped:request-audience: The client is allowed to request a new audience value during a RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. openid, username and groups scopes must be listed when this scope is present. This scope must be listed if allowedGrantTypes lists urn:ietf:params:oauth:grant-type:token-exchange. - username: The client is allowed to request that ID tokens contain the user's username. Without the username scope being requested and allowed, the ID token will not contain the user's username.
- groups: The client is allowed to request that ID tokens contain the user's group membership, if their group membership is discoverable by the Supervisor. Without the groups scope being requested and allowed, the ID token will not contain groups.
-|===
-
-
-
-
diff --git a/generated/1.21/apis/supervisor/config/v1alpha1/register.go b/generated/1.21/apis/supervisor/config/v1alpha1/register.go
index 69045298..54c51699 100644
--- a/generated/1.21/apis/supervisor/config/v1alpha1/register.go
+++ b/generated/1.21/apis/supervisor/config/v1alpha1/register.go
@@ -32,6 +32,8 @@ func addKnownTypes(scheme *runtime.Scheme) error {
 scheme.AddKnownTypes(SchemeGroupVersion,
 &FederationDomain{},
 &FederationDomainList{},
+ &OIDCClient{},
+ &OIDCClientList{},
 )
 metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
 return nil
diff --git a/generated/1.21/apis/supervisor/oauth/v1alpha1/types_oidcclient.go b/generated/1.21/apis/supervisor/config/v1alpha1/types_oidcclient.go
similarity index 100%
rename from generated/1.21/apis/supervisor/oauth/v1alpha1/types_oidcclient.go
rename to generated/1.21/apis/supervisor/config/v1alpha1/types_oidcclient.go
diff --git a/generated/1.21/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go b/generated/1.21/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go
index 856b8988..a55d88e7 100644
--- a/generated/1.21/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go
+++ b/generated/1.21/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go
@@ -150,3 +150,111 @@ func (in *FederationDomainTLSSpec) DeepCopy() *FederationDomainTLSSpec {
 in.DeepCopyInto(out)
 return out
 }
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OIDCClient) DeepCopyInto(out *OIDCClient) {
+ *out = *in
+ out.TypeMeta = in.TypeMeta
+ in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+ in.Spec.DeepCopyInto(&out.Spec)
+ out.Status = in.Status
+ return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClient.
+func (in *OIDCClient) DeepCopy() *OIDCClient {
+ if in == nil {
+ return nil
+ }
+ out := new(OIDCClient)
+ in.DeepCopyInto(out)
+ return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *OIDCClient) DeepCopyObject() runtime.Object {
+ if c := in.DeepCopy(); c != nil {
+ return c
+ }
+ return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OIDCClientList) DeepCopyInto(out *OIDCClientList) {
+ *out = *in
+ out.TypeMeta = in.TypeMeta
+ in.ListMeta.DeepCopyInto(&out.ListMeta)
+ if in.Items != nil {
+ in, out := &in.Items, &out.Items
+ *out = make([]OIDCClient, len(*in))
+ for i := range *in {
+ (*in)[i].DeepCopyInto(&(*out)[i])
+ }
+ }
+ return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientList.
+func (in *OIDCClientList) DeepCopy() *OIDCClientList {
+ if in == nil {
+ return nil
+ }
+ out := new(OIDCClientList)
+ in.DeepCopyInto(out)
+ return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *OIDCClientList) DeepCopyObject() runtime.Object {
+ if c := in.DeepCopy(); c != nil {
+ return c
+ }
+ return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. 
in must be non-nil.
+func (in *OIDCClientSpec) DeepCopyInto(out *OIDCClientSpec) {
+ *out = *in
+ if in.AllowedRedirectURIs != nil {
+ in, out := &in.AllowedRedirectURIs, &out.AllowedRedirectURIs
+ *out = make([]string, len(*in))
+ copy(*out, *in)
+ }
+ if in.AllowedGrantTypes != nil {
+ in, out := &in.AllowedGrantTypes, &out.AllowedGrantTypes
+ *out = make([]GrantType, len(*in))
+ copy(*out, *in)
+ }
+ if in.AllowedScopes != nil {
+ in, out := &in.AllowedScopes, &out.AllowedScopes
+ *out = make([]Scope, len(*in))
+ copy(*out, *in)
+ }
+ return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSpec.
+func (in *OIDCClientSpec) DeepCopy() *OIDCClientSpec {
+ if in == nil {
+ return nil
+ }
+ out := new(OIDCClientSpec)
+ in.DeepCopyInto(out)
+ return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OIDCClientStatus) DeepCopyInto(out *OIDCClientStatus) {
+ *out = *in
+ return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientStatus.
+func (in *OIDCClientStatus) DeepCopy() *OIDCClientStatus {
+ if in == nil {
+ return nil
+ }
+ out := new(OIDCClientStatus)
+ in.DeepCopyInto(out)
+ return out
+}
diff --git a/generated/1.21/apis/supervisor/oauth/v1alpha1/doc.go b/generated/1.21/apis/supervisor/oauth/v1alpha1/doc.go
deleted file mode 100644
index 75580481..00000000
--- a/generated/1.21/apis/supervisor/oauth/v1alpha1/doc.go
+++ /dev/null
@@ -1,10 +0,0 @@
-// Copyright 2022 the Pinniped contributors. All Rights Reserved.
-// SPDX-License-Identifier: Apache-2.0
-
-// +k8s:openapi-gen=true
-// +k8s:deepcopy-gen=package
-// +k8s:defaulter-gen=TypeMeta
-// +groupName=oauth.supervisor.pinniped.dev
-
-// Package v1alpha1 is the v1alpha1 version of the Pinniped supervisor oauth API.
-package v1alpha1
diff --git a/generated/1.21/apis/supervisor/oauth/v1alpha1/register.go b/generated/1.21/apis/supervisor/oauth/v1alpha1/register.go
deleted file mode 100644
index 37ae1fbf..00000000
--- a/generated/1.21/apis/supervisor/oauth/v1alpha1/register.go
+++ /dev/null
@@ -1,43 +0,0 @@
-// Copyright 2022 the Pinniped contributors. All Rights Reserved.
-// SPDX-License-Identifier: Apache-2.0
-
-package v1alpha1
-
-import (
- metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
- "k8s.io/apimachinery/pkg/runtime"
- "k8s.io/apimachinery/pkg/runtime/schema"
-)
-
-const GroupName = "oauth.supervisor.pinniped.dev"
-
-// SchemeGroupVersion is group version used to register these objects.
-var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha1"}
-
-var (
- SchemeBuilder runtime.SchemeBuilder
- localSchemeBuilder = &SchemeBuilder
- AddToScheme = localSchemeBuilder.AddToScheme
-)
-
-func init() {
- // We only register manually written functions here. The registration of the
- // generated functions takes place in the generated files. The separation
- // makes the code compile even when the generated files are missing.
- localSchemeBuilder.Register(addKnownTypes)
-}
-
-// Adds the list of known types to the given scheme.
-func addKnownTypes(scheme *runtime.Scheme) error {
- scheme.AddKnownTypes(SchemeGroupVersion,
- &OIDCClient{},
- &OIDCClientList{},
- )
- metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
- return nil
-}
-
-// Resource takes an unqualified resource and returns a Group qualified GroupResource.
-func Resource(resource string) schema.GroupResource {
- return SchemeGroupVersion.WithResource(resource).GroupResource()
-}
diff --git a/generated/1.21/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go b/generated/1.21/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go
deleted file mode 100644
index 1aba8aea..00000000
--- a/generated/1.21/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go
+++ /dev/null
@@ -1,121 +0,0 @@
-//go:build !ignore_autogenerated
-// +build !ignore_autogenerated
-
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
-// SPDX-License-Identifier: Apache-2.0
-
-// Code generated by deepcopy-gen. DO NOT EDIT.
-
-package v1alpha1
-
-import (
- runtime "k8s.io/apimachinery/pkg/runtime"
-)
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *OIDCClient) DeepCopyInto(out *OIDCClient) {
- *out = *in
- out.TypeMeta = in.TypeMeta
- in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
- in.Spec.DeepCopyInto(&out.Spec)
- out.Status = in.Status
- return
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClient.
-func (in *OIDCClient) DeepCopy() *OIDCClient {
- if in == nil {
- return nil
- }
- out := new(OIDCClient)
- in.DeepCopyInto(out)
- return out
-}
-
-// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
-func (in *OIDCClient) DeepCopyObject() runtime.Object {
- if c := in.DeepCopy(); c != nil {
- return c
- }
- return nil
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *OIDCClientList) DeepCopyInto(out *OIDCClientList) {
- *out = *in
- out.TypeMeta = in.TypeMeta
- in.ListMeta.DeepCopyInto(&out.ListMeta)
- if in.Items != nil {
- in, out := &in.Items, &out.Items
- *out = make([]OIDCClient, len(*in))
- for i := range *in {
- (*in)[i].DeepCopyInto(&(*out)[i])
- }
- }
- return
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientList.
-func (in *OIDCClientList) DeepCopy() *OIDCClientList {
- if in == nil {
- return nil
- }
- out := new(OIDCClientList)
- in.DeepCopyInto(out)
- return out
-}
-
-// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. 
-func (in *OIDCClientList) DeepCopyObject() runtime.Object {
- if c := in.DeepCopy(); c != nil {
- return c
- }
- return nil
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *OIDCClientSpec) DeepCopyInto(out *OIDCClientSpec) {
- *out = *in
- if in.AllowedRedirectURIs != nil {
- in, out := &in.AllowedRedirectURIs, &out.AllowedRedirectURIs
- *out = make([]string, len(*in))
- copy(*out, *in)
- }
- if in.AllowedGrantTypes != nil {
- in, out := &in.AllowedGrantTypes, &out.AllowedGrantTypes
- *out = make([]GrantType, len(*in))
- copy(*out, *in)
- }
- if in.AllowedScopes != nil {
- in, out := &in.AllowedScopes, &out.AllowedScopes
- *out = make([]Scope, len(*in))
- copy(*out, *in)
- }
- return
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSpec.
-func (in *OIDCClientSpec) DeepCopy() *OIDCClientSpec {
- if in == nil {
- return nil
- }
- out := new(OIDCClientSpec)
- in.DeepCopyInto(out)
- return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *OIDCClientStatus) DeepCopyInto(out *OIDCClientStatus) {
- *out = *in
- return
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientStatus.
-func (in *OIDCClientStatus) DeepCopy() *OIDCClientStatus {
- if in == nil {
- return nil
- }
- out := new(OIDCClientStatus)
- in.DeepCopyInto(out)
- return out
-}
diff --git a/generated/1.21/client/supervisor/clientset/versioned/clientset.go b/generated/1.21/client/supervisor/clientset/versioned/clientset.go
index 23d76422..aa52f6ae 100644
--- a/generated/1.21/client/supervisor/clientset/versioned/clientset.go
+++ b/generated/1.21/client/supervisor/clientset/versioned/clientset.go
@@ -10,7 +10,6 @@ import (
 configv1alpha1 "go.pinniped.dev/generated/1.21/client/supervisor/clientset/versioned/typed/config/v1alpha1"
 idpv1alpha1 "go.pinniped.dev/generated/1.21/client/supervisor/clientset/versioned/typed/idp/v1alpha1"
- oauthv1alpha1 "go.pinniped.dev/generated/1.21/client/supervisor/clientset/versioned/typed/oauth/v1alpha1"
 discovery "k8s.io/client-go/discovery"
 rest "k8s.io/client-go/rest"
 flowcontrol "k8s.io/client-go/util/flowcontrol"
@@ -20,7 +19,6 @@ type Interface interface {
 Discovery() discovery.DiscoveryInterface
 ConfigV1alpha1() configv1alpha1.ConfigV1alpha1Interface
 IDPV1alpha1() idpv1alpha1.IDPV1alpha1Interface
- OauthV1alpha1() oauthv1alpha1.OauthV1alpha1Interface
 }
 // Clientset contains the clients for groups. Each group has exactly one
@@ -29,7 +27,6 @@ type Clientset struct {
 *discovery.DiscoveryClient
 configV1alpha1 *configv1alpha1.ConfigV1alpha1Client
 iDPV1alpha1 *idpv1alpha1.IDPV1alpha1Client
- oauthV1alpha1 *oauthv1alpha1.OauthV1alpha1Client
 }
 // ConfigV1alpha1 retrieves the ConfigV1alpha1Client
@@ -42,11 +39,6 @@ func (c *Clientset) IDPV1alpha1() idpv1alpha1.IDPV1alpha1Interface {
 return c.iDPV1alpha1
 }
-// OauthV1alpha1 retrieves the OauthV1alpha1Client
-func (c *Clientset) OauthV1alpha1() oauthv1alpha1.OauthV1alpha1Interface {
- return c.oauthV1alpha1
-}
-
 // Discovery retrieves the DiscoveryClient
 func (c *Clientset) Discovery() discovery.DiscoveryInterface {
 if c == nil {
@@ -76,10 +68,6 @@ func NewForConfig(c *rest.Config) (*Clientset, error) {
 if err != nil {
 return nil, err
 }
- cs.oauthV1alpha1, err = oauthv1alpha1.NewForConfig(&configShallowCopy)
- if err != nil {
- return nil, err
- }
 cs.DiscoveryClient, err = discovery.NewDiscoveryClientForConfig(&configShallowCopy)
 if err != nil {
@@ -94,7 +82,6 @@ func NewForConfigOrDie(c *rest.Config) *Clientset {
 var cs Clientset
 cs.configV1alpha1 = configv1alpha1.NewForConfigOrDie(c)
 cs.iDPV1alpha1 = idpv1alpha1.NewForConfigOrDie(c)
- cs.oauthV1alpha1 = oauthv1alpha1.NewForConfigOrDie(c)
 cs.DiscoveryClient = discovery.NewDiscoveryClientForConfigOrDie(c)
 return &cs
@@ -105,7 +92,6 @@ func New(c rest.Interface) *Clientset {
 var cs Clientset
 cs.configV1alpha1 = configv1alpha1.New(c)
 cs.iDPV1alpha1 = idpv1alpha1.New(c)
- cs.oauthV1alpha1 = oauthv1alpha1.New(c)
 cs.DiscoveryClient = discovery.NewDiscoveryClient(c)
 return &cs
diff --git a/generated/1.21/client/supervisor/clientset/versioned/fake/clientset_generated.go b/generated/1.21/client/supervisor/clientset/versioned/fake/clientset_generated.go
index 6a40aa3e..31bf30c1 100644
--- a/generated/1.21/client/supervisor/clientset/versioned/fake/clientset_generated.go
+++ b/generated/1.21/client/supervisor/clientset/versioned/fake/clientset_generated.go
@@ -11,8 +11,6 @@ import (
 fakeconfigv1alpha1 "go.pinniped.dev/generated/1.21/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake"
 idpv1alpha1 "go.pinniped.dev/generated/1.21/client/supervisor/clientset/versioned/typed/idp/v1alpha1"
 fakeidpv1alpha1 "go.pinniped.dev/generated/1.21/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake"
- oauthv1alpha1 "go.pinniped.dev/generated/1.21/client/supervisor/clientset/versioned/typed/oauth/v1alpha1"
- fakeoauthv1alpha1 "go.pinniped.dev/generated/1.21/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake"
 "k8s.io/apimachinery/pkg/runtime"
 "k8s.io/apimachinery/pkg/watch"
 "k8s.io/client-go/discovery"
@@ -76,8 +74,3 @@ func (c *Clientset) ConfigV1alpha1() configv1alpha1.ConfigV1alpha1Interface {
 func (c *Clientset) IDPV1alpha1() idpv1alpha1.IDPV1alpha1Interface {
 return &fakeidpv1alpha1.FakeIDPV1alpha1{Fake: &c.Fake}
 }
-
-// OauthV1alpha1 retrieves the OauthV1alpha1Client
-func (c *Clientset) OauthV1alpha1() oauthv1alpha1.OauthV1alpha1Interface {
- return &fakeoauthv1alpha1.FakeOauthV1alpha1{Fake: &c.Fake}
-}
diff --git a/generated/1.21/client/supervisor/clientset/versioned/fake/register.go b/generated/1.21/client/supervisor/clientset/versioned/fake/register.go
index 8fb2f241..3a9d6a18 100644
--- a/generated/1.21/client/supervisor/clientset/versioned/fake/register.go
+++ b/generated/1.21/client/supervisor/clientset/versioned/fake/register.go
@@ -8,7 +8,6 @@ package fake
 import (
 configv1alpha1 "go.pinniped.dev/generated/1.21/apis/supervisor/config/v1alpha1"
 idpv1alpha1 "go.pinniped.dev/generated/1.21/apis/supervisor/idp/v1alpha1"
- oauthv1alpha1 "go.pinniped.dev/generated/1.21/apis/supervisor/oauth/v1alpha1"
 v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 runtime "k8s.io/apimachinery/pkg/runtime"
 schema "k8s.io/apimachinery/pkg/runtime/schema"
@@ -22,7 +21,6 @@ var codecs = serializer.NewCodecFactory(scheme)
 var localSchemeBuilder = runtime.SchemeBuilder{
 configv1alpha1.AddToScheme,
 idpv1alpha1.AddToScheme,
- oauthv1alpha1.AddToScheme,
 }
 // AddToScheme adds all types of this clientset into the given scheme. This allows composition
diff --git a/generated/1.21/client/supervisor/clientset/versioned/scheme/register.go b/generated/1.21/client/supervisor/clientset/versioned/scheme/register.go
index ca3c854a..0629cdd4 100644
--- a/generated/1.21/client/supervisor/clientset/versioned/scheme/register.go
+++ b/generated/1.21/client/supervisor/clientset/versioned/scheme/register.go
@@ -8,7 +8,6 @@ package scheme
 import (
 configv1alpha1 "go.pinniped.dev/generated/1.21/apis/supervisor/config/v1alpha1"
 idpv1alpha1 "go.pinniped.dev/generated/1.21/apis/supervisor/idp/v1alpha1"
- oauthv1alpha1 "go.pinniped.dev/generated/1.21/apis/supervisor/oauth/v1alpha1"
 v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 runtime "k8s.io/apimachinery/pkg/runtime"
 schema "k8s.io/apimachinery/pkg/runtime/schema"
@@ -22,7 +21,6 @@ var ParameterCodec = runtime.NewParameterCodec(Scheme)
 var localSchemeBuilder = runtime.SchemeBuilder{
 configv1alpha1.AddToScheme,
 idpv1alpha1.AddToScheme,
- oauthv1alpha1.AddToScheme,
 }
 // AddToScheme adds all types of this clientset into the given scheme. This allows composition
diff --git a/generated/1.21/client/supervisor/clientset/versioned/typed/config/v1alpha1/config_client.go b/generated/1.21/client/supervisor/clientset/versioned/typed/config/v1alpha1/config_client.go
index cdfc9c9a..d2b845f9 100644
--- a/generated/1.21/client/supervisor/clientset/versioned/typed/config/v1alpha1/config_client.go
+++ b/generated/1.21/client/supervisor/clientset/versioned/typed/config/v1alpha1/config_client.go
@@ -14,6 +14,7 @@ import (
 type ConfigV1alpha1Interface interface {
 RESTClient() rest.Interface
 FederationDomainsGetter
+ OIDCClientsGetter
 }
 // ConfigV1alpha1Client is used to interact with features provided by the config.supervisor.pinniped.dev group.
@@ -25,6 +26,10 @@ func (c *ConfigV1alpha1Client) FederationDomains(namespace string) FederationDom
 return newFederationDomains(c, namespace)
 }
+func (c *ConfigV1alpha1Client) OIDCClients(namespace string) OIDCClientInterface {
+ return newOIDCClients(c, namespace)
+}
+
 // NewForConfig creates a new ConfigV1alpha1Client for the given config.
 func NewForConfig(c *rest.Config) (*ConfigV1alpha1Client, error) {
 config := *c
diff --git a/generated/1.21/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake/fake_config_client.go b/generated/1.21/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake/fake_config_client.go
index 8bf53fea..d8bf41b3 100644
--- a/generated/1.21/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake/fake_config_client.go
+++ b/generated/1.21/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake/fake_config_client.go
@@ -19,6 +19,10 @@ func (c *FakeConfigV1alpha1) FederationDomains(namespace string) v1alpha1.Federa
 return &FakeFederationDomains{c, namespace}
 }
+func (c *FakeConfigV1alpha1) OIDCClients(namespace string) v1alpha1.OIDCClientInterface {
+ return &FakeOIDCClients{c, namespace}
+}
+
 // RESTClient returns a RESTClient that is used to communicate
 // with API server by this client implementation.
 func (c *FakeConfigV1alpha1) RESTClient() rest.Interface {
diff --git a/generated/1.19/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oidcclient.go b/generated/1.21/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake/fake_oidcclient.go
similarity index 92%
rename from generated/1.19/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oidcclient.go
rename to generated/1.21/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake/fake_oidcclient.go
index 078ab176..7dbc152b 100644
--- a/generated/1.19/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oidcclient.go
+++ b/generated/1.21/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake/fake_oidcclient.go
@@ -8,7 +8,7 @@ package fake
 import (
 "context"
- v1alpha1 "go.pinniped.dev/generated/1.19/apis/supervisor/oauth/v1alpha1"
+ v1alpha1 "go.pinniped.dev/generated/1.21/apis/supervisor/config/v1alpha1"
 v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 labels "k8s.io/apimachinery/pkg/labels"
 schema "k8s.io/apimachinery/pkg/runtime/schema"
@@ -19,13 +19,13 @@ import (
 // FakeOIDCClients implements OIDCClientInterface
 type FakeOIDCClients struct {
- Fake *FakeOauthV1alpha1
+ Fake *FakeConfigV1alpha1
 ns string
 }
-var oidcclientsResource = schema.GroupVersionResource{Group: "oauth.supervisor.pinniped.dev", Version: "v1alpha1", Resource: "oidcclients"}
+var oidcclientsResource = schema.GroupVersionResource{Group: "config.supervisor.pinniped.dev", Version: "v1alpha1", Resource: "oidcclients"}
-var oidcclientsKind = schema.GroupVersionKind{Group: "oauth.supervisor.pinniped.dev", Version: "v1alpha1", Kind: "OIDCClient"}
+var oidcclientsKind = schema.GroupVersionKind{Group: "config.supervisor.pinniped.dev", Version: "v1alpha1", Kind: "OIDCClient"}
 // Get takes name of the oIDCClient, and returns the corresponding oIDCClient object, and an error if there is any.
 func (c *FakeOIDCClients) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.OIDCClient, err error) {
diff --git a/generated/1.21/client/supervisor/clientset/versioned/typed/config/v1alpha1/generated_expansion.go b/generated/1.21/client/supervisor/clientset/versioned/typed/config/v1alpha1/generated_expansion.go
index ba9c9173..35b9ee3d 100644
--- a/generated/1.21/client/supervisor/clientset/versioned/typed/config/v1alpha1/generated_expansion.go
+++ b/generated/1.21/client/supervisor/clientset/versioned/typed/config/v1alpha1/generated_expansion.go
@@ -6,3 +6,5 @@ package v1alpha1
 type FederationDomainExpansion interface{}
+
+type OIDCClientExpansion interface{}
diff --git a/generated/1.21/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oidcclient.go b/generated/1.21/client/supervisor/clientset/versioned/typed/config/v1alpha1/oidcclient.go
similarity index 97%
rename from generated/1.21/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oidcclient.go
rename to generated/1.21/client/supervisor/clientset/versioned/typed/config/v1alpha1/oidcclient.go
index c7e2f82b..10f97b4f 100644
--- a/generated/1.21/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oidcclient.go
+++ b/generated/1.21/client/supervisor/clientset/versioned/typed/config/v1alpha1/oidcclient.go
@@ -9,7 +9,7 @@ import (
 "context"
 "time"
- v1alpha1 "go.pinniped.dev/generated/1.21/apis/supervisor/oauth/v1alpha1"
+ v1alpha1 "go.pinniped.dev/generated/1.21/apis/supervisor/config/v1alpha1"
 scheme "go.pinniped.dev/generated/1.21/client/supervisor/clientset/versioned/scheme"
 v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 types "k8s.io/apimachinery/pkg/types"
@@ -44,7 +44,7 @@ type oIDCClients struct {
 }
 // newOIDCClients returns a OIDCClients
-func newOIDCClients(c *OauthV1alpha1Client, namespace string) *oIDCClients {
+func newOIDCClients(c *ConfigV1alpha1Client, namespace string) *oIDCClients {
 return &oIDCClients{
 client: c.RESTClient(),
 ns: namespace,
diff --git a/generated/1.21/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/doc.go b/generated/1.21/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/doc.go
deleted file mode 100644
index e7a470b6..00000000
--- a/generated/1.21/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/doc.go
+++ /dev/null
@@ -1,7 +0,0 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
-// SPDX-License-Identifier: Apache-2.0
-
-// Code generated by client-gen. DO NOT EDIT.
-
-// This package has the automatically generated typed clients.
-package v1alpha1
diff --git a/generated/1.21/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go b/generated/1.21/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go
deleted file mode 100644
index 7906901b..00000000
--- a/generated/1.21/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go
+++ /dev/null
@@ -1,7 +0,0 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
-// SPDX-License-Identifier: Apache-2.0
-
-// Code generated by client-gen. DO NOT EDIT.
-
-// Package fake has the automatically generated clients.
-package fake
diff --git a/generated/1.21/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go b/generated/1.21/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go
deleted file mode 100644
index 8e56072b..00000000
--- a/generated/1.21/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go
+++ /dev/null
@@ -1,27 +0,0 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
-// SPDX-License-Identifier: Apache-2.0
-
-// Code generated by client-gen. DO NOT EDIT.
-
-package fake
-
-import (
- v1alpha1 "go.pinniped.dev/generated/1.21/client/supervisor/clientset/versioned/typed/oauth/v1alpha1"
- rest "k8s.io/client-go/rest"
- testing "k8s.io/client-go/testing"
-)
-
-type FakeOauthV1alpha1 struct {
- *testing.Fake
-}
-
-func (c *FakeOauthV1alpha1) OIDCClients(namespace string) v1alpha1.OIDCClientInterface {
- return &FakeOIDCClients{c, namespace}
-}
-
-// RESTClient returns a RESTClient that is used to communicate
-// with API server by this client implementation.
-func (c *FakeOauthV1alpha1) RESTClient() rest.Interface {
- var ret *rest.RESTClient
- return ret
-}
diff --git a/generated/1.21/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go b/generated/1.21/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go
deleted file mode 100644
index 87d22ea9..00000000
--- a/generated/1.21/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go
+++ /dev/null
@@ -1,8 +0,0 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
-// SPDX-License-Identifier: Apache-2.0
-
-// Code generated by client-gen. DO NOT EDIT.
-
-package v1alpha1
-
-type OIDCClientExpansion interface{}
diff --git a/generated/1.21/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go b/generated/1.21/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go
deleted file mode 100644
index 259f1b10..00000000
--- a/generated/1.21/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go
+++ /dev/null
@@ -1,76 +0,0 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
-// SPDX-License-Identifier: Apache-2.0
-
-// Code generated by client-gen. DO NOT EDIT.
-
-package v1alpha1
-
-import (
- v1alpha1 "go.pinniped.dev/generated/1.21/apis/supervisor/oauth/v1alpha1"
- "go.pinniped.dev/generated/1.21/client/supervisor/clientset/versioned/scheme"
- rest "k8s.io/client-go/rest"
-)
-
-type OauthV1alpha1Interface interface {
- RESTClient() rest.Interface
- OIDCClientsGetter
-}
-
-// OauthV1alpha1Client is used to interact with features provided by the oauth.supervisor.pinniped.dev group.
-type OauthV1alpha1Client struct {
- restClient rest.Interface
-}
-
-func (c *OauthV1alpha1Client) OIDCClients(namespace string) OIDCClientInterface {
- return newOIDCClients(c, namespace)
-}
-
-// NewForConfig creates a new OauthV1alpha1Client for the given config.
-func NewForConfig(c *rest.Config) (*OauthV1alpha1Client, error) {
- config := *c
- if err := setConfigDefaults(&config); err != nil {
- return nil, err
- }
- client, err := rest.RESTClientFor(&config)
- if err != nil {
- return nil, err
- }
- return &OauthV1alpha1Client{client}, nil
-}
-
-// NewForConfigOrDie creates a new OauthV1alpha1Client for the given config and
-// panics if there is an error in the config.
-func NewForConfigOrDie(c *rest.Config) *OauthV1alpha1Client {
- client, err := NewForConfig(c)
- if err != nil {
- panic(err)
- }
- return client
-}
-
-// New creates a new OauthV1alpha1Client for the given RESTClient. 
-func New(c rest.Interface) *OauthV1alpha1Client {
- return &OauthV1alpha1Client{c}
-}
-
-func setConfigDefaults(config *rest.Config) error {
- gv := v1alpha1.SchemeGroupVersion
- config.GroupVersion = &gv
- config.APIPath = "/apis"
- config.NegotiatedSerializer = scheme.Codecs.WithoutConversion()
-
- if config.UserAgent == "" {
- config.UserAgent = rest.DefaultKubernetesUserAgent()
- }
-
- return nil
-}
-
-// RESTClient returns a RESTClient that is used to communicate
-// with API server by this client implementation.
-func (c *OauthV1alpha1Client) RESTClient() rest.Interface {
- if c == nil {
- return nil
- }
- return c.restClient
-}
diff --git a/generated/1.21/client/supervisor/informers/externalversions/config/v1alpha1/interface.go b/generated/1.21/client/supervisor/informers/externalversions/config/v1alpha1/interface.go
index e678f3e3..e3cf746d 100644
--- a/generated/1.21/client/supervisor/informers/externalversions/config/v1alpha1/interface.go
+++ b/generated/1.21/client/supervisor/informers/externalversions/config/v1alpha1/interface.go
@@ -13,6 +13,8 @@ import (
 type Interface interface {
 // FederationDomains returns a FederationDomainInformer.
 FederationDomains() FederationDomainInformer
+ // OIDCClients returns a OIDCClientInformer.
+ OIDCClients() OIDCClientInformer
 }
 type version struct {
@@ -30,3 +32,8 @@ func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakList
 func (v *version) FederationDomains() FederationDomainInformer {
 return &federationDomainInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions}
 }
+
+// OIDCClients returns a OIDCClientInformer.
+func (v *version) OIDCClients() OIDCClientInformer {
+ return &oIDCClientInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions}
+}
diff --git a/generated/1.21/client/supervisor/informers/externalversions/oauth/v1alpha1/oidcclient.go b/generated/1.21/client/supervisor/informers/externalversions/config/v1alpha1/oidcclient.go
similarity index 88%
rename from generated/1.21/client/supervisor/informers/externalversions/oauth/v1alpha1/oidcclient.go
rename to generated/1.21/client/supervisor/informers/externalversions/config/v1alpha1/oidcclient.go
index f56b83db..dda5d6d3 100644
--- a/generated/1.21/client/supervisor/informers/externalversions/oauth/v1alpha1/oidcclient.go
+++ b/generated/1.21/client/supervisor/informers/externalversions/config/v1alpha1/oidcclient.go
@@ -9,10 +9,10 @@ import (
 "context"
 time "time"
- oauthv1alpha1 "go.pinniped.dev/generated/1.21/apis/supervisor/oauth/v1alpha1"
+ configv1alpha1 "go.pinniped.dev/generated/1.21/apis/supervisor/config/v1alpha1"
 versioned "go.pinniped.dev/generated/1.21/client/supervisor/clientset/versioned"
 internalinterfaces "go.pinniped.dev/generated/1.21/client/supervisor/informers/externalversions/internalinterfaces"
- v1alpha1 "go.pinniped.dev/generated/1.21/client/supervisor/listers/oauth/v1alpha1"
+ v1alpha1 "go.pinniped.dev/generated/1.21/client/supervisor/listers/config/v1alpha1"
 v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 runtime "k8s.io/apimachinery/pkg/runtime"
 watch "k8s.io/apimachinery/pkg/watch"
@@ -49,16 +49,16 @@ func NewFilteredOIDCClientInformer(client versioned.Interface, namespace string, if tweakListOptions != nil { tweakListOptions(&options) } - return client.OauthV1alpha1().OIDCClients(namespace).List(context.TODO(), options) + return client.ConfigV1alpha1().OIDCClients(namespace).List(context.TODO(), options) }, WatchFunc: func(options v1.ListOptions) (watch.Interface, error) { if tweakListOptions != nil { tweakListOptions(&options) } - return client.OauthV1alpha1().OIDCClients(namespace).Watch(context.TODO(), options) + return client.ConfigV1alpha1().OIDCClients(namespace).Watch(context.TODO(), options) }, }, - &oauthv1alpha1.OIDCClient{}, + &configv1alpha1.OIDCClient{}, resyncPeriod, indexers, ) @@ -69,7 +69,7 @@ func (f *oIDCClientInformer) defaultInformer(client versioned.Interface, resyncP } func (f *oIDCClientInformer) Informer() cache.SharedIndexInformer { - return f.factory.InformerFor(&oauthv1alpha1.OIDCClient{}, f.defaultInformer) + return f.factory.InformerFor(&configv1alpha1.OIDCClient{}, f.defaultInformer) } func (f *oIDCClientInformer) Lister() v1alpha1.OIDCClientLister { diff --git a/generated/1.21/client/supervisor/informers/externalversions/factory.go b/generated/1.21/client/supervisor/informers/externalversions/factory.go index 5f2301a2..09200fa1 100644 --- a/generated/1.21/client/supervisor/informers/externalversions/factory.go +++ b/generated/1.21/client/supervisor/informers/externalversions/factory.go 
@@ -14,7 +14,6 @@ import ( config "go.pinniped.dev/generated/1.21/client/supervisor/informers/externalversions/config" idp "go.pinniped.dev/generated/1.21/client/supervisor/informers/externalversions/idp" internalinterfaces "go.pinniped.dev/generated/1.21/client/supervisor/informers/externalversions/internalinterfaces" - oauth "go.pinniped.dev/generated/1.21/client/supervisor/informers/externalversions/oauth" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" runtime "k8s.io/apimachinery/pkg/runtime" schema "k8s.io/apimachinery/pkg/runtime/schema" @@ -163,7 +162,6 @@ type SharedInformerFactory interface { Config() config.Interface IDP() idp.Interface - Oauth() oauth.Interface } func (f *sharedInformerFactory) Config() config.Interface { @@ -173,7 +171,3 @@ func (f *sharedInformerFactory) Config() config.Interface { func (f *sharedInformerFactory) IDP() idp.Interface { return idp.New(f, f.namespace, f.tweakListOptions) } - -func (f *sharedInformerFactory) Oauth() oauth.Interface { - return oauth.New(f, f.namespace, f.tweakListOptions) -} diff --git a/generated/1.21/client/supervisor/informers/externalversions/generic.go b/generated/1.21/client/supervisor/informers/externalversions/generic.go index d08e96cf..7ea48934 100644 --- a/generated/1.21/client/supervisor/informers/externalversions/generic.go +++ b/generated/1.21/client/supervisor/informers/externalversions/generic.go @@ -10,7 +10,6 @@ import ( v1alpha1 "go.pinniped.dev/generated/1.21/apis/supervisor/config/v1alpha1" idpv1alpha1 "go.pinniped.dev/generated/1.21/apis/supervisor/idp/v1alpha1" - oauthv1alpha1 "go.pinniped.dev/generated/1.21/apis/supervisor/oauth/v1alpha1" schema "k8s.io/apimachinery/pkg/runtime/schema" cache "k8s.io/client-go/tools/cache" ) 
@@ -44,6 +43,8 @@ func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource // Group=config.supervisor.pinniped.dev, Version=v1alpha1 case v1alpha1.SchemeGroupVersion.WithResource("federationdomains"): return &genericInformer{resource: resource.GroupResource(), informer: f.Config().V1alpha1().FederationDomains().Informer()}, nil + case v1alpha1.SchemeGroupVersion.WithResource("oidcclients"): + return &genericInformer{resource: resource.GroupResource(), informer: f.Config().V1alpha1().OIDCClients().Informer()}, nil // Group=idp.supervisor.pinniped.dev, Version=v1alpha1 case idpv1alpha1.SchemeGroupVersion.WithResource("activedirectoryidentityproviders"): @@ -53,10 +54,6 @@ func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource case idpv1alpha1.SchemeGroupVersion.WithResource("oidcidentityproviders"): return &genericInformer{resource: resource.GroupResource(), informer: f.IDP().V1alpha1().OIDCIdentityProviders().Informer()}, nil - // Group=oauth.supervisor.pinniped.dev, Version=v1alpha1 - case oauthv1alpha1.SchemeGroupVersion.WithResource("oidcclients"): - return &genericInformer{resource: resource.GroupResource(), informer: f.Oauth().V1alpha1().OIDCClients().Informer()}, nil - } return nil, fmt.Errorf("no informer found for %v", resource) diff --git a/generated/1.21/client/supervisor/informers/externalversions/oauth/interface.go b/generated/1.21/client/supervisor/informers/externalversions/oauth/interface.go deleted file mode 100644 index d734d0d3..00000000 --- a/generated/1.21/client/supervisor/informers/externalversions/oauth/interface.go +++ /dev/null 
@@ -1,33 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by informer-gen. DO NOT EDIT. - -package oauth - -import ( - internalinterfaces "go.pinniped.dev/generated/1.21/client/supervisor/informers/externalversions/internalinterfaces" - v1alpha1 "go.pinniped.dev/generated/1.21/client/supervisor/informers/externalversions/oauth/v1alpha1" -) - -// Interface provides access to each of this group's versions. -type Interface interface { - // V1alpha1 provides access to shared informers for resources in V1alpha1. - V1alpha1() v1alpha1.Interface -} - -type group struct { - factory internalinterfaces.SharedInformerFactory - namespace string - tweakListOptions internalinterfaces.TweakListOptionsFunc -} - -// New returns a new Interface. -func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakListOptions internalinterfaces.TweakListOptionsFunc) Interface { - return &group{factory: f, namespace: namespace, tweakListOptions: tweakListOptions} -} - -// V1alpha1 returns a new v1alpha1.Interface. -func (g *group) V1alpha1() v1alpha1.Interface { - return v1alpha1.New(g.factory, g.namespace, g.tweakListOptions) -} diff --git a/generated/1.21/client/supervisor/informers/externalversions/oauth/v1alpha1/interface.go b/generated/1.21/client/supervisor/informers/externalversions/oauth/v1alpha1/interface.go deleted file mode 100644 index 05ad0a58..00000000 --- a/generated/1.21/client/supervisor/informers/externalversions/oauth/v1alpha1/interface.go +++ /dev/null 
@@ -1,32 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by informer-gen. DO NOT EDIT. - -package v1alpha1 - -import ( - internalinterfaces "go.pinniped.dev/generated/1.21/client/supervisor/informers/externalversions/internalinterfaces" -) - -// Interface provides access to all the informers in this group version. -type Interface interface { - // OIDCClients returns a OIDCClientInformer. - OIDCClients() OIDCClientInformer -} - -type version struct { - factory internalinterfaces.SharedInformerFactory - namespace string - tweakListOptions internalinterfaces.TweakListOptionsFunc -} - -// New returns a new Interface. -func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakListOptions internalinterfaces.TweakListOptionsFunc) Interface { - return &version{factory: f, namespace: namespace, tweakListOptions: tweakListOptions} -} - -// OIDCClients returns a OIDCClientInformer. -func (v *version) OIDCClients() OIDCClientInformer { - return &oIDCClientInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions} -} diff --git a/generated/1.21/client/supervisor/listers/config/v1alpha1/expansion_generated.go b/generated/1.21/client/supervisor/listers/config/v1alpha1/expansion_generated.go index d59892c4..bda2f20e 100644 --- a/generated/1.21/client/supervisor/listers/config/v1alpha1/expansion_generated.go +++ b/generated/1.21/client/supervisor/listers/config/v1alpha1/expansion_generated.go 
@@ -12,3 +12,11 @@ type FederationDomainListerExpansion interface{} // FederationDomainNamespaceListerExpansion allows custom methods to be added to // FederationDomainNamespaceLister. type FederationDomainNamespaceListerExpansion interface{} + +// OIDCClientListerExpansion allows custom methods to be added to +// OIDCClientLister. +type OIDCClientListerExpansion interface{} + +// OIDCClientNamespaceListerExpansion allows custom methods to be added to +// OIDCClientNamespaceLister. +type OIDCClientNamespaceListerExpansion interface{} diff --git a/generated/1.20/client/supervisor/listers/oauth/v1alpha1/oidcclient.go b/generated/1.21/client/supervisor/listers/config/v1alpha1/oidcclient.go similarity index 97% rename from generated/1.20/client/supervisor/listers/oauth/v1alpha1/oidcclient.go rename to generated/1.21/client/supervisor/listers/config/v1alpha1/oidcclient.go index 9cb0fe48..72abf61d 100644 --- a/generated/1.20/client/supervisor/listers/oauth/v1alpha1/oidcclient.go +++ b/generated/1.21/client/supervisor/listers/config/v1alpha1/oidcclient.go @@ -6,7 +6,7 @@ package v1alpha1 import ( - v1alpha1 "go.pinniped.dev/generated/1.20/apis/supervisor/oauth/v1alpha1" + v1alpha1 "go.pinniped.dev/generated/1.21/apis/supervisor/config/v1alpha1" "k8s.io/apimachinery/pkg/api/errors" "k8s.io/apimachinery/pkg/labels" "k8s.io/client-go/tools/cache" diff --git a/generated/1.21/client/supervisor/listers/oauth/v1alpha1/expansion_generated.go b/generated/1.21/client/supervisor/listers/oauth/v1alpha1/expansion_generated.go deleted file mode 100644 index c19310da..00000000 --- a/generated/1.21/client/supervisor/listers/oauth/v1alpha1/expansion_generated.go +++ /dev/null 
@@ -1,14 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by lister-gen. DO NOT EDIT. - -package v1alpha1 - -// OIDCClientListerExpansion allows custom methods to be added to -// OIDCClientLister. -type OIDCClientListerExpansion interface{} - -// OIDCClientNamespaceListerExpansion allows custom methods to be added to -// OIDCClientNamespaceLister. -type OIDCClientNamespaceListerExpansion interface{} diff --git a/generated/1.21/crds/config.supervisor.pinniped.dev_oidcclients.yaml b/generated/1.21/crds/config.supervisor.pinniped.dev_oidcclients.yaml new file mode 100644 index 00000000..4efa445e --- /dev/null +++ b/generated/1.21/crds/config.supervisor.pinniped.dev_oidcclients.yaml 
@@ -0,0 +1,125 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.8.0 + creationTimestamp: null + name: oidcclients.config.supervisor.pinniped.dev +spec: + group: config.supervisor.pinniped.dev + names: + categories: + - pinniped + kind: OIDCClient + listKind: OIDCClientList + plural: oidcclients + singular: oidcclient + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: OIDCClient describes the configuration of an OIDC client. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec of the OIDC client. + properties: + allowedGrantTypes: + description: "allowedGrantTypes is a list of the allowed grant_type + param values that should be accepted during OIDC flows with this + client. \n Must only contain the following values: - authorization_code: + allows the client to perform the authorization code grant flow, + i.e. allows the webapp to authenticate users. This grant must always + be listed. - refresh_token: allows the client to perform refresh + grants for the user to extend the user's session. This grant must + be listed if allowedScopes lists offline_access. 
- urn:ietf:params:oauth:grant-type:token-exchange: + allows the client to perform RFC8693 token exchange, which is a + step in the process to be able to get a cluster credential for the + user. This grant must be listed if allowedScopes lists pinniped:request-audience." + items: + enum: + - authorization_code + - refresh_token + - urn:ietf:params:oauth:grant-type:token-exchange + type: string + minItems: 1 + type: array + allowedRedirectURIs: + description: allowedRedirectURIs is a list of the allowed redirect_uri + param values that should be accepted during OIDC flows with this + client. Any other uris will be rejected. Must be https, unless it + is a loopback. + items: + type: string + minItems: 1 + type: array + allowedScopes: + description: "allowedScopes is a list of the allowed scopes param + values that should be accepted during OIDC flows with this client. + \n Must only contain the following values: - openid: The client + is allowed to request ID tokens. ID tokens only include the required + claims by default (iss, sub, aud, exp, iat). This scope must always + be listed. - offline_access: The client is allowed to request an + initial refresh token during the authorization code grant flow. + This scope must be listed if allowedGrantTypes lists refresh_token. + - pinniped:request-audience: The client is allowed to request a + new audience value during a RFC8693 token exchange, which is a step + in the process to be able to get a cluster credential for the user. + openid, username and groups scopes must be listed when this scope + is present. This scope must be listed if allowedGrantTypes lists + urn:ietf:params:oauth:grant-type:token-exchange. - username: The + client is allowed to request that ID tokens contain the user's username. + Without the username scope being requested and allowed, the ID token + will not contain the user's username. 
- groups: The client is allowed + to request that ID tokens contain the user's group membership, if + their group membership is discoverable by the Supervisor. Without + the groups scope being requested and allowed, the ID token will + not contain groups." + items: + enum: + - openid + - offline_access + - username + - groups + - pinniped:request-audience + type: string + minItems: 1 + type: array + required: + - allowedGrantTypes + - allowedRedirectURIs + - allowedScopes + type: object + status: + description: Status of the OIDC client. + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/generated/1.21/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml b/generated/1.21/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml deleted file mode 100644 index 589a9154..00000000 --- a/generated/1.21/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml +++ /dev/null 
@@ -1,125 +0,0 @@ ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.8.0 - creationTimestamp: null - name: oidcclients.oauth.supervisor.pinniped.dev -spec: - group: oauth.supervisor.pinniped.dev - names: - categories: - - pinniped - kind: OIDCClient - listKind: OIDCClientList - plural: oidcclients - singular: oidcclient - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - description: OIDCClient describes the configuration of an OIDC client. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: Spec of the OIDC client. - properties: - allowedGrantTypes: - description: "allowedGrantTypes is a list of the allowed grant_type - param values that should be accepted during OIDC flows with this - client. \n Must only contain the following values: - authorization_code: - allows the client to perform the authorization code grant flow, - i.e. allows the webapp to authenticate users. This grant must always - be listed. - refresh_token: allows the client to perform refresh - grants for the user to extend the user's session. This grant must - be listed if allowedScopes lists offline_access. 
- urn:ietf:params:oauth:grant-type:token-exchange: - allows the client to perform RFC8693 token exchange, which is a - step in the process to be able to get a cluster credential for the - user. This grant must be listed if allowedScopes lists pinniped:request-audience." - items: - enum: - - authorization_code - - refresh_token - - urn:ietf:params:oauth:grant-type:token-exchange - type: string - minItems: 1 - type: array - allowedRedirectURIs: - description: allowedRedirectURIs is a list of the allowed redirect_uri - param values that should be accepted during OIDC flows with this - client. Any other uris will be rejected. Must be https, unless it - is a loopback. - items: - type: string - minItems: 1 - type: array - allowedScopes: - description: "allowedScopes is a list of the allowed scopes param - values that should be accepted during OIDC flows with this client. - \n Must only contain the following values: - openid: The client - is allowed to request ID tokens. ID tokens only include the required - claims by default (iss, sub, aud, exp, iat). This scope must always - be listed. - offline_access: The client is allowed to request an - initial refresh token during the authorization code grant flow. - This scope must be listed if allowedGrantTypes lists refresh_token. - - pinniped:request-audience: The client is allowed to request a - new audience value during a RFC8693 token exchange, which is a step - in the process to be able to get a cluster credential for the user. - openid, username and groups scopes must be listed when this scope - is present. This scope must be listed if allowedGrantTypes lists - urn:ietf:params:oauth:grant-type:token-exchange. - username: The - client is allowed to request that ID tokens contain the user's username. - Without the username scope being requested and allowed, the ID token - will not contain the user's username. 
- groups: The client is allowed - to request that ID tokens contain the user's group membership, if - their group membership is discoverable by the Supervisor. Without - the groups scope being requested and allowed, the ID token will - not contain groups." - items: - enum: - - openid - - offline_access - - username - - groups - - pinniped:request-audience - type: string - minItems: 1 - type: array - required: - - allowedGrantTypes - - allowedRedirectURIs - - allowedScopes - type: object - status: - description: Status of the OIDC client. - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] diff --git a/generated/1.22/README.adoc b/generated/1.22/README.adoc index 78e1cd46..5ba5e839 100644 --- a/generated/1.22/README.adoc +++ b/generated/1.22/README.adoc @@ -12,7 +12,6 @@ - xref:{anchor_prefix}-identity-concierge-pinniped-dev-v1alpha1[$$identity.concierge.pinniped.dev/v1alpha1$$] - xref:{anchor_prefix}-idp-supervisor-pinniped-dev-v1alpha1[$$idp.supervisor.pinniped.dev/v1alpha1$$] - xref:{anchor_prefix}-login-concierge-pinniped-dev-v1alpha1[$$login.concierge.pinniped.dev/v1alpha1$$] -- xref:{anchor_prefix}-oauth-supervisor-pinniped-dev-v1alpha1[$$oauth.supervisor.pinniped.dev/v1alpha1$$] [id="{anchor_prefix}-authentication-concierge-pinniped-dev-v1alpha1"] 
@@ -544,6 +543,51 @@ FederationDomainTLSSpec is a struct that describes the TLS configuration for an |=== +[id="{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-config-v1alpha1-oidcclient"] +==== OIDCClient + +OIDCClient describes the configuration of an OIDC client. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-config-v1alpha1-oidcclientlist[$$OIDCClientList$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.22/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`. + +| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-config-v1alpha1-oidcclientspec[$$OIDCClientSpec$$]__ | Spec of the OIDC client. +| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-config-v1alpha1-oidcclientstatus[$$OIDCClientStatus$$]__ | Status of the OIDC client. +|=== + + + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-config-v1alpha1-oidcclientspec"] +==== OIDCClientSpec + +OIDCClientSpec is a struct that describes an OIDC Client. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-config-v1alpha1-oidcclient[$$OIDCClient$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`allowedRedirectURIs`* __string array__ | allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this client. Any other uris will be rejected. Must be https, unless it is a loopback. +| *`allowedGrantTypes`* __GrantType array__ | allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this client. + Must only contain the following values: - authorization_code: allows the client to perform the authorization code grant flow, i.e. 
allows the webapp to authenticate users. This grant must always be listed. - refresh_token: allows the client to perform refresh grants for the user to extend the user's session. This grant must be listed if allowedScopes lists offline_access. - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. This grant must be listed if allowedScopes lists pinniped:request-audience. +| *`allowedScopes`* __Scope array__ | allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. + Must only contain the following values: - openid: The client is allowed to request ID tokens. ID tokens only include the required claims by default (iss, sub, aud, exp, iat). This scope must always be listed. - offline_access: The client is allowed to request an initial refresh token during the authorization code grant flow. This scope must be listed if allowedGrantTypes lists refresh_token. - pinniped:request-audience: The client is allowed to request a new audience value during a RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. openid, username and groups scopes must be listed when this scope is present. This scope must be listed if allowedGrantTypes lists urn:ietf:params:oauth:grant-type:token-exchange. - username: The client is allowed to request that ID tokens contain the user's username. Without the username scope being requested and allowed, the ID token will not contain the user's username. - groups: The client is allowed to request that ID tokens contain the user's group membership, if their group membership is discoverable by the Supervisor. Without the groups scope being requested and allowed, the ID token will not contain groups. 
+|=== + + + + [id="{anchor_prefix}-identity-concierge-pinniped-dev-identity"] === identity.concierge.pinniped.dev/identity 
@@ -1333,56 +1377,3 @@ TokenCredentialRequestStatus is the status of a TokenCredentialRequest, returned |=== - -[id="{anchor_prefix}-oauth-supervisor-pinniped-dev-v1alpha1"] -=== oauth.supervisor.pinniped.dev/v1alpha1 - -Package v1alpha1 is the v1alpha1 version of the Pinniped supervisor oauth API. - - - -[id="{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-oauth-v1alpha1-oidcclient"] -==== OIDCClient - -OIDCClient describes the configuration of an OIDC client. - -.Appears In: -**** -- xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-oauth-v1alpha1-oidcclientlist[$$OIDCClientList$$] -**** - -[cols="25a,75a", options="header"] -|=== -| Field | Description -| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.22/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`. - -| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-oauth-v1alpha1-oidcclientspec[$$OIDCClientSpec$$]__ | Spec of the OIDC client. -| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-oauth-v1alpha1-oidcclientstatus[$$OIDCClientStatus$$]__ | Status of the OIDC client. -|=== - - - - -[id="{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-oauth-v1alpha1-oidcclientspec"] -==== OIDCClientSpec - -OIDCClientSpec is a struct that describes an OIDC Client. - -.Appears In: -**** -- xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-oauth-v1alpha1-oidcclient[$$OIDCClient$$] -**** - -[cols="25a,75a", options="header"] -|=== -| Field | Description -| *`allowedRedirectURIs`* __string array__ | allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this client. Any other uris will be rejected. Must be https, unless it is a loopback. 
-| *`allowedGrantTypes`* __GrantType array__ | allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this client. - Must only contain the following values: - authorization_code: allows the client to perform the authorization code grant flow, i.e. allows the webapp to authenticate users. This grant must always be listed. - refresh_token: allows the client to perform refresh grants for the user to extend the user's session. This grant must be listed if allowedScopes lists offline_access. - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. This grant must be listed if allowedScopes lists pinniped:request-audience. -| *`allowedScopes`* __Scope array__ | allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. - Must only contain the following values: - openid: The client is allowed to request ID tokens. ID tokens only include the required claims by default (iss, sub, aud, exp, iat). This scope must always be listed. - offline_access: The client is allowed to request an initial refresh token during the authorization code grant flow. This scope must be listed if allowedGrantTypes lists refresh_token. - pinniped:request-audience: The client is allowed to request a new audience value during a RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. openid, username and groups scopes must be listed when this scope is present. This scope must be listed if allowedGrantTypes lists urn:ietf:params:oauth:grant-type:token-exchange. - username: The client is allowed to request that ID tokens contain the user's username. Without the username scope being requested and allowed, the ID token will not contain the user's username. 
- groups: The client is allowed to request that ID tokens contain the user's group membership, if their group membership is discoverable by the Supervisor. Without the groups scope being requested and allowed, the ID token will not contain groups. -|=== - - - - diff --git a/generated/1.22/apis/supervisor/config/v1alpha1/register.go b/generated/1.22/apis/supervisor/config/v1alpha1/register.go index 69045298..54c51699 100644 --- a/generated/1.22/apis/supervisor/config/v1alpha1/register.go +++ b/generated/1.22/apis/supervisor/config/v1alpha1/register.go @@ -32,6 +32,8 @@ func addKnownTypes(scheme *runtime.Scheme) error { scheme.AddKnownTypes(SchemeGroupVersion, &FederationDomain{}, &FederationDomainList{}, + &OIDCClient{}, + &OIDCClientList{}, ) metav1.AddToGroupVersion(scheme, SchemeGroupVersion) return nil diff --git a/generated/1.22/apis/supervisor/oauth/v1alpha1/types_oidcclient.go b/generated/1.22/apis/supervisor/config/v1alpha1/types_oidcclient.go similarity index 100% rename from generated/1.22/apis/supervisor/oauth/v1alpha1/types_oidcclient.go rename to generated/1.22/apis/supervisor/config/v1alpha1/types_oidcclient.go diff --git a/generated/1.22/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go b/generated/1.22/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go index 856b8988..a55d88e7 100644 --- a/generated/1.22/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go +++ b/generated/1.22/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go 
@@ -150,3 +150,111 @@ func (in *FederationDomainTLSSpec) DeepCopy() *FederationDomainTLSSpec { in.DeepCopyInto(out) return out } + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCClient) DeepCopyInto(out *OIDCClient) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + in.Spec.DeepCopyInto(&out.Spec) + out.Status = in.Status + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClient. +func (in *OIDCClient) DeepCopy() *OIDCClient { + if in == nil { + return nil + } + out := new(OIDCClient) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *OIDCClient) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCClientList) DeepCopyInto(out *OIDCClientList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]OIDCClient, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientList. +func (in *OIDCClientList) DeepCopy() *OIDCClientList { + if in == nil { + return nil + } + out := new(OIDCClientList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *OIDCClientList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. 
in must be non-nil. +func (in *OIDCClientSpec) DeepCopyInto(out *OIDCClientSpec) { + *out = *in + if in.AllowedRedirectURIs != nil { + in, out := &in.AllowedRedirectURIs, &out.AllowedRedirectURIs + *out = make([]string, len(*in)) + copy(*out, *in) + } + if in.AllowedGrantTypes != nil { + in, out := &in.AllowedGrantTypes, &out.AllowedGrantTypes + *out = make([]GrantType, len(*in)) + copy(*out, *in) + } + if in.AllowedScopes != nil { + in, out := &in.AllowedScopes, &out.AllowedScopes + *out = make([]Scope, len(*in)) + copy(*out, *in) + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSpec. +func (in *OIDCClientSpec) DeepCopy() *OIDCClientSpec { + if in == nil { + return nil + } + out := new(OIDCClientSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCClientStatus) DeepCopyInto(out *OIDCClientStatus) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientStatus. +func (in *OIDCClientStatus) DeepCopy() *OIDCClientStatus { + if in == nil { + return nil + } + out := new(OIDCClientStatus) + in.DeepCopyInto(out) + return out +} diff --git a/generated/1.22/apis/supervisor/oauth/v1alpha1/doc.go b/generated/1.22/apis/supervisor/oauth/v1alpha1/doc.go deleted file mode 100644 index 75580481..00000000 --- a/generated/1.22/apis/supervisor/oauth/v1alpha1/doc.go +++ /dev/null @@ -1,10 +0,0 @@ -// Copyright 2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// +k8s:openapi-gen=true -// +k8s:deepcopy-gen=package -// +k8s:defaulter-gen=TypeMeta -// +groupName=oauth.supervisor.pinniped.dev - -// Package v1alpha1 is the v1alpha1 version of the Pinniped supervisor oauth API. -package v1alpha1 
diff --git a/generated/1.22/apis/supervisor/oauth/v1alpha1/register.go b/generated/1.22/apis/supervisor/oauth/v1alpha1/register.go deleted file mode 100644 index 37ae1fbf..00000000 --- a/generated/1.22/apis/supervisor/oauth/v1alpha1/register.go +++ /dev/null @@ -1,43 +0,0 @@ -// Copyright 2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -package v1alpha1 - -import ( - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - "k8s.io/apimachinery/pkg/runtime" - "k8s.io/apimachinery/pkg/runtime/schema" -) - -const GroupName = "oauth.supervisor.pinniped.dev" - -// SchemeGroupVersion is group version used to register these objects. -var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha1"} - -var ( - SchemeBuilder runtime.SchemeBuilder - localSchemeBuilder = &SchemeBuilder - AddToScheme = localSchemeBuilder.AddToScheme -) - -func init() { - // We only register manually written functions here. The registration of the - // generated functions takes place in the generated files. The separation - // makes the code compile even when the generated files are missing. - localSchemeBuilder.Register(addKnownTypes) -} - -// Adds the list of known types to the given scheme. -func addKnownTypes(scheme *runtime.Scheme) error { - scheme.AddKnownTypes(SchemeGroupVersion, - &OIDCClient{}, - &OIDCClientList{}, - ) - metav1.AddToGroupVersion(scheme, SchemeGroupVersion) - return nil -} - -// Resource takes an unqualified resource and returns a Group qualified GroupResource. -func Resource(resource string) schema.GroupResource { - return SchemeGroupVersion.WithResource(resource).GroupResource() -} diff --git a/generated/1.22/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go b/generated/1.22/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go deleted file mode 100644 index 1aba8aea..00000000 --- a/generated/1.22/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go +++ /dev/null 
@@ -1,121 +0,0 @@ -//go:build !ignore_autogenerated -// +build !ignore_autogenerated - -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by deepcopy-gen. DO NOT EDIT. - -package v1alpha1 - -import ( - runtime "k8s.io/apimachinery/pkg/runtime" -) - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *OIDCClient) DeepCopyInto(out *OIDCClient) { - *out = *in - out.TypeMeta = in.TypeMeta - in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) - in.Spec.DeepCopyInto(&out.Spec) - out.Status = in.Status - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClient. -func (in *OIDCClient) DeepCopy() *OIDCClient { - if in == nil { - return nil - } - out := new(OIDCClient) - in.DeepCopyInto(out) - return out -} - -// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. -func (in *OIDCClient) DeepCopyObject() runtime.Object { - if c := in.DeepCopy(); c != nil { - return c - } - return nil -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *OIDCClientList) DeepCopyInto(out *OIDCClientList) { - *out = *in - out.TypeMeta = in.TypeMeta - in.ListMeta.DeepCopyInto(&out.ListMeta) - if in.Items != nil { - in, out := &in.Items, &out.Items - *out = make([]OIDCClient, len(*in)) - for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) - } - } - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientList. -func (in *OIDCClientList) DeepCopy() *OIDCClientList { - if in == nil { - return nil - } - out := new(OIDCClientList) - in.DeepCopyInto(out) - return out -} - -// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. 
-func (in *OIDCClientList) DeepCopyObject() runtime.Object { - if c := in.DeepCopy(); c != nil { - return c - } - return nil -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *OIDCClientSpec) DeepCopyInto(out *OIDCClientSpec) { - *out = *in - if in.AllowedRedirectURIs != nil { - in, out := &in.AllowedRedirectURIs, &out.AllowedRedirectURIs - *out = make([]string, len(*in)) - copy(*out, *in) - } - if in.AllowedGrantTypes != nil { - in, out := &in.AllowedGrantTypes, &out.AllowedGrantTypes - *out = make([]GrantType, len(*in)) - copy(*out, *in) - } - if in.AllowedScopes != nil { - in, out := &in.AllowedScopes, &out.AllowedScopes - *out = make([]Scope, len(*in)) - copy(*out, *in) - } - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSpec. -func (in *OIDCClientSpec) DeepCopy() *OIDCClientSpec { - if in == nil { - return nil - } - out := new(OIDCClientSpec) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *OIDCClientStatus) DeepCopyInto(out *OIDCClientStatus) { - *out = *in - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientStatus. -func (in *OIDCClientStatus) DeepCopy() *OIDCClientStatus { - if in == nil { - return nil - } - out := new(OIDCClientStatus) - in.DeepCopyInto(out) - return out -} diff --git a/generated/1.22/client/supervisor/clientset/versioned/clientset.go b/generated/1.22/client/supervisor/clientset/versioned/clientset.go index dcdcab22..b110aa5d 100644 --- a/generated/1.22/client/supervisor/clientset/versioned/clientset.go +++ b/generated/1.22/client/supervisor/clientset/versioned/clientset.go 
@@ -10,7 +10,6 @@ import ( configv1alpha1 "go.pinniped.dev/generated/1.22/client/supervisor/clientset/versioned/typed/config/v1alpha1" idpv1alpha1 "go.pinniped.dev/generated/1.22/client/supervisor/clientset/versioned/typed/idp/v1alpha1" - oauthv1alpha1 "go.pinniped.dev/generated/1.22/client/supervisor/clientset/versioned/typed/oauth/v1alpha1" discovery "k8s.io/client-go/discovery" rest "k8s.io/client-go/rest" flowcontrol "k8s.io/client-go/util/flowcontrol" @@ -20,7 +19,6 @@ type Interface interface { Discovery() discovery.DiscoveryInterface ConfigV1alpha1() configv1alpha1.ConfigV1alpha1Interface IDPV1alpha1() idpv1alpha1.IDPV1alpha1Interface - OauthV1alpha1() oauthv1alpha1.OauthV1alpha1Interface } // Clientset contains the clients for groups. Each group has exactly one @@ -29,7 +27,6 @@ type Clientset struct { *discovery.DiscoveryClient configV1alpha1 *configv1alpha1.ConfigV1alpha1Client iDPV1alpha1 *idpv1alpha1.IDPV1alpha1Client - oauthV1alpha1 *oauthv1alpha1.OauthV1alpha1Client } // ConfigV1alpha1 retrieves the ConfigV1alpha1Client @@ -42,11 +39,6 @@ func (c *Clientset) IDPV1alpha1() idpv1alpha1.IDPV1alpha1Interface { return c.iDPV1alpha1 } -// OauthV1alpha1 retrieves the OauthV1alpha1Client -func (c *Clientset) OauthV1alpha1() oauthv1alpha1.OauthV1alpha1Interface { - return c.oauthV1alpha1 -} - // Discovery retrieves the DiscoveryClient func (c *Clientset) Discovery() discovery.DiscoveryInterface { if c == nil { @@ -76,10 +68,6 @@ func NewForConfig(c *rest.Config) (*Clientset, error) { if err != nil { return nil, err } - cs.oauthV1alpha1, err = oauthv1alpha1.NewForConfig(&configShallowCopy) - if err != nil { - return nil, err - } cs.DiscoveryClient, err = discovery.NewDiscoveryClientForConfig(&configShallowCopy) if err != nil { 
@@ -94,7 +82,6 @@ func NewForConfigOrDie(c *rest.Config) *Clientset { var cs Clientset cs.configV1alpha1 = configv1alpha1.NewForConfigOrDie(c) cs.iDPV1alpha1 = idpv1alpha1.NewForConfigOrDie(c) - cs.oauthV1alpha1 = oauthv1alpha1.NewForConfigOrDie(c) cs.DiscoveryClient = discovery.NewDiscoveryClientForConfigOrDie(c) return &cs @@ -105,7 +92,6 @@ func New(c rest.Interface) *Clientset { var cs Clientset cs.configV1alpha1 = configv1alpha1.New(c) cs.iDPV1alpha1 = idpv1alpha1.New(c) - cs.oauthV1alpha1 = oauthv1alpha1.New(c) cs.DiscoveryClient = discovery.NewDiscoveryClient(c) return &cs diff --git a/generated/1.22/client/supervisor/clientset/versioned/fake/clientset_generated.go b/generated/1.22/client/supervisor/clientset/versioned/fake/clientset_generated.go index 492217cf..919b66cf 100644 --- a/generated/1.22/client/supervisor/clientset/versioned/fake/clientset_generated.go +++ b/generated/1.22/client/supervisor/clientset/versioned/fake/clientset_generated.go @@ -11,8 +11,6 @@ import ( fakeconfigv1alpha1 "go.pinniped.dev/generated/1.22/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake" idpv1alpha1 "go.pinniped.dev/generated/1.22/client/supervisor/clientset/versioned/typed/idp/v1alpha1" fakeidpv1alpha1 "go.pinniped.dev/generated/1.22/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake" - oauthv1alpha1 "go.pinniped.dev/generated/1.22/client/supervisor/clientset/versioned/typed/oauth/v1alpha1" - fakeoauthv1alpha1 "go.pinniped.dev/generated/1.22/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake" "k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/watch" "k8s.io/client-go/discovery" 
@@ -79,8 +77,3 @@ func (c *Clientset) ConfigV1alpha1() configv1alpha1.ConfigV1alpha1Interface { func (c *Clientset) IDPV1alpha1() idpv1alpha1.IDPV1alpha1Interface { return &fakeidpv1alpha1.FakeIDPV1alpha1{Fake: &c.Fake} } - -// OauthV1alpha1 retrieves the OauthV1alpha1Client -func (c *Clientset) OauthV1alpha1() oauthv1alpha1.OauthV1alpha1Interface { - return &fakeoauthv1alpha1.FakeOauthV1alpha1{Fake: &c.Fake} -} diff --git a/generated/1.22/client/supervisor/clientset/versioned/fake/register.go b/generated/1.22/client/supervisor/clientset/versioned/fake/register.go index 690d6ee3..38fb0501 100644 --- a/generated/1.22/client/supervisor/clientset/versioned/fake/register.go +++ b/generated/1.22/client/supervisor/clientset/versioned/fake/register.go @@ -8,7 +8,6 @@ package fake import ( configv1alpha1 "go.pinniped.dev/generated/1.22/apis/supervisor/config/v1alpha1" idpv1alpha1 "go.pinniped.dev/generated/1.22/apis/supervisor/idp/v1alpha1" - oauthv1alpha1 "go.pinniped.dev/generated/1.22/apis/supervisor/oauth/v1alpha1" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" runtime "k8s.io/apimachinery/pkg/runtime" schema "k8s.io/apimachinery/pkg/runtime/schema" @@ -22,7 +21,6 @@ var codecs = serializer.NewCodecFactory(scheme) var localSchemeBuilder = runtime.SchemeBuilder{ configv1alpha1.AddToScheme, idpv1alpha1.AddToScheme, - oauthv1alpha1.AddToScheme, } // AddToScheme adds all types of this clientset into the given scheme. This allows composition diff --git a/generated/1.22/client/supervisor/clientset/versioned/scheme/register.go b/generated/1.22/client/supervisor/clientset/versioned/scheme/register.go index 99bafb85..1fdb17cd 100644 --- a/generated/1.22/client/supervisor/clientset/versioned/scheme/register.go +++ b/generated/1.22/client/supervisor/clientset/versioned/scheme/register.go 
@@ -8,7 +8,6 @@ package scheme import ( configv1alpha1 "go.pinniped.dev/generated/1.22/apis/supervisor/config/v1alpha1" idpv1alpha1 "go.pinniped.dev/generated/1.22/apis/supervisor/idp/v1alpha1" - oauthv1alpha1 "go.pinniped.dev/generated/1.22/apis/supervisor/oauth/v1alpha1" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" runtime "k8s.io/apimachinery/pkg/runtime" schema "k8s.io/apimachinery/pkg/runtime/schema" @@ -22,7 +21,6 @@ var ParameterCodec = runtime.NewParameterCodec(Scheme) var localSchemeBuilder = runtime.SchemeBuilder{ configv1alpha1.AddToScheme, idpv1alpha1.AddToScheme, - oauthv1alpha1.AddToScheme, } // AddToScheme adds all types of this clientset into the given scheme. This allows composition diff --git a/generated/1.22/client/supervisor/clientset/versioned/typed/config/v1alpha1/config_client.go b/generated/1.22/client/supervisor/clientset/versioned/typed/config/v1alpha1/config_client.go index 8b13c709..252b4962 100644 --- a/generated/1.22/client/supervisor/clientset/versioned/typed/config/v1alpha1/config_client.go +++ b/generated/1.22/client/supervisor/clientset/versioned/typed/config/v1alpha1/config_client.go @@ -14,6 +14,7 @@ import ( type ConfigV1alpha1Interface interface { RESTClient() rest.Interface FederationDomainsGetter + OIDCClientsGetter } // ConfigV1alpha1Client is used to interact with features provided by the config.supervisor.pinniped.dev group. @@ -25,6 +26,10 @@ func (c *ConfigV1alpha1Client) FederationDomains(namespace string) FederationDom return newFederationDomains(c, namespace) } +func (c *ConfigV1alpha1Client) OIDCClients(namespace string) OIDCClientInterface { + return newOIDCClients(c, namespace) +} + // NewForConfig creates a new ConfigV1alpha1Client for the given config. func NewForConfig(c *rest.Config) (*ConfigV1alpha1Client, error) { config := *c 
diff --git a/generated/1.22/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake/fake_config_client.go b/generated/1.22/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake/fake_config_client.go index 309e08b8..1ad242eb 100644 --- a/generated/1.22/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake/fake_config_client.go +++ b/generated/1.22/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake/fake_config_client.go @@ -19,6 +19,10 @@ func (c *FakeConfigV1alpha1) FederationDomains(namespace string) v1alpha1.Federa return &FakeFederationDomains{c, namespace} } +func (c *FakeConfigV1alpha1) OIDCClients(namespace string) v1alpha1.OIDCClientInterface { + return &FakeOIDCClients{c, namespace} +} + // RESTClient returns a RESTClient that is used to communicate // with API server by this client implementation. func (c *FakeConfigV1alpha1) RESTClient() rest.Interface { diff --git a/generated/1.22/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake/fake_oidcclient.go b/generated/1.22/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake/fake_oidcclient.go new file mode 100644 index 00000000..49ce2584 --- /dev/null +++ b/generated/1.22/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake/fake_oidcclient.go 
@@ -0,0 +1,129 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package fake + +import ( + "context" + + v1alpha1 "go.pinniped.dev/generated/1.22/apis/supervisor/config/v1alpha1" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + labels "k8s.io/apimachinery/pkg/labels" + schema "k8s.io/apimachinery/pkg/runtime/schema" + types "k8s.io/apimachinery/pkg/types" + watch "k8s.io/apimachinery/pkg/watch" + testing "k8s.io/client-go/testing" +) + +// FakeOIDCClients implements OIDCClientInterface +type FakeOIDCClients struct { + Fake *FakeConfigV1alpha1 + ns string +} + +var oidcclientsResource = schema.GroupVersionResource{Group: "config.supervisor.pinniped.dev", Version: "v1alpha1", Resource: "oidcclients"} + +var oidcclientsKind = schema.GroupVersionKind{Group: "config.supervisor.pinniped.dev", Version: "v1alpha1", Kind: "OIDCClient"} + +// Get takes name of the oIDCClient, and returns the corresponding oIDCClient object, and an error if there is any. +func (c *FakeOIDCClients) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.OIDCClient, err error) { + obj, err := c.Fake. + Invokes(testing.NewGetAction(oidcclientsResource, c.ns, name), &v1alpha1.OIDCClient{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.OIDCClient), err +} + +// List takes label and field selectors, and returns the list of OIDCClients that match those selectors. +func (c *FakeOIDCClients) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.OIDCClientList, err error) { + obj, err := c.Fake. 
+ Invokes(testing.NewListAction(oidcclientsResource, oidcclientsKind, c.ns, opts), &v1alpha1.OIDCClientList{}) + + if obj == nil { + return nil, err + } + + label, _, _ := testing.ExtractFromListOptions(opts) + if label == nil { + label = labels.Everything() + } + list := &v1alpha1.OIDCClientList{ListMeta: obj.(*v1alpha1.OIDCClientList).ListMeta} + for _, item := range obj.(*v1alpha1.OIDCClientList).Items { + if label.Matches(labels.Set(item.Labels)) { + list.Items = append(list.Items, item) + } + } + return list, err +} + +// Watch returns a watch.Interface that watches the requested oIDCClients. +func (c *FakeOIDCClients) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) { + return c.Fake. + InvokesWatch(testing.NewWatchAction(oidcclientsResource, c.ns, opts)) + +} + +// Create takes the representation of a oIDCClient and creates it. Returns the server's representation of the oIDCClient, and an error, if there is any. +func (c *FakeOIDCClients) Create(ctx context.Context, oIDCClient *v1alpha1.OIDCClient, opts v1.CreateOptions) (result *v1alpha1.OIDCClient, err error) { + obj, err := c.Fake. + Invokes(testing.NewCreateAction(oidcclientsResource, c.ns, oIDCClient), &v1alpha1.OIDCClient{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.OIDCClient), err +} + +// Update takes the representation of a oIDCClient and updates it. Returns the server's representation of the oIDCClient, and an error, if there is any. +func (c *FakeOIDCClients) Update(ctx context.Context, oIDCClient *v1alpha1.OIDCClient, opts v1.UpdateOptions) (result *v1alpha1.OIDCClient, err error) { + obj, err := c.Fake. + Invokes(testing.NewUpdateAction(oidcclientsResource, c.ns, oIDCClient), &v1alpha1.OIDCClient{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.OIDCClient), err +} + +// UpdateStatus was generated because the type contains a Status member. +// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus(). 
+func (c *FakeOIDCClients) UpdateStatus(ctx context.Context, oIDCClient *v1alpha1.OIDCClient, opts v1.UpdateOptions) (*v1alpha1.OIDCClient, error) { + obj, err := c.Fake. + Invokes(testing.NewUpdateSubresourceAction(oidcclientsResource, "status", c.ns, oIDCClient), &v1alpha1.OIDCClient{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.OIDCClient), err +} + +// Delete takes name of the oIDCClient and deletes it. Returns an error if one occurs. +func (c *FakeOIDCClients) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error { + _, err := c.Fake. + Invokes(testing.NewDeleteAction(oidcclientsResource, c.ns, name), &v1alpha1.OIDCClient{}) + + return err +} + +// DeleteCollection deletes a collection of objects. +func (c *FakeOIDCClients) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error { + action := testing.NewDeleteCollectionAction(oidcclientsResource, c.ns, listOpts) + + _, err := c.Fake.Invokes(action, &v1alpha1.OIDCClientList{}) + return err +} + +// Patch applies the patch and returns the patched oIDCClient. +func (c *FakeOIDCClients) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.OIDCClient, err error) { + obj, err := c.Fake. + Invokes(testing.NewPatchSubresourceAction(oidcclientsResource, c.ns, name, pt, data, subresources...), &v1alpha1.OIDCClient{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.OIDCClient), err +} diff --git a/generated/1.22/client/supervisor/clientset/versioned/typed/config/v1alpha1/generated_expansion.go b/generated/1.22/client/supervisor/clientset/versioned/typed/config/v1alpha1/generated_expansion.go index ba9c9173..35b9ee3d 100644 --- a/generated/1.22/client/supervisor/clientset/versioned/typed/config/v1alpha1/generated_expansion.go +++ b/generated/1.22/client/supervisor/clientset/versioned/typed/config/v1alpha1/generated_expansion.go 
@@ -6,3 +6,5 @@ package v1alpha1 type FederationDomainExpansion interface{} + +type OIDCClientExpansion interface{} diff --git a/generated/1.22/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oidcclient.go b/generated/1.22/client/supervisor/clientset/versioned/typed/config/v1alpha1/oidcclient.go similarity index 97% rename from generated/1.22/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oidcclient.go rename to generated/1.22/client/supervisor/clientset/versioned/typed/config/v1alpha1/oidcclient.go index be9f6246..8d5bdab6 100644 --- a/generated/1.22/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oidcclient.go +++ b/generated/1.22/client/supervisor/clientset/versioned/typed/config/v1alpha1/oidcclient.go @@ -9,7 +9,7 @@ import ( "context" "time" - v1alpha1 "go.pinniped.dev/generated/1.22/apis/supervisor/oauth/v1alpha1" + v1alpha1 "go.pinniped.dev/generated/1.22/apis/supervisor/config/v1alpha1" scheme "go.pinniped.dev/generated/1.22/client/supervisor/clientset/versioned/scheme" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" types "k8s.io/apimachinery/pkg/types" @@ -44,7 +44,7 @@ type oIDCClients struct { } // newOIDCClients returns a OIDCClients -func newOIDCClients(c *OauthV1alpha1Client, namespace string) *oIDCClients { +func newOIDCClients(c *ConfigV1alpha1Client, namespace string) *oIDCClients { return &oIDCClients{ client: c.RESTClient(), ns: namespace, diff --git a/generated/1.22/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/doc.go b/generated/1.22/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/doc.go deleted file mode 100644 index e7a470b6..00000000 --- a/generated/1.22/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/doc.go +++ /dev/null @@ -1,7 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by client-gen. DO NOT EDIT. - -// This package has the automatically generated typed clients. -package v1alpha1 
diff --git a/generated/1.22/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go b/generated/1.22/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go deleted file mode 100644 index 7906901b..00000000 --- a/generated/1.22/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go +++ /dev/null @@ -1,7 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by client-gen. DO NOT EDIT. - -// Package fake has the automatically generated clients. -package fake diff --git a/generated/1.22/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go b/generated/1.22/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go deleted file mode 100644 index 7f7620ad..00000000 --- a/generated/1.22/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go +++ /dev/null @@ -1,27 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by client-gen. DO NOT EDIT. - -package fake - -import ( - v1alpha1 "go.pinniped.dev/generated/1.22/client/supervisor/clientset/versioned/typed/oauth/v1alpha1" - rest "k8s.io/client-go/rest" - testing "k8s.io/client-go/testing" -) - -type FakeOauthV1alpha1 struct { - *testing.Fake -} - -func (c *FakeOauthV1alpha1) OIDCClients(namespace string) v1alpha1.OIDCClientInterface { - return &FakeOIDCClients{c, namespace} -} - -// RESTClient returns a RESTClient that is used to communicate -// with API server by this client implementation. -func (c *FakeOauthV1alpha1) RESTClient() rest.Interface { - var ret *rest.RESTClient - return ret -} 
diff --git a/generated/1.22/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oidcclient.go b/generated/1.22/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oidcclient.go deleted file mode 100644 index afddba32..00000000 --- a/generated/1.22/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oidcclient.go +++ /dev/null 
@@ -1,129 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by client-gen. DO NOT EDIT. - -package fake - -import ( - "context" - - v1alpha1 "go.pinniped.dev/generated/1.22/apis/supervisor/oauth/v1alpha1" - v1 "k8s.io/apimachinery/pkg/apis/meta/v1" - labels "k8s.io/apimachinery/pkg/labels" - schema "k8s.io/apimachinery/pkg/runtime/schema" - types "k8s.io/apimachinery/pkg/types" - watch "k8s.io/apimachinery/pkg/watch" - testing "k8s.io/client-go/testing" -) - -// FakeOIDCClients implements OIDCClientInterface -type FakeOIDCClients struct { - Fake *FakeOauthV1alpha1 - ns string -} - -var oidcclientsResource = schema.GroupVersionResource{Group: "oauth.supervisor.pinniped.dev", Version: "v1alpha1", Resource: "oidcclients"} - -var oidcclientsKind = schema.GroupVersionKind{Group: "oauth.supervisor.pinniped.dev", Version: "v1alpha1", Kind: "OIDCClient"} - -// Get takes name of the oIDCClient, and returns the corresponding oIDCClient object, and an error if there is any. -func (c *FakeOIDCClients) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.OIDCClient, err error) { - obj, err := c.Fake. - Invokes(testing.NewGetAction(oidcclientsResource, c.ns, name), &v1alpha1.OIDCClient{}) - - if obj == nil { - return nil, err - } - return obj.(*v1alpha1.OIDCClient), err -} - -// List takes label and field selectors, and returns the list of OIDCClients that match those selectors. -func (c *FakeOIDCClients) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.OIDCClientList, err error) { - obj, err := c.Fake. 
- Invokes(testing.NewListAction(oidcclientsResource, oidcclientsKind, c.ns, opts), &v1alpha1.OIDCClientList{}) - - if obj == nil { - return nil, err - } - - label, _, _ := testing.ExtractFromListOptions(opts) - if label == nil { - label = labels.Everything() - } - list := &v1alpha1.OIDCClientList{ListMeta: obj.(*v1alpha1.OIDCClientList).ListMeta} - for _, item := range obj.(*v1alpha1.OIDCClientList).Items { - if label.Matches(labels.Set(item.Labels)) { - list.Items = append(list.Items, item) - } - } - return list, err -} - -// Watch returns a watch.Interface that watches the requested oIDCClients. -func (c *FakeOIDCClients) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) { - return c.Fake. - InvokesWatch(testing.NewWatchAction(oidcclientsResource, c.ns, opts)) - -} - -// Create takes the representation of a oIDCClient and creates it. Returns the server's representation of the oIDCClient, and an error, if there is any. -func (c *FakeOIDCClients) Create(ctx context.Context, oIDCClient *v1alpha1.OIDCClient, opts v1.CreateOptions) (result *v1alpha1.OIDCClient, err error) { - obj, err := c.Fake. - Invokes(testing.NewCreateAction(oidcclientsResource, c.ns, oIDCClient), &v1alpha1.OIDCClient{}) - - if obj == nil { - return nil, err - } - return obj.(*v1alpha1.OIDCClient), err -} - -// Update takes the representation of a oIDCClient and updates it. Returns the server's representation of the oIDCClient, and an error, if there is any. -func (c *FakeOIDCClients) Update(ctx context.Context, oIDCClient *v1alpha1.OIDCClient, opts v1.UpdateOptions) (result *v1alpha1.OIDCClient, err error) { - obj, err := c.Fake. - Invokes(testing.NewUpdateAction(oidcclientsResource, c.ns, oIDCClient), &v1alpha1.OIDCClient{}) - - if obj == nil { - return nil, err - } - return obj.(*v1alpha1.OIDCClient), err -} - -// UpdateStatus was generated because the type contains a Status member. -// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus(). 
-func (c *FakeOIDCClients) UpdateStatus(ctx context.Context, oIDCClient *v1alpha1.OIDCClient, opts v1.UpdateOptions) (*v1alpha1.OIDCClient, error) { - obj, err := c.Fake. - Invokes(testing.NewUpdateSubresourceAction(oidcclientsResource, "status", c.ns, oIDCClient), &v1alpha1.OIDCClient{}) - - if obj == nil { - return nil, err - } - return obj.(*v1alpha1.OIDCClient), err -} - -// Delete takes name of the oIDCClient and deletes it. Returns an error if one occurs. -func (c *FakeOIDCClients) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error { - _, err := c.Fake. - Invokes(testing.NewDeleteAction(oidcclientsResource, c.ns, name), &v1alpha1.OIDCClient{}) - - return err -} - -// DeleteCollection deletes a collection of objects. -func (c *FakeOIDCClients) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error { - action := testing.NewDeleteCollectionAction(oidcclientsResource, c.ns, listOpts) - - _, err := c.Fake.Invokes(action, &v1alpha1.OIDCClientList{}) - return err -} - -// Patch applies the patch and returns the patched oIDCClient. -func (c *FakeOIDCClients) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.OIDCClient, err error) { - obj, err := c.Fake. - Invokes(testing.NewPatchSubresourceAction(oidcclientsResource, c.ns, name, pt, data, subresources...), &v1alpha1.OIDCClient{}) - - if obj == nil { - return nil, err - } - return obj.(*v1alpha1.OIDCClient), err -} diff --git a/generated/1.22/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go b/generated/1.22/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go deleted file mode 100644 index 87d22ea9..00000000 --- a/generated/1.22/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go +++ /dev/null 
@@ -1,8 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by client-gen. DO NOT EDIT. - -package v1alpha1 - -type OIDCClientExpansion interface{} diff --git a/generated/1.22/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go b/generated/1.22/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go deleted file mode 100644 index 1bf4eb28..00000000 --- a/generated/1.22/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go +++ /dev/null 
@@ -1,76 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by client-gen. DO NOT EDIT. - -package v1alpha1 - -import ( - v1alpha1 "go.pinniped.dev/generated/1.22/apis/supervisor/oauth/v1alpha1" - "go.pinniped.dev/generated/1.22/client/supervisor/clientset/versioned/scheme" - rest "k8s.io/client-go/rest" -) - -type OauthV1alpha1Interface interface { - RESTClient() rest.Interface - OIDCClientsGetter -} - -// OauthV1alpha1Client is used to interact with features provided by the oauth.supervisor.pinniped.dev group. -type OauthV1alpha1Client struct { - restClient rest.Interface -} - -func (c *OauthV1alpha1Client) OIDCClients(namespace string) OIDCClientInterface { - return newOIDCClients(c, namespace) -} - -// NewForConfig creates a new OauthV1alpha1Client for the given config. -func NewForConfig(c *rest.Config) (*OauthV1alpha1Client, error) { - config := *c - if err := setConfigDefaults(&config); err != nil { - return nil, err - } - client, err := rest.RESTClientFor(&config) - if err != nil { - return nil, err - } - return &OauthV1alpha1Client{client}, nil -} - -// NewForConfigOrDie creates a new OauthV1alpha1Client for the given config and -// panics if there is an error in the config. -func NewForConfigOrDie(c *rest.Config) *OauthV1alpha1Client { - client, err := NewForConfig(c) - if err != nil { - panic(err) - } - return client -} - -// New creates a new OauthV1alpha1Client for the given RESTClient. 
-func New(c rest.Interface) *OauthV1alpha1Client { - return &OauthV1alpha1Client{c} -} - -func setConfigDefaults(config *rest.Config) error { - gv := v1alpha1.SchemeGroupVersion - config.GroupVersion = &gv - config.APIPath = "/apis" - config.NegotiatedSerializer = scheme.Codecs.WithoutConversion() - - if config.UserAgent == "" { - config.UserAgent = rest.DefaultKubernetesUserAgent() - } - - return nil -} - -// RESTClient returns a RESTClient that is used to communicate -// with API server by this client implementation. -func (c *OauthV1alpha1Client) RESTClient() rest.Interface { - if c == nil { - return nil - } - return c.restClient -} diff --git a/generated/1.22/client/supervisor/informers/externalversions/config/v1alpha1/interface.go b/generated/1.22/client/supervisor/informers/externalversions/config/v1alpha1/interface.go index f2d9a689..9659ea3a 100644 --- a/generated/1.22/client/supervisor/informers/externalversions/config/v1alpha1/interface.go +++ b/generated/1.22/client/supervisor/informers/externalversions/config/v1alpha1/interface.go @@ -13,6 +13,8 @@ import ( type Interface interface { // FederationDomains returns a FederationDomainInformer. FederationDomains() FederationDomainInformer + // OIDCClients returns a OIDCClientInformer. + OIDCClients() OIDCClientInformer } type version struct { @@ -30,3 +32,8 @@ func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakList func (v *version) FederationDomains() FederationDomainInformer { return &federationDomainInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions} } + +// OIDCClients returns a OIDCClientInformer. +func (v *version) OIDCClients() OIDCClientInformer { + return &oIDCClientInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions} +} 
diff --git a/generated/1.22/client/supervisor/informers/externalversions/oauth/v1alpha1/oidcclient.go b/generated/1.22/client/supervisor/informers/externalversions/config/v1alpha1/oidcclient.go similarity index 88% rename from generated/1.22/client/supervisor/informers/externalversions/oauth/v1alpha1/oidcclient.go rename to generated/1.22/client/supervisor/informers/externalversions/config/v1alpha1/oidcclient.go index 73fd8a10..a7d6ba7f 100644 --- a/generated/1.22/client/supervisor/informers/externalversions/oauth/v1alpha1/oidcclient.go +++ b/generated/1.22/client/supervisor/informers/externalversions/config/v1alpha1/oidcclient.go @@ -9,10 +9,10 @@ import ( "context" time "time" - oauthv1alpha1 "go.pinniped.dev/generated/1.22/apis/supervisor/oauth/v1alpha1" + configv1alpha1 "go.pinniped.dev/generated/1.22/apis/supervisor/config/v1alpha1" versioned "go.pinniped.dev/generated/1.22/client/supervisor/clientset/versioned" internalinterfaces "go.pinniped.dev/generated/1.22/client/supervisor/informers/externalversions/internalinterfaces" - v1alpha1 "go.pinniped.dev/generated/1.22/client/supervisor/listers/oauth/v1alpha1" + v1alpha1 "go.pinniped.dev/generated/1.22/client/supervisor/listers/config/v1alpha1" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" runtime "k8s.io/apimachinery/pkg/runtime" watch "k8s.io/apimachinery/pkg/watch" 
@@ -49,16 +49,16 @@ func NewFilteredOIDCClientInformer(client versioned.Interface, namespace string, if tweakListOptions != nil { tweakListOptions(&options) } - return client.OauthV1alpha1().OIDCClients(namespace).List(context.TODO(), options) + return client.ConfigV1alpha1().OIDCClients(namespace).List(context.TODO(), options) }, WatchFunc: func(options v1.ListOptions) (watch.Interface, error) { if tweakListOptions != nil { tweakListOptions(&options) } - return client.OauthV1alpha1().OIDCClients(namespace).Watch(context.TODO(), options) + return client.ConfigV1alpha1().OIDCClients(namespace).Watch(context.TODO(), options) }, }, - &oauthv1alpha1.OIDCClient{}, + &configv1alpha1.OIDCClient{}, resyncPeriod, indexers, ) @@ -69,7 +69,7 @@ func (f *oIDCClientInformer) defaultInformer(client versioned.Interface, resyncP } func (f *oIDCClientInformer) Informer() cache.SharedIndexInformer { - return f.factory.InformerFor(&oauthv1alpha1.OIDCClient{}, f.defaultInformer) + return f.factory.InformerFor(&configv1alpha1.OIDCClient{}, f.defaultInformer) } func (f *oIDCClientInformer) Lister() v1alpha1.OIDCClientLister { diff --git a/generated/1.22/client/supervisor/informers/externalversions/factory.go b/generated/1.22/client/supervisor/informers/externalversions/factory.go index b1a59943..1686a18c 100644 --- a/generated/1.22/client/supervisor/informers/externalversions/factory.go +++ b/generated/1.22/client/supervisor/informers/externalversions/factory.go 
@@ -14,7 +14,6 @@ import ( config "go.pinniped.dev/generated/1.22/client/supervisor/informers/externalversions/config" idp "go.pinniped.dev/generated/1.22/client/supervisor/informers/externalversions/idp" internalinterfaces "go.pinniped.dev/generated/1.22/client/supervisor/informers/externalversions/internalinterfaces" - oauth "go.pinniped.dev/generated/1.22/client/supervisor/informers/externalversions/oauth" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" runtime "k8s.io/apimachinery/pkg/runtime" schema "k8s.io/apimachinery/pkg/runtime/schema" @@ -163,7 +162,6 @@ type SharedInformerFactory interface { Config() config.Interface IDP() idp.Interface - Oauth() oauth.Interface } func (f *sharedInformerFactory) Config() config.Interface { @@ -173,7 +171,3 @@ func (f *sharedInformerFactory) Config() config.Interface { func (f *sharedInformerFactory) IDP() idp.Interface { return idp.New(f, f.namespace, f.tweakListOptions) } - -func (f *sharedInformerFactory) Oauth() oauth.Interface { - return oauth.New(f, f.namespace, f.tweakListOptions) -} diff --git a/generated/1.22/client/supervisor/informers/externalversions/generic.go b/generated/1.22/client/supervisor/informers/externalversions/generic.go index 0380a5b8..9f22e409 100644 --- a/generated/1.22/client/supervisor/informers/externalversions/generic.go +++ b/generated/1.22/client/supervisor/informers/externalversions/generic.go @@ -10,7 +10,6 @@ import ( v1alpha1 "go.pinniped.dev/generated/1.22/apis/supervisor/config/v1alpha1" idpv1alpha1 "go.pinniped.dev/generated/1.22/apis/supervisor/idp/v1alpha1" - oauthv1alpha1 "go.pinniped.dev/generated/1.22/apis/supervisor/oauth/v1alpha1" schema "k8s.io/apimachinery/pkg/runtime/schema" cache "k8s.io/client-go/tools/cache" ) 
@@ -44,6 +43,8 @@ func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource // Group=config.supervisor.pinniped.dev, Version=v1alpha1 case v1alpha1.SchemeGroupVersion.WithResource("federationdomains"): return &genericInformer{resource: resource.GroupResource(), informer: f.Config().V1alpha1().FederationDomains().Informer()}, nil + case v1alpha1.SchemeGroupVersion.WithResource("oidcclients"): + return &genericInformer{resource: resource.GroupResource(), informer: f.Config().V1alpha1().OIDCClients().Informer()}, nil // Group=idp.supervisor.pinniped.dev, Version=v1alpha1 case idpv1alpha1.SchemeGroupVersion.WithResource("activedirectoryidentityproviders"): @@ -53,10 +54,6 @@ func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource case idpv1alpha1.SchemeGroupVersion.WithResource("oidcidentityproviders"): return &genericInformer{resource: resource.GroupResource(), informer: f.IDP().V1alpha1().OIDCIdentityProviders().Informer()}, nil - // Group=oauth.supervisor.pinniped.dev, Version=v1alpha1 - case oauthv1alpha1.SchemeGroupVersion.WithResource("oidcclients"): - return &genericInformer{resource: resource.GroupResource(), informer: f.Oauth().V1alpha1().OIDCClients().Informer()}, nil - } return nil, fmt.Errorf("no informer found for %v", resource) diff --git a/generated/1.22/client/supervisor/informers/externalversions/oauth/interface.go b/generated/1.22/client/supervisor/informers/externalversions/oauth/interface.go deleted file mode 100644 index 97090c7c..00000000 --- a/generated/1.22/client/supervisor/informers/externalversions/oauth/interface.go +++ /dev/null 
@@ -1,33 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by informer-gen. DO NOT EDIT. - -package oauth - -import ( - internalinterfaces "go.pinniped.dev/generated/1.22/client/supervisor/informers/externalversions/internalinterfaces" - v1alpha1 "go.pinniped.dev/generated/1.22/client/supervisor/informers/externalversions/oauth/v1alpha1" -) - -// Interface provides access to each of this group's versions. -type Interface interface { - // V1alpha1 provides access to shared informers for resources in V1alpha1. - V1alpha1() v1alpha1.Interface -} - -type group struct { - factory internalinterfaces.SharedInformerFactory - namespace string - tweakListOptions internalinterfaces.TweakListOptionsFunc -} - -// New returns a new Interface. -func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakListOptions internalinterfaces.TweakListOptionsFunc) Interface { - return &group{factory: f, namespace: namespace, tweakListOptions: tweakListOptions} -} - -// V1alpha1 returns a new v1alpha1.Interface. -func (g *group) V1alpha1() v1alpha1.Interface { - return v1alpha1.New(g.factory, g.namespace, g.tweakListOptions) -} diff --git a/generated/1.22/client/supervisor/informers/externalversions/oauth/v1alpha1/interface.go b/generated/1.22/client/supervisor/informers/externalversions/oauth/v1alpha1/interface.go deleted file mode 100644 index 19d5ccb1..00000000 --- a/generated/1.22/client/supervisor/informers/externalversions/oauth/v1alpha1/interface.go +++ /dev/null 
@@ -1,32 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by informer-gen. DO NOT EDIT. - -package v1alpha1 - -import ( - internalinterfaces "go.pinniped.dev/generated/1.22/client/supervisor/informers/externalversions/internalinterfaces" -) - -// Interface provides access to all the informers in this group version. -type Interface interface { - // OIDCClients returns a OIDCClientInformer. - OIDCClients() OIDCClientInformer -} - -type version struct { - factory internalinterfaces.SharedInformerFactory - namespace string - tweakListOptions internalinterfaces.TweakListOptionsFunc -} - -// New returns a new Interface. -func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakListOptions internalinterfaces.TweakListOptionsFunc) Interface { - return &version{factory: f, namespace: namespace, tweakListOptions: tweakListOptions} -} - -// OIDCClients returns a OIDCClientInformer. -func (v *version) OIDCClients() OIDCClientInformer { - return &oIDCClientInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions} -} diff --git a/generated/1.22/client/supervisor/listers/config/v1alpha1/expansion_generated.go b/generated/1.22/client/supervisor/listers/config/v1alpha1/expansion_generated.go index d59892c4..bda2f20e 100644 --- a/generated/1.22/client/supervisor/listers/config/v1alpha1/expansion_generated.go +++ b/generated/1.22/client/supervisor/listers/config/v1alpha1/expansion_generated.go 
@@ -12,3 +12,11 @@ type FederationDomainListerExpansion interface{} // FederationDomainNamespaceListerExpansion allows custom methods to be added to // FederationDomainNamespaceLister. type FederationDomainNamespaceListerExpansion interface{} + +// OIDCClientListerExpansion allows custom methods to be added to +// OIDCClientLister. +type OIDCClientListerExpansion interface{} + +// OIDCClientNamespaceListerExpansion allows custom methods to be added to +// OIDCClientNamespaceLister. +type OIDCClientNamespaceListerExpansion interface{} diff --git a/generated/1.22/client/supervisor/listers/oauth/v1alpha1/oidcclient.go b/generated/1.22/client/supervisor/listers/config/v1alpha1/oidcclient.go similarity index 97% rename from generated/1.22/client/supervisor/listers/oauth/v1alpha1/oidcclient.go rename to generated/1.22/client/supervisor/listers/config/v1alpha1/oidcclient.go index e73a2114..fe4943b0 100644 --- a/generated/1.22/client/supervisor/listers/oauth/v1alpha1/oidcclient.go +++ b/generated/1.22/client/supervisor/listers/config/v1alpha1/oidcclient.go @@ -6,7 +6,7 @@ package v1alpha1 import ( - v1alpha1 "go.pinniped.dev/generated/1.22/apis/supervisor/oauth/v1alpha1" + v1alpha1 "go.pinniped.dev/generated/1.22/apis/supervisor/config/v1alpha1" "k8s.io/apimachinery/pkg/api/errors" "k8s.io/apimachinery/pkg/labels" "k8s.io/client-go/tools/cache" diff --git a/generated/1.22/client/supervisor/listers/oauth/v1alpha1/expansion_generated.go b/generated/1.22/client/supervisor/listers/oauth/v1alpha1/expansion_generated.go deleted file mode 100644 index c19310da..00000000 --- a/generated/1.22/client/supervisor/listers/oauth/v1alpha1/expansion_generated.go +++ /dev/null 
@@ -1,14 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by lister-gen. DO NOT EDIT. - -package v1alpha1 - -// OIDCClientListerExpansion allows custom methods to be added to -// OIDCClientLister. -type OIDCClientListerExpansion interface{} - -// OIDCClientNamespaceListerExpansion allows custom methods to be added to -// OIDCClientNamespaceLister. -type OIDCClientNamespaceListerExpansion interface{} diff --git a/generated/1.22/crds/config.supervisor.pinniped.dev_oidcclients.yaml b/generated/1.22/crds/config.supervisor.pinniped.dev_oidcclients.yaml new file mode 100644 index 00000000..4efa445e --- /dev/null +++ b/generated/1.22/crds/config.supervisor.pinniped.dev_oidcclients.yaml 
@@ -0,0 +1,125 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.8.0 + creationTimestamp: null + name: oidcclients.config.supervisor.pinniped.dev +spec: + group: config.supervisor.pinniped.dev + names: + categories: + - pinniped + kind: OIDCClient + listKind: OIDCClientList + plural: oidcclients + singular: oidcclient + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: OIDCClient describes the configuration of an OIDC client. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec of the OIDC client. + properties: + allowedGrantTypes: + description: "allowedGrantTypes is a list of the allowed grant_type + param values that should be accepted during OIDC flows with this + client. \n Must only contain the following values: - authorization_code: + allows the client to perform the authorization code grant flow, + i.e. allows the webapp to authenticate users. This grant must always + be listed. - refresh_token: allows the client to perform refresh + grants for the user to extend the user's session. This grant must + be listed if allowedScopes lists offline_access. 
- urn:ietf:params:oauth:grant-type:token-exchange: + allows the client to perform RFC8693 token exchange, which is a + step in the process to be able to get a cluster credential for the + user. This grant must be listed if allowedScopes lists pinniped:request-audience." + items: + enum: + - authorization_code + - refresh_token + - urn:ietf:params:oauth:grant-type:token-exchange + type: string + minItems: 1 + type: array + allowedRedirectURIs: + description: allowedRedirectURIs is a list of the allowed redirect_uri + param values that should be accepted during OIDC flows with this + client. Any other uris will be rejected. Must be https, unless it + is a loopback. + items: + type: string + minItems: 1 + type: array + allowedScopes: + description: "allowedScopes is a list of the allowed scopes param + values that should be accepted during OIDC flows with this client. + \n Must only contain the following values: - openid: The client + is allowed to request ID tokens. ID tokens only include the required + claims by default (iss, sub, aud, exp, iat). This scope must always + be listed. - offline_access: The client is allowed to request an + initial refresh token during the authorization code grant flow. + This scope must be listed if allowedGrantTypes lists refresh_token. + - pinniped:request-audience: The client is allowed to request a + new audience value during a RFC8693 token exchange, which is a step + in the process to be able to get a cluster credential for the user. + openid, username and groups scopes must be listed when this scope + is present. This scope must be listed if allowedGrantTypes lists + urn:ietf:params:oauth:grant-type:token-exchange. - username: The + client is allowed to request that ID tokens contain the user's username. + Without the username scope being requested and allowed, the ID token + will not contain the user's username. 
- groups: The client is allowed + to request that ID tokens contain the user's group membership, if + their group membership is discoverable by the Supervisor. Without + the groups scope being requested and allowed, the ID token will + not contain groups." + items: + enum: + - openid + - offline_access + - username + - groups + - pinniped:request-audience + type: string + minItems: 1 + type: array + required: + - allowedGrantTypes + - allowedRedirectURIs + - allowedScopes + type: object + status: + description: Status of the OIDC client. + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/generated/1.22/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml b/generated/1.22/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml deleted file mode 100644 index 589a9154..00000000 --- a/generated/1.22/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml +++ /dev/null 
@@ -1,125 +0,0 @@ ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.8.0 - creationTimestamp: null - name: oidcclients.oauth.supervisor.pinniped.dev -spec: - group: oauth.supervisor.pinniped.dev - names: - categories: - - pinniped - kind: OIDCClient - listKind: OIDCClientList - plural: oidcclients - singular: oidcclient - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - description: OIDCClient describes the configuration of an OIDC client. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: Spec of the OIDC client. - properties: - allowedGrantTypes: - description: "allowedGrantTypes is a list of the allowed grant_type - param values that should be accepted during OIDC flows with this - client. \n Must only contain the following values: - authorization_code: - allows the client to perform the authorization code grant flow, - i.e. allows the webapp to authenticate users. This grant must always - be listed. - refresh_token: allows the client to perform refresh - grants for the user to extend the user's session. This grant must - be listed if allowedScopes lists offline_access. 
- urn:ietf:params:oauth:grant-type:token-exchange: - allows the client to perform RFC8693 token exchange, which is a - step in the process to be able to get a cluster credential for the - user. This grant must be listed if allowedScopes lists pinniped:request-audience." - items: - enum: - - authorization_code - - refresh_token - - urn:ietf:params:oauth:grant-type:token-exchange - type: string - minItems: 1 - type: array - allowedRedirectURIs: - description: allowedRedirectURIs is a list of the allowed redirect_uri - param values that should be accepted during OIDC flows with this - client. Any other uris will be rejected. Must be https, unless it - is a loopback. - items: - type: string - minItems: 1 - type: array - allowedScopes: - description: "allowedScopes is a list of the allowed scopes param - values that should be accepted during OIDC flows with this client. - \n Must only contain the following values: - openid: The client - is allowed to request ID tokens. ID tokens only include the required - claims by default (iss, sub, aud, exp, iat). This scope must always - be listed. - offline_access: The client is allowed to request an - initial refresh token during the authorization code grant flow. - This scope must be listed if allowedGrantTypes lists refresh_token. - - pinniped:request-audience: The client is allowed to request a - new audience value during a RFC8693 token exchange, which is a step - in the process to be able to get a cluster credential for the user. - openid, username and groups scopes must be listed when this scope - is present. This scope must be listed if allowedGrantTypes lists - urn:ietf:params:oauth:grant-type:token-exchange. - username: The - client is allowed to request that ID tokens contain the user's username. - Without the username scope being requested and allowed, the ID token - will not contain the user's username. 
- groups: The client is allowed - to request that ID tokens contain the user's group membership, if - their group membership is discoverable by the Supervisor. Without - the groups scope being requested and allowed, the ID token will - not contain groups." - items: - enum: - - openid - - offline_access - - username - - groups - - pinniped:request-audience - type: string - minItems: 1 - type: array - required: - - allowedGrantTypes - - allowedRedirectURIs - - allowedScopes - type: object - status: - description: Status of the OIDC client. - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] diff --git a/generated/1.23/README.adoc b/generated/1.23/README.adoc index d858f07a..78612146 100644 --- a/generated/1.23/README.adoc +++ b/generated/1.23/README.adoc @@ -12,7 +12,6 @@ - xref:{anchor_prefix}-identity-concierge-pinniped-dev-v1alpha1[$$identity.concierge.pinniped.dev/v1alpha1$$] - xref:{anchor_prefix}-idp-supervisor-pinniped-dev-v1alpha1[$$idp.supervisor.pinniped.dev/v1alpha1$$] - xref:{anchor_prefix}-login-concierge-pinniped-dev-v1alpha1[$$login.concierge.pinniped.dev/v1alpha1$$] -- xref:{anchor_prefix}-oauth-supervisor-pinniped-dev-v1alpha1[$$oauth.supervisor.pinniped.dev/v1alpha1$$] [id="{anchor_prefix}-authentication-concierge-pinniped-dev-v1alpha1"] 
@@ -544,6 +543,51 @@ FederationDomainTLSSpec is a struct that describes the TLS configuration for an |=== +[id="{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-config-v1alpha1-oidcclient"] +==== OIDCClient + +OIDCClient describes the configuration of an OIDC client. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-config-v1alpha1-oidcclientlist[$$OIDCClientList$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`. + +| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-config-v1alpha1-oidcclientspec[$$OIDCClientSpec$$]__ | Spec of the OIDC client. +| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-config-v1alpha1-oidcclientstatus[$$OIDCClientStatus$$]__ | Status of the OIDC client. +|=== + + + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-config-v1alpha1-oidcclientspec"] +==== OIDCClientSpec + +OIDCClientSpec is a struct that describes an OIDC Client. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-config-v1alpha1-oidcclient[$$OIDCClient$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`allowedRedirectURIs`* __string array__ | allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this client. Any other uris will be rejected. Must be https, unless it is a loopback. +| *`allowedGrantTypes`* __GrantType array__ | allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this client. + Must only contain the following values: - authorization_code: allows the client to perform the authorization code grant flow, i.e. 
allows the webapp to authenticate users. This grant must always be listed. - refresh_token: allows the client to perform refresh grants for the user to extend the user's session. This grant must be listed if allowedScopes lists offline_access. - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. This grant must be listed if allowedScopes lists pinniped:request-audience. +| *`allowedScopes`* __Scope array__ | allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. + Must only contain the following values: - openid: The client is allowed to request ID tokens. ID tokens only include the required claims by default (iss, sub, aud, exp, iat). This scope must always be listed. - offline_access: The client is allowed to request an initial refresh token during the authorization code grant flow. This scope must be listed if allowedGrantTypes lists refresh_token. - pinniped:request-audience: The client is allowed to request a new audience value during a RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. openid, username and groups scopes must be listed when this scope is present. This scope must be listed if allowedGrantTypes lists urn:ietf:params:oauth:grant-type:token-exchange. - username: The client is allowed to request that ID tokens contain the user's username. Without the username scope being requested and allowed, the ID token will not contain the user's username. - groups: The client is allowed to request that ID tokens contain the user's group membership, if their group membership is discoverable by the Supervisor. Without the groups scope being requested and allowed, the ID token will not contain groups. 
+|=== + + + + [id="{anchor_prefix}-identity-concierge-pinniped-dev-identity"] === identity.concierge.pinniped.dev/identity 
@@ -1333,56 +1377,3 @@ TokenCredentialRequestStatus is the status of a TokenCredentialRequest, returned |=== - -[id="{anchor_prefix}-oauth-supervisor-pinniped-dev-v1alpha1"] -=== oauth.supervisor.pinniped.dev/v1alpha1 - -Package v1alpha1 is the v1alpha1 version of the Pinniped supervisor oauth API. - - - -[id="{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-oauth-v1alpha1-oidcclient"] -==== OIDCClient - -OIDCClient describes the configuration of an OIDC client. - -.Appears In: -**** -- xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-oauth-v1alpha1-oidcclientlist[$$OIDCClientList$$] -**** - -[cols="25a,75a", options="header"] -|=== -| Field | Description -| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`. - -| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-oauth-v1alpha1-oidcclientspec[$$OIDCClientSpec$$]__ | Spec of the OIDC client. -| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-oauth-v1alpha1-oidcclientstatus[$$OIDCClientStatus$$]__ | Status of the OIDC client. -|=== - - - - -[id="{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-oauth-v1alpha1-oidcclientspec"] -==== OIDCClientSpec - -OIDCClientSpec is a struct that describes an OIDC Client. - -.Appears In: -**** -- xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-oauth-v1alpha1-oidcclient[$$OIDCClient$$] -**** - -[cols="25a,75a", options="header"] -|=== -| Field | Description -| *`allowedRedirectURIs`* __string array__ | allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this client. Any other uris will be rejected. Must be https, unless it is a loopback. 
-| *`allowedGrantTypes`* __GrantType array__ | allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this client. - Must only contain the following values: - authorization_code: allows the client to perform the authorization code grant flow, i.e. allows the webapp to authenticate users. This grant must always be listed. - refresh_token: allows the client to perform refresh grants for the user to extend the user's session. This grant must be listed if allowedScopes lists offline_access. - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. This grant must be listed if allowedScopes lists pinniped:request-audience. -| *`allowedScopes`* __Scope array__ | allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. - Must only contain the following values: - openid: The client is allowed to request ID tokens. ID tokens only include the required claims by default (iss, sub, aud, exp, iat). This scope must always be listed. - offline_access: The client is allowed to request an initial refresh token during the authorization code grant flow. This scope must be listed if allowedGrantTypes lists refresh_token. - pinniped:request-audience: The client is allowed to request a new audience value during a RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. openid, username and groups scopes must be listed when this scope is present. This scope must be listed if allowedGrantTypes lists urn:ietf:params:oauth:grant-type:token-exchange. - username: The client is allowed to request that ID tokens contain the user's username. Without the username scope being requested and allowed, the ID token will not contain the user's username. 
- groups: The client is allowed to request that ID tokens contain the user's group membership, if their group membership is discoverable by the Supervisor. Without the groups scope being requested and allowed, the ID token will not contain groups. -|=== - - - - diff --git a/generated/1.23/apis/supervisor/config/v1alpha1/register.go b/generated/1.23/apis/supervisor/config/v1alpha1/register.go index 69045298..54c51699 100644 --- a/generated/1.23/apis/supervisor/config/v1alpha1/register.go +++ b/generated/1.23/apis/supervisor/config/v1alpha1/register.go @@ -32,6 +32,8 @@ func addKnownTypes(scheme *runtime.Scheme) error { scheme.AddKnownTypes(SchemeGroupVersion, &FederationDomain{}, &FederationDomainList{}, + &OIDCClient{}, + &OIDCClientList{}, ) metav1.AddToGroupVersion(scheme, SchemeGroupVersion) return nil diff --git a/generated/1.23/apis/supervisor/oauth/v1alpha1/types_oidcclient.go b/generated/1.23/apis/supervisor/config/v1alpha1/types_oidcclient.go similarity index 100% rename from generated/1.23/apis/supervisor/oauth/v1alpha1/types_oidcclient.go rename to generated/1.23/apis/supervisor/config/v1alpha1/types_oidcclient.go diff --git a/generated/1.23/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go b/generated/1.23/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go index 856b8988..a55d88e7 100644 --- a/generated/1.23/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go +++ b/generated/1.23/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go 
@@ -150,3 +150,111 @@ func (in *FederationDomainTLSSpec) DeepCopy() *FederationDomainTLSSpec { in.DeepCopyInto(out) return out } + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCClient) DeepCopyInto(out *OIDCClient) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + in.Spec.DeepCopyInto(&out.Spec) + out.Status = in.Status + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClient. +func (in *OIDCClient) DeepCopy() *OIDCClient { + if in == nil { + return nil + } + out := new(OIDCClient) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *OIDCClient) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCClientList) DeepCopyInto(out *OIDCClientList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]OIDCClient, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientList. +func (in *OIDCClientList) DeepCopy() *OIDCClientList { + if in == nil { + return nil + } + out := new(OIDCClientList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *OIDCClientList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. 
in must be non-nil. +func (in *OIDCClientSpec) DeepCopyInto(out *OIDCClientSpec) { + *out = *in + if in.AllowedRedirectURIs != nil { + in, out := &in.AllowedRedirectURIs, &out.AllowedRedirectURIs + *out = make([]string, len(*in)) + copy(*out, *in) + } + if in.AllowedGrantTypes != nil { + in, out := &in.AllowedGrantTypes, &out.AllowedGrantTypes + *out = make([]GrantType, len(*in)) + copy(*out, *in) + } + if in.AllowedScopes != nil { + in, out := &in.AllowedScopes, &out.AllowedScopes + *out = make([]Scope, len(*in)) + copy(*out, *in) + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSpec. +func (in *OIDCClientSpec) DeepCopy() *OIDCClientSpec { + if in == nil { + return nil + } + out := new(OIDCClientSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCClientStatus) DeepCopyInto(out *OIDCClientStatus) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientStatus. +func (in *OIDCClientStatus) DeepCopy() *OIDCClientStatus { + if in == nil { + return nil + } + out := new(OIDCClientStatus) + in.DeepCopyInto(out) + return out +} diff --git a/generated/1.23/apis/supervisor/oauth/v1alpha1/doc.go b/generated/1.23/apis/supervisor/oauth/v1alpha1/doc.go deleted file mode 100644 index 75580481..00000000 --- a/generated/1.23/apis/supervisor/oauth/v1alpha1/doc.go +++ /dev/null @@ -1,10 +0,0 @@ -// Copyright 2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// +k8s:openapi-gen=true -// +k8s:deepcopy-gen=package -// +k8s:defaulter-gen=TypeMeta -// +groupName=oauth.supervisor.pinniped.dev - -// Package v1alpha1 is the v1alpha1 version of the Pinniped supervisor oauth API. -package v1alpha1 
diff --git a/generated/1.23/apis/supervisor/oauth/v1alpha1/register.go b/generated/1.23/apis/supervisor/oauth/v1alpha1/register.go deleted file mode 100644 index 37ae1fbf..00000000 --- a/generated/1.23/apis/supervisor/oauth/v1alpha1/register.go +++ /dev/null @@ -1,43 +0,0 @@ -// Copyright 2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -package v1alpha1 - -import ( - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - "k8s.io/apimachinery/pkg/runtime" - "k8s.io/apimachinery/pkg/runtime/schema" -) - -const GroupName = "oauth.supervisor.pinniped.dev" - -// SchemeGroupVersion is group version used to register these objects. -var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha1"} - -var ( - SchemeBuilder runtime.SchemeBuilder - localSchemeBuilder = &SchemeBuilder - AddToScheme = localSchemeBuilder.AddToScheme -) - -func init() { - // We only register manually written functions here. The registration of the - // generated functions takes place in the generated files. The separation - // makes the code compile even when the generated files are missing. - localSchemeBuilder.Register(addKnownTypes) -} - -// Adds the list of known types to the given scheme. -func addKnownTypes(scheme *runtime.Scheme) error { - scheme.AddKnownTypes(SchemeGroupVersion, - &OIDCClient{}, - &OIDCClientList{}, - ) - metav1.AddToGroupVersion(scheme, SchemeGroupVersion) - return nil -} - -// Resource takes an unqualified resource and returns a Group qualified GroupResource. -func Resource(resource string) schema.GroupResource { - return SchemeGroupVersion.WithResource(resource).GroupResource() -} diff --git a/generated/1.23/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go b/generated/1.23/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go deleted file mode 100644 index 1aba8aea..00000000 --- a/generated/1.23/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go +++ /dev/null 
@@ -1,121 +0,0 @@ -//go:build !ignore_autogenerated -// +build !ignore_autogenerated - -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by deepcopy-gen. DO NOT EDIT. - -package v1alpha1 - -import ( - runtime "k8s.io/apimachinery/pkg/runtime" -) - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *OIDCClient) DeepCopyInto(out *OIDCClient) { - *out = *in - out.TypeMeta = in.TypeMeta - in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) - in.Spec.DeepCopyInto(&out.Spec) - out.Status = in.Status - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClient. -func (in *OIDCClient) DeepCopy() *OIDCClient { - if in == nil { - return nil - } - out := new(OIDCClient) - in.DeepCopyInto(out) - return out -} - -// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. -func (in *OIDCClient) DeepCopyObject() runtime.Object { - if c := in.DeepCopy(); c != nil { - return c - } - return nil -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *OIDCClientList) DeepCopyInto(out *OIDCClientList) { - *out = *in - out.TypeMeta = in.TypeMeta - in.ListMeta.DeepCopyInto(&out.ListMeta) - if in.Items != nil { - in, out := &in.Items, &out.Items - *out = make([]OIDCClient, len(*in)) - for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) - } - } - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientList. -func (in *OIDCClientList) DeepCopy() *OIDCClientList { - if in == nil { - return nil - } - out := new(OIDCClientList) - in.DeepCopyInto(out) - return out -} - -// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. 
-func (in *OIDCClientList) DeepCopyObject() runtime.Object { - if c := in.DeepCopy(); c != nil { - return c - } - return nil -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *OIDCClientSpec) DeepCopyInto(out *OIDCClientSpec) { - *out = *in - if in.AllowedRedirectURIs != nil { - in, out := &in.AllowedRedirectURIs, &out.AllowedRedirectURIs - *out = make([]string, len(*in)) - copy(*out, *in) - } - if in.AllowedGrantTypes != nil { - in, out := &in.AllowedGrantTypes, &out.AllowedGrantTypes - *out = make([]GrantType, len(*in)) - copy(*out, *in) - } - if in.AllowedScopes != nil { - in, out := &in.AllowedScopes, &out.AllowedScopes - *out = make([]Scope, len(*in)) - copy(*out, *in) - } - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSpec. -func (in *OIDCClientSpec) DeepCopy() *OIDCClientSpec { - if in == nil { - return nil - } - out := new(OIDCClientSpec) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *OIDCClientStatus) DeepCopyInto(out *OIDCClientStatus) { - *out = *in - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientStatus. -func (in *OIDCClientStatus) DeepCopy() *OIDCClientStatus { - if in == nil { - return nil - } - out := new(OIDCClientStatus) - in.DeepCopyInto(out) - return out -} diff --git a/generated/1.23/client/supervisor/clientset/versioned/clientset.go b/generated/1.23/client/supervisor/clientset/versioned/clientset.go index 0347d1bb..6f778d3a 100644 --- a/generated/1.23/client/supervisor/clientset/versioned/clientset.go +++ b/generated/1.23/client/supervisor/clientset/versioned/clientset.go 
@@ -11,7 +11,6 @@ import ( configv1alpha1 "go.pinniped.dev/generated/1.23/client/supervisor/clientset/versioned/typed/config/v1alpha1" idpv1alpha1 "go.pinniped.dev/generated/1.23/client/supervisor/clientset/versioned/typed/idp/v1alpha1" - oauthv1alpha1 "go.pinniped.dev/generated/1.23/client/supervisor/clientset/versioned/typed/oauth/v1alpha1" discovery "k8s.io/client-go/discovery" rest "k8s.io/client-go/rest" flowcontrol "k8s.io/client-go/util/flowcontrol" @@ -21,7 +20,6 @@ type Interface interface { Discovery() discovery.DiscoveryInterface ConfigV1alpha1() configv1alpha1.ConfigV1alpha1Interface IDPV1alpha1() idpv1alpha1.IDPV1alpha1Interface - OauthV1alpha1() oauthv1alpha1.OauthV1alpha1Interface } // Clientset contains the clients for groups. Each group has exactly one @@ -30,7 +28,6 @@ type Clientset struct { *discovery.DiscoveryClient configV1alpha1 *configv1alpha1.ConfigV1alpha1Client iDPV1alpha1 *idpv1alpha1.IDPV1alpha1Client - oauthV1alpha1 *oauthv1alpha1.OauthV1alpha1Client } // ConfigV1alpha1 retrieves the ConfigV1alpha1Client @@ -43,11 +40,6 @@ func (c *Clientset) IDPV1alpha1() idpv1alpha1.IDPV1alpha1Interface { return c.iDPV1alpha1 } -// OauthV1alpha1 retrieves the OauthV1alpha1Client -func (c *Clientset) OauthV1alpha1() oauthv1alpha1.OauthV1alpha1Interface { - return c.oauthV1alpha1 -} - // Discovery retrieves the DiscoveryClient func (c *Clientset) Discovery() discovery.DiscoveryInterface { if c == nil { @@ -100,10 +92,6 @@ func NewForConfigAndClient(c *rest.Config, httpClient *http.Client) (*Clientset, if err != nil { return nil, err } - cs.oauthV1alpha1, err = oauthv1alpha1.NewForConfigAndClient(&configShallowCopy, httpClient) - if err != nil { - return nil, err - } cs.DiscoveryClient, err = discovery.NewDiscoveryClientForConfigAndClient(&configShallowCopy, httpClient) if err != nil { 
@@ -127,7 +115,6 @@ func New(c rest.Interface) *Clientset { var cs Clientset cs.configV1alpha1 = configv1alpha1.New(c) cs.iDPV1alpha1 = idpv1alpha1.New(c) - cs.oauthV1alpha1 = oauthv1alpha1.New(c) cs.DiscoveryClient = discovery.NewDiscoveryClient(c) return &cs diff --git a/generated/1.23/client/supervisor/clientset/versioned/fake/clientset_generated.go b/generated/1.23/client/supervisor/clientset/versioned/fake/clientset_generated.go index 26e5ff04..0c53ef8d 100644 --- a/generated/1.23/client/supervisor/clientset/versioned/fake/clientset_generated.go +++ b/generated/1.23/client/supervisor/clientset/versioned/fake/clientset_generated.go @@ -11,8 +11,6 @@ import ( fakeconfigv1alpha1 "go.pinniped.dev/generated/1.23/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake" idpv1alpha1 "go.pinniped.dev/generated/1.23/client/supervisor/clientset/versioned/typed/idp/v1alpha1" fakeidpv1alpha1 "go.pinniped.dev/generated/1.23/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake" - oauthv1alpha1 "go.pinniped.dev/generated/1.23/client/supervisor/clientset/versioned/typed/oauth/v1alpha1" - fakeoauthv1alpha1 "go.pinniped.dev/generated/1.23/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake" "k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/watch" "k8s.io/client-go/discovery" @@ -79,8 +77,3 @@ func (c *Clientset) ConfigV1alpha1() configv1alpha1.ConfigV1alpha1Interface { func (c *Clientset) IDPV1alpha1() idpv1alpha1.IDPV1alpha1Interface { return &fakeidpv1alpha1.FakeIDPV1alpha1{Fake: &c.Fake} } - -// OauthV1alpha1 retrieves the OauthV1alpha1Client -func (c *Clientset) OauthV1alpha1() oauthv1alpha1.OauthV1alpha1Interface { - return &fakeoauthv1alpha1.FakeOauthV1alpha1{Fake: &c.Fake} -} diff --git a/generated/1.23/client/supervisor/clientset/versioned/fake/register.go b/generated/1.23/client/supervisor/clientset/versioned/fake/register.go index 328aca4e..f46c7432 100644 --- a/generated/1.23/client/supervisor/clientset/versioned/fake/register.go 
+++ b/generated/1.23/client/supervisor/clientset/versioned/fake/register.go @@ -8,7 +8,6 @@ package fake import ( configv1alpha1 "go.pinniped.dev/generated/1.23/apis/supervisor/config/v1alpha1" idpv1alpha1 "go.pinniped.dev/generated/1.23/apis/supervisor/idp/v1alpha1" - oauthv1alpha1 "go.pinniped.dev/generated/1.23/apis/supervisor/oauth/v1alpha1" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" runtime "k8s.io/apimachinery/pkg/runtime" schema "k8s.io/apimachinery/pkg/runtime/schema" @@ -22,7 +21,6 @@ var codecs = serializer.NewCodecFactory(scheme) var localSchemeBuilder = runtime.SchemeBuilder{ configv1alpha1.AddToScheme, idpv1alpha1.AddToScheme, - oauthv1alpha1.AddToScheme, } // AddToScheme adds all types of this clientset into the given scheme. This allows composition diff --git a/generated/1.23/client/supervisor/clientset/versioned/scheme/register.go b/generated/1.23/client/supervisor/clientset/versioned/scheme/register.go index 5d908f2e..b251a20d 100644 --- a/generated/1.23/client/supervisor/clientset/versioned/scheme/register.go +++ b/generated/1.23/client/supervisor/clientset/versioned/scheme/register.go @@ -8,7 +8,6 @@ package scheme import ( configv1alpha1 "go.pinniped.dev/generated/1.23/apis/supervisor/config/v1alpha1" idpv1alpha1 "go.pinniped.dev/generated/1.23/apis/supervisor/idp/v1alpha1" - oauthv1alpha1 "go.pinniped.dev/generated/1.23/apis/supervisor/oauth/v1alpha1" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" runtime "k8s.io/apimachinery/pkg/runtime" schema "k8s.io/apimachinery/pkg/runtime/schema" @@ -22,7 +21,6 @@ var ParameterCodec = runtime.NewParameterCodec(Scheme) var localSchemeBuilder = runtime.SchemeBuilder{ configv1alpha1.AddToScheme, idpv1alpha1.AddToScheme, - oauthv1alpha1.AddToScheme, } // AddToScheme adds all types of this clientset into the given scheme. This allows composition 
diff --git a/generated/1.23/client/supervisor/clientset/versioned/typed/config/v1alpha1/config_client.go b/generated/1.23/client/supervisor/clientset/versioned/typed/config/v1alpha1/config_client.go index 8327d19b..bca8a275 100644 --- a/generated/1.23/client/supervisor/clientset/versioned/typed/config/v1alpha1/config_client.go +++ b/generated/1.23/client/supervisor/clientset/versioned/typed/config/v1alpha1/config_client.go @@ -16,6 +16,7 @@ import ( type ConfigV1alpha1Interface interface { RESTClient() rest.Interface FederationDomainsGetter + OIDCClientsGetter } // ConfigV1alpha1Client is used to interact with features provided by the config.supervisor.pinniped.dev group. @@ -27,6 +28,10 @@ func (c *ConfigV1alpha1Client) FederationDomains(namespace string) FederationDom return newFederationDomains(c, namespace) } +func (c *ConfigV1alpha1Client) OIDCClients(namespace string) OIDCClientInterface { + return newOIDCClients(c, namespace) +} + // NewForConfig creates a new ConfigV1alpha1Client for the given config. // NewForConfig is equivalent to NewForConfigAndClient(c, httpClient), // where httpClient was generated with rest.HTTPClientFor(c). diff --git a/generated/1.23/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake/fake_config_client.go b/generated/1.23/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake/fake_config_client.go index fd1c886c..9cda8fe3 100644 --- a/generated/1.23/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake/fake_config_client.go +++ b/generated/1.23/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake/fake_config_client.go 
@@ -19,6 +19,10 @@ func (c *FakeConfigV1alpha1) FederationDomains(namespace string) v1alpha1.Federa return &FakeFederationDomains{c, namespace} } +func (c *FakeConfigV1alpha1) OIDCClients(namespace string) v1alpha1.OIDCClientInterface { + return &FakeOIDCClients{c, namespace} +} + // RESTClient returns a RESTClient that is used to communicate // with API server by this client implementation. func (c *FakeConfigV1alpha1) RESTClient() rest.Interface { diff --git a/generated/1.23/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oidcclient.go b/generated/1.23/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake/fake_oidcclient.go similarity index 92% rename from generated/1.23/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oidcclient.go rename to generated/1.23/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake/fake_oidcclient.go index 34cf2735..e810d4f6 100644 --- a/generated/1.23/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oidcclient.go +++ b/generated/1.23/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake/fake_oidcclient.go @@ -8,7 +8,7 @@ package fake import ( "context" - v1alpha1 "go.pinniped.dev/generated/1.23/apis/supervisor/oauth/v1alpha1" + v1alpha1 "go.pinniped.dev/generated/1.23/apis/supervisor/config/v1alpha1" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" labels "k8s.io/apimachinery/pkg/labels" schema "k8s.io/apimachinery/pkg/runtime/schema" 
@@ -19,13 +19,13 @@ import ( // FakeOIDCClients implements OIDCClientInterface type FakeOIDCClients struct { - Fake *FakeOauthV1alpha1 + Fake *FakeConfigV1alpha1 ns string } -var oidcclientsResource = schema.GroupVersionResource{Group: "oauth.supervisor.pinniped.dev", Version: "v1alpha1", Resource: "oidcclients"} +var oidcclientsResource = schema.GroupVersionResource{Group: "config.supervisor.pinniped.dev", Version: "v1alpha1", Resource: "oidcclients"} -var oidcclientsKind = schema.GroupVersionKind{Group: "oauth.supervisor.pinniped.dev", Version: "v1alpha1", Kind: "OIDCClient"} +var oidcclientsKind = schema.GroupVersionKind{Group: "config.supervisor.pinniped.dev", Version: "v1alpha1", Kind: "OIDCClient"} // Get takes name of the oIDCClient, and returns the corresponding oIDCClient object, and an error if there is any. func (c *FakeOIDCClients) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.OIDCClient, err error) { diff --git a/generated/1.23/client/supervisor/clientset/versioned/typed/config/v1alpha1/generated_expansion.go b/generated/1.23/client/supervisor/clientset/versioned/typed/config/v1alpha1/generated_expansion.go index ba9c9173..35b9ee3d 100644 --- a/generated/1.23/client/supervisor/clientset/versioned/typed/config/v1alpha1/generated_expansion.go +++ b/generated/1.23/client/supervisor/clientset/versioned/typed/config/v1alpha1/generated_expansion.go @@ -6,3 +6,5 @@ package v1alpha1 type FederationDomainExpansion interface{} + +type OIDCClientExpansion interface{} diff --git a/generated/1.23/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oidcclient.go b/generated/1.23/client/supervisor/clientset/versioned/typed/config/v1alpha1/oidcclient.go similarity index 97% rename from generated/1.23/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oidcclient.go rename to generated/1.23/client/supervisor/clientset/versioned/typed/config/v1alpha1/oidcclient.go index 18287fd4..07983ea2 100644 
--- a/generated/1.23/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oidcclient.go +++ b/generated/1.23/client/supervisor/clientset/versioned/typed/config/v1alpha1/oidcclient.go @@ -9,7 +9,7 @@ import ( "context" "time" - v1alpha1 "go.pinniped.dev/generated/1.23/apis/supervisor/oauth/v1alpha1" + v1alpha1 "go.pinniped.dev/generated/1.23/apis/supervisor/config/v1alpha1" scheme "go.pinniped.dev/generated/1.23/client/supervisor/clientset/versioned/scheme" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" types "k8s.io/apimachinery/pkg/types" @@ -44,7 +44,7 @@ type oIDCClients struct { } // newOIDCClients returns a OIDCClients -func newOIDCClients(c *OauthV1alpha1Client, namespace string) *oIDCClients { +func newOIDCClients(c *ConfigV1alpha1Client, namespace string) *oIDCClients { return &oIDCClients{ client: c.RESTClient(), ns: namespace, diff --git a/generated/1.23/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/doc.go b/generated/1.23/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/doc.go deleted file mode 100644 index e7a470b6..00000000 --- a/generated/1.23/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/doc.go +++ /dev/null @@ -1,7 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by client-gen. DO NOT EDIT. - -// This package has the automatically generated typed clients. -package v1alpha1 diff --git a/generated/1.23/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go b/generated/1.23/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go deleted file mode 100644 index 7906901b..00000000 --- a/generated/1.23/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go +++ /dev/null 
@@ -1,7 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by client-gen. DO NOT EDIT. - -// Package fake has the automatically generated clients. -package fake diff --git a/generated/1.23/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go b/generated/1.23/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go deleted file mode 100644 index c5ce6f9b..00000000 --- a/generated/1.23/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go +++ /dev/null @@ -1,27 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by client-gen. DO NOT EDIT. - -package fake - -import ( - v1alpha1 "go.pinniped.dev/generated/1.23/client/supervisor/clientset/versioned/typed/oauth/v1alpha1" - rest "k8s.io/client-go/rest" - testing "k8s.io/client-go/testing" -) - -type FakeOauthV1alpha1 struct { - *testing.Fake -} - -func (c *FakeOauthV1alpha1) OIDCClients(namespace string) v1alpha1.OIDCClientInterface { - return &FakeOIDCClients{c, namespace} -} - -// RESTClient returns a RESTClient that is used to communicate -// with API server by this client implementation. -func (c *FakeOauthV1alpha1) RESTClient() rest.Interface { - var ret *rest.RESTClient - return ret -} diff --git a/generated/1.23/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go b/generated/1.23/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go deleted file mode 100644 index 87d22ea9..00000000 --- a/generated/1.23/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go +++ /dev/null 
@@ -1,8 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by client-gen. DO NOT EDIT. - -package v1alpha1 - -type OIDCClientExpansion interface{} diff --git a/generated/1.23/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go b/generated/1.23/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go deleted file mode 100644 index 7891e154..00000000 --- a/generated/1.23/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go +++ /dev/null 
@@ -1,94 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by client-gen. DO NOT EDIT. - -package v1alpha1 - -import ( - "net/http" - - v1alpha1 "go.pinniped.dev/generated/1.23/apis/supervisor/oauth/v1alpha1" - "go.pinniped.dev/generated/1.23/client/supervisor/clientset/versioned/scheme" - rest "k8s.io/client-go/rest" -) - -type OauthV1alpha1Interface interface { - RESTClient() rest.Interface - OIDCClientsGetter -} - -// OauthV1alpha1Client is used to interact with features provided by the oauth.supervisor.pinniped.dev group. -type OauthV1alpha1Client struct { - restClient rest.Interface -} - -func (c *OauthV1alpha1Client) OIDCClients(namespace string) OIDCClientInterface { - return newOIDCClients(c, namespace) -} - -// NewForConfig creates a new OauthV1alpha1Client for the given config. -// NewForConfig is equivalent to NewForConfigAndClient(c, httpClient), -// where httpClient was generated with rest.HTTPClientFor(c). -func NewForConfig(c *rest.Config) (*OauthV1alpha1Client, error) { - config := *c - if err := setConfigDefaults(&config); err != nil { - return nil, err - } - httpClient, err := rest.HTTPClientFor(&config) - if err != nil { - return nil, err - } - return NewForConfigAndClient(&config, httpClient) -} - -// NewForConfigAndClient creates a new OauthV1alpha1Client for the given config and http client. -// Note the http client provided takes precedence over the configured transport values. -func NewForConfigAndClient(c *rest.Config, h *http.Client) (*OauthV1alpha1Client, error) { - config := *c - if err := setConfigDefaults(&config); err != nil { - return nil, err - } - client, err := rest.RESTClientForConfigAndClient(&config, h) - if err != nil { - return nil, err - } - return &OauthV1alpha1Client{client}, nil -} - -// NewForConfigOrDie creates a new OauthV1alpha1Client for the given config and -// panics if there is an error in the config. 
-func NewForConfigOrDie(c *rest.Config) *OauthV1alpha1Client { - client, err := NewForConfig(c) - if err != nil { - panic(err) - } - return client -} - -// New creates a new OauthV1alpha1Client for the given RESTClient. -func New(c rest.Interface) *OauthV1alpha1Client { - return &OauthV1alpha1Client{c} -} - -func setConfigDefaults(config *rest.Config) error { - gv := v1alpha1.SchemeGroupVersion - config.GroupVersion = &gv - config.APIPath = "/apis" - config.NegotiatedSerializer = scheme.Codecs.WithoutConversion() - - if config.UserAgent == "" { - config.UserAgent = rest.DefaultKubernetesUserAgent() - } - - return nil -} - -// RESTClient returns a RESTClient that is used to communicate -// with API server by this client implementation. -func (c *OauthV1alpha1Client) RESTClient() rest.Interface { - if c == nil { - return nil - } - return c.restClient -} diff --git a/generated/1.23/client/supervisor/informers/externalversions/config/v1alpha1/interface.go b/generated/1.23/client/supervisor/informers/externalversions/config/v1alpha1/interface.go index c2a3fb35..c23807e9 100644 --- a/generated/1.23/client/supervisor/informers/externalversions/config/v1alpha1/interface.go +++ b/generated/1.23/client/supervisor/informers/externalversions/config/v1alpha1/interface.go @@ -13,6 +13,8 @@ import ( type Interface interface { // FederationDomains returns a FederationDomainInformer. FederationDomains() FederationDomainInformer + // OIDCClients returns a OIDCClientInformer. + OIDCClients() OIDCClientInformer } type version struct { 
@@ -30,3 +32,8 @@ func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakList func (v *version) FederationDomains() FederationDomainInformer { return &federationDomainInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions} } + +// OIDCClients returns a OIDCClientInformer. +func (v *version) OIDCClients() OIDCClientInformer { + return &oIDCClientInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions} +} diff --git a/generated/1.23/client/supervisor/informers/externalversions/oauth/v1alpha1/oidcclient.go b/generated/1.23/client/supervisor/informers/externalversions/config/v1alpha1/oidcclient.go similarity index 88% rename from generated/1.23/client/supervisor/informers/externalversions/oauth/v1alpha1/oidcclient.go rename to generated/1.23/client/supervisor/informers/externalversions/config/v1alpha1/oidcclient.go index a7fdc001..73b0bc9a 100644 --- a/generated/1.23/client/supervisor/informers/externalversions/oauth/v1alpha1/oidcclient.go +++ b/generated/1.23/client/supervisor/informers/externalversions/config/v1alpha1/oidcclient.go @@ -9,10 +9,10 @@ import ( "context" time "time" - oauthv1alpha1 "go.pinniped.dev/generated/1.23/apis/supervisor/oauth/v1alpha1" + configv1alpha1 "go.pinniped.dev/generated/1.23/apis/supervisor/config/v1alpha1" versioned "go.pinniped.dev/generated/1.23/client/supervisor/clientset/versioned" internalinterfaces "go.pinniped.dev/generated/1.23/client/supervisor/informers/externalversions/internalinterfaces" - v1alpha1 "go.pinniped.dev/generated/1.23/client/supervisor/listers/oauth/v1alpha1" + v1alpha1 "go.pinniped.dev/generated/1.23/client/supervisor/listers/config/v1alpha1" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" runtime "k8s.io/apimachinery/pkg/runtime" watch "k8s.io/apimachinery/pkg/watch" 
@@ -49,16 +49,16 @@ func NewFilteredOIDCClientInformer(client versioned.Interface, namespace string, if tweakListOptions != nil { tweakListOptions(&options) } - return client.OauthV1alpha1().OIDCClients(namespace).List(context.TODO(), options) + return client.ConfigV1alpha1().OIDCClients(namespace).List(context.TODO(), options) }, WatchFunc: func(options v1.ListOptions) (watch.Interface, error) { if tweakListOptions != nil { tweakListOptions(&options) } - return client.OauthV1alpha1().OIDCClients(namespace).Watch(context.TODO(), options) + return client.ConfigV1alpha1().OIDCClients(namespace).Watch(context.TODO(), options) }, }, - &oauthv1alpha1.OIDCClient{}, + &configv1alpha1.OIDCClient{}, resyncPeriod, indexers, ) @@ -69,7 +69,7 @@ func (f *oIDCClientInformer) defaultInformer(client versioned.Interface, resyncP } func (f *oIDCClientInformer) Informer() cache.SharedIndexInformer { - return f.factory.InformerFor(&oauthv1alpha1.OIDCClient{}, f.defaultInformer) + return f.factory.InformerFor(&configv1alpha1.OIDCClient{}, f.defaultInformer) } func (f *oIDCClientInformer) Lister() v1alpha1.OIDCClientLister { diff --git a/generated/1.23/client/supervisor/informers/externalversions/factory.go b/generated/1.23/client/supervisor/informers/externalversions/factory.go index 690cfe62..25a2ea38 100644 --- a/generated/1.23/client/supervisor/informers/externalversions/factory.go +++ b/generated/1.23/client/supervisor/informers/externalversions/factory.go 
@@ -14,7 +14,6 @@ import ( config "go.pinniped.dev/generated/1.23/client/supervisor/informers/externalversions/config" idp "go.pinniped.dev/generated/1.23/client/supervisor/informers/externalversions/idp" internalinterfaces "go.pinniped.dev/generated/1.23/client/supervisor/informers/externalversions/internalinterfaces" - oauth "go.pinniped.dev/generated/1.23/client/supervisor/informers/externalversions/oauth" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" runtime "k8s.io/apimachinery/pkg/runtime" schema "k8s.io/apimachinery/pkg/runtime/schema" @@ -163,7 +162,6 @@ type SharedInformerFactory interface { Config() config.Interface IDP() idp.Interface - Oauth() oauth.Interface } func (f *sharedInformerFactory) Config() config.Interface { @@ -173,7 +171,3 @@ func (f *sharedInformerFactory) Config() config.Interface { func (f *sharedInformerFactory) IDP() idp.Interface { return idp.New(f, f.namespace, f.tweakListOptions) } - -func (f *sharedInformerFactory) Oauth() oauth.Interface { - return oauth.New(f, f.namespace, f.tweakListOptions) -} diff --git a/generated/1.23/client/supervisor/informers/externalversions/generic.go b/generated/1.23/client/supervisor/informers/externalversions/generic.go index da434169..4d9f6dce 100644 --- a/generated/1.23/client/supervisor/informers/externalversions/generic.go +++ b/generated/1.23/client/supervisor/informers/externalversions/generic.go @@ -10,7 +10,6 @@ import ( v1alpha1 "go.pinniped.dev/generated/1.23/apis/supervisor/config/v1alpha1" idpv1alpha1 "go.pinniped.dev/generated/1.23/apis/supervisor/idp/v1alpha1" - oauthv1alpha1 "go.pinniped.dev/generated/1.23/apis/supervisor/oauth/v1alpha1" schema "k8s.io/apimachinery/pkg/runtime/schema" cache "k8s.io/client-go/tools/cache" ) 
@@ -44,6 +43,8 @@ func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource // Group=config.supervisor.pinniped.dev, Version=v1alpha1 case v1alpha1.SchemeGroupVersion.WithResource("federationdomains"): return &genericInformer{resource: resource.GroupResource(), informer: f.Config().V1alpha1().FederationDomains().Informer()}, nil + case v1alpha1.SchemeGroupVersion.WithResource("oidcclients"): + return &genericInformer{resource: resource.GroupResource(), informer: f.Config().V1alpha1().OIDCClients().Informer()}, nil // Group=idp.supervisor.pinniped.dev, Version=v1alpha1 case idpv1alpha1.SchemeGroupVersion.WithResource("activedirectoryidentityproviders"): @@ -53,10 +54,6 @@ func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource case idpv1alpha1.SchemeGroupVersion.WithResource("oidcidentityproviders"): return &genericInformer{resource: resource.GroupResource(), informer: f.IDP().V1alpha1().OIDCIdentityProviders().Informer()}, nil - // Group=oauth.supervisor.pinniped.dev, Version=v1alpha1 - case oauthv1alpha1.SchemeGroupVersion.WithResource("oidcclients"): - return &genericInformer{resource: resource.GroupResource(), informer: f.Oauth().V1alpha1().OIDCClients().Informer()}, nil - } return nil, fmt.Errorf("no informer found for %v", resource) diff --git a/generated/1.23/client/supervisor/informers/externalversions/oauth/interface.go b/generated/1.23/client/supervisor/informers/externalversions/oauth/interface.go deleted file mode 100644 index f5bbdc54..00000000 --- a/generated/1.23/client/supervisor/informers/externalversions/oauth/interface.go +++ /dev/null 
@@ -1,33 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by informer-gen. DO NOT EDIT. - -package oauth - -import ( - internalinterfaces "go.pinniped.dev/generated/1.23/client/supervisor/informers/externalversions/internalinterfaces" - v1alpha1 "go.pinniped.dev/generated/1.23/client/supervisor/informers/externalversions/oauth/v1alpha1" -) - -// Interface provides access to each of this group's versions. -type Interface interface { - // V1alpha1 provides access to shared informers for resources in V1alpha1. - V1alpha1() v1alpha1.Interface -} - -type group struct { - factory internalinterfaces.SharedInformerFactory - namespace string - tweakListOptions internalinterfaces.TweakListOptionsFunc -} - -// New returns a new Interface. -func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakListOptions internalinterfaces.TweakListOptionsFunc) Interface { - return &group{factory: f, namespace: namespace, tweakListOptions: tweakListOptions} -} - -// V1alpha1 returns a new v1alpha1.Interface. -func (g *group) V1alpha1() v1alpha1.Interface { - return v1alpha1.New(g.factory, g.namespace, g.tweakListOptions) -} diff --git a/generated/1.23/client/supervisor/informers/externalversions/oauth/v1alpha1/interface.go b/generated/1.23/client/supervisor/informers/externalversions/oauth/v1alpha1/interface.go deleted file mode 100644 index 6d128bf0..00000000 --- a/generated/1.23/client/supervisor/informers/externalversions/oauth/v1alpha1/interface.go +++ /dev/null 
@@ -1,32 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by informer-gen. DO NOT EDIT. - -package v1alpha1 - -import ( - internalinterfaces "go.pinniped.dev/generated/1.23/client/supervisor/informers/externalversions/internalinterfaces" -) - -// Interface provides access to all the informers in this group version. -type Interface interface { - // OIDCClients returns a OIDCClientInformer. - OIDCClients() OIDCClientInformer -} - -type version struct { - factory internalinterfaces.SharedInformerFactory - namespace string - tweakListOptions internalinterfaces.TweakListOptionsFunc -} - -// New returns a new Interface. -func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakListOptions internalinterfaces.TweakListOptionsFunc) Interface { - return &version{factory: f, namespace: namespace, tweakListOptions: tweakListOptions} -} - -// OIDCClients returns a OIDCClientInformer. -func (v *version) OIDCClients() OIDCClientInformer { - return &oIDCClientInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions} -} diff --git a/generated/1.23/client/supervisor/listers/config/v1alpha1/expansion_generated.go b/generated/1.23/client/supervisor/listers/config/v1alpha1/expansion_generated.go index d59892c4..bda2f20e 100644 --- a/generated/1.23/client/supervisor/listers/config/v1alpha1/expansion_generated.go +++ b/generated/1.23/client/supervisor/listers/config/v1alpha1/expansion_generated.go 
@@ -12,3 +12,11 @@ type FederationDomainListerExpansion interface{} // FederationDomainNamespaceListerExpansion allows custom methods to be added to // FederationDomainNamespaceLister. type FederationDomainNamespaceListerExpansion interface{} + +// OIDCClientListerExpansion allows custom methods to be added to +// OIDCClientLister. +type OIDCClientListerExpansion interface{} + +// OIDCClientNamespaceListerExpansion allows custom methods to be added to +// OIDCClientNamespaceLister. +type OIDCClientNamespaceListerExpansion interface{} diff --git a/generated/1.23/client/supervisor/listers/config/v1alpha1/oidcclient.go b/generated/1.23/client/supervisor/listers/config/v1alpha1/oidcclient.go new file mode 100644 index 00000000..b661faa8 --- /dev/null +++ b/generated/1.23/client/supervisor/listers/config/v1alpha1/oidcclient.go 
@@ -0,0 +1,86 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by lister-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + v1alpha1 "go.pinniped.dev/generated/1.23/apis/supervisor/config/v1alpha1" + "k8s.io/apimachinery/pkg/api/errors" + "k8s.io/apimachinery/pkg/labels" + "k8s.io/client-go/tools/cache" +) + +// OIDCClientLister helps list OIDCClients. +// All objects returned here must be treated as read-only. +type OIDCClientLister interface { + // List lists all OIDCClients in the indexer. + // Objects returned here must be treated as read-only. + List(selector labels.Selector) (ret []*v1alpha1.OIDCClient, err error) + // OIDCClients returns an object that can list and get OIDCClients. + OIDCClients(namespace string) OIDCClientNamespaceLister + OIDCClientListerExpansion +} + +// oIDCClientLister implements the OIDCClientLister interface. +type oIDCClientLister struct { + indexer cache.Indexer +} + +// NewOIDCClientLister returns a new OIDCClientLister. +func NewOIDCClientLister(indexer cache.Indexer) OIDCClientLister { + return &oIDCClientLister{indexer: indexer} +} + +// List lists all OIDCClients in the indexer. +func (s *oIDCClientLister) List(selector labels.Selector) (ret []*v1alpha1.OIDCClient, err error) { + err = cache.ListAll(s.indexer, selector, func(m interface{}) { + ret = append(ret, m.(*v1alpha1.OIDCClient)) + }) + return ret, err +} + +// OIDCClients returns an object that can list and get OIDCClients. +func (s *oIDCClientLister) OIDCClients(namespace string) OIDCClientNamespaceLister { + return oIDCClientNamespaceLister{indexer: s.indexer, namespace: namespace} +} + +// OIDCClientNamespaceLister helps list and get OIDCClients. +// All objects returned here must be treated as read-only. +type OIDCClientNamespaceLister interface { + // List lists all OIDCClients in the indexer for a given namespace. + // Objects returned here must be treated as read-only. 
+ List(selector labels.Selector) (ret []*v1alpha1.OIDCClient, err error) + // Get retrieves the OIDCClient from the indexer for a given namespace and name. + // Objects returned here must be treated as read-only. + Get(name string) (*v1alpha1.OIDCClient, error) + OIDCClientNamespaceListerExpansion +} + +// oIDCClientNamespaceLister implements the OIDCClientNamespaceLister +// interface. +type oIDCClientNamespaceLister struct { + indexer cache.Indexer + namespace string +} + +// List lists all OIDCClients in the indexer for a given namespace. +func (s oIDCClientNamespaceLister) List(selector labels.Selector) (ret []*v1alpha1.OIDCClient, err error) { + err = cache.ListAllByNamespace(s.indexer, s.namespace, selector, func(m interface{}) { + ret = append(ret, m.(*v1alpha1.OIDCClient)) + }) + return ret, err +} + +// Get retrieves the OIDCClient from the indexer for a given namespace and name. +func (s oIDCClientNamespaceLister) Get(name string) (*v1alpha1.OIDCClient, error) { + obj, exists, err := s.indexer.GetByKey(s.namespace + "/" + name) + if err != nil { + return nil, err + } + if !exists { + return nil, errors.NewNotFound(v1alpha1.Resource("oidcclient"), name) + } + return obj.(*v1alpha1.OIDCClient), nil +} diff --git a/generated/1.23/client/supervisor/listers/oauth/v1alpha1/expansion_generated.go b/generated/1.23/client/supervisor/listers/oauth/v1alpha1/expansion_generated.go deleted file mode 100644 index c19310da..00000000 --- a/generated/1.23/client/supervisor/listers/oauth/v1alpha1/expansion_generated.go +++ /dev/null 
@@ -1,14 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by lister-gen. DO NOT EDIT. - -package v1alpha1 - -// OIDCClientListerExpansion allows custom methods to be added to -// OIDCClientLister. -type OIDCClientListerExpansion interface{} - -// OIDCClientNamespaceListerExpansion allows custom methods to be added to -// OIDCClientNamespaceLister. -type OIDCClientNamespaceListerExpansion interface{} diff --git a/generated/1.23/client/supervisor/listers/oauth/v1alpha1/oidcclient.go b/generated/1.23/client/supervisor/listers/oauth/v1alpha1/oidcclient.go deleted file mode 100644 index 28d81d93..00000000 --- a/generated/1.23/client/supervisor/listers/oauth/v1alpha1/oidcclient.go +++ /dev/null 
@@ -1,86 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by lister-gen. DO NOT EDIT. - -package v1alpha1 - -import ( - v1alpha1 "go.pinniped.dev/generated/1.23/apis/supervisor/oauth/v1alpha1" - "k8s.io/apimachinery/pkg/api/errors" - "k8s.io/apimachinery/pkg/labels" - "k8s.io/client-go/tools/cache" -) - -// OIDCClientLister helps list OIDCClients. -// All objects returned here must be treated as read-only. -type OIDCClientLister interface { - // List lists all OIDCClients in the indexer. - // Objects returned here must be treated as read-only. - List(selector labels.Selector) (ret []*v1alpha1.OIDCClient, err error) - // OIDCClients returns an object that can list and get OIDCClients. - OIDCClients(namespace string) OIDCClientNamespaceLister - OIDCClientListerExpansion -} - -// oIDCClientLister implements the OIDCClientLister interface. -type oIDCClientLister struct { - indexer cache.Indexer -} - -// NewOIDCClientLister returns a new OIDCClientLister. -func NewOIDCClientLister(indexer cache.Indexer) OIDCClientLister { - return &oIDCClientLister{indexer: indexer} -} - -// List lists all OIDCClients in the indexer. -func (s *oIDCClientLister) List(selector labels.Selector) (ret []*v1alpha1.OIDCClient, err error) { - err = cache.ListAll(s.indexer, selector, func(m interface{}) { - ret = append(ret, m.(*v1alpha1.OIDCClient)) - }) - return ret, err -} - -// OIDCClients returns an object that can list and get OIDCClients. -func (s *oIDCClientLister) OIDCClients(namespace string) OIDCClientNamespaceLister { - return oIDCClientNamespaceLister{indexer: s.indexer, namespace: namespace} -} - -// OIDCClientNamespaceLister helps list and get OIDCClients. -// All objects returned here must be treated as read-only. -type OIDCClientNamespaceLister interface { - // List lists all OIDCClients in the indexer for a given namespace. - // Objects returned here must be treated as read-only. 
- List(selector labels.Selector) (ret []*v1alpha1.OIDCClient, err error) - // Get retrieves the OIDCClient from the indexer for a given namespace and name. - // Objects returned here must be treated as read-only. - Get(name string) (*v1alpha1.OIDCClient, error) - OIDCClientNamespaceListerExpansion -} - -// oIDCClientNamespaceLister implements the OIDCClientNamespaceLister -// interface. -type oIDCClientNamespaceLister struct { - indexer cache.Indexer - namespace string -} - -// List lists all OIDCClients in the indexer for a given namespace. -func (s oIDCClientNamespaceLister) List(selector labels.Selector) (ret []*v1alpha1.OIDCClient, err error) { - err = cache.ListAllByNamespace(s.indexer, s.namespace, selector, func(m interface{}) { - ret = append(ret, m.(*v1alpha1.OIDCClient)) - }) - return ret, err -} - -// Get retrieves the OIDCClient from the indexer for a given namespace and name. -func (s oIDCClientNamespaceLister) Get(name string) (*v1alpha1.OIDCClient, error) { - obj, exists, err := s.indexer.GetByKey(s.namespace + "/" + name) - if err != nil { - return nil, err - } - if !exists { - return nil, errors.NewNotFound(v1alpha1.Resource("oidcclient"), name) - } - return obj.(*v1alpha1.OIDCClient), nil -} diff --git a/generated/1.23/crds/config.supervisor.pinniped.dev_oidcclients.yaml b/generated/1.23/crds/config.supervisor.pinniped.dev_oidcclients.yaml new file mode 100644 index 00000000..4efa445e --- /dev/null +++ b/generated/1.23/crds/config.supervisor.pinniped.dev_oidcclients.yaml 
@@ -0,0 +1,125 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.8.0 + creationTimestamp: null + name: oidcclients.config.supervisor.pinniped.dev +spec: + group: config.supervisor.pinniped.dev + names: + categories: + - pinniped + kind: OIDCClient + listKind: OIDCClientList + plural: oidcclients + singular: oidcclient + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: OIDCClient describes the configuration of an OIDC client. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec of the OIDC client. + properties: + allowedGrantTypes: + description: "allowedGrantTypes is a list of the allowed grant_type + param values that should be accepted during OIDC flows with this + client. \n Must only contain the following values: - authorization_code: + allows the client to perform the authorization code grant flow, + i.e. allows the webapp to authenticate users. This grant must always + be listed. - refresh_token: allows the client to perform refresh + grants for the user to extend the user's session. This grant must + be listed if allowedScopes lists offline_access. 
- urn:ietf:params:oauth:grant-type:token-exchange: + allows the client to perform RFC8693 token exchange, which is a + step in the process to be able to get a cluster credential for the + user. This grant must be listed if allowedScopes lists pinniped:request-audience." + items: + enum: + - authorization_code + - refresh_token + - urn:ietf:params:oauth:grant-type:token-exchange + type: string + minItems: 1 + type: array + allowedRedirectURIs: + description: allowedRedirectURIs is a list of the allowed redirect_uri + param values that should be accepted during OIDC flows with this + client. Any other uris will be rejected. Must be https, unless it + is a loopback. + items: + type: string + minItems: 1 + type: array + allowedScopes: + description: "allowedScopes is a list of the allowed scopes param + values that should be accepted during OIDC flows with this client. + \n Must only contain the following values: - openid: The client + is allowed to request ID tokens. ID tokens only include the required + claims by default (iss, sub, aud, exp, iat). This scope must always + be listed. - offline_access: The client is allowed to request an + initial refresh token during the authorization code grant flow. + This scope must be listed if allowedGrantTypes lists refresh_token. + - pinniped:request-audience: The client is allowed to request a + new audience value during a RFC8693 token exchange, which is a step + in the process to be able to get a cluster credential for the user. + openid, username and groups scopes must be listed when this scope + is present. This scope must be listed if allowedGrantTypes lists + urn:ietf:params:oauth:grant-type:token-exchange. - username: The + client is allowed to request that ID tokens contain the user's username. + Without the username scope being requested and allowed, the ID token + will not contain the user's username. 
- groups: The client is allowed + to request that ID tokens contain the user's group membership, if + their group membership is discoverable by the Supervisor. Without + the groups scope being requested and allowed, the ID token will + not contain groups." + items: + enum: + - openid + - offline_access + - username + - groups + - pinniped:request-audience + type: string + minItems: 1 + type: array + required: + - allowedGrantTypes + - allowedRedirectURIs + - allowedScopes + type: object + status: + description: Status of the OIDC client. + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/generated/1.23/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml b/generated/1.23/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml deleted file mode 100644 index 589a9154..00000000 --- a/generated/1.23/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml +++ /dev/null 
@@ -1,125 +0,0 @@ ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.8.0 - creationTimestamp: null - name: oidcclients.oauth.supervisor.pinniped.dev -spec: - group: oauth.supervisor.pinniped.dev - names: - categories: - - pinniped - kind: OIDCClient - listKind: OIDCClientList - plural: oidcclients - singular: oidcclient - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - description: OIDCClient describes the configuration of an OIDC client. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: Spec of the OIDC client. - properties: - allowedGrantTypes: - description: "allowedGrantTypes is a list of the allowed grant_type - param values that should be accepted during OIDC flows with this - client. \n Must only contain the following values: - authorization_code: - allows the client to perform the authorization code grant flow, - i.e. allows the webapp to authenticate users. This grant must always - be listed. - refresh_token: allows the client to perform refresh - grants for the user to extend the user's session. This grant must - be listed if allowedScopes lists offline_access. 
- urn:ietf:params:oauth:grant-type:token-exchange: - allows the client to perform RFC8693 token exchange, which is a - step in the process to be able to get a cluster credential for the - user. This grant must be listed if allowedScopes lists pinniped:request-audience." - items: - enum: - - authorization_code - - refresh_token - - urn:ietf:params:oauth:grant-type:token-exchange - type: string - minItems: 1 - type: array - allowedRedirectURIs: - description: allowedRedirectURIs is a list of the allowed redirect_uri - param values that should be accepted during OIDC flows with this - client. Any other uris will be rejected. Must be https, unless it - is a loopback. - items: - type: string - minItems: 1 - type: array - allowedScopes: - description: "allowedScopes is a list of the allowed scopes param - values that should be accepted during OIDC flows with this client. - \n Must only contain the following values: - openid: The client - is allowed to request ID tokens. ID tokens only include the required - claims by default (iss, sub, aud, exp, iat). This scope must always - be listed. - offline_access: The client is allowed to request an - initial refresh token during the authorization code grant flow. - This scope must be listed if allowedGrantTypes lists refresh_token. - - pinniped:request-audience: The client is allowed to request a - new audience value during a RFC8693 token exchange, which is a step - in the process to be able to get a cluster credential for the user. - openid, username and groups scopes must be listed when this scope - is present. This scope must be listed if allowedGrantTypes lists - urn:ietf:params:oauth:grant-type:token-exchange. - username: The - client is allowed to request that ID tokens contain the user's username. - Without the username scope being requested and allowed, the ID token - will not contain the user's username. 
- groups: The client is allowed - to request that ID tokens contain the user's group membership, if - their group membership is discoverable by the Supervisor. Without - the groups scope being requested and allowed, the ID token will - not contain groups." - items: - enum: - - openid - - offline_access - - username - - groups - - pinniped:request-audience - type: string - minItems: 1 - type: array - required: - - allowedGrantTypes - - allowedRedirectURIs - - allowedScopes - type: object - status: - description: Status of the OIDC client. - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] diff --git a/generated/1.24/README.adoc b/generated/1.24/README.adoc index 381b2f7e..9255c3d4 100644 --- a/generated/1.24/README.adoc +++ b/generated/1.24/README.adoc @@ -12,7 +12,6 @@ - xref:{anchor_prefix}-identity-concierge-pinniped-dev-v1alpha1[$$identity.concierge.pinniped.dev/v1alpha1$$] - xref:{anchor_prefix}-idp-supervisor-pinniped-dev-v1alpha1[$$idp.supervisor.pinniped.dev/v1alpha1$$] - xref:{anchor_prefix}-login-concierge-pinniped-dev-v1alpha1[$$login.concierge.pinniped.dev/v1alpha1$$] -- xref:{anchor_prefix}-oauth-supervisor-pinniped-dev-v1alpha1[$$oauth.supervisor.pinniped.dev/v1alpha1$$] [id="{anchor_prefix}-authentication-concierge-pinniped-dev-v1alpha1"] 
@@ -544,6 +543,51 @@ FederationDomainTLSSpec is a struct that describes the TLS configuration for an |=== +[id="{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-config-v1alpha1-oidcclient"] +==== OIDCClient + +OIDCClient describes the configuration of an OIDC client. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-config-v1alpha1-oidcclientlist[$$OIDCClientList$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`. + +| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-config-v1alpha1-oidcclientspec[$$OIDCClientSpec$$]__ | Spec of the OIDC client. +| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-config-v1alpha1-oidcclientstatus[$$OIDCClientStatus$$]__ | Status of the OIDC client. +|=== + + + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-config-v1alpha1-oidcclientspec"] +==== OIDCClientSpec + +OIDCClientSpec is a struct that describes an OIDC Client. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-config-v1alpha1-oidcclient[$$OIDCClient$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`allowedRedirectURIs`* __string array__ | allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this client. Any other uris will be rejected. Must be https, unless it is a loopback. +| *`allowedGrantTypes`* __GrantType array__ | allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this client. + Must only contain the following values: - authorization_code: allows the client to perform the authorization code grant flow, i.e. 
allows the webapp to authenticate users. This grant must always be listed. - refresh_token: allows the client to perform refresh grants for the user to extend the user's session. This grant must be listed if allowedScopes lists offline_access. - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. This grant must be listed if allowedScopes lists pinniped:request-audience. +| *`allowedScopes`* __Scope array__ | allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. + Must only contain the following values: - openid: The client is allowed to request ID tokens. ID tokens only include the required claims by default (iss, sub, aud, exp, iat). This scope must always be listed. - offline_access: The client is allowed to request an initial refresh token during the authorization code grant flow. This scope must be listed if allowedGrantTypes lists refresh_token. - pinniped:request-audience: The client is allowed to request a new audience value during a RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. openid, username and groups scopes must be listed when this scope is present. This scope must be listed if allowedGrantTypes lists urn:ietf:params:oauth:grant-type:token-exchange. - username: The client is allowed to request that ID tokens contain the user's username. Without the username scope being requested and allowed, the ID token will not contain the user's username. - groups: The client is allowed to request that ID tokens contain the user's group membership, if their group membership is discoverable by the Supervisor. Without the groups scope being requested and allowed, the ID token will not contain groups. 
+|=== + + + + [id="{anchor_prefix}-identity-concierge-pinniped-dev-identity"] === identity.concierge.pinniped.dev/identity 
@@ -1333,56 +1377,3 @@ TokenCredentialRequestStatus is the status of a TokenCredentialRequest, returned |=== - -[id="{anchor_prefix}-oauth-supervisor-pinniped-dev-v1alpha1"] -=== oauth.supervisor.pinniped.dev/v1alpha1 - -Package v1alpha1 is the v1alpha1 version of the Pinniped supervisor oauth API. - - - -[id="{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-oauth-v1alpha1-oidcclient"] -==== OIDCClient - -OIDCClient describes the configuration of an OIDC client. - -.Appears In: -**** -- xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-oauth-v1alpha1-oidcclientlist[$$OIDCClientList$$] -**** - -[cols="25a,75a", options="header"] -|=== -| Field | Description -| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`. - -| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-oauth-v1alpha1-oidcclientspec[$$OIDCClientSpec$$]__ | Spec of the OIDC client. -| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-oauth-v1alpha1-oidcclientstatus[$$OIDCClientStatus$$]__ | Status of the OIDC client. -|=== - - - - -[id="{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-oauth-v1alpha1-oidcclientspec"] -==== OIDCClientSpec - -OIDCClientSpec is a struct that describes an OIDC Client. - -.Appears In: -**** -- xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-oauth-v1alpha1-oidcclient[$$OIDCClient$$] -**** - -[cols="25a,75a", options="header"] -|=== -| Field | Description -| *`allowedRedirectURIs`* __string array__ | allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this client. Any other uris will be rejected. Must be https, unless it is a loopback. 
-| *`allowedGrantTypes`* __GrantType array__ | allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this client. - Must only contain the following values: - authorization_code: allows the client to perform the authorization code grant flow, i.e. allows the webapp to authenticate users. This grant must always be listed. - refresh_token: allows the client to perform refresh grants for the user to extend the user's session. This grant must be listed if allowedScopes lists offline_access. - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. This grant must be listed if allowedScopes lists pinniped:request-audience. -| *`allowedScopes`* __Scope array__ | allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. - Must only contain the following values: - openid: The client is allowed to request ID tokens. ID tokens only include the required claims by default (iss, sub, aud, exp, iat). This scope must always be listed. - offline_access: The client is allowed to request an initial refresh token during the authorization code grant flow. This scope must be listed if allowedGrantTypes lists refresh_token. - pinniped:request-audience: The client is allowed to request a new audience value during a RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. openid, username and groups scopes must be listed when this scope is present. This scope must be listed if allowedGrantTypes lists urn:ietf:params:oauth:grant-type:token-exchange. - username: The client is allowed to request that ID tokens contain the user's username. Without the username scope being requested and allowed, the ID token will not contain the user's username. 
- groups: The client is allowed to request that ID tokens contain the user's group membership, if their group membership is discoverable by the Supervisor. Without the groups scope being requested and allowed, the ID token will not contain groups.
-|===
-
-
-
-
diff --git a/generated/1.24/apis/supervisor/config/v1alpha1/register.go b/generated/1.24/apis/supervisor/config/v1alpha1/register.go
index 69045298..54c51699 100644
--- a/generated/1.24/apis/supervisor/config/v1alpha1/register.go
+++ b/generated/1.24/apis/supervisor/config/v1alpha1/register.go
@@ -32,6 +32,8 @@ func addKnownTypes(scheme *runtime.Scheme) error {
 scheme.AddKnownTypes(SchemeGroupVersion,
 &FederationDomain{},
 &FederationDomainList{},
+ &OIDCClient{},
+ &OIDCClientList{},
 )
 metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
 return nil
diff --git a/generated/1.24/apis/supervisor/oauth/v1alpha1/types_oidcclient.go b/generated/1.24/apis/supervisor/config/v1alpha1/types_oidcclient.go
similarity index 100%
rename from generated/1.24/apis/supervisor/oauth/v1alpha1/types_oidcclient.go
rename to generated/1.24/apis/supervisor/config/v1alpha1/types_oidcclient.go
diff --git a/generated/1.24/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go b/generated/1.24/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go
index 856b8988..a55d88e7 100644
--- a/generated/1.24/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go
+++ b/generated/1.24/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go
@@ -150,3 +150,111 @@ func (in *FederationDomainTLSSpec) DeepCopy() *FederationDomainTLSSpec { in.DeepCopyInto(out) return out } + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCClient) DeepCopyInto(out *OIDCClient) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + in.Spec.DeepCopyInto(&out.Spec) + out.Status = in.Status + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClient. +func (in *OIDCClient) DeepCopy() *OIDCClient { + if in == nil { + return nil + } + out := new(OIDCClient) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *OIDCClient) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCClientList) DeepCopyInto(out *OIDCClientList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]OIDCClient, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientList. +func (in *OIDCClientList) DeepCopy() *OIDCClientList { + if in == nil { + return nil + } + out := new(OIDCClientList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *OIDCClientList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. 
in must be non-nil. +func (in *OIDCClientSpec) DeepCopyInto(out *OIDCClientSpec) { + *out = *in + if in.AllowedRedirectURIs != nil { + in, out := &in.AllowedRedirectURIs, &out.AllowedRedirectURIs + *out = make([]string, len(*in)) + copy(*out, *in) + } + if in.AllowedGrantTypes != nil { + in, out := &in.AllowedGrantTypes, &out.AllowedGrantTypes + *out = make([]GrantType, len(*in)) + copy(*out, *in) + } + if in.AllowedScopes != nil { + in, out := &in.AllowedScopes, &out.AllowedScopes + *out = make([]Scope, len(*in)) + copy(*out, *in) + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSpec. +func (in *OIDCClientSpec) DeepCopy() *OIDCClientSpec { + if in == nil { + return nil + } + out := new(OIDCClientSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCClientStatus) DeepCopyInto(out *OIDCClientStatus) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientStatus. +func (in *OIDCClientStatus) DeepCopy() *OIDCClientStatus { + if in == nil { + return nil + } + out := new(OIDCClientStatus) + in.DeepCopyInto(out) + return out +} diff --git a/generated/1.24/apis/supervisor/oauth/v1alpha1/doc.go b/generated/1.24/apis/supervisor/oauth/v1alpha1/doc.go deleted file mode 100644 index 75580481..00000000 --- a/generated/1.24/apis/supervisor/oauth/v1alpha1/doc.go +++ /dev/null @@ -1,10 +0,0 @@ -// Copyright 2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// +k8s:openapi-gen=true -// +k8s:deepcopy-gen=package -// +k8s:defaulter-gen=TypeMeta -// +groupName=oauth.supervisor.pinniped.dev - -// Package v1alpha1 is the v1alpha1 version of the Pinniped supervisor oauth API. -package v1alpha1 
diff --git a/generated/1.24/apis/supervisor/oauth/v1alpha1/register.go b/generated/1.24/apis/supervisor/oauth/v1alpha1/register.go
deleted file mode 100644
index 37ae1fbf..00000000
--- a/generated/1.24/apis/supervisor/oauth/v1alpha1/register.go
+++ /dev/null
@@ -1,43 +0,0 @@
-// Copyright 2022 the Pinniped contributors. All Rights Reserved.
-// SPDX-License-Identifier: Apache-2.0
-
-package v1alpha1
-
-import (
- metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
- "k8s.io/apimachinery/pkg/runtime"
- "k8s.io/apimachinery/pkg/runtime/schema"
-)
-
-const GroupName = "oauth.supervisor.pinniped.dev"
-
-// SchemeGroupVersion is group version used to register these objects.
-var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha1"}
-
-var (
- SchemeBuilder runtime.SchemeBuilder
- localSchemeBuilder = &SchemeBuilder
- AddToScheme = localSchemeBuilder.AddToScheme
-)
-
-func init() {
- // We only register manually written functions here. The registration of the
- // generated functions takes place in the generated files. The separation
- // makes the code compile even when the generated files are missing.
- localSchemeBuilder.Register(addKnownTypes)
-}
-
-// Adds the list of known types to the given scheme.
-func addKnownTypes(scheme *runtime.Scheme) error {
- scheme.AddKnownTypes(SchemeGroupVersion,
- &OIDCClient{},
- &OIDCClientList{},
- )
- metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
- return nil
-}
-
-// Resource takes an unqualified resource and returns a Group qualified GroupResource.
-func Resource(resource string) schema.GroupResource {
- return SchemeGroupVersion.WithResource(resource).GroupResource()
-}
diff --git a/generated/1.24/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go b/generated/1.24/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go
deleted file mode 100644
index 1aba8aea..00000000
--- a/generated/1.24/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go
+++ /dev/null
@@ -1,121 +0,0 @@ -//go:build !ignore_autogenerated -// +build !ignore_autogenerated - -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by deepcopy-gen. DO NOT EDIT. - -package v1alpha1 - -import ( - runtime "k8s.io/apimachinery/pkg/runtime" -) - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *OIDCClient) DeepCopyInto(out *OIDCClient) { - *out = *in - out.TypeMeta = in.TypeMeta - in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) - in.Spec.DeepCopyInto(&out.Spec) - out.Status = in.Status - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClient. -func (in *OIDCClient) DeepCopy() *OIDCClient { - if in == nil { - return nil - } - out := new(OIDCClient) - in.DeepCopyInto(out) - return out -} - -// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. -func (in *OIDCClient) DeepCopyObject() runtime.Object { - if c := in.DeepCopy(); c != nil { - return c - } - return nil -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *OIDCClientList) DeepCopyInto(out *OIDCClientList) { - *out = *in - out.TypeMeta = in.TypeMeta - in.ListMeta.DeepCopyInto(&out.ListMeta) - if in.Items != nil { - in, out := &in.Items, &out.Items - *out = make([]OIDCClient, len(*in)) - for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) - } - } - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientList. -func (in *OIDCClientList) DeepCopy() *OIDCClientList { - if in == nil { - return nil - } - out := new(OIDCClientList) - in.DeepCopyInto(out) - return out -} - -// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. 
-func (in *OIDCClientList) DeepCopyObject() runtime.Object { - if c := in.DeepCopy(); c != nil { - return c - } - return nil -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *OIDCClientSpec) DeepCopyInto(out *OIDCClientSpec) { - *out = *in - if in.AllowedRedirectURIs != nil { - in, out := &in.AllowedRedirectURIs, &out.AllowedRedirectURIs - *out = make([]string, len(*in)) - copy(*out, *in) - } - if in.AllowedGrantTypes != nil { - in, out := &in.AllowedGrantTypes, &out.AllowedGrantTypes - *out = make([]GrantType, len(*in)) - copy(*out, *in) - } - if in.AllowedScopes != nil { - in, out := &in.AllowedScopes, &out.AllowedScopes - *out = make([]Scope, len(*in)) - copy(*out, *in) - } - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSpec. -func (in *OIDCClientSpec) DeepCopy() *OIDCClientSpec { - if in == nil { - return nil - } - out := new(OIDCClientSpec) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *OIDCClientStatus) DeepCopyInto(out *OIDCClientStatus) { - *out = *in - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientStatus. -func (in *OIDCClientStatus) DeepCopy() *OIDCClientStatus { - if in == nil { - return nil - } - out := new(OIDCClientStatus) - in.DeepCopyInto(out) - return out -} diff --git a/generated/1.24/client/supervisor/clientset/versioned/clientset.go b/generated/1.24/client/supervisor/clientset/versioned/clientset.go index faf9359f..39ee1be5 100644 --- a/generated/1.24/client/supervisor/clientset/versioned/clientset.go +++ b/generated/1.24/client/supervisor/clientset/versioned/clientset.go 
@@ -11,7 +11,6 @@ import (
 configv1alpha1 "go.pinniped.dev/generated/1.24/client/supervisor/clientset/versioned/typed/config/v1alpha1"
 idpv1alpha1 "go.pinniped.dev/generated/1.24/client/supervisor/clientset/versioned/typed/idp/v1alpha1"
- oauthv1alpha1 "go.pinniped.dev/generated/1.24/client/supervisor/clientset/versioned/typed/oauth/v1alpha1"
 discovery "k8s.io/client-go/discovery"
 rest "k8s.io/client-go/rest"
 flowcontrol "k8s.io/client-go/util/flowcontrol"
@@ -21,7 +20,6 @@ type Interface interface {
 Discovery() discovery.DiscoveryInterface
 ConfigV1alpha1() configv1alpha1.ConfigV1alpha1Interface
 IDPV1alpha1() idpv1alpha1.IDPV1alpha1Interface
- OauthV1alpha1() oauthv1alpha1.OauthV1alpha1Interface
 }
 // Clientset contains the clients for groups. Each group has exactly one
@@ -30,7 +28,6 @@ type Clientset struct {
 *discovery.DiscoveryClient
 configV1alpha1 *configv1alpha1.ConfigV1alpha1Client
 iDPV1alpha1 *idpv1alpha1.IDPV1alpha1Client
- oauthV1alpha1 *oauthv1alpha1.OauthV1alpha1Client
 }
 // ConfigV1alpha1 retrieves the ConfigV1alpha1Client
@@ -43,11 +40,6 @@ func (c *Clientset) IDPV1alpha1() idpv1alpha1.IDPV1alpha1Interface {
 return c.iDPV1alpha1
 }
-// OauthV1alpha1 retrieves the OauthV1alpha1Client
-func (c *Clientset) OauthV1alpha1() oauthv1alpha1.OauthV1alpha1Interface {
- return c.oauthV1alpha1
-}
-
 // Discovery retrieves the DiscoveryClient
 func (c *Clientset) Discovery() discovery.DiscoveryInterface {
 if c == nil {
@@ -100,10 +92,6 @@ func NewForConfigAndClient(c *rest.Config, httpClient *http.Client) (*Clientset,
 if err != nil {
 return nil, err
 }
- cs.oauthV1alpha1, err = oauthv1alpha1.NewForConfigAndClient(&configShallowCopy, httpClient)
- if err != nil {
- return nil, err
- }
 cs.DiscoveryClient, err = discovery.NewDiscoveryClientForConfigAndClient(&configShallowCopy, httpClient)
 if err != nil {
@@ -127,7 +115,6 @@ func New(c rest.Interface) *Clientset {
 var cs Clientset
 cs.configV1alpha1 = configv1alpha1.New(c)
 cs.iDPV1alpha1 = idpv1alpha1.New(c)
- cs.oauthV1alpha1 = oauthv1alpha1.New(c)
 cs.DiscoveryClient = discovery.NewDiscoveryClient(c)
 return &cs
diff --git a/generated/1.24/client/supervisor/clientset/versioned/fake/clientset_generated.go b/generated/1.24/client/supervisor/clientset/versioned/fake/clientset_generated.go
index 3784bd68..f613b900 100644
--- a/generated/1.24/client/supervisor/clientset/versioned/fake/clientset_generated.go
+++ b/generated/1.24/client/supervisor/clientset/versioned/fake/clientset_generated.go
@@ -11,8 +11,6 @@ import (
 fakeconfigv1alpha1 "go.pinniped.dev/generated/1.24/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake"
 idpv1alpha1 "go.pinniped.dev/generated/1.24/client/supervisor/clientset/versioned/typed/idp/v1alpha1"
 fakeidpv1alpha1 "go.pinniped.dev/generated/1.24/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake"
- oauthv1alpha1 "go.pinniped.dev/generated/1.24/client/supervisor/clientset/versioned/typed/oauth/v1alpha1"
- fakeoauthv1alpha1 "go.pinniped.dev/generated/1.24/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake"
 "k8s.io/apimachinery/pkg/runtime"
 "k8s.io/apimachinery/pkg/watch"
 "k8s.io/client-go/discovery"
@@ -79,8 +77,3 @@ func (c *Clientset) ConfigV1alpha1() configv1alpha1.ConfigV1alpha1Interface {
 func (c *Clientset) IDPV1alpha1() idpv1alpha1.IDPV1alpha1Interface {
 return &fakeidpv1alpha1.FakeIDPV1alpha1{Fake: &c.Fake}
 }
-
-// OauthV1alpha1 retrieves the OauthV1alpha1Client
-func (c *Clientset) OauthV1alpha1() oauthv1alpha1.OauthV1alpha1Interface {
- return &fakeoauthv1alpha1.FakeOauthV1alpha1{Fake: &c.Fake}
-}
diff --git a/generated/1.24/client/supervisor/clientset/versioned/fake/register.go b/generated/1.24/client/supervisor/clientset/versioned/fake/register.go
index 3ac8970f..e74fd77e 100644
--- a/generated/1.24/client/supervisor/clientset/versioned/fake/register.go
+++ b/generated/1.24/client/supervisor/clientset/versioned/fake/register.go
@@ -8,7 +8,6 @@ package fake
 import (
 configv1alpha1 "go.pinniped.dev/generated/1.24/apis/supervisor/config/v1alpha1"
 idpv1alpha1 "go.pinniped.dev/generated/1.24/apis/supervisor/idp/v1alpha1"
- oauthv1alpha1 "go.pinniped.dev/generated/1.24/apis/supervisor/oauth/v1alpha1"
 v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 runtime "k8s.io/apimachinery/pkg/runtime"
 schema "k8s.io/apimachinery/pkg/runtime/schema"
@@ -22,7 +21,6 @@ var codecs = serializer.NewCodecFactory(scheme)
 var localSchemeBuilder = runtime.SchemeBuilder{
 configv1alpha1.AddToScheme,
 idpv1alpha1.AddToScheme,
- oauthv1alpha1.AddToScheme,
 }
 // AddToScheme adds all types of this clientset into the given scheme. This allows composition
diff --git a/generated/1.24/client/supervisor/clientset/versioned/scheme/register.go b/generated/1.24/client/supervisor/clientset/versioned/scheme/register.go
index 696c9bcc..4e2cb90f 100644
--- a/generated/1.24/client/supervisor/clientset/versioned/scheme/register.go
+++ b/generated/1.24/client/supervisor/clientset/versioned/scheme/register.go
@@ -8,7 +8,6 @@ package scheme
 import (
 configv1alpha1 "go.pinniped.dev/generated/1.24/apis/supervisor/config/v1alpha1"
 idpv1alpha1 "go.pinniped.dev/generated/1.24/apis/supervisor/idp/v1alpha1"
- oauthv1alpha1 "go.pinniped.dev/generated/1.24/apis/supervisor/oauth/v1alpha1"
 v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 runtime "k8s.io/apimachinery/pkg/runtime"
 schema "k8s.io/apimachinery/pkg/runtime/schema"
@@ -22,7 +21,6 @@ var ParameterCodec = runtime.NewParameterCodec(Scheme)
 var localSchemeBuilder = runtime.SchemeBuilder{
 configv1alpha1.AddToScheme,
 idpv1alpha1.AddToScheme,
- oauthv1alpha1.AddToScheme,
 }
 // AddToScheme adds all types of this clientset into the given scheme. This allows composition
diff --git a/generated/1.24/client/supervisor/clientset/versioned/typed/config/v1alpha1/config_client.go b/generated/1.24/client/supervisor/clientset/versioned/typed/config/v1alpha1/config_client.go
index dc9ff4c2..975ae72c 100644
--- a/generated/1.24/client/supervisor/clientset/versioned/typed/config/v1alpha1/config_client.go
+++ b/generated/1.24/client/supervisor/clientset/versioned/typed/config/v1alpha1/config_client.go
@@ -16,6 +16,7 @@ import (
 type ConfigV1alpha1Interface interface {
 RESTClient() rest.Interface
 FederationDomainsGetter
+ OIDCClientsGetter
 }
 // ConfigV1alpha1Client is used to interact with features provided by the config.supervisor.pinniped.dev group.
@@ -27,6 +28,10 @@ func (c *ConfigV1alpha1Client) FederationDomains(namespace string) FederationDom
 return newFederationDomains(c, namespace)
 }
+func (c *ConfigV1alpha1Client) OIDCClients(namespace string) OIDCClientInterface {
+ return newOIDCClients(c, namespace)
+}
+
 // NewForConfig creates a new ConfigV1alpha1Client for the given config.
 // NewForConfig is equivalent to NewForConfigAndClient(c, httpClient),
 // where httpClient was generated with rest.HTTPClientFor(c).
diff --git a/generated/1.24/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake/fake_config_client.go b/generated/1.24/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake/fake_config_client.go
index 19460208..79b8be68 100644
--- a/generated/1.24/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake/fake_config_client.go
+++ b/generated/1.24/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake/fake_config_client.go
@@ -19,6 +19,10 @@ func (c *FakeConfigV1alpha1) FederationDomains(namespace string) v1alpha1.Federa
 return &FakeFederationDomains{c, namespace}
 }
+func (c *FakeConfigV1alpha1) OIDCClients(namespace string) v1alpha1.OIDCClientInterface {
+ return &FakeOIDCClients{c, namespace}
+}
+
 // RESTClient returns a RESTClient that is used to communicate
 // with API server by this client implementation.
 func (c *FakeConfigV1alpha1) RESTClient() rest.Interface {
diff --git a/generated/1.24/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oidcclient.go b/generated/1.24/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake/fake_oidcclient.go
similarity index 92%
rename from generated/1.24/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oidcclient.go
rename to generated/1.24/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake/fake_oidcclient.go
index ec6ea5cd..550031b4 100644
--- a/generated/1.24/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oidcclient.go
+++ b/generated/1.24/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake/fake_oidcclient.go
@@ -8,7 +8,7 @@ package fake
 import (
 "context"
- v1alpha1 "go.pinniped.dev/generated/1.24/apis/supervisor/oauth/v1alpha1"
+ v1alpha1 "go.pinniped.dev/generated/1.24/apis/supervisor/config/v1alpha1"
 v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 labels "k8s.io/apimachinery/pkg/labels"
 schema "k8s.io/apimachinery/pkg/runtime/schema"
@@ -19,13 +19,13 @@ import (
 // FakeOIDCClients implements OIDCClientInterface
 type FakeOIDCClients struct {
- Fake *FakeOauthV1alpha1
+ Fake *FakeConfigV1alpha1
 ns string
 }
-var oidcclientsResource = schema.GroupVersionResource{Group: "oauth.supervisor.pinniped.dev", Version: "v1alpha1", Resource: "oidcclients"}
+var oidcclientsResource = schema.GroupVersionResource{Group: "config.supervisor.pinniped.dev", Version: "v1alpha1", Resource: "oidcclients"}
-var oidcclientsKind = schema.GroupVersionKind{Group: "oauth.supervisor.pinniped.dev", Version: "v1alpha1", Kind: "OIDCClient"}
+var oidcclientsKind = schema.GroupVersionKind{Group: "config.supervisor.pinniped.dev", Version: "v1alpha1", Kind: "OIDCClient"}
 // Get takes name of the oIDCClient, and returns the corresponding oIDCClient object, and an error if there is any.
 func (c *FakeOIDCClients) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.OIDCClient, err error) {
diff --git a/generated/1.24/client/supervisor/clientset/versioned/typed/config/v1alpha1/generated_expansion.go b/generated/1.24/client/supervisor/clientset/versioned/typed/config/v1alpha1/generated_expansion.go
index ba9c9173..35b9ee3d 100644
--- a/generated/1.24/client/supervisor/clientset/versioned/typed/config/v1alpha1/generated_expansion.go
+++ b/generated/1.24/client/supervisor/clientset/versioned/typed/config/v1alpha1/generated_expansion.go
@@ -6,3 +6,5 @@ package v1alpha1
 type FederationDomainExpansion interface{}
+
+type OIDCClientExpansion interface{}
diff --git a/generated/1.24/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oidcclient.go b/generated/1.24/client/supervisor/clientset/versioned/typed/config/v1alpha1/oidcclient.go
similarity index 97%
rename from generated/1.24/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oidcclient.go
rename to generated/1.24/client/supervisor/clientset/versioned/typed/config/v1alpha1/oidcclient.go
index cdbc0f4a..c7656132 100644
--- a/generated/1.24/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oidcclient.go
+++ b/generated/1.24/client/supervisor/clientset/versioned/typed/config/v1alpha1/oidcclient.go
@@ -9,7 +9,7 @@ import (
 "context"
 "time"
- v1alpha1 "go.pinniped.dev/generated/1.24/apis/supervisor/oauth/v1alpha1"
+ v1alpha1 "go.pinniped.dev/generated/1.24/apis/supervisor/config/v1alpha1"
 scheme "go.pinniped.dev/generated/1.24/client/supervisor/clientset/versioned/scheme"
 v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 types "k8s.io/apimachinery/pkg/types"
@@ -44,7 +44,7 @@ type oIDCClients struct {
 }
 // newOIDCClients returns a OIDCClients
-func newOIDCClients(c *OauthV1alpha1Client, namespace string) *oIDCClients {
+func newOIDCClients(c *ConfigV1alpha1Client, namespace string) *oIDCClients {
 return &oIDCClients{
 client: c.RESTClient(),
 ns: namespace,
diff --git a/generated/1.24/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/doc.go b/generated/1.24/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/doc.go
deleted file mode 100644
index e7a470b6..00000000
--- a/generated/1.24/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/doc.go
+++ /dev/null
@@ -1,7 +0,0 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
-// SPDX-License-Identifier: Apache-2.0
-
-// Code generated by client-gen. DO NOT EDIT.
-
-// This package has the automatically generated typed clients.
-package v1alpha1
diff --git a/generated/1.24/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go b/generated/1.24/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go
deleted file mode 100644
index 7906901b..00000000
--- a/generated/1.24/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go
+++ /dev/null
@@ -1,7 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by client-gen. DO NOT EDIT. - -// Package fake has the automatically generated clients. -package fake diff --git a/generated/1.24/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go b/generated/1.24/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go deleted file mode 100644 index f35814e2..00000000 --- a/generated/1.24/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go +++ /dev/null @@ -1,27 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by client-gen. DO NOT EDIT. - -package fake - -import ( - v1alpha1 "go.pinniped.dev/generated/1.24/client/supervisor/clientset/versioned/typed/oauth/v1alpha1" - rest "k8s.io/client-go/rest" - testing "k8s.io/client-go/testing" -) - -type FakeOauthV1alpha1 struct { - *testing.Fake -} - -func (c *FakeOauthV1alpha1) OIDCClients(namespace string) v1alpha1.OIDCClientInterface { - return &FakeOIDCClients{c, namespace} -} - -// RESTClient returns a RESTClient that is used to communicate -// with API server by this client implementation. -func (c *FakeOauthV1alpha1) RESTClient() rest.Interface { - var ret *rest.RESTClient - return ret -} diff --git a/generated/1.24/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go b/generated/1.24/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go deleted file mode 100644 index 87d22ea9..00000000 --- a/generated/1.24/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go +++ /dev/null 
@@ -1,8 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by client-gen. DO NOT EDIT. - -package v1alpha1 - -type OIDCClientExpansion interface{} diff --git a/generated/1.24/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go b/generated/1.24/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go deleted file mode 100644 index 3f71b07e..00000000 --- a/generated/1.24/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go +++ /dev/null 
@@ -1,94 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by client-gen. DO NOT EDIT. - -package v1alpha1 - -import ( - "net/http" - - v1alpha1 "go.pinniped.dev/generated/1.24/apis/supervisor/oauth/v1alpha1" - "go.pinniped.dev/generated/1.24/client/supervisor/clientset/versioned/scheme" - rest "k8s.io/client-go/rest" -) - -type OauthV1alpha1Interface interface { - RESTClient() rest.Interface - OIDCClientsGetter -} - -// OauthV1alpha1Client is used to interact with features provided by the oauth.supervisor.pinniped.dev group. -type OauthV1alpha1Client struct { - restClient rest.Interface -} - -func (c *OauthV1alpha1Client) OIDCClients(namespace string) OIDCClientInterface { - return newOIDCClients(c, namespace) -} - -// NewForConfig creates a new OauthV1alpha1Client for the given config. -// NewForConfig is equivalent to NewForConfigAndClient(c, httpClient), -// where httpClient was generated with rest.HTTPClientFor(c). -func NewForConfig(c *rest.Config) (*OauthV1alpha1Client, error) { - config := *c - if err := setConfigDefaults(&config); err != nil { - return nil, err - } - httpClient, err := rest.HTTPClientFor(&config) - if err != nil { - return nil, err - } - return NewForConfigAndClient(&config, httpClient) -} - -// NewForConfigAndClient creates a new OauthV1alpha1Client for the given config and http client. -// Note the http client provided takes precedence over the configured transport values. -func NewForConfigAndClient(c *rest.Config, h *http.Client) (*OauthV1alpha1Client, error) { - config := *c - if err := setConfigDefaults(&config); err != nil { - return nil, err - } - client, err := rest.RESTClientForConfigAndClient(&config, h) - if err != nil { - return nil, err - } - return &OauthV1alpha1Client{client}, nil -} - -// NewForConfigOrDie creates a new OauthV1alpha1Client for the given config and -// panics if there is an error in the config. 
-func NewForConfigOrDie(c *rest.Config) *OauthV1alpha1Client { - client, err := NewForConfig(c) - if err != nil { - panic(err) - } - return client -} - -// New creates a new OauthV1alpha1Client for the given RESTClient. -func New(c rest.Interface) *OauthV1alpha1Client { - return &OauthV1alpha1Client{c} -} - -func setConfigDefaults(config *rest.Config) error { - gv := v1alpha1.SchemeGroupVersion - config.GroupVersion = &gv - config.APIPath = "/apis" - config.NegotiatedSerializer = scheme.Codecs.WithoutConversion() - - if config.UserAgent == "" { - config.UserAgent = rest.DefaultKubernetesUserAgent() - } - - return nil -} - -// RESTClient returns a RESTClient that is used to communicate -// with API server by this client implementation. -func (c *OauthV1alpha1Client) RESTClient() rest.Interface { - if c == nil { - return nil - } - return c.restClient -} diff --git a/generated/1.24/client/supervisor/informers/externalversions/config/v1alpha1/interface.go b/generated/1.24/client/supervisor/informers/externalversions/config/v1alpha1/interface.go index 37374c24..4367467b 100644 --- a/generated/1.24/client/supervisor/informers/externalversions/config/v1alpha1/interface.go +++ b/generated/1.24/client/supervisor/informers/externalversions/config/v1alpha1/interface.go @@ -13,6 +13,8 @@ import ( type Interface interface { // FederationDomains returns a FederationDomainInformer. FederationDomains() FederationDomainInformer + // OIDCClients returns a OIDCClientInformer. + OIDCClients() OIDCClientInformer } type version struct { 
@@ -30,3 +32,8 @@ func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakList
 func (v *version) FederationDomains() FederationDomainInformer {
 return &federationDomainInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions}
 }
+
+// OIDCClients returns a OIDCClientInformer.
+func (v *version) OIDCClients() OIDCClientInformer {
+ return &oIDCClientInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions}
+}
diff --git a/generated/1.24/client/supervisor/informers/externalversions/oauth/v1alpha1/oidcclient.go b/generated/1.24/client/supervisor/informers/externalversions/config/v1alpha1/oidcclient.go
similarity index 88%
rename from generated/1.24/client/supervisor/informers/externalversions/oauth/v1alpha1/oidcclient.go
rename to generated/1.24/client/supervisor/informers/externalversions/config/v1alpha1/oidcclient.go
index 51bc882d..ea999067 100644
--- a/generated/1.24/client/supervisor/informers/externalversions/oauth/v1alpha1/oidcclient.go
+++ b/generated/1.24/client/supervisor/informers/externalversions/config/v1alpha1/oidcclient.go
@@ -9,10 +9,10 @@ import (
 "context"
 time "time"
- oauthv1alpha1 "go.pinniped.dev/generated/1.24/apis/supervisor/oauth/v1alpha1"
+ configv1alpha1 "go.pinniped.dev/generated/1.24/apis/supervisor/config/v1alpha1"
 versioned "go.pinniped.dev/generated/1.24/client/supervisor/clientset/versioned"
 internalinterfaces "go.pinniped.dev/generated/1.24/client/supervisor/informers/externalversions/internalinterfaces"
- v1alpha1 "go.pinniped.dev/generated/1.24/client/supervisor/listers/oauth/v1alpha1"
+ v1alpha1 "go.pinniped.dev/generated/1.24/client/supervisor/listers/config/v1alpha1"
 v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 runtime "k8s.io/apimachinery/pkg/runtime"
 watch "k8s.io/apimachinery/pkg/watch"
@@ -49,16 +49,16 @@ func NewFilteredOIDCClientInformer(client versioned.Interface, namespace string,
 if tweakListOptions != nil {
 tweakListOptions(&options)
 }
- return client.OauthV1alpha1().OIDCClients(namespace).List(context.TODO(), options)
+ return client.ConfigV1alpha1().OIDCClients(namespace).List(context.TODO(), options)
 },
 WatchFunc: func(options v1.ListOptions) (watch.Interface, error) {
 if tweakListOptions != nil {
 tweakListOptions(&options)
 }
- return client.OauthV1alpha1().OIDCClients(namespace).Watch(context.TODO(), options)
+ return client.ConfigV1alpha1().OIDCClients(namespace).Watch(context.TODO(), options)
 },
 },
- &oauthv1alpha1.OIDCClient{},
+ &configv1alpha1.OIDCClient{},
 resyncPeriod,
 indexers,
 )
@@ -69,7 +69,7 @@ func (f *oIDCClientInformer) defaultInformer(client versioned.Interface, resyncP
 }
 func (f *oIDCClientInformer) Informer() cache.SharedIndexInformer {
- return f.factory.InformerFor(&oauthv1alpha1.OIDCClient{}, f.defaultInformer)
+ return f.factory.InformerFor(&configv1alpha1.OIDCClient{}, f.defaultInformer)
 }
 func (f *oIDCClientInformer) Lister() v1alpha1.OIDCClientLister {
diff --git a/generated/1.24/client/supervisor/informers/externalversions/factory.go b/generated/1.24/client/supervisor/informers/externalversions/factory.go
index 1160af22..cd409f8c 100644
--- a/generated/1.24/client/supervisor/informers/externalversions/factory.go
+++ b/generated/1.24/client/supervisor/informers/externalversions/factory.go
@@ -14,7 +14,6 @@ import (
 config "go.pinniped.dev/generated/1.24/client/supervisor/informers/externalversions/config"
 idp "go.pinniped.dev/generated/1.24/client/supervisor/informers/externalversions/idp"
 internalinterfaces "go.pinniped.dev/generated/1.24/client/supervisor/informers/externalversions/internalinterfaces"
- oauth "go.pinniped.dev/generated/1.24/client/supervisor/informers/externalversions/oauth"
 v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 runtime "k8s.io/apimachinery/pkg/runtime"
 schema "k8s.io/apimachinery/pkg/runtime/schema"
@@ -163,7 +162,6 @@ type SharedInformerFactory interface {
 Config() config.Interface
 IDP() idp.Interface
- Oauth() oauth.Interface
 }
 func (f *sharedInformerFactory) Config() config.Interface {
@@ -173,7 +171,3 @@ func (f *sharedInformerFactory) Config() config.Interface {
 func (f *sharedInformerFactory) IDP() idp.Interface {
 return idp.New(f, f.namespace, f.tweakListOptions)
 }
-
-func (f *sharedInformerFactory) Oauth() oauth.Interface {
- return oauth.New(f, f.namespace, f.tweakListOptions)
-}
diff --git a/generated/1.24/client/supervisor/informers/externalversions/generic.go b/generated/1.24/client/supervisor/informers/externalversions/generic.go
index cff2d5db..c8e3dd37 100644
--- a/generated/1.24/client/supervisor/informers/externalversions/generic.go
+++ b/generated/1.24/client/supervisor/informers/externalversions/generic.go
@@ -10,7 +10,6 @@ import (
 v1alpha1 "go.pinniped.dev/generated/1.24/apis/supervisor/config/v1alpha1"
 idpv1alpha1 "go.pinniped.dev/generated/1.24/apis/supervisor/idp/v1alpha1"
- oauthv1alpha1 "go.pinniped.dev/generated/1.24/apis/supervisor/oauth/v1alpha1"
 schema "k8s.io/apimachinery/pkg/runtime/schema"
 cache "k8s.io/client-go/tools/cache"
 )
@@ -44,6 +43,8 @@ func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource
 // Group=config.supervisor.pinniped.dev, Version=v1alpha1
 case v1alpha1.SchemeGroupVersion.WithResource("federationdomains"):
 return &genericInformer{resource: resource.GroupResource(), informer: f.Config().V1alpha1().FederationDomains().Informer()}, nil
+ case v1alpha1.SchemeGroupVersion.WithResource("oidcclients"):
+ return &genericInformer{resource: resource.GroupResource(), informer: f.Config().V1alpha1().OIDCClients().Informer()}, nil
 // Group=idp.supervisor.pinniped.dev, Version=v1alpha1
 case idpv1alpha1.SchemeGroupVersion.WithResource("activedirectoryidentityproviders"):
@@ -53,10 +54,6 @@ func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource
 case idpv1alpha1.SchemeGroupVersion.WithResource("oidcidentityproviders"):
 return &genericInformer{resource: resource.GroupResource(), informer: f.IDP().V1alpha1().OIDCIdentityProviders().Informer()}, nil
- // Group=oauth.supervisor.pinniped.dev, Version=v1alpha1
- case oauthv1alpha1.SchemeGroupVersion.WithResource("oidcclients"):
- return &genericInformer{resource: resource.GroupResource(), informer: f.Oauth().V1alpha1().OIDCClients().Informer()}, nil
-
 }
 return nil, fmt.Errorf("no informer found for %v", resource)
diff --git a/generated/1.24/client/supervisor/informers/externalversions/oauth/interface.go b/generated/1.24/client/supervisor/informers/externalversions/oauth/interface.go
deleted file mode 100644
index de6a600c..00000000
--- a/generated/1.24/client/supervisor/informers/externalversions/oauth/interface.go
+++ /dev/null
@@ -1,33 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by informer-gen. DO NOT EDIT. - -package oauth - -import ( - internalinterfaces "go.pinniped.dev/generated/1.24/client/supervisor/informers/externalversions/internalinterfaces" - v1alpha1 "go.pinniped.dev/generated/1.24/client/supervisor/informers/externalversions/oauth/v1alpha1" -) - -// Interface provides access to each of this group's versions. -type Interface interface { - // V1alpha1 provides access to shared informers for resources in V1alpha1. - V1alpha1() v1alpha1.Interface -} - -type group struct { - factory internalinterfaces.SharedInformerFactory - namespace string - tweakListOptions internalinterfaces.TweakListOptionsFunc -} - -// New returns a new Interface. -func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakListOptions internalinterfaces.TweakListOptionsFunc) Interface { - return &group{factory: f, namespace: namespace, tweakListOptions: tweakListOptions} -} - -// V1alpha1 returns a new v1alpha1.Interface. -func (g *group) V1alpha1() v1alpha1.Interface { - return v1alpha1.New(g.factory, g.namespace, g.tweakListOptions) -} diff --git a/generated/1.24/client/supervisor/informers/externalversions/oauth/v1alpha1/interface.go b/generated/1.24/client/supervisor/informers/externalversions/oauth/v1alpha1/interface.go deleted file mode 100644 index 7abf7d4f..00000000 --- a/generated/1.24/client/supervisor/informers/externalversions/oauth/v1alpha1/interface.go +++ /dev/null 
@@ -1,32 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by informer-gen. DO NOT EDIT. - -package v1alpha1 - -import ( - internalinterfaces "go.pinniped.dev/generated/1.24/client/supervisor/informers/externalversions/internalinterfaces" -) - -// Interface provides access to all the informers in this group version. -type Interface interface { - // OIDCClients returns a OIDCClientInformer. - OIDCClients() OIDCClientInformer -} - -type version struct { - factory internalinterfaces.SharedInformerFactory - namespace string - tweakListOptions internalinterfaces.TweakListOptionsFunc -} - -// New returns a new Interface. -func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakListOptions internalinterfaces.TweakListOptionsFunc) Interface { - return &version{factory: f, namespace: namespace, tweakListOptions: tweakListOptions} -} - -// OIDCClients returns a OIDCClientInformer. -func (v *version) OIDCClients() OIDCClientInformer { - return &oIDCClientInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions} -} diff --git a/generated/1.24/client/supervisor/listers/config/v1alpha1/expansion_generated.go b/generated/1.24/client/supervisor/listers/config/v1alpha1/expansion_generated.go index d59892c4..bda2f20e 100644 --- a/generated/1.24/client/supervisor/listers/config/v1alpha1/expansion_generated.go +++ b/generated/1.24/client/supervisor/listers/config/v1alpha1/expansion_generated.go 
@@ -12,3 +12,11 @@ type FederationDomainListerExpansion interface{} // FederationDomainNamespaceListerExpansion allows custom methods to be added to // FederationDomainNamespaceLister. type FederationDomainNamespaceListerExpansion interface{} + +// OIDCClientListerExpansion allows custom methods to be added to +// OIDCClientLister. +type OIDCClientListerExpansion interface{} + +// OIDCClientNamespaceListerExpansion allows custom methods to be added to +// OIDCClientNamespaceLister. +type OIDCClientNamespaceListerExpansion interface{} diff --git a/generated/1.24/client/supervisor/listers/config/v1alpha1/oidcclient.go b/generated/1.24/client/supervisor/listers/config/v1alpha1/oidcclient.go new file mode 100644 index 00000000..d69dd1fc --- /dev/null +++ b/generated/1.24/client/supervisor/listers/config/v1alpha1/oidcclient.go 
@@ -0,0 +1,86 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by lister-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + v1alpha1 "go.pinniped.dev/generated/1.24/apis/supervisor/config/v1alpha1" + "k8s.io/apimachinery/pkg/api/errors" + "k8s.io/apimachinery/pkg/labels" + "k8s.io/client-go/tools/cache" +) + +// OIDCClientLister helps list OIDCClients. +// All objects returned here must be treated as read-only. +type OIDCClientLister interface { + // List lists all OIDCClients in the indexer. + // Objects returned here must be treated as read-only. + List(selector labels.Selector) (ret []*v1alpha1.OIDCClient, err error) + // OIDCClients returns an object that can list and get OIDCClients. + OIDCClients(namespace string) OIDCClientNamespaceLister + OIDCClientListerExpansion +} + +// oIDCClientLister implements the OIDCClientLister interface. +type oIDCClientLister struct { + indexer cache.Indexer +} + +// NewOIDCClientLister returns a new OIDCClientLister. +func NewOIDCClientLister(indexer cache.Indexer) OIDCClientLister { + return &oIDCClientLister{indexer: indexer} +} + +// List lists all OIDCClients in the indexer. +func (s *oIDCClientLister) List(selector labels.Selector) (ret []*v1alpha1.OIDCClient, err error) { + err = cache.ListAll(s.indexer, selector, func(m interface{}) { + ret = append(ret, m.(*v1alpha1.OIDCClient)) + }) + return ret, err +} + +// OIDCClients returns an object that can list and get OIDCClients. +func (s *oIDCClientLister) OIDCClients(namespace string) OIDCClientNamespaceLister { + return oIDCClientNamespaceLister{indexer: s.indexer, namespace: namespace} +} + +// OIDCClientNamespaceLister helps list and get OIDCClients. +// All objects returned here must be treated as read-only. +type OIDCClientNamespaceLister interface { + // List lists all OIDCClients in the indexer for a given namespace. + // Objects returned here must be treated as read-only. 
+ List(selector labels.Selector) (ret []*v1alpha1.OIDCClient, err error) + // Get retrieves the OIDCClient from the indexer for a given namespace and name. + // Objects returned here must be treated as read-only. + Get(name string) (*v1alpha1.OIDCClient, error) + OIDCClientNamespaceListerExpansion +} + +// oIDCClientNamespaceLister implements the OIDCClientNamespaceLister +// interface. +type oIDCClientNamespaceLister struct { + indexer cache.Indexer + namespace string +} + +// List lists all OIDCClients in the indexer for a given namespace. +func (s oIDCClientNamespaceLister) List(selector labels.Selector) (ret []*v1alpha1.OIDCClient, err error) { + err = cache.ListAllByNamespace(s.indexer, s.namespace, selector, func(m interface{}) { + ret = append(ret, m.(*v1alpha1.OIDCClient)) + }) + return ret, err +} + +// Get retrieves the OIDCClient from the indexer for a given namespace and name. +func (s oIDCClientNamespaceLister) Get(name string) (*v1alpha1.OIDCClient, error) { + obj, exists, err := s.indexer.GetByKey(s.namespace + "/" + name) + if err != nil { + return nil, err + } + if !exists { + return nil, errors.NewNotFound(v1alpha1.Resource("oidcclient"), name) + } + return obj.(*v1alpha1.OIDCClient), nil +} diff --git a/generated/1.24/client/supervisor/listers/oauth/v1alpha1/expansion_generated.go b/generated/1.24/client/supervisor/listers/oauth/v1alpha1/expansion_generated.go deleted file mode 100644 index c19310da..00000000 --- a/generated/1.24/client/supervisor/listers/oauth/v1alpha1/expansion_generated.go +++ /dev/null 
@@ -1,14 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by lister-gen. DO NOT EDIT. - -package v1alpha1 - -// OIDCClientListerExpansion allows custom methods to be added to -// OIDCClientLister. -type OIDCClientListerExpansion interface{} - -// OIDCClientNamespaceListerExpansion allows custom methods to be added to -// OIDCClientNamespaceLister. -type OIDCClientNamespaceListerExpansion interface{} diff --git a/generated/1.24/client/supervisor/listers/oauth/v1alpha1/oidcclient.go b/generated/1.24/client/supervisor/listers/oauth/v1alpha1/oidcclient.go deleted file mode 100644 index a969aa96..00000000 --- a/generated/1.24/client/supervisor/listers/oauth/v1alpha1/oidcclient.go +++ /dev/null 
@@ -1,86 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by lister-gen. DO NOT EDIT. - -package v1alpha1 - -import ( - v1alpha1 "go.pinniped.dev/generated/1.24/apis/supervisor/oauth/v1alpha1" - "k8s.io/apimachinery/pkg/api/errors" - "k8s.io/apimachinery/pkg/labels" - "k8s.io/client-go/tools/cache" -) - -// OIDCClientLister helps list OIDCClients. -// All objects returned here must be treated as read-only. -type OIDCClientLister interface { - // List lists all OIDCClients in the indexer. - // Objects returned here must be treated as read-only. - List(selector labels.Selector) (ret []*v1alpha1.OIDCClient, err error) - // OIDCClients returns an object that can list and get OIDCClients. - OIDCClients(namespace string) OIDCClientNamespaceLister - OIDCClientListerExpansion -} - -// oIDCClientLister implements the OIDCClientLister interface. -type oIDCClientLister struct { - indexer cache.Indexer -} - -// NewOIDCClientLister returns a new OIDCClientLister. -func NewOIDCClientLister(indexer cache.Indexer) OIDCClientLister { - return &oIDCClientLister{indexer: indexer} -} - -// List lists all OIDCClients in the indexer. -func (s *oIDCClientLister) List(selector labels.Selector) (ret []*v1alpha1.OIDCClient, err error) { - err = cache.ListAll(s.indexer, selector, func(m interface{}) { - ret = append(ret, m.(*v1alpha1.OIDCClient)) - }) - return ret, err -} - -// OIDCClients returns an object that can list and get OIDCClients. -func (s *oIDCClientLister) OIDCClients(namespace string) OIDCClientNamespaceLister { - return oIDCClientNamespaceLister{indexer: s.indexer, namespace: namespace} -} - -// OIDCClientNamespaceLister helps list and get OIDCClients. -// All objects returned here must be treated as read-only. -type OIDCClientNamespaceLister interface { - // List lists all OIDCClients in the indexer for a given namespace. - // Objects returned here must be treated as read-only. 
- List(selector labels.Selector) (ret []*v1alpha1.OIDCClient, err error) - // Get retrieves the OIDCClient from the indexer for a given namespace and name. - // Objects returned here must be treated as read-only. - Get(name string) (*v1alpha1.OIDCClient, error) - OIDCClientNamespaceListerExpansion -} - -// oIDCClientNamespaceLister implements the OIDCClientNamespaceLister -// interface. -type oIDCClientNamespaceLister struct { - indexer cache.Indexer - namespace string -} - -// List lists all OIDCClients in the indexer for a given namespace. -func (s oIDCClientNamespaceLister) List(selector labels.Selector) (ret []*v1alpha1.OIDCClient, err error) { - err = cache.ListAllByNamespace(s.indexer, s.namespace, selector, func(m interface{}) { - ret = append(ret, m.(*v1alpha1.OIDCClient)) - }) - return ret, err -} - -// Get retrieves the OIDCClient from the indexer for a given namespace and name. -func (s oIDCClientNamespaceLister) Get(name string) (*v1alpha1.OIDCClient, error) { - obj, exists, err := s.indexer.GetByKey(s.namespace + "/" + name) - if err != nil { - return nil, err - } - if !exists { - return nil, errors.NewNotFound(v1alpha1.Resource("oidcclient"), name) - } - return obj.(*v1alpha1.OIDCClient), nil -} diff --git a/generated/1.24/crds/config.supervisor.pinniped.dev_oidcclients.yaml b/generated/1.24/crds/config.supervisor.pinniped.dev_oidcclients.yaml new file mode 100644 index 00000000..4efa445e --- /dev/null +++ b/generated/1.24/crds/config.supervisor.pinniped.dev_oidcclients.yaml 
@@ -0,0 +1,125 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.8.0 + creationTimestamp: null + name: oidcclients.config.supervisor.pinniped.dev +spec: + group: config.supervisor.pinniped.dev + names: + categories: + - pinniped + kind: OIDCClient + listKind: OIDCClientList + plural: oidcclients + singular: oidcclient + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: OIDCClient describes the configuration of an OIDC client. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec of the OIDC client. + properties: + allowedGrantTypes: + description: "allowedGrantTypes is a list of the allowed grant_type + param values that should be accepted during OIDC flows with this + client. \n Must only contain the following values: - authorization_code: + allows the client to perform the authorization code grant flow, + i.e. allows the webapp to authenticate users. This grant must always + be listed. - refresh_token: allows the client to perform refresh + grants for the user to extend the user's session. This grant must + be listed if allowedScopes lists offline_access. 
- urn:ietf:params:oauth:grant-type:token-exchange: + allows the client to perform RFC8693 token exchange, which is a + step in the process to be able to get a cluster credential for the + user. This grant must be listed if allowedScopes lists pinniped:request-audience." + items: + enum: + - authorization_code + - refresh_token + - urn:ietf:params:oauth:grant-type:token-exchange + type: string + minItems: 1 + type: array + allowedRedirectURIs: + description: allowedRedirectURIs is a list of the allowed redirect_uri + param values that should be accepted during OIDC flows with this + client. Any other uris will be rejected. Must be https, unless it + is a loopback. + items: + type: string + minItems: 1 + type: array + allowedScopes: + description: "allowedScopes is a list of the allowed scopes param + values that should be accepted during OIDC flows with this client. + \n Must only contain the following values: - openid: The client + is allowed to request ID tokens. ID tokens only include the required + claims by default (iss, sub, aud, exp, iat). This scope must always + be listed. - offline_access: The client is allowed to request an + initial refresh token during the authorization code grant flow. + This scope must be listed if allowedGrantTypes lists refresh_token. + - pinniped:request-audience: The client is allowed to request a + new audience value during a RFC8693 token exchange, which is a step + in the process to be able to get a cluster credential for the user. + openid, username and groups scopes must be listed when this scope + is present. This scope must be listed if allowedGrantTypes lists + urn:ietf:params:oauth:grant-type:token-exchange. - username: The + client is allowed to request that ID tokens contain the user's username. + Without the username scope being requested and allowed, the ID token + will not contain the user's username. 
- groups: The client is allowed + to request that ID tokens contain the user's group membership, if + their group membership is discoverable by the Supervisor. Without + the groups scope being requested and allowed, the ID token will + not contain groups." + items: + enum: + - openid + - offline_access + - username + - groups + - pinniped:request-audience + type: string + minItems: 1 + type: array + required: + - allowedGrantTypes + - allowedRedirectURIs + - allowedScopes + type: object + status: + description: Status of the OIDC client. + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/generated/1.24/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml b/generated/1.24/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml deleted file mode 100644 index 589a9154..00000000 --- a/generated/1.24/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml +++ /dev/null 
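Review bot: The `allowedRedirectURIs` schema accepts any string (`items: type: string`, `minItems: 1`), so the "Must be https, unless it is a loopback" rule in its description is documentation only and the API server will happily store a client whose redirect URI is plain `http://` to a non-loopback host; the same is true of the cross-field rules between `allowedGrantTypes` and `allowedScopes` (e.g. refresh_token requires offline_access), which the enums cannot express. Since this file is controller-gen output (see the `controller-gen.kubebuilder.io/version` annotation), the fix belongs on the Go field in `types_oidcclient.go`, at minimum `// +kubebuilder:validation:MinLength=1` and e.g. `// +kubebuilder:validation:Format=uri` on the URI items, with the https/loopback and grant/scope consistency checks enforced when the Supervisor loads the client, presumably in code outside this patch. The `status` block is an empty `type: object` with no `conditions`, so there is currently nowhere to surface that an OIDCClient was rejected at load time; consider adding a standard `conditions` list to OIDCClientStatus so a misconfigured client fails visibly rather than silently.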
@@ -1,125 +0,0 @@ ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.8.0 - creationTimestamp: null - name: oidcclients.oauth.supervisor.pinniped.dev -spec: - group: oauth.supervisor.pinniped.dev - names: - categories: - - pinniped - kind: OIDCClient - listKind: OIDCClientList - plural: oidcclients - singular: oidcclient - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - description: OIDCClient describes the configuration of an OIDC client. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: Spec of the OIDC client. - properties: - allowedGrantTypes: - description: "allowedGrantTypes is a list of the allowed grant_type - param values that should be accepted during OIDC flows with this - client. \n Must only contain the following values: - authorization_code: - allows the client to perform the authorization code grant flow, - i.e. allows the webapp to authenticate users. This grant must always - be listed. - refresh_token: allows the client to perform refresh - grants for the user to extend the user's session. This grant must - be listed if allowedScopes lists offline_access. 
- urn:ietf:params:oauth:grant-type:token-exchange: - allows the client to perform RFC8693 token exchange, which is a - step in the process to be able to get a cluster credential for the - user. This grant must be listed if allowedScopes lists pinniped:request-audience." - items: - enum: - - authorization_code - - refresh_token - - urn:ietf:params:oauth:grant-type:token-exchange - type: string - minItems: 1 - type: array - allowedRedirectURIs: - description: allowedRedirectURIs is a list of the allowed redirect_uri - param values that should be accepted during OIDC flows with this - client. Any other uris will be rejected. Must be https, unless it - is a loopback. - items: - type: string - minItems: 1 - type: array - allowedScopes: - description: "allowedScopes is a list of the allowed scopes param - values that should be accepted during OIDC flows with this client. - \n Must only contain the following values: - openid: The client - is allowed to request ID tokens. ID tokens only include the required - claims by default (iss, sub, aud, exp, iat). This scope must always - be listed. - offline_access: The client is allowed to request an - initial refresh token during the authorization code grant flow. - This scope must be listed if allowedGrantTypes lists refresh_token. - - pinniped:request-audience: The client is allowed to request a - new audience value during a RFC8693 token exchange, which is a step - in the process to be able to get a cluster credential for the user. - openid, username and groups scopes must be listed when this scope - is present. This scope must be listed if allowedGrantTypes lists - urn:ietf:params:oauth:grant-type:token-exchange. - username: The - client is allowed to request that ID tokens contain the user's username. - Without the username scope being requested and allowed, the ID token - will not contain the user's username. 
- groups: The client is allowed - to request that ID tokens contain the user's group membership, if - their group membership is discoverable by the Supervisor. Without - the groups scope being requested and allowed, the ID token will - not contain groups." - items: - enum: - - openid - - offline_access - - username - - groups - - pinniped:request-audience - type: string - minItems: 1 - type: array - required: - - allowedGrantTypes - - allowedRedirectURIs - - allowedScopes - type: object - status: - description: Status of the OIDC client. - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] diff --git a/generated/latest/apis/supervisor/config/v1alpha1/register.go b/generated/latest/apis/supervisor/config/v1alpha1/register.go index 69045298..54c51699 100644 --- a/generated/latest/apis/supervisor/config/v1alpha1/register.go +++ b/generated/latest/apis/supervisor/config/v1alpha1/register.go @@ -32,6 +32,8 @@ func addKnownTypes(scheme *runtime.Scheme) error { scheme.AddKnownTypes(SchemeGroupVersion, &FederationDomain{}, &FederationDomainList{}, + &OIDCClient{}, + &OIDCClientList{}, ) metav1.AddToGroupVersion(scheme, SchemeGroupVersion) return nil diff --git a/generated/latest/apis/supervisor/oauth/v1alpha1/types_oidcclient.go b/generated/latest/apis/supervisor/config/v1alpha1/types_oidcclient.go similarity index 100% rename from generated/latest/apis/supervisor/oauth/v1alpha1/types_oidcclient.go rename to generated/latest/apis/supervisor/config/v1alpha1/types_oidcclient.go diff --git a/generated/latest/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go b/generated/latest/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go index 856b8988..a55d88e7 100644 --- a/generated/latest/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go +++ b/generated/latest/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go 
@@ -150,3 +150,111 @@ func (in *FederationDomainTLSSpec) DeepCopy() *FederationDomainTLSSpec { in.DeepCopyInto(out) return out } + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCClient) DeepCopyInto(out *OIDCClient) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + in.Spec.DeepCopyInto(&out.Spec) + out.Status = in.Status + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClient. +func (in *OIDCClient) DeepCopy() *OIDCClient { + if in == nil { + return nil + } + out := new(OIDCClient) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *OIDCClient) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCClientList) DeepCopyInto(out *OIDCClientList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]OIDCClient, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientList. +func (in *OIDCClientList) DeepCopy() *OIDCClientList { + if in == nil { + return nil + } + out := new(OIDCClientList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *OIDCClientList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. 
in must be non-nil. +func (in *OIDCClientSpec) DeepCopyInto(out *OIDCClientSpec) { + *out = *in + if in.AllowedRedirectURIs != nil { + in, out := &in.AllowedRedirectURIs, &out.AllowedRedirectURIs + *out = make([]string, len(*in)) + copy(*out, *in) + } + if in.AllowedGrantTypes != nil { + in, out := &in.AllowedGrantTypes, &out.AllowedGrantTypes + *out = make([]GrantType, len(*in)) + copy(*out, *in) + } + if in.AllowedScopes != nil { + in, out := &in.AllowedScopes, &out.AllowedScopes + *out = make([]Scope, len(*in)) + copy(*out, *in) + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSpec. +func (in *OIDCClientSpec) DeepCopy() *OIDCClientSpec { + if in == nil { + return nil + } + out := new(OIDCClientSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCClientStatus) DeepCopyInto(out *OIDCClientStatus) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientStatus. +func (in *OIDCClientStatus) DeepCopy() *OIDCClientStatus { + if in == nil { + return nil + } + out := new(OIDCClientStatus) + in.DeepCopyInto(out) + return out +} diff --git a/generated/latest/apis/supervisor/oauth/v1alpha1/doc.go b/generated/latest/apis/supervisor/oauth/v1alpha1/doc.go deleted file mode 100644 index 75580481..00000000 --- a/generated/latest/apis/supervisor/oauth/v1alpha1/doc.go +++ /dev/null @@ -1,10 +0,0 @@ -// Copyright 2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// +k8s:openapi-gen=true -// +k8s:deepcopy-gen=package -// +k8s:defaulter-gen=TypeMeta -// +groupName=oauth.supervisor.pinniped.dev - -// Package v1alpha1 is the v1alpha1 version of the Pinniped supervisor oauth API. -package v1alpha1 
diff --git a/generated/latest/apis/supervisor/oauth/v1alpha1/register.go b/generated/latest/apis/supervisor/oauth/v1alpha1/register.go deleted file mode 100644 index 37ae1fbf..00000000 --- a/generated/latest/apis/supervisor/oauth/v1alpha1/register.go +++ /dev/null @@ -1,43 +0,0 @@ -// Copyright 2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -package v1alpha1 - -import ( - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - "k8s.io/apimachinery/pkg/runtime" - "k8s.io/apimachinery/pkg/runtime/schema" -) - -const GroupName = "oauth.supervisor.pinniped.dev" - -// SchemeGroupVersion is group version used to register these objects. -var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha1"} - -var ( - SchemeBuilder runtime.SchemeBuilder - localSchemeBuilder = &SchemeBuilder - AddToScheme = localSchemeBuilder.AddToScheme -) - -func init() { - // We only register manually written functions here. The registration of the - // generated functions takes place in the generated files. The separation - // makes the code compile even when the generated files are missing. - localSchemeBuilder.Register(addKnownTypes) -} - -// Adds the list of known types to the given scheme. -func addKnownTypes(scheme *runtime.Scheme) error { - scheme.AddKnownTypes(SchemeGroupVersion, - &OIDCClient{}, - &OIDCClientList{}, - ) - metav1.AddToGroupVersion(scheme, SchemeGroupVersion) - return nil -} - -// Resource takes an unqualified resource and returns a Group qualified GroupResource. -func Resource(resource string) schema.GroupResource { - return SchemeGroupVersion.WithResource(resource).GroupResource() -} diff --git a/generated/latest/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go b/generated/latest/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go deleted file mode 100644 index 1aba8aea..00000000 --- a/generated/latest/apis/supervisor/oauth/v1alpha1/zz_generated.deepcopy.go +++ /dev/null 
@@ -1,121 +0,0 @@ -//go:build !ignore_autogenerated -// +build !ignore_autogenerated - -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by deepcopy-gen. DO NOT EDIT. - -package v1alpha1 - -import ( - runtime "k8s.io/apimachinery/pkg/runtime" -) - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *OIDCClient) DeepCopyInto(out *OIDCClient) { - *out = *in - out.TypeMeta = in.TypeMeta - in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) - in.Spec.DeepCopyInto(&out.Spec) - out.Status = in.Status - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClient. -func (in *OIDCClient) DeepCopy() *OIDCClient { - if in == nil { - return nil - } - out := new(OIDCClient) - in.DeepCopyInto(out) - return out -} - -// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. -func (in *OIDCClient) DeepCopyObject() runtime.Object { - if c := in.DeepCopy(); c != nil { - return c - } - return nil -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *OIDCClientList) DeepCopyInto(out *OIDCClientList) { - *out = *in - out.TypeMeta = in.TypeMeta - in.ListMeta.DeepCopyInto(&out.ListMeta) - if in.Items != nil { - in, out := &in.Items, &out.Items - *out = make([]OIDCClient, len(*in)) - for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) - } - } - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientList. -func (in *OIDCClientList) DeepCopy() *OIDCClientList { - if in == nil { - return nil - } - out := new(OIDCClientList) - in.DeepCopyInto(out) - return out -} - -// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. 
-func (in *OIDCClientList) DeepCopyObject() runtime.Object { - if c := in.DeepCopy(); c != nil { - return c - } - return nil -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *OIDCClientSpec) DeepCopyInto(out *OIDCClientSpec) { - *out = *in - if in.AllowedRedirectURIs != nil { - in, out := &in.AllowedRedirectURIs, &out.AllowedRedirectURIs - *out = make([]string, len(*in)) - copy(*out, *in) - } - if in.AllowedGrantTypes != nil { - in, out := &in.AllowedGrantTypes, &out.AllowedGrantTypes - *out = make([]GrantType, len(*in)) - copy(*out, *in) - } - if in.AllowedScopes != nil { - in, out := &in.AllowedScopes, &out.AllowedScopes - *out = make([]Scope, len(*in)) - copy(*out, *in) - } - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSpec. -func (in *OIDCClientSpec) DeepCopy() *OIDCClientSpec { - if in == nil { - return nil - } - out := new(OIDCClientSpec) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *OIDCClientStatus) DeepCopyInto(out *OIDCClientStatus) { - *out = *in - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientStatus. -func (in *OIDCClientStatus) DeepCopy() *OIDCClientStatus { - if in == nil { - return nil - } - out := new(OIDCClientStatus) - in.DeepCopyInto(out) - return out -} diff --git a/generated/latest/client/supervisor/clientset/versioned/clientset.go b/generated/latest/client/supervisor/clientset/versioned/clientset.go index cc05d311..206751d2 100644 --- a/generated/latest/client/supervisor/clientset/versioned/clientset.go +++ b/generated/latest/client/supervisor/clientset/versioned/clientset.go 
@@ -11,7 +11,6 @@ import ( configv1alpha1 "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned/typed/config/v1alpha1" idpv1alpha1 "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned/typed/idp/v1alpha1" - oauthv1alpha1 "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned/typed/oauth/v1alpha1" discovery "k8s.io/client-go/discovery" rest "k8s.io/client-go/rest" flowcontrol "k8s.io/client-go/util/flowcontrol" @@ -21,7 +20,6 @@ type Interface interface { Discovery() discovery.DiscoveryInterface ConfigV1alpha1() configv1alpha1.ConfigV1alpha1Interface IDPV1alpha1() idpv1alpha1.IDPV1alpha1Interface - OauthV1alpha1() oauthv1alpha1.OauthV1alpha1Interface } // Clientset contains the clients for groups. Each group has exactly one @@ -30,7 +28,6 @@ type Clientset struct { *discovery.DiscoveryClient configV1alpha1 *configv1alpha1.ConfigV1alpha1Client iDPV1alpha1 *idpv1alpha1.IDPV1alpha1Client - oauthV1alpha1 *oauthv1alpha1.OauthV1alpha1Client } // ConfigV1alpha1 retrieves the ConfigV1alpha1Client @@ -43,11 +40,6 @@ func (c *Clientset) IDPV1alpha1() idpv1alpha1.IDPV1alpha1Interface { return c.iDPV1alpha1 } -// OauthV1alpha1 retrieves the OauthV1alpha1Client -func (c *Clientset) OauthV1alpha1() oauthv1alpha1.OauthV1alpha1Interface { - return c.oauthV1alpha1 -} - // Discovery retrieves the DiscoveryClient func (c *Clientset) Discovery() discovery.DiscoveryInterface { if c == nil { @@ -100,10 +92,6 @@ func NewForConfigAndClient(c *rest.Config, httpClient *http.Client) (*Clientset, if err != nil { return nil, err } - cs.oauthV1alpha1, err = oauthv1alpha1.NewForConfigAndClient(&configShallowCopy, httpClient) - if err != nil { - return nil, err - } cs.DiscoveryClient, err = discovery.NewDiscoveryClientForConfigAndClient(&configShallowCopy, httpClient) if err != nil { 
@@ -127,7 +115,6 @@ func New(c rest.Interface) *Clientset { var cs Clientset cs.configV1alpha1 = configv1alpha1.New(c) cs.iDPV1alpha1 = idpv1alpha1.New(c) - cs.oauthV1alpha1 = oauthv1alpha1.New(c) cs.DiscoveryClient = discovery.NewDiscoveryClient(c) return &cs diff --git a/generated/latest/client/supervisor/clientset/versioned/fake/clientset_generated.go b/generated/latest/client/supervisor/clientset/versioned/fake/clientset_generated.go index 6b73fc47..783ec35f 100644 --- a/generated/latest/client/supervisor/clientset/versioned/fake/clientset_generated.go +++ b/generated/latest/client/supervisor/clientset/versioned/fake/clientset_generated.go @@ -11,8 +11,6 @@ import ( fakeconfigv1alpha1 "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake" idpv1alpha1 "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned/typed/idp/v1alpha1" fakeidpv1alpha1 "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake" - oauthv1alpha1 "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned/typed/oauth/v1alpha1" - fakeoauthv1alpha1 "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake" "k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/watch" "k8s.io/client-go/discovery" @@ -79,8 +77,3 @@ func (c *Clientset) ConfigV1alpha1() configv1alpha1.ConfigV1alpha1Interface { func (c *Clientset) IDPV1alpha1() idpv1alpha1.IDPV1alpha1Interface { return &fakeidpv1alpha1.FakeIDPV1alpha1{Fake: &c.Fake} } - -// OauthV1alpha1 retrieves the OauthV1alpha1Client -func (c *Clientset) OauthV1alpha1() oauthv1alpha1.OauthV1alpha1Interface { - return &fakeoauthv1alpha1.FakeOauthV1alpha1{Fake: &c.Fake} -} diff --git a/generated/latest/client/supervisor/clientset/versioned/fake/register.go b/generated/latest/client/supervisor/clientset/versioned/fake/register.go index db9bb1a4..4d84f079 100644 
--- a/generated/latest/client/supervisor/clientset/versioned/fake/register.go +++ b/generated/latest/client/supervisor/clientset/versioned/fake/register.go @@ -8,7 +8,6 @@ package fake import ( configv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/config/v1alpha1" idpv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/idp/v1alpha1" - oauthv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/oauth/v1alpha1" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" runtime "k8s.io/apimachinery/pkg/runtime" schema "k8s.io/apimachinery/pkg/runtime/schema" @@ -22,7 +21,6 @@ var codecs = serializer.NewCodecFactory(scheme) var localSchemeBuilder = runtime.SchemeBuilder{ configv1alpha1.AddToScheme, idpv1alpha1.AddToScheme, - oauthv1alpha1.AddToScheme, } // AddToScheme adds all types of this clientset into the given scheme. This allows composition diff --git a/generated/latest/client/supervisor/clientset/versioned/scheme/register.go b/generated/latest/client/supervisor/clientset/versioned/scheme/register.go index 9456d619..7b874df0 100644 --- a/generated/latest/client/supervisor/clientset/versioned/scheme/register.go +++ b/generated/latest/client/supervisor/clientset/versioned/scheme/register.go @@ -8,7 +8,6 @@ package scheme import ( configv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/config/v1alpha1" idpv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/idp/v1alpha1" - oauthv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/oauth/v1alpha1" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" runtime "k8s.io/apimachinery/pkg/runtime" schema "k8s.io/apimachinery/pkg/runtime/schema" @@ -22,7 +21,6 @@ var ParameterCodec = runtime.NewParameterCodec(Scheme) var localSchemeBuilder = runtime.SchemeBuilder{ configv1alpha1.AddToScheme, idpv1alpha1.AddToScheme, - oauthv1alpha1.AddToScheme, } // AddToScheme adds all types of this clientset into the given scheme. This allows composition 
diff --git a/generated/latest/client/supervisor/clientset/versioned/typed/config/v1alpha1/config_client.go b/generated/latest/client/supervisor/clientset/versioned/typed/config/v1alpha1/config_client.go index c946632a..ea41ad67 100644 --- a/generated/latest/client/supervisor/clientset/versioned/typed/config/v1alpha1/config_client.go +++ b/generated/latest/client/supervisor/clientset/versioned/typed/config/v1alpha1/config_client.go @@ -16,6 +16,7 @@ import ( type ConfigV1alpha1Interface interface { RESTClient() rest.Interface FederationDomainsGetter + OIDCClientsGetter } // ConfigV1alpha1Client is used to interact with features provided by the config.supervisor.pinniped.dev group. @@ -27,6 +28,10 @@ func (c *ConfigV1alpha1Client) FederationDomains(namespace string) FederationDom return newFederationDomains(c, namespace) } +func (c *ConfigV1alpha1Client) OIDCClients(namespace string) OIDCClientInterface { + return newOIDCClients(c, namespace) +} + // NewForConfig creates a new ConfigV1alpha1Client for the given config. // NewForConfig is equivalent to NewForConfigAndClient(c, httpClient), // where httpClient was generated with rest.HTTPClientFor(c). diff --git a/generated/latest/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake/fake_config_client.go b/generated/latest/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake/fake_config_client.go index 088e66a2..2ca19bd6 100644 --- a/generated/latest/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake/fake_config_client.go +++ b/generated/latest/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake/fake_config_client.go 
@@ -19,6 +19,10 @@ func (c *FakeConfigV1alpha1) FederationDomains(namespace string) v1alpha1.Federa return &FakeFederationDomains{c, namespace} } +func (c *FakeConfigV1alpha1) OIDCClients(namespace string) v1alpha1.OIDCClientInterface { + return &FakeOIDCClients{c, namespace} +} + // RESTClient returns a RESTClient that is used to communicate // with API server by this client implementation. func (c *FakeConfigV1alpha1) RESTClient() rest.Interface { diff --git a/generated/latest/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oidcclient.go b/generated/latest/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake/fake_oidcclient.go similarity index 92% rename from generated/latest/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oidcclient.go rename to generated/latest/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake/fake_oidcclient.go index 89568d1a..aba465a9 100644 --- a/generated/latest/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oidcclient.go +++ b/generated/latest/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake/fake_oidcclient.go @@ -8,7 +8,7 @@ package fake import ( "context" - v1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/oauth/v1alpha1" + v1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/config/v1alpha1" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" labels "k8s.io/apimachinery/pkg/labels" schema "k8s.io/apimachinery/pkg/runtime/schema" 
@@ -19,13 +19,13 @@ import ( // FakeOIDCClients implements OIDCClientInterface type FakeOIDCClients struct { - Fake *FakeOauthV1alpha1 + Fake *FakeConfigV1alpha1 ns string } -var oidcclientsResource = schema.GroupVersionResource{Group: "oauth.supervisor.pinniped.dev", Version: "v1alpha1", Resource: "oidcclients"} +var oidcclientsResource = schema.GroupVersionResource{Group: "config.supervisor.pinniped.dev", Version: "v1alpha1", Resource: "oidcclients"} -var oidcclientsKind = schema.GroupVersionKind{Group: "oauth.supervisor.pinniped.dev", Version: "v1alpha1", Kind: "OIDCClient"} +var oidcclientsKind = schema.GroupVersionKind{Group: "config.supervisor.pinniped.dev", Version: "v1alpha1", Kind: "OIDCClient"} // Get takes name of the oIDCClient, and returns the corresponding oIDCClient object, and an error if there is any. func (c *FakeOIDCClients) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.OIDCClient, err error) { diff --git a/generated/latest/client/supervisor/clientset/versioned/typed/config/v1alpha1/generated_expansion.go b/generated/latest/client/supervisor/clientset/versioned/typed/config/v1alpha1/generated_expansion.go index ba9c9173..35b9ee3d 100644 --- a/generated/latest/client/supervisor/clientset/versioned/typed/config/v1alpha1/generated_expansion.go +++ b/generated/latest/client/supervisor/clientset/versioned/typed/config/v1alpha1/generated_expansion.go @@ -6,3 +6,5 @@ package v1alpha1 type FederationDomainExpansion interface{} + +type OIDCClientExpansion interface{} diff --git a/generated/latest/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oidcclient.go b/generated/latest/client/supervisor/clientset/versioned/typed/config/v1alpha1/oidcclient.go similarity index 97% rename from generated/latest/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oidcclient.go rename to generated/latest/client/supervisor/clientset/versioned/typed/config/v1alpha1/oidcclient.go index 888c2a7e..68fa884e 100644 
--- a/generated/latest/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oidcclient.go +++ b/generated/latest/client/supervisor/clientset/versioned/typed/config/v1alpha1/oidcclient.go @@ -9,7 +9,7 @@ import ( "context" "time" - v1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/oauth/v1alpha1" + v1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/config/v1alpha1" scheme "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned/scheme" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" types "k8s.io/apimachinery/pkg/types" @@ -44,7 +44,7 @@ type oIDCClients struct { } // newOIDCClients returns a OIDCClients -func newOIDCClients(c *OauthV1alpha1Client, namespace string) *oIDCClients { +func newOIDCClients(c *ConfigV1alpha1Client, namespace string) *oIDCClients { return &oIDCClients{ client: c.RESTClient(), ns: namespace, diff --git a/generated/latest/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/doc.go b/generated/latest/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/doc.go deleted file mode 100644 index e7a470b6..00000000 --- a/generated/latest/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/doc.go +++ /dev/null @@ -1,7 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by client-gen. DO NOT EDIT. - -// This package has the automatically generated typed clients. -package v1alpha1 diff --git a/generated/latest/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go b/generated/latest/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go deleted file mode 100644 index 7906901b..00000000 --- a/generated/latest/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go +++ /dev/null 
@@ -1,7 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by client-gen. DO NOT EDIT. - -// Package fake has the automatically generated clients. -package fake diff --git a/generated/latest/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go b/generated/latest/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go deleted file mode 100644 index abcc6a0c..00000000 --- a/generated/latest/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go +++ /dev/null @@ -1,27 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by client-gen. DO NOT EDIT. - -package fake - -import ( - v1alpha1 "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned/typed/oauth/v1alpha1" - rest "k8s.io/client-go/rest" - testing "k8s.io/client-go/testing" -) - -type FakeOauthV1alpha1 struct { - *testing.Fake -} - -func (c *FakeOauthV1alpha1) OIDCClients(namespace string) v1alpha1.OIDCClientInterface { - return &FakeOIDCClients{c, namespace} -} - -// RESTClient returns a RESTClient that is used to communicate -// with API server by this client implementation. -func (c *FakeOauthV1alpha1) RESTClient() rest.Interface { - var ret *rest.RESTClient - return ret -} diff --git a/generated/latest/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go b/generated/latest/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go deleted file mode 100644 index 87d22ea9..00000000 --- a/generated/latest/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go +++ /dev/null 
@@ -1,8 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by client-gen. DO NOT EDIT. - -package v1alpha1 - -type OIDCClientExpansion interface{} diff --git a/generated/latest/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go b/generated/latest/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go deleted file mode 100644 index 80077607..00000000 --- a/generated/latest/client/supervisor/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go +++ /dev/null 
@@ -1,94 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by client-gen. DO NOT EDIT. - -package v1alpha1 - -import ( - "net/http" - - v1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/oauth/v1alpha1" - "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned/scheme" - rest "k8s.io/client-go/rest" -) - -type OauthV1alpha1Interface interface { - RESTClient() rest.Interface - OIDCClientsGetter -} - -// OauthV1alpha1Client is used to interact with features provided by the oauth.supervisor.pinniped.dev group. -type OauthV1alpha1Client struct { - restClient rest.Interface -} - -func (c *OauthV1alpha1Client) OIDCClients(namespace string) OIDCClientInterface { - return newOIDCClients(c, namespace) -} - -// NewForConfig creates a new OauthV1alpha1Client for the given config. -// NewForConfig is equivalent to NewForConfigAndClient(c, httpClient), -// where httpClient was generated with rest.HTTPClientFor(c). -func NewForConfig(c *rest.Config) (*OauthV1alpha1Client, error) { - config := *c - if err := setConfigDefaults(&config); err != nil { - return nil, err - } - httpClient, err := rest.HTTPClientFor(&config) - if err != nil { - return nil, err - } - return NewForConfigAndClient(&config, httpClient) -} - -// NewForConfigAndClient creates a new OauthV1alpha1Client for the given config and http client. -// Note the http client provided takes precedence over the configured transport values. -func NewForConfigAndClient(c *rest.Config, h *http.Client) (*OauthV1alpha1Client, error) { - config := *c - if err := setConfigDefaults(&config); err != nil { - return nil, err - } - client, err := rest.RESTClientForConfigAndClient(&config, h) - if err != nil { - return nil, err - } - return &OauthV1alpha1Client{client}, nil -} - -// NewForConfigOrDie creates a new OauthV1alpha1Client for the given config and -// panics if there is an error in the config. 
-func NewForConfigOrDie(c *rest.Config) *OauthV1alpha1Client { - client, err := NewForConfig(c) - if err != nil { - panic(err) - } - return client -} - -// New creates a new OauthV1alpha1Client for the given RESTClient. -func New(c rest.Interface) *OauthV1alpha1Client { - return &OauthV1alpha1Client{c} -} - -func setConfigDefaults(config *rest.Config) error { - gv := v1alpha1.SchemeGroupVersion - config.GroupVersion = &gv - config.APIPath = "/apis" - config.NegotiatedSerializer = scheme.Codecs.WithoutConversion() - - if config.UserAgent == "" { - config.UserAgent = rest.DefaultKubernetesUserAgent() - } - - return nil -} - -// RESTClient returns a RESTClient that is used to communicate -// with API server by this client implementation. -func (c *OauthV1alpha1Client) RESTClient() rest.Interface { - if c == nil { - return nil - } - return c.restClient -} diff --git a/generated/latest/client/supervisor/informers/externalversions/config/v1alpha1/interface.go b/generated/latest/client/supervisor/informers/externalversions/config/v1alpha1/interface.go index 5273529b..a86c165c 100644 --- a/generated/latest/client/supervisor/informers/externalversions/config/v1alpha1/interface.go +++ b/generated/latest/client/supervisor/informers/externalversions/config/v1alpha1/interface.go @@ -13,6 +13,8 @@ import ( type Interface interface { // FederationDomains returns a FederationDomainInformer. FederationDomains() FederationDomainInformer + // OIDCClients returns a OIDCClientInformer. + OIDCClients() OIDCClientInformer } type version struct { 
@@ -30,3 +32,8 @@ func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakList func (v *version) FederationDomains() FederationDomainInformer { return &federationDomainInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions} } + +// OIDCClients returns a OIDCClientInformer. +func (v *version) OIDCClients() OIDCClientInformer { + return &oIDCClientInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions} +} diff --git a/generated/latest/client/supervisor/informers/externalversions/oauth/v1alpha1/oidcclient.go b/generated/latest/client/supervisor/informers/externalversions/config/v1alpha1/oidcclient.go similarity index 88% rename from generated/latest/client/supervisor/informers/externalversions/oauth/v1alpha1/oidcclient.go rename to generated/latest/client/supervisor/informers/externalversions/config/v1alpha1/oidcclient.go index d3eec3d2..00d2f521 100644 --- a/generated/latest/client/supervisor/informers/externalversions/oauth/v1alpha1/oidcclient.go +++ b/generated/latest/client/supervisor/informers/externalversions/config/v1alpha1/oidcclient.go @@ -9,10 +9,10 @@ import ( "context" time "time" - oauthv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/oauth/v1alpha1" + configv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/config/v1alpha1" versioned "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned" internalinterfaces "go.pinniped.dev/generated/latest/client/supervisor/informers/externalversions/internalinterfaces" - v1alpha1 "go.pinniped.dev/generated/latest/client/supervisor/listers/oauth/v1alpha1" + v1alpha1 "go.pinniped.dev/generated/latest/client/supervisor/listers/config/v1alpha1" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" runtime "k8s.io/apimachinery/pkg/runtime" watch "k8s.io/apimachinery/pkg/watch" 
@@ -49,16 +49,16 @@ func NewFilteredOIDCClientInformer(client versioned.Interface, namespace string, if tweakListOptions != nil { tweakListOptions(&options) } - return client.OauthV1alpha1().OIDCClients(namespace).List(context.TODO(), options) + return client.ConfigV1alpha1().OIDCClients(namespace).List(context.TODO(), options) }, WatchFunc: func(options v1.ListOptions) (watch.Interface, error) { if tweakListOptions != nil { tweakListOptions(&options) } - return client.OauthV1alpha1().OIDCClients(namespace).Watch(context.TODO(), options) + return client.ConfigV1alpha1().OIDCClients(namespace).Watch(context.TODO(), options) }, }, - &oauthv1alpha1.OIDCClient{}, + &configv1alpha1.OIDCClient{}, resyncPeriod, indexers, ) @@ -69,7 +69,7 @@ func (f *oIDCClientInformer) defaultInformer(client versioned.Interface, resyncP } func (f *oIDCClientInformer) Informer() cache.SharedIndexInformer { - return f.factory.InformerFor(&oauthv1alpha1.OIDCClient{}, f.defaultInformer) + return f.factory.InformerFor(&configv1alpha1.OIDCClient{}, f.defaultInformer) } func (f *oIDCClientInformer) Lister() v1alpha1.OIDCClientLister { diff --git a/generated/latest/client/supervisor/informers/externalversions/factory.go b/generated/latest/client/supervisor/informers/externalversions/factory.go index d3c714e7..252195d3 100644 --- a/generated/latest/client/supervisor/informers/externalversions/factory.go +++ b/generated/latest/client/supervisor/informers/externalversions/factory.go 
@@ -14,7 +14,6 @@ import ( config "go.pinniped.dev/generated/latest/client/supervisor/informers/externalversions/config" idp "go.pinniped.dev/generated/latest/client/supervisor/informers/externalversions/idp" internalinterfaces "go.pinniped.dev/generated/latest/client/supervisor/informers/externalversions/internalinterfaces" - oauth "go.pinniped.dev/generated/latest/client/supervisor/informers/externalversions/oauth" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" runtime "k8s.io/apimachinery/pkg/runtime" schema "k8s.io/apimachinery/pkg/runtime/schema" @@ -163,7 +162,6 @@ type SharedInformerFactory interface { Config() config.Interface IDP() idp.Interface - Oauth() oauth.Interface } func (f *sharedInformerFactory) Config() config.Interface { @@ -173,7 +171,3 @@ func (f *sharedInformerFactory) Config() config.Interface { func (f *sharedInformerFactory) IDP() idp.Interface { return idp.New(f, f.namespace, f.tweakListOptions) } - -func (f *sharedInformerFactory) Oauth() oauth.Interface { - return oauth.New(f, f.namespace, f.tweakListOptions) -} diff --git a/generated/latest/client/supervisor/informers/externalversions/generic.go b/generated/latest/client/supervisor/informers/externalversions/generic.go index ba708933..eb3f5543 100644 --- a/generated/latest/client/supervisor/informers/externalversions/generic.go +++ b/generated/latest/client/supervisor/informers/externalversions/generic.go @@ -10,7 +10,6 @@ import ( v1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/config/v1alpha1" idpv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/idp/v1alpha1" - oauthv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/oauth/v1alpha1" schema "k8s.io/apimachinery/pkg/runtime/schema" cache "k8s.io/client-go/tools/cache" ) 
@@ -44,6 +43,8 @@ func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource // Group=config.supervisor.pinniped.dev, Version=v1alpha1 case v1alpha1.SchemeGroupVersion.WithResource("federationdomains"): return &genericInformer{resource: resource.GroupResource(), informer: f.Config().V1alpha1().FederationDomains().Informer()}, nil + case v1alpha1.SchemeGroupVersion.WithResource("oidcclients"): + return &genericInformer{resource: resource.GroupResource(), informer: f.Config().V1alpha1().OIDCClients().Informer()}, nil // Group=idp.supervisor.pinniped.dev, Version=v1alpha1 case idpv1alpha1.SchemeGroupVersion.WithResource("activedirectoryidentityproviders"): @@ -53,10 +54,6 @@ func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource case idpv1alpha1.SchemeGroupVersion.WithResource("oidcidentityproviders"): return &genericInformer{resource: resource.GroupResource(), informer: f.IDP().V1alpha1().OIDCIdentityProviders().Informer()}, nil - // Group=oauth.supervisor.pinniped.dev, Version=v1alpha1 - case oauthv1alpha1.SchemeGroupVersion.WithResource("oidcclients"): - return &genericInformer{resource: resource.GroupResource(), informer: f.Oauth().V1alpha1().OIDCClients().Informer()}, nil - } return nil, fmt.Errorf("no informer found for %v", resource) diff --git a/generated/latest/client/supervisor/informers/externalversions/oauth/interface.go b/generated/latest/client/supervisor/informers/externalversions/oauth/interface.go deleted file mode 100644 index b0c7105b..00000000 --- a/generated/latest/client/supervisor/informers/externalversions/oauth/interface.go +++ /dev/null 
@@ -1,33 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by informer-gen. DO NOT EDIT. - -package oauth - -import ( - internalinterfaces "go.pinniped.dev/generated/latest/client/supervisor/informers/externalversions/internalinterfaces" - v1alpha1 "go.pinniped.dev/generated/latest/client/supervisor/informers/externalversions/oauth/v1alpha1" -) - -// Interface provides access to each of this group's versions. -type Interface interface { - // V1alpha1 provides access to shared informers for resources in V1alpha1. - V1alpha1() v1alpha1.Interface -} - -type group struct { - factory internalinterfaces.SharedInformerFactory - namespace string - tweakListOptions internalinterfaces.TweakListOptionsFunc -} - -// New returns a new Interface. -func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakListOptions internalinterfaces.TweakListOptionsFunc) Interface { - return &group{factory: f, namespace: namespace, tweakListOptions: tweakListOptions} -} - -// V1alpha1 returns a new v1alpha1.Interface. -func (g *group) V1alpha1() v1alpha1.Interface { - return v1alpha1.New(g.factory, g.namespace, g.tweakListOptions) -} diff --git a/generated/latest/client/supervisor/informers/externalversions/oauth/v1alpha1/interface.go b/generated/latest/client/supervisor/informers/externalversions/oauth/v1alpha1/interface.go deleted file mode 100644 index 48e12497..00000000 --- a/generated/latest/client/supervisor/informers/externalversions/oauth/v1alpha1/interface.go +++ /dev/null 
@@ -1,32 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by informer-gen. DO NOT EDIT. - -package v1alpha1 - -import ( - internalinterfaces "go.pinniped.dev/generated/latest/client/supervisor/informers/externalversions/internalinterfaces" -) - -// Interface provides access to all the informers in this group version. -type Interface interface { - // OIDCClients returns a OIDCClientInformer. - OIDCClients() OIDCClientInformer -} - -type version struct { - factory internalinterfaces.SharedInformerFactory - namespace string - tweakListOptions internalinterfaces.TweakListOptionsFunc -} - -// New returns a new Interface. -func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakListOptions internalinterfaces.TweakListOptionsFunc) Interface { - return &version{factory: f, namespace: namespace, tweakListOptions: tweakListOptions} -} - -// OIDCClients returns a OIDCClientInformer. -func (v *version) OIDCClients() OIDCClientInformer { - return &oIDCClientInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions} -} diff --git a/generated/latest/client/supervisor/listers/config/v1alpha1/expansion_generated.go b/generated/latest/client/supervisor/listers/config/v1alpha1/expansion_generated.go index d59892c4..bda2f20e 100644 --- a/generated/latest/client/supervisor/listers/config/v1alpha1/expansion_generated.go +++ b/generated/latest/client/supervisor/listers/config/v1alpha1/expansion_generated.go 
@@ -12,3 +12,11 @@ type FederationDomainListerExpansion interface{} // FederationDomainNamespaceListerExpansion allows custom methods to be added to // FederationDomainNamespaceLister. type FederationDomainNamespaceListerExpansion interface{} + +// OIDCClientListerExpansion allows custom methods to be added to +// OIDCClientLister. +type OIDCClientListerExpansion interface{} + +// OIDCClientNamespaceListerExpansion allows custom methods to be added to +// OIDCClientNamespaceLister. +type OIDCClientNamespaceListerExpansion interface{} diff --git a/generated/latest/client/supervisor/listers/config/v1alpha1/oidcclient.go b/generated/latest/client/supervisor/listers/config/v1alpha1/oidcclient.go new file mode 100644 index 00000000..34297ee1 --- /dev/null +++ b/generated/latest/client/supervisor/listers/config/v1alpha1/oidcclient.go 
@@ -0,0 +1,86 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by lister-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + v1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/config/v1alpha1" + "k8s.io/apimachinery/pkg/api/errors" + "k8s.io/apimachinery/pkg/labels" + "k8s.io/client-go/tools/cache" +) + +// OIDCClientLister helps list OIDCClients. +// All objects returned here must be treated as read-only. +type OIDCClientLister interface { + // List lists all OIDCClients in the indexer. + // Objects returned here must be treated as read-only. + List(selector labels.Selector) (ret []*v1alpha1.OIDCClient, err error) + // OIDCClients returns an object that can list and get OIDCClients. + OIDCClients(namespace string) OIDCClientNamespaceLister + OIDCClientListerExpansion +} + +// oIDCClientLister implements the OIDCClientLister interface. +type oIDCClientLister struct { + indexer cache.Indexer +} + +// NewOIDCClientLister returns a new OIDCClientLister. +func NewOIDCClientLister(indexer cache.Indexer) OIDCClientLister { + return &oIDCClientLister{indexer: indexer} +} + +// List lists all OIDCClients in the indexer. +func (s *oIDCClientLister) List(selector labels.Selector) (ret []*v1alpha1.OIDCClient, err error) { + err = cache.ListAll(s.indexer, selector, func(m interface{}) { + ret = append(ret, m.(*v1alpha1.OIDCClient)) + }) + return ret, err +} + +// OIDCClients returns an object that can list and get OIDCClients. +func (s *oIDCClientLister) OIDCClients(namespace string) OIDCClientNamespaceLister { + return oIDCClientNamespaceLister{indexer: s.indexer, namespace: namespace} +} + +// OIDCClientNamespaceLister helps list and get OIDCClients. +// All objects returned here must be treated as read-only. +type OIDCClientNamespaceLister interface { + // List lists all OIDCClients in the indexer for a given namespace. + // Objects returned here must be treated as read-only. 
+ List(selector labels.Selector) (ret []*v1alpha1.OIDCClient, err error) + // Get retrieves the OIDCClient from the indexer for a given namespace and name. + // Objects returned here must be treated as read-only. + Get(name string) (*v1alpha1.OIDCClient, error) + OIDCClientNamespaceListerExpansion +} + +// oIDCClientNamespaceLister implements the OIDCClientNamespaceLister +// interface. +type oIDCClientNamespaceLister struct { + indexer cache.Indexer + namespace string +} + +// List lists all OIDCClients in the indexer for a given namespace. +func (s oIDCClientNamespaceLister) List(selector labels.Selector) (ret []*v1alpha1.OIDCClient, err error) { + err = cache.ListAllByNamespace(s.indexer, s.namespace, selector, func(m interface{}) { + ret = append(ret, m.(*v1alpha1.OIDCClient)) + }) + return ret, err +} + +// Get retrieves the OIDCClient from the indexer for a given namespace and name. +func (s oIDCClientNamespaceLister) Get(name string) (*v1alpha1.OIDCClient, error) { + obj, exists, err := s.indexer.GetByKey(s.namespace + "/" + name) + if err != nil { + return nil, err + } + if !exists { + return nil, errors.NewNotFound(v1alpha1.Resource("oidcclient"), name) + } + return obj.(*v1alpha1.OIDCClient), nil +} diff --git a/generated/latest/client/supervisor/listers/oauth/v1alpha1/expansion_generated.go b/generated/latest/client/supervisor/listers/oauth/v1alpha1/expansion_generated.go deleted file mode 100644 index c19310da..00000000 --- a/generated/latest/client/supervisor/listers/oauth/v1alpha1/expansion_generated.go +++ /dev/null 
@@ -1,14 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by lister-gen. DO NOT EDIT. - -package v1alpha1 - -// OIDCClientListerExpansion allows custom methods to be added to -// OIDCClientLister. -type OIDCClientListerExpansion interface{} - -// OIDCClientNamespaceListerExpansion allows custom methods to be added to -// OIDCClientNamespaceLister. -type OIDCClientNamespaceListerExpansion interface{} diff --git a/generated/latest/client/supervisor/listers/oauth/v1alpha1/oidcclient.go b/generated/latest/client/supervisor/listers/oauth/v1alpha1/oidcclient.go deleted file mode 100644 index 189936b6..00000000 --- a/generated/latest/client/supervisor/listers/oauth/v1alpha1/oidcclient.go +++ /dev/null 
@@ -1,86 +0,0 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Code generated by lister-gen. DO NOT EDIT. - -package v1alpha1 - -import ( - v1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/oauth/v1alpha1" - "k8s.io/apimachinery/pkg/api/errors" - "k8s.io/apimachinery/pkg/labels" - "k8s.io/client-go/tools/cache" -) - -// OIDCClientLister helps list OIDCClients. -// All objects returned here must be treated as read-only. -type OIDCClientLister interface { - // List lists all OIDCClients in the indexer. - // Objects returned here must be treated as read-only. - List(selector labels.Selector) (ret []*v1alpha1.OIDCClient, err error) - // OIDCClients returns an object that can list and get OIDCClients. - OIDCClients(namespace string) OIDCClientNamespaceLister - OIDCClientListerExpansion -} - -// oIDCClientLister implements the OIDCClientLister interface. -type oIDCClientLister struct { - indexer cache.Indexer -} - -// NewOIDCClientLister returns a new OIDCClientLister. -func NewOIDCClientLister(indexer cache.Indexer) OIDCClientLister { - return &oIDCClientLister{indexer: indexer} -} - -// List lists all OIDCClients in the indexer. -func (s *oIDCClientLister) List(selector labels.Selector) (ret []*v1alpha1.OIDCClient, err error) { - err = cache.ListAll(s.indexer, selector, func(m interface{}) { - ret = append(ret, m.(*v1alpha1.OIDCClient)) - }) - return ret, err -} - -// OIDCClients returns an object that can list and get OIDCClients. -func (s *oIDCClientLister) OIDCClients(namespace string) OIDCClientNamespaceLister { - return oIDCClientNamespaceLister{indexer: s.indexer, namespace: namespace} -} - -// OIDCClientNamespaceLister helps list and get OIDCClients. -// All objects returned here must be treated as read-only. -type OIDCClientNamespaceLister interface { - // List lists all OIDCClients in the indexer for a given namespace. - // Objects returned here must be treated as read-only. 
- List(selector labels.Selector) (ret []*v1alpha1.OIDCClient, err error) - // Get retrieves the OIDCClient from the indexer for a given namespace and name. - // Objects returned here must be treated as read-only. - Get(name string) (*v1alpha1.OIDCClient, error) - OIDCClientNamespaceListerExpansion -} - -// oIDCClientNamespaceLister implements the OIDCClientNamespaceLister -// interface. -type oIDCClientNamespaceLister struct { - indexer cache.Indexer - namespace string -} - -// List lists all OIDCClients in the indexer for a given namespace. -func (s oIDCClientNamespaceLister) List(selector labels.Selector) (ret []*v1alpha1.OIDCClient, err error) { - err = cache.ListAllByNamespace(s.indexer, s.namespace, selector, func(m interface{}) { - ret = append(ret, m.(*v1alpha1.OIDCClient)) - }) - return ret, err -} - -// Get retrieves the OIDCClient from the indexer for a given namespace and name. -func (s oIDCClientNamespaceLister) Get(name string) (*v1alpha1.OIDCClient, error) { - obj, exists, err := s.indexer.GetByKey(s.namespace + "/" + name) - if err != nil { - return nil, err - } - if !exists { - return nil, errors.NewNotFound(v1alpha1.Resource("oidcclient"), name) - } - return obj.(*v1alpha1.OIDCClient), nil -} diff --git a/hack/lib/update-codegen.sh b/hack/lib/update-codegen.sh index f50499ad..59a0887b 100755 --- a/hack/lib/update-codegen.sh +++ b/hack/lib/update-codegen.sh 
@@ -124,7 +124,7 @@ echo "generating API-related code for our public API groups..." "deepcopy" \ "${BASE_PKG}/generated/${KUBE_MINOR_VERSION}/apis" \ "${BASE_PKG}/generated/${KUBE_MINOR_VERSION}/apis" \ - "supervisor/config:v1alpha1 supervisor/idp:v1alpha1 supervisor/oauth:v1alpha1 concierge/config:v1alpha1 concierge/authentication:v1alpha1 concierge/login:v1alpha1 concierge/identity:v1alpha1" \ + "supervisor/config:v1alpha1 supervisor/idp:v1alpha1 concierge/config:v1alpha1 concierge/authentication:v1alpha1 concierge/login:v1alpha1 concierge/identity:v1alpha1" \ --go-header-file "${ROOT}/hack/boilerplate.go.txt" -v "$debug_level" 2>&1 | sed "s|^|gen-api > |" ) @@ -160,7 +160,7 @@ echo "generating client code for our public API groups..." "client,lister,informer" \ "${BASE_PKG}/generated/${KUBE_MINOR_VERSION}/client/supervisor" \ "${BASE_PKG}/generated/${KUBE_MINOR_VERSION}/apis" \ - "supervisor/config:v1alpha1 supervisor/idp:v1alpha1 supervisor/oauth:v1alpha1" \ + "supervisor/config:v1alpha1 supervisor/idp:v1alpha1" \ --go-header-file "${ROOT}/hack/boilerplate.go.txt" -v "$debug_level" 2>&1 | sed "s|^|gen-client > |" ) @@ -181,7 +181,6 @@ crd-ref-docs \ (cd apis && controller-gen paths=./supervisor/config/v1alpha1 crd output:crd:artifacts:config=../crds && controller-gen paths=./supervisor/idp/v1alpha1 crd output:crd:artifacts:config=../crds && - controller-gen paths=./supervisor/oauth/v1alpha1 crd output:crd:artifacts:config=../crds && controller-gen paths=./concierge/config/v1alpha1 crd output:crd:artifacts:config=../crds && controller-gen paths=./concierge/authentication/v1alpha1 crd output:crd:artifacts:config=../crds ) diff --git a/test/integration/kube_api_discovery_test.go b/test/integration/kube_api_discovery_test.go index c0d243cf..e375bc75 100644 --- a/test/integration/kube_api_discovery_test.go +++ b/test/integration/kube_api_discovery_test.go 
@@ -53,7 +53,6 @@ func TestGetAPIResourceList(t *testing.T) { configConciergeGV := makeGV("config", "concierge") idpSupervisorGV := makeGV("idp", "supervisor") configSupervisorGV := makeGV("config", "supervisor") - oauthSupervisorGV := makeGV("oauth", "supervisor") tests := []struct { group metav1.APIGroup @@ -141,25 +140,6 @@ func TestGetAPIResourceList(t *testing.T) { Kind: "FederationDomain", Verbs: []string{"get", "patch", "update"}, }, - }, - }, - }, - { - group: metav1.APIGroup{ - Name: oauthSupervisorGV.Group, - Versions: []metav1.GroupVersionForDiscovery{ - { - GroupVersion: oauthSupervisorGV.String(), - Version: oauthSupervisorGV.Version, - }, - }, - PreferredVersion: metav1.GroupVersionForDiscovery{ - GroupVersion: oauthSupervisorGV.String(), - Version: oauthSupervisorGV.Version, - }, - }, - resourceByVersion: map[string][]metav1.APIResource{ - oauthSupervisorGV.String(): { { Name: "oidcclients", SingularName: "oidcclient", @@ -518,7 +498,7 @@ func TestCRDAdditionalPrinterColumns_Parallel(t *testing.T) { {Name: "Age", Type: "date", JSONPath: ".metadata.creationTimestamp"}, }, }, - addSuffix("oidcclients.oauth.supervisor"): { + addSuffix("oidcclients.config.supervisor"): { "v1alpha1": []apiextensionsv1.CustomResourceColumnDefinition{ {Name: "Age", Type: "date", JSONPath: ".metadata.creationTimestamp"}, }, From 4d0c2e16f4b89a65a9ca1f7ee543a56d3a905a95 Mon Sep 17 00:00:00 2001 From: Margo Crawford Date: Wed, 15 Jun 2022 08:00:17 -0700 Subject: [PATCH 16/61] require groups scope to get groups back from supervisor 
Signed-off-by: Margo Crawford --- internal/oidc/auth/auth_handler.go | 6 +- internal/oidc/auth/auth_handler_test.go | 10 +-- internal/oidc/callback/callback_handler.go | 5 +- .../oidc/callback/callback_handler_test.go | 75 +++++++++++++++++-- .../oidc/clientregistry/clientregistry.go | 3 +- .../clientregistry/clientregistry_test.go | 7 +- .../downstreamsession/downstream_session.go | 17 +++-- internal/oidc/login/post_login_handler.go | 8 +- .../oidc/login/post_login_handler_test.go | 33 +++++++- internal/oidc/oidc.go | 8 ++ .../testutil/oidctestutil/oidctestutil.go | 16 +++- test/integration/e2e_test.go | 28 +++++-- test/integration/supervisor_login_test.go | 4 +- 13 files changed, 172 insertions(+), 48 deletions(-) diff --git a/internal/oidc/auth/auth_handler.go b/internal/oidc/auth/auth_handler.go index 698ea7f3..67b1581b 100644 --- a/internal/oidc/auth/auth_handler.go +++ b/internal/oidc/auth/auth_handler.go @@ -146,7 +146,7 @@ func handleAuthRequestForLDAPUpstreamCLIFlow( username = authenticateResponse.User.GetName() groups := authenticateResponse.User.GetGroups() customSessionData := downstreamsession.MakeDownstreamLDAPOrADCustomSessionData(ldapUpstream, idpType, authenticateResponse) - openIDSession := downstreamsession.MakeDownstreamSession(subject, username, groups, customSessionData) + openIDSession := downstreamsession.MakeDownstreamSession(subject, username, groups, authorizeRequester.GetGrantedScopes(), customSessionData) oidc.PerformAuthcodeRedirect(r, w, oauthHelper, authorizeRequester, openIDSession, true) return nil @@ -243,7 +243,7 @@ func handleAuthRequestForOIDCUpstreamPasswordGrant( return nil } - openIDSession := downstreamsession.MakeDownstreamSession(subject, username, groups, customSessionData) + openIDSession := downstreamsession.MakeDownstreamSession(subject, username, groups, authorizeRequester.GetGrantedScopes(), customSessionData) oidc.PerformAuthcodeRedirect(r, w, oauthHelper, authorizeRequester, openIDSession, true) 
@@ -334,7 +334,7 @@ func newAuthorizeRequest(r *http.Request, w http.ResponseWriter, oauthHelper fos // Grant the openid scope (for now) if they asked for it so that `NewAuthorizeResponse` will perform its OIDC validations. // There don't seem to be any validations inside `NewAuthorizeResponse` related to the offline_access scope // at this time, however we will temporarily grant the scope just in case that changes in a future release of fosite. - downstreamsession.GrantScopesIfRequested(authorizeRequester) + downstreamsession.GrantScopesIfRequested(authorizeRequester, []string{coreosoidc.ScopeOpenID, coreosoidc.ScopeOfflineAccess, oidc.RequestAudienceScope, oidc.DownstreamGroupsScope}) return authorizeRequester, true } diff --git a/internal/oidc/auth/auth_handler_test.go b/internal/oidc/auth/auth_handler_test.go index 11431a0b..8847d8c4 100644 --- a/internal/oidc/auth/auth_handler_test.go +++ b/internal/oidc/auth/auth_handler_test.go @@ -375,8 +375,8 @@ func TestAuthorizationEndpoint(t *testing.T) { return urlToReturn } - happyDownstreamScopesRequested := []string{"openid", "profile", "email"} - happyDownstreamScopesGranted := []string{"openid"} + happyDownstreamScopesRequested := []string{"openid", "profile", "email", "groups"} + happyDownstreamScopesGranted := []string{"openid", "groups"} happyGetRequestQueryMap := map[string]string{ "response_type": "code", @@ -495,7 +495,7 @@ func TestAuthorizationEndpoint(t *testing.T) { } // Note that fosite puts the granted scopes as a param in the redirect URI even though the spec doesn't seem to require it - happyAuthcodeDownstreamRedirectLocationRegexp := downstreamRedirectURI + `\?code=([^&]+)&scope=openid&state=` + happyState + happyAuthcodeDownstreamRedirectLocationRegexp := downstreamRedirectURI + `\?code=([^&]+)&scope=openid\+groups&state=` + happyState incomingCookieCSRFValue := "csrf-value-from-cookie" encodedIncomingCookieCSRFValue, err := happyCookieEncoder.Encode("csrf", incomingCookieCSRFValue) 
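Review bot: The auto-granted scope list `[]string{coreosoidc.ScopeOpenID, coreosoidc.ScopeOfflineAccess, oidc.RequestAudienceScope, oidc.DownstreamGroupsScope}` is spelled out verbatim at this call site and again, identically, in the callback handler (callback_handler.go @@ -52) and the POST login handler (post_login_handler.go @@ -44), so the three endpoints can drift apart in which scopes they grant without end-user consent. Declaring it once next to the function that consumes it, e.g. `var AutoGrantedScopes = []string{coreosoidc.ScopeOpenID, coreosoidc.ScopeOfflineAccess, oidc.RequestAudienceScope, oidc.DownstreamGroupsScope}` in downstreamsession, and passing that from each handler keeps the consent policy in one place. The three comment lines above the call still describe only the openid and offline_access grants; they should mention that pinniped:request-audience and groups are auto-granted here as well. newAuthorizeRequest's body begins outside the hunk.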
@@ -957,7 +957,7 @@ func TestAuthorizationEndpoint(t *testing.T) { wantPasswordGrantCall: happyUpstreamPasswordGrantMockExpectation, wantStatus: http.StatusFound, wantContentType: htmlContentType, - wantRedirectLocationRegexp: downstreamRedirectURIWithDifferentPort + `\?code=([^&]+)&scope=openid&state=` + happyState, + wantRedirectLocationRegexp: downstreamRedirectURIWithDifferentPort + `\?code=([^&]+)&scope=openid\+groups&state=` + happyState, wantDownstreamIDTokenSubject: oidcUpstreamIssuer + "?sub=" + oidcUpstreamSubjectQueryEscaped, wantDownstreamIDTokenUsername: oidcUpstreamUsername, wantDownstreamIDTokenGroups: oidcUpstreamGroupMembership, @@ -980,7 +980,7 @@ func TestAuthorizationEndpoint(t *testing.T) { customPasswordHeader: pointer.StringPtr(happyLDAPPassword), wantStatus: http.StatusFound, wantContentType: htmlContentType, - wantRedirectLocationRegexp: downstreamRedirectURIWithDifferentPort + `\?code=([^&]+)&scope=openid&state=` + happyState, + wantRedirectLocationRegexp: downstreamRedirectURIWithDifferentPort + `\?code=([^&]+)&scope=openid\+groups&state=` + happyState, wantDownstreamIDTokenSubject: upstreamLDAPURL + "&sub=" + happyLDAPUID, wantDownstreamIDTokenUsername: happyLDAPUsernameFromAuthenticator, wantDownstreamIDTokenGroups: happyLDAPGroups, diff --git a/internal/oidc/callback/callback_handler.go b/internal/oidc/callback/callback_handler.go index bcb8bf1b..683de017 100644 --- a/internal/oidc/callback/callback_handler.go +++ b/internal/oidc/callback/callback_handler.go @@ -8,6 +8,7 @@ import ( "net/http" "net/url" + coreosoidc "github.com/coreos/go-oidc/v3/oidc" "github.com/ory/fosite" "go.pinniped.dev/internal/httputil/httperr" 
@@ -52,7 +53,7 @@ func NewHandler( } // Automatically grant the openid, offline_access, and pinniped:request-audience scopes, but only if they were requested. - downstreamsession.GrantScopesIfRequested(authorizeRequester) + downstreamsession.GrantScopesIfRequested(authorizeRequester, []string{coreosoidc.ScopeOpenID, coreosoidc.ScopeOfflineAccess, oidc.RequestAudienceScope, oidc.DownstreamGroupsScope}) token, err := upstreamIDPConfig.ExchangeAuthcodeAndValidateTokens( r.Context(), @@ -76,7 +77,7 @@ func NewHandler( return httperr.Wrap(http.StatusUnprocessableEntity, err.Error(), err) } - openIDSession := downstreamsession.MakeDownstreamSession(subject, username, groups, customSessionData) + openIDSession := downstreamsession.MakeDownstreamSession(subject, username, groups, authorizeRequester.GetGrantedScopes(), customSessionData) authorizeResponder, err := oauthHelper.NewAuthorizeResponse(r.Context(), authorizeRequester, openIDSession) if err != nil { diff --git a/internal/oidc/callback/callback_handler_test.go b/internal/oidc/callback/callback_handler_test.go index d8f08822..8230e4c8 100644 --- a/internal/oidc/callback/callback_handler_test.go +++ b/internal/oidc/callback/callback_handler_test.go @@ -62,8 +62,8 @@ const ( var ( oidcUpstreamGroupMembership = []string{"test-pinniped-group-0", "test-pinniped-group-1"} - happyDownstreamScopesRequested = []string{"openid"} - happyDownstreamScopesGranted = []string{"openid"} + happyDownstreamScopesRequested = []string{"openid", "groups"} + happyDownstreamScopesGranted = []string{"openid", "groups"} happyDownstreamRequestParamsQuery = url.Values{ "response_type": []string{"code"}, 
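Review bot: The comment `// Automatically grant the openid, offline_access, and pinniped:request-audience scopes, but only if they were requested.` above the changed line is now stale, since the list passed in also contains `oidc.DownstreamGroupsScope`, so the groups scope is auto-granted here too. The post_login_handler.go hunk in this same commit already updated its copy of the comment; use the same wording here, `// Automatically grant the openid, offline_access, pinniped:request-audience and groups scopes, but only if they were requested.` The enclosing NewHandler closure starts and ends outside the hunk.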
@@ -133,7 +133,7 @@ func TestCallbackEndpoint(t *testing.T) { } // Note that fosite puts the granted scopes as a param in the redirect URI even though the spec doesn't seem to require it - happyDownstreamRedirectLocationRegexp := downstreamRedirectURI + `\?code=([^&]+)&scope=openid&state=` + happyDownstreamState + happyDownstreamRedirectLocationRegexp := downstreamRedirectURI + `\?code=([^&]+)&scope=openid\+groups&state=` + happyDownstreamState tests := []struct { name string 
@@ -236,6 +236,38 @@ func TestCallbackEndpoint(t *testing.T) { args: happyExchangeAndValidateTokensArgs, }, }, + { + name: "form_post happy path with no groups scope requested", + idps: oidctestutil.NewUpstreamIDPListerBuilder().WithOIDC(happyUpstream().Build()), + method: http.MethodGet, + path: newRequestPath().WithState( + happyUpstreamStateParam().WithAuthorizeRequestParams( + shallowCopyAndModifyQuery( + happyDownstreamRequestParamsQuery, + map[string]string{ + "response_mode": "form_post", + "scope": "openid", + }, + ).Encode(), + ).Build(t, happyStateCodec), + ).String(), + csrfCookie: happyCSRFCookie, + wantStatus: http.StatusOK, + wantContentType: "text/html;charset=UTF-8", + wantBodyFormResponseRegexp: `(.+)`, + wantDownstreamIDTokenSubject: oidcUpstreamIssuer + "?sub=" + oidcUpstreamSubjectQueryEscaped, + wantDownstreamIDTokenUsername: oidcUpstreamUsername, + wantDownstreamRequestedScopes: []string{"openid"}, + wantDownstreamGrantedScopes: []string{"openid"}, + wantDownstreamNonce: downstreamNonce, + wantDownstreamPKCEChallenge: downstreamPKCEChallenge, + wantDownstreamPKCEChallengeMethod: downstreamPKCEChallengeMethod, + wantDownstreamCustomSessionData: happyDownstreamCustomSessionData, + wantAuthcodeExchangeCall: &expectedAuthcodeExchange{ + performedByUpstreamName: happyUpstreamIDPName, + args: happyExchangeAndValidateTokensArgs, + }, + }, { name: "GET with authcode exchange that returns an access token but no refresh token but has a short token lifetime which is stored as a warning in the session", idps: oidctestutil.NewUpstreamIDPListerBuilder().WithOIDC(happyUpstream().WithEmptyRefreshToken().WithAccessToken(oidcUpstreamAccessToken, metav1.NewTime(time.Now().Add(1*time.Hour))).WithUserInfoURL().Build()), 
@@ -683,6 +715,33 @@ func TestCallbackEndpoint(t *testing.T) { name: "state's downstream auth params does not contain openid scope", idps: oidctestutil.NewUpstreamIDPListerBuilder().WithOIDC(happyUpstream().Build()), method: http.MethodGet, + path: newRequestPath(). + WithState( + happyUpstreamStateParam(). + WithAuthorizeRequestParams(shallowCopyAndModifyQuery(happyDownstreamRequestParamsQuery, map[string]string{"scope": "profile email groups"}).Encode()). + Build(t, happyStateCodec), + ).String(), + csrfCookie: happyCSRFCookie, + wantStatus: http.StatusSeeOther, + wantRedirectLocationRegexp: downstreamRedirectURI + `\?code=([^&]+)&scope=groups&state=` + happyDownstreamState, + wantDownstreamIDTokenUsername: oidcUpstreamUsername, + wantDownstreamIDTokenSubject: oidcUpstreamIssuer + "?sub=" + oidcUpstreamSubjectQueryEscaped, + wantDownstreamRequestedScopes: []string{"profile", "email", "groups"}, + wantDownstreamGrantedScopes: []string{"groups"}, + wantDownstreamIDTokenGroups: oidcUpstreamGroupMembership, + wantDownstreamNonce: downstreamNonce, + wantDownstreamPKCEChallenge: downstreamPKCEChallenge, + wantDownstreamPKCEChallengeMethod: downstreamPKCEChallengeMethod, + wantDownstreamCustomSessionData: happyDownstreamCustomSessionData, + wantAuthcodeExchangeCall: &expectedAuthcodeExchange{ + performedByUpstreamName: happyUpstreamIDPName, + args: happyExchangeAndValidateTokensArgs, + }, + }, + { + name: "state's downstream auth params does not contain openid or groups scope", + idps: oidctestutil.NewUpstreamIDPListerBuilder().WithOIDC(happyUpstream().Build()), + method: http.MethodGet, path: newRequestPath(). WithState( happyUpstreamStateParam(). 
@@ -695,7 +754,7 @@ func TestCallbackEndpoint(t *testing.T) { wantDownstreamIDTokenUsername: oidcUpstreamUsername, wantDownstreamIDTokenSubject: oidcUpstreamIssuer + "?sub=" + oidcUpstreamSubjectQueryEscaped, wantDownstreamRequestedScopes: []string{"profile", "email"}, - wantDownstreamIDTokenGroups: oidcUpstreamGroupMembership, + wantDownstreamGrantedScopes: []string{}, wantDownstreamNonce: downstreamNonce, wantDownstreamPKCEChallenge: downstreamPKCEChallenge, wantDownstreamPKCEChallengeMethod: downstreamPKCEChallengeMethod, @@ -712,16 +771,16 @@ func TestCallbackEndpoint(t *testing.T) { path: newRequestPath(). WithState( happyUpstreamStateParam(). - WithAuthorizeRequestParams(shallowCopyAndModifyQuery(happyDownstreamRequestParamsQuery, map[string]string{"scope": "openid offline_access"}).Encode()). + WithAuthorizeRequestParams(shallowCopyAndModifyQuery(happyDownstreamRequestParamsQuery, map[string]string{"scope": "openid offline_access groups"}).Encode()). Build(t, happyStateCodec), ).String(), csrfCookie: happyCSRFCookie, wantStatus: http.StatusSeeOther, - wantRedirectLocationRegexp: downstreamRedirectURI + `\?code=([^&]+)&scope=openid\+offline_access&state=` + happyDownstreamState, + wantRedirectLocationRegexp: downstreamRedirectURI + `\?code=([^&]+)&scope=openid\+offline_access\+groups&state=` + happyDownstreamState, wantDownstreamIDTokenUsername: oidcUpstreamUsername, wantDownstreamIDTokenSubject: oidcUpstreamIssuer + "?sub=" + oidcUpstreamSubjectQueryEscaped, - wantDownstreamRequestedScopes: []string{"openid", "offline_access"}, - wantDownstreamGrantedScopes: []string{"openid", "offline_access"}, + wantDownstreamRequestedScopes: []string{"openid", "offline_access", "groups"}, + wantDownstreamGrantedScopes: []string{"openid", "offline_access", "groups"}, wantDownstreamIDTokenGroups: oidcUpstreamGroupMembership, wantDownstreamNonce: downstreamNonce, wantDownstreamPKCEChallenge: downstreamPKCEChallenge, 
diff --git a/internal/oidc/clientregistry/clientregistry.go b/internal/oidc/clientregistry/clientregistry.go
index c01caa7d..123a3d3a 100644
--- a/internal/oidc/clientregistry/clientregistry.go
+++ b/internal/oidc/clientregistry/clientregistry.go
@@ -1,4 +1,4 @@
-// Copyright 2021 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 // Package clientregistry defines Pinniped's OAuth2/OIDC clients.
@@ -85,6 +85,7 @@ func PinnipedCLI() *Client {
 "profile",
 "email",
 "pinniped:request-audience",
+ "groups",
 },
 Audience: nil,
 Public: true,
diff --git a/internal/oidc/clientregistry/clientregistry_test.go b/internal/oidc/clientregistry/clientregistry_test.go
index 5062f629..ac70aa65 100644
--- a/internal/oidc/clientregistry/clientregistry_test.go
+++ b/internal/oidc/clientregistry/clientregistry_test.go
@@ -1,4 +1,4 @@
-// Copyright 2021 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package clientregistry
@@ -50,7 +50,7 @@ func TestPinnipedCLI(t *testing.T) {
 require.Equal(t, []string{"http://127.0.0.1/callback"}, c.GetRedirectURIs())
 require.Equal(t, fosite.Arguments{"authorization_code", "refresh_token", "urn:ietf:params:oauth:grant-type:token-exchange"}, c.GetGrantTypes())
 require.Equal(t, fosite.Arguments{"code"}, c.GetResponseTypes())
- require.Equal(t, fosite.Arguments{oidc.ScopeOpenID, oidc.ScopeOfflineAccess, "profile", "email", "pinniped:request-audience"}, c.GetScopes())
+ require.Equal(t, fosite.Arguments{oidc.ScopeOpenID, oidc.ScopeOfflineAccess, "profile", "email", "pinniped:request-audience", "groups"}, c.GetScopes())
 require.True(t, c.IsPublic())
 require.Nil(t, c.GetAudience())
 require.Nil(t, c.GetRequestURIs())
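Review bot: The scope list in PinnipedCLI keeps the string literal `"pinniped:request-audience"` and adds another literal, `"groups"`, even though this same commit introduces `oidc.RequestAudienceScope` and `oidc.DownstreamGroupsScope` for exactly these two values. Using the constants here, `oidc.RequestAudienceScope,` and `oidc.DownstreamGroupsScope,`, ties the set of scopes the CLI client may request to the set the handlers auto-grant, so a typo in one place cannot silently desynchronise them. That presumes the clientregistry package can import internal/oidc without an import cycle, which the hunk does not show. PinnipedCLI's body starts and ends outside the hunk.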
@@ -82,7 +82,8 @@ func TestPinnipedCLI(t *testing.T) {
 "offline_access",
 "profile",
 "email",
- "pinniped:request-audience"
+ "pinniped:request-audience",
+ "groups"
 ],
 "audience": null,
 "public": true,
diff --git a/internal/oidc/downstreamsession/downstream_session.go b/internal/oidc/downstreamsession/downstream_session.go
index 2343c833..d5783e5e 100644
--- a/internal/oidc/downstreamsession/downstream_session.go
+++ b/internal/oidc/downstreamsession/downstream_session.go
@@ -10,7 +10,8 @@ import (
 "net/url"
 "time"
 
- coreosoidc "github.com/coreos/go-oidc/v3/oidc"
+ "k8s.io/utils/strings/slices"
+
 "github.com/ory/fosite"
 "github.com/ory/fosite/handler/openid"
 "github.com/ory/fosite/token/jwt"
@@ -40,7 +41,7 @@ const (
 )
 
 // MakeDownstreamSession creates a downstream OIDC session.
-func MakeDownstreamSession(subject string, username string, groups []string, custom *psession.CustomSessionData) *psession.PinnipedSession {
+func MakeDownstreamSession(subject string, username string, groups []string, grantedScopes []string, custom *psession.CustomSessionData) *psession.PinnipedSession {
 now := time.Now().UTC()
 openIDSession := &psession.PinnipedSession{
 Fosite: &openid.DefaultSession{
@@ -57,7 +58,9 @@ func MakeDownstreamSession(subject string, username string, groups []string, cus
 }
 openIDSession.IDTokenClaims().Extra = map[string]interface{}{
 oidc.DownstreamUsernameClaim: username,
- oidc.DownstreamGroupsClaim: groups,
+ }
+ if slices.Contains(grantedScopes, oidc.DownstreamGroupsScope) {
+ openIDSession.IDTokenClaims().Extra[oidc.DownstreamGroupsClaim] = groups
 }
 return openIDSession
 }
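Review bot: MakeDownstreamSession's doc comment `// MakeDownstreamSession creates a downstream OIDC session.` (context in the @@ -40 hunk) says nothing about the new grantedScopes parameter or about the behaviour added in the @@ -57 hunk, where the groups claim is left out of the ID token unless `oidc.DownstreamGroupsScope` is among the granted scopes; a caller cannot tell from the signature that passing the requested rather than the granted scopes would leak group membership to a client that was never granted it. Suggest `// MakeDownstreamSession creates a downstream OIDC session. grantedScopes must be the scopes actually granted on the authorize request; the groups claim is only added to the ID token when it contains the groups scope.` Separately, in the @@ -10 import hunk `"k8s.io/utils/strings/slices"` is placed ahead of the `github.com/ory/fosite` imports within the third-party group, which goimports would sort after them; the same out-of-order grouping appears in the oidctestutil.go @@ -14 hunk further down.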
@@ -147,10 +150,10 @@ func MakeDownstreamOIDCCustomSessionData(oidcUpstream provider.UpstreamOIDCIdent
 }
 
 // GrantScopesIfRequested auto-grants the scopes for which we do not require end-user approval, if they were requested.
-func GrantScopesIfRequested(authorizeRequester fosite.AuthorizeRequester) {
- oidc.GrantScopeIfRequested(authorizeRequester, coreosoidc.ScopeOpenID)
- oidc.GrantScopeIfRequested(authorizeRequester, coreosoidc.ScopeOfflineAccess)
- oidc.GrantScopeIfRequested(authorizeRequester, "pinniped:request-audience")
+func GrantScopesIfRequested(authorizeRequester fosite.AuthorizeRequester, scopes []string) {
+ for _, scope := range scopes {
+ oidc.GrantScopeIfRequested(authorizeRequester, scope)
+ }
 }
 
 // GetDownstreamIdentityFromUpstreamIDToken returns the mapped subject, username, and group names, in that order.
diff --git a/internal/oidc/login/post_login_handler.go b/internal/oidc/login/post_login_handler.go
index 5eb3a2e0..fdc480c0 100644
--- a/internal/oidc/login/post_login_handler.go
+++ b/internal/oidc/login/post_login_handler.go
@@ -7,6 +7,8 @@ import (
 "net/http"
 "net/url"
 
+ coreosoidc "github.com/coreos/go-oidc/v3/oidc"
+
 "github.com/ory/fosite"
 
 "go.pinniped.dev/internal/httputil/httperr"
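Review bot: The doc comment `// GrantScopesIfRequested auto-grants the scopes for which we do not require end-user approval, if they were requested.` no longer describes the function: the set of consent-free scopes is now chosen by each caller, and nothing in the loop stops a caller from passing a scope that ought to require approval. The comment should state that contract so the responsibility is visible at the call sites, e.g. `// GrantScopesIfRequested grants each of the given scopes that was also requested. Callers must pass only scopes for which end-user approval is not required.` If the list is the same at every caller, a package-level default alongside this function would make the comment's promise enforceable rather than advisory.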
@@ -44,8 +46,8 @@ func NewPostHandler(issuerURL string, upstreamIDPs oidc.UpstreamIdentityProvider return httperr.New(http.StatusBadRequest, "error using state downstream auth params") } - // Automatically grant the openid, offline_access, and pinniped:request-audience scopes, but only if they were requested. - downstreamsession.GrantScopesIfRequested(authorizeRequester) + // Automatically grant the openid, offline_access, pinniped:request-audience and groups scopes, but only if they were requested. + downstreamsession.GrantScopesIfRequested(authorizeRequester, []string{coreosoidc.ScopeOpenID, coreosoidc.ScopeOfflineAccess, oidc.RequestAudienceScope, oidc.DownstreamGroupsScope}) // Get the username and password form params from the POST body. username := r.PostFormValue(usernameParamName) @@ -80,7 +82,7 @@ func NewPostHandler(issuerURL string, upstreamIDPs oidc.UpstreamIdentityProvider username = authenticateResponse.User.GetName() groups := authenticateResponse.User.GetGroups() customSessionData := downstreamsession.MakeDownstreamLDAPOrADCustomSessionData(ldapUpstream, idpType, authenticateResponse) - openIDSession := downstreamsession.MakeDownstreamSession(subject, username, groups, customSessionData) + openIDSession := downstreamsession.MakeDownstreamSession(subject, username, groups, authorizeRequester.GetGrantedScopes(), customSessionData) oidc.PerformAuthcodeRedirect(r, w, oauthHelper, authorizeRequester, openIDSession, false) return nil diff --git a/internal/oidc/login/post_login_handler_test.go b/internal/oidc/login/post_login_handler_test.go index 267c5e08..e6f44cc2 100644 --- a/internal/oidc/login/post_login_handler_test.go +++ b/internal/oidc/login/post_login_handler_test.go 
@@ -82,8 +82,8 @@ func TestPostLoginEndpoint(t *testing.T) { } ) - happyDownstreamScopesRequested := []string{"openid"} - happyDownstreamScopesGranted := []string{"openid"} + happyDownstreamScopesRequested := []string{"openid", "groups"} + happyDownstreamScopesGranted := []string{"openid", "groups"} happyDownstreamRequestParamsQuery := url.Values{ "response_type": []string{"code"}, @@ -211,7 +211,7 @@ func TestPostLoginEndpoint(t *testing.T) { } // Note that fosite puts the granted scopes as a param in the redirect URI even though the spec doesn't seem to require it - happyAuthcodeDownstreamRedirectLocationRegexp := downstreamRedirectURI + `\?code=([^&]+)&scope=openid&state=` + happyDownstreamState + happyAuthcodeDownstreamRedirectLocationRegexp := downstreamRedirectURI + `\?code=([^&]+)&scope=openid\+groups&state=` + happyDownstreamState happyUsernamePasswordFormParams := url.Values{userParam: []string{happyLDAPUsername}, passParam: []string{happyLDAPPassword}} @@ -348,7 +348,7 @@ func TestPostLoginEndpoint(t *testing.T) { wantStatus: http.StatusSeeOther, wantContentType: htmlContentType, wantBodyString: "", - wantRedirectLocationRegexp: "http://127.0.0.1:4242/callback" + `\?code=([^&]+)&scope=openid&state=` + happyDownstreamState, + wantRedirectLocationRegexp: "http://127.0.0.1:4242/callback" + `\?code=([^&]+)&scope=openid\+groups&state=` + happyDownstreamState, wantDownstreamIDTokenSubject: upstreamLDAPURL + "&sub=" + happyLDAPUID, wantDownstreamIDTokenUsername: happyLDAPUsernameFromAuthenticator, wantDownstreamIDTokenGroups: happyLDAPGroups, 
@@ -410,6 +410,31 @@ func TestPostLoginEndpoint(t *testing.T) { wantDownstreamPKCEChallengeMethod: downstreamPKCEChallengeMethod, wantDownstreamCustomSessionData: expectedHappyLDAPUpstreamCustomSession, }, + { + name: "happy LDAP login when groups scope is not requested", + idps: oidctestutil.NewUpstreamIDPListerBuilder(). + WithLDAP(&upstreamLDAPIdentityProvider). // should pick this one + WithActiveDirectory(&erroringUpstreamLDAPIdentityProvider), + decodedState: modifyHappyLDAPDecodedState(func(data *oidc.UpstreamStateParamData) { + query := copyOfHappyDownstreamRequestParamsQuery() + query["scope"] = []string{"openid"} + data.AuthParams = query.Encode() + }), + formParams: happyUsernamePasswordFormParams, + wantStatus: http.StatusSeeOther, + wantContentType: htmlContentType, + wantBodyString: "", + wantRedirectLocationRegexp: downstreamRedirectURI + `\?code=([^&]+)&scope=openid&state=` + happyDownstreamState, + wantDownstreamIDTokenSubject: upstreamLDAPURL + "&sub=" + happyLDAPUID, + wantDownstreamIDTokenUsername: happyLDAPUsernameFromAuthenticator, + wantDownstreamRequestedScopes: []string{"openid"}, + wantDownstreamRedirectURI: downstreamRedirectURI, + wantDownstreamGrantedScopes: []string{"openid"}, + wantDownstreamNonce: downstreamNonce, + wantDownstreamPKCEChallenge: downstreamPKCEChallenge, + wantDownstreamPKCEChallengeMethod: downstreamPKCEChallengeMethod, + wantDownstreamCustomSessionData: expectedHappyLDAPUpstreamCustomSession, + }, { name: "bad username LDAP login", idps: oidctestutil.NewUpstreamIDPListerBuilder().WithLDAP(&upstreamLDAPIdentityProvider), diff --git a/internal/oidc/oidc.go b/internal/oidc/oidc.go index 79380df7..0b8df785 100644 --- a/internal/oidc/oidc.go +++ b/internal/oidc/oidc.go 
@@ -76,6 +76,14 @@ const (
 // information.
 DownstreamGroupsClaim = "groups"
 
+ // DownstreamGroupsScope is a custom scope that determines whether the
+ // groups claim will be returned in ID tokens.
+ DownstreamGroupsScope = "groups"
+
+ // RequestAudienceScope is a custom scope that determines whether a RFC8693 token
+ // exchange is allowed to request a different audience.
+ RequestAudienceScope = "pinniped:request-audience"
+
 // CSRFCookieLifespan is the length of time that the CSRF cookie is valid. After this time, the
 // Supervisor's authorization endpoint should give the browser a new CSRF cookie. We set it to
 // a week so that it is unlikely to expire during a login.
diff --git a/internal/testutil/oidctestutil/oidctestutil.go b/internal/testutil/oidctestutil/oidctestutil.go
index c408ada9..f5598edc 100644
--- a/internal/testutil/oidctestutil/oidctestutil.go
+++ b/internal/testutil/oidctestutil/oidctestutil.go
@@ -14,6 +14,8 @@ import (
 "testing"
 "time"
 
+ "k8s.io/utils/strings/slices"
+
 coreosoidc "github.com/coreos/go-oidc/v3/oidc"
 "github.com/gorilla/securecookie"
 "github.com/ory/fosite"
@@ -1063,10 +1065,16 @@ func validateAuthcodeStorage( // Check the user's identity, which are put into the downstream ID token's subject, username and groups claims. require.Equal(t, wantDownstreamIDTokenSubject, actualClaims.Subject) require.Equal(t, wantDownstreamIDTokenUsername, actualClaims.Extra["username"]) - require.Len(t, actualClaims.Extra, 2) - actualDownstreamIDTokenGroups := actualClaims.Extra["groups"] - require.NotNil(t, actualDownstreamIDTokenGroups) - require.ElementsMatch(t, wantDownstreamIDTokenGroups, actualDownstreamIDTokenGroups) + if slices.Contains(wantDownstreamGrantedScopes, "groups") { + require.Len(t, actualClaims.Extra, 2) + actualDownstreamIDTokenGroups := actualClaims.Extra["groups"] + require.NotNil(t, actualDownstreamIDTokenGroups) + require.ElementsMatch(t, wantDownstreamIDTokenGroups, actualDownstreamIDTokenGroups) + } else { + require.Len(t, actualClaims.Extra, 1) + actualDownstreamIDTokenGroups := actualClaims.Extra["groups"] + require.Nil(t, actualDownstreamIDTokenGroups) + } // Check the rest of the downstream ID token's claims. Fosite wants us to set these (in UTC time). testutil.RequireTimeInDelta(t, time.Now().UTC(), actualClaims.RequestedAt, timeComparisonFudgeFactor) diff --git a/test/integration/e2e_test.go b/test/integration/e2e_test.go index 9bafffde..b2305da8 100644 --- a/test/integration/e2e_test.go +++ b/test/integration/e2e_test.go @@ -170,6 +170,7 @@ func TestE2EFullIntegration_Browser(t *testing.T) { "--oidc-skip-browser", "--oidc-ca-bundle", testCABundlePath, "--oidc-session-cache", sessionCachePath, + "--oidc-scopes", "offline_access,openid,pinniped:request-audience,groups", }) // Run "kubectl get namespaces" which should trigger a browser login via the plugin. 
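Review bot: In the new else branch, `actualDownstreamIDTokenGroups := actualClaims.Extra["groups"]` followed by `require.Nil(t, actualDownstreamIDTokenGroups)` is redundant rather than informative: `require.Len(t, actualClaims.Extra, 1)` together with the username assertion just above already proves the map holds nothing but the username, and a nil check would also pass if a "groups" key were present with a nil value. Replacing those two lines with `require.NotContains(t, actualClaims.Extra, "groups")` states the intent directly, that the claim is absent when the scope was not granted. The enclosing validateAuthcodeStorage begins outside the hunk.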
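Review bot: Each CLI invocation in this test now passes `"--oidc-scopes", "offline_access,openid,pinniped:request-audience,groups"` explicitly (the same addition repeats in every e2e hunk on the following lines), which suggests the CLI's default scope set does not yet include groups; the hunk does not show the default itself, so this is inferred. If that is the case, kubeconfigs generated without the flag will stop carrying group membership once this change ships, and a user whose access depends on a group-based binding would see that as a silent loss of authorization rather than an error. Worth confirming that the default list is updated in the same change, or that the new requirement is called out where kubeconfig generation is documented. TestE2EFullIntegration_Browser begins and ends outside the hunk.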
@@ -256,6 +257,7 @@ func TestE2EFullIntegration_Browser(t *testing.T) { "--oidc-skip-listen", "--oidc-ca-bundle", testCABundlePath, "--oidc-session-cache", sessionCachePath, + "--oidc-scopes", "offline_access,openid,pinniped:request-audience,groups", }) // Run "kubectl get namespaces" which should trigger a browser login via the plugin. @@ -381,6 +383,7 @@ func TestE2EFullIntegration_Browser(t *testing.T) { "--oidc-skip-listen", "--oidc-ca-bundle", testCABundlePath, "--oidc-session-cache", sessionCachePath, + "--oidc-scopes", "offline_access,openid,pinniped:request-audience,groups", }) // Run "kubectl get namespaces" which should trigger a browser login via the plugin. @@ -514,6 +517,7 @@ func TestE2EFullIntegration_Browser(t *testing.T) { "--upstream-identity-provider-flow", "cli_password", // create a kubeconfig configured to use the cli_password flow "--oidc-ca-bundle", testCABundlePath, "--oidc-session-cache", sessionCachePath, + "--oidc-scopes", "offline_access,openid,pinniped:request-audience,groups", }) // Run "kubectl get namespaces" which should trigger a browser-less CLI prompt login via the plugin. @@ -594,6 +598,7 @@ func TestE2EFullIntegration_Browser(t *testing.T) { "--upstream-identity-provider-flow", "cli_password", "--oidc-ca-bundle", testCABundlePath, "--oidc-session-cache", sessionCachePath, + "--oidc-scopes", "offline_access,openid,pinniped:request-audience,groups", }) // Run "kubectl get --raw /healthz" which should trigger a browser-less CLI prompt login via the plugin. @@ -655,6 +660,7 @@ func TestE2EFullIntegration_Browser(t *testing.T) { "--concierge-authenticator-type", "jwt", "--concierge-authenticator-name", authenticator.Name, "--oidc-session-cache", sessionCachePath, + "--oidc-scopes", "offline_access,openid,pinniped:request-audience,groups", }) // Run "kubectl get namespaces" which should trigger an LDAP-style login CLI prompt via the plugin. 
@@ -715,6 +721,7 @@ func TestE2EFullIntegration_Browser(t *testing.T) { "--concierge-authenticator-type", "jwt", "--concierge-authenticator-name", authenticator.Name, "--oidc-session-cache", sessionCachePath, + "--oidc-scopes", "offline_access,openid,pinniped:request-audience,groups", }) // Set up the username and password env vars to avoid the interactive prompts. @@ -787,6 +794,7 @@ func TestE2EFullIntegration_Browser(t *testing.T) { "--concierge-authenticator-type", "jwt", "--concierge-authenticator-name", authenticator.Name, "--oidc-session-cache", sessionCachePath, + "--oidc-scopes", "offline_access,openid,pinniped:request-audience,groups", }) // Run "kubectl get namespaces" which should trigger an LDAP-style login CLI prompt via the plugin. @@ -847,6 +855,7 @@ func TestE2EFullIntegration_Browser(t *testing.T) { "--concierge-authenticator-type", "jwt", "--concierge-authenticator-name", authenticator.Name, "--oidc-session-cache", sessionCachePath, + "--oidc-scopes", "offline_access,openid,pinniped:request-audience,groups", }) // Set up the username and password env vars to avoid the interactive prompts. @@ -924,6 +933,7 @@ func TestE2EFullIntegration_Browser(t *testing.T) { "--oidc-ca-bundle", testCABundlePath, "--upstream-identity-provider-flow", "browser_authcode", "--oidc-session-cache", sessionCachePath, + "--oidc-scopes", "offline_access,openid,pinniped:request-audience,groups", }) // Run "kubectl get namespaces" which should trigger a browser login via the plugin. @@ -980,6 +990,7 @@ func TestE2EFullIntegration_Browser(t *testing.T) { "--oidc-ca-bundle", testCABundlePath, "--upstream-identity-provider-flow", "browser_authcode", "--oidc-session-cache", sessionCachePath, + "--oidc-scopes", "offline_access,openid,pinniped:request-audience,groups", }) // Run "kubectl get namespaces" which should trigger a browser login via the plugin. 
@@ -1036,6 +1047,7 @@ func TestE2EFullIntegration_Browser(t *testing.T) { "--oidc-ca-bundle", testCABundlePath, "--upstream-identity-provider-flow", "cli_password", // put cli_password in the kubeconfig, so we can override it with the env var "--oidc-session-cache", sessionCachePath, + "--oidc-scopes", "offline_access,openid,pinniped:request-audience,groups", }) // Override the --upstream-identity-provider-flow flag from the kubeconfig using the env var. @@ -1311,7 +1323,7 @@ func requireUserCanUseKubectlWithoutAuthenticatingAgain( require.NoError(t, err) })) - downstreamScopes := []string{coreosoidc.ScopeOfflineAccess, coreosoidc.ScopeOpenID, "pinniped:request-audience"} + downstreamScopes := []string{coreosoidc.ScopeOfflineAccess, coreosoidc.ScopeOpenID, "pinniped:request-audience", "groups"} sort.Strings(downstreamScopes) token := cache.GetToken(oidcclient.SessionCacheKey{ Issuer: downstream.Spec.Issuer, 
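Review bot: `downstreamScopes` spells the two custom scopes as bare literals `"pinniped:request-audience"` and `"groups"` although this file already refers to the supervisor `oidc` package (`oidc.DownstreamUsernameClaim` in the next hunk) and this patch adds `oidc.RequestAudienceScope` and `oidc.DownstreamGroupsScope` for exactly these values, assuming that is the same package. `downstreamScopes := []string{coreosoidc.ScopeOfflineAccess, coreosoidc.ScopeOpenID, oidc.RequestAudienceScope, oidc.DownstreamGroupsScope}` keeps the session-cache key lookup bound to what the server actually grants, so a future rename of a scope breaks compilation rather than silently producing a cache miss. `requireUserCanUseKubectlWithoutAuthenticatingAgain` begins and ends outside the hunk.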
@@ -1326,12 +1338,16 @@ func requireUserCanUseKubectlWithoutAuthenticatingAgain( idTokenClaims := token.IDToken.Claims require.Equal(t, expectedUsername, idTokenClaims[oidc.DownstreamUsernameClaim]) - // The groups claim in the file ends up as an []interface{}, so adjust our expectation to match. - expectedGroupsAsEmptyInterfaces := make([]interface{}, 0, len(expectedGroups)) - for _, g := range expectedGroups { - expectedGroupsAsEmptyInterfaces = append(expectedGroupsAsEmptyInterfaces, g) + if expectedGroups == nil { + require.Nil(t, idTokenClaims[oidc.DownstreamGroupsClaim]) + } else { + // The groups claim in the file ends up as an []interface{}, so adjust our expectation to match. + expectedGroupsAsEmptyInterfaces := make([]interface{}, 0, len(expectedGroups)) + for _, g := range expectedGroups { + expectedGroupsAsEmptyInterfaces = append(expectedGroupsAsEmptyInterfaces, g) + } + require.ElementsMatch(t, expectedGroupsAsEmptyInterfaces, idTokenClaims[oidc.DownstreamGroupsClaim]) } - require.ElementsMatch(t, expectedGroupsAsEmptyInterfaces, idTokenClaims[oidc.DownstreamGroupsClaim]) expectedGroupsPlusAuthenticated := append([]string{}, expectedGroups...) expectedGroupsPlusAuthenticated = append(expectedGroupsPlusAuthenticated, "system:authenticated") diff --git a/test/integration/supervisor_login_test.go b/test/integration/supervisor_login_test.go index 47587db7..2fa1679b 100644 --- a/test/integration/supervisor_login_test.go +++ b/test/integration/supervisor_login_test.go @@ -1381,7 +1381,7 @@ func testSupervisorLogin( ClientID: "pinniped-cli", Endpoint: discovery.Endpoint(), RedirectURL: localCallbackServer.URL, - Scopes: []string{"openid", "pinniped:request-audience", "offline_access"}, + Scopes: []string{"openid", "pinniped:request-audience", "offline_access", "groups"}, } // Build a valid downstream authorize URL for the supervisor. 
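Review bot: The new branch gives `expectedGroups == nil` a meaning distinct from an empty slice (nil: the groups claim must be absent; empty non-nil: `ElementsMatch` against an empty expectation), but nothing records that contract, so a caller passing `[]string{}` to mean "groups scope not granted" would silently get the other check. A comment above the `if`, e.g. `// A nil expectedGroups means the groups scope was not granted, so the claim must be absent; an empty non-nil slice means it was granted and the user simply has no groups.`, or a sentence on the function's doc comment about the `expectedGroups` parameter, would make the convention explicit for the call sites. `requireUserCanUseKubectlWithoutAuthenticatingAgain` begins and ends outside the hunk.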
@@ -1416,7 +1416,7 @@ func testSupervisorLogin( t.Logf("got callback request: %s", testlib.MaskTokens(callback.URL.String())) if wantErrorType == "" { require.Equal(t, stateParam.String(), callback.URL.Query().Get("state")) - require.ElementsMatch(t, []string{"openid", "pinniped:request-audience", "offline_access"}, strings.Split(callback.URL.Query().Get("scope"), " ")) + require.ElementsMatch(t, []string{"openid", "pinniped:request-audience", "offline_access", "groups"}, strings.Split(callback.URL.Query().Get("scope"), " ")) authcode := callback.URL.Query().Get("code") require.NotEmpty(t, authcode) From c117329553aa278691802cf15e27d3f6ced1a4e9 Mon Sep 17 00:00:00 2001 From: Margo Crawford Date: Wed, 15 Jun 2022 09:38:21 -0700 Subject: [PATCH 17/61] Updates based on code review 
Signed-off-by: Margo Crawford --- apis/supervisor/clientsecret/register.go.tmpl | 1 + .../types_oidcclientsecretrequest.go.tmpl | 27 +++++++++-- .../clientsecret/v1alpha1/register.go.tmpl | 1 + .../types_oidcclientsecretrequest.go.tmpl | 8 ++++ generated/1.17/README.adoc | 48 +++++++++++++++++-- .../apis/supervisor/clientsecret/register.go | 1 + .../types_oidcclientsecretrequest.go | 27 +++++++++-- .../clientsecret/v1alpha1/register.go | 1 + .../v1alpha1/types_oidcclientsecretrequest.go | 8 ++++ .../v1alpha1/zz_generated.conversion.go | 34 +++++++++++++ .../v1alpha1/zz_generated.deepcopy.go | 33 +++++++++++++ .../clientsecret/zz_generated.deepcopy.go | 33 +++++++++++++ generated/1.18/README.adoc | 48 +++++++++++++++++-- .../apis/supervisor/clientsecret/register.go | 1 + .../types_oidcclientsecretrequest.go | 27 +++++++++-- .../clientsecret/v1alpha1/register.go | 1 + .../v1alpha1/types_oidcclientsecretrequest.go | 8 ++++ .../v1alpha1/zz_generated.conversion.go | 34 +++++++++++++ .../v1alpha1/zz_generated.deepcopy.go | 33 +++++++++++++ .../clientsecret/zz_generated.deepcopy.go | 33 +++++++++++++ generated/1.19/README.adoc | 48 +++++++++++++++++-- .../apis/supervisor/clientsecret/register.go | 1 + .../types_oidcclientsecretrequest.go | 27 +++++++++-- .../clientsecret/v1alpha1/register.go | 1 + .../v1alpha1/types_oidcclientsecretrequest.go | 8 ++++ .../v1alpha1/zz_generated.conversion.go | 34 +++++++++++++ .../v1alpha1/zz_generated.deepcopy.go | 33 +++++++++++++ .../clientsecret/zz_generated.deepcopy.go | 33 +++++++++++++ generated/1.20/README.adoc | 48 +++++++++++++++++-- .../apis/supervisor/clientsecret/register.go | 1 + .../types_oidcclientsecretrequest.go | 27 +++++++++-- .../clientsecret/v1alpha1/register.go | 1 + .../v1alpha1/types_oidcclientsecretrequest.go | 8 ++++ .../v1alpha1/zz_generated.conversion.go | 34 +++++++++++++ .../v1alpha1/zz_generated.deepcopy.go | 33 +++++++++++++ .../clientsecret/zz_generated.deepcopy.go | 33 +++++++++++++ 
generated/1.21/README.adoc | 48 +++++++++++++++++-- .../apis/supervisor/clientsecret/register.go | 1 + .../types_oidcclientsecretrequest.go | 27 +++++++++-- .../clientsecret/v1alpha1/register.go | 1 + .../v1alpha1/types_oidcclientsecretrequest.go | 8 ++++ .../v1alpha1/zz_generated.conversion.go | 34 +++++++++++++ .../v1alpha1/zz_generated.deepcopy.go | 33 +++++++++++++ .../clientsecret/zz_generated.deepcopy.go | 33 +++++++++++++ generated/1.22/README.adoc | 48 +++++++++++++++++-- .../apis/supervisor/clientsecret/register.go | 1 + .../types_oidcclientsecretrequest.go | 27 +++++++++-- .../clientsecret/v1alpha1/register.go | 1 + .../v1alpha1/types_oidcclientsecretrequest.go | 8 ++++ .../v1alpha1/zz_generated.conversion.go | 34 +++++++++++++ .../v1alpha1/zz_generated.deepcopy.go | 33 +++++++++++++ .../clientsecret/zz_generated.deepcopy.go | 33 +++++++++++++ generated/1.23/README.adoc | 48 +++++++++++++++++-- .../apis/supervisor/clientsecret/register.go | 1 + .../types_oidcclientsecretrequest.go | 27 +++++++++-- .../clientsecret/v1alpha1/register.go | 1 + .../v1alpha1/types_oidcclientsecretrequest.go | 8 ++++ .../v1alpha1/zz_generated.conversion.go | 34 +++++++++++++ .../v1alpha1/zz_generated.deepcopy.go | 33 +++++++++++++ .../clientsecret/zz_generated.deepcopy.go | 33 +++++++++++++ generated/1.24/README.adoc | 48 +++++++++++++++++-- .../apis/supervisor/clientsecret/register.go | 1 + .../types_oidcclientsecretrequest.go | 27 +++++++++-- .../clientsecret/v1alpha1/register.go | 1 + .../v1alpha1/types_oidcclientsecretrequest.go | 8 ++++ .../v1alpha1/zz_generated.conversion.go | 34 +++++++++++++ .../v1alpha1/zz_generated.deepcopy.go | 33 +++++++++++++ .../clientsecret/zz_generated.deepcopy.go | 33 +++++++++++++ .../apis/supervisor/clientsecret/register.go | 1 + .../types_oidcclientsecretrequest.go | 27 +++++++++-- .../clientsecret/v1alpha1/register.go | 1 + .../v1alpha1/types_oidcclientsecretrequest.go | 8 ++++ .../v1alpha1/zz_generated.conversion.go | 34 +++++++++++++ 
.../v1alpha1/zz_generated.deepcopy.go | 33 +++++++++++++ .../clientsecret/zz_generated.deepcopy.go | 33 +++++++++++++ internal/config/supervisor/config.go | 26 ++++++++++ internal/config/supervisor/config_test.go | 30 ++++++++++-- internal/config/supervisor/types.go | 9 ++-- internal/registry/clientsecretrequest/rest.go | 32 +++++++++++-- internal/supervisor/apiserver/apiserver.go | 6 +-- internal/supervisor/scheme/scheme.go | 6 +-- internal/supervisor/scheme/scheme_test.go | 28 ++++++----- internal/supervisor/server/server.go | 39 +++++++-------- test/integration/kube_api_discovery_test.go | 23 ++++----- 84 files changed, 1729 insertions(+), 124 deletions(-) diff --git a/apis/supervisor/clientsecret/register.go.tmpl b/apis/supervisor/clientsecret/register.go.tmpl index 4a1c0173..8a76f0fe 100644 --- a/apis/supervisor/clientsecret/register.go.tmpl +++ b/apis/supervisor/clientsecret/register.go.tmpl @@ -32,6 +32,7 @@ var ( func addKnownTypes(scheme *runtime.Scheme) error { scheme.AddKnownTypes(SchemeGroupVersion, &OIDCClientSecretRequest{}, + &OIDCClientSecretRequestList{}, ) return nil } diff --git a/apis/supervisor/clientsecret/types_oidcclientsecretrequest.go.tmpl b/apis/supervisor/clientsecret/types_oidcclientsecretrequest.go.tmpl index 7fd1eb65..c7ef37b2 100644 --- a/apis/supervisor/clientsecret/types_oidcclientsecretrequest.go.tmpl +++ b/apis/supervisor/clientsecret/types_oidcclientsecretrequest.go.tmpl 
@@ -6,15 +6,26 @@ package clientsecret import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" type OIDCClientSecretRequestSpec struct { + // Request a new client secret to for the OIDCClient referenced by the metadata.name field. GenerateNewSecret bool `json:"generateNewSecret"` - RevokeOldSecrets bool `json:"revokeOldSecrets"` + + // Revoke the old client secrets associated with the OIDCClient referenced by the metadata.name + // field. + RevokeOldSecrets bool `json:"revokeOldSecrets"` } type OIDCClientSecretRequestStatus struct { - GeneratedSecret string `json:"generatedSecret,omitempty"` - TotalClientSecrets int `json:"totalClientSecrets"` + // The unencrypted OIDC Client Secret. This will only be shared upon creation and cannot + // be recovered if you lose it. + GeneratedSecret string `json:"generatedSecret,omitempty"` + + // The total number of client secrets associated with the OIDCClient referenced by the + // metadata.name field. + TotalClientSecrets int `json:"totalClientSecrets"` } +// OIDCClientSecretRequest can be used to update the client secrets associated with an +// OIDCClient. // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object type OIDCClientSecretRequest struct { metav1.TypeMeta `json:",inline"` @@ -23,3 +34,13 @@ type OIDCClientSecretRequest struct { Spec OIDCClientSecretRequestSpec `json:"spec"` Status OIDCClientSecretRequestStatus `json:"status"` } + +// OIDCClientSecretList is a list of OIDCClientSecretRequest objects. +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +type OIDCClientSecretRequestList struct { + metav1.TypeMeta + metav1.ListMeta + + // Items is a list of OIDCClientSecretRequest + Items []OIDCClientSecretRequest +} diff --git a/apis/supervisor/clientsecret/v1alpha1/register.go.tmpl b/apis/supervisor/clientsecret/v1alpha1/register.go.tmpl index 49602125..4660e407 100644 --- a/apis/supervisor/clientsecret/v1alpha1/register.go.tmpl 
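Review bot: The `GenerateNewSecret` comment has a typo, `to for the OIDCClient`, which the doc generator copies into every README.adoc field table (the `generated/1.17` and `generated/1.18` READMEs in this patch already show it); `// Request a new client secret for the OIDCClient referenced by the metadata.name field.` fixes it at the source, and the generated `types_oidcclientsecretrequest.go` copies follow on the next codegen run. For `GeneratedSecret`, the comment correctly warns that the plaintext value is shared only on creation; it is worth also saying that the create response therefore carries the credential wherever that response is captured (terminal output, client logs, API audit records at a request/response body level), e.g. `// The response containing this field should be handled as sensitive material.`, so that operators wiring up auditing or scripting around this API know to treat it accordingly.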
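Review bot: The doc comment on the new list type names `OIDCClientSecretList`, but the declared type is `OIDCClientSecretRequestList`; godoc readers and lint tooling expect the comment to begin with the declared name, so `// OIDCClientSecretRequestList is a list of OIDCClientSecretRequest objects.` is the fix, and the `Items` comment should end with a period to match the file's other comments. The same text is duplicated in the `generated/1.17` and `generated/1.18` copies of this file in this patch and is overwritten on regeneration, so only the `.tmpl` needs the edit.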
+++ b/apis/supervisor/clientsecret/v1alpha1/register.go.tmpl @@ -31,6 +31,7 @@ func init() { func addKnownTypes(scheme *runtime.Scheme) error { scheme.AddKnownTypes(SchemeGroupVersion, &OIDCClientSecretRequest{}, + &OIDCClientSecretRequestList{}, ) metav1.AddToGroupVersion(scheme, SchemeGroupVersion) return nil diff --git a/apis/supervisor/clientsecret/v1alpha1/types_oidcclientsecretrequest.go.tmpl b/apis/supervisor/clientsecret/v1alpha1/types_oidcclientsecretrequest.go.tmpl index dda2f3bb..ef48e6c0 100644 --- a/apis/supervisor/clientsecret/v1alpha1/types_oidcclientsecretrequest.go.tmpl +++ b/apis/supervisor/clientsecret/v1alpha1/types_oidcclientsecretrequest.go.tmpl @@ -26,3 +26,11 @@ type OIDCClientSecretRequest struct { Spec OIDCClientSecretRequestSpec `json:"spec"` Status OIDCClientSecretRequestStatus `json:"status"` } + +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +type OIDCClientSecretRequestList struct { + metav1.TypeMeta `json:",inline"` + metav1.ListMeta `json:"metadata,omitempty"` + + Items []OIDCClientSecretRequest `json:"items"` +} diff --git a/generated/1.17/README.adoc b/generated/1.17/README.adoc index 739a669e..b3957510 100644 --- a/generated/1.17/README.adoc +++ b/generated/1.17/README.adoc 
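Review bot: The exported `OIDCClientSecretRequestList` has no doc comment, unlike its internal counterpart in `apis/supervisor/clientsecret`, so the generated README's v1alpha1 section will most likely render an empty description for it (the v1alpha1 `OIDCClientSecretRequest` table in `generated/1.17/README.adoc` in this patch already shows such a blank). Add `// OIDCClientSecretRequestList is a list of OIDCClientSecretRequest objects.` above the `+k8s:deepcopy-gen` marker, mirroring the internal type, and give `Items` a one-line comment such as `// Items is a list of OIDCClientSecretRequest.` so the versioned API is documented where users read it.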
@@ -219,6 +219,26 @@ Package clientsecret is the internal version of the Pinniped client secret API. +[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-clientsecret-oidcclientsecretrequest"] +==== OIDCClientSecretRequest + +OIDCClientSecretRequest can be used to update the client secrets associated with an OIDCClient. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-clientsecret-oidcclientsecretrequestlist[$$OIDCClientSecretRequestList$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.17/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`. + +| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-clientsecret-oidcclientsecretrequestspec[$$OIDCClientSecretRequestSpec$$]__ | +| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-clientsecret-oidcclientsecretrequeststatus[$$OIDCClientSecretRequestStatus$$]__ | +|=== + + [id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-clientsecret-oidcclientsecretrequestspec"] @@ -234,8 +254,8 @@ Package clientsecret is the internal version of the Pinniped client secret API. [cols="25a,75a", options="header"] |=== | Field | Description -| *`generateNewSecret`* __boolean__ | -| *`revokeOldSecrets`* __boolean__ | +| *`generateNewSecret`* __boolean__ | Request a new client secret to for the OIDCClient referenced by the metadata.name field. +| *`revokeOldSecrets`* __boolean__ | Revoke the old client secrets associated with the OIDCClient referenced by the metadata.name field. |=== 
@@ -252,8 +272,8 @@ Package clientsecret is the internal version of the Pinniped client secret API. [cols="25a,75a", options="header"] |=== | Field | Description -| *`generatedSecret`* __string__ | -| *`totalClientSecrets`* __integer__ | +| *`generatedSecret`* __string__ | The unencrypted OIDC Client Secret. This will only be shared upon creation and cannot be recovered if you lose it. +| *`totalClientSecrets`* __integer__ | The total number of client secrets associated with the OIDCClient referenced by the metadata.name field. |=== @@ -265,6 +285,26 @@ Package v1alpha1 is the v1alpha1 version of the Pinniped client secret API. +[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-clientsecret-v1alpha1-oidcclientsecretrequest"] +==== OIDCClientSecretRequest + + + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-clientsecret-v1alpha1-oidcclientsecretrequestlist[$$OIDCClientSecretRequestList$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.17/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`. + +| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-clientsecret-v1alpha1-oidcclientsecretrequestspec[$$OIDCClientSecretRequestSpec$$]__ | +| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-clientsecret-v1alpha1-oidcclientsecretrequeststatus[$$OIDCClientSecretRequestStatus$$]__ | +|=== + + [id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-clientsecret-v1alpha1-oidcclientsecretrequestspec"] diff --git a/generated/1.17/apis/supervisor/clientsecret/register.go b/generated/1.17/apis/supervisor/clientsecret/register.go index 4a1c0173..8a76f0fe 100644 --- a/generated/1.17/apis/supervisor/clientsecret/register.go +++ b/generated/1.17/apis/supervisor/clientsecret/register.go 
@@ -32,6 +32,7 @@ var ( func addKnownTypes(scheme *runtime.Scheme) error { scheme.AddKnownTypes(SchemeGroupVersion, &OIDCClientSecretRequest{}, + &OIDCClientSecretRequestList{}, ) return nil } diff --git a/generated/1.17/apis/supervisor/clientsecret/types_oidcclientsecretrequest.go b/generated/1.17/apis/supervisor/clientsecret/types_oidcclientsecretrequest.go index 7fd1eb65..c7ef37b2 100644 --- a/generated/1.17/apis/supervisor/clientsecret/types_oidcclientsecretrequest.go +++ b/generated/1.17/apis/supervisor/clientsecret/types_oidcclientsecretrequest.go @@ -6,15 +6,26 @@ package clientsecret import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" type OIDCClientSecretRequestSpec struct { + // Request a new client secret to for the OIDCClient referenced by the metadata.name field. GenerateNewSecret bool `json:"generateNewSecret"` - RevokeOldSecrets bool `json:"revokeOldSecrets"` + + // Revoke the old client secrets associated with the OIDCClient referenced by the metadata.name + // field. + RevokeOldSecrets bool `json:"revokeOldSecrets"` } type OIDCClientSecretRequestStatus struct { - GeneratedSecret string `json:"generatedSecret,omitempty"` - TotalClientSecrets int `json:"totalClientSecrets"` + // The unencrypted OIDC Client Secret. This will only be shared upon creation and cannot + // be recovered if you lose it. + GeneratedSecret string `json:"generatedSecret,omitempty"` + + // The total number of client secrets associated with the OIDCClient referenced by the + // metadata.name field. + TotalClientSecrets int `json:"totalClientSecrets"` } +// OIDCClientSecretRequest can be used to update the client secrets associated with an +// OIDCClient. // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object type OIDCClientSecretRequest struct { metav1.TypeMeta `json:",inline"` 
@@ -23,3 +34,13 @@ type OIDCClientSecretRequest struct { Spec OIDCClientSecretRequestSpec `json:"spec"` Status OIDCClientSecretRequestStatus `json:"status"` } + +// OIDCClientSecretList is a list of OIDCClientSecretRequest objects. +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +type OIDCClientSecretRequestList struct { + metav1.TypeMeta + metav1.ListMeta + + // Items is a list of OIDCClientSecretRequest + Items []OIDCClientSecretRequest +} diff --git a/generated/1.17/apis/supervisor/clientsecret/v1alpha1/register.go b/generated/1.17/apis/supervisor/clientsecret/v1alpha1/register.go index 49602125..4660e407 100644 --- a/generated/1.17/apis/supervisor/clientsecret/v1alpha1/register.go +++ b/generated/1.17/apis/supervisor/clientsecret/v1alpha1/register.go @@ -31,6 +31,7 @@ func init() { func addKnownTypes(scheme *runtime.Scheme) error { scheme.AddKnownTypes(SchemeGroupVersion, &OIDCClientSecretRequest{}, + &OIDCClientSecretRequestList{}, ) metav1.AddToGroupVersion(scheme, SchemeGroupVersion) return nil diff --git a/generated/1.17/apis/supervisor/clientsecret/v1alpha1/types_oidcclientsecretrequest.go b/generated/1.17/apis/supervisor/clientsecret/v1alpha1/types_oidcclientsecretrequest.go index dda2f3bb..ef48e6c0 100644 --- a/generated/1.17/apis/supervisor/clientsecret/v1alpha1/types_oidcclientsecretrequest.go +++ b/generated/1.17/apis/supervisor/clientsecret/v1alpha1/types_oidcclientsecretrequest.go @@ -26,3 +26,11 @@ type OIDCClientSecretRequest struct { Spec OIDCClientSecretRequestSpec `json:"spec"` Status OIDCClientSecretRequestStatus `json:"status"` } + +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +type OIDCClientSecretRequestList struct { + metav1.TypeMeta `json:",inline"` + metav1.ListMeta `json:"metadata,omitempty"` + + Items []OIDCClientSecretRequest `json:"items"` +} 
diff --git a/generated/1.17/apis/supervisor/clientsecret/v1alpha1/zz_generated.conversion.go b/generated/1.17/apis/supervisor/clientsecret/v1alpha1/zz_generated.conversion.go index c559d1c2..7f29beb6 100644 --- a/generated/1.17/apis/supervisor/clientsecret/v1alpha1/zz_generated.conversion.go +++ b/generated/1.17/apis/supervisor/clientsecret/v1alpha1/zz_generated.conversion.go @@ -9,6 +9,8 @@ package v1alpha1 import ( + unsafe "unsafe" + clientsecret "go.pinniped.dev/generated/1.17/apis/supervisor/clientsecret" conversion "k8s.io/apimachinery/pkg/conversion" runtime "k8s.io/apimachinery/pkg/runtime" @@ -31,6 +33,16 @@ func RegisterConversions(s *runtime.Scheme) error { }); err != nil { return err } + if err := s.AddGeneratedConversionFunc((*OIDCClientSecretRequestList)(nil), (*clientsecret.OIDCClientSecretRequestList)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_v1alpha1_OIDCClientSecretRequestList_To_clientsecret_OIDCClientSecretRequestList(a.(*OIDCClientSecretRequestList), b.(*clientsecret.OIDCClientSecretRequestList), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*clientsecret.OIDCClientSecretRequestList)(nil), (*OIDCClientSecretRequestList)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_clientsecret_OIDCClientSecretRequestList_To_v1alpha1_OIDCClientSecretRequestList(a.(*clientsecret.OIDCClientSecretRequestList), b.(*OIDCClientSecretRequestList), scope) + }); err != nil { + return err + } if err := s.AddGeneratedConversionFunc((*OIDCClientSecretRequestSpec)(nil), (*clientsecret.OIDCClientSecretRequestSpec)(nil), func(a, b interface{}, scope conversion.Scope) error { return Convert_v1alpha1_OIDCClientSecretRequestSpec_To_clientsecret_OIDCClientSecretRequestSpec(a.(*OIDCClientSecretRequestSpec), b.(*clientsecret.OIDCClientSecretRequestSpec), scope) }); err != nil { 
@@ -86,6 +98,28 @@ func Convert_clientsecret_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRe return autoConvert_clientsecret_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest(in, out, s) } +func autoConvert_v1alpha1_OIDCClientSecretRequestList_To_clientsecret_OIDCClientSecretRequestList(in *OIDCClientSecretRequestList, out *clientsecret.OIDCClientSecretRequestList, s conversion.Scope) error { + out.ListMeta = in.ListMeta + out.Items = *(*[]clientsecret.OIDCClientSecretRequest)(unsafe.Pointer(&in.Items)) + return nil +} + +// Convert_v1alpha1_OIDCClientSecretRequestList_To_clientsecret_OIDCClientSecretRequestList is an autogenerated conversion function. +func Convert_v1alpha1_OIDCClientSecretRequestList_To_clientsecret_OIDCClientSecretRequestList(in *OIDCClientSecretRequestList, out *clientsecret.OIDCClientSecretRequestList, s conversion.Scope) error { + return autoConvert_v1alpha1_OIDCClientSecretRequestList_To_clientsecret_OIDCClientSecretRequestList(in, out, s) +} + +func autoConvert_clientsecret_OIDCClientSecretRequestList_To_v1alpha1_OIDCClientSecretRequestList(in *clientsecret.OIDCClientSecretRequestList, out *OIDCClientSecretRequestList, s conversion.Scope) error { + out.ListMeta = in.ListMeta + out.Items = *(*[]OIDCClientSecretRequest)(unsafe.Pointer(&in.Items)) + return nil +} + +// Convert_clientsecret_OIDCClientSecretRequestList_To_v1alpha1_OIDCClientSecretRequestList is an autogenerated conversion function. 
+func Convert_clientsecret_OIDCClientSecretRequestList_To_v1alpha1_OIDCClientSecretRequestList(in *clientsecret.OIDCClientSecretRequestList, out *OIDCClientSecretRequestList, s conversion.Scope) error { + return autoConvert_clientsecret_OIDCClientSecretRequestList_To_v1alpha1_OIDCClientSecretRequestList(in, out, s) +} + func autoConvert_v1alpha1_OIDCClientSecretRequestSpec_To_clientsecret_OIDCClientSecretRequestSpec(in *OIDCClientSecretRequestSpec, out *clientsecret.OIDCClientSecretRequestSpec, s conversion.Scope) error { out.GenerateNewSecret = in.GenerateNewSecret out.RevokeOldSecrets = in.RevokeOldSecrets diff --git a/generated/1.17/apis/supervisor/clientsecret/v1alpha1/zz_generated.deepcopy.go b/generated/1.17/apis/supervisor/clientsecret/v1alpha1/zz_generated.deepcopy.go index e4fce842..781e9831 100644 --- a/generated/1.17/apis/supervisor/clientsecret/v1alpha1/zz_generated.deepcopy.go +++ b/generated/1.17/apis/supervisor/clientsecret/v1alpha1/zz_generated.deepcopy.go 
@@ -40,6 +40,39 @@ func (in *OIDCClientSecretRequest) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCClientSecretRequestList) DeepCopyInto(out *OIDCClientSecretRequestList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]OIDCClientSecretRequest, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSecretRequestList. +func (in *OIDCClientSecretRequestList) DeepCopy() *OIDCClientSecretRequestList { + if in == nil { + return nil + } + out := new(OIDCClientSecretRequestList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *OIDCClientSecretRequestList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *OIDCClientSecretRequestSpec) DeepCopyInto(out *OIDCClientSecretRequestSpec) { *out = *in diff --git a/generated/1.17/apis/supervisor/clientsecret/zz_generated.deepcopy.go b/generated/1.17/apis/supervisor/clientsecret/zz_generated.deepcopy.go index e0dc7d68..ffd5e96e 100644 --- a/generated/1.17/apis/supervisor/clientsecret/zz_generated.deepcopy.go +++ b/generated/1.17/apis/supervisor/clientsecret/zz_generated.deepcopy.go 
@@ -40,6 +40,39 @@ func (in *OIDCClientSecretRequest) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCClientSecretRequestList) DeepCopyInto(out *OIDCClientSecretRequestList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]OIDCClientSecretRequest, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSecretRequestList. +func (in *OIDCClientSecretRequestList) DeepCopy() *OIDCClientSecretRequestList { + if in == nil { + return nil + } + out := new(OIDCClientSecretRequestList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *OIDCClientSecretRequestList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *OIDCClientSecretRequestSpec) DeepCopyInto(out *OIDCClientSecretRequestSpec) { *out = *in diff --git a/generated/1.18/README.adoc b/generated/1.18/README.adoc index 21512761..c16afbfc 100644 --- a/generated/1.18/README.adoc +++ b/generated/1.18/README.adoc 
@@ -219,6 +219,26 @@ Package clientsecret is the internal version of the Pinniped client secret API. +[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-clientsecret-oidcclientsecretrequest"] +==== OIDCClientSecretRequest + +OIDCClientSecretRequest can be used to update the client secrets associated with an OIDCClient. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-clientsecret-oidcclientsecretrequestlist[$$OIDCClientSecretRequestList$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`. + +| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-clientsecret-oidcclientsecretrequestspec[$$OIDCClientSecretRequestSpec$$]__ | +| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-clientsecret-oidcclientsecretrequeststatus[$$OIDCClientSecretRequestStatus$$]__ | +|=== + + [id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-clientsecret-oidcclientsecretrequestspec"] @@ -234,8 +254,8 @@ Package clientsecret is the internal version of the Pinniped client secret API. [cols="25a,75a", options="header"] |=== | Field | Description -| *`generateNewSecret`* __boolean__ | -| *`revokeOldSecrets`* __boolean__ | +| *`generateNewSecret`* __boolean__ | Request a new client secret to for the OIDCClient referenced by the metadata.name field. +| *`revokeOldSecrets`* __boolean__ | Revoke the old client secrets associated with the OIDCClient referenced by the metadata.name field. |=== 
@@ -252,8 +272,8 @@ Package clientsecret is the internal version of the Pinniped client secret API. [cols="25a,75a", options="header"] |=== | Field | Description -| *`generatedSecret`* __string__ | -| *`totalClientSecrets`* __integer__ | +| *`generatedSecret`* __string__ | The unencrypted OIDC Client Secret. This will only be shared upon creation and cannot be recovered if you lose it. +| *`totalClientSecrets`* __integer__ | The total number of client secrets associated with the OIDCClient referenced by the metadata.name field. |=== @@ -265,6 +285,26 @@ Package v1alpha1 is the v1alpha1 version of the Pinniped client secret API. +[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-clientsecret-v1alpha1-oidcclientsecretrequest"] +==== OIDCClientSecretRequest + + + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-clientsecret-v1alpha1-oidcclientsecretrequestlist[$$OIDCClientSecretRequestList$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`. + +| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-clientsecret-v1alpha1-oidcclientsecretrequestspec[$$OIDCClientSecretRequestSpec$$]__ | +| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-clientsecret-v1alpha1-oidcclientsecretrequeststatus[$$OIDCClientSecretRequestStatus$$]__ | +|=== + + [id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-clientsecret-v1alpha1-oidcclientsecretrequestspec"] diff --git a/generated/1.18/apis/supervisor/clientsecret/register.go b/generated/1.18/apis/supervisor/clientsecret/register.go index 4a1c0173..8a76f0fe 100644 --- a/generated/1.18/apis/supervisor/clientsecret/register.go +++ b/generated/1.18/apis/supervisor/clientsecret/register.go 
@@ -32,6 +32,7 @@ var ( func addKnownTypes(scheme *runtime.Scheme) error { scheme.AddKnownTypes(SchemeGroupVersion, &OIDCClientSecretRequest{}, + &OIDCClientSecretRequestList{}, ) return nil } diff --git a/generated/1.18/apis/supervisor/clientsecret/types_oidcclientsecretrequest.go b/generated/1.18/apis/supervisor/clientsecret/types_oidcclientsecretrequest.go index 7fd1eb65..c7ef37b2 100644 --- a/generated/1.18/apis/supervisor/clientsecret/types_oidcclientsecretrequest.go +++ b/generated/1.18/apis/supervisor/clientsecret/types_oidcclientsecretrequest.go @@ -6,15 +6,26 @@ package clientsecret import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" type OIDCClientSecretRequestSpec struct { + // Request a new client secret to for the OIDCClient referenced by the metadata.name field. GenerateNewSecret bool `json:"generateNewSecret"` - RevokeOldSecrets bool `json:"revokeOldSecrets"` + + // Revoke the old client secrets associated with the OIDCClient referenced by the metadata.name + // field. + RevokeOldSecrets bool `json:"revokeOldSecrets"` } type OIDCClientSecretRequestStatus struct { - GeneratedSecret string `json:"generatedSecret,omitempty"` - TotalClientSecrets int `json:"totalClientSecrets"` + // The unencrypted OIDC Client Secret. This will only be shared upon creation and cannot + // be recovered if you lose it. + GeneratedSecret string `json:"generatedSecret,omitempty"` + + // The total number of client secrets associated with the OIDCClient referenced by the + // metadata.name field. + TotalClientSecrets int `json:"totalClientSecrets"` } +// OIDCClientSecretRequest can be used to update the client secrets associated with an +// OIDCClient. // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object type OIDCClientSecretRequest struct { metav1.TypeMeta `json:",inline"` 
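Review bot: The doc comment on `GenerateNewSecret` reads "Request a new client secret to for the OIDCClient…", and the stray "to" is carried verbatim into the README rows this commit regenerates; drop it: `// Request a new client secret for the OIDCClient referenced by the metadata.name field.` Since this file sits under generated/, the fix presumably belongs in the .tmpl it is rendered from, and the 1.19 and 1.20 copies repeat the same text. On `GeneratedSecret`, "unencrypted" understates what a practitioner needs to know: the comment itself says the value is only shared on creation, which means it travels in plaintext in the create response, so any audit policy that records response bodies, or any client that prints the returned object, will capture it. A sentence making that explicit would help, e.g. `// Treat this value as a credential: it is returned in plaintext only in the create response and may be captured by audit logging or client output.` The OIDCClientSecretRequest struct continues outside this hunk.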
@@ -23,3 +34,13 @@ type OIDCClientSecretRequest struct { Spec OIDCClientSecretRequestSpec `json:"spec"` Status OIDCClientSecretRequestStatus `json:"status"` } + +// OIDCClientSecretList is a list of OIDCClientSecretRequest objects. +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +type OIDCClientSecretRequestList struct { + metav1.TypeMeta + metav1.ListMeta + + // Items is a list of OIDCClientSecretRequest + Items []OIDCClientSecretRequest +} diff --git a/generated/1.18/apis/supervisor/clientsecret/v1alpha1/register.go b/generated/1.18/apis/supervisor/clientsecret/v1alpha1/register.go index 49602125..4660e407 100644 --- a/generated/1.18/apis/supervisor/clientsecret/v1alpha1/register.go +++ b/generated/1.18/apis/supervisor/clientsecret/v1alpha1/register.go @@ -31,6 +31,7 @@ func init() { func addKnownTypes(scheme *runtime.Scheme) error { scheme.AddKnownTypes(SchemeGroupVersion, &OIDCClientSecretRequest{}, + &OIDCClientSecretRequestList{}, ) metav1.AddToGroupVersion(scheme, SchemeGroupVersion) return nil diff --git a/generated/1.18/apis/supervisor/clientsecret/v1alpha1/types_oidcclientsecretrequest.go b/generated/1.18/apis/supervisor/clientsecret/v1alpha1/types_oidcclientsecretrequest.go index dda2f3bb..ef48e6c0 100644 --- a/generated/1.18/apis/supervisor/clientsecret/v1alpha1/types_oidcclientsecretrequest.go +++ b/generated/1.18/apis/supervisor/clientsecret/v1alpha1/types_oidcclientsecretrequest.go @@ -26,3 +26,11 @@ type OIDCClientSecretRequest struct { Spec OIDCClientSecretRequestSpec `json:"spec"` Status OIDCClientSecretRequestStatus `json:"status"` } + +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +type OIDCClientSecretRequestList struct { + metav1.TypeMeta `json:",inline"` + metav1.ListMeta `json:"metadata,omitempty"` + + Items []OIDCClientSecretRequest `json:"items"` +} 
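Review bot: The doc comment on the new internal list type names the wrong type: it says `OIDCClientSecretList` while the struct is `OIDCClientSecretRequestList`; change it to `// OIDCClientSecretRequestList is a list of OIDCClientSecretRequest objects.` The same mismatch is in the 1.19 and 1.20 copies, so the fix presumably belongs in the template source rather than in these generated files. Separately, every item in `Items` carries `Status.GeneratedSecret`, which the spec hunk above documents as shared only at creation; if the REST storage backing this aggregated resource ever implements list or watch, this type would be the vehicle for returning plaintext client secrets in bulk. A note keeping that intent visible would be worthwhile, e.g. `// Items is a list of OIDCClientSecretRequest. Status.GeneratedSecret is presumably never populated here, since it is only returned on create.`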
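Review bot: The exported v1alpha1 `OIDCClientSecretRequestList` carries the deepcopy-gen marker but no doc comment, unlike its internal twin in the same commit, so it will surface undocumented in the versioned API docs; add `// OIDCClientSecretRequestList is a list of OIDCClientSecretRequest objects.` above the `+k8s:deepcopy-gen` line. The `Items` field likewise lacks the `// Items is a list of OIDCClientSecretRequest` comment the internal type has; mirror it here since this is the user-facing version. As with the other files under generated/, this presumably needs to land in the .tmpl source so the 1.19 and 1.20 copies pick it up too.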
diff --git a/generated/1.18/apis/supervisor/clientsecret/v1alpha1/zz_generated.conversion.go b/generated/1.18/apis/supervisor/clientsecret/v1alpha1/zz_generated.conversion.go index 990c4deb..0ced8135 100644 --- a/generated/1.18/apis/supervisor/clientsecret/v1alpha1/zz_generated.conversion.go +++ b/generated/1.18/apis/supervisor/clientsecret/v1alpha1/zz_generated.conversion.go @@ -9,6 +9,8 @@ package v1alpha1 import ( + unsafe "unsafe" + clientsecret "go.pinniped.dev/generated/1.18/apis/supervisor/clientsecret" conversion "k8s.io/apimachinery/pkg/conversion" runtime "k8s.io/apimachinery/pkg/runtime" @@ -31,6 +33,16 @@ func RegisterConversions(s *runtime.Scheme) error { }); err != nil { return err } + if err := s.AddGeneratedConversionFunc((*OIDCClientSecretRequestList)(nil), (*clientsecret.OIDCClientSecretRequestList)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_v1alpha1_OIDCClientSecretRequestList_To_clientsecret_OIDCClientSecretRequestList(a.(*OIDCClientSecretRequestList), b.(*clientsecret.OIDCClientSecretRequestList), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*clientsecret.OIDCClientSecretRequestList)(nil), (*OIDCClientSecretRequestList)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_clientsecret_OIDCClientSecretRequestList_To_v1alpha1_OIDCClientSecretRequestList(a.(*clientsecret.OIDCClientSecretRequestList), b.(*OIDCClientSecretRequestList), scope) + }); err != nil { + return err + } if err := s.AddGeneratedConversionFunc((*OIDCClientSecretRequestSpec)(nil), (*clientsecret.OIDCClientSecretRequestSpec)(nil), func(a, b interface{}, scope conversion.Scope) error { return Convert_v1alpha1_OIDCClientSecretRequestSpec_To_clientsecret_OIDCClientSecretRequestSpec(a.(*OIDCClientSecretRequestSpec), b.(*clientsecret.OIDCClientSecretRequestSpec), scope) }); err != nil { 
@@ -86,6 +98,28 @@ func Convert_clientsecret_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRe return autoConvert_clientsecret_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest(in, out, s) } +func autoConvert_v1alpha1_OIDCClientSecretRequestList_To_clientsecret_OIDCClientSecretRequestList(in *OIDCClientSecretRequestList, out *clientsecret.OIDCClientSecretRequestList, s conversion.Scope) error { + out.ListMeta = in.ListMeta + out.Items = *(*[]clientsecret.OIDCClientSecretRequest)(unsafe.Pointer(&in.Items)) + return nil +} + +// Convert_v1alpha1_OIDCClientSecretRequestList_To_clientsecret_OIDCClientSecretRequestList is an autogenerated conversion function. +func Convert_v1alpha1_OIDCClientSecretRequestList_To_clientsecret_OIDCClientSecretRequestList(in *OIDCClientSecretRequestList, out *clientsecret.OIDCClientSecretRequestList, s conversion.Scope) error { + return autoConvert_v1alpha1_OIDCClientSecretRequestList_To_clientsecret_OIDCClientSecretRequestList(in, out, s) +} + +func autoConvert_clientsecret_OIDCClientSecretRequestList_To_v1alpha1_OIDCClientSecretRequestList(in *clientsecret.OIDCClientSecretRequestList, out *OIDCClientSecretRequestList, s conversion.Scope) error { + out.ListMeta = in.ListMeta + out.Items = *(*[]OIDCClientSecretRequest)(unsafe.Pointer(&in.Items)) + return nil +} + +// Convert_clientsecret_OIDCClientSecretRequestList_To_v1alpha1_OIDCClientSecretRequestList is an autogenerated conversion function. 
+func Convert_clientsecret_OIDCClientSecretRequestList_To_v1alpha1_OIDCClientSecretRequestList(in *clientsecret.OIDCClientSecretRequestList, out *OIDCClientSecretRequestList, s conversion.Scope) error { + return autoConvert_clientsecret_OIDCClientSecretRequestList_To_v1alpha1_OIDCClientSecretRequestList(in, out, s) +} + func autoConvert_v1alpha1_OIDCClientSecretRequestSpec_To_clientsecret_OIDCClientSecretRequestSpec(in *OIDCClientSecretRequestSpec, out *clientsecret.OIDCClientSecretRequestSpec, s conversion.Scope) error { out.GenerateNewSecret = in.GenerateNewSecret out.RevokeOldSecrets = in.RevokeOldSecrets diff --git a/generated/1.18/apis/supervisor/clientsecret/v1alpha1/zz_generated.deepcopy.go b/generated/1.18/apis/supervisor/clientsecret/v1alpha1/zz_generated.deepcopy.go index e4fce842..781e9831 100644 --- a/generated/1.18/apis/supervisor/clientsecret/v1alpha1/zz_generated.deepcopy.go +++ b/generated/1.18/apis/supervisor/clientsecret/v1alpha1/zz_generated.deepcopy.go 
@@ -40,6 +40,39 @@ func (in *OIDCClientSecretRequest) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCClientSecretRequestList) DeepCopyInto(out *OIDCClientSecretRequestList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]OIDCClientSecretRequest, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSecretRequestList. +func (in *OIDCClientSecretRequestList) DeepCopy() *OIDCClientSecretRequestList { + if in == nil { + return nil + } + out := new(OIDCClientSecretRequestList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *OIDCClientSecretRequestList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *OIDCClientSecretRequestSpec) DeepCopyInto(out *OIDCClientSecretRequestSpec) { *out = *in diff --git a/generated/1.18/apis/supervisor/clientsecret/zz_generated.deepcopy.go b/generated/1.18/apis/supervisor/clientsecret/zz_generated.deepcopy.go index e0dc7d68..ffd5e96e 100644 --- a/generated/1.18/apis/supervisor/clientsecret/zz_generated.deepcopy.go +++ b/generated/1.18/apis/supervisor/clientsecret/zz_generated.deepcopy.go 
@@ -40,6 +40,39 @@ func (in *OIDCClientSecretRequest) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCClientSecretRequestList) DeepCopyInto(out *OIDCClientSecretRequestList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]OIDCClientSecretRequest, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSecretRequestList. +func (in *OIDCClientSecretRequestList) DeepCopy() *OIDCClientSecretRequestList { + if in == nil { + return nil + } + out := new(OIDCClientSecretRequestList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *OIDCClientSecretRequestList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *OIDCClientSecretRequestSpec) DeepCopyInto(out *OIDCClientSecretRequestSpec) { *out = *in diff --git a/generated/1.19/README.adoc b/generated/1.19/README.adoc index bdba4347..cacb5f67 100644 --- a/generated/1.19/README.adoc +++ b/generated/1.19/README.adoc 
@@ -219,6 +219,26 @@ Package clientsecret is the internal version of the Pinniped client secret API. +[id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-clientsecret-oidcclientsecretrequest"] +==== OIDCClientSecretRequest + +OIDCClientSecretRequest can be used to update the client secrets associated with an OIDCClient. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-clientsecret-oidcclientsecretrequestlist[$$OIDCClientSecretRequestList$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`. + +| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-clientsecret-oidcclientsecretrequestspec[$$OIDCClientSecretRequestSpec$$]__ | +| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-clientsecret-oidcclientsecretrequeststatus[$$OIDCClientSecretRequestStatus$$]__ | +|=== + + [id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-clientsecret-oidcclientsecretrequestspec"] @@ -234,8 +254,8 @@ Package clientsecret is the internal version of the Pinniped client secret API. [cols="25a,75a", options="header"] |=== | Field | Description -| *`generateNewSecret`* __boolean__ | -| *`revokeOldSecrets`* __boolean__ | +| *`generateNewSecret`* __boolean__ | Request a new client secret to for the OIDCClient referenced by the metadata.name field. +| *`revokeOldSecrets`* __boolean__ | Revoke the old client secrets associated with the OIDCClient referenced by the metadata.name field. |=== 
@@ -252,8 +272,8 @@ Package clientsecret is the internal version of the Pinniped client secret API. [cols="25a,75a", options="header"] |=== | Field | Description -| *`generatedSecret`* __string__ | -| *`totalClientSecrets`* __integer__ | +| *`generatedSecret`* __string__ | The unencrypted OIDC Client Secret. This will only be shared upon creation and cannot be recovered if you lose it. +| *`totalClientSecrets`* __integer__ | The total number of client secrets associated with the OIDCClient referenced by the metadata.name field. |=== @@ -265,6 +285,26 @@ Package v1alpha1 is the v1alpha1 version of the Pinniped client secret API. +[id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-clientsecret-v1alpha1-oidcclientsecretrequest"] +==== OIDCClientSecretRequest + + + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-clientsecret-v1alpha1-oidcclientsecretrequestlist[$$OIDCClientSecretRequestList$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`. + +| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-clientsecret-v1alpha1-oidcclientsecretrequestspec[$$OIDCClientSecretRequestSpec$$]__ | +| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-clientsecret-v1alpha1-oidcclientsecretrequeststatus[$$OIDCClientSecretRequestStatus$$]__ | +|=== + + [id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-clientsecret-v1alpha1-oidcclientsecretrequestspec"] diff --git a/generated/1.19/apis/supervisor/clientsecret/register.go b/generated/1.19/apis/supervisor/clientsecret/register.go index 4a1c0173..8a76f0fe 100644 --- a/generated/1.19/apis/supervisor/clientsecret/register.go +++ b/generated/1.19/apis/supervisor/clientsecret/register.go 
@@ -32,6 +32,7 @@ var ( func addKnownTypes(scheme *runtime.Scheme) error { scheme.AddKnownTypes(SchemeGroupVersion, &OIDCClientSecretRequest{}, + &OIDCClientSecretRequestList{}, ) return nil } diff --git a/generated/1.19/apis/supervisor/clientsecret/types_oidcclientsecretrequest.go b/generated/1.19/apis/supervisor/clientsecret/types_oidcclientsecretrequest.go index 7fd1eb65..c7ef37b2 100644 --- a/generated/1.19/apis/supervisor/clientsecret/types_oidcclientsecretrequest.go +++ b/generated/1.19/apis/supervisor/clientsecret/types_oidcclientsecretrequest.go @@ -6,15 +6,26 @@ package clientsecret import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" type OIDCClientSecretRequestSpec struct { + // Request a new client secret to for the OIDCClient referenced by the metadata.name field. GenerateNewSecret bool `json:"generateNewSecret"` - RevokeOldSecrets bool `json:"revokeOldSecrets"` + + // Revoke the old client secrets associated with the OIDCClient referenced by the metadata.name + // field. + RevokeOldSecrets bool `json:"revokeOldSecrets"` } type OIDCClientSecretRequestStatus struct { - GeneratedSecret string `json:"generatedSecret,omitempty"` - TotalClientSecrets int `json:"totalClientSecrets"` + // The unencrypted OIDC Client Secret. This will only be shared upon creation and cannot + // be recovered if you lose it. + GeneratedSecret string `json:"generatedSecret,omitempty"` + + // The total number of client secrets associated with the OIDCClient referenced by the + // metadata.name field. + TotalClientSecrets int `json:"totalClientSecrets"` } +// OIDCClientSecretRequest can be used to update the client secrets associated with an +// OIDCClient. // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object type OIDCClientSecretRequest struct { metav1.TypeMeta `json:",inline"` 
@@ -23,3 +34,13 @@ type OIDCClientSecretRequest struct { Spec OIDCClientSecretRequestSpec `json:"spec"` Status OIDCClientSecretRequestStatus `json:"status"` } + +// OIDCClientSecretList is a list of OIDCClientSecretRequest objects. +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +type OIDCClientSecretRequestList struct { + metav1.TypeMeta + metav1.ListMeta + + // Items is a list of OIDCClientSecretRequest + Items []OIDCClientSecretRequest +} diff --git a/generated/1.19/apis/supervisor/clientsecret/v1alpha1/register.go b/generated/1.19/apis/supervisor/clientsecret/v1alpha1/register.go index 49602125..4660e407 100644 --- a/generated/1.19/apis/supervisor/clientsecret/v1alpha1/register.go +++ b/generated/1.19/apis/supervisor/clientsecret/v1alpha1/register.go @@ -31,6 +31,7 @@ func init() { func addKnownTypes(scheme *runtime.Scheme) error { scheme.AddKnownTypes(SchemeGroupVersion, &OIDCClientSecretRequest{}, + &OIDCClientSecretRequestList{}, ) metav1.AddToGroupVersion(scheme, SchemeGroupVersion) return nil diff --git a/generated/1.19/apis/supervisor/clientsecret/v1alpha1/types_oidcclientsecretrequest.go b/generated/1.19/apis/supervisor/clientsecret/v1alpha1/types_oidcclientsecretrequest.go index dda2f3bb..ef48e6c0 100644 --- a/generated/1.19/apis/supervisor/clientsecret/v1alpha1/types_oidcclientsecretrequest.go +++ b/generated/1.19/apis/supervisor/clientsecret/v1alpha1/types_oidcclientsecretrequest.go @@ -26,3 +26,11 @@ type OIDCClientSecretRequest struct { Spec OIDCClientSecretRequestSpec `json:"spec"` Status OIDCClientSecretRequestStatus `json:"status"` } + +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +type OIDCClientSecretRequestList struct { + metav1.TypeMeta `json:",inline"` + metav1.ListMeta `json:"metadata,omitempty"` + + Items []OIDCClientSecretRequest `json:"items"` +} 
diff --git a/generated/1.19/apis/supervisor/clientsecret/v1alpha1/zz_generated.conversion.go b/generated/1.19/apis/supervisor/clientsecret/v1alpha1/zz_generated.conversion.go index bf34cde1..c9c13bee 100644 --- a/generated/1.19/apis/supervisor/clientsecret/v1alpha1/zz_generated.conversion.go +++ b/generated/1.19/apis/supervisor/clientsecret/v1alpha1/zz_generated.conversion.go @@ -9,6 +9,8 @@ package v1alpha1 import ( + unsafe "unsafe" + clientsecret "go.pinniped.dev/generated/1.19/apis/supervisor/clientsecret" conversion "k8s.io/apimachinery/pkg/conversion" runtime "k8s.io/apimachinery/pkg/runtime" @@ -31,6 +33,16 @@ func RegisterConversions(s *runtime.Scheme) error { }); err != nil { return err } + if err := s.AddGeneratedConversionFunc((*OIDCClientSecretRequestList)(nil), (*clientsecret.OIDCClientSecretRequestList)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_v1alpha1_OIDCClientSecretRequestList_To_clientsecret_OIDCClientSecretRequestList(a.(*OIDCClientSecretRequestList), b.(*clientsecret.OIDCClientSecretRequestList), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*clientsecret.OIDCClientSecretRequestList)(nil), (*OIDCClientSecretRequestList)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_clientsecret_OIDCClientSecretRequestList_To_v1alpha1_OIDCClientSecretRequestList(a.(*clientsecret.OIDCClientSecretRequestList), b.(*OIDCClientSecretRequestList), scope) + }); err != nil { + return err + } if err := s.AddGeneratedConversionFunc((*OIDCClientSecretRequestSpec)(nil), (*clientsecret.OIDCClientSecretRequestSpec)(nil), func(a, b interface{}, scope conversion.Scope) error { return Convert_v1alpha1_OIDCClientSecretRequestSpec_To_clientsecret_OIDCClientSecretRequestSpec(a.(*OIDCClientSecretRequestSpec), b.(*clientsecret.OIDCClientSecretRequestSpec), scope) }); err != nil { 
@@ -86,6 +98,28 @@ func Convert_clientsecret_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRe return autoConvert_clientsecret_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest(in, out, s) } +func autoConvert_v1alpha1_OIDCClientSecretRequestList_To_clientsecret_OIDCClientSecretRequestList(in *OIDCClientSecretRequestList, out *clientsecret.OIDCClientSecretRequestList, s conversion.Scope) error { + out.ListMeta = in.ListMeta + out.Items = *(*[]clientsecret.OIDCClientSecretRequest)(unsafe.Pointer(&in.Items)) + return nil +} + +// Convert_v1alpha1_OIDCClientSecretRequestList_To_clientsecret_OIDCClientSecretRequestList is an autogenerated conversion function. +func Convert_v1alpha1_OIDCClientSecretRequestList_To_clientsecret_OIDCClientSecretRequestList(in *OIDCClientSecretRequestList, out *clientsecret.OIDCClientSecretRequestList, s conversion.Scope) error { + return autoConvert_v1alpha1_OIDCClientSecretRequestList_To_clientsecret_OIDCClientSecretRequestList(in, out, s) +} + +func autoConvert_clientsecret_OIDCClientSecretRequestList_To_v1alpha1_OIDCClientSecretRequestList(in *clientsecret.OIDCClientSecretRequestList, out *OIDCClientSecretRequestList, s conversion.Scope) error { + out.ListMeta = in.ListMeta + out.Items = *(*[]OIDCClientSecretRequest)(unsafe.Pointer(&in.Items)) + return nil +} + +// Convert_clientsecret_OIDCClientSecretRequestList_To_v1alpha1_OIDCClientSecretRequestList is an autogenerated conversion function. 
+func Convert_clientsecret_OIDCClientSecretRequestList_To_v1alpha1_OIDCClientSecretRequestList(in *clientsecret.OIDCClientSecretRequestList, out *OIDCClientSecretRequestList, s conversion.Scope) error { + return autoConvert_clientsecret_OIDCClientSecretRequestList_To_v1alpha1_OIDCClientSecretRequestList(in, out, s) +} + func autoConvert_v1alpha1_OIDCClientSecretRequestSpec_To_clientsecret_OIDCClientSecretRequestSpec(in *OIDCClientSecretRequestSpec, out *clientsecret.OIDCClientSecretRequestSpec, s conversion.Scope) error { out.GenerateNewSecret = in.GenerateNewSecret out.RevokeOldSecrets = in.RevokeOldSecrets diff --git a/generated/1.19/apis/supervisor/clientsecret/v1alpha1/zz_generated.deepcopy.go b/generated/1.19/apis/supervisor/clientsecret/v1alpha1/zz_generated.deepcopy.go index e4fce842..781e9831 100644 --- a/generated/1.19/apis/supervisor/clientsecret/v1alpha1/zz_generated.deepcopy.go +++ b/generated/1.19/apis/supervisor/clientsecret/v1alpha1/zz_generated.deepcopy.go 
@@ -40,6 +40,39 @@ func (in *OIDCClientSecretRequest) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCClientSecretRequestList) DeepCopyInto(out *OIDCClientSecretRequestList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]OIDCClientSecretRequest, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSecretRequestList. +func (in *OIDCClientSecretRequestList) DeepCopy() *OIDCClientSecretRequestList { + if in == nil { + return nil + } + out := new(OIDCClientSecretRequestList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *OIDCClientSecretRequestList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *OIDCClientSecretRequestSpec) DeepCopyInto(out *OIDCClientSecretRequestSpec) { *out = *in diff --git a/generated/1.19/apis/supervisor/clientsecret/zz_generated.deepcopy.go b/generated/1.19/apis/supervisor/clientsecret/zz_generated.deepcopy.go index e0dc7d68..ffd5e96e 100644 --- a/generated/1.19/apis/supervisor/clientsecret/zz_generated.deepcopy.go +++ b/generated/1.19/apis/supervisor/clientsecret/zz_generated.deepcopy.go 
@@ -40,6 +40,39 @@ func (in *OIDCClientSecretRequest) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCClientSecretRequestList) DeepCopyInto(out *OIDCClientSecretRequestList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]OIDCClientSecretRequest, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSecretRequestList. +func (in *OIDCClientSecretRequestList) DeepCopy() *OIDCClientSecretRequestList { + if in == nil { + return nil + } + out := new(OIDCClientSecretRequestList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *OIDCClientSecretRequestList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *OIDCClientSecretRequestSpec) DeepCopyInto(out *OIDCClientSecretRequestSpec) { *out = *in diff --git a/generated/1.20/README.adoc b/generated/1.20/README.adoc index 958b952c..2483e34a 100644 --- a/generated/1.20/README.adoc +++ b/generated/1.20/README.adoc 
@@ -219,6 +219,26 @@ Package clientsecret is the internal version of the Pinniped client secret API. +[id="{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-supervisor-clientsecret-oidcclientsecretrequest"] +==== OIDCClientSecretRequest + +OIDCClientSecretRequest can be used to update the client secrets associated with an OIDCClient. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-supervisor-clientsecret-oidcclientsecretrequestlist[$$OIDCClientSecretRequestList$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.2/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`. + +| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-supervisor-clientsecret-oidcclientsecretrequestspec[$$OIDCClientSecretRequestSpec$$]__ | +| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-supervisor-clientsecret-oidcclientsecretrequeststatus[$$OIDCClientSecretRequestStatus$$]__ | +|=== + + [id="{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-supervisor-clientsecret-oidcclientsecretrequestspec"] @@ -234,8 +254,8 @@ Package clientsecret is the internal version of the Pinniped client secret API. [cols="25a,75a", options="header"] |=== | Field | Description -| *`generateNewSecret`* __boolean__ | -| *`revokeOldSecrets`* __boolean__ | +| *`generateNewSecret`* __boolean__ | Request a new client secret to for the OIDCClient referenced by the metadata.name field. +| *`revokeOldSecrets`* __boolean__ | Revoke the old client secrets associated with the OIDCClient referenced by the metadata.name field. |=== 
@@ -252,8 +272,8 @@ Package clientsecret is the internal version of the Pinniped client secret API. [cols="25a,75a", options="header"] |=== | Field | Description -| *`generatedSecret`* __string__ | -| *`totalClientSecrets`* __integer__ | +| *`generatedSecret`* __string__ | The unencrypted OIDC Client Secret. This will only be shared upon creation and cannot be recovered if you lose it. +| *`totalClientSecrets`* __integer__ | The total number of client secrets associated with the OIDCClient referenced by the metadata.name field. |=== @@ -265,6 +285,26 @@ Package v1alpha1 is the v1alpha1 version of the Pinniped client secret API. +[id="{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-supervisor-clientsecret-v1alpha1-oidcclientsecretrequest"] +==== OIDCClientSecretRequest + + + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-supervisor-clientsecret-v1alpha1-oidcclientsecretrequestlist[$$OIDCClientSecretRequestList$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.2/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`. + +| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-supervisor-clientsecret-v1alpha1-oidcclientsecretrequestspec[$$OIDCClientSecretRequestSpec$$]__ | +| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-supervisor-clientsecret-v1alpha1-oidcclientsecretrequeststatus[$$OIDCClientSecretRequestStatus$$]__ | +|=== + + [id="{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-supervisor-clientsecret-v1alpha1-oidcclientsecretrequestspec"] diff --git a/generated/1.20/apis/supervisor/clientsecret/register.go b/generated/1.20/apis/supervisor/clientsecret/register.go index 4a1c0173..8a76f0fe 100644 --- a/generated/1.20/apis/supervisor/clientsecret/register.go +++ b/generated/1.20/apis/supervisor/clientsecret/register.go 
@@ -32,6 +32,7 @@ var ( func addKnownTypes(scheme *runtime.Scheme) error { scheme.AddKnownTypes(SchemeGroupVersion, &OIDCClientSecretRequest{}, + &OIDCClientSecretRequestList{}, ) return nil } diff --git a/generated/1.20/apis/supervisor/clientsecret/types_oidcclientsecretrequest.go b/generated/1.20/apis/supervisor/clientsecret/types_oidcclientsecretrequest.go index 7fd1eb65..c7ef37b2 100644 --- a/generated/1.20/apis/supervisor/clientsecret/types_oidcclientsecretrequest.go +++ b/generated/1.20/apis/supervisor/clientsecret/types_oidcclientsecretrequest.go @@ -6,15 +6,26 @@ package clientsecret import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" type OIDCClientSecretRequestSpec struct { + // Request a new client secret to for the OIDCClient referenced by the metadata.name field. GenerateNewSecret bool `json:"generateNewSecret"` - RevokeOldSecrets bool `json:"revokeOldSecrets"` + + // Revoke the old client secrets associated with the OIDCClient referenced by the metadata.name + // field. + RevokeOldSecrets bool `json:"revokeOldSecrets"` } type OIDCClientSecretRequestStatus struct { - GeneratedSecret string `json:"generatedSecret,omitempty"` - TotalClientSecrets int `json:"totalClientSecrets"` + // The unencrypted OIDC Client Secret. This will only be shared upon creation and cannot + // be recovered if you lose it. + GeneratedSecret string `json:"generatedSecret,omitempty"` + + // The total number of client secrets associated with the OIDCClient referenced by the + // metadata.name field. + TotalClientSecrets int `json:"totalClientSecrets"` } +// OIDCClientSecretRequest can be used to update the client secrets associated with an +// OIDCClient. // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object type OIDCClientSecretRequest struct { metav1.TypeMeta `json:",inline"` 
@@ -23,3 +34,13 @@ type OIDCClientSecretRequest struct {
 	Spec OIDCClientSecretRequestSpec `json:"spec"`
 	Status OIDCClientSecretRequestStatus `json:"status"`
 }
+
+// OIDCClientSecretList is a list of OIDCClientSecretRequest objects.
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+type OIDCClientSecretRequestList struct {
+	metav1.TypeMeta
+	metav1.ListMeta
+
+	// Items is a list of OIDCClientSecretRequest
+	Items []OIDCClientSecretRequest
+}
diff --git a/generated/1.20/apis/supervisor/clientsecret/v1alpha1/register.go b/generated/1.20/apis/supervisor/clientsecret/v1alpha1/register.go
index 49602125..4660e407 100644
--- a/generated/1.20/apis/supervisor/clientsecret/v1alpha1/register.go
+++ b/generated/1.20/apis/supervisor/clientsecret/v1alpha1/register.go
@@ -31,6 +31,7 @@ func init() {
 func addKnownTypes(scheme *runtime.Scheme) error {
 	scheme.AddKnownTypes(SchemeGroupVersion,
 		&OIDCClientSecretRequest{},
+		&OIDCClientSecretRequestList{},
 	)
 	metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
 	return nil
diff --git a/generated/1.20/apis/supervisor/clientsecret/v1alpha1/types_oidcclientsecretrequest.go b/generated/1.20/apis/supervisor/clientsecret/v1alpha1/types_oidcclientsecretrequest.go
index dda2f3bb..ef48e6c0 100644
--- a/generated/1.20/apis/supervisor/clientsecret/v1alpha1/types_oidcclientsecretrequest.go
+++ b/generated/1.20/apis/supervisor/clientsecret/v1alpha1/types_oidcclientsecretrequest.go
@@ -26,3 +26,11 @@ type OIDCClientSecretRequest struct {
 	Spec OIDCClientSecretRequestSpec `json:"spec"`
 	Status OIDCClientSecretRequestStatus `json:"status"`
 }
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+type OIDCClientSecretRequestList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+
+	Items []OIDCClientSecretRequest `json:"items"`
+}
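Review bot: The doc comment on the new internal list type names `OIDCClientSecretList` while the type it documents is `OIDCClientSecretRequestList`, so it should read `// OIDCClientSecretRequestList is a list of OIDCClientSecretRequest objects.`; the same mismatch is in the 1.21 and 1.22 copies of this file. The `v1alpha1` list type added in the last hunk on this line carries only the deepcopy-gen marker and no doc comment, so the same sentence could be added there so the versioned and internal types are documented alike. Since these are generated copies, the change presumably belongs in the template they are rendered from.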
diff --git a/generated/1.20/apis/supervisor/clientsecret/v1alpha1/zz_generated.conversion.go b/generated/1.20/apis/supervisor/clientsecret/v1alpha1/zz_generated.conversion.go
index f33c9a56..0f9f7ed3 100644
--- a/generated/1.20/apis/supervisor/clientsecret/v1alpha1/zz_generated.conversion.go
+++ b/generated/1.20/apis/supervisor/clientsecret/v1alpha1/zz_generated.conversion.go
@@ -9,6 +9,8 @@ package v1alpha1
 import (
+	unsafe "unsafe"
+
 	clientsecret "go.pinniped.dev/generated/1.20/apis/supervisor/clientsecret"
 	conversion "k8s.io/apimachinery/pkg/conversion"
 	runtime "k8s.io/apimachinery/pkg/runtime"
@@ -31,6 +33,16 @@ func RegisterConversions(s *runtime.Scheme) error {
 	}); err != nil {
 		return err
 	}
+	if err := s.AddGeneratedConversionFunc((*OIDCClientSecretRequestList)(nil), (*clientsecret.OIDCClientSecretRequestList)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_v1alpha1_OIDCClientSecretRequestList_To_clientsecret_OIDCClientSecretRequestList(a.(*OIDCClientSecretRequestList), b.(*clientsecret.OIDCClientSecretRequestList), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*clientsecret.OIDCClientSecretRequestList)(nil), (*OIDCClientSecretRequestList)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_clientsecret_OIDCClientSecretRequestList_To_v1alpha1_OIDCClientSecretRequestList(a.(*clientsecret.OIDCClientSecretRequestList), b.(*OIDCClientSecretRequestList), scope)
+	}); err != nil {
+		return err
+	}
 	if err := s.AddGeneratedConversionFunc((*OIDCClientSecretRequestSpec)(nil), (*clientsecret.OIDCClientSecretRequestSpec)(nil), func(a, b interface{}, scope conversion.Scope) error {
 		return Convert_v1alpha1_OIDCClientSecretRequestSpec_To_clientsecret_OIDCClientSecretRequestSpec(a.(*OIDCClientSecretRequestSpec), b.(*clientsecret.OIDCClientSecretRequestSpec), scope)
 	}); err != nil {
@@ -86,6 +98,28 @@ func Convert_clientsecret_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRe
 	return autoConvert_clientsecret_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest(in, out, s)
 }
+func autoConvert_v1alpha1_OIDCClientSecretRequestList_To_clientsecret_OIDCClientSecretRequestList(in *OIDCClientSecretRequestList, out *clientsecret.OIDCClientSecretRequestList, s conversion.Scope) error {
+	out.ListMeta = in.ListMeta
+	out.Items = *(*[]clientsecret.OIDCClientSecretRequest)(unsafe.Pointer(&in.Items))
+	return nil
+}
+
+// Convert_v1alpha1_OIDCClientSecretRequestList_To_clientsecret_OIDCClientSecretRequestList is an autogenerated conversion function.
+func Convert_v1alpha1_OIDCClientSecretRequestList_To_clientsecret_OIDCClientSecretRequestList(in *OIDCClientSecretRequestList, out *clientsecret.OIDCClientSecretRequestList, s conversion.Scope) error {
+	return autoConvert_v1alpha1_OIDCClientSecretRequestList_To_clientsecret_OIDCClientSecretRequestList(in, out, s)
+}
+
+func autoConvert_clientsecret_OIDCClientSecretRequestList_To_v1alpha1_OIDCClientSecretRequestList(in *clientsecret.OIDCClientSecretRequestList, out *OIDCClientSecretRequestList, s conversion.Scope) error {
+	out.ListMeta = in.ListMeta
+	out.Items = *(*[]OIDCClientSecretRequest)(unsafe.Pointer(&in.Items))
+	return nil
+}
+
+// Convert_clientsecret_OIDCClientSecretRequestList_To_v1alpha1_OIDCClientSecretRequestList is an autogenerated conversion function.
+func Convert_clientsecret_OIDCClientSecretRequestList_To_v1alpha1_OIDCClientSecretRequestList(in *clientsecret.OIDCClientSecretRequestList, out *OIDCClientSecretRequestList, s conversion.Scope) error {
+	return autoConvert_clientsecret_OIDCClientSecretRequestList_To_v1alpha1_OIDCClientSecretRequestList(in, out, s)
+}
+
 func autoConvert_v1alpha1_OIDCClientSecretRequestSpec_To_clientsecret_OIDCClientSecretRequestSpec(in *OIDCClientSecretRequestSpec, out *clientsecret.OIDCClientSecretRequestSpec, s conversion.Scope) error {
 	out.GenerateNewSecret = in.GenerateNewSecret
 	out.RevokeOldSecrets = in.RevokeOldSecrets
diff --git a/generated/1.20/apis/supervisor/clientsecret/v1alpha1/zz_generated.deepcopy.go b/generated/1.20/apis/supervisor/clientsecret/v1alpha1/zz_generated.deepcopy.go
index e4fce842..781e9831 100644
--- a/generated/1.20/apis/supervisor/clientsecret/v1alpha1/zz_generated.deepcopy.go
+++ b/generated/1.20/apis/supervisor/clientsecret/v1alpha1/zz_generated.deepcopy.go
@@ -40,6 +40,39 @@ func (in *OIDCClientSecretRequest) DeepCopyObject() runtime.Object {
 	return nil
 }
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OIDCClientSecretRequestList) DeepCopyInto(out *OIDCClientSecretRequestList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]OIDCClientSecretRequest, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSecretRequestList.
+func (in *OIDCClientSecretRequestList) DeepCopy() *OIDCClientSecretRequestList {
+	if in == nil {
+		return nil
+	}
+	out := new(OIDCClientSecretRequestList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *OIDCClientSecretRequestList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *OIDCClientSecretRequestSpec) DeepCopyInto(out *OIDCClientSecretRequestSpec) {
 	*out = *in
diff --git a/generated/1.20/apis/supervisor/clientsecret/zz_generated.deepcopy.go b/generated/1.20/apis/supervisor/clientsecret/zz_generated.deepcopy.go
index e0dc7d68..ffd5e96e 100644
--- a/generated/1.20/apis/supervisor/clientsecret/zz_generated.deepcopy.go
+++ b/generated/1.20/apis/supervisor/clientsecret/zz_generated.deepcopy.go
@@ -40,6 +40,39 @@ func (in *OIDCClientSecretRequest) DeepCopyObject() runtime.Object {
 	return nil
 }
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OIDCClientSecretRequestList) DeepCopyInto(out *OIDCClientSecretRequestList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]OIDCClientSecretRequest, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSecretRequestList.
+func (in *OIDCClientSecretRequestList) DeepCopy() *OIDCClientSecretRequestList {
+	if in == nil {
+		return nil
+	}
+	out := new(OIDCClientSecretRequestList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *OIDCClientSecretRequestList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *OIDCClientSecretRequestSpec) DeepCopyInto(out *OIDCClientSecretRequestSpec) {
 	*out = *in
diff --git a/generated/1.21/README.adoc b/generated/1.21/README.adoc
index 9eb23eb5..57a7b10c 100644
--- a/generated/1.21/README.adoc
+++ b/generated/1.21/README.adoc
@@ -219,6 +219,26 @@ Package clientsecret is the internal version of the Pinniped client secret API.
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-clientsecret-oidcclientsecretrequest"]
+==== OIDCClientSecretRequest
+
+OIDCClientSecretRequest can be used to update the client secrets associated with an OIDCClient.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-clientsecret-oidcclientsecretrequestlist[$$OIDCClientSecretRequestList$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.21/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`.
+
+| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-clientsecret-oidcclientsecretrequestspec[$$OIDCClientSecretRequestSpec$$]__ |
+| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-clientsecret-oidcclientsecretrequeststatus[$$OIDCClientSecretRequestStatus$$]__ |
+|===
+
+
 [id="{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-clientsecret-oidcclientsecretrequestspec"]
@@ -234,8 +254,8 @@ Package clientsecret is the internal version of the Pinniped client secret API.
 [cols="25a,75a", options="header"]
 |===
 | Field | Description
-| *`generateNewSecret`* __boolean__ |
-| *`revokeOldSecrets`* __boolean__ |
+| *`generateNewSecret`* __boolean__ | Request a new client secret to for the OIDCClient referenced by the metadata.name field.
+| *`revokeOldSecrets`* __boolean__ | Revoke the old client secrets associated with the OIDCClient referenced by the metadata.name field.
 |===
@@ -252,8 +272,8 @@ Package clientsecret is the internal version of the Pinniped client secret API.
 [cols="25a,75a", options="header"]
 |===
 | Field | Description
-| *`generatedSecret`* __string__ |
-| *`totalClientSecrets`* __integer__ |
+| *`generatedSecret`* __string__ | The unencrypted OIDC Client Secret. This will only be shared upon creation and cannot be recovered if you lose it.
+| *`totalClientSecrets`* __integer__ | The total number of client secrets associated with the OIDCClient referenced by the metadata.name field.
 |===
@@ -265,6 +285,26 @@ Package v1alpha1 is the v1alpha1 version of the Pinniped client secret API.
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-clientsecret-v1alpha1-oidcclientsecretrequest"]
+==== OIDCClientSecretRequest
+
+
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-clientsecret-v1alpha1-oidcclientsecretrequestlist[$$OIDCClientSecretRequestList$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.21/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`.
+
+| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-clientsecret-v1alpha1-oidcclientsecretrequestspec[$$OIDCClientSecretRequestSpec$$]__ |
+| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-clientsecret-v1alpha1-oidcclientsecretrequeststatus[$$OIDCClientSecretRequestStatus$$]__ |
+|===
+
+
 [id="{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-clientsecret-v1alpha1-oidcclientsecretrequestspec"]
diff --git a/generated/1.21/apis/supervisor/clientsecret/register.go b/generated/1.21/apis/supervisor/clientsecret/register.go
index 4a1c0173..8a76f0fe 100644
--- a/generated/1.21/apis/supervisor/clientsecret/register.go
+++ b/generated/1.21/apis/supervisor/clientsecret/register.go
@@ -32,6 +32,7 @@ var (
 func addKnownTypes(scheme *runtime.Scheme) error {
 	scheme.AddKnownTypes(SchemeGroupVersion,
 		&OIDCClientSecretRequest{},
+		&OIDCClientSecretRequestList{},
 	)
 	return nil
 }
diff --git a/generated/1.21/apis/supervisor/clientsecret/types_oidcclientsecretrequest.go b/generated/1.21/apis/supervisor/clientsecret/types_oidcclientsecretrequest.go
index 7fd1eb65..c7ef37b2 100644
--- a/generated/1.21/apis/supervisor/clientsecret/types_oidcclientsecretrequest.go
+++ b/generated/1.21/apis/supervisor/clientsecret/types_oidcclientsecretrequest.go
@@ -6,15 +6,26 @@ package clientsecret
 import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 type OIDCClientSecretRequestSpec struct {
+	// Request a new client secret to for the OIDCClient referenced by the metadata.name field.
 	GenerateNewSecret bool `json:"generateNewSecret"`
-	RevokeOldSecrets bool `json:"revokeOldSecrets"`
+
+	// Revoke the old client secrets associated with the OIDCClient referenced by the metadata.name
+	// field.
+	RevokeOldSecrets bool `json:"revokeOldSecrets"`
 }
 type OIDCClientSecretRequestStatus struct {
-	GeneratedSecret string `json:"generatedSecret,omitempty"`
-	TotalClientSecrets int `json:"totalClientSecrets"`
+	// The unencrypted OIDC Client Secret. This will only be shared upon creation and cannot
+	// be recovered if you lose it.
+	GeneratedSecret string `json:"generatedSecret,omitempty"`
+
+	// The total number of client secrets associated with the OIDCClient referenced by the
+	// metadata.name field.
+	TotalClientSecrets int `json:"totalClientSecrets"`
 }
+// OIDCClientSecretRequest can be used to update the client secrets associated with an
+// OIDCClient.
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 type OIDCClientSecretRequest struct {
 	metav1.TypeMeta `json:",inline"`
@@ -23,3 +34,13 @@ type OIDCClientSecretRequest struct {
 	Spec OIDCClientSecretRequestSpec `json:"spec"`
 	Status OIDCClientSecretRequestStatus `json:"status"`
 }
+
+// OIDCClientSecretList is a list of OIDCClientSecretRequest objects.
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+type OIDCClientSecretRequestList struct {
+	metav1.TypeMeta
+	metav1.ListMeta
+
+	// Items is a list of OIDCClientSecretRequest
+	Items []OIDCClientSecretRequest
+}
diff --git a/generated/1.21/apis/supervisor/clientsecret/v1alpha1/register.go b/generated/1.21/apis/supervisor/clientsecret/v1alpha1/register.go
index 49602125..4660e407 100644
--- a/generated/1.21/apis/supervisor/clientsecret/v1alpha1/register.go
+++ b/generated/1.21/apis/supervisor/clientsecret/v1alpha1/register.go
@@ -31,6 +31,7 @@ func init() {
 func addKnownTypes(scheme *runtime.Scheme) error {
 	scheme.AddKnownTypes(SchemeGroupVersion,
 		&OIDCClientSecretRequest{},
+		&OIDCClientSecretRequestList{},
 	)
 	metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
 	return nil
diff --git a/generated/1.21/apis/supervisor/clientsecret/v1alpha1/types_oidcclientsecretrequest.go b/generated/1.21/apis/supervisor/clientsecret/v1alpha1/types_oidcclientsecretrequest.go
index dda2f3bb..ef48e6c0 100644
--- a/generated/1.21/apis/supervisor/clientsecret/v1alpha1/types_oidcclientsecretrequest.go
+++ b/generated/1.21/apis/supervisor/clientsecret/v1alpha1/types_oidcclientsecretrequest.go
@@ -26,3 +26,11 @@ type OIDCClientSecretRequest struct {
 	Spec OIDCClientSecretRequestSpec `json:"spec"`
 	Status OIDCClientSecretRequestStatus `json:"status"`
 }
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+type OIDCClientSecretRequestList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+
+	Items []OIDCClientSecretRequest `json:"items"`
+}
diff --git a/generated/1.21/apis/supervisor/clientsecret/v1alpha1/zz_generated.conversion.go b/generated/1.21/apis/supervisor/clientsecret/v1alpha1/zz_generated.conversion.go
index a5fbb3bb..f5aabafa 100644
--- a/generated/1.21/apis/supervisor/clientsecret/v1alpha1/zz_generated.conversion.go
+++ b/generated/1.21/apis/supervisor/clientsecret/v1alpha1/zz_generated.conversion.go
@@ -9,6 +9,8 @@ package v1alpha1
 import (
+	unsafe "unsafe"
+
 	clientsecret "go.pinniped.dev/generated/1.21/apis/supervisor/clientsecret"
 	conversion "k8s.io/apimachinery/pkg/conversion"
 	runtime "k8s.io/apimachinery/pkg/runtime"
@@ -31,6 +33,16 @@ func RegisterConversions(s *runtime.Scheme) error {
 	}); err != nil {
 		return err
 	}
+	if err := s.AddGeneratedConversionFunc((*OIDCClientSecretRequestList)(nil), (*clientsecret.OIDCClientSecretRequestList)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_v1alpha1_OIDCClientSecretRequestList_To_clientsecret_OIDCClientSecretRequestList(a.(*OIDCClientSecretRequestList), b.(*clientsecret.OIDCClientSecretRequestList), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*clientsecret.OIDCClientSecretRequestList)(nil), (*OIDCClientSecretRequestList)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_clientsecret_OIDCClientSecretRequestList_To_v1alpha1_OIDCClientSecretRequestList(a.(*clientsecret.OIDCClientSecretRequestList), b.(*OIDCClientSecretRequestList), scope)
+	}); err != nil {
+		return err
+	}
 	if err := s.AddGeneratedConversionFunc((*OIDCClientSecretRequestSpec)(nil), (*clientsecret.OIDCClientSecretRequestSpec)(nil), func(a, b interface{}, scope conversion.Scope) error {
 		return Convert_v1alpha1_OIDCClientSecretRequestSpec_To_clientsecret_OIDCClientSecretRequestSpec(a.(*OIDCClientSecretRequestSpec), b.(*clientsecret.OIDCClientSecretRequestSpec), scope)
 	}); err != nil {
@@ -86,6 +98,28 @@ func Convert_clientsecret_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRe
 	return autoConvert_clientsecret_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest(in, out, s)
 }
+func autoConvert_v1alpha1_OIDCClientSecretRequestList_To_clientsecret_OIDCClientSecretRequestList(in *OIDCClientSecretRequestList, out *clientsecret.OIDCClientSecretRequestList, s conversion.Scope) error {
+	out.ListMeta = in.ListMeta
+	out.Items = *(*[]clientsecret.OIDCClientSecretRequest)(unsafe.Pointer(&in.Items))
+	return nil
+}
+
+// Convert_v1alpha1_OIDCClientSecretRequestList_To_clientsecret_OIDCClientSecretRequestList is an autogenerated conversion function.
+func Convert_v1alpha1_OIDCClientSecretRequestList_To_clientsecret_OIDCClientSecretRequestList(in *OIDCClientSecretRequestList, out *clientsecret.OIDCClientSecretRequestList, s conversion.Scope) error {
+	return autoConvert_v1alpha1_OIDCClientSecretRequestList_To_clientsecret_OIDCClientSecretRequestList(in, out, s)
+}
+
+func autoConvert_clientsecret_OIDCClientSecretRequestList_To_v1alpha1_OIDCClientSecretRequestList(in *clientsecret.OIDCClientSecretRequestList, out *OIDCClientSecretRequestList, s conversion.Scope) error {
+	out.ListMeta = in.ListMeta
+	out.Items = *(*[]OIDCClientSecretRequest)(unsafe.Pointer(&in.Items))
+	return nil
+}
+
+// Convert_clientsecret_OIDCClientSecretRequestList_To_v1alpha1_OIDCClientSecretRequestList is an autogenerated conversion function.
+func Convert_clientsecret_OIDCClientSecretRequestList_To_v1alpha1_OIDCClientSecretRequestList(in *clientsecret.OIDCClientSecretRequestList, out *OIDCClientSecretRequestList, s conversion.Scope) error {
+	return autoConvert_clientsecret_OIDCClientSecretRequestList_To_v1alpha1_OIDCClientSecretRequestList(in, out, s)
+}
+
 func autoConvert_v1alpha1_OIDCClientSecretRequestSpec_To_clientsecret_OIDCClientSecretRequestSpec(in *OIDCClientSecretRequestSpec, out *clientsecret.OIDCClientSecretRequestSpec, s conversion.Scope) error {
 	out.GenerateNewSecret = in.GenerateNewSecret
 	out.RevokeOldSecrets = in.RevokeOldSecrets
diff --git a/generated/1.21/apis/supervisor/clientsecret/v1alpha1/zz_generated.deepcopy.go b/generated/1.21/apis/supervisor/clientsecret/v1alpha1/zz_generated.deepcopy.go
index e4fce842..781e9831 100644
--- a/generated/1.21/apis/supervisor/clientsecret/v1alpha1/zz_generated.deepcopy.go
+++ b/generated/1.21/apis/supervisor/clientsecret/v1alpha1/zz_generated.deepcopy.go
@@ -40,6 +40,39 @@ func (in *OIDCClientSecretRequest) DeepCopyObject() runtime.Object {
 	return nil
 }
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OIDCClientSecretRequestList) DeepCopyInto(out *OIDCClientSecretRequestList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]OIDCClientSecretRequest, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSecretRequestList.
+func (in *OIDCClientSecretRequestList) DeepCopy() *OIDCClientSecretRequestList {
+	if in == nil {
+		return nil
+	}
+	out := new(OIDCClientSecretRequestList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *OIDCClientSecretRequestList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *OIDCClientSecretRequestSpec) DeepCopyInto(out *OIDCClientSecretRequestSpec) {
 	*out = *in
diff --git a/generated/1.21/apis/supervisor/clientsecret/zz_generated.deepcopy.go b/generated/1.21/apis/supervisor/clientsecret/zz_generated.deepcopy.go
index e0dc7d68..ffd5e96e 100644
--- a/generated/1.21/apis/supervisor/clientsecret/zz_generated.deepcopy.go
+++ b/generated/1.21/apis/supervisor/clientsecret/zz_generated.deepcopy.go
@@ -40,6 +40,39 @@ func (in *OIDCClientSecretRequest) DeepCopyObject() runtime.Object {
 	return nil
 }
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OIDCClientSecretRequestList) DeepCopyInto(out *OIDCClientSecretRequestList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]OIDCClientSecretRequest, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSecretRequestList.
+func (in *OIDCClientSecretRequestList) DeepCopy() *OIDCClientSecretRequestList {
+	if in == nil {
+		return nil
+	}
+	out := new(OIDCClientSecretRequestList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *OIDCClientSecretRequestList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *OIDCClientSecretRequestSpec) DeepCopyInto(out *OIDCClientSecretRequestSpec) {
 	*out = *in
diff --git a/generated/1.22/README.adoc b/generated/1.22/README.adoc
index 0a4498b9..a51284cf 100644
--- a/generated/1.22/README.adoc
+++ b/generated/1.22/README.adoc
@@ -219,6 +219,26 @@ Package clientsecret is the internal version of the Pinniped client secret API.
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-clientsecret-oidcclientsecretrequest"]
+==== OIDCClientSecretRequest
+
+OIDCClientSecretRequest can be used to update the client secrets associated with an OIDCClient.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-clientsecret-oidcclientsecretrequestlist[$$OIDCClientSecretRequestList$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.22/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`.
+
+| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-clientsecret-oidcclientsecretrequestspec[$$OIDCClientSecretRequestSpec$$]__ |
+| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-clientsecret-oidcclientsecretrequeststatus[$$OIDCClientSecretRequestStatus$$]__ |
+|===
+
+
 [id="{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-clientsecret-oidcclientsecretrequestspec"]
@@ -234,8 +254,8 @@ Package clientsecret is the internal version of the Pinniped client secret API.
 [cols="25a,75a", options="header"]
 |===
 | Field | Description
-| *`generateNewSecret`* __boolean__ |
-| *`revokeOldSecrets`* __boolean__ |
+| *`generateNewSecret`* __boolean__ | Request a new client secret to for the OIDCClient referenced by the metadata.name field.
+| *`revokeOldSecrets`* __boolean__ | Revoke the old client secrets associated with the OIDCClient referenced by the metadata.name field.
 |===
@@ -252,8 +272,8 @@ Package clientsecret is the internal version of the Pinniped client secret API.
 [cols="25a,75a", options="header"]
 |===
 | Field | Description
-| *`generatedSecret`* __string__ |
-| *`totalClientSecrets`* __integer__ |
+| *`generatedSecret`* __string__ | The unencrypted OIDC Client Secret. This will only be shared upon creation and cannot be recovered if you lose it.
+| *`totalClientSecrets`* __integer__ | The total number of client secrets associated with the OIDCClient referenced by the metadata.name field.
 |===
@@ -265,6 +285,26 @@ Package v1alpha1 is the v1alpha1 version of the Pinniped client secret API.
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-clientsecret-v1alpha1-oidcclientsecretrequest"]
+==== OIDCClientSecretRequest
+
+
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-clientsecret-v1alpha1-oidcclientsecretrequestlist[$$OIDCClientSecretRequestList$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.22/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`.
+
+| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-clientsecret-v1alpha1-oidcclientsecretrequestspec[$$OIDCClientSecretRequestSpec$$]__ |
+| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-clientsecret-v1alpha1-oidcclientsecretrequeststatus[$$OIDCClientSecretRequestStatus$$]__ |
+|===
+
+
 [id="{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-clientsecret-v1alpha1-oidcclientsecretrequestspec"]
diff --git a/generated/1.22/apis/supervisor/clientsecret/register.go b/generated/1.22/apis/supervisor/clientsecret/register.go
index 4a1c0173..8a76f0fe 100644
--- a/generated/1.22/apis/supervisor/clientsecret/register.go
+++ b/generated/1.22/apis/supervisor/clientsecret/register.go
@@ -32,6 +32,7 @@ var (
 func addKnownTypes(scheme *runtime.Scheme) error {
 	scheme.AddKnownTypes(SchemeGroupVersion,
 		&OIDCClientSecretRequest{},
+		&OIDCClientSecretRequestList{},
 	)
 	return nil
 }
diff --git a/generated/1.22/apis/supervisor/clientsecret/types_oidcclientsecretrequest.go b/generated/1.22/apis/supervisor/clientsecret/types_oidcclientsecretrequest.go
index 7fd1eb65..c7ef37b2 100644
--- a/generated/1.22/apis/supervisor/clientsecret/types_oidcclientsecretrequest.go
+++ b/generated/1.22/apis/supervisor/clientsecret/types_oidcclientsecretrequest.go
@@ -6,15 +6,26 @@ package clientsecret
 import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 type OIDCClientSecretRequestSpec struct {
+	// Request a new client secret to for the OIDCClient referenced by the metadata.name field.
 	GenerateNewSecret bool `json:"generateNewSecret"`
-	RevokeOldSecrets bool `json:"revokeOldSecrets"`
+
+	// Revoke the old client secrets associated with the OIDCClient referenced by the metadata.name
+	// field.
+	RevokeOldSecrets bool `json:"revokeOldSecrets"`
 }
 type OIDCClientSecretRequestStatus struct {
-	GeneratedSecret string `json:"generatedSecret,omitempty"`
-	TotalClientSecrets int `json:"totalClientSecrets"`
+	// The unencrypted OIDC Client Secret. This will only be shared upon creation and cannot
+	// be recovered if you lose it.
+	GeneratedSecret string `json:"generatedSecret,omitempty"`
+
+	// The total number of client secrets associated with the OIDCClient referenced by the
+	// metadata.name field.
+	TotalClientSecrets int `json:"totalClientSecrets"`
 }
+// OIDCClientSecretRequest can be used to update the client secrets associated with an
+// OIDCClient.
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 type OIDCClientSecretRequest struct {
 	metav1.TypeMeta `json:",inline"`
@@ -23,3 +34,13 @@ type OIDCClientSecretRequest struct {
 	Spec OIDCClientSecretRequestSpec `json:"spec"`
 	Status OIDCClientSecretRequestStatus `json:"status"`
 }
+
+// OIDCClientSecretList is a list of OIDCClientSecretRequest objects.
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+type OIDCClientSecretRequestList struct {
+	metav1.TypeMeta
+	metav1.ListMeta
+
+	// Items is a list of OIDCClientSecretRequest
+	Items []OIDCClientSecretRequest
+}
diff --git a/generated/1.22/apis/supervisor/clientsecret/v1alpha1/register.go b/generated/1.22/apis/supervisor/clientsecret/v1alpha1/register.go
index 49602125..4660e407 100644
--- a/generated/1.22/apis/supervisor/clientsecret/v1alpha1/register.go
+++ b/generated/1.22/apis/supervisor/clientsecret/v1alpha1/register.go
@@ -31,6 +31,7 @@ func init() {
 func addKnownTypes(scheme *runtime.Scheme) error {
 	scheme.AddKnownTypes(SchemeGroupVersion,
 		&OIDCClientSecretRequest{},
+		&OIDCClientSecretRequestList{},
 	)
 	metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
 	return nil
diff --git a/generated/1.22/apis/supervisor/clientsecret/v1alpha1/types_oidcclientsecretrequest.go b/generated/1.22/apis/supervisor/clientsecret/v1alpha1/types_oidcclientsecretrequest.go
index dda2f3bb..ef48e6c0 100644
--- a/generated/1.22/apis/supervisor/clientsecret/v1alpha1/types_oidcclientsecretrequest.go
+++ b/generated/1.22/apis/supervisor/clientsecret/v1alpha1/types_oidcclientsecretrequest.go
@@ -26,3 +26,11 @@ type OIDCClientSecretRequest struct {
 	Spec OIDCClientSecretRequestSpec `json:"spec"`
 	Status OIDCClientSecretRequestStatus `json:"status"`
 }
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+type OIDCClientSecretRequestList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+
+	Items []OIDCClientSecretRequest `json:"items"`
+}
diff --git a/generated/1.22/apis/supervisor/clientsecret/v1alpha1/zz_generated.conversion.go b/generated/1.22/apis/supervisor/clientsecret/v1alpha1/zz_generated.conversion.go
index 4071a9d2..8de08fb5 100644
--- a/generated/1.22/apis/supervisor/clientsecret/v1alpha1/zz_generated.conversion.go
+++ b/generated/1.22/apis/supervisor/clientsecret/v1alpha1/zz_generated.conversion.go
@@ -9,6 +9,8 @@ package v1alpha1
 import (
+	unsafe "unsafe"
+
 	clientsecret "go.pinniped.dev/generated/1.22/apis/supervisor/clientsecret"
 	conversion "k8s.io/apimachinery/pkg/conversion"
 	runtime "k8s.io/apimachinery/pkg/runtime"
@@ -31,6 +33,16 @@ func RegisterConversions(s *runtime.Scheme) error {
 	}); err != nil {
 		return err
 	}
+	if err := s.AddGeneratedConversionFunc((*OIDCClientSecretRequestList)(nil), (*clientsecret.OIDCClientSecretRequestList)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_v1alpha1_OIDCClientSecretRequestList_To_clientsecret_OIDCClientSecretRequestList(a.(*OIDCClientSecretRequestList), b.(*clientsecret.OIDCClientSecretRequestList), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*clientsecret.OIDCClientSecretRequestList)(nil), (*OIDCClientSecretRequestList)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_clientsecret_OIDCClientSecretRequestList_To_v1alpha1_OIDCClientSecretRequestList(a.(*clientsecret.OIDCClientSecretRequestList), b.(*OIDCClientSecretRequestList), scope)
+	}); err != nil {
+		return err
+	}
 	if err := s.AddGeneratedConversionFunc((*OIDCClientSecretRequestSpec)(nil), (*clientsecret.OIDCClientSecretRequestSpec)(nil), func(a, b interface{}, scope conversion.Scope) error {
 		return Convert_v1alpha1_OIDCClientSecretRequestSpec_To_clientsecret_OIDCClientSecretRequestSpec(a.(*OIDCClientSecretRequestSpec), b.(*clientsecret.OIDCClientSecretRequestSpec), scope)
 	}); err != nil {
@@ -86,6 +98,28 @@ func Convert_clientsecret_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRe return autoConvert_clientsecret_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest(in, out, s) } +func autoConvert_v1alpha1_OIDCClientSecretRequestList_To_clientsecret_OIDCClientSecretRequestList(in *OIDCClientSecretRequestList, out *clientsecret.OIDCClientSecretRequestList, s conversion.Scope) error { + out.ListMeta = in.ListMeta + out.Items = *(*[]clientsecret.OIDCClientSecretRequest)(unsafe.Pointer(&in.Items)) + return nil +} + +// Convert_v1alpha1_OIDCClientSecretRequestList_To_clientsecret_OIDCClientSecretRequestList is an autogenerated conversion function. +func Convert_v1alpha1_OIDCClientSecretRequestList_To_clientsecret_OIDCClientSecretRequestList(in *OIDCClientSecretRequestList, out *clientsecret.OIDCClientSecretRequestList, s conversion.Scope) error { + return autoConvert_v1alpha1_OIDCClientSecretRequestList_To_clientsecret_OIDCClientSecretRequestList(in, out, s) +} + +func autoConvert_clientsecret_OIDCClientSecretRequestList_To_v1alpha1_OIDCClientSecretRequestList(in *clientsecret.OIDCClientSecretRequestList, out *OIDCClientSecretRequestList, s conversion.Scope) error { + out.ListMeta = in.ListMeta + out.Items = *(*[]OIDCClientSecretRequest)(unsafe.Pointer(&in.Items)) + return nil +} + +// Convert_clientsecret_OIDCClientSecretRequestList_To_v1alpha1_OIDCClientSecretRequestList is an autogenerated conversion function. 
+func Convert_clientsecret_OIDCClientSecretRequestList_To_v1alpha1_OIDCClientSecretRequestList(in *clientsecret.OIDCClientSecretRequestList, out *OIDCClientSecretRequestList, s conversion.Scope) error { + return autoConvert_clientsecret_OIDCClientSecretRequestList_To_v1alpha1_OIDCClientSecretRequestList(in, out, s) +} + func autoConvert_v1alpha1_OIDCClientSecretRequestSpec_To_clientsecret_OIDCClientSecretRequestSpec(in *OIDCClientSecretRequestSpec, out *clientsecret.OIDCClientSecretRequestSpec, s conversion.Scope) error { out.GenerateNewSecret = in.GenerateNewSecret out.RevokeOldSecrets = in.RevokeOldSecrets diff --git a/generated/1.22/apis/supervisor/clientsecret/v1alpha1/zz_generated.deepcopy.go b/generated/1.22/apis/supervisor/clientsecret/v1alpha1/zz_generated.deepcopy.go index e4fce842..781e9831 100644 --- a/generated/1.22/apis/supervisor/clientsecret/v1alpha1/zz_generated.deepcopy.go +++ b/generated/1.22/apis/supervisor/clientsecret/v1alpha1/zz_generated.deepcopy.go 
@@ -40,6 +40,39 @@ func (in *OIDCClientSecretRequest) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCClientSecretRequestList) DeepCopyInto(out *OIDCClientSecretRequestList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]OIDCClientSecretRequest, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSecretRequestList. +func (in *OIDCClientSecretRequestList) DeepCopy() *OIDCClientSecretRequestList { + if in == nil { + return nil + } + out := new(OIDCClientSecretRequestList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *OIDCClientSecretRequestList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *OIDCClientSecretRequestSpec) DeepCopyInto(out *OIDCClientSecretRequestSpec) { *out = *in diff --git a/generated/1.22/apis/supervisor/clientsecret/zz_generated.deepcopy.go b/generated/1.22/apis/supervisor/clientsecret/zz_generated.deepcopy.go index e0dc7d68..ffd5e96e 100644 --- a/generated/1.22/apis/supervisor/clientsecret/zz_generated.deepcopy.go +++ b/generated/1.22/apis/supervisor/clientsecret/zz_generated.deepcopy.go 
@@ -40,6 +40,39 @@ func (in *OIDCClientSecretRequest) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCClientSecretRequestList) DeepCopyInto(out *OIDCClientSecretRequestList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]OIDCClientSecretRequest, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSecretRequestList. +func (in *OIDCClientSecretRequestList) DeepCopy() *OIDCClientSecretRequestList { + if in == nil { + return nil + } + out := new(OIDCClientSecretRequestList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *OIDCClientSecretRequestList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *OIDCClientSecretRequestSpec) DeepCopyInto(out *OIDCClientSecretRequestSpec) { *out = *in diff --git a/generated/1.23/README.adoc b/generated/1.23/README.adoc index 2e9fde69..5f4ad98b 100644 --- a/generated/1.23/README.adoc +++ b/generated/1.23/README.adoc 
@@ -219,6 +219,26 @@ Package clientsecret is the internal version of the Pinniped client secret API. +[id="{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-clientsecret-oidcclientsecretrequest"] +==== OIDCClientSecretRequest + +OIDCClientSecretRequest can be used to update the client secrets associated with an OIDCClient. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-clientsecret-oidcclientsecretrequestlist[$$OIDCClientSecretRequestList$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`. + +| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-clientsecret-oidcclientsecretrequestspec[$$OIDCClientSecretRequestSpec$$]__ | +| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-clientsecret-oidcclientsecretrequeststatus[$$OIDCClientSecretRequestStatus$$]__ | +|=== + + [id="{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-clientsecret-oidcclientsecretrequestspec"] @@ -234,8 +254,8 @@ Package clientsecret is the internal version of the Pinniped client secret API. [cols="25a,75a", options="header"] |=== | Field | Description -| *`generateNewSecret`* __boolean__ | -| *`revokeOldSecrets`* __boolean__ | +| *`generateNewSecret`* __boolean__ | Request a new client secret to for the OIDCClient referenced by the metadata.name field. +| *`revokeOldSecrets`* __boolean__ | Revoke the old client secrets associated with the OIDCClient referenced by the metadata.name field. |=== 
@@ -252,8 +272,8 @@ Package clientsecret is the internal version of the Pinniped client secret API. [cols="25a,75a", options="header"] |=== | Field | Description -| *`generatedSecret`* __string__ | -| *`totalClientSecrets`* __integer__ | +| *`generatedSecret`* __string__ | The unencrypted OIDC Client Secret. This will only be shared upon creation and cannot be recovered if you lose it. +| *`totalClientSecrets`* __integer__ | The total number of client secrets associated with the OIDCClient referenced by the metadata.name field. |=== @@ -265,6 +285,26 @@ Package v1alpha1 is the v1alpha1 version of the Pinniped client secret API. +[id="{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-clientsecret-v1alpha1-oidcclientsecretrequest"] +==== OIDCClientSecretRequest + + + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-clientsecret-v1alpha1-oidcclientsecretrequestlist[$$OIDCClientSecretRequestList$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`. + +| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-clientsecret-v1alpha1-oidcclientsecretrequestspec[$$OIDCClientSecretRequestSpec$$]__ | +| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-clientsecret-v1alpha1-oidcclientsecretrequeststatus[$$OIDCClientSecretRequestStatus$$]__ | +|=== + + [id="{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-clientsecret-v1alpha1-oidcclientsecretrequestspec"] diff --git a/generated/1.23/apis/supervisor/clientsecret/register.go b/generated/1.23/apis/supervisor/clientsecret/register.go index 4a1c0173..8a76f0fe 100644 --- a/generated/1.23/apis/supervisor/clientsecret/register.go +++ b/generated/1.23/apis/supervisor/clientsecret/register.go 
@@ -32,6 +32,7 @@ var ( func addKnownTypes(scheme *runtime.Scheme) error { scheme.AddKnownTypes(SchemeGroupVersion, &OIDCClientSecretRequest{}, + &OIDCClientSecretRequestList{}, ) return nil } diff --git a/generated/1.23/apis/supervisor/clientsecret/types_oidcclientsecretrequest.go b/generated/1.23/apis/supervisor/clientsecret/types_oidcclientsecretrequest.go index 7fd1eb65..c7ef37b2 100644 --- a/generated/1.23/apis/supervisor/clientsecret/types_oidcclientsecretrequest.go +++ b/generated/1.23/apis/supervisor/clientsecret/types_oidcclientsecretrequest.go @@ -6,15 +6,26 @@ package clientsecret import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" type OIDCClientSecretRequestSpec struct { + // Request a new client secret to for the OIDCClient referenced by the metadata.name field. GenerateNewSecret bool `json:"generateNewSecret"` - RevokeOldSecrets bool `json:"revokeOldSecrets"` + + // Revoke the old client secrets associated with the OIDCClient referenced by the metadata.name + // field. + RevokeOldSecrets bool `json:"revokeOldSecrets"` } type OIDCClientSecretRequestStatus struct { - GeneratedSecret string `json:"generatedSecret,omitempty"` - TotalClientSecrets int `json:"totalClientSecrets"` + // The unencrypted OIDC Client Secret. This will only be shared upon creation and cannot + // be recovered if you lose it. + GeneratedSecret string `json:"generatedSecret,omitempty"` + + // The total number of client secrets associated with the OIDCClient referenced by the + // metadata.name field. + TotalClientSecrets int `json:"totalClientSecrets"` } +// OIDCClientSecretRequest can be used to update the client secrets associated with an +// OIDCClient. // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object type OIDCClientSecretRequest struct { metav1.TypeMeta `json:",inline"` 
@@ -23,3 +34,13 @@ type OIDCClientSecretRequest struct { Spec OIDCClientSecretRequestSpec `json:"spec"` Status OIDCClientSecretRequestStatus `json:"status"` } + +// OIDCClientSecretList is a list of OIDCClientSecretRequest objects. +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +type OIDCClientSecretRequestList struct { + metav1.TypeMeta + metav1.ListMeta + + // Items is a list of OIDCClientSecretRequest + Items []OIDCClientSecretRequest +} diff --git a/generated/1.23/apis/supervisor/clientsecret/v1alpha1/register.go b/generated/1.23/apis/supervisor/clientsecret/v1alpha1/register.go index 49602125..4660e407 100644 --- a/generated/1.23/apis/supervisor/clientsecret/v1alpha1/register.go +++ b/generated/1.23/apis/supervisor/clientsecret/v1alpha1/register.go @@ -31,6 +31,7 @@ func init() { func addKnownTypes(scheme *runtime.Scheme) error { scheme.AddKnownTypes(SchemeGroupVersion, &OIDCClientSecretRequest{}, + &OIDCClientSecretRequestList{}, ) metav1.AddToGroupVersion(scheme, SchemeGroupVersion) return nil diff --git a/generated/1.23/apis/supervisor/clientsecret/v1alpha1/types_oidcclientsecretrequest.go b/generated/1.23/apis/supervisor/clientsecret/v1alpha1/types_oidcclientsecretrequest.go index dda2f3bb..ef48e6c0 100644 --- a/generated/1.23/apis/supervisor/clientsecret/v1alpha1/types_oidcclientsecretrequest.go +++ b/generated/1.23/apis/supervisor/clientsecret/v1alpha1/types_oidcclientsecretrequest.go @@ -26,3 +26,11 @@ type OIDCClientSecretRequest struct { Spec OIDCClientSecretRequestSpec `json:"spec"` Status OIDCClientSecretRequestStatus `json:"status"` } + +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +type OIDCClientSecretRequestList struct { + metav1.TypeMeta `json:",inline"` + metav1.ListMeta `json:"metadata,omitempty"` + + Items []OIDCClientSecretRequest `json:"items"` +} 
diff --git a/generated/1.23/apis/supervisor/clientsecret/v1alpha1/zz_generated.conversion.go b/generated/1.23/apis/supervisor/clientsecret/v1alpha1/zz_generated.conversion.go index 4b0bc6ae..3c37704b 100644 --- a/generated/1.23/apis/supervisor/clientsecret/v1alpha1/zz_generated.conversion.go +++ b/generated/1.23/apis/supervisor/clientsecret/v1alpha1/zz_generated.conversion.go @@ -9,6 +9,8 @@ package v1alpha1 import ( + unsafe "unsafe" + clientsecret "go.pinniped.dev/generated/1.23/apis/supervisor/clientsecret" conversion "k8s.io/apimachinery/pkg/conversion" runtime "k8s.io/apimachinery/pkg/runtime" @@ -31,6 +33,16 @@ func RegisterConversions(s *runtime.Scheme) error { }); err != nil { return err } + if err := s.AddGeneratedConversionFunc((*OIDCClientSecretRequestList)(nil), (*clientsecret.OIDCClientSecretRequestList)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_v1alpha1_OIDCClientSecretRequestList_To_clientsecret_OIDCClientSecretRequestList(a.(*OIDCClientSecretRequestList), b.(*clientsecret.OIDCClientSecretRequestList), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*clientsecret.OIDCClientSecretRequestList)(nil), (*OIDCClientSecretRequestList)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_clientsecret_OIDCClientSecretRequestList_To_v1alpha1_OIDCClientSecretRequestList(a.(*clientsecret.OIDCClientSecretRequestList), b.(*OIDCClientSecretRequestList), scope) + }); err != nil { + return err + } if err := s.AddGeneratedConversionFunc((*OIDCClientSecretRequestSpec)(nil), (*clientsecret.OIDCClientSecretRequestSpec)(nil), func(a, b interface{}, scope conversion.Scope) error { return Convert_v1alpha1_OIDCClientSecretRequestSpec_To_clientsecret_OIDCClientSecretRequestSpec(a.(*OIDCClientSecretRequestSpec), b.(*clientsecret.OIDCClientSecretRequestSpec), scope) }); err != nil { 
@@ -86,6 +98,28 @@ func Convert_clientsecret_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRe return autoConvert_clientsecret_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest(in, out, s) } +func autoConvert_v1alpha1_OIDCClientSecretRequestList_To_clientsecret_OIDCClientSecretRequestList(in *OIDCClientSecretRequestList, out *clientsecret.OIDCClientSecretRequestList, s conversion.Scope) error { + out.ListMeta = in.ListMeta + out.Items = *(*[]clientsecret.OIDCClientSecretRequest)(unsafe.Pointer(&in.Items)) + return nil +} + +// Convert_v1alpha1_OIDCClientSecretRequestList_To_clientsecret_OIDCClientSecretRequestList is an autogenerated conversion function. +func Convert_v1alpha1_OIDCClientSecretRequestList_To_clientsecret_OIDCClientSecretRequestList(in *OIDCClientSecretRequestList, out *clientsecret.OIDCClientSecretRequestList, s conversion.Scope) error { + return autoConvert_v1alpha1_OIDCClientSecretRequestList_To_clientsecret_OIDCClientSecretRequestList(in, out, s) +} + +func autoConvert_clientsecret_OIDCClientSecretRequestList_To_v1alpha1_OIDCClientSecretRequestList(in *clientsecret.OIDCClientSecretRequestList, out *OIDCClientSecretRequestList, s conversion.Scope) error { + out.ListMeta = in.ListMeta + out.Items = *(*[]OIDCClientSecretRequest)(unsafe.Pointer(&in.Items)) + return nil +} + +// Convert_clientsecret_OIDCClientSecretRequestList_To_v1alpha1_OIDCClientSecretRequestList is an autogenerated conversion function. 
+func Convert_clientsecret_OIDCClientSecretRequestList_To_v1alpha1_OIDCClientSecretRequestList(in *clientsecret.OIDCClientSecretRequestList, out *OIDCClientSecretRequestList, s conversion.Scope) error { + return autoConvert_clientsecret_OIDCClientSecretRequestList_To_v1alpha1_OIDCClientSecretRequestList(in, out, s) +} + func autoConvert_v1alpha1_OIDCClientSecretRequestSpec_To_clientsecret_OIDCClientSecretRequestSpec(in *OIDCClientSecretRequestSpec, out *clientsecret.OIDCClientSecretRequestSpec, s conversion.Scope) error { out.GenerateNewSecret = in.GenerateNewSecret out.RevokeOldSecrets = in.RevokeOldSecrets diff --git a/generated/1.23/apis/supervisor/clientsecret/v1alpha1/zz_generated.deepcopy.go b/generated/1.23/apis/supervisor/clientsecret/v1alpha1/zz_generated.deepcopy.go index e4fce842..781e9831 100644 --- a/generated/1.23/apis/supervisor/clientsecret/v1alpha1/zz_generated.deepcopy.go +++ b/generated/1.23/apis/supervisor/clientsecret/v1alpha1/zz_generated.deepcopy.go 
@@ -40,6 +40,39 @@ func (in *OIDCClientSecretRequest) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCClientSecretRequestList) DeepCopyInto(out *OIDCClientSecretRequestList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]OIDCClientSecretRequest, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSecretRequestList. +func (in *OIDCClientSecretRequestList) DeepCopy() *OIDCClientSecretRequestList { + if in == nil { + return nil + } + out := new(OIDCClientSecretRequestList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *OIDCClientSecretRequestList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *OIDCClientSecretRequestSpec) DeepCopyInto(out *OIDCClientSecretRequestSpec) { *out = *in diff --git a/generated/1.23/apis/supervisor/clientsecret/zz_generated.deepcopy.go b/generated/1.23/apis/supervisor/clientsecret/zz_generated.deepcopy.go index e0dc7d68..ffd5e96e 100644 --- a/generated/1.23/apis/supervisor/clientsecret/zz_generated.deepcopy.go +++ b/generated/1.23/apis/supervisor/clientsecret/zz_generated.deepcopy.go 
@@ -40,6 +40,39 @@ func (in *OIDCClientSecretRequest) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCClientSecretRequestList) DeepCopyInto(out *OIDCClientSecretRequestList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]OIDCClientSecretRequest, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSecretRequestList. +func (in *OIDCClientSecretRequestList) DeepCopy() *OIDCClientSecretRequestList { + if in == nil { + return nil + } + out := new(OIDCClientSecretRequestList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *OIDCClientSecretRequestList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *OIDCClientSecretRequestSpec) DeepCopyInto(out *OIDCClientSecretRequestSpec) { *out = *in diff --git a/generated/1.24/README.adoc b/generated/1.24/README.adoc index 8d9d524d..c711183b 100644 --- a/generated/1.24/README.adoc +++ b/generated/1.24/README.adoc 
@@ -219,6 +219,26 @@ Package clientsecret is the internal version of the Pinniped client secret API. +[id="{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-clientsecret-oidcclientsecretrequest"] +==== OIDCClientSecretRequest + +OIDCClientSecretRequest can be used to update the client secrets associated with an OIDCClient. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-clientsecret-oidcclientsecretrequestlist[$$OIDCClientSecretRequestList$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`. + +| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-clientsecret-oidcclientsecretrequestspec[$$OIDCClientSecretRequestSpec$$]__ | +| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-clientsecret-oidcclientsecretrequeststatus[$$OIDCClientSecretRequestStatus$$]__ | +|=== + + [id="{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-clientsecret-oidcclientsecretrequestspec"] @@ -234,8 +254,8 @@ Package clientsecret is the internal version of the Pinniped client secret API. [cols="25a,75a", options="header"] |=== | Field | Description -| *`generateNewSecret`* __boolean__ | -| *`revokeOldSecrets`* __boolean__ | +| *`generateNewSecret`* __boolean__ | Request a new client secret to for the OIDCClient referenced by the metadata.name field. +| *`revokeOldSecrets`* __boolean__ | Revoke the old client secrets associated with the OIDCClient referenced by the metadata.name field. |=== 
@@ -252,8 +272,8 @@ Package clientsecret is the internal version of the Pinniped client secret API. [cols="25a,75a", options="header"] |=== | Field | Description -| *`generatedSecret`* __string__ | -| *`totalClientSecrets`* __integer__ | +| *`generatedSecret`* __string__ | The unencrypted OIDC Client Secret. This will only be shared upon creation and cannot be recovered if you lose it. +| *`totalClientSecrets`* __integer__ | The total number of client secrets associated with the OIDCClient referenced by the metadata.name field. |=== @@ -265,6 +285,26 @@ Package v1alpha1 is the v1alpha1 version of the Pinniped client secret API. +[id="{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-clientsecret-v1alpha1-oidcclientsecretrequest"] +==== OIDCClientSecretRequest + + + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-clientsecret-v1alpha1-oidcclientsecretrequestlist[$$OIDCClientSecretRequestList$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`. + +| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-clientsecret-v1alpha1-oidcclientsecretrequestspec[$$OIDCClientSecretRequestSpec$$]__ | +| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-clientsecret-v1alpha1-oidcclientsecretrequeststatus[$$OIDCClientSecretRequestStatus$$]__ | +|=== + + [id="{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-clientsecret-v1alpha1-oidcclientsecretrequestspec"] diff --git a/generated/1.24/apis/supervisor/clientsecret/register.go b/generated/1.24/apis/supervisor/clientsecret/register.go index 4a1c0173..8a76f0fe 100644 --- a/generated/1.24/apis/supervisor/clientsecret/register.go +++ b/generated/1.24/apis/supervisor/clientsecret/register.go 
@@ -32,6 +32,7 @@ var ( func addKnownTypes(scheme *runtime.Scheme) error { scheme.AddKnownTypes(SchemeGroupVersion, &OIDCClientSecretRequest{}, + &OIDCClientSecretRequestList{}, ) return nil } diff --git a/generated/1.24/apis/supervisor/clientsecret/types_oidcclientsecretrequest.go b/generated/1.24/apis/supervisor/clientsecret/types_oidcclientsecretrequest.go index 7fd1eb65..c7ef37b2 100644 --- a/generated/1.24/apis/supervisor/clientsecret/types_oidcclientsecretrequest.go +++ b/generated/1.24/apis/supervisor/clientsecret/types_oidcclientsecretrequest.go @@ -6,15 +6,26 @@ package clientsecret import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" type OIDCClientSecretRequestSpec struct { + // Request a new client secret to for the OIDCClient referenced by the metadata.name field. GenerateNewSecret bool `json:"generateNewSecret"` - RevokeOldSecrets bool `json:"revokeOldSecrets"` + + // Revoke the old client secrets associated with the OIDCClient referenced by the metadata.name + // field. + RevokeOldSecrets bool `json:"revokeOldSecrets"` } type OIDCClientSecretRequestStatus struct { - GeneratedSecret string `json:"generatedSecret,omitempty"` - TotalClientSecrets int `json:"totalClientSecrets"` + // The unencrypted OIDC Client Secret. This will only be shared upon creation and cannot + // be recovered if you lose it. + GeneratedSecret string `json:"generatedSecret,omitempty"` + + // The total number of client secrets associated with the OIDCClient referenced by the + // metadata.name field. + TotalClientSecrets int `json:"totalClientSecrets"` } +// OIDCClientSecretRequest can be used to update the client secrets associated with an +// OIDCClient. // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object type OIDCClientSecretRequest struct { metav1.TypeMeta `json:",inline"` 
@@ -23,3 +34,13 @@ type OIDCClientSecretRequest struct { Spec OIDCClientSecretRequestSpec `json:"spec"` Status OIDCClientSecretRequestStatus `json:"status"` } + +// OIDCClientSecretList is a list of OIDCClientSecretRequest objects. +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +type OIDCClientSecretRequestList struct { + metav1.TypeMeta + metav1.ListMeta + + // Items is a list of OIDCClientSecretRequest + Items []OIDCClientSecretRequest +} diff --git a/generated/1.24/apis/supervisor/clientsecret/v1alpha1/register.go b/generated/1.24/apis/supervisor/clientsecret/v1alpha1/register.go index 49602125..4660e407 100644 --- a/generated/1.24/apis/supervisor/clientsecret/v1alpha1/register.go +++ b/generated/1.24/apis/supervisor/clientsecret/v1alpha1/register.go @@ -31,6 +31,7 @@ func init() { func addKnownTypes(scheme *runtime.Scheme) error { scheme.AddKnownTypes(SchemeGroupVersion, &OIDCClientSecretRequest{}, + &OIDCClientSecretRequestList{}, ) metav1.AddToGroupVersion(scheme, SchemeGroupVersion) return nil diff --git a/generated/1.24/apis/supervisor/clientsecret/v1alpha1/types_oidcclientsecretrequest.go b/generated/1.24/apis/supervisor/clientsecret/v1alpha1/types_oidcclientsecretrequest.go index dda2f3bb..ef48e6c0 100644 --- a/generated/1.24/apis/supervisor/clientsecret/v1alpha1/types_oidcclientsecretrequest.go +++ b/generated/1.24/apis/supervisor/clientsecret/v1alpha1/types_oidcclientsecretrequest.go @@ -26,3 +26,11 @@ type OIDCClientSecretRequest struct { Spec OIDCClientSecretRequestSpec `json:"spec"` Status OIDCClientSecretRequestStatus `json:"status"` } + +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +type OIDCClientSecretRequestList struct { + metav1.TypeMeta `json:",inline"` + metav1.ListMeta `json:"metadata,omitempty"` + + Items []OIDCClientSecretRequest `json:"items"` +} 
diff --git a/generated/1.24/apis/supervisor/clientsecret/v1alpha1/zz_generated.conversion.go b/generated/1.24/apis/supervisor/clientsecret/v1alpha1/zz_generated.conversion.go index fd6f7ceb..78fbd0dc 100644 --- a/generated/1.24/apis/supervisor/clientsecret/v1alpha1/zz_generated.conversion.go +++ b/generated/1.24/apis/supervisor/clientsecret/v1alpha1/zz_generated.conversion.go @@ -9,6 +9,8 @@ package v1alpha1 import ( + unsafe "unsafe" + clientsecret "go.pinniped.dev/generated/1.24/apis/supervisor/clientsecret" conversion "k8s.io/apimachinery/pkg/conversion" runtime "k8s.io/apimachinery/pkg/runtime" @@ -31,6 +33,16 @@ func RegisterConversions(s *runtime.Scheme) error { }); err != nil { return err } + if err := s.AddGeneratedConversionFunc((*OIDCClientSecretRequestList)(nil), (*clientsecret.OIDCClientSecretRequestList)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_v1alpha1_OIDCClientSecretRequestList_To_clientsecret_OIDCClientSecretRequestList(a.(*OIDCClientSecretRequestList), b.(*clientsecret.OIDCClientSecretRequestList), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*clientsecret.OIDCClientSecretRequestList)(nil), (*OIDCClientSecretRequestList)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_clientsecret_OIDCClientSecretRequestList_To_v1alpha1_OIDCClientSecretRequestList(a.(*clientsecret.OIDCClientSecretRequestList), b.(*OIDCClientSecretRequestList), scope) + }); err != nil { + return err + } if err := s.AddGeneratedConversionFunc((*OIDCClientSecretRequestSpec)(nil), (*clientsecret.OIDCClientSecretRequestSpec)(nil), func(a, b interface{}, scope conversion.Scope) error { return Convert_v1alpha1_OIDCClientSecretRequestSpec_To_clientsecret_OIDCClientSecretRequestSpec(a.(*OIDCClientSecretRequestSpec), b.(*clientsecret.OIDCClientSecretRequestSpec), scope) }); err != nil { 
@@ -86,6 +98,28 @@ func Convert_clientsecret_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRe return autoConvert_clientsecret_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest(in, out, s) } +func autoConvert_v1alpha1_OIDCClientSecretRequestList_To_clientsecret_OIDCClientSecretRequestList(in *OIDCClientSecretRequestList, out *clientsecret.OIDCClientSecretRequestList, s conversion.Scope) error { + out.ListMeta = in.ListMeta + out.Items = *(*[]clientsecret.OIDCClientSecretRequest)(unsafe.Pointer(&in.Items)) + return nil +} + +// Convert_v1alpha1_OIDCClientSecretRequestList_To_clientsecret_OIDCClientSecretRequestList is an autogenerated conversion function. +func Convert_v1alpha1_OIDCClientSecretRequestList_To_clientsecret_OIDCClientSecretRequestList(in *OIDCClientSecretRequestList, out *clientsecret.OIDCClientSecretRequestList, s conversion.Scope) error { + return autoConvert_v1alpha1_OIDCClientSecretRequestList_To_clientsecret_OIDCClientSecretRequestList(in, out, s) +} + +func autoConvert_clientsecret_OIDCClientSecretRequestList_To_v1alpha1_OIDCClientSecretRequestList(in *clientsecret.OIDCClientSecretRequestList, out *OIDCClientSecretRequestList, s conversion.Scope) error { + out.ListMeta = in.ListMeta + out.Items = *(*[]OIDCClientSecretRequest)(unsafe.Pointer(&in.Items)) + return nil +} + +// Convert_clientsecret_OIDCClientSecretRequestList_To_v1alpha1_OIDCClientSecretRequestList is an autogenerated conversion function. 
+func Convert_clientsecret_OIDCClientSecretRequestList_To_v1alpha1_OIDCClientSecretRequestList(in *clientsecret.OIDCClientSecretRequestList, out *OIDCClientSecretRequestList, s conversion.Scope) error { + return autoConvert_clientsecret_OIDCClientSecretRequestList_To_v1alpha1_OIDCClientSecretRequestList(in, out, s) +} + func autoConvert_v1alpha1_OIDCClientSecretRequestSpec_To_clientsecret_OIDCClientSecretRequestSpec(in *OIDCClientSecretRequestSpec, out *clientsecret.OIDCClientSecretRequestSpec, s conversion.Scope) error { out.GenerateNewSecret = in.GenerateNewSecret out.RevokeOldSecrets = in.RevokeOldSecrets diff --git a/generated/1.24/apis/supervisor/clientsecret/v1alpha1/zz_generated.deepcopy.go b/generated/1.24/apis/supervisor/clientsecret/v1alpha1/zz_generated.deepcopy.go index e4fce842..781e9831 100644 --- a/generated/1.24/apis/supervisor/clientsecret/v1alpha1/zz_generated.deepcopy.go +++ b/generated/1.24/apis/supervisor/clientsecret/v1alpha1/zz_generated.deepcopy.go 
@@ -40,6 +40,39 @@ func (in *OIDCClientSecretRequest) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCClientSecretRequestList) DeepCopyInto(out *OIDCClientSecretRequestList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]OIDCClientSecretRequest, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSecretRequestList. +func (in *OIDCClientSecretRequestList) DeepCopy() *OIDCClientSecretRequestList { + if in == nil { + return nil + } + out := new(OIDCClientSecretRequestList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *OIDCClientSecretRequestList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *OIDCClientSecretRequestSpec) DeepCopyInto(out *OIDCClientSecretRequestSpec) { *out = *in diff --git a/generated/1.24/apis/supervisor/clientsecret/zz_generated.deepcopy.go b/generated/1.24/apis/supervisor/clientsecret/zz_generated.deepcopy.go index e0dc7d68..ffd5e96e 100644 --- a/generated/1.24/apis/supervisor/clientsecret/zz_generated.deepcopy.go +++ b/generated/1.24/apis/supervisor/clientsecret/zz_generated.deepcopy.go 
@@ -40,6 +40,39 @@ func (in *OIDCClientSecretRequest) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCClientSecretRequestList) DeepCopyInto(out *OIDCClientSecretRequestList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]OIDCClientSecretRequest, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSecretRequestList. +func (in *OIDCClientSecretRequestList) DeepCopy() *OIDCClientSecretRequestList { + if in == nil { + return nil + } + out := new(OIDCClientSecretRequestList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *OIDCClientSecretRequestList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *OIDCClientSecretRequestSpec) DeepCopyInto(out *OIDCClientSecretRequestSpec) { *out = *in diff --git a/generated/latest/apis/supervisor/clientsecret/register.go b/generated/latest/apis/supervisor/clientsecret/register.go index 4a1c0173..8a76f0fe 100644 --- a/generated/latest/apis/supervisor/clientsecret/register.go +++ b/generated/latest/apis/supervisor/clientsecret/register.go @@ -32,6 +32,7 @@ var ( func addKnownTypes(scheme *runtime.Scheme) error { scheme.AddKnownTypes(SchemeGroupVersion, &OIDCClientSecretRequest{}, + &OIDCClientSecretRequestList{}, ) return nil } 
diff --git a/generated/latest/apis/supervisor/clientsecret/types_oidcclientsecretrequest.go b/generated/latest/apis/supervisor/clientsecret/types_oidcclientsecretrequest.go index 7fd1eb65..c7ef37b2 100644 --- a/generated/latest/apis/supervisor/clientsecret/types_oidcclientsecretrequest.go +++ b/generated/latest/apis/supervisor/clientsecret/types_oidcclientsecretrequest.go @@ -6,15 +6,26 @@ package clientsecret import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" type OIDCClientSecretRequestSpec struct { + // Request a new client secret to for the OIDCClient referenced by the metadata.name field. GenerateNewSecret bool `json:"generateNewSecret"` - RevokeOldSecrets bool `json:"revokeOldSecrets"` + + // Revoke the old client secrets associated with the OIDCClient referenced by the metadata.name + // field. + RevokeOldSecrets bool `json:"revokeOldSecrets"` } type OIDCClientSecretRequestStatus struct { - GeneratedSecret string `json:"generatedSecret,omitempty"` - TotalClientSecrets int `json:"totalClientSecrets"` + // The unencrypted OIDC Client Secret. This will only be shared upon creation and cannot + // be recovered if you lose it. + GeneratedSecret string `json:"generatedSecret,omitempty"` + + // The total number of client secrets associated with the OIDCClient referenced by the + // metadata.name field. + TotalClientSecrets int `json:"totalClientSecrets"` } +// OIDCClientSecretRequest can be used to update the client secrets associated with an +// OIDCClient. // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object type OIDCClientSecretRequest struct { metav1.TypeMeta `json:",inline"` 
@@ -23,3 +34,13 @@ type OIDCClientSecretRequest struct { Spec OIDCClientSecretRequestSpec `json:"spec"` Status OIDCClientSecretRequestStatus `json:"status"` } + +// OIDCClientSecretList is a list of OIDCClientSecretRequest objects. +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +type OIDCClientSecretRequestList struct { + metav1.TypeMeta + metav1.ListMeta + + // Items is a list of OIDCClientSecretRequest + Items []OIDCClientSecretRequest +} diff --git a/generated/latest/apis/supervisor/clientsecret/v1alpha1/register.go b/generated/latest/apis/supervisor/clientsecret/v1alpha1/register.go index 49602125..4660e407 100644 --- a/generated/latest/apis/supervisor/clientsecret/v1alpha1/register.go +++ b/generated/latest/apis/supervisor/clientsecret/v1alpha1/register.go @@ -31,6 +31,7 @@ func init() { func addKnownTypes(scheme *runtime.Scheme) error { scheme.AddKnownTypes(SchemeGroupVersion, &OIDCClientSecretRequest{}, + &OIDCClientSecretRequestList{}, ) metav1.AddToGroupVersion(scheme, SchemeGroupVersion) return nil diff --git a/generated/latest/apis/supervisor/clientsecret/v1alpha1/types_oidcclientsecretrequest.go b/generated/latest/apis/supervisor/clientsecret/v1alpha1/types_oidcclientsecretrequest.go index dda2f3bb..ef48e6c0 100644 --- a/generated/latest/apis/supervisor/clientsecret/v1alpha1/types_oidcclientsecretrequest.go +++ b/generated/latest/apis/supervisor/clientsecret/v1alpha1/types_oidcclientsecretrequest.go @@ -26,3 +26,11 @@ type OIDCClientSecretRequest struct { Spec OIDCClientSecretRequestSpec `json:"spec"` Status OIDCClientSecretRequestStatus `json:"status"` } + +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +type OIDCClientSecretRequestList struct { + metav1.TypeMeta `json:",inline"` + metav1.ListMeta `json:"metadata,omitempty"` + + Items []OIDCClientSecretRequest `json:"items"` +} 
diff --git a/generated/latest/apis/supervisor/clientsecret/v1alpha1/zz_generated.conversion.go b/generated/latest/apis/supervisor/clientsecret/v1alpha1/zz_generated.conversion.go index b2a4d732..d52f2c10 100644 --- a/generated/latest/apis/supervisor/clientsecret/v1alpha1/zz_generated.conversion.go +++ b/generated/latest/apis/supervisor/clientsecret/v1alpha1/zz_generated.conversion.go @@ -9,6 +9,8 @@ package v1alpha1 import ( + unsafe "unsafe" + clientsecret "go.pinniped.dev/generated/latest/apis/supervisor/clientsecret" conversion "k8s.io/apimachinery/pkg/conversion" runtime "k8s.io/apimachinery/pkg/runtime" @@ -31,6 +33,16 @@ func RegisterConversions(s *runtime.Scheme) error { }); err != nil { return err } + if err := s.AddGeneratedConversionFunc((*OIDCClientSecretRequestList)(nil), (*clientsecret.OIDCClientSecretRequestList)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_v1alpha1_OIDCClientSecretRequestList_To_clientsecret_OIDCClientSecretRequestList(a.(*OIDCClientSecretRequestList), b.(*clientsecret.OIDCClientSecretRequestList), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*clientsecret.OIDCClientSecretRequestList)(nil), (*OIDCClientSecretRequestList)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_clientsecret_OIDCClientSecretRequestList_To_v1alpha1_OIDCClientSecretRequestList(a.(*clientsecret.OIDCClientSecretRequestList), b.(*OIDCClientSecretRequestList), scope) + }); err != nil { + return err + } if err := s.AddGeneratedConversionFunc((*OIDCClientSecretRequestSpec)(nil), (*clientsecret.OIDCClientSecretRequestSpec)(nil), func(a, b interface{}, scope conversion.Scope) error { return Convert_v1alpha1_OIDCClientSecretRequestSpec_To_clientsecret_OIDCClientSecretRequestSpec(a.(*OIDCClientSecretRequestSpec), b.(*clientsecret.OIDCClientSecretRequestSpec), scope) }); err != nil { 
@@ -86,6 +98,28 @@ func Convert_clientsecret_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRe return autoConvert_clientsecret_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest(in, out, s) } +func autoConvert_v1alpha1_OIDCClientSecretRequestList_To_clientsecret_OIDCClientSecretRequestList(in *OIDCClientSecretRequestList, out *clientsecret.OIDCClientSecretRequestList, s conversion.Scope) error { + out.ListMeta = in.ListMeta + out.Items = *(*[]clientsecret.OIDCClientSecretRequest)(unsafe.Pointer(&in.Items)) + return nil +} + +// Convert_v1alpha1_OIDCClientSecretRequestList_To_clientsecret_OIDCClientSecretRequestList is an autogenerated conversion function. +func Convert_v1alpha1_OIDCClientSecretRequestList_To_clientsecret_OIDCClientSecretRequestList(in *OIDCClientSecretRequestList, out *clientsecret.OIDCClientSecretRequestList, s conversion.Scope) error { + return autoConvert_v1alpha1_OIDCClientSecretRequestList_To_clientsecret_OIDCClientSecretRequestList(in, out, s) +} + +func autoConvert_clientsecret_OIDCClientSecretRequestList_To_v1alpha1_OIDCClientSecretRequestList(in *clientsecret.OIDCClientSecretRequestList, out *OIDCClientSecretRequestList, s conversion.Scope) error { + out.ListMeta = in.ListMeta + out.Items = *(*[]OIDCClientSecretRequest)(unsafe.Pointer(&in.Items)) + return nil +} + +// Convert_clientsecret_OIDCClientSecretRequestList_To_v1alpha1_OIDCClientSecretRequestList is an autogenerated conversion function. 
+func Convert_clientsecret_OIDCClientSecretRequestList_To_v1alpha1_OIDCClientSecretRequestList(in *clientsecret.OIDCClientSecretRequestList, out *OIDCClientSecretRequestList, s conversion.Scope) error { + return autoConvert_clientsecret_OIDCClientSecretRequestList_To_v1alpha1_OIDCClientSecretRequestList(in, out, s) +} + func autoConvert_v1alpha1_OIDCClientSecretRequestSpec_To_clientsecret_OIDCClientSecretRequestSpec(in *OIDCClientSecretRequestSpec, out *clientsecret.OIDCClientSecretRequestSpec, s conversion.Scope) error { out.GenerateNewSecret = in.GenerateNewSecret out.RevokeOldSecrets = in.RevokeOldSecrets diff --git a/generated/latest/apis/supervisor/clientsecret/v1alpha1/zz_generated.deepcopy.go b/generated/latest/apis/supervisor/clientsecret/v1alpha1/zz_generated.deepcopy.go index e4fce842..781e9831 100644 --- a/generated/latest/apis/supervisor/clientsecret/v1alpha1/zz_generated.deepcopy.go +++ b/generated/latest/apis/supervisor/clientsecret/v1alpha1/zz_generated.deepcopy.go 
@@ -40,6 +40,39 @@ func (in *OIDCClientSecretRequest) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCClientSecretRequestList) DeepCopyInto(out *OIDCClientSecretRequestList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]OIDCClientSecretRequest, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSecretRequestList. +func (in *OIDCClientSecretRequestList) DeepCopy() *OIDCClientSecretRequestList { + if in == nil { + return nil + } + out := new(OIDCClientSecretRequestList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *OIDCClientSecretRequestList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *OIDCClientSecretRequestSpec) DeepCopyInto(out *OIDCClientSecretRequestSpec) { *out = *in diff --git a/generated/latest/apis/supervisor/clientsecret/zz_generated.deepcopy.go b/generated/latest/apis/supervisor/clientsecret/zz_generated.deepcopy.go index e0dc7d68..ffd5e96e 100644 --- a/generated/latest/apis/supervisor/clientsecret/zz_generated.deepcopy.go +++ b/generated/latest/apis/supervisor/clientsecret/zz_generated.deepcopy.go 
@@ -40,6 +40,39 @@ func (in *OIDCClientSecretRequest) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCClientSecretRequestList) DeepCopyInto(out *OIDCClientSecretRequestList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]OIDCClientSecretRequest, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSecretRequestList. +func (in *OIDCClientSecretRequestList) DeepCopy() *OIDCClientSecretRequestList { + if in == nil { + return nil + } + out := new(OIDCClientSecretRequestList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *OIDCClientSecretRequestList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *OIDCClientSecretRequestSpec) DeepCopyInto(out *OIDCClientSecretRequestSpec) { *out = *in diff --git a/internal/config/supervisor/config.go b/internal/config/supervisor/config.go index 192d9790..44c98eef 100644 --- a/internal/config/supervisor/config.go +++ b/internal/config/supervisor/config.go 
@@ -24,6 +24,12 @@ const (
 NetworkDisabled = "disabled"
 NetworkUnix = "unix"
 NetworkTCP = "tcp"
+
+ // Use 10250 because it happens to be the same port on which the Kubelet listens, so some cluster types
+ // are more permissive with servers that run on this port. For example, GKE private clusters do not
+ // allow traffic from the control plane to most ports, but do allow traffic to port 10250. This allows
+ // the Concierge to work without additional configuration on these types of clusters.
+ aggregatedAPIServerPortDefault = 10250
 )
 
 // FromPath loads an Config from a provided local file path, inserts any
@@ -50,6 +56,12 @@ func FromPath(ctx context.Context, path string) (*Config, error) {
 return nil, fmt.Errorf("validate apiGroupSuffix: %w", err)
 }
 
+ maybeSetAggregatedAPIServerPortDefaults(&config.AggregatedAPIServerPort)
+
+ if err := validateServerPort(config.AggregatedAPIServerPort); err != nil {
+ return nil, fmt.Errorf("validate aggregatedAPIServerPort: %w", err)
+ }
+
 if err := validateNames(&config.NamesConfig); err != nil {
 return nil, fmt.Errorf("validate names: %w", err)
 }
@@ -105,6 +117,12 @@ func validateAPIGroupSuffix(apiGroupSuffix string) error {
 return groupsuffix.Validate(apiGroupSuffix)
 }
 
+func maybeSetAggregatedAPIServerPortDefaults(port **int64) {
+ if *port == nil {
+ *port = pointer.Int64Ptr(aggregatedAPIServerPortDefault)
+ }
+}
+
 func validateNames(names *NamesConfigSpec) error {
 missingNames := []string{}
 if names.DefaultTLSCertificateSecret == "" {
@@ -193,3 +211,11 @@ func addrIsOnlyOnLoopback(addr string) bool {
 }
 return ip.IsLoopback()
 }
+
+func validateServerPort(port *int64) error {
+ // It cannot be below 1024 because the container is not running as root.
+ if *port < 1024 || *port > 65535 {
+ return constable.Error("must be within range 1024 to 65535")
+ }
+ return nil
+}
diff --git a/internal/config/supervisor/config_test.go b/internal/config/supervisor/config_test.go
index ac4651a7..44da6ec5 100644
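Review bot: The comment on `aggregatedAPIServerPortDefault` in the first hunk says the port choice lets "the Concierge" work without extra configuration, but this constant lives in the Supervisor's config package and the value is later passed to the Supervisor's aggregated API server, so the sentence looks copied from the Concierge config; suggest `// the Supervisor's aggregated API server to work without additional configuration on these types of clusters.`. In the last hunk, `validateServerPort` dereferences `port` with no nil check, so it is only safe because FromPath calls `maybeSetAggregatedAPIServerPortDefaults` immediately before it; either guard it, `if port == nil { return constable.Error("must not be empty") }`, or record that ordering as a precondition in a comment on the function so a future caller does not panic on an unset config. FromPath's body continues outside these hunks.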
--- a/internal/config/supervisor/config_test.go +++ b/internal/config/supervisor/config_test.go @@ -43,6 +43,7 @@ func TestFromPath(t *testing.T) { address: 127.0.0.1:1234 insecureAcceptExternalUnencryptedHttpRequests: false logLevel: trace + aggregatedAPIServerPort: 12345 `), wantConfig: &Config{ APIGroupSuffix: pointer.StringPtr("some.suffix.com"), @@ -68,6 +69,7 @@ func TestFromPath(t *testing.T) { Log: plog.LogSpec{ Level: plog.LevelTrace, }, + AggregatedAPIServerPort: pointer.Int64Ptr(12345), }, }, { @@ -91,6 +93,7 @@ func TestFromPath(t *testing.T) { log: level: info format: text + aggregatedAPIServerPort: 12345 `), wantConfig: &Config{ APIGroupSuffix: pointer.StringPtr("some.suffix.com"), @@ -116,6 +119,7 @@ func TestFromPath(t *testing.T) { Level: plog.LevelInfo, Format: plog.FormatText, }, + AggregatedAPIServerPort: pointer.Int64Ptr(12345), }, }, { @@ -166,6 +170,7 @@ func TestFromPath(t *testing.T) { Level: plog.LevelTrace, Format: plog.FormatText, }, + AggregatedAPIServerPort: pointer.Int64Ptr(10250), }, }, { @@ -202,7 +207,8 @@ func TestFromPath(t *testing.T) { Network: "disabled", }, }, - AllowExternalHTTP: false, + AllowExternalHTTP: false, + AggregatedAPIServerPort: pointer.Int64Ptr(10250), }, }, { @@ -332,7 +338,8 @@ func TestFromPath(t *testing.T) { Address: ":1234", }, }, - AllowExternalHTTP: true, + AllowExternalHTTP: true, + AggregatedAPIServerPort: pointer.Int64Ptr(10250), }, }, { @@ -363,7 +370,8 @@ func TestFromPath(t *testing.T) { Address: ":1234", }, }, - AllowExternalHTTP: true, + AllowExternalHTTP: true, + AggregatedAPIServerPort: pointer.Int64Ptr(10250), }, }, { 
@@ -420,6 +428,22 @@ func TestFromPath(t *testing.T) { `), wantError: "validate apiGroupSuffix: a lowercase RFC 1123 subdomain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character (e.g. 'example.com', regex used for validation is '[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*')", }, + { + name: "AggregatedAPIServerPortDefault too small", + yaml: here.Doc(` + --- + aggregatedAPIServerPort: 1023 + `), + wantError: "validate aggregatedAPIServerPort: must be within range 1024 to 65535", + }, + { + name: "AggregatedAPIServerPortDefault too large", + yaml: here.Doc(` + --- + aggregatedAPIServerPort: 65536 + `), + wantError: "validate aggregatedAPIServerPort: must be within range 1024 to 65535", + }, } for _, test := range tests { test := test diff --git a/internal/config/supervisor/types.go b/internal/config/supervisor/types.go index edef3ce7..bd89e2c7 100644 --- a/internal/config/supervisor/types.go +++ b/internal/config/supervisor/types.go @@ -15,10 +15,11 @@ type Config struct { Labels map[string]string `json:"labels"` NamesConfig NamesConfigSpec `json:"names"` // Deprecated: use log.level instead - LogLevel *plog.LogLevel `json:"logLevel"` - Log plog.LogSpec `json:"log"` - Endpoints *Endpoints `json:"endpoints"` - AllowExternalHTTP stringOrBoolAsBool `json:"insecureAcceptExternalUnencryptedHttpRequests"` + LogLevel *plog.LogLevel `json:"logLevel"` + Log plog.LogSpec `json:"log"` + Endpoints *Endpoints `json:"endpoints"` + AllowExternalHTTP stringOrBoolAsBool `json:"insecureAcceptExternalUnencryptedHttpRequests"` + AggregatedAPIServerPort *int64 `json:"aggregatedAPIServerPort"` } // NamesConfigSpec configures the names of some Kubernetes resources for the Supervisor. diff --git a/internal/registry/clientsecretrequest/rest.go b/internal/registry/clientsecretrequest/rest.go index 70a7eb07..12621f1f 100644 --- a/internal/registry/clientsecretrequest/rest.go 
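Review bot: The two new table entries are named `AggregatedAPIServerPortDefault too small` and `... too large`, yet each sets `aggregatedAPIServerPort` explicitly in the YAML, so the names suggest the default is under test when it is the validation of a user-supplied value; `name: "AggregatedAPIServerPort too small"` reads truer. The range check in validateServerPort is inclusive at both ends, and no case pins `1024` or `65535` as accepted, so an off-by-one in either direction would still pass this table; a positive case at each boundary would close that gap. TestFromPath continues outside the hunk.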
+++ b/internal/registry/clientsecretrequest/rest.go
@@ -9,19 +9,24 @@ import (
 "fmt"
 
 apierrors "k8s.io/apimachinery/pkg/api/errors"
+ metainternalversion "k8s.io/apimachinery/pkg/apis/meta/internalversion"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/runtime"
+ "k8s.io/apimachinery/pkg/runtime/schema"
 "k8s.io/apiserver/pkg/registry/rest"
 "k8s.io/utils/trace"
 
 clientsecretapi "go.pinniped.dev/generated/latest/apis/supervisor/clientsecret"
 )
 
-func NewREST() *REST {
- return &REST{}
+func NewREST(resource schema.GroupResource) *REST {
+ return &REST{
+ tableConvertor: rest.NewDefaultTableConvertor(resource),
+ }
 }
 
 type REST struct {
+ tableConvertor rest.TableConvertor
 }
 
 // Assert that our *REST implements all the optional interfaces that we expect it to implement.
@@ -30,19 +35,38 @@ var _ interface {
 rest.NamespaceScopedStrategy
 rest.Scoper
 rest.Storage
+ rest.CategoriesProvider
+ rest.Lister
+ rest.TableConvertor
 } = (*REST)(nil)
 
 func (*REST) New() runtime.Object {
 return &clientsecretapi.OIDCClientSecretRequest{}
 }
 
+func (*REST) NewList() runtime.Object {
+ return &clientsecretapi.OIDCClientSecretRequestList{}
+}
+
+func (*REST) List(_ context.Context, _ *metainternalversion.ListOptions) (runtime.Object, error) {
+ return &clientsecretapi.OIDCClientSecretRequestList{
+ ListMeta: metav1.ListMeta{
+ ResourceVersion: "0", // this resource version means "from the API server cache"
+ },
+ Items: []clientsecretapi.OIDCClientSecretRequest{}, // avoid sending nil items list
+ }, nil
+}
+
+func (r *REST) ConvertToTable(ctx context.Context, obj runtime.Object, tableOptions runtime.Object) (*metav1.Table, error) {
+ return r.tableConvertor.ConvertToTable(ctx, obj, tableOptions)
+}
+
 func (*REST) NamespaceScoped() bool {
 return true
 }
 
 func (*REST) Categories() []string {
- // because we haven't implemented lister, adding it to categories breaks things.
- return []string{}
+ return []string{"pinniped"}
 }
 
 func (r *REST) Create(ctx context.Context, obj runtime.Object, createValidation rest.ValidateObjectFunc, options *metav1.CreateOptions) (runtime.Object, error) {
diff --git a/internal/supervisor/apiserver/apiserver.go b/internal/supervisor/apiserver/apiserver.go
index 21c620e3..135aeca9 100644
--- a/internal/supervisor/apiserver/apiserver.go
+++ b/internal/supervisor/apiserver/apiserver.go
@@ -30,7 +30,7 @@ type ExtraConfig struct {
 BuildControllersPostStartHook controllerinit.RunnerBuilder
 Scheme *runtime.Scheme
 NegotiatedSerializer runtime.NegotiatedSerializer
- OauthVirtualSupervisorGroupVersion schema.GroupVersion
+ ClientSecretSupervisorGroupVersion schema.GroupVersion
 }
 
 type PinnipedServer struct {
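Review bot: The new `List` returns an empty `OIDCClientSecretRequestList` regardless of the options it is given, and nothing on the method says whether that is the intended contract or a placeholder, which matters because the type's status carries a generated client secret that the API doc says is only shared at creation. A doc comment would pin the intent, e.g. `// List always returns an empty list: this is a create-only virtual resource, and the generated` / `// secret is returned only in the Create response, so there is nothing a list may expose. NewList and` / `// List exist so the resource can safely belong to the "pinniped" category (see Categories).`. That the resource is not persisted is inferred from the server.go hunk later in this patch, which turns etcd storage off, so word it accordingly if that changes. Create's body lies outside the hunk.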
@@ -74,8 +74,8 @@ func (c completedConfig) New() (*PinnipedServer, error) { var errs []error //nolint: prealloc for _, f := range []func() (schema.GroupVersionResource, rest.Storage){ func() (schema.GroupVersionResource, rest.Storage) { - clientSecretReqGVR := c.ExtraConfig.OauthVirtualSupervisorGroupVersion.WithResource("oidcclientsecretrequests") - clientSecretReqStorage := clientsecretrequest.NewREST() + clientSecretReqGVR := c.ExtraConfig.ClientSecretSupervisorGroupVersion.WithResource("oidcclientsecretrequests") + clientSecretReqStorage := clientsecretrequest.NewREST(clientSecretReqGVR.GroupResource()) return clientSecretReqGVR, clientSecretReqStorage }, } { diff --git a/internal/supervisor/scheme/scheme.go b/internal/supervisor/scheme/scheme.go index d977d012..ad6f3aba 100644 --- a/internal/supervisor/scheme/scheme.go +++ b/internal/supervisor/scheme/scheme.go @@ -38,9 +38,9 @@ func New(apiGroupSuffix string) (_ *runtime.Scheme, oauth schema.GroupVersion) { return scheme, clientsecretv1alpha1.SchemeGroupVersion } - oauthVirtualSupervisorGroupData := groupsuffix.SupervisorAggregatedGroups(apiGroupSuffix) + clientSecretSupervisorGroupData := groupsuffix.SupervisorAggregatedGroups(apiGroupSuffix) - addToSchemeAtNewGroup(scheme, clientsecretv1alpha1.GroupName, oauthVirtualSupervisorGroupData.Group, clientsecretv1alpha1.AddToScheme, clientsecretapi.AddToScheme) + addToSchemeAtNewGroup(scheme, clientsecretv1alpha1.GroupName, clientSecretSupervisorGroupData.Group, clientsecretv1alpha1.AddToScheme, clientsecretapi.AddToScheme) // manually register conversions and defaulting into the correct scheme since we cannot directly call AddToScheme schemeBuilder := runtime.NewSchemeBuilder( 
@@ -57,7 +57,7 @@ func New(apiGroupSuffix string) (_ *runtime.Scheme, oauth schema.GroupVersion) { // defaulting func registered, but it will almost certainly panic if one is added. scheme.Default((*clientsecretv1alpha1.OIDCClientSecretRequest)(nil)) - return scheme, schema.GroupVersion(oauthVirtualSupervisorGroupData) + return scheme, schema.GroupVersion(clientSecretSupervisorGroupData) } func addToSchemeAtNewGroup(scheme *runtime.Scheme, oldGroup, newGroup string, funcs ...func(*runtime.Scheme) error) { diff --git a/internal/supervisor/scheme/scheme_test.go b/internal/supervisor/scheme/scheme_test.go index fa860773..8c0b0bde 100644 --- a/internal/supervisor/scheme/scheme_test.go +++ b/internal/supervisor/scheme/scheme_test.go @@ -44,10 +44,10 @@ func TestNew(t *testing.T) { } tests := []struct { - name string - apiGroupSuffix string - want map[schema.GroupVersionKind]reflect.Type - wantOAuthGroupVersion schema.GroupVersion + name string + apiGroupSuffix string + want map[schema.GroupVersionKind]reflect.Type + wantClientSecretGroupVersion schema.GroupVersion }{ { name: "regular api group", 
@@ -55,9 +55,11 @@ func TestNew(t *testing.T) { want: map[schema.GroupVersionKind]reflect.Type{ // all the types that are in the aggregated API group - regularClientSecretGV.WithKind("OIDCClientSecretRequest"): reflect.TypeOf(&clientsecretv1alpha1.OIDCClientSecretRequest{}).Elem(), + regularClientSecretGV.WithKind("OIDCClientSecretRequest"): reflect.TypeOf(&clientsecretv1alpha1.OIDCClientSecretRequest{}).Elem(), + regularClientSecretGV.WithKind("OIDCClientSecretRequestList"): reflect.TypeOf(&clientsecretv1alpha1.OIDCClientSecretRequestList{}).Elem(), - regularClientSecretGVInternal.WithKind("OIDCClientSecretRequest"): reflect.TypeOf(&clientsecretapi.OIDCClientSecretRequest{}).Elem(), + regularClientSecretGVInternal.WithKind("OIDCClientSecretRequest"): reflect.TypeOf(&clientsecretapi.OIDCClientSecretRequest{}).Elem(), + regularClientSecretGVInternal.WithKind("OIDCClientSecretRequestList"): reflect.TypeOf(&clientsecretapi.OIDCClientSecretRequestList{}).Elem(), regularClientSecretGV.WithKind("CreateOptions"): reflect.TypeOf(&metav1.CreateOptions{}).Elem(), regularClientSecretGV.WithKind("DeleteOptions"): reflect.TypeOf(&metav1.DeleteOptions{}).Elem(), @@ -86,7 +88,7 @@ func TestNew(t *testing.T) { metav1.Unversioned.WithKind("UpdateOptions"): reflect.TypeOf(&metav1.UpdateOptions{}).Elem(), metav1.Unversioned.WithKind("WatchEvent"): reflect.TypeOf(&metav1.WatchEvent{}).Elem(), }, - wantOAuthGroupVersion: regularClientSecretGV, + wantClientSecretGroupVersion: regularClientSecretGV, }, { name: "other api group", 
@@ -94,9 +96,11 @@ func TestNew(t *testing.T) { want: map[schema.GroupVersionKind]reflect.Type{ // all the types that are in the aggregated API group - otherClientSecretGV.WithKind("OIDCClientSecretRequest"): reflect.TypeOf(&clientsecretv1alpha1.OIDCClientSecretRequest{}).Elem(), + otherClientSecretGV.WithKind("OIDCClientSecretRequest"): reflect.TypeOf(&clientsecretv1alpha1.OIDCClientSecretRequest{}).Elem(), + otherClientSecretGV.WithKind("OIDCClientSecretRequestList"): reflect.TypeOf(&clientsecretv1alpha1.OIDCClientSecretRequestList{}).Elem(), - otherClientSecretGVInternal.WithKind("OIDCClientSecretRequest"): reflect.TypeOf(&clientsecretapi.OIDCClientSecretRequest{}).Elem(), + otherClientSecretGVInternal.WithKind("OIDCClientSecretRequest"): reflect.TypeOf(&clientsecretapi.OIDCClientSecretRequest{}).Elem(), + otherClientSecretGVInternal.WithKind("OIDCClientSecretRequestList"): reflect.TypeOf(&clientsecretapi.OIDCClientSecretRequestList{}).Elem(), otherClientSecretGV.WithKind("CreateOptions"): reflect.TypeOf(&metav1.CreateOptions{}).Elem(), otherClientSecretGV.WithKind("DeleteOptions"): reflect.TypeOf(&metav1.DeleteOptions{}).Elem(), @@ -125,15 +129,15 @@ func TestNew(t *testing.T) { metav1.Unversioned.WithKind("UpdateOptions"): reflect.TypeOf(&metav1.UpdateOptions{}).Elem(), metav1.Unversioned.WithKind("WatchEvent"): reflect.TypeOf(&metav1.WatchEvent{}).Elem(), }, - wantOAuthGroupVersion: otherClientSecretGV, + wantClientSecretGroupVersion: otherClientSecretGV, }, } for _, tt := range tests { tt := tt t.Run(tt.name, func(t *testing.T) { - scheme, oauthGV := New(tt.apiGroupSuffix) + scheme, clientSecretGV := New(tt.apiGroupSuffix) require.Equal(t, tt.want, scheme.AllKnownTypes()) - require.Equal(t, tt.wantOAuthGroupVersion, oauthGV) + require.Equal(t, tt.wantClientSecretGroupVersion, clientSecretGV) }) } } diff --git a/internal/supervisor/server/server.go b/internal/supervisor/server/server.go index d4320091..30cdf48f 100644 
--- a/internal/supervisor/server/server.go
+++ b/internal/supervisor/server/server.go
@@ -138,7 +138,8 @@ func prepareControllers(
 leaderElector controllerinit.RunnerWrapper,
 podInfo *downward.PodInfo,
 ) controllerinit.RunnerBuilder {
- oauthSupervisorGroupData := groupsuffix.SupervisorAggregatedGroups(*cfg.APIGroupSuffix)
+ const certificateName string = "pinniped-supervisor-api-tls-serving-certificate"
+ clientSecretSupervisorGroupData := groupsuffix.SupervisorAggregatedGroups(*cfg.APIGroupSuffix)
 
 federationDomainInformer := pinnipedInformers.Config().V1alpha1().FederationDomains()
 secretInformer := kubeInformers.Core().V1().Secrets()
@@ -310,14 +311,14 @@ func prepareControllers(
 WithController(
 apicerts.NewCertsManagerController(
 podInfo.Namespace,
- "pinniped-supervisor-api-tls-serving-certificate",
+ certificateName,
 cfg.Labels,
 kubeClient,
 secretInformer,
 controllerlib.WithInformer,
 controllerlib.WithInitialEvent,
- 31536000*time.Second,
- "Pinniped Aggregation CA",
+ 365*24*time.Hour, // about one year
+ "Pinniped Supervisor Aggregation CA",
 cfg.NamesConfig.APIService,
 ),
 singletonWorker,
@@ -325,8 +326,8 @@ func prepareControllers(
 WithController(
 apicerts.NewAPIServiceUpdaterController(
 podInfo.Namespace,
- "pinniped-supervisor-api-tls-serving-certificate",
- oauthSupervisorGroupData.APIServiceName(),
+ certificateName,
+ clientSecretSupervisorGroupData.APIServiceName(),
 aggregatorClient,
 secretInformer,
 controllerlib.WithInformer,
@@ -336,7 +337,7 @@ func prepareControllers(
 WithController(
 apicerts.NewCertsObserverController(
 podInfo.Namespace,
- "pinniped-supervisor-api-tls-serving-certificate",
+ certificateName,
 dynamicServingCertProvider,
 secretInformer,
 controllerlib.WithInformer,
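Review bot: The serving-certificate lifetime `365*24*time.Hour, // about one year` in the NewCertsManagerController hunk and the `9*30*24*time.Hour, // about 9 months` passed to NewCertsExpirerController in the next hunk (first hunk on the following line) are two halves of one rotation policy, yet they sit as anonymous literals at two call sites with nothing tying them together; presumably the expirer value is the age at which the cert is rotated and so must stay below the lifetime. Suggest declaring both beside `certificateName` at the top of prepareControllers, e.g. `const servingCertLifetime = 365 * 24 * time.Hour // about one year` and `const servingCertRotateAfter = 9 * 30 * 24 * time.Hour // about 9 months, must be shorter than servingCertLifetime`, and passing those names in both hunks. On the same declaration, the explicit `string` in `const certificateName string = ...` is redundant for a constant used only as a string argument. prepareControllers' body continues outside these hunks.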
@@ -346,11 +347,11 @@ func prepareControllers(
 WithController(
 apicerts.NewCertsExpirerController(
 podInfo.Namespace,
- "pinniped-supervisor-api-tls-serving-certificate",
+ certificateName,
 kubeClient,
 secretInformer,
 controllerlib.WithInformer,
- 23328000*time.Second,
+ 9*30*24*time.Hour, // about 9 months
 apicerts.TLSCertificateChainSecretKey,
 plog.New(),
 ),
@@ -363,9 +364,9 @@ func prepareControllers(
 //nolint:funlen
 func runSupervisor(ctx context.Context, podInfo *downward.PodInfo, cfg *supervisor.Config) error {
 serverInstallationNamespace := podInfo.Namespace
- oauthSupervisorGroupData := groupsuffix.SupervisorAggregatedGroups(*cfg.APIGroupSuffix)
+ clientSecretSupervisorGroupData := groupsuffix.SupervisorAggregatedGroups(*cfg.APIGroupSuffix)
 
- apiServiceRef, err := apiserviceref.New(oauthSupervisorGroupData.APIServiceName())
+ apiServiceRef, err := apiserviceref.New(clientSecretSupervisorGroupData.APIServiceName())
 if err != nil {
 return fmt.Errorf("cannot create API service ref: %w", err)
 }
@@ -429,9 +430,9 @@ func runSupervisor(ctx context.Context, podInfo *downward.PodInfo, cfg *supervis
 clientWithoutLeaderElection.Kubernetes.CoreV1().Secrets(serverInstallationNamespace), // writes to kube storage are allowed for non-leaders
 )
 
- // Get the "real" name of the oauth virtual supervisor API group (i.e., the API group name with the
+ // Get the "real" name of the client secret supervisor API group (i.e., the API group name with the
 // injected suffix).
- scheme, oauthGV := supervisorscheme.New(*cfg.APIGroupSuffix)
+ scheme, clientSecretGV := supervisorscheme.New(*cfg.APIGroupSuffix)
 
 buildControllersFunc := prepareControllers(
 cfg,
@@ -458,9 +459,9 @@ func runSupervisor(ctx context.Context, podInfo *downward.PodInfo, cfg *supervis dynamicServingCertProvider, buildControllersFunc, *cfg.APIGroupSuffix, - 10250, + *cfg.AggregatedAPIServerPort, scheme, - oauthGV, + clientSecretGV, ) if err != nil { return fmt.Errorf("could not configure aggregated API server: %w", err) @@ -561,16 +562,16 @@ func getAggregatedAPIServerConfig( apiGroupSuffix string, aggregatedAPIServerPort int64, scheme *runtime.Scheme, - oauthVirtualSupervisorGroupVersion schema.GroupVersion, + clientSecretSupervisorGroupVersion schema.GroupVersion, ) (*apiserver.Config, error) { codecs := serializer.NewCodecFactory(scheme) // this is unused for now but it is a safe value that we could use in the future - defaultEtcdPathPrefix := fmt.Sprintf("/pinniped-concierge-registry/%s", apiGroupSuffix) + defaultEtcdPathPrefix := fmt.Sprintf("/pinniped-supervisor-registry/%s", apiGroupSuffix) recommendedOptions := genericoptions.NewRecommendedOptions( defaultEtcdPathPrefix, - codecs.LegacyCodec(oauthVirtualSupervisorGroupVersion), + codecs.LegacyCodec(clientSecretSupervisorGroupVersion), ) recommendedOptions.Etcd = nil // turn off etcd storage because we don't need it yet recommendedOptions.SecureServing.ServerCert.GeneratedCert = dynamicCertProvider @@ -605,7 +606,7 @@ func getAggregatedAPIServerConfig( BuildControllersPostStartHook: buildControllers, Scheme: scheme, NegotiatedSerializer: codecs, - OauthVirtualSupervisorGroupVersion: oauthVirtualSupervisorGroupVersion, + ClientSecretSupervisorGroupVersion: clientSecretSupervisorGroupVersion, }, } return apiServerConfig, nil diff --git a/test/integration/kube_api_discovery_test.go b/test/integration/kube_api_discovery_test.go index 9c3b9602..c46d01bf 100644 --- a/test/integration/kube_api_discovery_test.go +++ b/test/integration/kube_api_discovery_test.go 
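Review bot: `*cfg.AggregatedAPIServerPort` in the first hunk dereferences a pointer field where the literal `10250` stood before, so runSupervisor will panic at startup if the config loader leaves that field nil, and nothing in this diff shows a default or a validation step for it. Unless that lives elsewhere in the series, a guard before the call is warranted, e.g. `if cfg.AggregatedAPIServerPort == nil { return fmt.Errorf("aggregatedAPIServerPort must be set") }`, or a defaulting step where the config is parsed. The concierge-to-supervisor rename of `defaultEtcdPathPrefix` in the second hunk is covered by the existing "unused for now" comment, which is worth keeping accurate if etcd storage is ever turned on. runSupervisor and getAggregatedAPIServerConfig both start before and end after their hunks.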
@@ -53,7 +53,7 @@ func TestGetAPIResourceList(t *testing.T) { configConciergeGV := makeGV("config", "concierge") idpSupervisorGV := makeGV("idp", "supervisor") configSupervisorGV := makeGV("config", "supervisor") - oauthVirtualSupervisorGV := makeGV("clientsecret", "supervisor") + clientSecretSupervisorGV := makeGV("clientsecret", "supervisor") tests := []struct { group metav1.APIGroup @@ -113,26 +113,26 @@ func TestGetAPIResourceList(t *testing.T) { }, { group: metav1.APIGroup{ - Name: oauthVirtualSupervisorGV.Group, + Name: clientSecretSupervisorGV.Group, Versions: []metav1.GroupVersionForDiscovery{ { - GroupVersion: oauthVirtualSupervisorGV.String(), - Version: oauthVirtualSupervisorGV.Version, + GroupVersion: clientSecretSupervisorGV.String(), + Version: clientSecretSupervisorGV.Version, }, }, PreferredVersion: metav1.GroupVersionForDiscovery{ - GroupVersion: oauthVirtualSupervisorGV.String(), - Version: oauthVirtualSupervisorGV.Version, + GroupVersion: clientSecretSupervisorGV.String(), + Version: clientSecretSupervisorGV.Version, }, }, resourceByVersion: map[string][]metav1.APIResource{ - oauthVirtualSupervisorGV.String(): { + clientSecretSupervisorGV.String(): { { Name: "oidcclientsecretrequests", Kind: "OIDCClientSecretRequest", - Verbs: []string{"create"}, + Verbs: []string{"create", "list"}, Namespaced: true, - Categories: nil, + Categories: []string{"pinniped"}, }, }, }, @@ -354,11 +354,6 @@ func TestGetAPIResourceList(t *testing.T) { if strings.HasSuffix(a.Name, "/status") { continue } - if a.Name == "oidcclientsecretrequests" { - // OIDCClientSecretRequest does not implement list, - // so it doesn't make sense for it to belong to a category. - continue - } assert.Containsf(t, a.Categories, "pinniped", "expected resource %q to be in the 'pinniped' category", a.Name) assert.NotContainsf(t, a.Categories, "all", "expected resource %q not to be in the 'all' category", a.Name) } From ff26c424ae4701f6ba500ccd49a4201f6ee84141 Mon Sep 17 00:00:00 2001 
From: Margo Crawford Date: Wed, 15 Jun 2022 10:19:56 -0700 Subject: [PATCH 18/61] Remove unused role binding Signed-off-by: Margo Crawford --- deploy/supervisor/rbac.yaml | 27 --------------------------- 1 file changed, 27 deletions(-) diff --git a/deploy/supervisor/rbac.yaml b/deploy/supervisor/rbac.yaml index 8fe7e58d..a56818fe 100644 --- a/deploy/supervisor/rbac.yaml +++ b/deploy/supervisor/rbac.yaml @@ -92,18 +92,6 @@ roleRef: name: extension-apiserver-authentication-reader apiGroup: rbac.authorization.k8s.io -#! Give permission to list and watch ConfigMaps in kube-public ---- -kind: Role -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: #@ defaultResourceNameWithSuffix("cluster-info-lister-watcher") - namespace: kube-public - labels: #@ labels() -rules: - - apiGroups: [ "" ] - resources: [ configmaps ] - verbs: [ list, watch ] #! Give permissions for subjectaccessreviews, tokenreview that is needed by aggregated api servers --- kind: ClusterRoleBinding @@ -119,21 +107,6 @@ roleRef: kind: ClusterRole name: system:auth-delegator apiGroup: rbac.authorization.k8s.io ---- -kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: #@ defaultResourceNameWithSuffix("cluster-info-lister-watcher") - namespace: kube-public - labels: #@ labels() -subjects: - - kind: ServiceAccount - name: #@ defaultResourceName() - namespace: #@ namespace() -roleRef: - kind: Role - name: #@ defaultResourceNameWithSuffix("cluster-info-lister-watcher") - apiGroup: rbac.authorization.k8s.io #! Give permission to various cluster-scoped objects --- From 59d67322d3a91a5c222a943cb47668b529f9f462 Mon Sep 17 00:00:00 2001 
From: Monis Khan Date: Mon, 13 Jun 2022 20:06:47 -0400 Subject: [PATCH 19/61] Static validation for OIDC clients The following validation is enforced: 1. Names must start with client.oauth.pinniped.dev- 2. Redirect URIs must start with https:// or http://127.0.0.1 or http://::1 3. All spec lists must not have duplicates Added an integration test to assert all static validations. 
Signed-off-by: Monis Khan --- .../config/v1alpha1/types_oidcclient.go.tmpl | 11 +- ...g.supervisor.pinniped.dev_oidcclients.yaml | 10 +- deploy/supervisor/z0_crd_overlay.yaml | 12 + generated/1.17/README.adoc | 2 +- .../config/v1alpha1/types_oidcclient.go | 11 +- .../config/v1alpha1/zz_generated.deepcopy.go | 2 +- ...g.supervisor.pinniped.dev_oidcclients.yaml | 10 +- generated/1.18/README.adoc | 2 +- .../config/v1alpha1/types_oidcclient.go | 11 +- .../config/v1alpha1/zz_generated.deepcopy.go | 2 +- ...g.supervisor.pinniped.dev_oidcclients.yaml | 10 +- generated/1.19/README.adoc | 2 +- .../config/v1alpha1/types_oidcclient.go | 11 +- .../config/v1alpha1/zz_generated.deepcopy.go | 2 +- ...g.supervisor.pinniped.dev_oidcclients.yaml | 10 +- generated/1.20/README.adoc | 2 +- .../config/v1alpha1/types_oidcclient.go | 11 +- .../config/v1alpha1/zz_generated.deepcopy.go | 2 +- ...g.supervisor.pinniped.dev_oidcclients.yaml | 10 +- generated/1.21/README.adoc | 2 +- .../config/v1alpha1/types_oidcclient.go | 11 +- .../config/v1alpha1/zz_generated.deepcopy.go | 2 +- ...g.supervisor.pinniped.dev_oidcclients.yaml | 10 +- generated/1.22/README.adoc | 2 +- .../config/v1alpha1/types_oidcclient.go | 11 +- .../config/v1alpha1/zz_generated.deepcopy.go | 2 +- ...g.supervisor.pinniped.dev_oidcclients.yaml | 10 +- generated/1.23/README.adoc | 2 +- .../config/v1alpha1/types_oidcclient.go | 11 +- .../config/v1alpha1/zz_generated.deepcopy.go | 2 +- ...g.supervisor.pinniped.dev_oidcclients.yaml | 10 +- generated/1.24/README.adoc | 2 +- .../config/v1alpha1/types_oidcclient.go | 11 +- .../config/v1alpha1/zz_generated.deepcopy.go | 2 +- ...g.supervisor.pinniped.dev_oidcclients.yaml | 10 +- .../config/v1alpha1/types_oidcclient.go | 11 +- .../config/v1alpha1/zz_generated.deepcopy.go | 2 +- internal/oidc/oidc.go | 3 + test/integration/oidc_client_test.go | 408 ++++++++++++++++++ 39 files changed, 602 insertions(+), 55 deletions(-) create mode 100644 test/integration/oidc_client_test.go 
diff --git a/apis/supervisor/config/v1alpha1/types_oidcclient.go.tmpl b/apis/supervisor/config/v1alpha1/types_oidcclient.go.tmpl index e905c61a..17a1103f 100644 --- a/apis/supervisor/config/v1alpha1/types_oidcclient.go.tmpl +++ b/apis/supervisor/config/v1alpha1/types_oidcclient.go.tmpl @@ -7,6 +7,9 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" ) +// +kubebuilder:validation:Pattern=`^https://.+|^http://(127\.0\.0\.1|\[::1\])(:\d+)?/` +type RedirectURI string + // +kubebuilder:validation:Enum="authorization_code";"refresh_token";"urn:ietf:params:oauth:grant-type:token-exchange" type GrantType string @@ -17,9 +20,11 @@ type Scope string type OIDCClientSpec struct { // allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this // client. Any other uris will be rejected. - // Must be https, unless it is a loopback. + // Must be a URI with the https scheme, unless the hostname is 127.0.0.1 or ::1 which may use the http scheme. + // Port numbers are not required for 127.0.0.1 or ::1 and are ignored when checking for a matching redirect_uri. + // +listType=set // +kubebuilder:validation:MinItems=1 - AllowedRedirectURIs []string `json:"allowedRedirectURIs"` + AllowedRedirectURIs []RedirectURI `json:"allowedRedirectURIs"` // allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this // client. @@ -32,6 +37,7 @@ type OIDCClientSpec struct { // - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange, // which is a step in the process to be able to get a cluster credential for the user. // This grant must be listed if allowedScopes lists pinniped:request-audience. + // +listType=set // +kubebuilder:validation:MinItems=1 AllowedGrantTypes []GrantType `json:"allowedGrantTypes"` 
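Review bot: The `RedirectURI` pattern accepts a fragment in an https redirect URI (`https://example.com/cb#x` matches `^https://.+`), which RFC 6749 §3.1.2 forbids for redirection endpoints, and because the CRD pattern is a search with no end anchor the loopback alternative only checks a prefix; unless the runtime comparison rejects fragments, `^https://[^#]+$|^http://(127\.0\.0\.1|\[::1\])(:\d+)?/[^#]*$` would close that at admission. Schema validation also applies only to objects written after this CRD version is installed, so stored OIDCClients from before the change, or ones arriving through a path that skips validation, can still carry entries the pattern would reject; a doc line on the type such as `// RedirectURI is checked by the CRD schema pattern at admission time; consumers must still validate stored values.` keeps that from being assumed. The field comment's promise that loopback ports are ignored when matching is runtime behaviour this file cannot enforce, so pointing at where that comparison lives would help. The same hunks recur in the generated copies under generated/1.17 through generated/1.20; the template here is the one to fix. OIDCClientSpec continues outside the hunks.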
@@ -51,6 +57,7 @@ type OIDCClientSpec struct { // - groups: The client is allowed to request that ID tokens contain the user's group membership, // if their group membership is discoverable by the Supervisor. // Without the groups scope being requested and allowed, the ID token will not contain groups. + // +listType=set // +kubebuilder:validation:MinItems=1 AllowedScopes []Scope `json:"allowedScopes"` } diff --git a/deploy/supervisor/config.supervisor.pinniped.dev_oidcclients.yaml b/deploy/supervisor/config.supervisor.pinniped.dev_oidcclients.yaml index 4efa445e..6030582f 100644 --- a/deploy/supervisor/config.supervisor.pinniped.dev_oidcclients.yaml +++ b/deploy/supervisor/config.supervisor.pinniped.dev_oidcclients.yaml @@ -61,15 +61,20 @@ spec: type: string minItems: 1 type: array + x-kubernetes-list-type: set allowedRedirectURIs: description: allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this - client. Any other uris will be rejected. Must be https, unless it - is a loopback. + client. Any other uris will be rejected. Must be a URI with the + https scheme, unless the hostname is 127.0.0.1 or ::1 which may + use the http scheme. Port numbers are not required for 127.0.0.1 + or ::1 and are ignored when checking for a matching redirect_uri. items: + pattern: ^https://.+|^http://(127\.0\.0\.1|\[::1\])(:\d+)?/ type: string minItems: 1 type: array + x-kubernetes-list-type: set allowedScopes: description: "allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. @@ -102,6 +107,7 @@ spec: type: string minItems: 1 type: array + x-kubernetes-list-type: set required: - allowedGrantTypes - allowedRedirectURIs diff --git a/deploy/supervisor/z0_crd_overlay.yaml b/deploy/supervisor/z0_crd_overlay.yaml index a658091b..f7a50a88 100644 --- a/deploy/supervisor/z0_crd_overlay.yaml +++ b/deploy/supervisor/z0_crd_overlay.yaml 
@@ -49,3 +49,15 @@ metadata: name: #@ pinnipedDevAPIGroupWithPrefix("oidcclients.config.supervisor") spec: group: #@ pinnipedDevAPIGroupWithPrefix("config.supervisor") + versions: + #@overlay/match by=overlay.all, expects="1+" + - schema: + openAPIV3Schema: + #@overlay/match by=overlay.subset({"metadata":{"type":"object"}}), expects=1 + properties: + metadata: + #@overlay/match missing_ok=True + properties: + name: + pattern: ^client\.oauth\.pinniped\.dev- + type: string diff --git a/generated/1.17/README.adoc b/generated/1.17/README.adoc index 624f035f..33ccf479 100644 --- a/generated/1.17/README.adoc +++ b/generated/1.17/README.adoc 
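Review bot: The `^client\.oauth\.pinniped\.dev-` name constraint is added only in this ytt overlay, so the CRDs under generated/*/crds in the same commit, and any install that applies them without the overlay, accept OIDCClients with arbitrary names. If other code relies on that prefix it deserves an equivalent check in the Go types or at runtime, and a ytt comment here saying why the constraint lives in the overlay rather than the schema, e.g. `#! Constrain OIDCClient names to the client.oauth.pinniped.dev- prefix; the kubebuilder markers cannot express a metadata.name pattern, so it is applied here.` (that reason is my inference and should be confirmed). The pattern has no end anchor, which is correct for a prefix but worth stating in that comment so nobody later reads it as a full-name match.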
@@ -578,7 +578,7 @@ OIDCClientSpec is a struct that describes an OIDC Client. [cols="25a,75a", options="header"] |=== | Field | Description -| *`allowedRedirectURIs`* __string array__ | allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this client. Any other uris will be rejected. Must be https, unless it is a loopback. +| *`allowedRedirectURIs`* __RedirectURI array__ | allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this client. Any other uris will be rejected. Must be a URI with the https scheme, unless the hostname is 127.0.0.1 or ::1 which may use the http scheme. Port numbers are not required for 127.0.0.1 or ::1 and are ignored when checking for a matching redirect_uri. | *`allowedGrantTypes`* __GrantType array__ | allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this client. Must only contain the following values: - authorization_code: allows the client to perform the authorization code grant flow, i.e. allows the webapp to authenticate users. This grant must always be listed. - refresh_token: allows the client to perform refresh grants for the user to extend the user's session. This grant must be listed if allowedScopes lists offline_access. - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. This grant must be listed if allowedScopes lists pinniped:request-audience. | *`allowedScopes`* __Scope array__ | allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. diff --git a/generated/1.17/apis/supervisor/config/v1alpha1/types_oidcclient.go b/generated/1.17/apis/supervisor/config/v1alpha1/types_oidcclient.go index e905c61a..17a1103f 100644 
--- a/generated/1.17/apis/supervisor/config/v1alpha1/types_oidcclient.go +++ b/generated/1.17/apis/supervisor/config/v1alpha1/types_oidcclient.go @@ -7,6 +7,9 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" ) +// +kubebuilder:validation:Pattern=`^https://.+|^http://(127\.0\.0\.1|\[::1\])(:\d+)?/` +type RedirectURI string + // +kubebuilder:validation:Enum="authorization_code";"refresh_token";"urn:ietf:params:oauth:grant-type:token-exchange" type GrantType string @@ -17,9 +20,11 @@ type Scope string type OIDCClientSpec struct { // allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this // client. Any other uris will be rejected. - // Must be https, unless it is a loopback. + // Must be a URI with the https scheme, unless the hostname is 127.0.0.1 or ::1 which may use the http scheme. + // Port numbers are not required for 127.0.0.1 or ::1 and are ignored when checking for a matching redirect_uri. + // +listType=set // +kubebuilder:validation:MinItems=1 - AllowedRedirectURIs []string `json:"allowedRedirectURIs"` + AllowedRedirectURIs []RedirectURI `json:"allowedRedirectURIs"` // allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this // client. @@ -32,6 +37,7 @@ type OIDCClientSpec struct { // - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange, // which is a step in the process to be able to get a cluster credential for the user. // This grant must be listed if allowedScopes lists pinniped:request-audience. + // +listType=set // +kubebuilder:validation:MinItems=1 AllowedGrantTypes []GrantType `json:"allowedGrantTypes"` 
@@ -51,6 +57,7 @@ type OIDCClientSpec struct { // - groups: The client is allowed to request that ID tokens contain the user's group membership, // if their group membership is discoverable by the Supervisor. // Without the groups scope being requested and allowed, the ID token will not contain groups. + // +listType=set // +kubebuilder:validation:MinItems=1 AllowedScopes []Scope `json:"allowedScopes"` } diff --git a/generated/1.17/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go b/generated/1.17/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go index a55d88e7..f4468886 100644 --- a/generated/1.17/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go +++ b/generated/1.17/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go @@ -217,7 +217,7 @@ func (in *OIDCClientSpec) DeepCopyInto(out *OIDCClientSpec) { *out = *in if in.AllowedRedirectURIs != nil { in, out := &in.AllowedRedirectURIs, &out.AllowedRedirectURIs - *out = make([]string, len(*in)) + *out = make([]RedirectURI, len(*in)) copy(*out, *in) } if in.AllowedGrantTypes != nil { diff --git a/generated/1.17/crds/config.supervisor.pinniped.dev_oidcclients.yaml b/generated/1.17/crds/config.supervisor.pinniped.dev_oidcclients.yaml index 4efa445e..6030582f 100644 --- a/generated/1.17/crds/config.supervisor.pinniped.dev_oidcclients.yaml +++ b/generated/1.17/crds/config.supervisor.pinniped.dev_oidcclients.yaml 
@@ -61,15 +61,20 @@ spec: type: string minItems: 1 type: array + x-kubernetes-list-type: set allowedRedirectURIs: description: allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this - client. Any other uris will be rejected. Must be https, unless it - is a loopback. + client. Any other uris will be rejected. Must be a URI with the + https scheme, unless the hostname is 127.0.0.1 or ::1 which may + use the http scheme. Port numbers are not required for 127.0.0.1 + or ::1 and are ignored when checking for a matching redirect_uri. items: + pattern: ^https://.+|^http://(127\.0\.0\.1|\[::1\])(:\d+)?/ type: string minItems: 1 type: array + x-kubernetes-list-type: set allowedScopes: description: "allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. @@ -102,6 +107,7 @@ spec: type: string minItems: 1 type: array + x-kubernetes-list-type: set required: - allowedGrantTypes - allowedRedirectURIs diff --git a/generated/1.18/README.adoc b/generated/1.18/README.adoc index 63ec9f13..c8f1cdb1 100644 --- a/generated/1.18/README.adoc +++ b/generated/1.18/README.adoc 
@@ -578,7 +578,7 @@ OIDCClientSpec is a struct that describes an OIDC Client. [cols="25a,75a", options="header"] |=== | Field | Description -| *`allowedRedirectURIs`* __string array__ | allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this client. Any other uris will be rejected. Must be https, unless it is a loopback. +| *`allowedRedirectURIs`* __RedirectURI array__ | allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this client. Any other uris will be rejected. Must be a URI with the https scheme, unless the hostname is 127.0.0.1 or ::1 which may use the http scheme. Port numbers are not required for 127.0.0.1 or ::1 and are ignored when checking for a matching redirect_uri. | *`allowedGrantTypes`* __GrantType array__ | allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this client. Must only contain the following values: - authorization_code: allows the client to perform the authorization code grant flow, i.e. allows the webapp to authenticate users. This grant must always be listed. - refresh_token: allows the client to perform refresh grants for the user to extend the user's session. This grant must be listed if allowedScopes lists offline_access. - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. This grant must be listed if allowedScopes lists pinniped:request-audience. | *`allowedScopes`* __Scope array__ | allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. diff --git a/generated/1.18/apis/supervisor/config/v1alpha1/types_oidcclient.go b/generated/1.18/apis/supervisor/config/v1alpha1/types_oidcclient.go index e905c61a..17a1103f 100644 
--- a/generated/1.18/apis/supervisor/config/v1alpha1/types_oidcclient.go +++ b/generated/1.18/apis/supervisor/config/v1alpha1/types_oidcclient.go @@ -7,6 +7,9 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" ) +// +kubebuilder:validation:Pattern=`^https://.+|^http://(127\.0\.0\.1|\[::1\])(:\d+)?/` +type RedirectURI string + // +kubebuilder:validation:Enum="authorization_code";"refresh_token";"urn:ietf:params:oauth:grant-type:token-exchange" type GrantType string @@ -17,9 +20,11 @@ type Scope string type OIDCClientSpec struct { // allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this // client. Any other uris will be rejected. - // Must be https, unless it is a loopback. + // Must be a URI with the https scheme, unless the hostname is 127.0.0.1 or ::1 which may use the http scheme. + // Port numbers are not required for 127.0.0.1 or ::1 and are ignored when checking for a matching redirect_uri. + // +listType=set // +kubebuilder:validation:MinItems=1 - AllowedRedirectURIs []string `json:"allowedRedirectURIs"` + AllowedRedirectURIs []RedirectURI `json:"allowedRedirectURIs"` // allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this // client. @@ -32,6 +37,7 @@ type OIDCClientSpec struct { // - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange, // which is a step in the process to be able to get a cluster credential for the user. // This grant must be listed if allowedScopes lists pinniped:request-audience. + // +listType=set // +kubebuilder:validation:MinItems=1 AllowedGrantTypes []GrantType `json:"allowedGrantTypes"` 
@@ -51,6 +57,7 @@ type OIDCClientSpec struct { // - groups: The client is allowed to request that ID tokens contain the user's group membership, // if their group membership is discoverable by the Supervisor. // Without the groups scope being requested and allowed, the ID token will not contain groups. + // +listType=set // +kubebuilder:validation:MinItems=1 AllowedScopes []Scope `json:"allowedScopes"` } diff --git a/generated/1.18/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go b/generated/1.18/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go index a55d88e7..f4468886 100644 --- a/generated/1.18/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go +++ b/generated/1.18/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go @@ -217,7 +217,7 @@ func (in *OIDCClientSpec) DeepCopyInto(out *OIDCClientSpec) { *out = *in if in.AllowedRedirectURIs != nil { in, out := &in.AllowedRedirectURIs, &out.AllowedRedirectURIs - *out = make([]string, len(*in)) + *out = make([]RedirectURI, len(*in)) copy(*out, *in) } if in.AllowedGrantTypes != nil { diff --git a/generated/1.18/crds/config.supervisor.pinniped.dev_oidcclients.yaml b/generated/1.18/crds/config.supervisor.pinniped.dev_oidcclients.yaml index 4efa445e..6030582f 100644 --- a/generated/1.18/crds/config.supervisor.pinniped.dev_oidcclients.yaml +++ b/generated/1.18/crds/config.supervisor.pinniped.dev_oidcclients.yaml 
@@ -61,15 +61,20 @@ spec: type: string minItems: 1 type: array + x-kubernetes-list-type: set allowedRedirectURIs: description: allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this - client. Any other uris will be rejected. Must be https, unless it - is a loopback. + client. Any other uris will be rejected. Must be a URI with the + https scheme, unless the hostname is 127.0.0.1 or ::1 which may + use the http scheme. Port numbers are not required for 127.0.0.1 + or ::1 and are ignored when checking for a matching redirect_uri. items: + pattern: ^https://.+|^http://(127\.0\.0\.1|\[::1\])(:\d+)?/ type: string minItems: 1 type: array + x-kubernetes-list-type: set allowedScopes: description: "allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. @@ -102,6 +107,7 @@ spec: type: string minItems: 1 type: array + x-kubernetes-list-type: set required: - allowedGrantTypes - allowedRedirectURIs diff --git a/generated/1.19/README.adoc b/generated/1.19/README.adoc index f04d438f..2db7eb41 100644 --- a/generated/1.19/README.adoc +++ b/generated/1.19/README.adoc 
@@ -578,7 +578,7 @@ OIDCClientSpec is a struct that describes an OIDC Client. [cols="25a,75a", options="header"] |=== | Field | Description -| *`allowedRedirectURIs`* __string array__ | allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this client. Any other uris will be rejected. Must be https, unless it is a loopback. +| *`allowedRedirectURIs`* __RedirectURI array__ | allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this client. Any other uris will be rejected. Must be a URI with the https scheme, unless the hostname is 127.0.0.1 or ::1 which may use the http scheme. Port numbers are not required for 127.0.0.1 or ::1 and are ignored when checking for a matching redirect_uri. | *`allowedGrantTypes`* __GrantType array__ | allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this client. Must only contain the following values: - authorization_code: allows the client to perform the authorization code grant flow, i.e. allows the webapp to authenticate users. This grant must always be listed. - refresh_token: allows the client to perform refresh grants for the user to extend the user's session. This grant must be listed if allowedScopes lists offline_access. - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. This grant must be listed if allowedScopes lists pinniped:request-audience. | *`allowedScopes`* __Scope array__ | allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. diff --git a/generated/1.19/apis/supervisor/config/v1alpha1/types_oidcclient.go b/generated/1.19/apis/supervisor/config/v1alpha1/types_oidcclient.go index e905c61a..17a1103f 100644 
--- a/generated/1.19/apis/supervisor/config/v1alpha1/types_oidcclient.go +++ b/generated/1.19/apis/supervisor/config/v1alpha1/types_oidcclient.go @@ -7,6 +7,9 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" ) +// +kubebuilder:validation:Pattern=`^https://.+|^http://(127\.0\.0\.1|\[::1\])(:\d+)?/` +type RedirectURI string + // +kubebuilder:validation:Enum="authorization_code";"refresh_token";"urn:ietf:params:oauth:grant-type:token-exchange" type GrantType string @@ -17,9 +20,11 @@ type Scope string type OIDCClientSpec struct { // allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this // client. Any other uris will be rejected. - // Must be https, unless it is a loopback. + // Must be a URI with the https scheme, unless the hostname is 127.0.0.1 or ::1 which may use the http scheme. + // Port numbers are not required for 127.0.0.1 or ::1 and are ignored when checking for a matching redirect_uri. + // +listType=set // +kubebuilder:validation:MinItems=1 - AllowedRedirectURIs []string `json:"allowedRedirectURIs"` + AllowedRedirectURIs []RedirectURI `json:"allowedRedirectURIs"` // allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this // client. @@ -32,6 +37,7 @@ type OIDCClientSpec struct { // - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange, // which is a step in the process to be able to get a cluster credential for the user. // This grant must be listed if allowedScopes lists pinniped:request-audience. + // +listType=set // +kubebuilder:validation:MinItems=1 AllowedGrantTypes []GrantType `json:"allowedGrantTypes"` 
@@ -51,6 +57,7 @@ type OIDCClientSpec struct { // - groups: The client is allowed to request that ID tokens contain the user's group membership, // if their group membership is discoverable by the Supervisor. // Without the groups scope being requested and allowed, the ID token will not contain groups. + // +listType=set // +kubebuilder:validation:MinItems=1 AllowedScopes []Scope `json:"allowedScopes"` } diff --git a/generated/1.19/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go b/generated/1.19/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go index a55d88e7..f4468886 100644 --- a/generated/1.19/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go +++ b/generated/1.19/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go @@ -217,7 +217,7 @@ func (in *OIDCClientSpec) DeepCopyInto(out *OIDCClientSpec) { *out = *in if in.AllowedRedirectURIs != nil { in, out := &in.AllowedRedirectURIs, &out.AllowedRedirectURIs - *out = make([]string, len(*in)) + *out = make([]RedirectURI, len(*in)) copy(*out, *in) } if in.AllowedGrantTypes != nil { diff --git a/generated/1.19/crds/config.supervisor.pinniped.dev_oidcclients.yaml b/generated/1.19/crds/config.supervisor.pinniped.dev_oidcclients.yaml index 4efa445e..6030582f 100644 --- a/generated/1.19/crds/config.supervisor.pinniped.dev_oidcclients.yaml +++ b/generated/1.19/crds/config.supervisor.pinniped.dev_oidcclients.yaml 
@@ -61,15 +61,20 @@ spec: type: string minItems: 1 type: array + x-kubernetes-list-type: set allowedRedirectURIs: description: allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this - client. Any other uris will be rejected. Must be https, unless it - is a loopback. + client. Any other uris will be rejected. Must be a URI with the + https scheme, unless the hostname is 127.0.0.1 or ::1 which may + use the http scheme. Port numbers are not required for 127.0.0.1 + or ::1 and are ignored when checking for a matching redirect_uri. items: + pattern: ^https://.+|^http://(127\.0\.0\.1|\[::1\])(:\d+)?/ type: string minItems: 1 type: array + x-kubernetes-list-type: set allowedScopes: description: "allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. @@ -102,6 +107,7 @@ spec: type: string minItems: 1 type: array + x-kubernetes-list-type: set required: - allowedGrantTypes - allowedRedirectURIs diff --git a/generated/1.20/README.adoc b/generated/1.20/README.adoc index 2e989cd3..2eaf98f6 100644 --- a/generated/1.20/README.adoc +++ b/generated/1.20/README.adoc 
@@ -578,7 +578,7 @@ OIDCClientSpec is a struct that describes an OIDC Client. [cols="25a,75a", options="header"] |=== | Field | Description -| *`allowedRedirectURIs`* __string array__ | allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this client. Any other uris will be rejected. Must be https, unless it is a loopback. +| *`allowedRedirectURIs`* __RedirectURI array__ | allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this client. Any other uris will be rejected. Must be a URI with the https scheme, unless the hostname is 127.0.0.1 or ::1 which may use the http scheme. Port numbers are not required for 127.0.0.1 or ::1 and are ignored when checking for a matching redirect_uri. | *`allowedGrantTypes`* __GrantType array__ | allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this client. Must only contain the following values: - authorization_code: allows the client to perform the authorization code grant flow, i.e. allows the webapp to authenticate users. This grant must always be listed. - refresh_token: allows the client to perform refresh grants for the user to extend the user's session. This grant must be listed if allowedScopes lists offline_access. - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. This grant must be listed if allowedScopes lists pinniped:request-audience. | *`allowedScopes`* __Scope array__ | allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. diff --git a/generated/1.20/apis/supervisor/config/v1alpha1/types_oidcclient.go b/generated/1.20/apis/supervisor/config/v1alpha1/types_oidcclient.go index e905c61a..17a1103f 100644 
--- a/generated/1.20/apis/supervisor/config/v1alpha1/types_oidcclient.go +++ b/generated/1.20/apis/supervisor/config/v1alpha1/types_oidcclient.go @@ -7,6 +7,9 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" ) +// +kubebuilder:validation:Pattern=`^https://.+|^http://(127\.0\.0\.1|\[::1\])(:\d+)?/` +type RedirectURI string + // +kubebuilder:validation:Enum="authorization_code";"refresh_token";"urn:ietf:params:oauth:grant-type:token-exchange" type GrantType string @@ -17,9 +20,11 @@ type Scope string type OIDCClientSpec struct { // allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this // client. Any other uris will be rejected. - // Must be https, unless it is a loopback. + // Must be a URI with the https scheme, unless the hostname is 127.0.0.1 or ::1 which may use the http scheme. + // Port numbers are not required for 127.0.0.1 or ::1 and are ignored when checking for a matching redirect_uri. + // +listType=set // +kubebuilder:validation:MinItems=1 - AllowedRedirectURIs []string `json:"allowedRedirectURIs"` + AllowedRedirectURIs []RedirectURI `json:"allowedRedirectURIs"` // allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this // client. @@ -32,6 +37,7 @@ type OIDCClientSpec struct { // - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange, // which is a step in the process to be able to get a cluster credential for the user. // This grant must be listed if allowedScopes lists pinniped:request-audience. + // +listType=set // +kubebuilder:validation:MinItems=1 AllowedGrantTypes []GrantType `json:"allowedGrantTypes"` 
@@ -51,6 +57,7 @@ type OIDCClientSpec struct { // - groups: The client is allowed to request that ID tokens contain the user's group membership, // if their group membership is discoverable by the Supervisor. // Without the groups scope being requested and allowed, the ID token will not contain groups. + // +listType=set // +kubebuilder:validation:MinItems=1 AllowedScopes []Scope `json:"allowedScopes"` } diff --git a/generated/1.20/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go b/generated/1.20/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go index a55d88e7..f4468886 100644 --- a/generated/1.20/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go +++ b/generated/1.20/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go @@ -217,7 +217,7 @@ func (in *OIDCClientSpec) DeepCopyInto(out *OIDCClientSpec) { *out = *in if in.AllowedRedirectURIs != nil { in, out := &in.AllowedRedirectURIs, &out.AllowedRedirectURIs - *out = make([]string, len(*in)) + *out = make([]RedirectURI, len(*in)) copy(*out, *in) } if in.AllowedGrantTypes != nil { diff --git a/generated/1.20/crds/config.supervisor.pinniped.dev_oidcclients.yaml b/generated/1.20/crds/config.supervisor.pinniped.dev_oidcclients.yaml index 4efa445e..6030582f 100644 --- a/generated/1.20/crds/config.supervisor.pinniped.dev_oidcclients.yaml +++ b/generated/1.20/crds/config.supervisor.pinniped.dev_oidcclients.yaml 
@@ -61,15 +61,20 @@ spec: type: string minItems: 1 type: array + x-kubernetes-list-type: set allowedRedirectURIs: description: allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this - client. Any other uris will be rejected. Must be https, unless it - is a loopback. + client. Any other uris will be rejected. Must be a URI with the + https scheme, unless the hostname is 127.0.0.1 or ::1 which may + use the http scheme. Port numbers are not required for 127.0.0.1 + or ::1 and are ignored when checking for a matching redirect_uri. items: + pattern: ^https://.+|^http://(127\.0\.0\.1|\[::1\])(:\d+)?/ type: string minItems: 1 type: array + x-kubernetes-list-type: set allowedScopes: description: "allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. @@ -102,6 +107,7 @@ spec: type: string minItems: 1 type: array + x-kubernetes-list-type: set required: - allowedGrantTypes - allowedRedirectURIs diff --git a/generated/1.21/README.adoc b/generated/1.21/README.adoc index 7635b9a6..5a8ed2ea 100644 --- a/generated/1.21/README.adoc +++ b/generated/1.21/README.adoc 
@@ -578,7 +578,7 @@ OIDCClientSpec is a struct that describes an OIDC Client. [cols="25a,75a", options="header"] |=== | Field | Description -| *`allowedRedirectURIs`* __string array__ | allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this client. Any other uris will be rejected. Must be https, unless it is a loopback. +| *`allowedRedirectURIs`* __RedirectURI array__ | allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this client. Any other uris will be rejected. Must be a URI with the https scheme, unless the hostname is 127.0.0.1 or ::1 which may use the http scheme. Port numbers are not required for 127.0.0.1 or ::1 and are ignored when checking for a matching redirect_uri. | *`allowedGrantTypes`* __GrantType array__ | allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this client. Must only contain the following values: - authorization_code: allows the client to perform the authorization code grant flow, i.e. allows the webapp to authenticate users. This grant must always be listed. - refresh_token: allows the client to perform refresh grants for the user to extend the user's session. This grant must be listed if allowedScopes lists offline_access. - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. This grant must be listed if allowedScopes lists pinniped:request-audience. | *`allowedScopes`* __Scope array__ | allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. diff --git a/generated/1.21/apis/supervisor/config/v1alpha1/types_oidcclient.go b/generated/1.21/apis/supervisor/config/v1alpha1/types_oidcclient.go index e905c61a..17a1103f 100644 
--- a/generated/1.21/apis/supervisor/config/v1alpha1/types_oidcclient.go +++ b/generated/1.21/apis/supervisor/config/v1alpha1/types_oidcclient.go @@ -7,6 +7,9 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" ) +// +kubebuilder:validation:Pattern=`^https://.+|^http://(127\.0\.0\.1|\[::1\])(:\d+)?/` +type RedirectURI string + // +kubebuilder:validation:Enum="authorization_code";"refresh_token";"urn:ietf:params:oauth:grant-type:token-exchange" type GrantType string @@ -17,9 +20,11 @@ type Scope string type OIDCClientSpec struct { // allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this // client. Any other uris will be rejected. - // Must be https, unless it is a loopback. + // Must be a URI with the https scheme, unless the hostname is 127.0.0.1 or ::1 which may use the http scheme. + // Port numbers are not required for 127.0.0.1 or ::1 and are ignored when checking for a matching redirect_uri. + // +listType=set // +kubebuilder:validation:MinItems=1 - AllowedRedirectURIs []string `json:"allowedRedirectURIs"` + AllowedRedirectURIs []RedirectURI `json:"allowedRedirectURIs"` // allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this // client. @@ -32,6 +37,7 @@ type OIDCClientSpec struct { // - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange, // which is a step in the process to be able to get a cluster credential for the user. // This grant must be listed if allowedScopes lists pinniped:request-audience. + // +listType=set // +kubebuilder:validation:MinItems=1 AllowedGrantTypes []GrantType `json:"allowedGrantTypes"` 
@@ -51,6 +57,7 @@ type OIDCClientSpec struct { // - groups: The client is allowed to request that ID tokens contain the user's group membership, // if their group membership is discoverable by the Supervisor. // Without the groups scope being requested and allowed, the ID token will not contain groups. + // +listType=set // +kubebuilder:validation:MinItems=1 AllowedScopes []Scope `json:"allowedScopes"` } diff --git a/generated/1.21/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go b/generated/1.21/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go index a55d88e7..f4468886 100644 --- a/generated/1.21/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go +++ b/generated/1.21/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go @@ -217,7 +217,7 @@ func (in *OIDCClientSpec) DeepCopyInto(out *OIDCClientSpec) { *out = *in if in.AllowedRedirectURIs != nil { in, out := &in.AllowedRedirectURIs, &out.AllowedRedirectURIs - *out = make([]string, len(*in)) + *out = make([]RedirectURI, len(*in)) copy(*out, *in) } if in.AllowedGrantTypes != nil { diff --git a/generated/1.21/crds/config.supervisor.pinniped.dev_oidcclients.yaml b/generated/1.21/crds/config.supervisor.pinniped.dev_oidcclients.yaml index 4efa445e..6030582f 100644 --- a/generated/1.21/crds/config.supervisor.pinniped.dev_oidcclients.yaml +++ b/generated/1.21/crds/config.supervisor.pinniped.dev_oidcclients.yaml 
@@ -61,15 +61,20 @@ spec: type: string minItems: 1 type: array + x-kubernetes-list-type: set allowedRedirectURIs: description: allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this - client. Any other uris will be rejected. Must be https, unless it - is a loopback. + client. Any other uris will be rejected. Must be a URI with the + https scheme, unless the hostname is 127.0.0.1 or ::1 which may + use the http scheme. Port numbers are not required for 127.0.0.1 + or ::1 and are ignored when checking for a matching redirect_uri. items: + pattern: ^https://.+|^http://(127\.0\.0\.1|\[::1\])(:\d+)?/ type: string minItems: 1 type: array + x-kubernetes-list-type: set allowedScopes: description: "allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. @@ -102,6 +107,7 @@ spec: type: string minItems: 1 type: array + x-kubernetes-list-type: set required: - allowedGrantTypes - allowedRedirectURIs diff --git a/generated/1.22/README.adoc b/generated/1.22/README.adoc index 5ba5e839..39973f52 100644 --- a/generated/1.22/README.adoc +++ b/generated/1.22/README.adoc 
@@ -578,7 +578,7 @@ OIDCClientSpec is a struct that describes an OIDC Client. [cols="25a,75a", options="header"] |=== | Field | Description -| *`allowedRedirectURIs`* __string array__ | allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this client. Any other uris will be rejected. Must be https, unless it is a loopback. +| *`allowedRedirectURIs`* __RedirectURI array__ | allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this client. Any other uris will be rejected. Must be a URI with the https scheme, unless the hostname is 127.0.0.1 or ::1 which may use the http scheme. Port numbers are not required for 127.0.0.1 or ::1 and are ignored when checking for a matching redirect_uri. | *`allowedGrantTypes`* __GrantType array__ | allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this client. Must only contain the following values: - authorization_code: allows the client to perform the authorization code grant flow, i.e. allows the webapp to authenticate users. This grant must always be listed. - refresh_token: allows the client to perform refresh grants for the user to extend the user's session. This grant must be listed if allowedScopes lists offline_access. - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. This grant must be listed if allowedScopes lists pinniped:request-audience. | *`allowedScopes`* __Scope array__ | allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. diff --git a/generated/1.22/apis/supervisor/config/v1alpha1/types_oidcclient.go b/generated/1.22/apis/supervisor/config/v1alpha1/types_oidcclient.go index e905c61a..17a1103f 100644 
--- a/generated/1.22/apis/supervisor/config/v1alpha1/types_oidcclient.go +++ b/generated/1.22/apis/supervisor/config/v1alpha1/types_oidcclient.go @@ -7,6 +7,9 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" ) +// +kubebuilder:validation:Pattern=`^https://.+|^http://(127\.0\.0\.1|\[::1\])(:\d+)?/` +type RedirectURI string + // +kubebuilder:validation:Enum="authorization_code";"refresh_token";"urn:ietf:params:oauth:grant-type:token-exchange" type GrantType string @@ -17,9 +20,11 @@ type Scope string type OIDCClientSpec struct { // allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this // client. Any other uris will be rejected. - // Must be https, unless it is a loopback. + // Must be a URI with the https scheme, unless the hostname is 127.0.0.1 or ::1 which may use the http scheme. + // Port numbers are not required for 127.0.0.1 or ::1 and are ignored when checking for a matching redirect_uri. + // +listType=set // +kubebuilder:validation:MinItems=1 - AllowedRedirectURIs []string `json:"allowedRedirectURIs"` + AllowedRedirectURIs []RedirectURI `json:"allowedRedirectURIs"` // allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this // client. @@ -32,6 +37,7 @@ type OIDCClientSpec struct { // - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange, // which is a step in the process to be able to get a cluster credential for the user. // This grant must be listed if allowedScopes lists pinniped:request-audience. + // +listType=set // +kubebuilder:validation:MinItems=1 AllowedGrantTypes []GrantType `json:"allowedGrantTypes"` 
@@ -51,6 +57,7 @@ type OIDCClientSpec struct { // - groups: The client is allowed to request that ID tokens contain the user's group membership, // if their group membership is discoverable by the Supervisor. // Without the groups scope being requested and allowed, the ID token will not contain groups. + // +listType=set // +kubebuilder:validation:MinItems=1 AllowedScopes []Scope `json:"allowedScopes"` } diff --git a/generated/1.22/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go b/generated/1.22/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go index a55d88e7..f4468886 100644 --- a/generated/1.22/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go +++ b/generated/1.22/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go @@ -217,7 +217,7 @@ func (in *OIDCClientSpec) DeepCopyInto(out *OIDCClientSpec) { *out = *in if in.AllowedRedirectURIs != nil { in, out := &in.AllowedRedirectURIs, &out.AllowedRedirectURIs - *out = make([]string, len(*in)) + *out = make([]RedirectURI, len(*in)) copy(*out, *in) } if in.AllowedGrantTypes != nil { diff --git a/generated/1.22/crds/config.supervisor.pinniped.dev_oidcclients.yaml b/generated/1.22/crds/config.supervisor.pinniped.dev_oidcclients.yaml index 4efa445e..6030582f 100644 --- a/generated/1.22/crds/config.supervisor.pinniped.dev_oidcclients.yaml +++ b/generated/1.22/crds/config.supervisor.pinniped.dev_oidcclients.yaml 
@@ -61,15 +61,20 @@ spec: type: string minItems: 1 type: array + x-kubernetes-list-type: set allowedRedirectURIs: description: allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this - client. Any other uris will be rejected. Must be https, unless it - is a loopback. + client. Any other uris will be rejected. Must be a URI with the + https scheme, unless the hostname is 127.0.0.1 or ::1 which may + use the http scheme. Port numbers are not required for 127.0.0.1 + or ::1 and are ignored when checking for a matching redirect_uri. items: + pattern: ^https://.+|^http://(127\.0\.0\.1|\[::1\])(:\d+)?/ type: string minItems: 1 type: array + x-kubernetes-list-type: set allowedScopes: description: "allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. @@ -102,6 +107,7 @@ spec: type: string minItems: 1 type: array + x-kubernetes-list-type: set required: - allowedGrantTypes - allowedRedirectURIs diff --git a/generated/1.23/README.adoc b/generated/1.23/README.adoc index 78612146..85ea04f0 100644 --- a/generated/1.23/README.adoc +++ b/generated/1.23/README.adoc 
@@ -578,7 +578,7 @@ OIDCClientSpec is a struct that describes an OIDC Client. [cols="25a,75a", options="header"] |=== | Field | Description -| *`allowedRedirectURIs`* __string array__ | allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this client. Any other uris will be rejected. Must be https, unless it is a loopback. +| *`allowedRedirectURIs`* __RedirectURI array__ | allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this client. Any other uris will be rejected. Must be a URI with the https scheme, unless the hostname is 127.0.0.1 or ::1 which may use the http scheme. Port numbers are not required for 127.0.0.1 or ::1 and are ignored when checking for a matching redirect_uri. | *`allowedGrantTypes`* __GrantType array__ | allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this client. Must only contain the following values: - authorization_code: allows the client to perform the authorization code grant flow, i.e. allows the webapp to authenticate users. This grant must always be listed. - refresh_token: allows the client to perform refresh grants for the user to extend the user's session. This grant must be listed if allowedScopes lists offline_access. - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. This grant must be listed if allowedScopes lists pinniped:request-audience. | *`allowedScopes`* __Scope array__ | allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. diff --git a/generated/1.23/apis/supervisor/config/v1alpha1/types_oidcclient.go b/generated/1.23/apis/supervisor/config/v1alpha1/types_oidcclient.go index e905c61a..17a1103f 100644 
--- a/generated/1.23/apis/supervisor/config/v1alpha1/types_oidcclient.go +++ b/generated/1.23/apis/supervisor/config/v1alpha1/types_oidcclient.go @@ -7,6 +7,9 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" ) +// +kubebuilder:validation:Pattern=`^https://.+|^http://(127\.0\.0\.1|\[::1\])(:\d+)?/` +type RedirectURI string + // +kubebuilder:validation:Enum="authorization_code";"refresh_token";"urn:ietf:params:oauth:grant-type:token-exchange" type GrantType string @@ -17,9 +20,11 @@ type Scope string type OIDCClientSpec struct { // allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this // client. Any other uris will be rejected. - // Must be https, unless it is a loopback. + // Must be a URI with the https scheme, unless the hostname is 127.0.0.1 or ::1 which may use the http scheme. + // Port numbers are not required for 127.0.0.1 or ::1 and are ignored when checking for a matching redirect_uri. + // +listType=set // +kubebuilder:validation:MinItems=1 - AllowedRedirectURIs []string `json:"allowedRedirectURIs"` + AllowedRedirectURIs []RedirectURI `json:"allowedRedirectURIs"` // allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this // client. @@ -32,6 +37,7 @@ type OIDCClientSpec struct { // - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange, // which is a step in the process to be able to get a cluster credential for the user. // This grant must be listed if allowedScopes lists pinniped:request-audience. + // +listType=set // +kubebuilder:validation:MinItems=1 AllowedGrantTypes []GrantType `json:"allowedGrantTypes"` 
@@ -51,6 +57,7 @@ type OIDCClientSpec struct { // - groups: The client is allowed to request that ID tokens contain the user's group membership, // if their group membership is discoverable by the Supervisor. // Without the groups scope being requested and allowed, the ID token will not contain groups. + // +listType=set // +kubebuilder:validation:MinItems=1 AllowedScopes []Scope `json:"allowedScopes"` } diff --git a/generated/1.23/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go b/generated/1.23/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go index a55d88e7..f4468886 100644 --- a/generated/1.23/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go +++ b/generated/1.23/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go @@ -217,7 +217,7 @@ func (in *OIDCClientSpec) DeepCopyInto(out *OIDCClientSpec) { *out = *in if in.AllowedRedirectURIs != nil { in, out := &in.AllowedRedirectURIs, &out.AllowedRedirectURIs - *out = make([]string, len(*in)) + *out = make([]RedirectURI, len(*in)) copy(*out, *in) } if in.AllowedGrantTypes != nil { diff --git a/generated/1.23/crds/config.supervisor.pinniped.dev_oidcclients.yaml b/generated/1.23/crds/config.supervisor.pinniped.dev_oidcclients.yaml index 4efa445e..6030582f 100644 --- a/generated/1.23/crds/config.supervisor.pinniped.dev_oidcclients.yaml +++ b/generated/1.23/crds/config.supervisor.pinniped.dev_oidcclients.yaml 
@@ -61,15 +61,20 @@ spec: type: string minItems: 1 type: array + x-kubernetes-list-type: set allowedRedirectURIs: description: allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this - client. Any other uris will be rejected. Must be https, unless it - is a loopback. + client. Any other uris will be rejected. Must be a URI with the + https scheme, unless the hostname is 127.0.0.1 or ::1 which may + use the http scheme. Port numbers are not required for 127.0.0.1 + or ::1 and are ignored when checking for a matching redirect_uri. items: + pattern: ^https://.+|^http://(127\.0\.0\.1|\[::1\])(:\d+)?/ type: string minItems: 1 type: array + x-kubernetes-list-type: set allowedScopes: description: "allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. @@ -102,6 +107,7 @@ spec: type: string minItems: 1 type: array + x-kubernetes-list-type: set required: - allowedGrantTypes - allowedRedirectURIs diff --git a/generated/1.24/README.adoc b/generated/1.24/README.adoc index 9255c3d4..1280132f 100644 --- a/generated/1.24/README.adoc +++ b/generated/1.24/README.adoc 
@@ -578,7 +578,7 @@ OIDCClientSpec is a struct that describes an OIDC Client. [cols="25a,75a", options="header"] |=== | Field | Description -| *`allowedRedirectURIs`* __string array__ | allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this client. Any other uris will be rejected. Must be https, unless it is a loopback. +| *`allowedRedirectURIs`* __RedirectURI array__ | allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this client. Any other uris will be rejected. Must be a URI with the https scheme, unless the hostname is 127.0.0.1 or ::1 which may use the http scheme. Port numbers are not required for 127.0.0.1 or ::1 and are ignored when checking for a matching redirect_uri. | *`allowedGrantTypes`* __GrantType array__ | allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this client. Must only contain the following values: - authorization_code: allows the client to perform the authorization code grant flow, i.e. allows the webapp to authenticate users. This grant must always be listed. - refresh_token: allows the client to perform refresh grants for the user to extend the user's session. This grant must be listed if allowedScopes lists offline_access. - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. This grant must be listed if allowedScopes lists pinniped:request-audience. | *`allowedScopes`* __Scope array__ | allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. diff --git a/generated/1.24/apis/supervisor/config/v1alpha1/types_oidcclient.go b/generated/1.24/apis/supervisor/config/v1alpha1/types_oidcclient.go index e905c61a..17a1103f 100644 
--- a/generated/1.24/apis/supervisor/config/v1alpha1/types_oidcclient.go +++ b/generated/1.24/apis/supervisor/config/v1alpha1/types_oidcclient.go @@ -7,6 +7,9 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" ) +// +kubebuilder:validation:Pattern=`^https://.+|^http://(127\.0\.0\.1|\[::1\])(:\d+)?/` +type RedirectURI string + // +kubebuilder:validation:Enum="authorization_code";"refresh_token";"urn:ietf:params:oauth:grant-type:token-exchange" type GrantType string @@ -17,9 +20,11 @@ type Scope string type OIDCClientSpec struct { // allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this // client. Any other uris will be rejected. - // Must be https, unless it is a loopback. + // Must be a URI with the https scheme, unless the hostname is 127.0.0.1 or ::1 which may use the http scheme. + // Port numbers are not required for 127.0.0.1 or ::1 and are ignored when checking for a matching redirect_uri. + // +listType=set // +kubebuilder:validation:MinItems=1 - AllowedRedirectURIs []string `json:"allowedRedirectURIs"` + AllowedRedirectURIs []RedirectURI `json:"allowedRedirectURIs"` // allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this // client. @@ -32,6 +37,7 @@ type OIDCClientSpec struct { // - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange, // which is a step in the process to be able to get a cluster credential for the user. // This grant must be listed if allowedScopes lists pinniped:request-audience. + // +listType=set // +kubebuilder:validation:MinItems=1 AllowedGrantTypes []GrantType `json:"allowedGrantTypes"` 
@@ -51,6 +57,7 @@ type OIDCClientSpec struct { // - groups: The client is allowed to request that ID tokens contain the user's group membership, // if their group membership is discoverable by the Supervisor. // Without the groups scope being requested and allowed, the ID token will not contain groups. + // +listType=set // +kubebuilder:validation:MinItems=1 AllowedScopes []Scope `json:"allowedScopes"` } diff --git a/generated/1.24/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go b/generated/1.24/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go index a55d88e7..f4468886 100644 --- a/generated/1.24/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go +++ b/generated/1.24/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go @@ -217,7 +217,7 @@ func (in *OIDCClientSpec) DeepCopyInto(out *OIDCClientSpec) { *out = *in if in.AllowedRedirectURIs != nil { in, out := &in.AllowedRedirectURIs, &out.AllowedRedirectURIs - *out = make([]string, len(*in)) + *out = make([]RedirectURI, len(*in)) copy(*out, *in) } if in.AllowedGrantTypes != nil { diff --git a/generated/1.24/crds/config.supervisor.pinniped.dev_oidcclients.yaml b/generated/1.24/crds/config.supervisor.pinniped.dev_oidcclients.yaml index 4efa445e..6030582f 100644 --- a/generated/1.24/crds/config.supervisor.pinniped.dev_oidcclients.yaml +++ b/generated/1.24/crds/config.supervisor.pinniped.dev_oidcclients.yaml 
@@ -61,15 +61,20 @@ spec: type: string minItems: 1 type: array + x-kubernetes-list-type: set allowedRedirectURIs: description: allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this - client. Any other uris will be rejected. Must be https, unless it - is a loopback. + client. Any other uris will be rejected. Must be a URI with the + https scheme, unless the hostname is 127.0.0.1 or ::1 which may + use the http scheme. Port numbers are not required for 127.0.0.1 + or ::1 and are ignored when checking for a matching redirect_uri. items: + pattern: ^https://.+|^http://(127\.0\.0\.1|\[::1\])(:\d+)?/ type: string minItems: 1 type: array + x-kubernetes-list-type: set allowedScopes: description: "allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. @@ -102,6 +107,7 @@ spec: type: string minItems: 1 type: array + x-kubernetes-list-type: set required: - allowedGrantTypes - allowedRedirectURIs diff --git a/generated/latest/apis/supervisor/config/v1alpha1/types_oidcclient.go b/generated/latest/apis/supervisor/config/v1alpha1/types_oidcclient.go index e905c61a..17a1103f 100644 --- a/generated/latest/apis/supervisor/config/v1alpha1/types_oidcclient.go +++ b/generated/latest/apis/supervisor/config/v1alpha1/types_oidcclient.go @@ -7,6 +7,9 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" ) +// +kubebuilder:validation:Pattern=`^https://.+|^http://(127\.0\.0\.1|\[::1\])(:\d+)?/` +type RedirectURI string + // +kubebuilder:validation:Enum="authorization_code";"refresh_token";"urn:ietf:params:oauth:grant-type:token-exchange" type GrantType string 
@@ -17,9 +20,11 @@ type Scope string type OIDCClientSpec struct { // allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this // client. Any other uris will be rejected. - // Must be https, unless it is a loopback. + // Must be a URI with the https scheme, unless the hostname is 127.0.0.1 or ::1 which may use the http scheme. + // Port numbers are not required for 127.0.0.1 or ::1 and are ignored when checking for a matching redirect_uri. + // +listType=set // +kubebuilder:validation:MinItems=1 - AllowedRedirectURIs []string `json:"allowedRedirectURIs"` + AllowedRedirectURIs []RedirectURI `json:"allowedRedirectURIs"` // allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this // client. @@ -32,6 +37,7 @@ type OIDCClientSpec struct { // - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange, // which is a step in the process to be able to get a cluster credential for the user. // This grant must be listed if allowedScopes lists pinniped:request-audience. + // +listType=set // +kubebuilder:validation:MinItems=1 AllowedGrantTypes []GrantType `json:"allowedGrantTypes"` @@ -51,6 +57,7 @@ type OIDCClientSpec struct { // - groups: The client is allowed to request that ID tokens contain the user's group membership, // if their group membership is discoverable by the Supervisor. // Without the groups scope being requested and allowed, the ID token will not contain groups. + // +listType=set // +kubebuilder:validation:MinItems=1 AllowedScopes []Scope `json:"allowedScopes"` } diff --git a/generated/latest/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go b/generated/latest/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go index a55d88e7..f4468886 100644 --- a/generated/latest/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go 
+++ b/generated/latest/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go @@ -217,7 +217,7 @@ func (in *OIDCClientSpec) DeepCopyInto(out *OIDCClientSpec) { *out = *in if in.AllowedRedirectURIs != nil { in, out := &in.AllowedRedirectURIs, &out.AllowedRedirectURIs - *out = make([]string, len(*in)) + *out = make([]RedirectURI, len(*in)) copy(*out, *in) } if in.AllowedGrantTypes != nil { diff --git a/internal/oidc/oidc.go b/internal/oidc/oidc.go index 79380df7..1c5b7237 100644 --- a/internal/oidc/oidc.go +++ b/internal/oidc/oidc.go @@ -229,6 +229,9 @@ func FositeOauth2Helper( // Use the fosite default to make it more likely that off the shelf OIDC clients can work with the supervisor. MinParameterEntropy: fosite.MinParameterEntropy, + + // do not allow custom scheme redirects, only https and http (on loopback) + RedirectSecureChecker: fosite.IsRedirectURISecureStrict, } provider := compose.Compose( diff --git a/test/integration/oidc_client_test.go b/test/integration/oidc_client_test.go new file mode 100644 index 00000000..be987db9 --- /dev/null +++ b/test/integration/oidc_client_test.go 
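Review bot: The comment on `RedirectSecureChecker` should say what this checker actually guards, because it is easy to read as a restatement of the CRD validation: fosite applies it to the redirect_uri selected for an incoming authorization request, whereas the scheme/host restriction on the values stored in an OIDCClient is enforced by the CRD pattern. If I recall fosite's `IsRedirectURISecureStrict` correctly it also treats the hostname `localhost` as loopback, which is wider than the CRD pattern, so the CRD remains the layer that keeps `localhost` out and the two should not be assumed equivalent. Suggested wording: `// Reject a request's redirect_uri unless it uses https, or http to a loopback host; custom schemes are never accepted. Registered URIs are additionally restricted by the OIDCClient CRD pattern.` `FositeOauth2Helper` starts and ends outside this hunk.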
@@ -0,0 +1,408 @@ +// Copyright 2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +package integration + +import ( + "context" + "fmt" + "sort" + "strings" + "testing" + "time" + + "github.com/stretchr/testify/require" + corev1 "k8s.io/api/core/v1" + "k8s.io/apimachinery/pkg/api/errors" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + + supervisorconfigv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/config/v1alpha1" + "go.pinniped.dev/test/testlib" +) + +func TestOIDCClientStaticValidation_Parallel(t *testing.T) { + env := testlib.IntegrationEnv(t) + + groupFix := strings.NewReplacer(".supervisor.pinniped.dev", ".supervisor."+env.APIGroupSuffix) + + ctx, cancel := context.WithTimeout(context.Background(), 5*time.Minute) + t.Cleanup(cancel) + + namespaceClient := testlib.NewKubernetesClientset(t).CoreV1().Namespaces() + + ns, err := namespaceClient.Create(ctx, &corev1.Namespace{ + ObjectMeta: metav1.ObjectMeta{ + GenerateName: "test-oidc-client-", + }, + }, metav1.CreateOptions{}) + require.NoError(t, err) + + t.Cleanup(func() { + require.NoError(t, namespaceClient.Delete(ctx, ns.Name, metav1.DeleteOptions{})) + }) + + oidcClients := testlib.NewSupervisorClientset(t).ConfigV1alpha1().OIDCClients(ns.Name) + + tests := []struct { + name string + client *supervisorconfigv1alpha1.OIDCClient + fixWant func(t *testing.T, err error, want string) string + wantErr string + }{ + { + name: "bad name", + client: &supervisorconfigv1alpha1.OIDCClient{ + ObjectMeta: metav1.ObjectMeta{ + Name: "panda", + }, + Spec: supervisorconfigv1alpha1.OIDCClientSpec{ + AllowedRedirectURIs: []supervisorconfigv1alpha1.RedirectURI{ + "https://a", + }, + AllowedGrantTypes: []supervisorconfigv1alpha1.GrantType{ + "refresh_token", + }, + AllowedScopes: []supervisorconfigv1alpha1.Scope{ + "username", + }, + }, + }, + wantErr: `OIDCClient.config.supervisor.pinniped.dev "panda" is invalid: metadata.name: Invalid value: "panda": metadata.name in 
body should match '^client\.oauth\.pinniped\.dev-'`, + }, + { + name: "bad name but close", + client: &supervisorconfigv1alpha1.OIDCClient{ + ObjectMeta: metav1.ObjectMeta{ + Name: "client0oauth1pinniped2dev-regex", + }, + Spec: supervisorconfigv1alpha1.OIDCClientSpec{ + AllowedRedirectURIs: []supervisorconfigv1alpha1.RedirectURI{ + "https://a", + }, + AllowedGrantTypes: []supervisorconfigv1alpha1.GrantType{ + "refresh_token", + }, + AllowedScopes: []supervisorconfigv1alpha1.Scope{ + "username", + }, + }, + }, + wantErr: `OIDCClient.config.supervisor.pinniped.dev "client0oauth1pinniped2dev-regex" is invalid: metadata.name: Invalid value: "client0oauth1pinniped2dev-regex": metadata.name in body should match '^client\.oauth\.pinniped\.dev-'`, + }, + { + name: "bad generate name", + client: &supervisorconfigv1alpha1.OIDCClient{ + ObjectMeta: metav1.ObjectMeta{ + GenerateName: "snorlax-", + }, + Spec: supervisorconfigv1alpha1.OIDCClientSpec{ + AllowedRedirectURIs: []supervisorconfigv1alpha1.RedirectURI{ + "http://127.0.0.1/callback", + }, + AllowedGrantTypes: []supervisorconfigv1alpha1.GrantType{ + "refresh_token", + }, + AllowedScopes: []supervisorconfigv1alpha1.Scope{ + "username", + }, + }, + }, + fixWant: func(t *testing.T, err error, want string) string { + require.Error(t, err) + gotErr := err.Error() + errPrefix := groupFix.Replace(`OIDCClient.config.supervisor.pinniped.dev "snorlax-`) + require.True(t, strings.HasPrefix(gotErr, errPrefix)) + gotErr = strings.TrimPrefix(gotErr, errPrefix) + end := strings.Index(gotErr, `"`) + require.Equal(t, end, 5) + gotErr = gotErr[:end] + return strings.Replace(want, "RAND", gotErr, 2) + }, + wantErr: `OIDCClient.config.supervisor.pinniped.dev "snorlax-RAND" is invalid: metadata.name: Invalid value: "snorlax-RAND": metadata.name in body should match '^client\.oauth\.pinniped\.dev-'`, + }, + { + name: "bad redirect uri", + client: &supervisorconfigv1alpha1.OIDCClient{ + ObjectMeta: metav1.ObjectMeta{ + Name: 
"client.oauth.pinniped.dev-hello", + }, + Spec: supervisorconfigv1alpha1.OIDCClientSpec{ + AllowedRedirectURIs: []supervisorconfigv1alpha1.RedirectURI{ + "http://127.0.0.1/callback", + "oob", + "https://a", + }, + AllowedGrantTypes: []supervisorconfigv1alpha1.GrantType{ + "refresh_token", + }, + AllowedScopes: []supervisorconfigv1alpha1.Scope{ + "username", + }, + }, + }, + wantErr: `OIDCClient.config.supervisor.pinniped.dev "client.oauth.pinniped.dev-hello" is invalid: spec.allowedRedirectURIs[1]: Invalid value: "oob": spec.allowedRedirectURIs[1] in body should match '^https://.+|^http://(127\.0\.0\.1|\[::1\])(:\d+)?/'`, + }, + { + name: "bad grant type", + client: &supervisorconfigv1alpha1.OIDCClient{ + ObjectMeta: metav1.ObjectMeta{ + Name: "client.oauth.pinniped.dev-sky", + }, + Spec: supervisorconfigv1alpha1.OIDCClientSpec{ + AllowedRedirectURIs: []supervisorconfigv1alpha1.RedirectURI{ + "http://127.0.0.1/callback", + }, + AllowedGrantTypes: []supervisorconfigv1alpha1.GrantType{ + "refresh_token", + "authorization_code", + "bird", + }, + AllowedScopes: []supervisorconfigv1alpha1.Scope{ + "username", + }, + }, + }, + wantErr: `OIDCClient.config.supervisor.pinniped.dev "client.oauth.pinniped.dev-sky" is invalid: spec.allowedGrantTypes[2]: Unsupported value: "bird": supported values: "authorization_code", "refresh_token", "urn:ietf:params:oauth:grant-type:token-exchange"`, + }, + { + name: "bad scope", + client: &supervisorconfigv1alpha1.OIDCClient{ + ObjectMeta: metav1.ObjectMeta{ + Name: "client.oauth.pinniped.dev-blue", + }, + Spec: supervisorconfigv1alpha1.OIDCClientSpec{ + AllowedRedirectURIs: []supervisorconfigv1alpha1.RedirectURI{ + "http://127.0.0.1/callback", + }, + AllowedGrantTypes: []supervisorconfigv1alpha1.GrantType{ + "refresh_token", + }, + AllowedScopes: []supervisorconfigv1alpha1.Scope{ + "*", + "username", + }, + }, + }, + wantErr: `OIDCClient.config.supervisor.pinniped.dev "client.oauth.pinniped.dev-blue" is invalid: spec.allowedScopes[0]: 
Unsupported value: "*": supported values: "openid", "offline_access", "username", "groups", "pinniped:request-audience"`, + }, + { + name: "empty unset all", + client: &supervisorconfigv1alpha1.OIDCClient{}, + wantErr: `OIDCClient.config.supervisor.pinniped.dev "" is invalid: [metadata.name: Required value: name or generateName is required, spec.allowedGrantTypes: Required value, spec.allowedRedirectURIs: Required value, spec.allowedScopes: Required value]`, + }, + { + name: "empty uris", + client: &supervisorconfigv1alpha1.OIDCClient{ + ObjectMeta: metav1.ObjectMeta{ + Name: "client.oauth.pinniped.dev-green-1", + }, + Spec: supervisorconfigv1alpha1.OIDCClientSpec{ + AllowedRedirectURIs: []supervisorconfigv1alpha1.RedirectURI{}, + AllowedGrantTypes: []supervisorconfigv1alpha1.GrantType{ + "refresh_token", + }, + AllowedScopes: []supervisorconfigv1alpha1.Scope{ + "username", + }, + }, + }, + wantErr: `OIDCClient.config.supervisor.pinniped.dev "client.oauth.pinniped.dev-green-1" is invalid: spec.allowedRedirectURIs: Invalid value: 0: spec.allowedRedirectURIs in body should have at least 1 items`, + }, + { + name: "empty grants", + client: &supervisorconfigv1alpha1.OIDCClient{ + ObjectMeta: metav1.ObjectMeta{ + Name: "client.oauth.pinniped.dev-green-2", + }, + Spec: supervisorconfigv1alpha1.OIDCClientSpec{ + AllowedRedirectURIs: []supervisorconfigv1alpha1.RedirectURI{ + "http://127.0.0.1/callback", + }, + AllowedGrantTypes: []supervisorconfigv1alpha1.GrantType{}, + AllowedScopes: []supervisorconfigv1alpha1.Scope{ + "username", + }, + }, + }, + wantErr: `OIDCClient.config.supervisor.pinniped.dev "client.oauth.pinniped.dev-green-2" is invalid: spec.allowedGrantTypes: Invalid value: 0: spec.allowedGrantTypes in body should have at least 1 items`, + }, + { + name: "empty scopes", + client: &supervisorconfigv1alpha1.OIDCClient{ + ObjectMeta: metav1.ObjectMeta{ + Name: "client.oauth.pinniped.dev-green-3", + }, + Spec: supervisorconfigv1alpha1.OIDCClientSpec{ + 
AllowedRedirectURIs: []supervisorconfigv1alpha1.RedirectURI{ + "http://127.0.0.1/callback", + }, + AllowedGrantTypes: []supervisorconfigv1alpha1.GrantType{ + "refresh_token", + }, + AllowedScopes: []supervisorconfigv1alpha1.Scope{}, + }, + }, + wantErr: `OIDCClient.config.supervisor.pinniped.dev "client.oauth.pinniped.dev-green-3" is invalid: spec.allowedScopes: Invalid value: 0: spec.allowedScopes in body should have at least 1 items`, + }, + { + name: "duplicate uris", + client: &supervisorconfigv1alpha1.OIDCClient{ + ObjectMeta: metav1.ObjectMeta{ + Name: "client.oauth.pinniped.dev-red-1", + }, + Spec: supervisorconfigv1alpha1.OIDCClientSpec{ + AllowedRedirectURIs: []supervisorconfigv1alpha1.RedirectURI{ + "http://127.0.0.1/callback", + "http://127.0.0.1/callback", + }, + AllowedGrantTypes: []supervisorconfigv1alpha1.GrantType{ + "refresh_token", + }, + AllowedScopes: []supervisorconfigv1alpha1.Scope{ + "username", + }, + }, + }, + wantErr: `OIDCClient.config.supervisor.pinniped.dev "client.oauth.pinniped.dev-red-1" is invalid: spec.allowedRedirectURIs[1]: Duplicate value: "http://127.0.0.1/callback"`, + }, + { + name: "duplicate grants", + client: &supervisorconfigv1alpha1.OIDCClient{ + ObjectMeta: metav1.ObjectMeta{ + Name: "client.oauth.pinniped.dev-red-2", + }, + Spec: supervisorconfigv1alpha1.OIDCClientSpec{ + AllowedRedirectURIs: []supervisorconfigv1alpha1.RedirectURI{ + "http://127.0.0.1/callback", + }, + AllowedGrantTypes: []supervisorconfigv1alpha1.GrantType{ + "refresh_token", + "refresh_token", + }, + AllowedScopes: []supervisorconfigv1alpha1.Scope{ + "username", + }, + }, + }, + wantErr: `OIDCClient.config.supervisor.pinniped.dev "client.oauth.pinniped.dev-red-2" is invalid: spec.allowedGrantTypes[1]: Duplicate value: "refresh_token"`, + }, + { + name: "duplicate scopes", + client: &supervisorconfigv1alpha1.OIDCClient{ + ObjectMeta: metav1.ObjectMeta{ + Name: "client.oauth.pinniped.dev-red-3", + }, + Spec: supervisorconfigv1alpha1.OIDCClientSpec{ + 
AllowedRedirectURIs: []supervisorconfigv1alpha1.RedirectURI{ + "http://127.0.0.1/callback", + }, + AllowedGrantTypes: []supervisorconfigv1alpha1.GrantType{ + "refresh_token", + }, + AllowedScopes: []supervisorconfigv1alpha1.Scope{ + "username", + "username", + }, + }, + }, + wantErr: `OIDCClient.config.supervisor.pinniped.dev "client.oauth.pinniped.dev-red-3" is invalid: spec.allowedScopes[1]: Duplicate value: "username"`, + }, + { + name: "bad everything", + client: &supervisorconfigv1alpha1.OIDCClient{ + ObjectMeta: metav1.ObjectMeta{ + Name: "zone", + }, + Spec: supervisorconfigv1alpha1.OIDCClientSpec{ + AllowedRedirectURIs: []supervisorconfigv1alpha1.RedirectURI{ + "of", + }, + AllowedGrantTypes: []supervisorconfigv1alpha1.GrantType{ + "the", + }, + AllowedScopes: []supervisorconfigv1alpha1.Scope{ + "enders", + }, + }, + }, + fixWant: func(t *testing.T, err error, want string) string { + // sort the error causes and use that to rebuild a sorted error message + statusErr := &errors.StatusError{} + require.ErrorAs(t, err, &statusErr) + require.Len(t, statusErr.ErrStatus.Details.Causes, 4) + out := make([]string, 0, len(statusErr.ErrStatus.Details.Causes)) + for _, cause := range statusErr.ErrStatus.Details.Causes { + cause := cause + out = append(out, fmt.Sprintf("%s: %s", cause.Field, cause.Message)) + } + sort.Strings(out) + errPrefix := groupFix.Replace(`OIDCClient.config.supervisor.pinniped.dev "zone" is invalid: [`) + require.True(t, strings.HasPrefix(err.Error(), errPrefix)) + require.Equal(t, err.Error(), statusErr.ErrStatus.Message) + statusErr.ErrStatus.Message = errPrefix + strings.Join(out, ", ") + "]" + return want // leave the wanted error unchanged + }, + wantErr: `OIDCClient.config.supervisor.pinniped.dev "zone" is invalid: [metadata.name: Invalid value: "zone": metadata.name in body should match '^client\.oauth\.pinniped\.dev-', spec.allowedGrantTypes[0]: Unsupported value: "the": supported values: "authorization_code", "refresh_token", 
"urn:ietf:params:oauth:grant-type:token-exchange", spec.allowedRedirectURIs[0]: Invalid value: "of": spec.allowedRedirectURIs[0] in body should match '^https://.+|^http://(127\.0\.0\.1|\[::1\])(:\d+)?/', spec.allowedScopes[0]: Unsupported value: "enders": supported values: "openid", "offline_access", "username", "groups", "pinniped:request-audience"]`, + }, + { + name: "everything valid", + client: &supervisorconfigv1alpha1.OIDCClient{ + ObjectMeta: metav1.ObjectMeta{ + Name: "client.oauth.pinniped.dev-lava", + }, + Spec: supervisorconfigv1alpha1.OIDCClientSpec{ + AllowedRedirectURIs: []supervisorconfigv1alpha1.RedirectURI{ + "https://example.com", + "http://127.0.0.1/yoyo", + }, + AllowedGrantTypes: []supervisorconfigv1alpha1.GrantType{ + "authorization_code", + "refresh_token", + "urn:ietf:params:oauth:grant-type:token-exchange", + }, + AllowedScopes: []supervisorconfigv1alpha1.Scope{ + "openid", + "offline_access", + "username", + "groups", + "pinniped:request-audience", + }, + }, + }, + wantErr: "", + }, + } + for _, tt := range tests { + tt := tt + t.Run(tt.name, func(t *testing.T) { + t.Parallel() + + client, err := oidcClients.Create(ctx, tt.client, metav1.CreateOptions{}) + + want := tt.wantErr + + if len(want) == 0 { + require.NoError(t, err) + + // unset server generated fields + client.Namespace = "" + client.UID = "" + client.ResourceVersion = "" + client.ManagedFields = nil + client.CreationTimestamp = metav1.Time{} + client.Generation = 0 + + require.Equal(t, tt.client, client) + return + } + + if tt.fixWant != nil { + want = tt.fixWant(t, err, want) + } + + want = groupFix.Replace(want) + + require.EqualError(t, err, want) + }) + } +} From 64cd8b0b9fe32e826548b2692e64e876f2b41700 Mon Sep 17 00:00:00 2001 From: Margo Crawford Date: Wed, 15 Jun 2022 13:41:22 -0700 Subject: [PATCH 20/61] Add e2e test for groups scope 
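Review bot: The table has no negative case for an http redirect URI on a host other than the loopback IP literals, so the most security-relevant property of the new pattern — that `http://localhost/...` and look-alikes such as `http://127.0.0.1.example.com/` are rejected — is not pinned; the `oob` case only covers a value with no scheme. A case like the one below (expected message constructed by analogy with the `bad redirect uri` case) would catch a future loosening of the pattern. In the `bad everything` fixWant, the assignment to `statusErr.ErrStatus.Message` only affects the later `require.EqualError` because `ErrorAs` handed back a pointer to the original error; a comment such as `// statusErr aliases err, so rewriting its Message changes what err.Error() returns below` would make that explicit. `require.Equal(t, end, 5)` also has expected and actual swapped.
```go
// … unchanged: earlier table cases …
{
	name: "loopback by name is not accepted",
	client: &supervisorconfigv1alpha1.OIDCClient{
		ObjectMeta: metav1.ObjectMeta{
			Name: "client.oauth.pinniped.dev-loopback-name",
		},
		Spec: supervisorconfigv1alpha1.OIDCClientSpec{
			AllowedRedirectURIs: []supervisorconfigv1alpha1.RedirectURI{
				"http://localhost/callback", // only the loopback IP literals may use http
			},
			AllowedGrantTypes: []supervisorconfigv1alpha1.GrantType{
				"refresh_token",
			},
			AllowedScopes: []supervisorconfigv1alpha1.Scope{
				"username",
			},
		},
	},
	wantErr: `OIDCClient.config.supervisor.pinniped.dev "client.oauth.pinniped.dev-loopback-name" is invalid: spec.allowedRedirectURIs[0]: Invalid value: "http://localhost/callback": spec.allowedRedirectURIs[0] in body should match '^https://.+|^http://(127\.0\.0\.1|\[::1\])(:\d+)?/'`,
},
// … unchanged: remaining table cases and the t.Run loop …
```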
Signed-off-by: Margo Crawford --- .../testutil/oidctestutil/oidctestutil.go | 3 +- test/integration/e2e_test.go | 177 +++++++++--------- 2 files changed, 90 insertions(+), 90 deletions(-) diff --git a/internal/testutil/oidctestutil/oidctestutil.go b/internal/testutil/oidctestutil/oidctestutil.go index f5598edc..508e4bf0 100644 --- a/internal/testutil/oidctestutil/oidctestutil.go +++ b/internal/testutil/oidctestutil/oidctestutil.go @@ -14,8 +14,6 @@ import ( "testing" "time" - "k8s.io/utils/strings/slices" - coreosoidc "github.com/coreos/go-oidc/v3/oidc" "github.com/gorilla/securecookie" "github.com/ory/fosite" @@ -27,6 +25,7 @@ import ( "k8s.io/apimachinery/pkg/types" "k8s.io/client-go/kubernetes/fake" v1 "k8s.io/client-go/kubernetes/typed/core/v1" + "k8s.io/utils/strings/slices" "go.pinniped.dev/internal/authenticators" "go.pinniped.dev/internal/crud" diff --git a/test/integration/e2e_test.go b/test/integration/e2e_test.go index b2305da8..9bbf1589 100644 --- a/test/integration/e2e_test.go +++ b/test/integration/e2e_test.go 
@@ -193,14 +193,85 @@ func TestE2EFullIntegration_Browser(t *testing.T) { requireKubectlGetNamespaceOutput(t, env, waitForKubectlOutput(t, kubectlOutputChan)) - requireUserCanUseKubectlWithoutAuthenticatingAgain(testCtx, t, env, - downstream, - kubeconfigPath, - sessionCachePath, - pinnipedExe, - expectedUsername, - expectedGroups, + requireUserCanUseKubectlWithoutAuthenticatingAgain(testCtx, t, env, downstream, kubeconfigPath, sessionCachePath, pinnipedExe, expectedUsername, expectedGroups, []string{coreosoidc.ScopeOfflineAccess, coreosoidc.ScopeOpenID, "pinniped:request-audience", "groups"}) + }) + + // If scopes aren't specified, we don't request the groups scope, which means we won't get any groups back in our token. + t.Run("with Supervisor OIDC upstream IDP and browser flow, scopes not specified", func(t *testing.T) { + testCtx, cancel := context.WithTimeout(context.Background(), 5*time.Minute) + t.Cleanup(cancel) + + tempDir := testutil.TempDir(t) // per-test tmp dir to avoid sharing files between tests + + // Start a fresh browser driver because we don't want to share cookies between the various tests in this file. + page := browsertest.Open(t) + + expectedUsername := env.SupervisorUpstreamOIDC.Username + + // Create a ClusterRoleBinding to give our test user from the upstream read-only access to the cluster. + testlib.CreateTestClusterRoleBinding(t, + rbacv1.Subject{Kind: rbacv1.UserKind, APIGroup: rbacv1.GroupName, Name: expectedUsername}, + rbacv1.RoleRef{Kind: "ClusterRole", APIGroup: rbacv1.GroupName, Name: "view"}, ) + testlib.WaitForUserToHaveAccess(t, expectedUsername, []string{}, &authorizationv1.ResourceAttributes{ + Verb: "get", + Group: "", + Version: "v1", + Resource: "namespaces", + }) + + // Create upstream OIDC provider and wait for it to become ready. 
+ testlib.CreateTestOIDCIdentityProvider(t, idpv1alpha1.OIDCIdentityProviderSpec{ + Issuer: env.SupervisorUpstreamOIDC.Issuer, + TLS: &idpv1alpha1.TLSSpec{ + CertificateAuthorityData: base64.StdEncoding.EncodeToString([]byte(env.SupervisorUpstreamOIDC.CABundle)), + }, + AuthorizationConfig: idpv1alpha1.OIDCAuthorizationConfig{ + AdditionalScopes: env.SupervisorUpstreamOIDC.AdditionalScopes, + }, + Claims: idpv1alpha1.OIDCClaims{ + Username: env.SupervisorUpstreamOIDC.UsernameClaim, + Groups: env.SupervisorUpstreamOIDC.GroupsClaim, + }, + Client: idpv1alpha1.OIDCClient{ + SecretName: testlib.CreateClientCredsSecret(t, env.SupervisorUpstreamOIDC.ClientID, env.SupervisorUpstreamOIDC.ClientSecret).Name, + }, + }, idpv1alpha1.PhaseReady) + + // Use a specific session cache for this test. + sessionCachePath := tempDir + "/test-sessions.yaml" + + kubeconfigPath := runPinnipedGetKubeconfig(t, env, pinnipedExe, tempDir, []string{ + "get", "kubeconfig", + "--concierge-api-group-suffix", env.APIGroupSuffix, + "--concierge-authenticator-type", "jwt", + "--concierge-authenticator-name", authenticator.Name, + "--oidc-skip-browser", + "--oidc-ca-bundle", testCABundlePath, + "--oidc-session-cache", sessionCachePath, + }) + + // Run "kubectl get namespaces" which should trigger a browser login via the plugin. + kubectlCmd := exec.CommandContext(testCtx, "kubectl", "get", "namespace", "--kubeconfig", kubeconfigPath, "-v", "6") + kubectlCmd.Env = append(os.Environ(), env.ProxyEnv()...) + + // Run the kubectl command, wait for the Pinniped CLI to print the authorization URL, and open it in the browser. + kubectlOutputChan := startKubectlAndOpenAuthorizationURLInBrowser(testCtx, t, kubectlCmd, page) + + // Confirm that we got to the upstream IDP's login page, fill out the form, and submit the form. + browsertest.LoginToUpstreamOIDC(t, page, env.SupervisorUpstreamOIDC) + + // Expect to be redirected to the downstream callback which is serving the form_post HTML. 
+ t.Logf("waiting for response page %s", downstream.Spec.Issuer) + browsertest.WaitForURL(t, page, regexp.MustCompile(regexp.QuoteMeta(downstream.Spec.Issuer))) + + // The response page should have done the background fetch() and POST'ed to the CLI's callback. + // It should now be in the "success" state. + formpostExpectSuccessState(t, page) + + requireKubectlGetNamespaceOutput(t, env, waitForKubectlOutput(t, kubectlOutputChan)) + + requireUserCanUseKubectlWithoutAuthenticatingAgain(testCtx, t, env, downstream, kubeconfigPath, sessionCachePath, pinnipedExe, expectedUsername, []string{}, []string{coreosoidc.ScopeOfflineAccess, coreosoidc.ScopeOpenID, "pinniped:request-audience"}) }) t.Run("with Supervisor OIDC upstream IDP and manual authcode copy-paste from browser flow", func(t *testing.T) { @@ -311,14 +382,7 @@ func TestE2EFullIntegration_Browser(t *testing.T) { t.Logf("first kubectl command took %s", time.Since(start).String()) - requireUserCanUseKubectlWithoutAuthenticatingAgain(testCtx, t, env, - downstream, - kubeconfigPath, - sessionCachePath, - pinnipedExe, - expectedUsername, - expectedGroups, - ) + requireUserCanUseKubectlWithoutAuthenticatingAgain(testCtx, t, env, downstream, kubeconfigPath, sessionCachePath, pinnipedExe, expectedUsername, expectedGroups, []string{coreosoidc.ScopeOfflineAccess, coreosoidc.ScopeOpenID, "pinniped:request-audience", "groups"}) }) t.Run("access token based refresh with Supervisor OIDC upstream IDP and manual authcode copy-paste from browser flow", func(t *testing.T) { 
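Review bot: The scope literal `[]string{coreosoidc.ScopeOfflineAccess, coreosoidc.ScopeOpenID, "pinniped:request-audience", "groups"}` is repeated verbatim in the single-line `requireUserCanUseKubectlWithoutAuthenticatingAgain` calls of this hunk and of the @@ -311, -454, -544, -687, -760, -821, -894, -951, -1008 and -1071 hunks; a single package-level `var defaultDownstreamScopes = []string{...}` (or a small function returning a fresh slice) would keep the expected scope set in one place. Because the helper sorts its argument in place, a shared slice must be handed over as a copy, `append([]string(nil), defaultDownstreamScopes...)`, or the helper must sort a copy. The leading comment of the new subtest describes the mechanism rather than the property under test; `// When the groups scope is not requested, the Supervisor must not put group membership in the ID token, so no groups are expected below.` states what a regression would break.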
@@ -454,14 +518,7 @@ func TestE2EFullIntegration_Browser(t *testing.T) { t.Logf("first kubectl command took %s", time.Since(start).String()) - requireUserCanUseKubectlWithoutAuthenticatingAgain(testCtx, t, env, - downstream, - kubeconfigPath, - sessionCachePath, - pinnipedExe, - expectedUsername, - expectedGroups, - ) + requireUserCanUseKubectlWithoutAuthenticatingAgain(testCtx, t, env, downstream, kubeconfigPath, sessionCachePath, pinnipedExe, expectedUsername, expectedGroups, []string{coreosoidc.ScopeOfflineAccess, coreosoidc.ScopeOpenID, "pinniped:request-audience", "groups"}) }) t.Run("with Supervisor OIDC upstream IDP and CLI password flow without web browser", func(t *testing.T) { @@ -544,14 +601,7 @@ func TestE2EFullIntegration_Browser(t *testing.T) { t.Logf("first kubectl command took %s", time.Since(start).String()) - requireUserCanUseKubectlWithoutAuthenticatingAgain(testCtx, t, env, - downstream, - kubeconfigPath, - sessionCachePath, - pinnipedExe, - expectedUsername, - expectedGroups, - ) + requireUserCanUseKubectlWithoutAuthenticatingAgain(testCtx, t, env, downstream, kubeconfigPath, sessionCachePath, pinnipedExe, expectedUsername, expectedGroups, []string{coreosoidc.ScopeOfflineAccess, coreosoidc.ScopeOpenID, "pinniped:request-audience", "groups"}) }) t.Run("with Supervisor OIDC upstream IDP and CLI password flow when OIDCIdentityProvider disallows it", func(t *testing.T) { 
@@ -687,14 +737,7 @@ func TestE2EFullIntegration_Browser(t *testing.T) { t.Logf("first kubectl command took %s", time.Since(start).String()) - requireUserCanUseKubectlWithoutAuthenticatingAgain(testCtx, t, env, - downstream, - kubeconfigPath, - sessionCachePath, - pinnipedExe, - expectedUsername, - expectedGroups, - ) + requireUserCanUseKubectlWithoutAuthenticatingAgain(testCtx, t, env, downstream, kubeconfigPath, sessionCachePath, pinnipedExe, expectedUsername, expectedGroups, []string{coreosoidc.ScopeOfflineAccess, coreosoidc.ScopeOpenID, "pinniped:request-audience", "groups"}) }) // Add an LDAP upstream IDP and try using it to authenticate during kubectl commands @@ -760,14 +803,7 @@ func TestE2EFullIntegration_Browser(t *testing.T) { require.NoError(t, os.Unsetenv(usernameEnvVar)) require.NoError(t, os.Unsetenv(passwordEnvVar)) - requireUserCanUseKubectlWithoutAuthenticatingAgain(testCtx, t, env, - downstream, - kubeconfigPath, - sessionCachePath, - pinnipedExe, - expectedUsername, - expectedGroups, - ) + requireUserCanUseKubectlWithoutAuthenticatingAgain(testCtx, t, env, downstream, kubeconfigPath, sessionCachePath, pinnipedExe, expectedUsername, expectedGroups, []string{coreosoidc.ScopeOfflineAccess, coreosoidc.ScopeOpenID, "pinniped:request-audience", "groups"}) }) // Add an Active Directory upstream IDP and try using it to authenticate during kubectl commands 
@@ -821,14 +857,7 @@ func TestE2EFullIntegration_Browser(t *testing.T) { t.Logf("first kubectl command took %s", time.Since(start).String()) - requireUserCanUseKubectlWithoutAuthenticatingAgain(testCtx, t, env, - downstream, - kubeconfigPath, - sessionCachePath, - pinnipedExe, - expectedUsername, - expectedGroups, - ) + requireUserCanUseKubectlWithoutAuthenticatingAgain(testCtx, t, env, downstream, kubeconfigPath, sessionCachePath, pinnipedExe, expectedUsername, expectedGroups, []string{coreosoidc.ScopeOfflineAccess, coreosoidc.ScopeOpenID, "pinniped:request-audience", "groups"}) }) // Add an ActiveDirectory upstream IDP and try using it to authenticate during kubectl commands @@ -894,14 +923,7 @@ func TestE2EFullIntegration_Browser(t *testing.T) { require.NoError(t, os.Unsetenv(usernameEnvVar)) require.NoError(t, os.Unsetenv(passwordEnvVar)) - requireUserCanUseKubectlWithoutAuthenticatingAgain(testCtx, t, env, - downstream, - kubeconfigPath, - sessionCachePath, - pinnipedExe, - expectedUsername, - expectedGroups, - ) + requireUserCanUseKubectlWithoutAuthenticatingAgain(testCtx, t, env, downstream, kubeconfigPath, sessionCachePath, pinnipedExe, expectedUsername, expectedGroups, []string{coreosoidc.ScopeOfflineAccess, coreosoidc.ScopeOpenID, "pinniped:request-audience", "groups"}) }) // Add an LDAP upstream IDP and try using it to authenticate during kubectl commands, using the browser flow. 
@@ -951,14 +973,7 @@ func TestE2EFullIntegration_Browser(t *testing.T) { requireKubectlGetNamespaceOutput(t, env, waitForKubectlOutput(t, kubectlOutputChan)) - requireUserCanUseKubectlWithoutAuthenticatingAgain(testCtx, t, env, - downstream, - kubeconfigPath, - sessionCachePath, - pinnipedExe, - expectedUsername, - expectedGroups, - ) + requireUserCanUseKubectlWithoutAuthenticatingAgain(testCtx, t, env, downstream, kubeconfigPath, sessionCachePath, pinnipedExe, expectedUsername, expectedGroups, []string{coreosoidc.ScopeOfflineAccess, coreosoidc.ScopeOpenID, "pinniped:request-audience", "groups"}) }) // Add an Active Directory upstream IDP and try using it to authenticate during kubectl commands, using the browser flow. @@ -1008,14 +1023,7 @@ func TestE2EFullIntegration_Browser(t *testing.T) { requireKubectlGetNamespaceOutput(t, env, waitForKubectlOutput(t, kubectlOutputChan)) - requireUserCanUseKubectlWithoutAuthenticatingAgain(testCtx, t, env, - downstream, - kubeconfigPath, - sessionCachePath, - pinnipedExe, - expectedUsername, - expectedGroups, - ) + requireUserCanUseKubectlWithoutAuthenticatingAgain(testCtx, t, env, downstream, kubeconfigPath, sessionCachePath, pinnipedExe, expectedUsername, expectedGroups, []string{coreosoidc.ScopeOfflineAccess, coreosoidc.ScopeOpenID, "pinniped:request-audience", "groups"}) }) // Add an LDAP upstream IDP and try using it to authenticate during kubectl commands, using the env var to choose the browser flow. 
@@ -1071,14 +1079,7 @@ func TestE2EFullIntegration_Browser(t *testing.T) { requireKubectlGetNamespaceOutput(t, env, waitForKubectlOutput(t, kubectlOutputChan)) - requireUserCanUseKubectlWithoutAuthenticatingAgain(testCtx, t, env, - downstream, - kubeconfigPath, - sessionCachePath, - pinnipedExe, - expectedUsername, - expectedGroups, - ) + requireUserCanUseKubectlWithoutAuthenticatingAgain(testCtx, t, env, downstream, kubeconfigPath, sessionCachePath, pinnipedExe, expectedUsername, expectedGroups, []string{coreosoidc.ScopeOfflineAccess, coreosoidc.ScopeOpenID, "pinniped:request-audience", "groups"}) }) } @@ -1308,6 +1309,7 @@ func requireUserCanUseKubectlWithoutAuthenticatingAgain( pinnipedExe string, expectedUsername string, expectedGroups []string, + downstreamScopes []string, ) { // Run kubectl, which should work without any prompting for authentication. kubectlCmd := exec.CommandContext(ctx, "kubectl", "get", "namespace", "--kubeconfig", kubeconfigPath) @@ -1323,7 +1325,6 @@ func requireUserCanUseKubectlWithoutAuthenticatingAgain( require.NoError(t, err) })) - downstreamScopes := []string{coreosoidc.ScopeOfflineAccess, coreosoidc.ScopeOpenID, "pinniped:request-audience", "groups"} sort.Strings(downstreamScopes) token := cache.GetToken(oidcclient.SessionCacheKey{ Issuer: downstream.Spec.Issuer, From 36a5c4c20d8b61e9793e7ff651f7121ac7c18c95 Mon Sep 17 00:00:00 2001 From: Monis Khan Date: Thu, 16 Jun 2022 15:38:14 -0400 Subject: [PATCH 21/61] Fix TestOIDCClientStaticValidation on old servers Signed-off-by: Monis Khan --- .../testutil/kube_server_compatibility.go | 16 +++++ test/integration/oidc_client_test.go | 60 ++++++++++++++++++- 2 files changed, 75 insertions(+), 1 deletion(-) diff --git a/internal/testutil/kube_server_compatibility.go b/internal/testutil/kube_server_compatibility.go index 89cf15b4..fbf6fbc8 100644 --- a/internal/testutil/kube_server_compatibility.go +++ b/internal/testutil/kube_server_compatibility.go 
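Review bot: `sort.Strings(downstreamScopes)` in the @@ -1323 hunk now sorts a slice owned by the caller, since the former local has become the new `downstreamScopes` parameter; today every caller passes a fresh literal, but any caller reusing a slice would see it reordered behind its back. Sort a copy instead: `sorted := append([]string(nil), downstreamScopes...)`, `sort.Strings(sorted)`, and use `sorted` in the cache key lookup. The new parameter also deserves a line in the function's doc comment, e.g. `// downstreamScopes are the scopes the CLI is expected to have requested from the Supervisor; presumably they form part of the session cache key looked up below.` — the key construction is only partly visible here. `requireUserCanUseKubectlWithoutAuthenticatingAgain` starts and ends outside this hunk.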
@@ -4,6 +4,8 @@ package testutil import ( + "strconv" + "strings" "testing" "github.com/stretchr/testify/require" @@ -28,3 +30,17 @@ func KubeServerSupportsCertificatesV1API(t *testing.T, discoveryClient discovery } return false } + +func KubeServerMinorVersionInBetweenInclusive(t *testing.T, discoveryClient discovery.DiscoveryInterface, min, max int) bool { + t.Helper() + + version, err := discoveryClient.ServerVersion() + require.NoError(t, err) + + require.Equal(t, "1", version.Major) + + minor, err := strconv.Atoi(strings.TrimSuffix(version.Minor, "+")) + require.NoError(t, err) + + return minor >= min && minor <= max +} diff --git a/test/integration/oidc_client_test.go b/test/integration/oidc_client_test.go index be987db9..fe77b3b8 100644 --- a/test/integration/oidc_client_test.go +++ b/test/integration/oidc_client_test.go @@ -17,18 +17,26 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" supervisorconfigv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/config/v1alpha1" + "go.pinniped.dev/internal/testutil" "go.pinniped.dev/test/testlib" ) func TestOIDCClientStaticValidation_Parallel(t *testing.T) { env := testlib.IntegrationEnv(t) + adminClient := testlib.NewKubernetesClientset(t) + + needsErrFix := testutil.KubeServerMinorVersionInBetweenInclusive(t, adminClient.Discovery(), 0, 23) + reallyOld := testutil.KubeServerMinorVersionInBetweenInclusive(t, adminClient.Discovery(), 0, 19) + noSets := testutil.KubeServerMinorVersionInBetweenInclusive(t, adminClient.Discovery(), 0, 17) + groupFix := strings.NewReplacer(".supervisor.pinniped.dev", ".supervisor."+env.APIGroupSuffix) + errFix := strings.NewReplacer(makeErrFix(reallyOld)...) ctx, cancel := context.WithTimeout(context.Background(), 5*time.Minute) t.Cleanup(cancel) - namespaceClient := testlib.NewKubernetesClientset(t).CoreV1().Namespaces() + namespaceClient := adminClient.CoreV1().Namespaces() ns, err := namespaceClient.Create(ctx, &corev1.Namespace{ ObjectMeta: metav1.ObjectMeta{ 
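Review bot: `KubeServerMinorVersionInBetweenInclusive` is exported without a doc comment, and its `min`/`max` parameters shadow names that became Go builtins in 1.21, so they will draw linter warnings once the toolchain moves; `lo, hi int` avoids that. Suggested doc comment: `// KubeServerMinorVersionInBetweenInclusive reports whether the server's minor version from discovery, with any trailing "+" stripped, lies within [lo, hi]; it fails the test if the major version is not "1" or the minor cannot be parsed.` The `strings.TrimSuffix(version.Minor, "+")` line is worth its own why-comment, `// pre-release and patched builds report the minor as e.g. "23+"`, since that is the only reason the parse would otherwise fail.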
@@ -48,6 +56,7 @@ func TestOIDCClientStaticValidation_Parallel(t *testing.T) { client *supervisorconfigv1alpha1.OIDCClient fixWant func(t *testing.T, err error, want string) string wantErr string + skip bool }{ { name: "bad name", @@ -116,6 +125,9 @@ func TestOIDCClientStaticValidation_Parallel(t *testing.T) { end := strings.Index(gotErr, `"`) require.Equal(t, end, 5) gotErr = gotErr[:end] + if reallyOld { // these servers do not show the actual invalid value + want = strings.Replace(want, `Invalid value: "snorlax-RAND"`, `Invalid value: ""`, 1) + } return strings.Replace(want, "RAND", gotErr, 2) }, wantErr: `OIDCClient.config.supervisor.pinniped.dev "snorlax-RAND" is invalid: metadata.name: Invalid value: "snorlax-RAND": metadata.name in body should match '^client\.oauth\.pinniped\.dev-'`, @@ -189,6 +201,7 @@ func TestOIDCClientStaticValidation_Parallel(t *testing.T) { name: "empty unset all", client: &supervisorconfigv1alpha1.OIDCClient{}, wantErr: `OIDCClient.config.supervisor.pinniped.dev "" is invalid: [metadata.name: Required value: name or generateName is required, spec.allowedGrantTypes: Required value, spec.allowedRedirectURIs: Required value, spec.allowedScopes: Required value]`, + skip: reallyOld, // the error is both different and has unstable order on older servers }, { name: "empty uris", @@ -264,6 +277,7 @@ func TestOIDCClientStaticValidation_Parallel(t *testing.T) { }, }, wantErr: `OIDCClient.config.supervisor.pinniped.dev "client.oauth.pinniped.dev-red-1" is invalid: spec.allowedRedirectURIs[1]: Duplicate value: "http://127.0.0.1/callback"`, + skip: noSets, // needs v1.18+ for x-kubernetes-list-type: set }, { name: "duplicate grants", 
@@ -285,6 +299,7 @@ func TestOIDCClientStaticValidation_Parallel(t *testing.T) { }, }, wantErr: `OIDCClient.config.supervisor.pinniped.dev "client.oauth.pinniped.dev-red-2" is invalid: spec.allowedGrantTypes[1]: Duplicate value: "refresh_token"`, + skip: noSets, // needs v1.18+ for x-kubernetes-list-type: set }, { name: "duplicate scopes", @@ -306,6 +321,7 @@ func TestOIDCClientStaticValidation_Parallel(t *testing.T) { }, }, wantErr: `OIDCClient.config.supervisor.pinniped.dev "client.oauth.pinniped.dev-red-3" is invalid: spec.allowedScopes[1]: Duplicate value: "username"`, + skip: noSets, // needs v1.18+ for x-kubernetes-list-type: set }, { name: "bad everything", @@ -375,6 +391,10 @@ func TestOIDCClientStaticValidation_Parallel(t *testing.T) { for _, tt := range tests { tt := tt t.Run(tt.name, func(t *testing.T) { + if tt.skip { + t.Skip() + } + t.Parallel() client, err := oidcClients.Create(ctx, tt.client, metav1.CreateOptions{}) @@ -391,6 +411,7 @@ func TestOIDCClientStaticValidation_Parallel(t *testing.T) { client.ManagedFields = nil client.CreationTimestamp = metav1.Time{} client.Generation = 0 + client.SelfLink = "" // nolint: staticcheck // old API servers still set this field require.Equal(t, tt.client, client) return 
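Review bot: In the `@@ -375,6 +391,10 @@` hunk, `t.Skip()` is called with no message, so `go test -v` reports a skipped case without saying which server-version condition (`reallyOld` or `noSets`) triggered it. Give the skip a reason: `t.Skip("this validation is not available on the current Kubernetes server version")`. Better still, change the table field from `skip bool` to `skipReason string`, move the explanatory text now sitting in trailing comments into it, and call `t.Skip(tt.skipReason)` so the reason travels with the case. The table and the loop are split across several hunks and the enclosing test function extends beyond this one.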
@@ -402,7 +423,44 @@ func TestOIDCClientStaticValidation_Parallel(t *testing.T) { want = groupFix.Replace(want) + // old API servers have slightly different error messages + if needsErrFix && !strings.Contains(want, "Duplicate value:") { + want = errFix.Replace(want) + } + require.EqualError(t, err, want) }) } } + +func makeErrFix(reallyOld bool) []string { + const total = 10 // should be enough indexes + out := make([]string, 0, total*6) // good enough allocation + + // these servers do not show the actual index of where the error occurred + for i := 0; i < total; i++ { + idx := fmt.Sprintf("[%d]", i) + out = append(out, idx+":", ":") + out = append(out, idx+" ", " ") + } + + if reallyOld { + // these servers display empty values differently + out = append(out, "0:", `"":`) + + // these servers do not show the actual invalid value + for _, s := range []string{ + "of", + "oob", + "zone", + "panda", + "client0oauth1pinniped2dev-regex", + } { + out = append(out, + fmt.Sprintf(`Invalid value: "%s"`, s), + `Invalid value: ""`) + } + } + + return out +} From 5aa0d9126779496a3f9e2e631be8533301fa897e Mon Sep 17 00:00:00 2001 
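Review bot: The guard `needsErrFix && !strings.Contains(want, "Duplicate value:")` says that old servers need rewriting but not why duplicate-value messages are exempt, and a reader has to cross-reference the `noSets` skips to guess. Add the reason inline, e.g. `// duplicate-value cases are skipped on servers without list-type sets, and elsewhere their messages already match` — if that is the reasoning; I am inferring it from the skips. Separately, `makeErrFix` hard-codes `"of"`, `"oob"`, `"zone"`, `"panda"` and `"client0oauth1pinniped2dev-regex"`, which must stay in lockstep with literals in the test table elsewhere in the file; a comment naming the cases each belongs to, or deriving the list from the table, would keep them from drifting apart silently.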
From: Ryan Richard Date: Fri, 17 Jun 2022 12:56:53 -0400 Subject: [PATCH 22/61] New controller watches OIDCClients and updates validation Conditions --- .../config/v1alpha1/types_meta.go.tmpl | 75 ++ .../config/v1alpha1/types_oidcclient.go.tmpl | 28 +- ...g.supervisor.pinniped.dev_oidcclients.yaml | 76 ++ deploy/supervisor/rbac.yaml | 8 + generated/1.17/README.adoc | 38 + .../supervisor/config/v1alpha1/types_meta.go | 75 ++ .../config/v1alpha1/types_oidcclient.go | 28 +- .../config/v1alpha1/zz_generated.deepcopy.go | 26 +- ...g.supervisor.pinniped.dev_oidcclients.yaml | 76 ++ generated/1.18/README.adoc | 38 + .../supervisor/config/v1alpha1/types_meta.go | 75 ++ .../config/v1alpha1/types_oidcclient.go | 28 +- .../config/v1alpha1/zz_generated.deepcopy.go | 26 +- ...g.supervisor.pinniped.dev_oidcclients.yaml | 76 ++ generated/1.19/README.adoc | 38 + .../supervisor/config/v1alpha1/types_meta.go | 75 ++ .../config/v1alpha1/types_oidcclient.go | 28 +- .../config/v1alpha1/zz_generated.deepcopy.go | 26 +- ...g.supervisor.pinniped.dev_oidcclients.yaml | 76 ++ generated/1.20/README.adoc | 38 + .../supervisor/config/v1alpha1/types_meta.go | 75 ++ .../config/v1alpha1/types_oidcclient.go | 28 +- .../config/v1alpha1/zz_generated.deepcopy.go | 26 +- ...g.supervisor.pinniped.dev_oidcclients.yaml | 76 ++ generated/1.21/README.adoc | 38 + .../supervisor/config/v1alpha1/types_meta.go | 75 ++ .../config/v1alpha1/types_oidcclient.go | 28 +- .../config/v1alpha1/zz_generated.deepcopy.go | 26 +- ...g.supervisor.pinniped.dev_oidcclients.yaml | 76 ++ generated/1.22/README.adoc | 38 + .../supervisor/config/v1alpha1/types_meta.go | 75 ++ .../config/v1alpha1/types_oidcclient.go | 28 +- .../config/v1alpha1/zz_generated.deepcopy.go | 26 +- ...g.supervisor.pinniped.dev_oidcclients.yaml | 76 ++ generated/1.23/README.adoc | 38 + .../supervisor/config/v1alpha1/types_meta.go | 75 ++ .../config/v1alpha1/types_oidcclient.go | 28 +- .../config/v1alpha1/zz_generated.deepcopy.go | 26 +- 
...g.supervisor.pinniped.dev_oidcclients.yaml | 76 ++ generated/1.24/README.adoc | 38 + .../supervisor/config/v1alpha1/types_meta.go | 75 ++ .../config/v1alpha1/types_oidcclient.go | 28 +- .../config/v1alpha1/zz_generated.deepcopy.go | 26 +- ...g.supervisor.pinniped.dev_oidcclients.yaml | 76 ++ .../supervisor/config/v1alpha1/types_meta.go | 75 ++ .../config/v1alpha1/types_oidcclient.go | 28 +- .../config/v1alpha1/zz_generated.deepcopy.go | 26 +- .../conditionsutil/conditions_util.go | 123 +++ .../conditionsutil/conditions_util.go.go | 68 -- .../active_directory_upstream_watcher.go | 2 +- .../ldap_upstream_watcher.go | 2 +- .../oidcclientwatcher/oidc_client_watcher.go | 317 ++++++ .../oidc_client_watcher_test.go | 903 ++++++++++++++++++ .../oidc_upstream_watcher.go | 2 +- internal/crud/crud.go | 13 +- .../oidcclientsecretstorage.go | 67 ++ .../oidcclientsecretstorage_test.go | 125 +++ internal/supervisor/server/server.go | 11 + ...test.go => supervisor_oidc_client_test.go} | 203 ++++ 59 files changed, 3980 insertions(+), 116 deletions(-) create mode 100644 apis/supervisor/config/v1alpha1/types_meta.go.tmpl create mode 100644 generated/1.17/apis/supervisor/config/v1alpha1/types_meta.go create mode 100644 generated/1.18/apis/supervisor/config/v1alpha1/types_meta.go create mode 100644 generated/1.19/apis/supervisor/config/v1alpha1/types_meta.go create mode 100644 generated/1.20/apis/supervisor/config/v1alpha1/types_meta.go create mode 100644 generated/1.21/apis/supervisor/config/v1alpha1/types_meta.go create mode 100644 generated/1.22/apis/supervisor/config/v1alpha1/types_meta.go create mode 100644 generated/1.23/apis/supervisor/config/v1alpha1/types_meta.go create mode 100644 generated/1.24/apis/supervisor/config/v1alpha1/types_meta.go create mode 100644 generated/latest/apis/supervisor/config/v1alpha1/types_meta.go create mode 100644 internal/controller/conditionsutil/conditions_util.go delete mode 100644 internal/controller/conditionsutil/conditions_util.go.go 
create mode 100644 internal/controller/supervisorconfig/oidcclientwatcher/oidc_client_watcher.go
create mode 100644 internal/controller/supervisorconfig/oidcclientwatcher/oidc_client_watcher_test.go
create mode 100644 internal/oidcclientsecretstorage/oidcclientsecretstorage.go
create mode 100644 internal/oidcclientsecretstorage/oidcclientsecretstorage_test.go
rename test/integration/{oidc_client_test.go => supervisor_oidc_client_test.go} (66%)
diff --git a/apis/supervisor/config/v1alpha1/types_meta.go.tmpl b/apis/supervisor/config/v1alpha1/types_meta.go.tmpl
new file mode 100644
index 00000000..cd46a471
--- /dev/null
+++ b/apis/supervisor/config/v1alpha1/types_meta.go.tmpl
@@ -0,0 +1,75 @@ +// Copyright 2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +package v1alpha1 + +import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + +// ConditionStatus is effectively an enum type for Condition.Status. +type ConditionStatus string + +// These are valid condition statuses. "ConditionTrue" means a resource is in the condition. +// "ConditionFalse" means a resource is not in the condition. "ConditionUnknown" means kubernetes +// can't decide if a resource is in the condition or not. In the future, we could add other +// intermediate conditions, e.g. ConditionDegraded. +const ( + ConditionTrue ConditionStatus = "True" + ConditionFalse ConditionStatus = "False" + ConditionUnknown ConditionStatus = "Unknown" +) + +// Condition status of a resource (mirrored from the metav1.Condition type added in Kubernetes 1.19). In a future API +// version we can switch to using the upstream type. +// See https://github.com/kubernetes/apimachinery/blob/v0.19.0/pkg/apis/meta/v1/types.go#L1353-L1413. +type Condition struct { + // type of condition in CamelCase or in foo.example.com/CamelCase. + // --- + // Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + // useful (see .node.status.conditions), the ability to deconflict is important. + // The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + // +required + // +kubebuilder:validation:Required + // +kubebuilder:validation:Pattern=`^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$` + // +kubebuilder:validation:MaxLength=316 + Type string `json:"type"` + + // status of the condition, one of True, False, Unknown. 
+ // +required + // +kubebuilder:validation:Required + // +kubebuilder:validation:Enum=True;False;Unknown + Status ConditionStatus `json:"status"` + + // observedGeneration represents the .metadata.generation that the condition was set based upon. + // For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + // with respect to the current state of the instance. + // +optional + // +kubebuilder:validation:Minimum=0 + ObservedGeneration int64 `json:"observedGeneration,omitempty"` + + // lastTransitionTime is the last time the condition transitioned from one status to another. + // This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + // +required + // +kubebuilder:validation:Required + // +kubebuilder:validation:Type=string + // +kubebuilder:validation:Format=date-time + LastTransitionTime metav1.Time `json:"lastTransitionTime"` + + // reason contains a programmatic identifier indicating the reason for the condition's last transition. + // Producers of specific condition types may define expected values and meanings for this field, + // and whether the values are considered a guaranteed API. + // The value should be a CamelCase string. + // This field may not be empty. + // +required + // +kubebuilder:validation:Required + // +kubebuilder:validation:MaxLength=1024 + // +kubebuilder:validation:MinLength=1 + // +kubebuilder:validation:Pattern=`^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$` + Reason string `json:"reason"` + + // message is a human readable message indicating details about the transition. + // This may be an empty string. + // +required + // +kubebuilder:validation:Required + // +kubebuilder:validation:MaxLength=32768 + Message string `json:"message"` +} 
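Review bot: The markers on `Reason` (`MinLength=1`, `Pattern` restricted to a CamelCase-style identifier) and `Message` (`MaxLength=32768`) become schema validation that applies to status writes too, so a controller that copies an externally sourced string (an error text, an upstream response) into `Message`, or builds `Reason` dynamically, can have its whole status update rejected. The new watcher is not in this chunk, so I cannot confirm how it populates these fields; a note on the type would make the contract explicit for writers: `// Writers must use fixed identifiers for Reason and truncate Message to 32768 bytes, or the status update fails CRD validation.` `Type` carries the same kind of constraint through its pattern and `MaxLength=316`.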
diff --git a/apis/supervisor/config/v1alpha1/types_oidcclient.go.tmpl b/apis/supervisor/config/v1alpha1/types_oidcclient.go.tmpl index 17a1103f..1bc7399d 100644 --- a/apis/supervisor/config/v1alpha1/types_oidcclient.go.tmpl +++ b/apis/supervisor/config/v1alpha1/types_oidcclient.go.tmpl @@ -3,8 +3,19 @@ package v1alpha1 -import ( - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" +import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + +type OIDCClientPhase string + +const ( + // PhasePending is the default phase for newly-created OIDCClient resources. + PhasePending OIDCClientPhase = "Pending" + + // PhaseReady is the phase for an OIDCClient resource in a healthy state. + PhaseReady OIDCClientPhase = "Ready" + + // PhaseError is the phase for an OIDCClient in an unhealthy state. + PhaseError OIDCClientPhase = "Error" ) // +kubebuilder:validation:Pattern=`^https://.+|^http://(127\.0\.0\.1|\[::1\])(:\d+)?/` @@ -62,8 +73,19 @@ type OIDCClientSpec struct { AllowedScopes []Scope `json:"allowedScopes"` } -// OIDCClientStatus is a struct that describes the actual state of an OIDC Client. +// OIDCClientStatus is a struct that describes the actual state of an OIDCClient. type OIDCClientStatus struct { + // Phase summarizes the overall status of the OIDCClient. + // +kubebuilder:default=Pending + // +kubebuilder:validation:Enum=Pending;Ready;Error + Phase OIDCClientPhase `json:"phase,omitempty"` + + // Represents the observations of an OIDCClient's current state. + // +patchMergeKey=type + // +patchStrategy=merge + // +listType=map + // +listMapKey=type + Conditions []Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"` } // OIDCClient describes the configuration of an OIDC client. diff --git a/deploy/supervisor/config.supervisor.pinniped.dev_oidcclients.yaml b/deploy/supervisor/config.supervisor.pinniped.dev_oidcclients.yaml index 6030582f..b5569275 100644 --- a/deploy/supervisor/config.supervisor.pinniped.dev_oidcclients.yaml 
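Review bot: `OIDCClientPhase` in the `@@ -3,8 +3,19 @@` hunk is an exported type without a doc comment, while its constants and `OIDCClientStatus` next to it are documented; add `// OIDCClientPhase summarizes the overall status of an OIDCClient; see the Phase* constants for the permitted values.` The permitted values are also spelled out a second time in the `+kubebuilder:validation:Enum=Pending;Ready;Error` marker on `Phase`, so a new phase must be added in both places; a one-line pointer on the const block, `// Keep in sync with the Enum marker on OIDCClientStatus.Phase.`, would flag that. The `.tmpl` appears to be the source the `generated/*` copies are produced from (the diffstat shows the same change in every version directory), so these comments would only need to be made here.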
+++ b/deploy/supervisor/config.supervisor.pinniped.dev_oidcclients.yaml 
@@ -115,6 +115,82 @@ spec: type: object status: description: Status of the OIDC client. + properties: + conditions: + description: Represents the observations of an OIDCClient's current + state. + items: + description: Condition status of a resource (mirrored from the metav1.Condition + type added in Kubernetes 1.19). In a future API version we can + switch to using the upstream type. See https://github.com/kubernetes/apimachinery/blob/v0.19.0/pkg/apis/meta/v1/types.go#L1353-L1413. + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. 
+ enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + phase: + default: Pending + description: Phase summarizes the overall status of the OIDCClient. + enum: + - Pending + - Ready + - Error + type: string type: object required: - spec diff --git a/deploy/supervisor/rbac.yaml b/deploy/supervisor/rbac.yaml index a56818fe..97b542fe 100644 --- a/deploy/supervisor/rbac.yaml +++ b/deploy/supervisor/rbac.yaml @@ -24,6 +24,14 @@ rules: - #@ pinnipedDevAPIGroupWithPrefix("config.supervisor") resources: [federationdomains/status] verbs: [get, patch, update] + - apiGroups: + - #@ pinnipedDevAPIGroupWithPrefix("config.supervisor") + resources: [oidcclients] + verbs: [get, list, watch] + - apiGroups: + - #@ pinnipedDevAPIGroupWithPrefix("config.supervisor") + resources: [oidcclients/status] + verbs: [get, patch, update] - apiGroups: - #@ pinnipedDevAPIGroupWithPrefix("idp.supervisor") resources: [oidcidentityproviders] diff --git a/generated/1.17/README.adoc b/generated/1.17/README.adoc index 4d70f8a7..2b29fc45 100644 --- a/generated/1.17/README.adoc +++ b/generated/1.17/README.adoc 
@@ -575,6 +575,28 @@ Package v1alpha1 is the v1alpha1 version of the Pinniped supervisor configuratio +[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-config-v1alpha1-condition"] +==== Condition + +Condition status of a resource (mirrored from the metav1.Condition type added in Kubernetes 1.19). In a future API version we can switch to using the upstream type. See https://github.com/kubernetes/apimachinery/blob/v0.19.0/pkg/apis/meta/v1/types.go#L1353-L1413. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-config-v1alpha1-oidcclientstatus[$$OIDCClientStatus$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`type`* __string__ | type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) +| *`status`* __ConditionStatus__ | status of the condition, one of True, False, Unknown. +| *`observedGeneration`* __integer__ | observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. +| *`lastTransitionTime`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.17/#time-v1-meta[$$Time$$]__ | lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. +| *`reason`* __string__ | reason contains a programmatic identifier indicating the reason for the condition's last transition. 
Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. +| *`message`* __string__ | message is a human readable message indicating details about the transition. This may be an empty string. +|=== + + [id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-config-v1alpha1-federationdomain"] ==== FederationDomain @@ -720,6 +742,22 @@ OIDCClientSpec is a struct that describes an OIDC Client. |=== +[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-config-v1alpha1-oidcclientstatus"] +==== OIDCClientStatus + +OIDCClientStatus is a struct that describes the actual state of an OIDCClient. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-config-v1alpha1-oidcclient[$$OIDCClient$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`phase`* __OIDCClientPhase__ | Phase summarizes the overall status of the OIDCClient. +| *`conditions`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-config-v1alpha1-condition[$$Condition$$] array__ | Represents the observations of an OIDCClient's current state. +|=== diff --git a/generated/1.17/apis/supervisor/config/v1alpha1/types_meta.go b/generated/1.17/apis/supervisor/config/v1alpha1/types_meta.go new file mode 100644 index 00000000..cd46a471 --- /dev/null +++ b/generated/1.17/apis/supervisor/config/v1alpha1/types_meta.go 
@@ -0,0 +1,75 @@ +// Copyright 2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +package v1alpha1 + +import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + +// ConditionStatus is effectively an enum type for Condition.Status. +type ConditionStatus string + +// These are valid condition statuses. "ConditionTrue" means a resource is in the condition. +// "ConditionFalse" means a resource is not in the condition. "ConditionUnknown" means kubernetes +// can't decide if a resource is in the condition or not. In the future, we could add other +// intermediate conditions, e.g. ConditionDegraded. +const ( + ConditionTrue ConditionStatus = "True" + ConditionFalse ConditionStatus = "False" + ConditionUnknown ConditionStatus = "Unknown" +) + +// Condition status of a resource (mirrored from the metav1.Condition type added in Kubernetes 1.19). In a future API +// version we can switch to using the upstream type. +// See https://github.com/kubernetes/apimachinery/blob/v0.19.0/pkg/apis/meta/v1/types.go#L1353-L1413. +type Condition struct { + // type of condition in CamelCase or in foo.example.com/CamelCase. + // --- + // Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + // useful (see .node.status.conditions), the ability to deconflict is important. + // The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + // +required + // +kubebuilder:validation:Required + // +kubebuilder:validation:Pattern=`^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$` + // +kubebuilder:validation:MaxLength=316 + Type string `json:"type"` + + // status of the condition, one of True, False, Unknown. 
+ // +required + // +kubebuilder:validation:Required + // +kubebuilder:validation:Enum=True;False;Unknown + Status ConditionStatus `json:"status"` + + // observedGeneration represents the .metadata.generation that the condition was set based upon. + // For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + // with respect to the current state of the instance. + // +optional + // +kubebuilder:validation:Minimum=0 + ObservedGeneration int64 `json:"observedGeneration,omitempty"` + + // lastTransitionTime is the last time the condition transitioned from one status to another. + // This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + // +required + // +kubebuilder:validation:Required + // +kubebuilder:validation:Type=string + // +kubebuilder:validation:Format=date-time + LastTransitionTime metav1.Time `json:"lastTransitionTime"` + + // reason contains a programmatic identifier indicating the reason for the condition's last transition. + // Producers of specific condition types may define expected values and meanings for this field, + // and whether the values are considered a guaranteed API. + // The value should be a CamelCase string. + // This field may not be empty. + // +required + // +kubebuilder:validation:Required + // +kubebuilder:validation:MaxLength=1024 + // +kubebuilder:validation:MinLength=1 + // +kubebuilder:validation:Pattern=`^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$` + Reason string `json:"reason"` + + // message is a human readable message indicating details about the transition. + // This may be an empty string. + // +required + // +kubebuilder:validation:Required + // +kubebuilder:validation:MaxLength=32768 + Message string `json:"message"` +} 
diff --git a/generated/1.17/apis/supervisor/config/v1alpha1/types_oidcclient.go b/generated/1.17/apis/supervisor/config/v1alpha1/types_oidcclient.go index 17a1103f..1bc7399d 100644 --- a/generated/1.17/apis/supervisor/config/v1alpha1/types_oidcclient.go +++ b/generated/1.17/apis/supervisor/config/v1alpha1/types_oidcclient.go @@ -3,8 +3,19 @@ package v1alpha1 -import ( - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" +import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + +type OIDCClientPhase string + +const ( + // PhasePending is the default phase for newly-created OIDCClient resources. + PhasePending OIDCClientPhase = "Pending" + + // PhaseReady is the phase for an OIDCClient resource in a healthy state. + PhaseReady OIDCClientPhase = "Ready" + + // PhaseError is the phase for an OIDCClient in an unhealthy state. + PhaseError OIDCClientPhase = "Error" ) // +kubebuilder:validation:Pattern=`^https://.+|^http://(127\.0\.0\.1|\[::1\])(:\d+)?/` @@ -62,8 +73,19 @@ type OIDCClientSpec struct { AllowedScopes []Scope `json:"allowedScopes"` } -// OIDCClientStatus is a struct that describes the actual state of an OIDC Client. +// OIDCClientStatus is a struct that describes the actual state of an OIDCClient. type OIDCClientStatus struct { + // Phase summarizes the overall status of the OIDCClient. + // +kubebuilder:default=Pending + // +kubebuilder:validation:Enum=Pending;Ready;Error + Phase OIDCClientPhase `json:"phase,omitempty"` + + // Represents the observations of an OIDCClient's current state. + // +patchMergeKey=type + // +patchStrategy=merge + // +listType=map + // +listMapKey=type + Conditions []Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"` } // OIDCClient describes the configuration of an OIDC client. diff --git a/generated/1.17/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go b/generated/1.17/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go index f4468886..3e7f07d0 100644 
--- a/generated/1.17/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go +++ b/generated/1.17/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go @@ -12,6 +12,23 @@ import ( runtime "k8s.io/apimachinery/pkg/runtime" ) +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *Condition) DeepCopyInto(out *Condition) { + *out = *in + in.LastTransitionTime.DeepCopyInto(&out.LastTransitionTime) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Condition. +func (in *Condition) DeepCopy() *Condition { + if in == nil { + return nil + } + out := new(Condition) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *FederationDomain) DeepCopyInto(out *FederationDomain) { *out = *in @@ -157,7 +174,7 @@ func (in *OIDCClient) DeepCopyInto(out *OIDCClient) { out.TypeMeta = in.TypeMeta in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) in.Spec.DeepCopyInto(&out.Spec) - out.Status = in.Status + in.Status.DeepCopyInto(&out.Status) return } @@ -246,6 +263,13 @@ func (in *OIDCClientSpec) DeepCopy() *OIDCClientSpec { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *OIDCClientStatus) DeepCopyInto(out *OIDCClientStatus) { *out = *in + if in.Conditions != nil { + in, out := &in.Conditions, &out.Conditions + *out = make([]Condition, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } return } diff --git a/generated/1.17/crds/config.supervisor.pinniped.dev_oidcclients.yaml b/generated/1.17/crds/config.supervisor.pinniped.dev_oidcclients.yaml index 6030582f..b5569275 100644 --- a/generated/1.17/crds/config.supervisor.pinniped.dev_oidcclients.yaml +++ b/generated/1.17/crds/config.supervisor.pinniped.dev_oidcclients.yaml 
@@ -115,6 +115,82 @@ spec: type: object status: description: Status of the OIDC client. + properties: + conditions: + description: Represents the observations of an OIDCClient's current + state. + items: + description: Condition status of a resource (mirrored from the metav1.Condition + type added in Kubernetes 1.19). In a future API version we can + switch to using the upstream type. See https://github.com/kubernetes/apimachinery/blob/v0.19.0/pkg/apis/meta/v1/types.go#L1353-L1413. + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. 
+ enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + phase: + default: Pending + description: Phase summarizes the overall status of the OIDCClient. + enum: + - Pending + - Ready + - Error + type: string type: object required: - spec diff --git a/generated/1.18/README.adoc b/generated/1.18/README.adoc index a987b55c..e2fb5b80 100644 --- a/generated/1.18/README.adoc +++ b/generated/1.18/README.adoc 
@@ -575,6 +575,28 @@ Package v1alpha1 is the v1alpha1 version of the Pinniped supervisor configuratio +[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-config-v1alpha1-condition"] +==== Condition + +Condition status of a resource (mirrored from the metav1.Condition type added in Kubernetes 1.19). In a future API version we can switch to using the upstream type. See https://github.com/kubernetes/apimachinery/blob/v0.19.0/pkg/apis/meta/v1/types.go#L1353-L1413. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-config-v1alpha1-oidcclientstatus[$$OIDCClientStatus$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`type`* __string__ | type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) +| *`status`* __ConditionStatus__ | status of the condition, one of True, False, Unknown. +| *`observedGeneration`* __integer__ | observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. +| *`lastTransitionTime`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#time-v1-meta[$$Time$$]__ | lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. +| *`reason`* __string__ | reason contains a programmatic identifier indicating the reason for the condition's last transition. 
Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. +| *`message`* __string__ | message is a human readable message indicating details about the transition. This may be an empty string. +|=== + + [id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-config-v1alpha1-federationdomain"] ==== FederationDomain @@ -720,6 +742,22 @@ OIDCClientSpec is a struct that describes an OIDC Client. |=== +[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-config-v1alpha1-oidcclientstatus"] +==== OIDCClientStatus + +OIDCClientStatus is a struct that describes the actual state of an OIDCClient. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-config-v1alpha1-oidcclient[$$OIDCClient$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`phase`* __OIDCClientPhase__ | Phase summarizes the overall status of the OIDCClient. +| *`conditions`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-config-v1alpha1-condition[$$Condition$$] array__ | Represents the observations of an OIDCClient's current state. +|=== diff --git a/generated/1.18/apis/supervisor/config/v1alpha1/types_meta.go b/generated/1.18/apis/supervisor/config/v1alpha1/types_meta.go new file mode 100644 index 00000000..cd46a471 --- /dev/null +++ b/generated/1.18/apis/supervisor/config/v1alpha1/types_meta.go 
@@ -0,0 +1,75 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+// ConditionStatus is effectively an enum type for Condition.Status.
+type ConditionStatus string
+
+// These are valid condition statuses. "ConditionTrue" means a resource is in the condition.
+// "ConditionFalse" means a resource is not in the condition. "ConditionUnknown" means kubernetes
+// can't decide if a resource is in the condition or not. In the future, we could add other
+// intermediate conditions, e.g. ConditionDegraded.
+const (
+ ConditionTrue ConditionStatus = "True"
+ ConditionFalse ConditionStatus = "False"
+ ConditionUnknown ConditionStatus = "Unknown"
+)
+
+// Condition status of a resource (mirrored from the metav1.Condition type added in Kubernetes 1.19). In a future API
+// version we can switch to using the upstream type.
+// See https://github.com/kubernetes/apimachinery/blob/v0.19.0/pkg/apis/meta/v1/types.go#L1353-L1413.
+type Condition struct {
+ // type of condition in CamelCase or in foo.example.com/CamelCase.
+ // ---
+ // Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
+ // useful (see .node.status.conditions), the ability to deconflict is important.
+ // The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+ // +required
+ // +kubebuilder:validation:Required
+ // +kubebuilder:validation:Pattern=`^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$`
+ // +kubebuilder:validation:MaxLength=316
+ Type string `json:"type"`
+
+ // status of the condition, one of True, False, Unknown.
+ // +required
+ // +kubebuilder:validation:Required
+ // +kubebuilder:validation:Enum=True;False;Unknown
+ Status ConditionStatus `json:"status"`
+
+ // observedGeneration represents the .metadata.generation that the condition was set based upon.
+ // For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+ // with respect to the current state of the instance.
+ // +optional
+ // +kubebuilder:validation:Minimum=0
+ ObservedGeneration int64 `json:"observedGeneration,omitempty"`
+
+ // lastTransitionTime is the last time the condition transitioned from one status to another.
+ // This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
+ // +required
+ // +kubebuilder:validation:Required
+ // +kubebuilder:validation:Type=string
+ // +kubebuilder:validation:Format=date-time
+ LastTransitionTime metav1.Time `json:"lastTransitionTime"`
+
+ // reason contains a programmatic identifier indicating the reason for the condition's last transition.
+ // Producers of specific condition types may define expected values and meanings for this field,
+ // and whether the values are considered a guaranteed API.
+ // The value should be a CamelCase string.
+ // This field may not be empty.
+ // +required
+ // +kubebuilder:validation:Required
+ // +kubebuilder:validation:MaxLength=1024
+ // +kubebuilder:validation:MinLength=1
+ // +kubebuilder:validation:Pattern=`^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$`
+ Reason string `json:"reason"`
+
+ // message is a human readable message indicating details about the transition.
+ // This may be an empty string.
+ // +required
+ // +kubebuilder:validation:Required
+ // +kubebuilder:validation:MaxLength=32768
+ Message string `json:"message"`
+}
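Review bot: The `// ---` separator in the Type field comment, and the three explanatory lines after it, are copied verbatim into the published schema: the CRD hunks on this page show the field description as `type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources ...`, and the README tables repeat it. Upstream relies on its own generator cutting the doc comment at `---`; the generator used here evidently does not, so either delete the `// ---` line and move the three lines below it into a comment that is not attached to the field, or keep them and accept the noise in the OpenAPI description. The same applies to the identical 1.19 and 1.20 copies of types_meta.go further down this page, and presumably to the template they are copied from.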
diff --git a/generated/1.18/apis/supervisor/config/v1alpha1/types_oidcclient.go b/generated/1.18/apis/supervisor/config/v1alpha1/types_oidcclient.go
index 17a1103f..1bc7399d 100644
--- a/generated/1.18/apis/supervisor/config/v1alpha1/types_oidcclient.go
+++ b/generated/1.18/apis/supervisor/config/v1alpha1/types_oidcclient.go
@@ -3,8 +3,19 @@
 
 package v1alpha1
 
-import (
- metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+type OIDCClientPhase string
+
+const (
+ // PhasePending is the default phase for newly-created OIDCClient resources.
+ PhasePending OIDCClientPhase = "Pending"
+
+ // PhaseReady is the phase for an OIDCClient resource in a healthy state.
+ PhaseReady OIDCClientPhase = "Ready"
+
+ // PhaseError is the phase for an OIDCClient in an unhealthy state.
+ PhaseError OIDCClientPhase = "Error"
 )
 
 // +kubebuilder:validation:Pattern=`^https://.+|^http://(127\.0\.0\.1|\[::1\])(:\d+)?/`
@@ -62,8 +73,19 @@ type OIDCClientSpec struct {
 AllowedScopes []Scope `json:"allowedScopes"`
 }
 
-// OIDCClientStatus is a struct that describes the actual state of an OIDC Client.
+// OIDCClientStatus is a struct that describes the actual state of an OIDCClient.
 type OIDCClientStatus struct {
+ // Phase summarizes the overall status of the OIDCClient.
+ // +kubebuilder:default=Pending
+ // +kubebuilder:validation:Enum=Pending;Ready;Error
+ Phase OIDCClientPhase `json:"phase,omitempty"`
+
+ // Represents the observations of an OIDCClient's current state.
+ // +patchMergeKey=type
+ // +patchStrategy=merge
+ // +listType=map
+ // +listMapKey=type
+ Conditions []Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"`
 }
 
 // OIDCClient describes the configuration of an OIDC client.
diff --git a/generated/1.18/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go b/generated/1.18/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go
index f4468886..3e7f07d0 100644
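Review bot: `type OIDCClientPhase string` is a new exported type with no doc comment, while the constants under it and `ConditionStatus` in types_meta.go are documented; suggest `// OIDCClientPhase is effectively an enum type for OIDCClientStatus.Phase.` above it. The `Conditions` field comment should also start with the field name, both for godoc and because it becomes the CRD description: `// Conditions represents the observations of an OIDCClient's current state.`. Separately, Phase and Conditions are presumably controller-written, but the markers on the OIDCClient kind that decide whether `/status` is a separate subresource are outside this hunk; if `+kubebuilder:subresource:status` is not set, any principal with update on OIDCClients can also set `phase: Ready` through the main resource, so nothing should treat the phase as a controller attestation until that is confirmed. The same points apply to the 1.19 copy of types_oidcclient.go later on this page.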
--- a/generated/1.18/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go +++ b/generated/1.18/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go @@ -12,6 +12,23 @@ import ( runtime "k8s.io/apimachinery/pkg/runtime" ) +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *Condition) DeepCopyInto(out *Condition) { + *out = *in + in.LastTransitionTime.DeepCopyInto(&out.LastTransitionTime) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Condition. +func (in *Condition) DeepCopy() *Condition { + if in == nil { + return nil + } + out := new(Condition) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *FederationDomain) DeepCopyInto(out *FederationDomain) { *out = *in @@ -157,7 +174,7 @@ func (in *OIDCClient) DeepCopyInto(out *OIDCClient) { out.TypeMeta = in.TypeMeta in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) in.Spec.DeepCopyInto(&out.Spec) - out.Status = in.Status + in.Status.DeepCopyInto(&out.Status) return } @@ -246,6 +263,13 @@ func (in *OIDCClientSpec) DeepCopy() *OIDCClientSpec { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *OIDCClientStatus) DeepCopyInto(out *OIDCClientStatus) { *out = *in + if in.Conditions != nil { + in, out := &in.Conditions, &out.Conditions + *out = make([]Condition, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } return } diff --git a/generated/1.18/crds/config.supervisor.pinniped.dev_oidcclients.yaml b/generated/1.18/crds/config.supervisor.pinniped.dev_oidcclients.yaml index 6030582f..b5569275 100644 --- a/generated/1.18/crds/config.supervisor.pinniped.dev_oidcclients.yaml +++ b/generated/1.18/crds/config.supervisor.pinniped.dev_oidcclients.yaml 
@@ -115,6 +115,82 @@ spec: type: object status: description: Status of the OIDC client. + properties: + conditions: + description: Represents the observations of an OIDCClient's current + state. + items: + description: Condition status of a resource (mirrored from the metav1.Condition + type added in Kubernetes 1.19). In a future API version we can + switch to using the upstream type. See https://github.com/kubernetes/apimachinery/blob/v0.19.0/pkg/apis/meta/v1/types.go#L1353-L1413. + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. 
+ enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + phase: + default: Pending + description: Phase summarizes the overall status of the OIDCClient. + enum: + - Pending + - Ready + - Error + type: string type: object required: - spec diff --git a/generated/1.19/README.adoc b/generated/1.19/README.adoc index df1fdef2..337689da 100644 --- a/generated/1.19/README.adoc +++ b/generated/1.19/README.adoc 
@@ -575,6 +575,28 @@ Package v1alpha1 is the v1alpha1 version of the Pinniped supervisor configuratio +[id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-config-v1alpha1-condition"] +==== Condition + +Condition status of a resource (mirrored from the metav1.Condition type added in Kubernetes 1.19). In a future API version we can switch to using the upstream type. See https://github.com/kubernetes/apimachinery/blob/v0.19.0/pkg/apis/meta/v1/types.go#L1353-L1413. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-config-v1alpha1-oidcclientstatus[$$OIDCClientStatus$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`type`* __string__ | type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) +| *`status`* __ConditionStatus__ | status of the condition, one of True, False, Unknown. +| *`observedGeneration`* __integer__ | observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. +| *`lastTransitionTime`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#time-v1-meta[$$Time$$]__ | lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. +| *`reason`* __string__ | reason contains a programmatic identifier indicating the reason for the condition's last transition. 
Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. +| *`message`* __string__ | message is a human readable message indicating details about the transition. This may be an empty string. +|=== + + [id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-config-v1alpha1-federationdomain"] ==== FederationDomain @@ -720,6 +742,22 @@ OIDCClientSpec is a struct that describes an OIDC Client. |=== +[id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-config-v1alpha1-oidcclientstatus"] +==== OIDCClientStatus + +OIDCClientStatus is a struct that describes the actual state of an OIDCClient. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-config-v1alpha1-oidcclient[$$OIDCClient$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`phase`* __OIDCClientPhase__ | Phase summarizes the overall status of the OIDCClient. +| *`conditions`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-config-v1alpha1-condition[$$Condition$$] array__ | Represents the observations of an OIDCClient's current state. +|=== diff --git a/generated/1.19/apis/supervisor/config/v1alpha1/types_meta.go b/generated/1.19/apis/supervisor/config/v1alpha1/types_meta.go new file mode 100644 index 00000000..cd46a471 --- /dev/null +++ b/generated/1.19/apis/supervisor/config/v1alpha1/types_meta.go 
@@ -0,0 +1,75 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+// ConditionStatus is effectively an enum type for Condition.Status.
+type ConditionStatus string
+
+// These are valid condition statuses. "ConditionTrue" means a resource is in the condition.
+// "ConditionFalse" means a resource is not in the condition. "ConditionUnknown" means kubernetes
+// can't decide if a resource is in the condition or not. In the future, we could add other
+// intermediate conditions, e.g. ConditionDegraded.
+const (
+ ConditionTrue ConditionStatus = "True"
+ ConditionFalse ConditionStatus = "False"
+ ConditionUnknown ConditionStatus = "Unknown"
+)
+
+// Condition status of a resource (mirrored from the metav1.Condition type added in Kubernetes 1.19). In a future API
+// version we can switch to using the upstream type.
+// See https://github.com/kubernetes/apimachinery/blob/v0.19.0/pkg/apis/meta/v1/types.go#L1353-L1413.
+type Condition struct {
+ // type of condition in CamelCase or in foo.example.com/CamelCase.
+ // ---
+ // Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
+ // useful (see .node.status.conditions), the ability to deconflict is important.
+ // The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+ // +required
+ // +kubebuilder:validation:Required
+ // +kubebuilder:validation:Pattern=`^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$`
+ // +kubebuilder:validation:MaxLength=316
+ Type string `json:"type"`
+
+ // status of the condition, one of True, False, Unknown.
+ // +required
+ // +kubebuilder:validation:Required
+ // +kubebuilder:validation:Enum=True;False;Unknown
+ Status ConditionStatus `json:"status"`
+
+ // observedGeneration represents the .metadata.generation that the condition was set based upon.
+ // For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+ // with respect to the current state of the instance.
+ // +optional
+ // +kubebuilder:validation:Minimum=0
+ ObservedGeneration int64 `json:"observedGeneration,omitempty"`
+
+ // lastTransitionTime is the last time the condition transitioned from one status to another.
+ // This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
+ // +required
+ // +kubebuilder:validation:Required
+ // +kubebuilder:validation:Type=string
+ // +kubebuilder:validation:Format=date-time
+ LastTransitionTime metav1.Time `json:"lastTransitionTime"`
+
+ // reason contains a programmatic identifier indicating the reason for the condition's last transition.
+ // Producers of specific condition types may define expected values and meanings for this field,
+ // and whether the values are considered a guaranteed API.
+ // The value should be a CamelCase string.
+ // This field may not be empty.
+ // +required
+ // +kubebuilder:validation:Required
+ // +kubebuilder:validation:MaxLength=1024
+ // +kubebuilder:validation:MinLength=1
+ // +kubebuilder:validation:Pattern=`^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$`
+ Reason string `json:"reason"`
+
+ // message is a human readable message indicating details about the transition.
+ // This may be an empty string.
+ // +required
+ // +kubebuilder:validation:Required
+ // +kubebuilder:validation:MaxLength=32768
+ Message string `json:"message"`
+}
diff --git a/generated/1.19/apis/supervisor/config/v1alpha1/types_oidcclient.go b/generated/1.19/apis/supervisor/config/v1alpha1/types_oidcclient.go
index 17a1103f..1bc7399d 100644
--- a/generated/1.19/apis/supervisor/config/v1alpha1/types_oidcclient.go
+++ b/generated/1.19/apis/supervisor/config/v1alpha1/types_oidcclient.go
@@ -3,8 +3,19 @@
 
 package v1alpha1
 
-import (
- metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+type OIDCClientPhase string
+
+const (
+ // PhasePending is the default phase for newly-created OIDCClient resources.
+ PhasePending OIDCClientPhase = "Pending"
+
+ // PhaseReady is the phase for an OIDCClient resource in a healthy state.
+ PhaseReady OIDCClientPhase = "Ready"
+
+ // PhaseError is the phase for an OIDCClient in an unhealthy state.
+ PhaseError OIDCClientPhase = "Error"
 )
 
 // +kubebuilder:validation:Pattern=`^https://.+|^http://(127\.0\.0\.1|\[::1\])(:\d+)?/`
@@ -62,8 +73,19 @@ type OIDCClientSpec struct {
 AllowedScopes []Scope `json:"allowedScopes"`
 }
 
-// OIDCClientStatus is a struct that describes the actual state of an OIDC Client.
+// OIDCClientStatus is a struct that describes the actual state of an OIDCClient.
 type OIDCClientStatus struct {
+ // Phase summarizes the overall status of the OIDCClient.
+ // +kubebuilder:default=Pending
+ // +kubebuilder:validation:Enum=Pending;Ready;Error
+ Phase OIDCClientPhase `json:"phase,omitempty"`
+
+ // Represents the observations of an OIDCClient's current state.
+ // +patchMergeKey=type
+ // +patchStrategy=merge
+ // +listType=map
+ // +listMapKey=type
+ Conditions []Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"`
 }
 
 // OIDCClient describes the configuration of an OIDC client.
diff --git a/generated/1.19/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go b/generated/1.19/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go
index f4468886..3e7f07d0 100644
--- a/generated/1.19/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go +++ b/generated/1.19/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go @@ -12,6 +12,23 @@ import ( runtime "k8s.io/apimachinery/pkg/runtime" ) +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *Condition) DeepCopyInto(out *Condition) { + *out = *in + in.LastTransitionTime.DeepCopyInto(&out.LastTransitionTime) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Condition. +func (in *Condition) DeepCopy() *Condition { + if in == nil { + return nil + } + out := new(Condition) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *FederationDomain) DeepCopyInto(out *FederationDomain) { *out = *in @@ -157,7 +174,7 @@ func (in *OIDCClient) DeepCopyInto(out *OIDCClient) { out.TypeMeta = in.TypeMeta in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) in.Spec.DeepCopyInto(&out.Spec) - out.Status = in.Status + in.Status.DeepCopyInto(&out.Status) return } @@ -246,6 +263,13 @@ func (in *OIDCClientSpec) DeepCopy() *OIDCClientSpec { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *OIDCClientStatus) DeepCopyInto(out *OIDCClientStatus) { *out = *in + if in.Conditions != nil { + in, out := &in.Conditions, &out.Conditions + *out = make([]Condition, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } return } diff --git a/generated/1.19/crds/config.supervisor.pinniped.dev_oidcclients.yaml b/generated/1.19/crds/config.supervisor.pinniped.dev_oidcclients.yaml index 6030582f..b5569275 100644 --- a/generated/1.19/crds/config.supervisor.pinniped.dev_oidcclients.yaml +++ b/generated/1.19/crds/config.supervisor.pinniped.dev_oidcclients.yaml 
@@ -115,6 +115,82 @@ spec: type: object status: description: Status of the OIDC client. + properties: + conditions: + description: Represents the observations of an OIDCClient's current + state. + items: + description: Condition status of a resource (mirrored from the metav1.Condition + type added in Kubernetes 1.19). In a future API version we can + switch to using the upstream type. See https://github.com/kubernetes/apimachinery/blob/v0.19.0/pkg/apis/meta/v1/types.go#L1353-L1413. + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. 
+ enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + phase: + default: Pending + description: Phase summarizes the overall status of the OIDCClient. + enum: + - Pending + - Ready + - Error + type: string type: object required: - spec diff --git a/generated/1.20/README.adoc b/generated/1.20/README.adoc index f570511d..493e4ba2 100644 --- a/generated/1.20/README.adoc +++ b/generated/1.20/README.adoc 
@@ -575,6 +575,28 @@ Package v1alpha1 is the v1alpha1 version of the Pinniped supervisor configuratio +[id="{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-supervisor-config-v1alpha1-condition"] +==== Condition + +Condition status of a resource (mirrored from the metav1.Condition type added in Kubernetes 1.19). In a future API version we can switch to using the upstream type. See https://github.com/kubernetes/apimachinery/blob/v0.19.0/pkg/apis/meta/v1/types.go#L1353-L1413. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-supervisor-config-v1alpha1-oidcclientstatus[$$OIDCClientStatus$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`type`* __string__ | type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) +| *`status`* __ConditionStatus__ | status of the condition, one of True, False, Unknown. +| *`observedGeneration`* __integer__ | observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. +| *`lastTransitionTime`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.2/#time-v1-meta[$$Time$$]__ | lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. +| *`reason`* __string__ | reason contains a programmatic identifier indicating the reason for the condition's last transition. 
Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. +| *`message`* __string__ | message is a human readable message indicating details about the transition. This may be an empty string. +|=== + + [id="{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-supervisor-config-v1alpha1-federationdomain"] ==== FederationDomain @@ -720,6 +742,22 @@ OIDCClientSpec is a struct that describes an OIDC Client. |=== +[id="{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-supervisor-config-v1alpha1-oidcclientstatus"] +==== OIDCClientStatus + +OIDCClientStatus is a struct that describes the actual state of an OIDCClient. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-supervisor-config-v1alpha1-oidcclient[$$OIDCClient$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`phase`* __OIDCClientPhase__ | Phase summarizes the overall status of the OIDCClient. +| *`conditions`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-supervisor-config-v1alpha1-condition[$$Condition$$] array__ | Represents the observations of an OIDCClient's current state. +|=== diff --git a/generated/1.20/apis/supervisor/config/v1alpha1/types_meta.go b/generated/1.20/apis/supervisor/config/v1alpha1/types_meta.go new file mode 100644 index 00000000..cd46a471 --- /dev/null +++ b/generated/1.20/apis/supervisor/config/v1alpha1/types_meta.go 
@@ -0,0 +1,75 @@ +// Copyright 2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +package v1alpha1 + +import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + +// ConditionStatus is effectively an enum type for Condition.Status. +type ConditionStatus string + +// These are valid condition statuses. "ConditionTrue" means a resource is in the condition. +// "ConditionFalse" means a resource is not in the condition. "ConditionUnknown" means kubernetes +// can't decide if a resource is in the condition or not. In the future, we could add other +// intermediate conditions, e.g. ConditionDegraded. +const ( + ConditionTrue ConditionStatus = "True" + ConditionFalse ConditionStatus = "False" + ConditionUnknown ConditionStatus = "Unknown" +) + +// Condition status of a resource (mirrored from the metav1.Condition type added in Kubernetes 1.19). In a future API +// version we can switch to using the upstream type. +// See https://github.com/kubernetes/apimachinery/blob/v0.19.0/pkg/apis/meta/v1/types.go#L1353-L1413. +type Condition struct { + // type of condition in CamelCase or in foo.example.com/CamelCase. + // --- + // Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + // useful (see .node.status.conditions), the ability to deconflict is important. + // The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + // +required + // +kubebuilder:validation:Required + // +kubebuilder:validation:Pattern=`^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$` + // +kubebuilder:validation:MaxLength=316 + Type string `json:"type"` + + // status of the condition, one of True, False, Unknown. 
+ // +required + // +kubebuilder:validation:Required + // +kubebuilder:validation:Enum=True;False;Unknown + Status ConditionStatus `json:"status"` + + // observedGeneration represents the .metadata.generation that the condition was set based upon. + // For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + // with respect to the current state of the instance. + // +optional + // +kubebuilder:validation:Minimum=0 + ObservedGeneration int64 `json:"observedGeneration,omitempty"` + + // lastTransitionTime is the last time the condition transitioned from one status to another. + // This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + // +required + // +kubebuilder:validation:Required + // +kubebuilder:validation:Type=string + // +kubebuilder:validation:Format=date-time + LastTransitionTime metav1.Time `json:"lastTransitionTime"` + + // reason contains a programmatic identifier indicating the reason for the condition's last transition. + // Producers of specific condition types may define expected values and meanings for this field, + // and whether the values are considered a guaranteed API. + // The value should be a CamelCase string. + // This field may not be empty. + // +required + // +kubebuilder:validation:Required + // +kubebuilder:validation:MaxLength=1024 + // +kubebuilder:validation:MinLength=1 + // +kubebuilder:validation:Pattern=`^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$` + Reason string `json:"reason"` + + // message is a human readable message indicating details about the transition. + // This may be an empty string. + // +required + // +kubebuilder:validation:Required + // +kubebuilder:validation:MaxLength=32768 + Message string `json:"message"` +} 
diff --git a/generated/1.20/apis/supervisor/config/v1alpha1/types_oidcclient.go b/generated/1.20/apis/supervisor/config/v1alpha1/types_oidcclient.go index 17a1103f..1bc7399d 100644 --- a/generated/1.20/apis/supervisor/config/v1alpha1/types_oidcclient.go +++ b/generated/1.20/apis/supervisor/config/v1alpha1/types_oidcclient.go @@ -3,8 +3,19 @@ package v1alpha1 -import ( - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" +import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + +type OIDCClientPhase string + +const ( + // PhasePending is the default phase for newly-created OIDCClient resources. + PhasePending OIDCClientPhase = "Pending" + + // PhaseReady is the phase for an OIDCClient resource in a healthy state. + PhaseReady OIDCClientPhase = "Ready" + + // PhaseError is the phase for an OIDCClient in an unhealthy state. + PhaseError OIDCClientPhase = "Error" ) // +kubebuilder:validation:Pattern=`^https://.+|^http://(127\.0\.0\.1|\[::1\])(:\d+)?/` @@ -62,8 +73,19 @@ type OIDCClientSpec struct { AllowedScopes []Scope `json:"allowedScopes"` } -// OIDCClientStatus is a struct that describes the actual state of an OIDC Client. +// OIDCClientStatus is a struct that describes the actual state of an OIDCClient. type OIDCClientStatus struct { + // Phase summarizes the overall status of the OIDCClient. + // +kubebuilder:default=Pending + // +kubebuilder:validation:Enum=Pending;Ready;Error + Phase OIDCClientPhase `json:"phase,omitempty"` + + // Represents the observations of an OIDCClient's current state. + // +patchMergeKey=type + // +patchStrategy=merge + // +listType=map + // +listMapKey=type + Conditions []Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"` } // OIDCClient describes the configuration of an OIDC client. diff --git a/generated/1.20/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go b/generated/1.20/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go index f4468886..3e7f07d0 100644 
--- a/generated/1.20/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go +++ b/generated/1.20/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go @@ -12,6 +12,23 @@ import ( runtime "k8s.io/apimachinery/pkg/runtime" ) +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *Condition) DeepCopyInto(out *Condition) { + *out = *in + in.LastTransitionTime.DeepCopyInto(&out.LastTransitionTime) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Condition. +func (in *Condition) DeepCopy() *Condition { + if in == nil { + return nil + } + out := new(Condition) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *FederationDomain) DeepCopyInto(out *FederationDomain) { *out = *in @@ -157,7 +174,7 @@ func (in *OIDCClient) DeepCopyInto(out *OIDCClient) { out.TypeMeta = in.TypeMeta in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) in.Spec.DeepCopyInto(&out.Spec) - out.Status = in.Status + in.Status.DeepCopyInto(&out.Status) return } @@ -246,6 +263,13 @@ func (in *OIDCClientSpec) DeepCopy() *OIDCClientSpec { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *OIDCClientStatus) DeepCopyInto(out *OIDCClientStatus) { *out = *in + if in.Conditions != nil { + in, out := &in.Conditions, &out.Conditions + *out = make([]Condition, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } return } diff --git a/generated/1.20/crds/config.supervisor.pinniped.dev_oidcclients.yaml b/generated/1.20/crds/config.supervisor.pinniped.dev_oidcclients.yaml index 6030582f..b5569275 100644 --- a/generated/1.20/crds/config.supervisor.pinniped.dev_oidcclients.yaml +++ b/generated/1.20/crds/config.supervisor.pinniped.dev_oidcclients.yaml 
@@ -115,6 +115,82 @@ spec: type: object status: description: Status of the OIDC client. + properties: + conditions: + description: Represents the observations of an OIDCClient's current + state. + items: + description: Condition status of a resource (mirrored from the metav1.Condition + type added in Kubernetes 1.19). In a future API version we can + switch to using the upstream type. See https://github.com/kubernetes/apimachinery/blob/v0.19.0/pkg/apis/meta/v1/types.go#L1353-L1413. + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. 
+ enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + phase: + default: Pending + description: Phase summarizes the overall status of the OIDCClient. + enum: + - Pending + - Ready + - Error + type: string type: object required: - spec diff --git a/generated/1.21/README.adoc b/generated/1.21/README.adoc index 768478db..59be6db3 100644 --- a/generated/1.21/README.adoc +++ b/generated/1.21/README.adoc 
@@ -575,6 +575,28 @@ Package v1alpha1 is the v1alpha1 version of the Pinniped supervisor configuratio +[id="{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-config-v1alpha1-condition"] +==== Condition + +Condition status of a resource (mirrored from the metav1.Condition type added in Kubernetes 1.19). In a future API version we can switch to using the upstream type. See https://github.com/kubernetes/apimachinery/blob/v0.19.0/pkg/apis/meta/v1/types.go#L1353-L1413. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-config-v1alpha1-oidcclientstatus[$$OIDCClientStatus$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`type`* __string__ | type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) +| *`status`* __ConditionStatus__ | status of the condition, one of True, False, Unknown. +| *`observedGeneration`* __integer__ | observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. +| *`lastTransitionTime`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.21/#time-v1-meta[$$Time$$]__ | lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. +| *`reason`* __string__ | reason contains a programmatic identifier indicating the reason for the condition's last transition. 
Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. +| *`message`* __string__ | message is a human readable message indicating details about the transition. This may be an empty string. +|=== + + [id="{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-config-v1alpha1-federationdomain"] ==== FederationDomain @@ -720,6 +742,22 @@ OIDCClientSpec is a struct that describes an OIDC Client. |=== +[id="{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-config-v1alpha1-oidcclientstatus"] +==== OIDCClientStatus + +OIDCClientStatus is a struct that describes the actual state of an OIDCClient. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-config-v1alpha1-oidcclient[$$OIDCClient$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`phase`* __OIDCClientPhase__ | Phase summarizes the overall status of the OIDCClient. +| *`conditions`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-config-v1alpha1-condition[$$Condition$$] array__ | Represents the observations of an OIDCClient's current state. +|=== diff --git a/generated/1.21/apis/supervisor/config/v1alpha1/types_meta.go b/generated/1.21/apis/supervisor/config/v1alpha1/types_meta.go new file mode 100644 index 00000000..cd46a471 --- /dev/null +++ b/generated/1.21/apis/supervisor/config/v1alpha1/types_meta.go 
@@ -0,0 +1,75 @@ +// Copyright 2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +package v1alpha1 + +import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + +// ConditionStatus is effectively an enum type for Condition.Status. +type ConditionStatus string + +// These are valid condition statuses. "ConditionTrue" means a resource is in the condition. +// "ConditionFalse" means a resource is not in the condition. "ConditionUnknown" means kubernetes +// can't decide if a resource is in the condition or not. In the future, we could add other +// intermediate conditions, e.g. ConditionDegraded. +const ( + ConditionTrue ConditionStatus = "True" + ConditionFalse ConditionStatus = "False" + ConditionUnknown ConditionStatus = "Unknown" +) + +// Condition status of a resource (mirrored from the metav1.Condition type added in Kubernetes 1.19). In a future API +// version we can switch to using the upstream type. +// See https://github.com/kubernetes/apimachinery/blob/v0.19.0/pkg/apis/meta/v1/types.go#L1353-L1413. +type Condition struct { + // type of condition in CamelCase or in foo.example.com/CamelCase. + // --- + // Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + // useful (see .node.status.conditions), the ability to deconflict is important. + // The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + // +required + // +kubebuilder:validation:Required + // +kubebuilder:validation:Pattern=`^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$` + // +kubebuilder:validation:MaxLength=316 + Type string `json:"type"` + + // status of the condition, one of True, False, Unknown. 
+ // +required + // +kubebuilder:validation:Required + // +kubebuilder:validation:Enum=True;False;Unknown + Status ConditionStatus `json:"status"` + + // observedGeneration represents the .metadata.generation that the condition was set based upon. + // For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + // with respect to the current state of the instance. + // +optional + // +kubebuilder:validation:Minimum=0 + ObservedGeneration int64 `json:"observedGeneration,omitempty"` + + // lastTransitionTime is the last time the condition transitioned from one status to another. + // This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + // +required + // +kubebuilder:validation:Required + // +kubebuilder:validation:Type=string + // +kubebuilder:validation:Format=date-time + LastTransitionTime metav1.Time `json:"lastTransitionTime"` + + // reason contains a programmatic identifier indicating the reason for the condition's last transition. + // Producers of specific condition types may define expected values and meanings for this field, + // and whether the values are considered a guaranteed API. + // The value should be a CamelCase string. + // This field may not be empty. + // +required + // +kubebuilder:validation:Required + // +kubebuilder:validation:MaxLength=1024 + // +kubebuilder:validation:MinLength=1 + // +kubebuilder:validation:Pattern=`^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$` + Reason string `json:"reason"` + + // message is a human readable message indicating details about the transition. + // This may be an empty string. + // +required + // +kubebuilder:validation:Required + // +kubebuilder:validation:MaxLength=32768 + Message string `json:"message"` +} 
diff --git a/generated/1.21/apis/supervisor/config/v1alpha1/types_oidcclient.go b/generated/1.21/apis/supervisor/config/v1alpha1/types_oidcclient.go index 17a1103f..1bc7399d 100644 --- a/generated/1.21/apis/supervisor/config/v1alpha1/types_oidcclient.go +++ b/generated/1.21/apis/supervisor/config/v1alpha1/types_oidcclient.go @@ -3,8 +3,19 @@ package v1alpha1 -import ( - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" +import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + +type OIDCClientPhase string + +const ( + // PhasePending is the default phase for newly-created OIDCClient resources. + PhasePending OIDCClientPhase = "Pending" + + // PhaseReady is the phase for an OIDCClient resource in a healthy state. + PhaseReady OIDCClientPhase = "Ready" + + // PhaseError is the phase for an OIDCClient in an unhealthy state. + PhaseError OIDCClientPhase = "Error" ) // +kubebuilder:validation:Pattern=`^https://.+|^http://(127\.0\.0\.1|\[::1\])(:\d+)?/` @@ -62,8 +73,19 @@ type OIDCClientSpec struct { AllowedScopes []Scope `json:"allowedScopes"` } -// OIDCClientStatus is a struct that describes the actual state of an OIDC Client. +// OIDCClientStatus is a struct that describes the actual state of an OIDCClient. type OIDCClientStatus struct { + // Phase summarizes the overall status of the OIDCClient. + // +kubebuilder:default=Pending + // +kubebuilder:validation:Enum=Pending;Ready;Error + Phase OIDCClientPhase `json:"phase,omitempty"` + + // Represents the observations of an OIDCClient's current state. + // +patchMergeKey=type + // +patchStrategy=merge + // +listType=map + // +listMapKey=type + Conditions []Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"` } // OIDCClient describes the configuration of an OIDC client. diff --git a/generated/1.21/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go b/generated/1.21/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go index f4468886..3e7f07d0 100644 
--- a/generated/1.21/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go +++ b/generated/1.21/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go @@ -12,6 +12,23 @@ import ( runtime "k8s.io/apimachinery/pkg/runtime" ) +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *Condition) DeepCopyInto(out *Condition) { + *out = *in + in.LastTransitionTime.DeepCopyInto(&out.LastTransitionTime) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Condition. +func (in *Condition) DeepCopy() *Condition { + if in == nil { + return nil + } + out := new(Condition) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *FederationDomain) DeepCopyInto(out *FederationDomain) { *out = *in @@ -157,7 +174,7 @@ func (in *OIDCClient) DeepCopyInto(out *OIDCClient) { out.TypeMeta = in.TypeMeta in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) in.Spec.DeepCopyInto(&out.Spec) - out.Status = in.Status + in.Status.DeepCopyInto(&out.Status) return } @@ -246,6 +263,13 @@ func (in *OIDCClientSpec) DeepCopy() *OIDCClientSpec { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *OIDCClientStatus) DeepCopyInto(out *OIDCClientStatus) { *out = *in + if in.Conditions != nil { + in, out := &in.Conditions, &out.Conditions + *out = make([]Condition, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } return } diff --git a/generated/1.21/crds/config.supervisor.pinniped.dev_oidcclients.yaml b/generated/1.21/crds/config.supervisor.pinniped.dev_oidcclients.yaml index 6030582f..b5569275 100644 --- a/generated/1.21/crds/config.supervisor.pinniped.dev_oidcclients.yaml +++ b/generated/1.21/crds/config.supervisor.pinniped.dev_oidcclients.yaml 
@@ -115,6 +115,82 @@ spec: type: object status: description: Status of the OIDC client. + properties: + conditions: + description: Represents the observations of an OIDCClient's current + state. + items: + description: Condition status of a resource (mirrored from the metav1.Condition + type added in Kubernetes 1.19). In a future API version we can + switch to using the upstream type. See https://github.com/kubernetes/apimachinery/blob/v0.19.0/pkg/apis/meta/v1/types.go#L1353-L1413. + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. 
+ enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + phase: + default: Pending + description: Phase summarizes the overall status of the OIDCClient. + enum: + - Pending + - Ready + - Error + type: string type: object required: - spec diff --git a/generated/1.22/README.adoc b/generated/1.22/README.adoc index 8212b9b8..7f4ace33 100644 --- a/generated/1.22/README.adoc +++ b/generated/1.22/README.adoc 
@@ -575,6 +575,28 @@ Package v1alpha1 is the v1alpha1 version of the Pinniped supervisor configuratio +[id="{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-config-v1alpha1-condition"] +==== Condition + +Condition status of a resource (mirrored from the metav1.Condition type added in Kubernetes 1.19). In a future API version we can switch to using the upstream type. See https://github.com/kubernetes/apimachinery/blob/v0.19.0/pkg/apis/meta/v1/types.go#L1353-L1413. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-config-v1alpha1-oidcclientstatus[$$OIDCClientStatus$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`type`* __string__ | type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) +| *`status`* __ConditionStatus__ | status of the condition, one of True, False, Unknown. +| *`observedGeneration`* __integer__ | observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. +| *`lastTransitionTime`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.22/#time-v1-meta[$$Time$$]__ | lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. +| *`reason`* __string__ | reason contains a programmatic identifier indicating the reason for the condition's last transition. 
Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. +| *`message`* __string__ | message is a human readable message indicating details about the transition. This may be an empty string. +|=== + + [id="{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-config-v1alpha1-federationdomain"] ==== FederationDomain @@ -720,6 +742,22 @@ OIDCClientSpec is a struct that describes an OIDC Client. |=== +[id="{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-config-v1alpha1-oidcclientstatus"] +==== OIDCClientStatus + +OIDCClientStatus is a struct that describes the actual state of an OIDCClient. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-config-v1alpha1-oidcclient[$$OIDCClient$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`phase`* __OIDCClientPhase__ | Phase summarizes the overall status of the OIDCClient. +| *`conditions`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-config-v1alpha1-condition[$$Condition$$] array__ | Represents the observations of an OIDCClient's current state. +|=== diff --git a/generated/1.22/apis/supervisor/config/v1alpha1/types_meta.go b/generated/1.22/apis/supervisor/config/v1alpha1/types_meta.go new file mode 100644 index 00000000..cd46a471 --- /dev/null +++ b/generated/1.22/apis/supervisor/config/v1alpha1/types_meta.go 
@@ -0,0 +1,75 @@ +// Copyright 2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +package v1alpha1 + +import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + +// ConditionStatus is effectively an enum type for Condition.Status. +type ConditionStatus string + +// These are valid condition statuses. "ConditionTrue" means a resource is in the condition. +// "ConditionFalse" means a resource is not in the condition. "ConditionUnknown" means kubernetes +// can't decide if a resource is in the condition or not. In the future, we could add other +// intermediate conditions, e.g. ConditionDegraded. +const ( + ConditionTrue ConditionStatus = "True" + ConditionFalse ConditionStatus = "False" + ConditionUnknown ConditionStatus = "Unknown" +) + +// Condition status of a resource (mirrored from the metav1.Condition type added in Kubernetes 1.19). In a future API +// version we can switch to using the upstream type. +// See https://github.com/kubernetes/apimachinery/blob/v0.19.0/pkg/apis/meta/v1/types.go#L1353-L1413. +type Condition struct { + // type of condition in CamelCase or in foo.example.com/CamelCase. + // --- + // Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + // useful (see .node.status.conditions), the ability to deconflict is important. + // The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + // +required + // +kubebuilder:validation:Required + // +kubebuilder:validation:Pattern=`^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$` + // +kubebuilder:validation:MaxLength=316 + Type string `json:"type"` + + // status of the condition, one of True, False, Unknown. 
+ // +required + // +kubebuilder:validation:Required + // +kubebuilder:validation:Enum=True;False;Unknown + Status ConditionStatus `json:"status"` + + // observedGeneration represents the .metadata.generation that the condition was set based upon. + // For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + // with respect to the current state of the instance. + // +optional + // +kubebuilder:validation:Minimum=0 + ObservedGeneration int64 `json:"observedGeneration,omitempty"` + + // lastTransitionTime is the last time the condition transitioned from one status to another. + // This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + // +required + // +kubebuilder:validation:Required + // +kubebuilder:validation:Type=string + // +kubebuilder:validation:Format=date-time + LastTransitionTime metav1.Time `json:"lastTransitionTime"` + + // reason contains a programmatic identifier indicating the reason for the condition's last transition. + // Producers of specific condition types may define expected values and meanings for this field, + // and whether the values are considered a guaranteed API. + // The value should be a CamelCase string. + // This field may not be empty. + // +required + // +kubebuilder:validation:Required + // +kubebuilder:validation:MaxLength=1024 + // +kubebuilder:validation:MinLength=1 + // +kubebuilder:validation:Pattern=`^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$` + Reason string `json:"reason"` + + // message is a human readable message indicating details about the transition. + // This may be an empty string. + // +required + // +kubebuilder:validation:Required + // +kubebuilder:validation:MaxLength=32768 + Message string `json:"message"` +} 
diff --git a/generated/1.22/apis/supervisor/config/v1alpha1/types_oidcclient.go b/generated/1.22/apis/supervisor/config/v1alpha1/types_oidcclient.go index 17a1103f..1bc7399d 100644 --- a/generated/1.22/apis/supervisor/config/v1alpha1/types_oidcclient.go +++ b/generated/1.22/apis/supervisor/config/v1alpha1/types_oidcclient.go @@ -3,8 +3,19 @@ package v1alpha1 -import ( - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" +import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + +type OIDCClientPhase string + +const ( + // PhasePending is the default phase for newly-created OIDCClient resources. + PhasePending OIDCClientPhase = "Pending" + + // PhaseReady is the phase for an OIDCClient resource in a healthy state. + PhaseReady OIDCClientPhase = "Ready" + + // PhaseError is the phase for an OIDCClient in an unhealthy state. + PhaseError OIDCClientPhase = "Error" ) // +kubebuilder:validation:Pattern=`^https://.+|^http://(127\.0\.0\.1|\[::1\])(:\d+)?/` @@ -62,8 +73,19 @@ type OIDCClientSpec struct { AllowedScopes []Scope `json:"allowedScopes"` } -// OIDCClientStatus is a struct that describes the actual state of an OIDC Client. +// OIDCClientStatus is a struct that describes the actual state of an OIDCClient. type OIDCClientStatus struct { + // Phase summarizes the overall status of the OIDCClient. + // +kubebuilder:default=Pending + // +kubebuilder:validation:Enum=Pending;Ready;Error + Phase OIDCClientPhase `json:"phase,omitempty"` + + // Represents the observations of an OIDCClient's current state. + // +patchMergeKey=type + // +patchStrategy=merge + // +listType=map + // +listMapKey=type + Conditions []Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"` } // OIDCClient describes the configuration of an OIDC client. diff --git a/generated/1.22/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go b/generated/1.22/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go index f4468886..3e7f07d0 100644 
--- a/generated/1.22/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go +++ b/generated/1.22/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go @@ -12,6 +12,23 @@ import ( runtime "k8s.io/apimachinery/pkg/runtime" ) +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *Condition) DeepCopyInto(out *Condition) { + *out = *in + in.LastTransitionTime.DeepCopyInto(&out.LastTransitionTime) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Condition. +func (in *Condition) DeepCopy() *Condition { + if in == nil { + return nil + } + out := new(Condition) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *FederationDomain) DeepCopyInto(out *FederationDomain) { *out = *in @@ -157,7 +174,7 @@ func (in *OIDCClient) DeepCopyInto(out *OIDCClient) { out.TypeMeta = in.TypeMeta in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) in.Spec.DeepCopyInto(&out.Spec) - out.Status = in.Status + in.Status.DeepCopyInto(&out.Status) return } @@ -246,6 +263,13 @@ func (in *OIDCClientSpec) DeepCopy() *OIDCClientSpec { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *OIDCClientStatus) DeepCopyInto(out *OIDCClientStatus) { *out = *in + if in.Conditions != nil { + in, out := &in.Conditions, &out.Conditions + *out = make([]Condition, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } return } diff --git a/generated/1.22/crds/config.supervisor.pinniped.dev_oidcclients.yaml b/generated/1.22/crds/config.supervisor.pinniped.dev_oidcclients.yaml index 6030582f..b5569275 100644 --- a/generated/1.22/crds/config.supervisor.pinniped.dev_oidcclients.yaml +++ b/generated/1.22/crds/config.supervisor.pinniped.dev_oidcclients.yaml 
@@ -115,6 +115,82 @@ spec: type: object status: description: Status of the OIDC client. + properties: + conditions: + description: Represents the observations of an OIDCClient's current + state. + items: + description: Condition status of a resource (mirrored from the metav1.Condition + type added in Kubernetes 1.19). In a future API version we can + switch to using the upstream type. See https://github.com/kubernetes/apimachinery/blob/v0.19.0/pkg/apis/meta/v1/types.go#L1353-L1413. + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. 
+ enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + phase: + default: Pending + description: Phase summarizes the overall status of the OIDCClient. + enum: + - Pending + - Ready + - Error + type: string type: object required: - spec diff --git a/generated/1.23/README.adoc b/generated/1.23/README.adoc index e67a0344..ad7d96a6 100644 --- a/generated/1.23/README.adoc +++ b/generated/1.23/README.adoc 
@@ -575,6 +575,28 @@ Package v1alpha1 is the v1alpha1 version of the Pinniped supervisor configuratio +[id="{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-config-v1alpha1-condition"] +==== Condition + +Condition status of a resource (mirrored from the metav1.Condition type added in Kubernetes 1.19). In a future API version we can switch to using the upstream type. See https://github.com/kubernetes/apimachinery/blob/v0.19.0/pkg/apis/meta/v1/types.go#L1353-L1413. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-config-v1alpha1-oidcclientstatus[$$OIDCClientStatus$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`type`* __string__ | type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) +| *`status`* __ConditionStatus__ | status of the condition, one of True, False, Unknown. +| *`observedGeneration`* __integer__ | observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. +| *`lastTransitionTime`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#time-v1-meta[$$Time$$]__ | lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. +| *`reason`* __string__ | reason contains a programmatic identifier indicating the reason for the condition's last transition. 
Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. +| *`message`* __string__ | message is a human readable message indicating details about the transition. This may be an empty string. +|=== + + [id="{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-config-v1alpha1-federationdomain"] ==== FederationDomain @@ -720,6 +742,22 @@ OIDCClientSpec is a struct that describes an OIDC Client. |=== +[id="{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-config-v1alpha1-oidcclientstatus"] +==== OIDCClientStatus + +OIDCClientStatus is a struct that describes the actual state of an OIDCClient. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-config-v1alpha1-oidcclient[$$OIDCClient$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`phase`* __OIDCClientPhase__ | Phase summarizes the overall status of the OIDCClient. +| *`conditions`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-config-v1alpha1-condition[$$Condition$$] array__ | Represents the observations of an OIDCClient's current state. +|=== diff --git a/generated/1.23/apis/supervisor/config/v1alpha1/types_meta.go b/generated/1.23/apis/supervisor/config/v1alpha1/types_meta.go new file mode 100644 index 00000000..cd46a471 --- /dev/null +++ b/generated/1.23/apis/supervisor/config/v1alpha1/types_meta.go 
@@ -0,0 +1,75 @@ +// Copyright 2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +package v1alpha1 + +import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + +// ConditionStatus is effectively an enum type for Condition.Status. +type ConditionStatus string + +// These are valid condition statuses. "ConditionTrue" means a resource is in the condition. +// "ConditionFalse" means a resource is not in the condition. "ConditionUnknown" means kubernetes +// can't decide if a resource is in the condition or not. In the future, we could add other +// intermediate conditions, e.g. ConditionDegraded. +const ( + ConditionTrue ConditionStatus = "True" + ConditionFalse ConditionStatus = "False" + ConditionUnknown ConditionStatus = "Unknown" +) + +// Condition status of a resource (mirrored from the metav1.Condition type added in Kubernetes 1.19). In a future API +// version we can switch to using the upstream type. +// See https://github.com/kubernetes/apimachinery/blob/v0.19.0/pkg/apis/meta/v1/types.go#L1353-L1413. +type Condition struct { + // type of condition in CamelCase or in foo.example.com/CamelCase. + // --- + // Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + // useful (see .node.status.conditions), the ability to deconflict is important. + // The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + // +required + // +kubebuilder:validation:Required + // +kubebuilder:validation:Pattern=`^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$` + // +kubebuilder:validation:MaxLength=316 + Type string `json:"type"` + + // status of the condition, one of True, False, Unknown. 
+ // +required + // +kubebuilder:validation:Required + // +kubebuilder:validation:Enum=True;False;Unknown + Status ConditionStatus `json:"status"` + + // observedGeneration represents the .metadata.generation that the condition was set based upon. + // For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + // with respect to the current state of the instance. + // +optional + // +kubebuilder:validation:Minimum=0 + ObservedGeneration int64 `json:"observedGeneration,omitempty"` + + // lastTransitionTime is the last time the condition transitioned from one status to another. + // This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + // +required + // +kubebuilder:validation:Required + // +kubebuilder:validation:Type=string + // +kubebuilder:validation:Format=date-time + LastTransitionTime metav1.Time `json:"lastTransitionTime"` + + // reason contains a programmatic identifier indicating the reason for the condition's last transition. + // Producers of specific condition types may define expected values and meanings for this field, + // and whether the values are considered a guaranteed API. + // The value should be a CamelCase string. + // This field may not be empty. + // +required + // +kubebuilder:validation:Required + // +kubebuilder:validation:MaxLength=1024 + // +kubebuilder:validation:MinLength=1 + // +kubebuilder:validation:Pattern=`^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$` + Reason string `json:"reason"` + + // message is a human readable message indicating details about the transition. + // This may be an empty string. + // +required + // +kubebuilder:validation:Required + // +kubebuilder:validation:MaxLength=32768 + Message string `json:"message"` +} 
diff --git a/generated/1.23/apis/supervisor/config/v1alpha1/types_oidcclient.go b/generated/1.23/apis/supervisor/config/v1alpha1/types_oidcclient.go index 17a1103f..1bc7399d 100644 --- a/generated/1.23/apis/supervisor/config/v1alpha1/types_oidcclient.go +++ b/generated/1.23/apis/supervisor/config/v1alpha1/types_oidcclient.go @@ -3,8 +3,19 @@ package v1alpha1 -import ( - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" +import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + +type OIDCClientPhase string + +const ( + // PhasePending is the default phase for newly-created OIDCClient resources. + PhasePending OIDCClientPhase = "Pending" + + // PhaseReady is the phase for an OIDCClient resource in a healthy state. + PhaseReady OIDCClientPhase = "Ready" + + // PhaseError is the phase for an OIDCClient in an unhealthy state. + PhaseError OIDCClientPhase = "Error" ) // +kubebuilder:validation:Pattern=`^https://.+|^http://(127\.0\.0\.1|\[::1\])(:\d+)?/` @@ -62,8 +73,19 @@ type OIDCClientSpec struct { AllowedScopes []Scope `json:"allowedScopes"` } -// OIDCClientStatus is a struct that describes the actual state of an OIDC Client. +// OIDCClientStatus is a struct that describes the actual state of an OIDCClient. type OIDCClientStatus struct { + // Phase summarizes the overall status of the OIDCClient. + // +kubebuilder:default=Pending + // +kubebuilder:validation:Enum=Pending;Ready;Error + Phase OIDCClientPhase `json:"phase,omitempty"` + + // Represents the observations of an OIDCClient's current state. + // +patchMergeKey=type + // +patchStrategy=merge + // +listType=map + // +listMapKey=type + Conditions []Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"` } // OIDCClient describes the configuration of an OIDC client. diff --git a/generated/1.23/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go b/generated/1.23/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go index f4468886..3e7f07d0 100644 
--- a/generated/1.23/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go +++ b/generated/1.23/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go @@ -12,6 +12,23 @@ import ( runtime "k8s.io/apimachinery/pkg/runtime" ) +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *Condition) DeepCopyInto(out *Condition) { + *out = *in + in.LastTransitionTime.DeepCopyInto(&out.LastTransitionTime) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Condition. +func (in *Condition) DeepCopy() *Condition { + if in == nil { + return nil + } + out := new(Condition) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *FederationDomain) DeepCopyInto(out *FederationDomain) { *out = *in @@ -157,7 +174,7 @@ func (in *OIDCClient) DeepCopyInto(out *OIDCClient) { out.TypeMeta = in.TypeMeta in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) in.Spec.DeepCopyInto(&out.Spec) - out.Status = in.Status + in.Status.DeepCopyInto(&out.Status) return } @@ -246,6 +263,13 @@ func (in *OIDCClientSpec) DeepCopy() *OIDCClientSpec { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *OIDCClientStatus) DeepCopyInto(out *OIDCClientStatus) { *out = *in + if in.Conditions != nil { + in, out := &in.Conditions, &out.Conditions + *out = make([]Condition, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } return } diff --git a/generated/1.23/crds/config.supervisor.pinniped.dev_oidcclients.yaml b/generated/1.23/crds/config.supervisor.pinniped.dev_oidcclients.yaml index 6030582f..b5569275 100644 --- a/generated/1.23/crds/config.supervisor.pinniped.dev_oidcclients.yaml +++ b/generated/1.23/crds/config.supervisor.pinniped.dev_oidcclients.yaml 
@@ -115,6 +115,82 @@ spec: type: object status: description: Status of the OIDC client. + properties: + conditions: + description: Represents the observations of an OIDCClient's current + state. + items: + description: Condition status of a resource (mirrored from the metav1.Condition + type added in Kubernetes 1.19). In a future API version we can + switch to using the upstream type. See https://github.com/kubernetes/apimachinery/blob/v0.19.0/pkg/apis/meta/v1/types.go#L1353-L1413. + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. 
+ enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + phase: + default: Pending + description: Phase summarizes the overall status of the OIDCClient. + enum: + - Pending + - Ready + - Error + type: string type: object required: - spec diff --git a/generated/1.24/README.adoc b/generated/1.24/README.adoc index 73c3b4bf..9a7ab440 100644 --- a/generated/1.24/README.adoc +++ b/generated/1.24/README.adoc 
@@ -575,6 +575,28 @@ Package v1alpha1 is the v1alpha1 version of the Pinniped supervisor configuratio +[id="{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-config-v1alpha1-condition"] +==== Condition + +Condition status of a resource (mirrored from the metav1.Condition type added in Kubernetes 1.19). In a future API version we can switch to using the upstream type. See https://github.com/kubernetes/apimachinery/blob/v0.19.0/pkg/apis/meta/v1/types.go#L1353-L1413. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-config-v1alpha1-oidcclientstatus[$$OIDCClientStatus$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`type`* __string__ | type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) +| *`status`* __ConditionStatus__ | status of the condition, one of True, False, Unknown. +| *`observedGeneration`* __integer__ | observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. +| *`lastTransitionTime`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#time-v1-meta[$$Time$$]__ | lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. +| *`reason`* __string__ | reason contains a programmatic identifier indicating the reason for the condition's last transition. 
Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. +| *`message`* __string__ | message is a human readable message indicating details about the transition. This may be an empty string. +|=== + + [id="{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-config-v1alpha1-federationdomain"] ==== FederationDomain @@ -720,6 +742,22 @@ OIDCClientSpec is a struct that describes an OIDC Client. |=== +[id="{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-config-v1alpha1-oidcclientstatus"] +==== OIDCClientStatus + +OIDCClientStatus is a struct that describes the actual state of an OIDCClient. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-config-v1alpha1-oidcclient[$$OIDCClient$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`phase`* __OIDCClientPhase__ | Phase summarizes the overall status of the OIDCClient. +| *`conditions`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-config-v1alpha1-condition[$$Condition$$] array__ | Represents the observations of an OIDCClient's current state. +|=== diff --git a/generated/1.24/apis/supervisor/config/v1alpha1/types_meta.go b/generated/1.24/apis/supervisor/config/v1alpha1/types_meta.go new file mode 100644 index 00000000..cd46a471 --- /dev/null +++ b/generated/1.24/apis/supervisor/config/v1alpha1/types_meta.go 
@@ -0,0 +1,75 @@ +// Copyright 2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +package v1alpha1 + +import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + +// ConditionStatus is effectively an enum type for Condition.Status. +type ConditionStatus string + +// These are valid condition statuses. "ConditionTrue" means a resource is in the condition. +// "ConditionFalse" means a resource is not in the condition. "ConditionUnknown" means kubernetes +// can't decide if a resource is in the condition or not. In the future, we could add other +// intermediate conditions, e.g. ConditionDegraded. +const ( + ConditionTrue ConditionStatus = "True" + ConditionFalse ConditionStatus = "False" + ConditionUnknown ConditionStatus = "Unknown" +) + +// Condition status of a resource (mirrored from the metav1.Condition type added in Kubernetes 1.19). In a future API +// version we can switch to using the upstream type. +// See https://github.com/kubernetes/apimachinery/blob/v0.19.0/pkg/apis/meta/v1/types.go#L1353-L1413. +type Condition struct { + // type of condition in CamelCase or in foo.example.com/CamelCase. + // --- + // Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + // useful (see .node.status.conditions), the ability to deconflict is important. + // The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + // +required + // +kubebuilder:validation:Required + // +kubebuilder:validation:Pattern=`^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$` + // +kubebuilder:validation:MaxLength=316 + Type string `json:"type"` + + // status of the condition, one of True, False, Unknown. 
+ // +required + // +kubebuilder:validation:Required + // +kubebuilder:validation:Enum=True;False;Unknown + Status ConditionStatus `json:"status"` + + // observedGeneration represents the .metadata.generation that the condition was set based upon. + // For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + // with respect to the current state of the instance. + // +optional + // +kubebuilder:validation:Minimum=0 + ObservedGeneration int64 `json:"observedGeneration,omitempty"` + + // lastTransitionTime is the last time the condition transitioned from one status to another. + // This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + // +required + // +kubebuilder:validation:Required + // +kubebuilder:validation:Type=string + // +kubebuilder:validation:Format=date-time + LastTransitionTime metav1.Time `json:"lastTransitionTime"` + + // reason contains a programmatic identifier indicating the reason for the condition's last transition. + // Producers of specific condition types may define expected values and meanings for this field, + // and whether the values are considered a guaranteed API. + // The value should be a CamelCase string. + // This field may not be empty. + // +required + // +kubebuilder:validation:Required + // +kubebuilder:validation:MaxLength=1024 + // +kubebuilder:validation:MinLength=1 + // +kubebuilder:validation:Pattern=`^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$` + Reason string `json:"reason"` + + // message is a human readable message indicating details about the transition. + // This may be an empty string. + // +required + // +kubebuilder:validation:Required + // +kubebuilder:validation:MaxLength=32768 + Message string `json:"message"` +} 
diff --git a/generated/1.24/apis/supervisor/config/v1alpha1/types_oidcclient.go b/generated/1.24/apis/supervisor/config/v1alpha1/types_oidcclient.go index 17a1103f..1bc7399d 100644 --- a/generated/1.24/apis/supervisor/config/v1alpha1/types_oidcclient.go +++ b/generated/1.24/apis/supervisor/config/v1alpha1/types_oidcclient.go @@ -3,8 +3,19 @@ package v1alpha1 -import ( - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" +import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + +type OIDCClientPhase string + +const ( + // PhasePending is the default phase for newly-created OIDCClient resources. + PhasePending OIDCClientPhase = "Pending" + + // PhaseReady is the phase for an OIDCClient resource in a healthy state. + PhaseReady OIDCClientPhase = "Ready" + + // PhaseError is the phase for an OIDCClient in an unhealthy state. + PhaseError OIDCClientPhase = "Error" ) // +kubebuilder:validation:Pattern=`^https://.+|^http://(127\.0\.0\.1|\[::1\])(:\d+)?/` @@ -62,8 +73,19 @@ type OIDCClientSpec struct { AllowedScopes []Scope `json:"allowedScopes"` } -// OIDCClientStatus is a struct that describes the actual state of an OIDC Client. +// OIDCClientStatus is a struct that describes the actual state of an OIDCClient. type OIDCClientStatus struct { + // Phase summarizes the overall status of the OIDCClient. + // +kubebuilder:default=Pending + // +kubebuilder:validation:Enum=Pending;Ready;Error + Phase OIDCClientPhase `json:"phase,omitempty"` + + // Represents the observations of an OIDCClient's current state. + // +patchMergeKey=type + // +patchStrategy=merge + // +listType=map + // +listMapKey=type + Conditions []Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"` } // OIDCClient describes the configuration of an OIDC client. diff --git a/generated/1.24/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go b/generated/1.24/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go index f4468886..3e7f07d0 100644 
--- a/generated/1.24/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go +++ b/generated/1.24/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go @@ -12,6 +12,23 @@ import ( runtime "k8s.io/apimachinery/pkg/runtime" ) +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *Condition) DeepCopyInto(out *Condition) { + *out = *in + in.LastTransitionTime.DeepCopyInto(&out.LastTransitionTime) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Condition. +func (in *Condition) DeepCopy() *Condition { + if in == nil { + return nil + } + out := new(Condition) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *FederationDomain) DeepCopyInto(out *FederationDomain) { *out = *in @@ -157,7 +174,7 @@ func (in *OIDCClient) DeepCopyInto(out *OIDCClient) { out.TypeMeta = in.TypeMeta in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) in.Spec.DeepCopyInto(&out.Spec) - out.Status = in.Status + in.Status.DeepCopyInto(&out.Status) return } @@ -246,6 +263,13 @@ func (in *OIDCClientSpec) DeepCopy() *OIDCClientSpec { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *OIDCClientStatus) DeepCopyInto(out *OIDCClientStatus) { *out = *in + if in.Conditions != nil { + in, out := &in.Conditions, &out.Conditions + *out = make([]Condition, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } return } diff --git a/generated/1.24/crds/config.supervisor.pinniped.dev_oidcclients.yaml b/generated/1.24/crds/config.supervisor.pinniped.dev_oidcclients.yaml index 6030582f..b5569275 100644 --- a/generated/1.24/crds/config.supervisor.pinniped.dev_oidcclients.yaml +++ b/generated/1.24/crds/config.supervisor.pinniped.dev_oidcclients.yaml 
@@ -115,6 +115,82 @@ spec: type: object status: description: Status of the OIDC client. + properties: + conditions: + description: Represents the observations of an OIDCClient's current + state. + items: + description: Condition status of a resource (mirrored from the metav1.Condition + type added in Kubernetes 1.19). In a future API version we can + switch to using the upstream type. See https://github.com/kubernetes/apimachinery/blob/v0.19.0/pkg/apis/meta/v1/types.go#L1353-L1413. + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. 
+ enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + phase: + default: Pending + description: Phase summarizes the overall status of the OIDCClient. + enum: + - Pending + - Ready + - Error + type: string type: object required: - spec diff --git a/generated/latest/apis/supervisor/config/v1alpha1/types_meta.go b/generated/latest/apis/supervisor/config/v1alpha1/types_meta.go new file mode 100644 index 00000000..cd46a471 --- /dev/null +++ b/generated/latest/apis/supervisor/config/v1alpha1/types_meta.go 
@@ -0,0 +1,75 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+// ConditionStatus is effectively an enum type for Condition.Status.
+type ConditionStatus string
+
+// These are valid condition statuses. "ConditionTrue" means a resource is in the condition.
+// "ConditionFalse" means a resource is not in the condition. "ConditionUnknown" means kubernetes
+// can't decide if a resource is in the condition or not. In the future, we could add other
+// intermediate conditions, e.g. ConditionDegraded.
+const (
+ ConditionTrue ConditionStatus = "True"
+ ConditionFalse ConditionStatus = "False"
+ ConditionUnknown ConditionStatus = "Unknown"
+)
+
+// Condition status of a resource (mirrored from the metav1.Condition type added in Kubernetes 1.19). In a future API
+// version we can switch to using the upstream type.
+// See https://github.com/kubernetes/apimachinery/blob/v0.19.0/pkg/apis/meta/v1/types.go#L1353-L1413.
+type Condition struct {
+ // type of condition in CamelCase or in foo.example.com/CamelCase.
+ // ---
+ // Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
+ // useful (see .node.status.conditions), the ability to deconflict is important.
+ // The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+ // +required
+ // +kubebuilder:validation:Required
+ // +kubebuilder:validation:Pattern=`^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$`
+ // +kubebuilder:validation:MaxLength=316
+ Type string `json:"type"`
+
+ // status of the condition, one of True, False, Unknown.
+ // +required
+ // +kubebuilder:validation:Required
+ // +kubebuilder:validation:Enum=True;False;Unknown
+ Status ConditionStatus `json:"status"`
+
+ // observedGeneration represents the .metadata.generation that the condition was set based upon.
+ // For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+ // with respect to the current state of the instance.
+ // +optional
+ // +kubebuilder:validation:Minimum=0
+ ObservedGeneration int64 `json:"observedGeneration,omitempty"`
+
+ // lastTransitionTime is the last time the condition transitioned from one status to another.
+ // This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
+ // +required
+ // +kubebuilder:validation:Required
+ // +kubebuilder:validation:Type=string
+ // +kubebuilder:validation:Format=date-time
+ LastTransitionTime metav1.Time `json:"lastTransitionTime"`
+
+ // reason contains a programmatic identifier indicating the reason for the condition's last transition.
+ // Producers of specific condition types may define expected values and meanings for this field,
+ // and whether the values are considered a guaranteed API.
+ // The value should be a CamelCase string.
+ // This field may not be empty.
+ // +required
+ // +kubebuilder:validation:Required
+ // +kubebuilder:validation:MaxLength=1024
+ // +kubebuilder:validation:MinLength=1
+ // +kubebuilder:validation:Pattern=`^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$`
+ Reason string `json:"reason"`
+
+ // message is a human readable message indicating details about the transition.
+ // This may be an empty string.
+ // +required
+ // +kubebuilder:validation:Required
+ // +kubebuilder:validation:MaxLength=32768
+ Message string `json:"message"`
+}
diff --git a/generated/latest/apis/supervisor/config/v1alpha1/types_oidcclient.go b/generated/latest/apis/supervisor/config/v1alpha1/types_oidcclient.go
index 17a1103f..1bc7399d 100644
--- a/generated/latest/apis/supervisor/config/v1alpha1/types_oidcclient.go
+++ b/generated/latest/apis/supervisor/config/v1alpha1/types_oidcclient.go
@@ -3,8 +3,19 @@
 
 package v1alpha1
 
-import (
- metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+type OIDCClientPhase string
+
+const (
+ // PhasePending is the default phase for newly-created OIDCClient resources.
+ PhasePending OIDCClientPhase = "Pending"
+
+ // PhaseReady is the phase for an OIDCClient resource in a healthy state.
+ PhaseReady OIDCClientPhase = "Ready"
+
+ // PhaseError is the phase for an OIDCClient in an unhealthy state.
+ PhaseError OIDCClientPhase = "Error"
 )
 
 // +kubebuilder:validation:Pattern=`^https://.+|^http://(127\.0\.0\.1|\[::1\])(:\d+)?/`
@@ -62,8 +73,19 @@ type OIDCClientSpec struct {
 AllowedScopes []Scope `json:"allowedScopes"`
 }
 
-// OIDCClientStatus is a struct that describes the actual state of an OIDC Client.
+// OIDCClientStatus is a struct that describes the actual state of an OIDCClient.
 type OIDCClientStatus struct {
+ // Phase summarizes the overall status of the OIDCClient.
+ // +kubebuilder:default=Pending
+ // +kubebuilder:validation:Enum=Pending;Ready;Error
+ Phase OIDCClientPhase `json:"phase,omitempty"`
+
+ // Represents the observations of an OIDCClient's current state.
+ // +patchMergeKey=type
+ // +patchStrategy=merge
+ // +listType=map
+ // +listMapKey=type
+ Conditions []Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"`
 }
 
 // OIDCClient describes the configuration of an OIDC client.
diff --git a/generated/latest/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go b/generated/latest/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go
index f4468886..3e7f07d0 100644
--- a/generated/latest/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go
+++ b/generated/latest/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go
@@ -12,6 +12,23 @@ import (
 runtime "k8s.io/apimachinery/pkg/runtime"
 )
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Condition) DeepCopyInto(out *Condition) {
+ *out = *in
+ in.LastTransitionTime.DeepCopyInto(&out.LastTransitionTime)
+ return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Condition.
+func (in *Condition) DeepCopy() *Condition {
+ if in == nil {
+ return nil
+ }
+ out := new(Condition)
+ in.DeepCopyInto(out)
+ return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *FederationDomain) DeepCopyInto(out *FederationDomain) {
 *out = *in
@@ -157,7 +174,7 @@ func (in *OIDCClient) DeepCopyInto(out *OIDCClient) {
 out.TypeMeta = in.TypeMeta
 in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
 in.Spec.DeepCopyInto(&out.Spec)
- out.Status = in.Status
+ in.Status.DeepCopyInto(&out.Status)
 return
 }
 
@@ -246,6 +263,13 @@ func (in *OIDCClientSpec) DeepCopy() *OIDCClientSpec {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *OIDCClientStatus) DeepCopyInto(out *OIDCClientStatus) {
 *out = *in
+ if in.Conditions != nil {
+ in, out := &in.Conditions, &out.Conditions
+ *out = make([]Condition, len(*in))
+ for i := range *in {
+ (*in)[i].DeepCopyInto(&(*out)[i])
+ }
+ }
 return
 }
 
diff --git a/internal/controller/conditionsutil/conditions_util.go b/internal/controller/conditionsutil/conditions_util.go
new file mode 100644
index 00000000..431c1052
--- /dev/null
+++ b/internal/controller/conditionsutil/conditions_util.go
@@ -0,0 +1,123 @@
+// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package conditionsutil
+
+import (
+ "sort"
+
+ "k8s.io/apimachinery/pkg/api/equality"
+ v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+ configv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/config/v1alpha1"
+ idpv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/idp/v1alpha1"
+ "go.pinniped.dev/internal/plog"
+)
+
+// MergeIDPConditions merges conditions into conditionsToUpdate. If returns true if it merged any error conditions.
+func MergeIDPConditions(conditions []*idpv1alpha1.Condition, observedGeneration int64, conditionsToUpdate *[]idpv1alpha1.Condition, log plog.MinLogger) bool {
+ hadErrorCondition := false
+ for i := range conditions {
+ cond := conditions[i].DeepCopy()
+ cond.LastTransitionTime = v1.Now()
+ cond.ObservedGeneration = observedGeneration
+ if mergeIDPCondition(conditionsToUpdate, cond) {
+ log.Info("updated condition", "type", cond.Type, "status", cond.Status, "reason", cond.Reason, "message", cond.Message)
+ }
+ if cond.Status == idpv1alpha1.ConditionFalse {
+ hadErrorCondition = true
+ }
+ }
+ sort.SliceStable(*conditionsToUpdate, func(i, j int) bool {
+ return (*conditionsToUpdate)[i].Type < (*conditionsToUpdate)[j].Type
+ })
+ return hadErrorCondition
+}
+
+// mergeIDPCondition merges a new idpv1alpha1.Condition into a slice of existing conditions. It returns true
+// if the condition has meaningfully changed.
+func mergeIDPCondition(existing *[]idpv1alpha1.Condition, new *idpv1alpha1.Condition) bool {
+ // Find any existing condition with a matching type.
+ var old *idpv1alpha1.Condition
+ for i := range *existing {
+ if (*existing)[i].Type == new.Type {
+ old = &(*existing)[i]
+ continue
+ }
+ }
+
+ // If there is no existing condition of this type, append this one and we're done.
+ if old == nil {
+ *existing = append(*existing, *new)
+ return true
+ }
+
+ // Set the LastTransitionTime depending on whether the status has changed.
+ new = new.DeepCopy()
+ if old.Status == new.Status {
+ new.LastTransitionTime = old.LastTransitionTime
+ }
+
+ // If anything has actually changed, update the entry and return true.
+ if !equality.Semantic.DeepEqual(old, new) {
+ *old = *new
+ return true
+ }
+
+ // Otherwise the entry is already up to date.
+ return false
+}
+
+// MergeConfigConditions merges conditions into conditionsToUpdate. If returns true if it merged any error conditions.
+func MergeConfigConditions(conditions []*configv1alpha1.Condition, observedGeneration int64, conditionsToUpdate *[]configv1alpha1.Condition, log plog.MinLogger) bool {
+ hadErrorCondition := false
+ for i := range conditions {
+ cond := conditions[i].DeepCopy()
+ cond.LastTransitionTime = v1.Now()
+ cond.ObservedGeneration = observedGeneration
+ if mergeConfigCondition(conditionsToUpdate, cond) {
+ log.Info("updated condition", "type", cond.Type, "status", cond.Status, "reason", cond.Reason, "message", cond.Message)
+ }
+ if cond.Status == configv1alpha1.ConditionFalse {
+ hadErrorCondition = true
+ }
+ }
+ sort.SliceStable(*conditionsToUpdate, func(i, j int) bool {
+ return (*conditionsToUpdate)[i].Type < (*conditionsToUpdate)[j].Type
+ })
+ return hadErrorCondition
+}
+
+// mergeConfigCondition merges a new idpv1alpha1.Condition into a slice of existing conditions. It returns true
+// if the condition has meaningfully changed.
+func mergeConfigCondition(existing *[]configv1alpha1.Condition, new *configv1alpha1.Condition) bool {
+ // Find any existing condition with a matching type.
+ var old *configv1alpha1.Condition
+ for i := range *existing {
+ if (*existing)[i].Type == new.Type {
+ old = &(*existing)[i]
+ continue
+ }
+ }
+
+ // If there is no existing condition of this type, append this one and we're done.
+ if old == nil {
+ *existing = append(*existing, *new)
+ return true
+ }
+
+ // Set the LastTransitionTime depending on whether the status has changed.
+ new = new.DeepCopy()
+ if old.Status == new.Status {
+ new.LastTransitionTime = old.LastTransitionTime
+ }
+
+ // If anything has actually changed, update the entry and return true.
+ if !equality.Semantic.DeepEqual(old, new) {
+ *old = *new
+ return true
+ }
+
+ // Otherwise the entry is already up to date.
+ return false
+}
diff --git a/internal/controller/conditionsutil/conditions_util.go.go b/internal/controller/conditionsutil/conditions_util.go.go
deleted file mode 100644
index dec4695a..00000000
--- a/internal/controller/conditionsutil/conditions_util.go.go
+++ /dev/null
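Review bot: The doc comment on mergeConfigCondition still says it merges `a new idpv1alpha1.Condition`, which is left over from the copy; it should read `// mergeConfigCondition merges a new configv1alpha1.Condition into a slice of existing conditions.`. Both exported doc comments also carry the pre-existing typo `If returns true if it merged any error conditions.`, which should be `It returns true if it merged any error conditions.`. In the lookup loop of both merge helpers, `continue` after `old = &(*existing)[i]` means a later duplicate of the same type wins rather than the first match; `break` would express the apparent intent and stop the scan early. The IDP and Config variants are otherwise line-for-line identical, so if the module's Go version allows it a single generic implementation over a small constraint would remove the duplication, and renaming the `new` parameter would stop it shadowing the builtin.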
@@ -1,68 +0,0 @@
-// Copyright 2021 the Pinniped contributors. All Rights Reserved.
-// SPDX-License-Identifier: Apache-2.0
-
-package conditionsutil
-
-import (
- "sort"
-
- "k8s.io/apimachinery/pkg/api/equality"
- v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-
- "go.pinniped.dev/generated/latest/apis/supervisor/idp/v1alpha1"
- "go.pinniped.dev/internal/plog"
-)
-
-// Merge merges conditions into conditionsToUpdate. If returns true if it merged any error conditions.
-func Merge(conditions []*v1alpha1.Condition, observedGeneration int64, conditionsToUpdate *[]v1alpha1.Condition, log plog.MinLogger) bool {
- hadErrorCondition := false
- for i := range conditions {
- cond := conditions[i].DeepCopy()
- cond.LastTransitionTime = v1.Now()
- cond.ObservedGeneration = observedGeneration
- if mergeCondition(conditionsToUpdate, cond) {
- log.Info("updated condition", "type", cond.Type, "status", cond.Status, "reason", cond.Reason, "message", cond.Message)
- }
- if cond.Status == v1alpha1.ConditionFalse {
- hadErrorCondition = true
- }
- }
- sort.SliceStable(*conditionsToUpdate, func(i, j int) bool {
- return (*conditionsToUpdate)[i].Type < (*conditionsToUpdate)[j].Type
- })
- return hadErrorCondition
-}
-
-// mergeCondition merges a new v1alpha1.Condition into a slice of existing conditions. It returns true
-// if the condition has meaningfully changed.
-func mergeCondition(existing *[]v1alpha1.Condition, new *v1alpha1.Condition) bool {
- // Find any existing condition with a matching type.
- var old *v1alpha1.Condition
- for i := range *existing {
- if (*existing)[i].Type == new.Type {
- old = &(*existing)[i]
- continue
- }
- }
-
- // If there is no existing condition of this type, append this one and we're done.
- if old == nil {
- *existing = append(*existing, *new)
- return true
- }
-
- // Set the LastTransitionTime depending on whether the status has changed.
- new = new.DeepCopy()
- if old.Status == new.Status {
- new.LastTransitionTime = old.LastTransitionTime
- }
-
- // If anything has actually changed, update the entry and return true.
- if !equality.Semantic.DeepEqual(old, new) {
- *old = *new
- return true
- }
-
- // Otherwise the entry is already up to date.
- return false
-}
diff --git a/internal/controller/supervisorconfig/activedirectoryupstreamwatcher/active_directory_upstream_watcher.go b/internal/controller/supervisorconfig/activedirectoryupstreamwatcher/active_directory_upstream_watcher.go
index 4aaa41b9..5fd198ea 100644
--- a/internal/controller/supervisorconfig/activedirectoryupstreamwatcher/active_directory_upstream_watcher.go
+++ b/internal/controller/supervisorconfig/activedirectoryupstreamwatcher/active_directory_upstream_watcher.go
@@ -362,7 +362,7 @@ func (c *activeDirectoryWatcherController) updateStatus(ctx context.Context, ups
 log := plog.WithValues("namespace", upstream.Namespace, "name", upstream.Name)
 updated := upstream.DeepCopy()
 
- hadErrorCondition := conditionsutil.Merge(conditions, upstream.Generation, &updated.Status.Conditions, log)
+ hadErrorCondition := conditionsutil.MergeIDPConditions(conditions, upstream.Generation, &updated.Status.Conditions, log)
 updated.Status.Phase = v1alpha1.ActiveDirectoryPhaseReady
 
 if hadErrorCondition {
diff --git a/internal/controller/supervisorconfig/ldapupstreamwatcher/ldap_upstream_watcher.go b/internal/controller/supervisorconfig/ldapupstreamwatcher/ldap_upstream_watcher.go
index a942bbf9..6d370e26 100644
--- a/internal/controller/supervisorconfig/ldapupstreamwatcher/ldap_upstream_watcher.go
+++ b/internal/controller/supervisorconfig/ldapupstreamwatcher/ldap_upstream_watcher.go
@@ -255,7 +255,7 @@ func (c *ldapWatcherController) updateStatus(ctx context.Context, upstream *v1al
 log := plog.WithValues("namespace", upstream.Namespace, "name", upstream.Name)
 updated := upstream.DeepCopy()
 
- hadErrorCondition := conditionsutil.Merge(conditions, upstream.Generation, &updated.Status.Conditions, log)
+ hadErrorCondition := conditionsutil.MergeIDPConditions(conditions, upstream.Generation, &updated.Status.Conditions, log)
 updated.Status.Phase = v1alpha1.LDAPPhaseReady
 
 if hadErrorCondition {
diff --git a/internal/controller/supervisorconfig/oidcclientwatcher/oidc_client_watcher.go b/internal/controller/supervisorconfig/oidcclientwatcher/oidc_client_watcher.go
new file mode 100644
index 00000000..600f7420
--- /dev/null
+++ b/internal/controller/supervisorconfig/oidcclientwatcher/oidc_client_watcher.go
@@ -0,0 +1,317 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package oidcclientwatcher
+
+import (
+ "context"
+ "fmt"
+
+ v1 "k8s.io/api/core/v1"
+ "k8s.io/apimachinery/pkg/api/equality"
+ k8serrors "k8s.io/apimachinery/pkg/api/errors"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/apimachinery/pkg/labels"
+ corev1informers "k8s.io/client-go/informers/core/v1"
+
+ "go.pinniped.dev/generated/latest/apis/supervisor/config/v1alpha1"
+ pinnipedclientset "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned"
+ configInformers "go.pinniped.dev/generated/latest/client/supervisor/informers/externalversions/config/v1alpha1"
+ pinnipedcontroller "go.pinniped.dev/internal/controller"
+ "go.pinniped.dev/internal/controller/conditionsutil"
+ "go.pinniped.dev/internal/controllerlib"
+ "go.pinniped.dev/internal/oidcclientsecretstorage"
+ "go.pinniped.dev/internal/plog"
+)
+
+const (
+ clientSecretExists = "ClientSecretExists"
+ allowedGrantTypesValid = "AllowedGrantTypesValid"
+ allowedScopesValid = "AllowedScopesValid"
+
+ reasonSuccess = "Success"
+ reasonMissingRequiredValue = "MissingRequiredValue"
+ reasonNoClientSecretFound = "NoClientSecretFound"
+
+ authorizationCodeGrantTypeName = "authorization_code"
+ refreshTokenGrantTypeName = "refresh_token"
+ tokenExchangeGrantTypeName = "urn:ietf:params:oauth:grant-type:token-exchange" //nolint:gosec // this is not a credential
+
+ openidScopeName = "openid"
+ offlineAccessScopeName = "offline_access"
+ requestAudienceScopeName = "pinniped:request-audience"
+ usernameScopeName = "username"
+ groupsScopeName = "groups"
+
+ allowedGrantTypesFieldName = "allowedGrantTypes"
+ allowedScopesFieldName = "allowedScopes"
+
+ secretTypeToObserve = "storage.pinniped.dev/oidc-client-secret" //nolint:gosec // this is not a credential
+)
+
+type oidcClientWatcherController struct {
+ pinnipedClient pinnipedclientset.Interface
+ oidcClientInformer configInformers.OIDCClientInformer
+ secretInformer corev1informers.SecretInformer
+}
+
+// NewOIDCClientWatcherController returns a controllerlib.Controller that watches OIDCClients and updates
+// their status with validation errors.
+func NewOIDCClientWatcherController(
+ pinnipedClient pinnipedclientset.Interface,
+ secretInformer corev1informers.SecretInformer,
+ oidcClientInformer configInformers.OIDCClientInformer,
+ withInformer pinnipedcontroller.WithInformerOptionFunc,
+) controllerlib.Controller {
+ return controllerlib.New(
+ controllerlib.Config{
+ Name: "OIDCClientWatcherController",
+ Syncer: &oidcClientWatcherController{
+ pinnipedClient: pinnipedClient,
+ secretInformer: secretInformer,
+ oidcClientInformer: oidcClientInformer,
+ },
+ },
+ // We want to be notified when an OIDCClient's corresponding secret gets updated or deleted.
+ withInformer(
+ secretInformer,
+ pinnipedcontroller.MatchAnySecretOfTypeFilter(secretTypeToObserve, pinnipedcontroller.SingletonQueue()),
+ controllerlib.InformerOption{},
+ ),
+ // We want to be notified when anything happens to an OIDCClient.
+ withInformer(
+ oidcClientInformer,
+ pinnipedcontroller.MatchAnythingFilter(pinnipedcontroller.SingletonQueue()),
+ controllerlib.InformerOption{},
+ ),
+ )
+}
+
+// Sync implements controllerlib.Syncer.
+func (c *oidcClientWatcherController) Sync(ctx controllerlib.Context) error {
+ // Sync could be called on either a Secret or an OIDCClient, so to keep it simple, revalidate
+ // all OIDCClients whenever anything changes.
+ oidcClients, err := c.oidcClientInformer.Lister().List(labels.Everything())
+ if err != nil {
+ return fmt.Errorf("failed to list OIDCClients: %w", err)
+ }
+
+ // We're only going to use storage to call GetName(), which happens to not need the constructor params.
+ // This is because we can read the Secrets from the informer cache here, instead of doing live reads.
+ storage := oidcclientsecretstorage.New(nil, nil)
+
+ for _, oidcClient := range oidcClients {
+ correspondingSecretName := storage.GetName(oidcClient.UID)
+
+ secret, err := c.secretInformer.Lister().Secrets(oidcClient.Namespace).Get(correspondingSecretName)
+ if err != nil {
+ if !k8serrors.IsNotFound(err) {
+ // Anything other than a NotFound error is unexpected when reading from an informer.
+ return fmt.Errorf("failed to get %s/%s secret: %w", oidcClient.Namespace, correspondingSecretName, err)
+ }
+ // Got a NotFound error, so continue. The Secret just doesn't exist yet, which is okay.
+ plog.DebugErr(
+ "OIDCClientWatcherController error getting storage Secret for OIDCClient's client secrets", err,
+ "oidcClientName", oidcClient.Name,
+ "oidcClientNamespace", oidcClient.Namespace,
+ "secretName", correspondingSecretName,
+ )
+ secret = nil
+ }
+
+ conditions := validateOIDCClient(oidcClient, secret)
+
+ if err := c.updateStatus(ctx.Context, oidcClient, conditions); err != nil {
+ return fmt.Errorf("cannot update OIDCClient '%s/%s': %w", oidcClient.Namespace, oidcClient.Name, err)
+ }
+
+ plog.Debug(
+ "OIDCClientWatcherController Sync updated an OIDCClient",
+ "oidcClientName", oidcClient.Name,
+ "oidcClientNamespace", oidcClient.Namespace,
+ "conditionsCount", len(conditions),
+ )
+ }
+
+ return nil
+}
+
+// validateOIDCClient validates the OIDCClient and its corresponding client secret storage Secret.
+// When the corresponding client secret storage Secret was not found, pass nil to this function to
+// get the validation error for that case.
+func validateOIDCClient(oidcClient *v1alpha1.OIDCClient, secret *v1.Secret) []*v1alpha1.Condition {
+ c := validateSecret(secret, []*v1alpha1.Condition{})
+ c = validateAllowedGrantTypes(oidcClient, c)
+ c = validateAllowedScopes(oidcClient, c)
+ return c
+}
+
+// validateAllowedScopes checks if allowedScopes is valid on the OIDCClient.
+func validateAllowedScopes(oidcClient *v1alpha1.OIDCClient, conditions []*v1alpha1.Condition) []*v1alpha1.Condition {
+ switch {
+ case !allowedScopesContains(oidcClient, openidScopeName):
+ conditions = append(conditions, &v1alpha1.Condition{
+ Type: allowedScopesValid,
+ Status: v1alpha1.ConditionFalse,
+ Reason: reasonMissingRequiredValue,
+ Message: fmt.Sprintf("%q must always be included in %q", openidScopeName, allowedScopesFieldName),
+ })
+ case allowedGrantTypesContains(oidcClient, refreshTokenGrantTypeName) && !allowedScopesContains(oidcClient, offlineAccessScopeName):
+ conditions = append(conditions, &v1alpha1.Condition{
+ Type: allowedScopesValid,
+ Status: v1alpha1.ConditionFalse,
+ Reason: reasonMissingRequiredValue,
+ Message: fmt.Sprintf("%q must be included in %q when %q is included in %q",
+ offlineAccessScopeName, allowedScopesFieldName, refreshTokenGrantTypeName, allowedGrantTypesFieldName),
+ })
+ case allowedScopesContains(oidcClient, requestAudienceScopeName) &&
+ (!allowedScopesContains(oidcClient, usernameScopeName) || !allowedScopesContains(oidcClient, groupsScopeName)):
+ conditions = append(conditions, &v1alpha1.Condition{
+ Type: allowedScopesValid,
+ Status: v1alpha1.ConditionFalse,
+ Reason: reasonMissingRequiredValue,
+ Message: fmt.Sprintf("%q and %q must be included in %q when %q is included in %q",
+ usernameScopeName, groupsScopeName, allowedScopesFieldName, requestAudienceScopeName, allowedScopesFieldName),
+ })
+ case allowedGrantTypesContains(oidcClient, tokenExchangeGrantTypeName) && !allowedScopesContains(oidcClient, requestAudienceScopeName):
+ conditions = append(conditions, &v1alpha1.Condition{
+ Type: allowedScopesValid,
+ Status: v1alpha1.ConditionFalse,
+ Reason: reasonMissingRequiredValue,
+ Message: fmt.Sprintf("%q must be included in %q when %q is included in %q",
+ requestAudienceScopeName, allowedScopesFieldName, tokenExchangeGrantTypeName, allowedGrantTypesFieldName),
+ })
+ default:
+ conditions = append(conditions, &v1alpha1.Condition{
+ Type: allowedScopesValid,
+ Status: v1alpha1.ConditionTrue,
+ Reason: reasonSuccess,
+ Message: fmt.Sprintf("%q is valid", allowedScopesFieldName),
+ })
+ }
+ return conditions
+}
+
+// validateAllowedGrantTypes checks if allowedGrantTypes is valid on the OIDCClient.
+func validateAllowedGrantTypes(oidcClient *v1alpha1.OIDCClient, conditions []*v1alpha1.Condition) []*v1alpha1.Condition {
+ switch {
+ case !allowedGrantTypesContains(oidcClient, authorizationCodeGrantTypeName):
+ conditions = append(conditions, &v1alpha1.Condition{
+ Type: allowedGrantTypesValid,
+ Status: v1alpha1.ConditionFalse,
+ Reason: reasonMissingRequiredValue,
+ Message: fmt.Sprintf("%q must always be included in %q",
+ authorizationCodeGrantTypeName, allowedGrantTypesFieldName),
+ })
+ case allowedScopesContains(oidcClient, offlineAccessScopeName) && !allowedGrantTypesContains(oidcClient, refreshTokenGrantTypeName):
+ conditions = append(conditions, &v1alpha1.Condition{
+ Type: allowedGrantTypesValid,
+ Status: v1alpha1.ConditionFalse,
+ Reason: reasonMissingRequiredValue,
+ Message: fmt.Sprintf("%q must be included in %q when %q is included in %q",
+ refreshTokenGrantTypeName, allowedGrantTypesFieldName, offlineAccessScopeName, allowedScopesFieldName),
+ })
+ case allowedScopesContains(oidcClient, requestAudienceScopeName) && !allowedGrantTypesContains(oidcClient, tokenExchangeGrantTypeName):
+ conditions = append(conditions, &v1alpha1.Condition{
+ Type: allowedGrantTypesValid,
+ Status: v1alpha1.ConditionFalse,
+ Reason: reasonMissingRequiredValue,
+ Message: fmt.Sprintf("%q must be included in %q when %q is included in %q",
+ tokenExchangeGrantTypeName, allowedGrantTypesFieldName, requestAudienceScopeName, allowedScopesFieldName),
+ })
+ default:
+ conditions = append(conditions, &v1alpha1.Condition{
+ Type: allowedGrantTypesValid,
+ Status: v1alpha1.ConditionTrue,
+ Reason: reasonSuccess,
+ Message: fmt.Sprintf("%q is valid", allowedGrantTypesFieldName),
+ })
+ }
+ return conditions
+}
+
+// validateSecret checks if the client secret storage Secret is valid and contains at least one client secret.
+func validateSecret(secret *v1.Secret, conditions []*v1alpha1.Condition) []*v1alpha1.Condition {
+ if secret == nil {
+ // Invalid: no storage Secret found.
+ conditions = append(conditions, &v1alpha1.Condition{
+ Type: clientSecretExists,
+ Status: v1alpha1.ConditionFalse,
+ Reason: reasonNoClientSecretFound,
+ Message: "no client secret found (no Secret storage found)",
+ })
+ return conditions
+ }
+
+ storedClientSecret, err := oidcclientsecretstorage.ReadFromSecret(secret)
+ if err != nil {
+ // Invalid: storage Secret exists but its data could not be parsed.
+ conditions = append(conditions, &v1alpha1.Condition{
+ Type: clientSecretExists,
+ Status: v1alpha1.ConditionFalse,
+ Reason: reasonNoClientSecretFound,
+ Message: fmt.Sprintf("error reading client secret storage: %s", err.Error()),
+ })
+ return conditions
+ }
+
+ // Successfully read the stored client secrets, so check if there are any stored in the list.
+ storedClientSecretsCount := len(storedClientSecret.SecretHashes)
+ if storedClientSecretsCount == 0 {
+ // Invalid: no client secrets stored.
+ conditions = append(conditions, &v1alpha1.Condition{
+ Type: clientSecretExists,
+ Status: v1alpha1.ConditionFalse,
+ Reason: reasonNoClientSecretFound,
+ Message: "no client secret found (empty list in storage)",
+ })
+ } else {
+ // Valid: has at least one client secret stored for this OIDC client.
+ conditions = append(conditions, &v1alpha1.Condition{
+ Type: clientSecretExists,
+ Status: v1alpha1.ConditionTrue,
+ Reason: reasonSuccess,
+ Message: fmt.Sprintf("%d client secret(s) found", storedClientSecretsCount),
+ })
+ }
+ return conditions
+}
+
+func allowedGrantTypesContains(haystack *v1alpha1.OIDCClient, needle string) bool {
+ for _, hay := range haystack.Spec.AllowedGrantTypes {
+ if hay == v1alpha1.GrantType(needle) {
+ return true
+ }
+ }
+ return false
+}
+
+func allowedScopesContains(haystack *v1alpha1.OIDCClient, needle string) bool {
+ for _, hay := range haystack.Spec.AllowedScopes {
+ if hay == v1alpha1.Scope(needle) {
+ return true
+ }
+ }
+ return false
+}
+
+func (c *oidcClientWatcherController) updateStatus(ctx context.Context, upstream *v1alpha1.OIDCClient, conditions []*v1alpha1.Condition) error {
+ updated := upstream.DeepCopy()
+
+ hadErrorCondition := conditionsutil.MergeConfigConditions(conditions, upstream.Generation, &updated.Status.Conditions, plog.New())
+
+ updated.Status.Phase = v1alpha1.PhaseReady
+ if hadErrorCondition {
+ updated.Status.Phase = v1alpha1.PhaseError
+ }
+
+ if equality.Semantic.DeepEqual(upstream, updated) {
+ return nil
+ }
+
+ _, err := c.pinnipedClient.
+ ConfigV1alpha1().
+ OIDCClients(upstream.Namespace).
+ UpdateStatus(ctx, updated, metav1.UpdateOptions{})
+ return err
+}
diff --git a/internal/controller/supervisorconfig/oidcclientwatcher/oidc_client_watcher_test.go b/internal/controller/supervisorconfig/oidcclientwatcher/oidc_client_watcher_test.go
new file mode 100644
index 00000000..683c92ab
--- /dev/null
+++ b/internal/controller/supervisorconfig/oidcclientwatcher/oidc_client_watcher_test.go
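Review bot: In validateSecret the parse-failure branch copies `err.Error()` from `oidcclientsecretstorage.ReadFromSecret` into the condition `Message`, and that message lands in OIDCClient status, which is visible to anyone with read access to OIDCClients rather than to the Secret; unless that error is known never to echo Secret contents, a fixed message such as `"error reading client secret storage"` with the detail going to `plog` instead is the safer shape. The storage Secret is also fetched by name alone from the lister in Sync, so a Secret with the expected name but a different `Type` reaches `ReadFromSecret`; if that function does not check the type itself, a guard `if secret.Type != secretTypeToObserve { ... }` in validateSecret (handled like the nil case) would keep the controller from parsing unrelated Secrets. updateStatus passes `plog.New()` to MergeConfigConditions, whereas the sibling watchers in this commit pass `plog.WithValues("namespace", upstream.Namespace, "name", upstream.Name)`, so the "updated condition" log lines emitted here do not say which OIDCClient changed. The debug line `"OIDCClientWatcherController Sync updated an OIDCClient"` is also logged when updateStatus returned early because nothing changed; `"OIDCClientWatcherController Sync reconciled an OIDCClient"` would describe both outcomes accurately.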
@@ -0,0 +1,903 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package oidcclientwatcher
+
+import (
+ "context"
+ "encoding/base32"
+ "fmt"
+ "strings"
+ "testing"
+ "time"
+
+ "github.com/stretchr/testify/require"
+ corev1 "k8s.io/api/core/v1"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/apimachinery/pkg/runtime"
+ kubeinformers "k8s.io/client-go/informers"
+ kubernetesfake "k8s.io/client-go/kubernetes/fake"
+
+ configv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/config/v1alpha1"
+ pinnipedfake "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned/fake"
+ pinnipedinformers "go.pinniped.dev/generated/latest/client/supervisor/informers/externalversions"
+ "go.pinniped.dev/internal/controllerlib"
+ "go.pinniped.dev/internal/testutil"
+)
+
+func TestOIDCClientWatcherControllerFilterSecret(t *testing.T) {
+ t.Parallel()
+
+ tests := []struct {
+ name string
+ secret metav1.Object
+ wantAdd bool
+ wantUpdate bool
+ wantDelete bool
+ }{
+ {
+ name: "a secret of the right type",
+ secret: &corev1.Secret{
+ Type: "storage.pinniped.dev/oidc-client-secret",
+ ObjectMeta: metav1.ObjectMeta{Name: "some-name", Namespace: "some-namespace"},
+ },
+ wantAdd: true,
+ wantUpdate: true,
+ wantDelete: true,
+ },
+ {
+ name: "a secret of the wrong type",
+ secret: &corev1.Secret{
+ Type: "secrets.pinniped.dev/some-other-type",
+ ObjectMeta: metav1.ObjectMeta{Name: "some-name", Namespace: "some-namespace"},
+ },
+ },
+ {
+ name: "resource of wrong data type",
+ secret: &corev1.Namespace{
+ ObjectMeta: metav1.ObjectMeta{Name: "some-name", Namespace: "some-namespace"},
+ },
+ },
+ }
+ for _, test := range tests {
+ tt := test
+ t.Run(tt.name, func(t *testing.T) {
+ t.Parallel()
+
+ secretInformer := kubeinformers.NewSharedInformerFactory(
+ kubernetesfake.NewSimpleClientset(),
+ 0,
+ ).Core().V1().Secrets()
+ oidcClientsInformer := pinnipedinformers.NewSharedInformerFactory(
+
pinnipedfake.NewSimpleClientset(),
+ 0,
+ ).Config().V1alpha1().OIDCClients()
+ withInformer := testutil.NewObservableWithInformerOption()
+ _ = NewOIDCClientWatcherController(
+ nil, // pinnipedClient, not needed
+ secretInformer,
+ oidcClientsInformer,
+ withInformer.WithInformer,
+ )
+
+ unrelated := corev1.Secret{}
+ filter := withInformer.GetFilterForInformer(secretInformer)
+ require.Equal(t, tt.wantAdd, filter.Add(tt.secret))
+ require.Equal(t, tt.wantUpdate, filter.Update(&unrelated, tt.secret))
+ require.Equal(t, tt.wantUpdate, filter.Update(tt.secret, &unrelated))
+ require.Equal(t, tt.wantDelete, filter.Delete(tt.secret))
+ })
+ }
+}
+
+func TestOIDCClientWatcherControllerFilterOIDCClient(t *testing.T) {
+ t.Parallel()
+
+ tests := []struct {
+ name string
+ oidcClient configv1alpha1.OIDCClient
+ wantAdd bool
+ wantUpdate bool
+ wantDelete bool
+ }{
+ {
+ name: "anything goes",
+ oidcClient: configv1alpha1.OIDCClient{},
+ wantAdd: true,
+ wantUpdate: true,
+ wantDelete: true,
+ },
+ }
+ for _, test := range tests {
+ tt := test
+ t.Run(tt.name, func(t *testing.T) {
+ t.Parallel()
+
+ secretInformer := kubeinformers.NewSharedInformerFactory(
+ kubernetesfake.NewSimpleClientset(),
+ 0,
+ ).Core().V1().Secrets()
+ oidcClientsInformer := pinnipedinformers.NewSharedInformerFactory(
+ pinnipedfake.NewSimpleClientset(),
+ 0,
+ ).Config().V1alpha1().OIDCClients()
+ withInformer := testutil.NewObservableWithInformerOption()
+ _ = NewOIDCClientWatcherController(
+ nil, // pinnipedClient, not needed
+ secretInformer,
+ oidcClientsInformer,
+ withInformer.WithInformer,
+ )
+
+ unrelated := configv1alpha1.OIDCClient{}
+ filter := withInformer.GetFilterForInformer(oidcClientsInformer)
+ require.Equal(t, tt.wantAdd, filter.Add(&tt.oidcClient))
+ require.Equal(t, tt.wantUpdate, filter.Update(&unrelated, &tt.oidcClient))
+ require.Equal(t, tt.wantUpdate, filter.Update(&tt.oidcClient, &unrelated))
+ require.Equal(t, tt.wantDelete, filter.Delete(&tt.oidcClient))
+ })
+ }
+}
+
+func TestOIDCClientWatcherControllerSync(t *testing.T) {
+ t.Parallel()
+
+ const (
+ testName = "test-name"
+ testNamespace = "test-namespace"
+ testUID = "test-uid-123"
+
+ //nolint:gosec // this is not a credential
+ testBcryptSecret1 = "$2y$15$Kh7cRj0ScSD5QelE3ZNSl.nF04JDv7zb3SgGN.tSfLIX.4kt3UX7m" // bcrypt of "password1"
+
+ //nolint:gosec // this is not a credential
+ testBcryptSecret2 = "$2y$15$Kh7cRj0ScSD5QelE3ZNSl.nF04JDv7zb3SgGN.tSfLIX.4kt3UX7m" // bcrypt of "password2"
+ )
+
+ now := metav1.NewTime(time.Now().UTC())
+ earlier := metav1.NewTime(now.Add(-1 * time.Hour).UTC())
+
+ happyAllowedGrantTypesCondition := func(time metav1.Time, observedGeneration int64) configv1alpha1.Condition {
+ return configv1alpha1.Condition{
+ Type: "AllowedGrantTypesValid",
+ Status: "True",
+ LastTransitionTime: time,
+ Reason: "Success",
+ Message: `"allowedGrantTypes" is valid`,
+ ObservedGeneration: observedGeneration,
+ }
+ }
+
+ sadAllowedGrantTypesCondition := func(time metav1.Time, observedGeneration int64, message string) configv1alpha1.Condition {
+ return configv1alpha1.Condition{
+ Type: "AllowedGrantTypesValid",
+ Status: "False",
+ LastTransitionTime: time,
+ Reason: "MissingRequiredValue",
+ Message: message,
+ ObservedGeneration: observedGeneration,
+ }
+ }
+
+ happyClientSecretsCondition := func(howMany int, time metav1.Time, observedGeneration int64) configv1alpha1.Condition {
+ return configv1alpha1.Condition{
+ Type: "ClientSecretExists",
+ Status: "True",
+ LastTransitionTime: time,
+ Reason: "Success",
+ Message: fmt.Sprintf(`%d client secret(s) found`, howMany),
+ ObservedGeneration: observedGeneration,
+ }
+ }
+
+ sadClientSecretsCondition := func(time metav1.Time, observedGeneration int64, message string) configv1alpha1.Condition {
+ return configv1alpha1.Condition{
+ Type: "ClientSecretExists",
+ Status: "False",
+ LastTransitionTime: time,
+ Reason: "NoClientSecretFound",
+ Message: message,
+ ObservedGeneration: observedGeneration,
+ }
+ }
+ + happyAllowedScopesCondition := func(time metav1.Time, observedGeneration int64) configv1alpha1.Condition { + return configv1alpha1.Condition{ + Type: "AllowedScopesValid", + Status: "True", + LastTransitionTime: time, + Reason: "Success", + Message: `"allowedScopes" is valid`, + ObservedGeneration: observedGeneration, + } + } + + sadAllowedScopesCondition := func(time metav1.Time, observedGeneration int64, message string) configv1alpha1.Condition { + return configv1alpha1.Condition{ + Type: "AllowedScopesValid", + Status: "False", + LastTransitionTime: time, + Reason: "MissingRequiredValue", + Message: message, + ObservedGeneration: observedGeneration, + } + } + + secretNameForUID := func(uid string) string { + // See GetName() in OIDCClientSecretStorage for how the production code determines the Secret name. + // This test helper is intended to choose the same name. + return "pinniped-storage-oidc-client-secret-" + + strings.ToLower(base32.StdEncoding.WithPadding(base32.NoPadding).EncodeToString([]byte(uid))) + } + + secretStringDataWithZeroClientSecrets := map[string][]byte{ + "pinniped-storage-data": []byte(`{"version":"1","hashes":[]}`), + "pinniped-storage-version": []byte("1"), + } + + secretStringDataWithOneClientSecret := map[string][]byte{ + "pinniped-storage-data": []byte(`{"version":"1","hashes":["` + testBcryptSecret1 + `"]}`), + "pinniped-storage-version": []byte("1"), + } + + secretStringDataWithTwoClientSecrets := map[string][]byte{ + "pinniped-storage-data": []byte(`{"version":"1","hashes":["` + testBcryptSecret1 + `","` + testBcryptSecret2 + `"]}`), + "pinniped-storage-version": []byte("1"), + } + + secretStringDataWithWrongVersion := map[string][]byte{ + "pinniped-storage-data": []byte(`{"version":"wrong-version","hashes":[]}`), + "pinniped-storage-version": []byte("1"), + } + + storageSecretForUIDWithData := func(uid string, data map[string][]byte) *corev1.Secret { + return &corev1.Secret{ + ObjectMeta: metav1.ObjectMeta{ + Namespace: 
testNamespace, + Name: secretNameForUID(uid), + Labels: map[string]string{"storage.pinniped.dev/type": "oidc-client-secret"}, + }, + Type: "storage.pinniped.dev/oidc-client-secret", + Data: data, + } + } + + tests := []struct { + name string + inputObjects []runtime.Object + inputSecrets []runtime.Object + wantErr string + wantResultingOIDCClients []configv1alpha1.OIDCClient + wantAPIActions int + }{ + { + name: "no OIDCClients", + wantAPIActions: 0, // no updates + }, + { + name: "successfully validate minimal OIDCClient and one client secret stored", + inputObjects: []runtime.Object{&configv1alpha1.OIDCClient{ + ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234, UID: testUID}, + Spec: configv1alpha1.OIDCClientSpec{ + AllowedGrantTypes: []configv1alpha1.GrantType{"authorization_code"}, + AllowedScopes: []configv1alpha1.Scope{"openid"}, + }, + }}, + inputSecrets: []runtime.Object{storageSecretForUIDWithData(testUID, secretStringDataWithOneClientSecret)}, + wantAPIActions: 1, // one update + wantResultingOIDCClients: []configv1alpha1.OIDCClient{{ + ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234, UID: testUID}, + Status: configv1alpha1.OIDCClientStatus{ + Phase: "Ready", + Conditions: []configv1alpha1.Condition{ + happyAllowedGrantTypesCondition(now, 1234), + happyAllowedScopesCondition(now, 1234), + happyClientSecretsCondition(1, now, 1234), + }, + }, + }}, + }, + { + name: "successfully validate minimal OIDCClient and two client secrets stored", + inputObjects: []runtime.Object{&configv1alpha1.OIDCClient{ + ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234, UID: testUID}, + Spec: configv1alpha1.OIDCClientSpec{ + AllowedGrantTypes: []configv1alpha1.GrantType{"authorization_code"}, + AllowedScopes: []configv1alpha1.Scope{"openid"}, + }, + }}, + inputSecrets: []runtime.Object{storageSecretForUIDWithData(testUID, 
secretStringDataWithTwoClientSecrets)}, + wantAPIActions: 1, // one update + wantResultingOIDCClients: []configv1alpha1.OIDCClient{{ + ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234, UID: testUID}, + Status: configv1alpha1.OIDCClientStatus{ + Phase: "Ready", + Conditions: []configv1alpha1.Condition{ + happyAllowedGrantTypesCondition(now, 1234), + happyAllowedScopesCondition(now, 1234), + happyClientSecretsCondition(2, now, 1234), + }, + }, + }}, + }, + { + name: "an already validated OIDCClient does not have its conditions updated when everything is still valid", + inputObjects: []runtime.Object{&configv1alpha1.OIDCClient{ + ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234, UID: testUID}, + Spec: configv1alpha1.OIDCClientSpec{ + AllowedGrantTypes: []configv1alpha1.GrantType{"authorization_code"}, + AllowedScopes: []configv1alpha1.Scope{"openid"}, + }, + Status: configv1alpha1.OIDCClientStatus{ + Phase: "Ready", + Conditions: []configv1alpha1.Condition{ + happyAllowedGrantTypesCondition(earlier, 1234), + happyAllowedScopesCondition(earlier, 1234), + happyClientSecretsCondition(1, earlier, 1234), + }, + }, + }}, + inputSecrets: []runtime.Object{storageSecretForUIDWithData(testUID, secretStringDataWithOneClientSecret)}, + wantAPIActions: 0, // no updates + wantResultingOIDCClients: []configv1alpha1.OIDCClient{{ + ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234, UID: testUID}, + Status: configv1alpha1.OIDCClientStatus{ + Phase: "Ready", + Conditions: []configv1alpha1.Condition{ + happyAllowedGrantTypesCondition(earlier, 1234), + happyAllowedScopesCondition(earlier, 1234), + happyClientSecretsCondition(1, earlier, 1234), + }, + }, + }}, + }, + { + name: "missing required minimum settings and missing client secret storage", + inputObjects: []runtime.Object{&configv1alpha1.OIDCClient{ + ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: 
testName, Generation: 1234, UID: testUID}, + Spec: configv1alpha1.OIDCClientSpec{}, + }}, + wantAPIActions: 1, // one update + wantResultingOIDCClients: []configv1alpha1.OIDCClient{{ + ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234, UID: testUID}, + Status: configv1alpha1.OIDCClientStatus{ + Phase: "Error", + Conditions: []configv1alpha1.Condition{ + sadAllowedGrantTypesCondition(now, 1234, `"authorization_code" must always be included in "allowedGrantTypes"`), + sadAllowedScopesCondition(now, 1234, `"openid" must always be included in "allowedScopes"`), + sadClientSecretsCondition(now, 1234, "no client secret found (no Secret storage found)"), + }, + }, + }}, + }, + { + name: "client secret storage exists but cannot be read", + inputObjects: []runtime.Object{&configv1alpha1.OIDCClient{ + ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234, UID: testUID}, + Spec: configv1alpha1.OIDCClientSpec{ + AllowedGrantTypes: []configv1alpha1.GrantType{"authorization_code"}, + AllowedScopes: []configv1alpha1.Scope{"openid"}, + }, + }}, + inputSecrets: []runtime.Object{storageSecretForUIDWithData(testUID, secretStringDataWithWrongVersion)}, + wantAPIActions: 1, // one update + wantResultingOIDCClients: []configv1alpha1.OIDCClient{{ + ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234, UID: testUID}, + Status: configv1alpha1.OIDCClientStatus{ + Phase: "Error", + Conditions: []configv1alpha1.Condition{ + happyAllowedGrantTypesCondition(now, 1234), + happyAllowedScopesCondition(now, 1234), + sadClientSecretsCondition(now, 1234, "error reading client secret storage: OIDC client secret storage data has wrong version: OIDC client secret storage has version wrong-version instead of 1"), + }, + }, + }}, + }, + { + name: "client secret storage exists but does not contain any client secrets", + inputObjects: []runtime.Object{&configv1alpha1.OIDCClient{ + ObjectMeta: 
metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234, UID: testUID}, + Spec: configv1alpha1.OIDCClientSpec{ + AllowedGrantTypes: []configv1alpha1.GrantType{"authorization_code"}, + AllowedScopes: []configv1alpha1.Scope{"openid"}, + }, + }}, + inputSecrets: []runtime.Object{storageSecretForUIDWithData(testUID, secretStringDataWithZeroClientSecrets)}, + wantAPIActions: 1, // one update + wantResultingOIDCClients: []configv1alpha1.OIDCClient{{ + ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234, UID: testUID}, + Status: configv1alpha1.OIDCClientStatus{ + Phase: "Error", + Conditions: []configv1alpha1.Condition{ + happyAllowedGrantTypesCondition(now, 1234), + happyAllowedScopesCondition(now, 1234), + sadClientSecretsCondition(now, 1234, "no client secret found (empty list in storage)"), + }, + }, + }}, + }, + { + name: "can operate on multiple at a time, e.g. one is valid one another is missing required minimum settings", + inputObjects: []runtime.Object{ + &configv1alpha1.OIDCClient{ + ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: "test1", Generation: 1234, UID: "uid1"}, + Spec: configv1alpha1.OIDCClientSpec{ + AllowedGrantTypes: []configv1alpha1.GrantType{"authorization_code"}, + AllowedScopes: []configv1alpha1.Scope{"openid"}, + }, + }, + &configv1alpha1.OIDCClient{ + ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: "test2", Generation: 4567, UID: "uid2"}, + Spec: configv1alpha1.OIDCClientSpec{}, + }, + }, + inputSecrets: []runtime.Object{storageSecretForUIDWithData("uid1", secretStringDataWithOneClientSecret)}, + wantAPIActions: 2, // one update for each OIDCClient + wantResultingOIDCClients: []configv1alpha1.OIDCClient{ + { + ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: "test1", Generation: 1234, UID: "uid1"}, + Status: configv1alpha1.OIDCClientStatus{ + Phase: "Ready", + Conditions: []configv1alpha1.Condition{ + happyAllowedGrantTypesCondition(now, 1234), 
+ happyAllowedScopesCondition(now, 1234), + happyClientSecretsCondition(1, now, 1234), + }, + }, + }, + { + ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: "test2", Generation: 4567, UID: "uid2"}, + Status: configv1alpha1.OIDCClientStatus{ + Phase: "Error", + Conditions: []configv1alpha1.Condition{ + sadAllowedGrantTypesCondition(now, 4567, `"authorization_code" must always be included in "allowedGrantTypes"`), + sadAllowedScopesCondition(now, 4567, `"openid" must always be included in "allowedScopes"`), + sadClientSecretsCondition(now, 4567, "no client secret found (no Secret storage found)"), + }, + }, + }, + }, + }, + { + name: "a previously invalid OIDCClient has its spec changed to become valid so the conditions are updated", + inputObjects: []runtime.Object{&configv1alpha1.OIDCClient{ + ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 4567, UID: testUID}, + Spec: configv1alpha1.OIDCClientSpec{ + AllowedGrantTypes: []configv1alpha1.GrantType{"authorization_code"}, + AllowedScopes: []configv1alpha1.Scope{"openid"}, + }, + // was invalid on previous run of controller which observed an old generation at an earlier time + Status: configv1alpha1.OIDCClientStatus{ + Phase: "Error", + Conditions: []configv1alpha1.Condition{ + sadAllowedGrantTypesCondition(earlier, 1234, `"authorization_code" must always be included in "allowedGrantTypes"`), + sadAllowedScopesCondition(earlier, 1234, `"openid" must always be included in "allowedScopes"`), + happyClientSecretsCondition(1, earlier, 1234), + }, + }, + }}, + inputSecrets: []runtime.Object{storageSecretForUIDWithData(testUID, secretStringDataWithOneClientSecret)}, + wantAPIActions: 1, // one update + wantResultingOIDCClients: []configv1alpha1.OIDCClient{{ + ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 4567, UID: testUID}, + // status was updated to reflect the current generation at the current time + Status: 
configv1alpha1.OIDCClientStatus{ + Phase: "Ready", + Conditions: []configv1alpha1.Condition{ + happyAllowedGrantTypesCondition(now, 4567), + happyAllowedScopesCondition(now, 4567), + happyClientSecretsCondition(1, earlier, 4567), // was already validated earlier + }, + }, + }}, + }, + { + name: "refresh_token must be included in allowedGrantTypes when offline_access is included in allowedScopes", + inputObjects: []runtime.Object{&configv1alpha1.OIDCClient{ + ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234, UID: testUID}, + Spec: configv1alpha1.OIDCClientSpec{ + AllowedGrantTypes: []configv1alpha1.GrantType{"authorization_code"}, + AllowedScopes: []configv1alpha1.Scope{"openid", "offline_access"}, + }, + }}, + wantAPIActions: 1, // one update + inputSecrets: []runtime.Object{storageSecretForUIDWithData(testUID, secretStringDataWithOneClientSecret)}, + wantResultingOIDCClients: []configv1alpha1.OIDCClient{{ + ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234, UID: testUID}, + Status: configv1alpha1.OIDCClientStatus{ + Phase: "Error", + Conditions: []configv1alpha1.Condition{ + sadAllowedGrantTypesCondition(now, 1234, `"refresh_token" must be included in "allowedGrantTypes" when "offline_access" is included in "allowedScopes"`), + happyAllowedScopesCondition(now, 1234), + happyClientSecretsCondition(1, now, 1234), + }, + }, + }}, + }, + { + name: "urn:ietf:params:oauth:grant-type:token-exchange must be included in allowedGrantTypes when pinniped:request-audience is included in allowedScopes", + inputObjects: []runtime.Object{&configv1alpha1.OIDCClient{ + ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234, UID: testUID}, + Spec: configv1alpha1.OIDCClientSpec{ + AllowedGrantTypes: []configv1alpha1.GrantType{"authorization_code"}, + AllowedScopes: []configv1alpha1.Scope{"openid", "pinniped:request-audience", "username", "groups"}, + }, + }}, + 
inputSecrets: []runtime.Object{storageSecretForUIDWithData(testUID, secretStringDataWithOneClientSecret)}, + wantAPIActions: 1, // one update + wantResultingOIDCClients: []configv1alpha1.OIDCClient{{ + ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234, UID: testUID}, + Status: configv1alpha1.OIDCClientStatus{ + Phase: "Error", + Conditions: []configv1alpha1.Condition{ + sadAllowedGrantTypesCondition(now, 1234, `"urn:ietf:params:oauth:grant-type:token-exchange" must be included in "allowedGrantTypes" when "pinniped:request-audience" is included in "allowedScopes"`), + happyAllowedScopesCondition(now, 1234), + happyClientSecretsCondition(1, now, 1234), + }, + }, + }}, + }, + { + name: "offline_access must be included in allowedScopes when refresh_token is included in allowedGrantTypes", + inputObjects: []runtime.Object{&configv1alpha1.OIDCClient{ + ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234, UID: testUID}, + Spec: configv1alpha1.OIDCClientSpec{ + AllowedGrantTypes: []configv1alpha1.GrantType{"authorization_code", "refresh_token"}, + AllowedScopes: []configv1alpha1.Scope{"openid"}, + }, + }}, + inputSecrets: []runtime.Object{storageSecretForUIDWithData(testUID, secretStringDataWithOneClientSecret)}, + wantAPIActions: 1, // one update + wantResultingOIDCClients: []configv1alpha1.OIDCClient{{ + ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234, UID: testUID}, + Status: configv1alpha1.OIDCClientStatus{ + Phase: "Error", + Conditions: []configv1alpha1.Condition{ + happyAllowedGrantTypesCondition(now, 1234), + sadAllowedScopesCondition(now, 1234, `"offline_access" must be included in "allowedScopes" when "refresh_token" is included in "allowedGrantTypes"`), + happyClientSecretsCondition(1, now, 1234), + }, + }, + }}, + }, + { + name: "username and groups must also be included in allowedScopes when pinniped:request-audience is included in 
allowedScopes: both missing", + inputObjects: []runtime.Object{&configv1alpha1.OIDCClient{ + ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234, UID: testUID}, + Spec: configv1alpha1.OIDCClientSpec{ + AllowedGrantTypes: []configv1alpha1.GrantType{"authorization_code", "urn:ietf:params:oauth:grant-type:token-exchange"}, + AllowedScopes: []configv1alpha1.Scope{"openid", "pinniped:request-audience"}, + }, + }}, + inputSecrets: []runtime.Object{storageSecretForUIDWithData(testUID, secretStringDataWithOneClientSecret)}, + wantAPIActions: 1, // one update + wantResultingOIDCClients: []configv1alpha1.OIDCClient{{ + ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234, UID: testUID}, + Status: configv1alpha1.OIDCClientStatus{ + Phase: "Error", + Conditions: []configv1alpha1.Condition{ + happyAllowedGrantTypesCondition(now, 1234), + sadAllowedScopesCondition(now, 1234, `"username" and "groups" must be included in "allowedScopes" when "pinniped:request-audience" is included in "allowedScopes"`), + happyClientSecretsCondition(1, now, 1234), + }, + }, + }}, + }, + { + name: "username and groups must also be included in allowedScopes when pinniped:request-audience is included in allowedScopes: username missing", + inputObjects: []runtime.Object{&configv1alpha1.OIDCClient{ + ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234, UID: testUID}, + Spec: configv1alpha1.OIDCClientSpec{ + AllowedGrantTypes: []configv1alpha1.GrantType{"authorization_code", "urn:ietf:params:oauth:grant-type:token-exchange"}, + AllowedScopes: []configv1alpha1.Scope{"openid", "pinniped:request-audience", "groups"}, + }, + }}, + inputSecrets: []runtime.Object{storageSecretForUIDWithData(testUID, secretStringDataWithOneClientSecret)}, + wantAPIActions: 1, // one update + wantResultingOIDCClients: []configv1alpha1.OIDCClient{{ + ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, 
Generation: 1234, UID: testUID}, + Status: configv1alpha1.OIDCClientStatus{ + Phase: "Error", + Conditions: []configv1alpha1.Condition{ + happyAllowedGrantTypesCondition(now, 1234), + sadAllowedScopesCondition(now, 1234, `"username" and "groups" must be included in "allowedScopes" when "pinniped:request-audience" is included in "allowedScopes"`), + happyClientSecretsCondition(1, now, 1234), + }, + }, + }}, + }, + { + name: "username and groups must also be included in allowedScopes when pinniped:request-audience is included in allowedScopes: groups missing", + inputObjects: []runtime.Object{&configv1alpha1.OIDCClient{ + ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234, UID: testUID}, + Spec: configv1alpha1.OIDCClientSpec{ + AllowedGrantTypes: []configv1alpha1.GrantType{"authorization_code", "urn:ietf:params:oauth:grant-type:token-exchange"}, + AllowedScopes: []configv1alpha1.Scope{"openid", "pinniped:request-audience", "username"}, + }, + }}, + inputSecrets: []runtime.Object{storageSecretForUIDWithData(testUID, secretStringDataWithOneClientSecret)}, + wantAPIActions: 1, // one update + wantResultingOIDCClients: []configv1alpha1.OIDCClient{{ + ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234, UID: testUID}, + Status: configv1alpha1.OIDCClientStatus{ + Phase: "Error", + Conditions: []configv1alpha1.Condition{ + happyAllowedGrantTypesCondition(now, 1234), + sadAllowedScopesCondition(now, 1234, `"username" and "groups" must be included in "allowedScopes" when "pinniped:request-audience" is included in "allowedScopes"`), + happyClientSecretsCondition(1, now, 1234), + }, + }, + }}, + }, + { + name: "pinniped:request-audience must be included in allowedScopes when urn:ietf:params:oauth:grant-type:token-exchange is included in allowedGrantTypes", + inputObjects: []runtime.Object{&configv1alpha1.OIDCClient{ + ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 
1234, UID: testUID}, + Spec: configv1alpha1.OIDCClientSpec{ + AllowedGrantTypes: []configv1alpha1.GrantType{"authorization_code", "urn:ietf:params:oauth:grant-type:token-exchange"}, + AllowedScopes: []configv1alpha1.Scope{"openid"}, + }, + }}, + inputSecrets: []runtime.Object{storageSecretForUIDWithData(testUID, secretStringDataWithOneClientSecret)}, + wantAPIActions: 1, // one update + wantResultingOIDCClients: []configv1alpha1.OIDCClient{{ + ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234, UID: testUID}, + Status: configv1alpha1.OIDCClientStatus{ + Phase: "Error", + Conditions: []configv1alpha1.Condition{ + happyAllowedGrantTypesCondition(now, 1234), + sadAllowedScopesCondition(now, 1234, `"pinniped:request-audience" must be included in "allowedScopes" when "urn:ietf:params:oauth:grant-type:token-exchange" is included in "allowedGrantTypes"`), + happyClientSecretsCondition(1, now, 1234), + }, + }, + }}, + }, + { + name: "successfully validate an OIDCClient with all allowedGrantTypes and all allowedScopes", + inputObjects: []runtime.Object{&configv1alpha1.OIDCClient{ + ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234, UID: testUID}, + Spec: configv1alpha1.OIDCClientSpec{ + AllowedGrantTypes: []configv1alpha1.GrantType{"authorization_code", "urn:ietf:params:oauth:grant-type:token-exchange", "refresh_token"}, + AllowedScopes: []configv1alpha1.Scope{"openid", "offline_access", "pinniped:request-audience", "username", "groups"}, + }, + }}, + inputSecrets: []runtime.Object{storageSecretForUIDWithData(testUID, secretStringDataWithOneClientSecret)}, + wantAPIActions: 1, // one update + wantResultingOIDCClients: []configv1alpha1.OIDCClient{{ + ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234, UID: testUID}, + Status: configv1alpha1.OIDCClientStatus{ + Phase: "Ready", + Conditions: []configv1alpha1.Condition{ + happyAllowedGrantTypesCondition(now, 1234), 
+ happyAllowedScopesCondition(now, 1234), + happyClientSecretsCondition(1, now, 1234), + }, + }, + }}, + }, + { + name: "successfully validate an OIDCClient for offline access without kube API access without username/groups", + inputObjects: []runtime.Object{&configv1alpha1.OIDCClient{ + ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234, UID: testUID}, + Spec: configv1alpha1.OIDCClientSpec{ + AllowedGrantTypes: []configv1alpha1.GrantType{"authorization_code", "refresh_token"}, + AllowedScopes: []configv1alpha1.Scope{"openid", "offline_access"}, + }, + }}, + inputSecrets: []runtime.Object{storageSecretForUIDWithData(testUID, secretStringDataWithOneClientSecret)}, + wantAPIActions: 1, // one update + wantResultingOIDCClients: []configv1alpha1.OIDCClient{{ + ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234, UID: testUID}, + Status: configv1alpha1.OIDCClientStatus{ + Phase: "Ready", + Conditions: []configv1alpha1.Condition{ + happyAllowedGrantTypesCondition(now, 1234), + happyAllowedScopesCondition(now, 1234), + happyClientSecretsCondition(1, now, 1234), + }, + }, + }}, + }, + { + name: "successfully validate an OIDCClient for offline access without kube API access with username", + inputObjects: []runtime.Object{&configv1alpha1.OIDCClient{ + ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234, UID: testUID}, + Spec: configv1alpha1.OIDCClientSpec{ + AllowedGrantTypes: []configv1alpha1.GrantType{"authorization_code", "refresh_token"}, + AllowedScopes: []configv1alpha1.Scope{"openid", "offline_access", "username"}, + }, + }}, + inputSecrets: []runtime.Object{storageSecretForUIDWithData(testUID, secretStringDataWithOneClientSecret)}, + wantAPIActions: 1, // one update + wantResultingOIDCClients: []configv1alpha1.OIDCClient{{ + ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234, UID: testUID}, + Status: 
configv1alpha1.OIDCClientStatus{ + Phase: "Ready", + Conditions: []configv1alpha1.Condition{ + happyAllowedGrantTypesCondition(now, 1234), + happyAllowedScopesCondition(now, 1234), + happyClientSecretsCondition(1, now, 1234), + }, + }, + }}, + }, + { + name: "successfully validate an OIDCClient for offline access without kube API access with groups", + inputObjects: []runtime.Object{&configv1alpha1.OIDCClient{ + ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234, UID: testUID}, + Spec: configv1alpha1.OIDCClientSpec{ + AllowedGrantTypes: []configv1alpha1.GrantType{"authorization_code", "refresh_token"}, + AllowedScopes: []configv1alpha1.Scope{"openid", "offline_access", "groups"}, + }, + }}, + inputSecrets: []runtime.Object{storageSecretForUIDWithData(testUID, secretStringDataWithOneClientSecret)}, + wantAPIActions: 1, // one update + wantResultingOIDCClients: []configv1alpha1.OIDCClient{{ + ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234, UID: testUID}, + Status: configv1alpha1.OIDCClientStatus{ + Phase: "Ready", + Conditions: []configv1alpha1.Condition{ + happyAllowedGrantTypesCondition(now, 1234), + happyAllowedScopesCondition(now, 1234), + happyClientSecretsCondition(1, now, 1234), + }, + }, + }}, + }, + { + name: "successfully validate an OIDCClient for offline access without kube API access with both username and groups", + inputObjects: []runtime.Object{&configv1alpha1.OIDCClient{ + ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234, UID: testUID}, + Spec: configv1alpha1.OIDCClientSpec{ + AllowedGrantTypes: []configv1alpha1.GrantType{"authorization_code", "refresh_token"}, + AllowedScopes: []configv1alpha1.Scope{"openid", "offline_access", "username", "groups"}, + }, + }}, + inputSecrets: []runtime.Object{storageSecretForUIDWithData(testUID, secretStringDataWithOneClientSecret)}, + wantAPIActions: 1, // one update + wantResultingOIDCClients: 
[]configv1alpha1.OIDCClient{{ + ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234, UID: testUID}, + Status: configv1alpha1.OIDCClientStatus{ + Phase: "Ready", + Conditions: []configv1alpha1.Condition{ + happyAllowedGrantTypesCondition(now, 1234), + happyAllowedScopesCondition(now, 1234), + happyClientSecretsCondition(1, now, 1234), + }, + }, + }}, + }, + { + name: "successfully validate an OIDCClient without offline access without kube API access with username", + inputObjects: []runtime.Object{&configv1alpha1.OIDCClient{ + ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234, UID: testUID}, + Spec: configv1alpha1.OIDCClientSpec{ + AllowedGrantTypes: []configv1alpha1.GrantType{"authorization_code"}, + AllowedScopes: []configv1alpha1.Scope{"openid", "username"}, + }, + }}, + inputSecrets: []runtime.Object{storageSecretForUIDWithData(testUID, secretStringDataWithOneClientSecret)}, + wantAPIActions: 1, // one update + wantResultingOIDCClients: []configv1alpha1.OIDCClient{{ + ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234, UID: testUID}, + Status: configv1alpha1.OIDCClientStatus{ + Phase: "Ready", + Conditions: []configv1alpha1.Condition{ + happyAllowedGrantTypesCondition(now, 1234), + happyAllowedScopesCondition(now, 1234), + happyClientSecretsCondition(1, now, 1234), + }, + }, + }}, + }, + { + name: "successfully validate an OIDCClient without offline access without kube API access with groups", + inputObjects: []runtime.Object{&configv1alpha1.OIDCClient{ + ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234, UID: testUID}, + Spec: configv1alpha1.OIDCClientSpec{ + AllowedGrantTypes: []configv1alpha1.GrantType{"authorization_code"}, + AllowedScopes: []configv1alpha1.Scope{"openid", "username"}, + }, + }}, + inputSecrets: []runtime.Object{storageSecretForUIDWithData(testUID, secretStringDataWithOneClientSecret)}, + 
wantAPIActions: 1, // one update + wantResultingOIDCClients: []configv1alpha1.OIDCClient{{ + ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234, UID: testUID}, + Status: configv1alpha1.OIDCClientStatus{ + Phase: "Ready", + Conditions: []configv1alpha1.Condition{ + happyAllowedGrantTypesCondition(now, 1234), + happyAllowedScopesCondition(now, 1234), + happyClientSecretsCondition(1, now, 1234), + }, + }, + }}, + }, + { + name: "successfully validate an OIDCClient without offline access without kube API access with both username and groups", + inputObjects: []runtime.Object{&configv1alpha1.OIDCClient{ + ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234, UID: testUID}, + Spec: configv1alpha1.OIDCClientSpec{ + AllowedGrantTypes: []configv1alpha1.GrantType{"authorization_code"}, + AllowedScopes: []configv1alpha1.Scope{"openid", "username", "groups"}, + }, + }}, + inputSecrets: []runtime.Object{storageSecretForUIDWithData(testUID, secretStringDataWithOneClientSecret)}, + wantAPIActions: 1, // one update + wantResultingOIDCClients: []configv1alpha1.OIDCClient{{ + ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234, UID: testUID}, + Status: configv1alpha1.OIDCClientStatus{ + Phase: "Ready", + Conditions: []configv1alpha1.Condition{ + happyAllowedGrantTypesCondition(now, 1234), + happyAllowedScopesCondition(now, 1234), + happyClientSecretsCondition(1, now, 1234), + }, + }, + }}, + }, + } + + for _, tt := range tests { + tt := tt + t.Run(tt.name, func(t *testing.T) { + t.Parallel() + fakePinnipedClient := pinnipedfake.NewSimpleClientset(tt.inputObjects...) + fakePinnipedClientForInformers := pinnipedfake.NewSimpleClientset(tt.inputObjects...) + pinnipedInformers := pinnipedinformers.NewSharedInformerFactory(fakePinnipedClientForInformers, 0) + fakeKubeClient := kubernetesfake.NewSimpleClientset(tt.inputSecrets...) 
+ kubeInformers := kubeinformers.NewSharedInformerFactoryWithOptions(fakeKubeClient, 0) + + controller := NewOIDCClientWatcherController( + fakePinnipedClient, + kubeInformers.Core().V1().Secrets(), + pinnipedInformers.Config().V1alpha1().OIDCClients(), + controllerlib.WithInformer, + ) + + ctx, cancel := context.WithCancel(context.Background()) + defer cancel() + + pinnipedInformers.Start(ctx.Done()) + kubeInformers.Start(ctx.Done()) + controllerlib.TestRunSynchronously(t, controller) + + syncCtx := controllerlib.Context{Context: ctx, Key: controllerlib.Key{}} + + if err := controllerlib.TestSync(t, controller, syncCtx); tt.wantErr != "" { + require.EqualError(t, err, tt.wantErr) + } else { + require.NoError(t, err) + } + + require.Len(t, fakePinnipedClient.Actions(), tt.wantAPIActions) + + actualOIDCClients, err := fakePinnipedClient.ConfigV1alpha1().OIDCClients(testNamespace).List(ctx, metav1.ListOptions{}) + require.NoError(t, err) + + // Assert on the expected Status of the OIDCClients. Preprocess them a bit so that they're easier to assert against. + require.ElementsMatch(t, tt.wantResultingOIDCClients, normalizeOIDCClients(actualOIDCClients.Items, now)) + }) + } +} + +func normalizeOIDCClients(oidcClients []configv1alpha1.OIDCClient, now metav1.Time) []configv1alpha1.OIDCClient { + result := make([]configv1alpha1.OIDCClient, 0, len(oidcClients)) + for _, u := range oidcClients { + normalized := u.DeepCopy() + + // We're only interested in comparing the status, so zero out the spec. + normalized.Spec = configv1alpha1.OIDCClientSpec{} + + // Round down the LastTransitionTime values to `now` if they were just updated. This makes + // it much easier to encode assertions about the expected timestamps. 
+ for i := range normalized.Status.Conditions { + if time.Since(normalized.Status.Conditions[i].LastTransitionTime.Time) < 5*time.Second { + normalized.Status.Conditions[i].LastTransitionTime = now + } + } + result = append(result, *normalized) + } + + return result +} diff --git a/internal/controller/supervisorconfig/oidcupstreamwatcher/oidc_upstream_watcher.go b/internal/controller/supervisorconfig/oidcupstreamwatcher/oidc_upstream_watcher.go index 2faff38c..599d7400 100644 --- a/internal/controller/supervisorconfig/oidcupstreamwatcher/oidc_upstream_watcher.go +++ b/internal/controller/supervisorconfig/oidcupstreamwatcher/oidc_upstream_watcher.go @@ -410,7 +410,7 @@ func (c *oidcWatcherController) updateStatus(ctx context.Context, upstream *v1al log := c.log.WithValues("namespace", upstream.Namespace, "name", upstream.Name) updated := upstream.DeepCopy() - hadErrorCondition := conditionsutil.Merge(conditions, upstream.Generation, &updated.Status.Conditions, log) + hadErrorCondition := conditionsutil.MergeIDPConditions(conditions, upstream.Generation, &updated.Status.Conditions, log) updated.Status.Phase = v1alpha1.PhaseReady if hadErrorCondition { diff --git a/internal/crud/crud.go b/internal/crud/crud.go index 57e73b2a..29ad6b65 100644 --- a/internal/crud/crud.go +++ b/internal/crud/crud.go @@ -1,4 +1,4 @@ -// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved. +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 package crud @@ -45,6 +45,7 @@ type Storage interface { Update(ctx context.Context, signature, resourceVersion string, data JSON) (newResourceVersion string, err error) Delete(ctx context.Context, signature string) error DeleteByLabel(ctx context.Context, labelName string, labelValue string) error + GetName(signature string) string } type JSON interface{} // document that we need valid JSON types 
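Review bot: `GetName(signature string) string` joins the exported `Storage` interface in the `@@ -45` hunk of crud.go without a doc comment, and the `@@ -171` hunk that turns `secretsStorage.getName` into the exported `GetName` adds none either, so the only description of how a Secret name is derived stays in the method's inline comments. Since other packages now use this to locate Secrets by signature, suggest on the interface method: `// GetName returns the name of the Secret in which the data for the given signature is (or would be) stored.` The visible part of the method body decodes a possible base64 signature and base32-encodes the bytes, so the name is derived purely from the signature as far as this hunk shows; the method runs past the hunk, so whether any other input feeds the name cannot be confirmed here.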
@@ -80,7 +81,7 @@ func (s *secretsStorage) Create(ctx context.Context, signature string, data JSON } func (s *secretsStorage) Get(ctx context.Context, signature string, data JSON) (string, error) { - secret, err := s.secrets.Get(ctx, s.getName(signature), metav1.GetOptions{}) + secret, err := s.secrets.Get(ctx, s.GetName(signature), metav1.GetOptions{}) if err != nil { return "", fmt.Errorf("failed to get %s for signature %s: %w", s.resource, signature, err) } @@ -109,7 +110,7 @@ func (s *secretsStorage) Update(ctx context.Context, signature, resourceVersion } func (s *secretsStorage) Delete(ctx context.Context, signature string) error { - if err := s.secrets.Delete(ctx, s.getName(signature), metav1.DeleteOptions{}); err != nil { + if err := s.secrets.Delete(ctx, s.GetName(signature), metav1.DeleteOptions{}); err != nil { return fmt.Errorf("failed to delete %s for signature %s: %w", s.resource, signature, err) } return nil @@ -171,7 +172,7 @@ func validateSecret(resource string, secret *corev1.Secret) error { //nolint: gochecknoglobals var b32 = base32.StdEncoding.WithPadding(base32.NoPadding) -func (s *secretsStorage) getName(signature string) string { +func (s *secretsStorage) GetName(signature string) string { // try to decode base64 signatures to prevent double encoding of binary data signatureBytes := maybeBase64Decode(signature) // lower case base32 encoding insures that our secret name is valid per ValidateSecretName in k/k @@ -182,7 +183,7 @@ func (s *secretsStorage) getName(signature string) string { func (s *secretsStorage) toSecret(signature, resourceVersion string, data JSON, additionalLabels map[string]string) (*corev1.Secret, error) { buf, err := json.Marshal(data) if err != nil { - return nil, fmt.Errorf("failed to encode secret data for %s: %w", s.getName(signature), err) + return nil, fmt.Errorf("failed to encode secret data for %s: %w", s.GetName(signature), err) } labelsToAdd := map[string]string{ 
@@ -194,7 +195,7 @@ func (s *secretsStorage) toSecret(signature, resourceVersion string, data JSON, return &corev1.Secret{ ObjectMeta: metav1.ObjectMeta{ - Name: s.getName(signature), + Name: s.GetName(signature), ResourceVersion: resourceVersion, Labels: labelsToAdd, Annotations: map[string]string{ diff --git a/internal/oidcclientsecretstorage/oidcclientsecretstorage.go b/internal/oidcclientsecretstorage/oidcclientsecretstorage.go new file mode 100644 index 00000000..257e674c --- /dev/null +++ b/internal/oidcclientsecretstorage/oidcclientsecretstorage.go 
@@ -0,0 +1,67 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package oidcclientsecretstorage
+
+import (
+ "encoding/base64"
+ "fmt"
+ "time"
+
+ v1 "k8s.io/api/core/v1"
+ "k8s.io/apimachinery/pkg/types"
+ corev1client "k8s.io/client-go/kubernetes/typed/core/v1"
+
+ "go.pinniped.dev/internal/constable"
+ "go.pinniped.dev/internal/crud"
+)
+
+const (
+ TypeLabelValue = "oidc-client-secret"
+
+ ErrOIDCClientSecretStorageVersion = constable.Error("OIDC client secret storage data has wrong version")
+
+ oidcClientSecretStorageVersion = "1"
+)
+
+type OIDCClientSecretStorage struct {
+ storage crud.Storage
+}
+
+// StoredClientSecret defines the format of the content of a client's secrets when stored in a Secret
+// as a JSON string value.
+type StoredClientSecret struct {
+ // List of bcrypt hashes.
+ SecretHashes []string `json:"hashes"`
+ // The format version. Take care when updating. We cannot simply bump the storage version and drop/ignore old data.
+ // Updating this would require some form of migration of existing stored data.
+ Version string `json:"version"`
+}
+
+func New(secrets corev1client.SecretInterface, clock func() time.Time) *OIDCClientSecretStorage {
+ // TODO make lifetime = 0 mean that it does not get annotated with any garbage collection annotation
+ return &OIDCClientSecretStorage{storage: crud.New(TypeLabelValue, secrets, clock, 0)}
+}
+
+// TODO expose other methods as needed for get, create, update, etc.
+
+// GetName returns the name of the Secret which would be used to store data for the given signature.
+func (s *OIDCClientSecretStorage) GetName(oidcClientUID types.UID) string {
+ // Avoid having s.storage.GetName() base64 decode something that wasn't ever encoded by encoding it here.
+ b64encodedUID := base64.RawURLEncoding.EncodeToString([]byte(oidcClientUID))
+ return s.storage.GetName(b64encodedUID)
+}
+
+// ReadFromSecret reads the contents of a Secret as a StoredClientSecret.
+func ReadFromSecret(secret *v1.Secret) (*StoredClientSecret, error) {
+ storedClientSecret := &StoredClientSecret{}
+ err := crud.FromSecret(TypeLabelValue, secret, storedClientSecret)
+ if err != nil {
+ return nil, err
+ }
+ if storedClientSecret.Version != oidcClientSecretStorageVersion {
+ return nil, fmt.Errorf("%w: OIDC client secret storage has version %s instead of %s",
+ ErrOIDCClientSecretStorageVersion, storedClientSecret.Version, oidcClientSecretStorageVersion)
+ }
+ return storedClientSecret, nil
+}
diff --git a/internal/oidcclientsecretstorage/oidcclientsecretstorage_test.go b/internal/oidcclientsecretstorage/oidcclientsecretstorage_test.go
new file mode 100644
index 00000000..ac81565a
--- /dev/null
+++ b/internal/oidcclientsecretstorage/oidcclientsecretstorage_test.go
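Review bot: The doc comment on `OIDCClientSecretStorage.GetName` says "for the given signature", but the parameter is `oidcClientUID types.UID` and the body base64-encodes that UID before passing it to `s.storage.GetName`, so the comment describes the wrong input. Suggest `// GetName returns the name of the Secret which would be used to store the client secrets of the OIDCClient with the given UID.` It is also worth stating on `New` or `GetName` that name derivation uses neither the `secrets` client nor `clock`, because both the unit test and the integration test in this commit call `New(nil, nil).GetName(...)` and only keep working while that stays true. The `SecretHashes` comment `List of bcrypt hashes.` could add that this type carries only hashes and never the plaintext client secrets, since that is the property a reader of the storage format cares about.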
@@ -0,0 +1,125 @@ +// Copyright 2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +package oidcclientsecretstorage + +import ( + "testing" + + "github.com/stretchr/testify/require" + corev1 "k8s.io/api/core/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" +) + +func TestGetName(t *testing.T) { + // Note that GetName() should not depend on the constructor params, to make it easier to use in various contexts. + subject := New(nil, nil) + + require.Equal(t, + "pinniped-storage-oidc-client-secret-onxw2zjnmv4gc3lqnrss25ljmqyq", + subject.GetName("some-example-uid1")) + + require.Equal(t, + "pinniped-storage-oidc-client-secret-onxw2zjnmv4gc3lqnrss25ljmqza", + subject.GetName("some-example-uid2")) +} + +func TestReadFromSecret(t *testing.T) { + tests := []struct { + name string + secret *corev1.Secret + wantStored *StoredClientSecret + wantErr string + }{ + { + name: "happy path", + secret: &corev1.Secret{ + ObjectMeta: metav1.ObjectMeta{ + Name: "pinniped-storage-oidc-client-secret-pwu5zs7lekbhnln2w4", + ResourceVersion: "", + Labels: map[string]string{ + "storage.pinniped.dev/type": "oidc-client-secret", + }, + }, + Data: map[string][]byte{ + "pinniped-storage-data": []byte(`{"hashes":["first-hash","second-hash"],"version":"1"}`), + "pinniped-storage-version": []byte("1"), + }, + Type: "storage.pinniped.dev/oidc-client-secret", + }, + wantStored: &StoredClientSecret{ + Version: "1", + SecretHashes: []string{"first-hash", "second-hash"}, + }, + }, + { + name: "wrong secret type", + secret: &corev1.Secret{ + ObjectMeta: metav1.ObjectMeta{ + Name: "pinniped-storage-oidc-client-secret-pwu5zs7lekbhnln2w4", + ResourceVersion: "", + Labels: map[string]string{ + "storage.pinniped.dev/type": "oidc-client-secret", + }, + }, + Data: map[string][]byte{ + "pinniped-storage-data": []byte(`{"hashes":["first-hash","second-hash"],"version":"1"}`), + "pinniped-storage-version": []byte("1"), + }, + Type: 
"storage.pinniped.dev/not-oidc-client-secret", + }, + wantErr: "secret storage data has incorrect type: storage.pinniped.dev/not-oidc-client-secret must equal storage.pinniped.dev/oidc-client-secret", + }, + { + name: "wrong stored StoredClientSecret version", + secret: &corev1.Secret{ + ObjectMeta: metav1.ObjectMeta{ + Name: "pinniped-storage-oidc-client-secret-pwu5zs7lekbhnln2w4", + ResourceVersion: "", + Labels: map[string]string{ + "storage.pinniped.dev/type": "oidc-client-secret", + }, + }, + Data: map[string][]byte{ + "pinniped-storage-data": []byte(`{"hashes":["first-hash","second-hash"],"version":"wrong-version-here"}`), + "pinniped-storage-version": []byte("1"), + }, + Type: "storage.pinniped.dev/oidc-client-secret", + }, + wantErr: "OIDC client secret storage data has wrong version: OIDC client secret storage has version wrong-version-here instead of 1", + }, + { + name: "wrong storage version", + secret: &corev1.Secret{ + ObjectMeta: metav1.ObjectMeta{ + Name: "pinniped-storage-oidc-client-secret-pwu5zs7lekbhnln2w4", + ResourceVersion: "", + Labels: map[string]string{ + "storage.pinniped.dev/type": "oidc-client-secret", + }, + }, + Data: map[string][]byte{ + "pinniped-storage-data": []byte(`{"hashes":["first-hash","second-hash"],"version":"1"}`), + "pinniped-storage-version": []byte("wrong-version-here"), + }, + Type: "storage.pinniped.dev/oidc-client-secret", + }, + wantErr: "secret storage data has incorrect version", + }, + } + + for _, tt := range tests { + tt := tt + t.Run(tt.name, func(t *testing.T) { + t.Parallel() + session, err := ReadFromSecret(tt.secret) + if tt.wantErr == "" { + require.NoError(t, err) + require.Equal(t, tt.wantStored, session) + } else { + require.EqualError(t, err, tt.wantErr) + require.Nil(t, session) + } + }) + } +} diff --git a/internal/supervisor/server/server.go b/internal/supervisor/server/server.go index 30cdf48f..677165ee 100644 --- a/internal/supervisor/server/server.go +++ b/internal/supervisor/server/server.go 
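Review bot: In the loop at the end of `TestReadFromSecret` the result of `ReadFromSecret` is bound to a variable named `session`, which looks carried over from a session-storage test; the value is a `*StoredClientSecret`, so `stored, err := ReadFromSecret(tt.secret)` with `require.Equal(t, tt.wantStored, stored)` and `require.Nil(t, stored)` reads correctly. `TestGetName` pins two exact Secret names without saying how they were produced; given the crud naming shown elsewhere in this commit (optional base64 decode, then lowercase unpadded base32), a comment such as `// Expected names are the crud scheme applied to the UID bytes: "pinniped-storage-oidc-client-secret-" + lowercase unpadded base32.` would let the next person regenerate them instead of copying from a failure message. The "wrong secret type" and "wrong storage version" cases assert on messages produced by `crud.FromSecret`, which is outside this diff, so those strings will need updating in lockstep with that package.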
@@ -46,6 +46,7 @@ import ( "go.pinniped.dev/internal/controller/supervisorconfig/activedirectoryupstreamwatcher" "go.pinniped.dev/internal/controller/supervisorconfig/generator" "go.pinniped.dev/internal/controller/supervisorconfig/ldapupstreamwatcher" + "go.pinniped.dev/internal/controller/supervisorconfig/oidcclientwatcher" "go.pinniped.dev/internal/controller/supervisorconfig/oidcupstreamwatcher" "go.pinniped.dev/internal/controller/supervisorstorage" "go.pinniped.dev/internal/controllerinit" @@ -141,6 +142,7 @@ func prepareControllers( const certificateName string = "pinniped-supervisor-api-tls-serving-certificate" clientSecretSupervisorGroupData := groupsuffix.SupervisorAggregatedGroups(*cfg.APIGroupSuffix) federationDomainInformer := pinnipedInformers.Config().V1alpha1().FederationDomains() + oidcClientInformer := pinnipedInformers.Config().V1alpha1().OIDCClients() secretInformer := kubeInformers.Core().V1().Secrets() // Create controller manager. @@ -356,6 +358,15 @@ func prepareControllers( plog.New(), ), singletonWorker, + ). + WithController( + oidcclientwatcher.NewOIDCClientWatcherController( + pinnipedClient, + secretInformer, + oidcClientInformer, + controllerlib.WithInformer, + ), + singletonWorker, ) return controllerinit.Prepare(controllerManager.Start, leaderElector, kubeInformers, pinnipedInformers) diff --git a/test/integration/oidc_client_test.go b/test/integration/supervisor_oidc_client_test.go similarity index 66% rename from test/integration/oidc_client_test.go rename to test/integration/supervisor_oidc_client_test.go index fe77b3b8..adb43403 100644 --- a/test/integration/oidc_client_test.go +++ b/test/integration/supervisor_oidc_client_test.go @@ -17,6 +17,7 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" supervisorconfigv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/config/v1alpha1" + "go.pinniped.dev/internal/oidcclientsecretstorage" "go.pinniped.dev/internal/testutil" "go.pinniped.dev/test/testlib" ) 
@@ -464,3 +465,205 @@ func makeErrFix(reallyOld bool) []string { return out } + +func TestOIDCClientControllerValidations_Parallel(t *testing.T) { + env := testlib.IntegrationEnv(t) + + ctx, cancel := context.WithTimeout(context.Background(), 5*time.Minute) + t.Cleanup(cancel) + + secrets := testlib.NewKubernetesClientset(t).CoreV1().Secrets(env.SupervisorNamespace) + oidcClients := testlib.NewSupervisorClientset(t).ConfigV1alpha1().OIDCClients(env.SupervisorNamespace) + + tests := []struct { + name string + client *supervisorconfigv1alpha1.OIDCClient + secret *corev1.Secret + wantPhase string + wantConditions []supervisorconfigv1alpha1.Condition + }{ + { + name: "invalid AllowedGrantTypes and AllowedScopes (missing minimum required values), with no Secret", + client: &supervisorconfigv1alpha1.OIDCClient{ + ObjectMeta: metav1.ObjectMeta{ + GenerateName: "client.oauth.pinniped.dev-", + }, + Spec: supervisorconfigv1alpha1.OIDCClientSpec{ + AllowedRedirectURIs: []supervisorconfigv1alpha1.RedirectURI{"https://some-redirect-url.test.pinniped.dev/some/path"}, + AllowedGrantTypes: []supervisorconfigv1alpha1.GrantType{"refresh_token"}, // needs to have authorization_code + AllowedScopes: []supervisorconfigv1alpha1.Scope{"username"}, // needs to have openid + }, + }, + wantPhase: "Error", + wantConditions: []supervisorconfigv1alpha1.Condition{ + { + Type: "AllowedGrantTypesValid", + Status: "False", + Reason: "MissingRequiredValue", + Message: `"authorization_code" must always be included in "allowedGrantTypes"`, + }, + { + Type: "AllowedScopesValid", + Status: "False", + Reason: "MissingRequiredValue", + Message: `"openid" must always be included in "allowedScopes"`, + }, + { + Type: "ClientSecretExists", + Status: "False", + Reason: "NoClientSecretFound", + Message: `no client secret found (no Secret storage found)`, + }, + }, + }, + { + name: "minimal valid AllowedGrantTypes and AllowedScopes, with Secret that contains empty list of client secrets", + client: 
&supervisorconfigv1alpha1.OIDCClient{ + ObjectMeta: metav1.ObjectMeta{ + GenerateName: "client.oauth.pinniped.dev-", + }, + Spec: supervisorconfigv1alpha1.OIDCClientSpec{ + AllowedRedirectURIs: []supervisorconfigv1alpha1.RedirectURI{"https://some-redirect-url.test.pinniped.dev/some/path"}, + AllowedGrantTypes: []supervisorconfigv1alpha1.GrantType{"authorization_code"}, + AllowedScopes: []supervisorconfigv1alpha1.Scope{"openid"}, + }, + }, + secret: &corev1.Secret{ + ObjectMeta: metav1.ObjectMeta{ + Labels: map[string]string{"storage.pinniped.dev/type": "oidc-client-secret"}, + }, + Type: "storage.pinniped.dev/oidc-client-secret", + Data: map[string][]byte{ + "pinniped-storage-data": []byte(`{"version":"1","hashes":[]}`), + "pinniped-storage-version": []byte("1"), + }, + }, + wantPhase: "Error", + wantConditions: []supervisorconfigv1alpha1.Condition{ + { + Type: "AllowedGrantTypesValid", + Status: "True", + Reason: "Success", + Message: `"allowedGrantTypes" is valid`, + }, + { + Type: "AllowedScopesValid", + Status: "True", + Reason: "Success", + Message: `"allowedScopes" is valid`, + }, + { + Type: "ClientSecretExists", + Status: "False", + Reason: "NoClientSecretFound", + Message: `no client secret found (empty list in storage)`, + }, + }, + }, + { + name: "happy path example with one client secret stored and all possible AllowedGrantTypes and AllowedScopes", + client: &supervisorconfigv1alpha1.OIDCClient{ + ObjectMeta: metav1.ObjectMeta{ + GenerateName: "client.oauth.pinniped.dev-", + }, + Spec: supervisorconfigv1alpha1.OIDCClientSpec{ + AllowedRedirectURIs: []supervisorconfigv1alpha1.RedirectURI{"https://some-redirect-url.test.pinniped.dev/some/path"}, + AllowedGrantTypes: []supervisorconfigv1alpha1.GrantType{"authorization_code", "urn:ietf:params:oauth:grant-type:token-exchange", "refresh_token"}, + AllowedScopes: []supervisorconfigv1alpha1.Scope{"openid", "offline_access", "pinniped:request-audience", "username", "groups"}, + }, + }, + secret: &corev1.Secret{ 
+ ObjectMeta: metav1.ObjectMeta{ + Labels: map[string]string{"storage.pinniped.dev/type": "oidc-client-secret"}, + }, + Type: "storage.pinniped.dev/oidc-client-secret", + Data: map[string][]byte{ + "pinniped-storage-data": []byte(`{"version":"1","hashes":["$2y$15$Kh7cRj0ScSD5QelE3ZNSl.nF04JDv7zb3SgGN.tSfLIX.4kt3UX7m"]}`), + "pinniped-storage-version": []byte("1"), + }, + }, + wantPhase: "Ready", + wantConditions: []supervisorconfigv1alpha1.Condition{ + { + Type: "AllowedGrantTypesValid", + Status: "True", + Reason: "Success", + Message: `"allowedGrantTypes" is valid`, + }, + { + Type: "AllowedScopesValid", + Status: "True", + Reason: "Success", + Message: `"allowedScopes" is valid`, + }, + { + Type: "ClientSecretExists", + Status: "True", + Reason: "Success", + Message: `1 client secret(s) found`, + }, + }, + }, + // Note: there are many more possible combinations of these settings, but they are covered by the controller's + // unit tests. This test ensures that everything is wired up correctly in regard to this controller, enough to + // allow the controller to work correctly. + } + + for _, tt := range tests { + tt := tt + t.Run(tt.name, func(t *testing.T) { + t.Parallel() + + client, err := oidcClients.Create(ctx, tt.client, metav1.CreateOptions{}) + require.NoError(t, err) + t.Cleanup(func() { + t.Logf("cleaning up test OIDCClient %s/%s", client.Namespace, client.Name) + err := oidcClients.Delete(ctx, client.Name, metav1.DeleteOptions{}) + require.NoError(t, err) + }) + + if tt.secret != nil { + // Force the Secret's name to match the client created above. 
+ tt.secret.Name = oidcclientsecretstorage.New(nil, nil).GetName(client.UID) + secret, err := secrets.Create(ctx, tt.secret, metav1.CreateOptions{}) + require.NoError(t, err) + t.Cleanup(func() { + t.Logf("cleaning up test Secret %s/%s", secret.Namespace, secret.Name) + err := secrets.Delete(ctx, secret.Name, metav1.DeleteOptions{}) + require.NoError(t, err) + }) + } + + // Wait for the OIDCClient to enter the expected phase (or time out). + testlib.RequireEventuallyf(t, func(requireEventually *require.Assertions) { + var err error + updatedClient, err := oidcClients.Get(ctx, client.Name, metav1.GetOptions{}) + requireEventually.NoErrorf(err, "error while getting OIDCClient %s/%s", client.Namespace, client.Name) + requireEventually.Equalf(supervisorconfigv1alpha1.OIDCClientPhase(tt.wantPhase), updatedClient.Status.Phase, + "OIDCClient is not in phase %s: %v", tt.wantPhase, testlib.Sdump(updatedClient)) + }, 1*time.Minute, 2*time.Second, "expected the OIDCClient to go into phase %s", tt.wantPhase) + + // Wait for the controller to converge to the expected Conditions list. It may take several passes of the + // controller running, since the Secret is created after the OIDCClient is created, potentially causing + // the controller to Sync at least twice. + testlib.RequireEventuallyf(t, func(requireEventually *require.Assertions) { + var err error + updatedClient, err := oidcClients.Get(ctx, client.Name, metav1.GetOptions{}) + requireEventually.NoErrorf(err, "error while getting OIDCClient %s/%s", client.Namespace, client.Name) + + // Note that the controller sorts the conditions by type name, + // so we can assume that ordering in the test expectations for this test. 
+ requireEventually.Len(updatedClient.Status.Conditions, len(tt.wantConditions)) + for i, want := range tt.wantConditions { + actual := updatedClient.Status.Conditions[i] + requireEventually.Equal(want.Type, actual.Type) + requireEventually.Equal(want.Status, actual.Status) + requireEventually.Equal(want.Reason, actual.Reason) + requireEventually.Equal(want.Message, actual.Message) + requireEventually.Equal(updatedClient.Generation, actual.ObservedGeneration) + requireEventually.NotEmpty(actual.LastTransitionTime) + } + }, 1*time.Minute, 2*time.Second, "expected the OIDCClient to to have conditions %v", tt.wantConditions) + }) + } +} From 9903c5f79e9c78e1317623bb3d8918baad2e8ae6 Mon Sep 17 00:00:00 2001 From: Margo Crawford Date: Wed, 22 Jun 2022 08:21:16 -0700 Subject: [PATCH 23/61] Handle refresh requests without groups scope Signed-off-by: Margo Crawford --- .../downstreamsession/downstream_session.go | 3 +- internal/oidc/login/post_login_handler.go | 1 - .../provider/dynamic_upstream_idp_provider.go | 2 + internal/oidc/token/token_handler.go | 69 ++-- internal/oidc/token/token_handler_test.go | 356 +++++++++++++----- test/integration/supervisor_login_test.go | 73 +++- test/integration/supervisor_warnings_test.go | 3 +- 7 files changed, 369 insertions(+), 138 deletions(-) diff --git a/internal/oidc/downstreamsession/downstream_session.go b/internal/oidc/downstreamsession/downstream_session.go index d5783e5e..fbb0ca52 100644 --- a/internal/oidc/downstreamsession/downstream_session.go +++ b/internal/oidc/downstreamsession/downstream_session.go @@ -10,12 +10,11 @@ import ( "net/url" "time" - "k8s.io/utils/strings/slices" - "github.com/ory/fosite" "github.com/ory/fosite/handler/openid" "github.com/ory/fosite/token/jwt" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/utils/strings/slices" "go.pinniped.dev/internal/authenticators" "go.pinniped.dev/internal/constable" 
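Review bot: The message of the final `RequireEventuallyf` has a doubled word, `"expected the OIDCClient to to have conditions %v"`; it should read `"expected the OIDCClient to have conditions %v"`. In both `RequireEventuallyf` closures the `var err error` line is redundant, because the following `updatedClient, err := ...` declares `err` in the same scope anyway, so both can be dropped. The Secret for a test case is named via `oidcclientsecretstorage.New(nil, nil).GetName(client.UID)`, which silently couples this test to `GetName` never touching its constructor arguments; a short comment at that line, `// GetName only derives the name from the UID, so nil dependencies are fine here.`, would make the coupling visible to whoever later gives `New` real work to do.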
diff --git a/internal/oidc/login/post_login_handler.go b/internal/oidc/login/post_login_handler.go index fdc480c0..dafe6e06 100644 --- a/internal/oidc/login/post_login_handler.go +++ b/internal/oidc/login/post_login_handler.go @@ -8,7 +8,6 @@ import ( "net/url" coreosoidc "github.com/coreos/go-oidc/v3/oidc" - "github.com/ory/fosite" "go.pinniped.dev/internal/httputil/httperr" diff --git a/internal/oidc/provider/dynamic_upstream_idp_provider.go b/internal/oidc/provider/dynamic_upstream_idp_provider.go index 79771943..befcddb8 100644 --- a/internal/oidc/provider/dynamic_upstream_idp_provider.go +++ b/internal/oidc/provider/dynamic_upstream_idp_provider.go @@ -111,6 +111,8 @@ type UpstreamLDAPIdentityProviderI interface { PerformRefresh(ctx context.Context, storedRefreshAttributes StoredRefreshAttributes) (groups []string, err error) } +// StoredRefreshAttributes contains information about the user from the original login request +// and previous refreshes. type StoredRefreshAttributes struct { Username string Subject string diff --git a/internal/oidc/token/token_handler.go b/internal/oidc/token/token_handler.go index 15f50ec1..6c3bf575 100644 --- a/internal/oidc/token/token_handler.go +++ b/internal/oidc/token/token_handler.go @@ -15,6 +15,7 @@ import ( "golang.org/x/oauth2" "k8s.io/apimachinery/pkg/util/sets" "k8s.io/apiserver/pkg/warning" + "k8s.io/utils/strings/slices" "go.pinniped.dev/internal/httputil/httperr" "go.pinniped.dev/internal/oidc" 
@@ -106,19 +107,21 @@ func upstreamRefresh(ctx context.Context, accessRequest fosite.AccessRequester, return errorsx.WithStack(errMissingUpstreamSessionInternalError()) } + grantedScopes := accessRequest.GetGrantedScopes() + switch customSessionData.ProviderType { case psession.ProviderTypeOIDC: - return upstreamOIDCRefresh(ctx, session, providerCache) + return upstreamOIDCRefresh(ctx, session, providerCache, grantedScopes) case psession.ProviderTypeLDAP: - return upstreamLDAPRefresh(ctx, providerCache, session) + return upstreamLDAPRefresh(ctx, providerCache, session, grantedScopes) case psession.ProviderTypeActiveDirectory: - return upstreamLDAPRefresh(ctx, providerCache, session) + return upstreamLDAPRefresh(ctx, providerCache, session, grantedScopes) default: return errorsx.WithStack(errMissingUpstreamSessionInternalError()) } } -func upstreamOIDCRefresh(ctx context.Context, session *psession.PinnipedSession, providerCache oidc.UpstreamIdentityProvidersLister) error { +func upstreamOIDCRefresh(ctx context.Context, session *psession.PinnipedSession, providerCache oidc.UpstreamIdentityProvidersLister, grantedScopes []string) error { s := session.Custom if s.OIDC == nil { return errorsx.WithStack(errMissingUpstreamSessionInternalError()) 
@@ -177,30 +180,33 @@ func upstreamOIDCRefresh(ctx context.Context, session *psession.PinnipedSession, return err } - // If possible, update the user's group memberships. The configured groups claim name (if there is one) may or - // may not be included in the newly fetched and merged claims. It could be missing due to a misconfiguration of the - // claim name. It could also be missing because the claim was originally found in the ID token during login, but - // now we might not have a refreshed ID token. - // If the claim is found, then use it to update the user's group membership in the session. - // If the claim is not found, then we have no new information about groups, so skip updating the group membership - // and let any old groups memberships in the session remain. - refreshedGroups, err := downstreamsession.GetGroupsFromUpstreamIDToken(p, mergedClaims) - if err != nil { - return errUpstreamRefreshError().WithHintf( - "Upstream refresh error while extracting groups claim.").WithTrace(err). - WithDebugf("provider name: %q, provider type: %q", s.ProviderName, s.ProviderType) - } - if refreshedGroups != nil { - oldGroups, err := getDownstreamGroupsFromPinnipedSession(session) + groupsScope := slices.Contains(grantedScopes, oidc.DownstreamGroupsScope) + if groupsScope { + // If possible, update the user's group memberships. The configured groups claim name (if there is one) may or + // may not be included in the newly fetched and merged claims. It could be missing due to a misconfiguration of the + // claim name. It could also be missing because the claim was originally found in the ID token during login, but + // now we might not have a refreshed ID token. + // If the claim is found, then use it to update the user's group membership in the session. + // If the claim is not found, then we have no new information about groups, so skip updating the group membership + // and let any old groups memberships in the session remain. 
+ refreshedGroups, err := downstreamsession.GetGroupsFromUpstreamIDToken(p, mergedClaims) if err != nil { - return err + return errUpstreamRefreshError().WithHintf( + "Upstream refresh error while extracting groups claim.").WithTrace(err). + WithDebugf("provider name: %q, provider type: %q", s.ProviderName, s.ProviderType) } - username, err := getDownstreamUsernameFromPinnipedSession(session) - if err != nil { - return err + if refreshedGroups != nil { + oldGroups, err := getDownstreamGroupsFromPinnipedSession(session) + if err != nil { + return err + } + username, err := getDownstreamUsernameFromPinnipedSession(session) + if err != nil { + return err + } + warnIfGroupsChanged(ctx, oldGroups, refreshedGroups, username) + session.Fosite.Claims.Extra[oidc.DownstreamGroupsClaim] = refreshedGroups } - warnIfGroupsChanged(ctx, oldGroups, refreshedGroups, username) - session.Fosite.Claims.Extra[oidc.DownstreamGroupsClaim] = refreshedGroups } // Upstream refresh may or may not return a new refresh token. If we got a new refresh token, then update it in @@ -291,7 +297,7 @@ func findOIDCProviderByNameAndValidateUID( WithDebugf("provider name: %q, provider type: %q", s.ProviderName, s.ProviderType)) } -func upstreamLDAPRefresh(ctx context.Context, providerCache oidc.UpstreamIdentityProvidersLister, session *psession.PinnipedSession) error { +func upstreamLDAPRefresh(ctx context.Context, providerCache oidc.UpstreamIdentityProvidersLister, session *psession.PinnipedSession, grantedScopes []string) error { username, err := getDownstreamUsernameFromPinnipedSession(session) if err != nil { return err 
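Review bot: The new `if groupsScope` guard in `upstreamOIDCRefresh`, and the matching one in `upstreamLDAPRefresh` in the `@@ -339` hunk, leave `session.Fosite.Claims.Extra[oidc.DownstreamGroupsClaim]` untouched when the groups scope was not granted, so a session that stored groups at login keeps that stale value across every refresh. The test change at `@@ -299` in token_handler_test.go (`wantGroups: nil` for a request without the groups scope) suggests token issuance already omits the claim in that case, making the stale value inert, but nothing at the guard records that reasoning; suggest `// Without the groups scope the stored groups are neither refreshed nor emitted downstream, so they are left as-is rather than cleared.` if that is the intent, or clear the claim at this point if it is not. Both refreshers recompute `slices.Contains(grantedScopes, oidc.DownstreamGroupsScope)` even though `upstreamRefresh` in the `@@ -106` hunk already holds `grantedScopes`; computing the bool once there and passing it down would remove the duplication. `upstreamOIDCRefresh` starts and ends outside this hunk.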
@@ -339,10 +345,13 @@ func upstreamLDAPRefresh(ctx context.Context, providerCache oidc.UpstreamIdentit "Upstream refresh failed.").WithTrace(err). WithDebugf("provider name: %q, provider type: %q", s.ProviderName, s.ProviderType) } - // Replace the old value with the new value. - session.Fosite.Claims.Extra[oidc.DownstreamGroupsClaim] = groups + groupsScope := slices.Contains(grantedScopes, oidc.DownstreamGroupsScope) + if groupsScope { + // Replace the old value with the new value. + session.Fosite.Claims.Extra[oidc.DownstreamGroupsClaim] = groups - warnIfGroupsChanged(ctx, oldGroups, groups, username) + warnIfGroupsChanged(ctx, oldGroups, groups, username) + } return nil }
@@ -400,7 +409,7 @@ func getDownstreamGroupsFromPinnipedSession(session *psession.PinnipedSession) ( } downstreamGroupsInterface := extra[oidc.DownstreamGroupsClaim] if downstreamGroupsInterface == nil { - return nil, errorsx.WithStack(errMissingUpstreamSessionInternalError()) + return nil, nil } downstreamGroupsInterfaceList, ok := downstreamGroupsInterface.([]interface{}) if !ok {
diff --git a/internal/oidc/token/token_handler_test.go b/internal/oidc/token/token_handler_test.go
index ea0d9290..423a8c55 100644
--- a/internal/oidc/token/token_handler_test.go
+++ b/internal/oidc/token/token_handler_test.go
@@ -200,7 +200,7 @@ var ( happyAuthRequest = &http.Request{ Form: url.Values{ "response_type": {"code"}, - "scope": {"openid profile email"}, + "scope": {"openid profile email groups"}, "client_id": {goodClient}, "state": {"some-state-value-with-enough-bytes-to-exceed-min-allowed"}, "nonce": {goodNonce},
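Review bot: In the `@@ -400` hunk, `return nil, nil` for a session with no groups claim silently replaces what used to be an internal error, so a missing claim is now indistinguishable from "no groups were ever stored"; that is the right outcome for sessions issued without the groups scope, but the function's doc comment (outside the hunk) presumably still describes the error case and should say `// Returns nil groups and no error when the session carries no groups claim, e.g. because the groups scope was not granted.` In upstreamLDAPRefresh (`@@ -339`) the nil `oldGroups` then flows into `warnIfGroupsChanged(ctx, oldGroups, groups, username)`; if that helper logs on any difference, the first refresh of such a session will report every group as newly added, which is worth confirming is acceptable log noise. Both enclosing functions start and end outside their hunks.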
@@ -268,11 +268,12 @@ func TestTokenEndpointAuthcodeExchange(t *testing.T) { { name: "request is valid and tokens are issued", authcodeExchange: authcodeExchangeInputs{ + modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid profile email groups") }, want: tokenEndpointResponseExpectedValues{ wantStatus: http.StatusOK, wantSuccessBodyFields: []string{"id_token", "access_token", "token_type", "scope", "expires_in"}, // no refresh token - wantRequestedScopes: []string{"openid", "profile", "email"}, - wantGrantedScopes: []string{"openid"}, + wantRequestedScopes: []string{"openid", "profile", "email", "groups"}, + wantGrantedScopes: []string{"openid", "groups"}, wantGroups: goodGroups, }, }, @@ -299,7 +300,7 @@ func TestTokenEndpointAuthcodeExchange(t *testing.T) { wantSuccessBodyFields: []string{"id_token", "access_token", "token_type", "scope", "expires_in", "refresh_token"}, // all possible tokens wantRequestedScopes: []string{"openid", "offline_access"}, wantGrantedScopes: []string{"openid", "offline_access"}, - wantGroups: goodGroups, + wantGroups: nil, }, }, }, @@ -316,6 +317,19 @@ func TestTokenEndpointAuthcodeExchange(t *testing.T) { }, }, }, + { + name: "groups scope is requested", + authcodeExchange: authcodeExchangeInputs{ + modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid profile email groups") }, + want: tokenEndpointResponseExpectedValues{ + wantStatus: http.StatusOK, + wantSuccessBodyFields: []string{"id_token", "access_token", "token_type", "scope", "expires_in"}, // no refresh token + wantRequestedScopes: []string{"openid", "profile", "email", "groups"}, + wantGrantedScopes: []string{"openid", "groups"}, + wantGroups: goodGroups, + }, + }, + }, // sad path { 
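Review bot: The new "groups scope is requested" case added in the `@@ -316` hunk is identical to the modified "request is valid and tokens are issued" case in the `@@ -268` hunk — same `modifyAuthRequest` scope string, same requested and granted scopes, same `wantGroups: goodGroups` — so one of them exercises nothing new. The first case would be more valuable as the groups-less baseline: drop its `modifyAuthRequest`, restore `wantRequestedScopes: []string{"openid", "profile", "email"}` and `wantGrantedScopes: []string{"openid"}`, and set `wantGroups: nil`, so the pair pins both branches of the new scope gate. Both cases sit in a table literal that starts and ends outside the hunk.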
@@ -566,12 +580,12 @@ func TestTokenEndpointWhenAuthcodeIsUsedTwice(t *testing.T) { { name: "authcode exchange succeeds once and then fails when the same authcode is used again", authcodeExchange: authcodeExchangeInputs{ - modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access profile email") }, + modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access profile email groups") }, want: tokenEndpointResponseExpectedValues{ wantStatus: http.StatusOK, wantSuccessBodyFields: []string{"id_token", "refresh_token", "access_token", "token_type", "expires_in", "scope"}, - wantRequestedScopes: []string{"openid", "offline_access", "profile", "email"}, - wantGrantedScopes: []string{"openid", "offline_access"}, + wantRequestedScopes: []string{"openid", "offline_access", "profile", "email", "groups"}, + wantGrantedScopes: []string{"openid", "offline_access", "groups"}, wantGroups: goodGroups, }, }, @@ -630,14 +644,14 @@ func TestTokenEndpointTokenExchange(t *testing.T) { // tests for grant_type "urn successfulAuthCodeExchange := tokenEndpointResponseExpectedValues{ wantStatus: http.StatusOK, wantSuccessBodyFields: []string{"id_token", "access_token", "token_type", "expires_in", "scope"}, - wantRequestedScopes: []string{"openid", "pinniped:request-audience"}, - wantGrantedScopes: []string{"openid", "pinniped:request-audience"}, + wantRequestedScopes: []string{"openid", "pinniped:request-audience", "groups"}, + wantGrantedScopes: []string{"openid", "pinniped:request-audience", "groups"}, wantGroups: goodGroups, } doValidAuthCodeExchange := authcodeExchangeInputs{ modifyAuthRequest: func(authRequest *http.Request) { - authRequest.Form.Set("scope", "openid pinniped:request-audience") + authRequest.Form.Set("scope", "openid pinniped:request-audience groups") }, want: successfulAuthCodeExchange, } 
@@ -732,13 +746,13 @@ func TestTokenEndpointTokenExchange(t *testing.T) { // tests for grant_type "urn name: "access token missing pinniped:request-audience scope", authcodeExchange: authcodeExchangeInputs{ modifyAuthRequest: func(authRequest *http.Request) { - authRequest.Form.Set("scope", "openid") + authRequest.Form.Set("scope", "openid groups") }, want: tokenEndpointResponseExpectedValues{ wantStatus: http.StatusOK, wantSuccessBodyFields: []string{"id_token", "access_token", "token_type", "expires_in", "scope"}, - wantRequestedScopes: []string{"openid"}, - wantGrantedScopes: []string{"openid"}, + wantRequestedScopes: []string{"openid", "groups"}, + wantGrantedScopes: []string{"openid", "groups"}, wantGroups: goodGroups, }, }, @@ -750,13 +764,13 @@ func TestTokenEndpointTokenExchange(t *testing.T) { // tests for grant_type "urn name: "access token missing openid scope", authcodeExchange: authcodeExchangeInputs{ modifyAuthRequest: func(authRequest *http.Request) { - authRequest.Form.Set("scope", "pinniped:request-audience") + authRequest.Form.Set("scope", "pinniped:request-audience groups") }, want: tokenEndpointResponseExpectedValues{ wantStatus: http.StatusOK, wantSuccessBodyFields: []string{"access_token", "token_type", "expires_in", "scope"}, - wantRequestedScopes: []string{"pinniped:request-audience"}, - wantGrantedScopes: []string{"pinniped:request-audience"}, + wantRequestedScopes: []string{"pinniped:request-audience", "groups"}, + wantGrantedScopes: []string{"pinniped:request-audience", "groups"}, wantGroups: goodGroups, }, }, 
@@ -765,11 +779,28 @@ func TestTokenEndpointTokenExchange(t *testing.T) { // tests for grant_type "urn wantResponseBodyContains: `missing the 'openid' scope`, }, { - name: "token minting failure", + name: "access token missing groups scope", authcodeExchange: authcodeExchangeInputs{ modifyAuthRequest: func(authRequest *http.Request) { authRequest.Form.Set("scope", "openid pinniped:request-audience") }, + want: tokenEndpointResponseExpectedValues{ + wantStatus: http.StatusOK, + wantSuccessBodyFields: []string{"access_token", "token_type", "expires_in", "scope", "id_token"}, + wantRequestedScopes: []string{"openid", "pinniped:request-audience"}, + wantGrantedScopes: []string{"openid", "pinniped:request-audience"}, + wantGroups: nil, + }, + }, + requestedAudience: "some-workload-cluster", + wantStatus: http.StatusOK, + }, + { + name: "token minting failure", + authcodeExchange: authcodeExchangeInputs{ + modifyAuthRequest: func(authRequest *http.Request) { + authRequest.Form.Set("scope", "openid pinniped:request-audience groups") + }, // Fail to fetch a JWK signing key after the authcode exchange has happened. makeOathHelper: makeOauthHelperWithJWTKeyThatWorksOnlyOnce, want: successfulAuthCodeExchange, @@ -845,7 +876,10 @@ func TestTokenEndpointTokenExchange(t *testing.T) { // tests for grant_type "urn require.NoError(t, json.Unmarshal(parsedJWT.UnsafePayloadWithoutVerification(), &tokenClaims)) // Make sure that these are the only fields in the token. - idTokenFields := []string{"sub", "aud", "iss", "jti", "auth_time", "exp", "iat", "rat", "groups", "username"} + idTokenFields := []string{"sub", "aud", "iss", "jti", "auth_time", "exp", "iat", "rat", "username"} + if test.authcodeExchange.want.wantGroups != nil { + idTokenFields = append(idTokenFields, "groups") + } require.ElementsMatch(t, idTokenFields, getMapKeys(tokenClaims)) // Assert that the returned token has expected claims values. 
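Review bot: The case named "access token missing groups scope" in the `@@ -765` hunk expects `wantStatus: http.StatusOK`, while its neighbours "access token missing pinniped:request-audience scope" and "access token missing openid scope" are the failing cases, so the name reads as a sad path when it is actually asserting that the exchange succeeds and simply omits the claim; `name: "token exchange succeeds and omits groups claim when groups scope was not granted",` says what is being pinned. The conditional `idTokenFields = append(idTokenFields, "groups")` in the `@@ -845` hunk is keyed on `wantGroups != nil`, which correctly keeps the claim expected for the `[]string{}` "no longer belongs to any groups" case; a one-line comment stating that nil means "claim absent" and empty means "claim present and empty" would spare the next reader that inference. The enclosing test function starts and ends outside these hunks.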
@@ -859,7 +893,11 @@ func TestTokenEndpointTokenExchange(t *testing.T) { // tests for grant_type "urn require.Equal(t, goodSubject, tokenClaims["sub"]) require.Equal(t, goodIssuer, tokenClaims["iss"]) require.Equal(t, goodUsername, tokenClaims["username"]) - require.Equal(t, toSliceOfInterface(test.authcodeExchange.want.wantGroups), tokenClaims["groups"]) + if test.authcodeExchange.want.wantGroups != nil { + require.Equal(t, toSliceOfInterface(test.authcodeExchange.want.wantGroups), tokenClaims["groups"]) + } else { + require.Nil(t, tokenClaims["groups"]) + } // Also assert that some are the same as the original downstream ID token. requireClaimsAreEqual(t, "iss", claimsOfFirstIDToken, tokenClaims) // issuer @@ -1003,8 +1041,8 @@ func TestRefreshGrant(t *testing.T) { want := tokenEndpointResponseExpectedValues{ wantStatus: http.StatusOK, wantSuccessBodyFields: []string{"id_token", "refresh_token", "access_token", "token_type", "expires_in", "scope"}, - wantRequestedScopes: []string{"openid", "offline_access"}, - wantGrantedScopes: []string{"openid", "offline_access"}, + wantRequestedScopes: []string{"openid", "offline_access", "groups"}, + wantGrantedScopes: []string{"openid", "offline_access", "groups"}, wantCustomSessionDataStored: wantCustomSessionDataStored, wantGroups: goodGroups, } @@ -1090,7 +1128,7 @@ func TestRefreshGrant(t *testing.T) { }).WithRefreshedTokens(refreshedUpstreamTokensWithIDAndRefreshTokens()).Build()), authcodeExchange: authcodeExchangeInputs{ customSessionData: initialUpstreamOIDCRefreshTokenCustomSessionData(), - modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access") }, + modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access groups") }, want: happyAuthcodeExchangeTokenResponseForOpenIDAndOfflineAccess(initialUpstreamOIDCRefreshTokenCustomSessionData()), }, refreshRequest: refreshRequestInputs{ 
@@ -1114,7 +1152,7 @@ func TestRefreshGrant(t *testing.T) { }).WithRefreshedTokens(refreshedUpstreamTokensWithIDAndRefreshTokens()).Build()), authcodeExchange: authcodeExchangeInputs{ customSessionData: initialUpstreamOIDCRefreshTokenCustomSessionData(), - modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access") }, + modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access groups") }, want: happyAuthcodeExchangeTokenResponseForOpenIDAndOfflineAccess(initialUpstreamOIDCRefreshTokenCustomSessionData()), }, refreshRequest: refreshRequestInputs{ @@ -1142,15 +1180,15 @@ func TestRefreshGrant(t *testing.T) { }).WithRefreshedTokens(refreshedUpstreamTokensWithIDAndRefreshTokens()).Build()), authcodeExchange: authcodeExchangeInputs{ customSessionData: initialUpstreamOIDCAccessTokenCustomSessionData(), - modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access") }, + modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access groups") }, want: happyAuthcodeExchangeTokenResponseForOpenIDAndOfflineAccess(initialUpstreamOIDCAccessTokenCustomSessionData()), }, refreshRequest: refreshRequestInputs{ want: tokenEndpointResponseExpectedValues{ wantStatus: http.StatusOK, wantSuccessBodyFields: []string{"refresh_token", "id_token", "access_token", "token_type", "expires_in", "scope"}, - wantRequestedScopes: []string{"openid", "offline_access"}, - wantGrantedScopes: []string{"openid", "offline_access"}, + wantRequestedScopes: []string{"openid", "offline_access", "groups"}, + wantGrantedScopes: []string{"openid", "offline_access", "groups"}, wantGroups: goodGroups, wantUpstreamOIDCValidateTokenCall: &expectedUpstreamValidateTokens{ oidcUpstreamName, 
@@ -1207,15 +1245,15 @@ func TestRefreshGrant(t *testing.T) { }).WithRefreshedTokens(refreshedUpstreamTokensWithRefreshTokenWithoutIDToken()).Build()), authcodeExchange: authcodeExchangeInputs{ customSessionData: initialUpstreamOIDCRefreshTokenCustomSessionData(), - modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access") }, + modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access groups") }, want: happyAuthcodeExchangeTokenResponseForOpenIDAndOfflineAccess(initialUpstreamOIDCRefreshTokenCustomSessionData()), }, refreshRequest: refreshRequestInputs{ want: tokenEndpointResponseExpectedValues{ wantStatus: http.StatusOK, wantSuccessBodyFields: []string{"refresh_token", "access_token", "id_token", "token_type", "expires_in", "scope"}, - wantRequestedScopes: []string{"openid", "offline_access"}, - wantGrantedScopes: []string{"openid", "offline_access"}, + wantRequestedScopes: []string{"openid", "offline_access", "groups"}, + wantGrantedScopes: []string{"openid", "offline_access", "groups"}, wantGroups: goodGroups, wantUpstreamRefreshCall: happyOIDCUpstreamRefreshCall(), wantUpstreamOIDCValidateTokenCall: happyUpstreamValidateTokenCall(refreshedUpstreamTokensWithRefreshTokenWithoutIDToken(), false), 
@@ -1236,15 +1274,15 @@ func TestRefreshGrant(t *testing.T) { }).WithRefreshedTokens(refreshedUpstreamTokensWithIDAndRefreshTokens()).Build()), authcodeExchange: authcodeExchangeInputs{ customSessionData: initialUpstreamOIDCRefreshTokenCustomSessionData(), - modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access") }, + modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access groups") }, want: happyAuthcodeExchangeTokenResponseForOpenIDAndOfflineAccess(initialUpstreamOIDCRefreshTokenCustomSessionData()), }, refreshRequest: refreshRequestInputs{ want: tokenEndpointResponseExpectedValues{ wantStatus: http.StatusOK, wantSuccessBodyFields: []string{"refresh_token", "access_token", "id_token", "token_type", "expires_in", "scope"}, - wantRequestedScopes: []string{"openid", "offline_access"}, - wantGrantedScopes: []string{"openid", "offline_access"}, + wantRequestedScopes: []string{"openid", "offline_access", "groups"}, + wantGrantedScopes: []string{"openid", "offline_access", "groups"}, wantGroups: []string{"new-group1", "new-group2", "new-group3"}, wantUpstreamRefreshCall: happyOIDCUpstreamRefreshCall(), wantUpstreamOIDCValidateTokenCall: happyUpstreamValidateTokenCall(refreshedUpstreamTokensWithIDAndRefreshTokens(), true), 
@@ -1265,15 +1303,15 @@ func TestRefreshGrant(t *testing.T) { }).WithRefreshedTokens(refreshedUpstreamTokensWithIDAndRefreshTokens()).Build()), authcodeExchange: authcodeExchangeInputs{ customSessionData: initialUpstreamOIDCRefreshTokenCustomSessionData(), - modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access") }, + modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access groups") }, want: happyAuthcodeExchangeTokenResponseForOpenIDAndOfflineAccess(initialUpstreamOIDCRefreshTokenCustomSessionData()), }, refreshRequest: refreshRequestInputs{ want: tokenEndpointResponseExpectedValues{ wantStatus: http.StatusOK, wantSuccessBodyFields: []string{"refresh_token", "access_token", "id_token", "token_type", "expires_in", "scope"}, - wantRequestedScopes: []string{"openid", "offline_access"}, - wantGrantedScopes: []string{"openid", "offline_access"}, + wantRequestedScopes: []string{"openid", "offline_access", "groups"}, + wantGrantedScopes: []string{"openid", "offline_access", "groups"}, wantGroups: []string{"new-group1", "new-group2", "new-group3"}, wantUpstreamRefreshCall: happyOIDCUpstreamRefreshCall(), wantUpstreamOIDCValidateTokenCall: happyUpstreamValidateTokenCall(refreshedUpstreamTokensWithIDAndRefreshTokens(), true), 
@@ -1294,15 +1332,15 @@ func TestRefreshGrant(t *testing.T) { }).WithRefreshedTokens(refreshedUpstreamTokensWithIDAndRefreshTokens()).Build()), authcodeExchange: authcodeExchangeInputs{ customSessionData: initialUpstreamOIDCRefreshTokenCustomSessionData(), - modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access") }, + modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access groups") }, want: happyAuthcodeExchangeTokenResponseForOpenIDAndOfflineAccess(initialUpstreamOIDCRefreshTokenCustomSessionData()), }, refreshRequest: refreshRequestInputs{ want: tokenEndpointResponseExpectedValues{ wantStatus: http.StatusOK, wantSuccessBodyFields: []string{"refresh_token", "access_token", "id_token", "token_type", "expires_in", "scope"}, - wantRequestedScopes: []string{"openid", "offline_access"}, - wantGrantedScopes: []string{"openid", "offline_access"}, + wantRequestedScopes: []string{"openid", "offline_access", "groups"}, + wantGrantedScopes: []string{"openid", "offline_access", "groups"}, wantGroups: []string{}, // the user no longer belongs to any groups wantUpstreamRefreshCall: happyOIDCUpstreamRefreshCall(), wantUpstreamOIDCValidateTokenCall: happyUpstreamValidateTokenCall(refreshedUpstreamTokensWithIDAndRefreshTokens(), true), 
@@ -1323,15 +1361,15 @@ func TestRefreshGrant(t *testing.T) { }).WithRefreshedTokens(refreshedUpstreamTokensWithIDAndRefreshTokens()).Build()), authcodeExchange: authcodeExchangeInputs{ customSessionData: initialUpstreamOIDCRefreshTokenCustomSessionData(), - modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access") }, + modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access groups") }, want: happyAuthcodeExchangeTokenResponseForOpenIDAndOfflineAccess(initialUpstreamOIDCRefreshTokenCustomSessionData()), }, refreshRequest: refreshRequestInputs{ want: tokenEndpointResponseExpectedValues{ wantStatus: http.StatusOK, wantSuccessBodyFields: []string{"refresh_token", "access_token", "id_token", "token_type", "expires_in", "scope"}, - wantRequestedScopes: []string{"openid", "offline_access"}, - wantGrantedScopes: []string{"openid", "offline_access"}, + wantRequestedScopes: []string{"openid", "offline_access", "groups"}, + wantGrantedScopes: []string{"openid", "offline_access", "groups"}, wantGroups: goodGroups, // the same groups as from the initial login wantUpstreamRefreshCall: happyOIDCUpstreamRefreshCall(), wantUpstreamOIDCValidateTokenCall: happyUpstreamValidateTokenCall(refreshedUpstreamTokensWithIDAndRefreshTokens(), true), @@ -1348,7 +1386,7 @@ func TestRefreshGrant(t *testing.T) { PerformRefreshGroups: []string{"new-group1", "new-group2", "new-group3"}, }), authcodeExchange: authcodeExchangeInputs{ - modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access") }, + modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access groups") }, customSessionData: happyLDAPCustomSessionData, want: happyAuthcodeExchangeTokenResponseForOpenIDAndOfflineAccess( happyLDAPCustomSessionData, 
@@ -1358,8 +1396,8 @@ func TestRefreshGrant(t *testing.T) { want: tokenEndpointResponseExpectedValues{ wantStatus: http.StatusOK, wantSuccessBodyFields: []string{"refresh_token", "access_token", "id_token", "token_type", "expires_in", "scope"}, - wantRequestedScopes: []string{"openid", "offline_access"}, - wantGrantedScopes: []string{"openid", "offline_access"}, + wantRequestedScopes: []string{"openid", "offline_access", "groups"}, + wantGrantedScopes: []string{"openid", "offline_access", "groups"}, wantGroups: []string{"new-group1", "new-group2", "new-group3"}, wantUpstreamRefreshCall: happyLDAPUpstreamRefreshCall(), wantCustomSessionDataStored: happyLDAPCustomSessionData, @@ -1375,7 +1413,7 @@ func TestRefreshGrant(t *testing.T) { PerformRefreshGroups: []string{}, }), authcodeExchange: authcodeExchangeInputs{ - modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access") }, + modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access groups") }, customSessionData: happyLDAPCustomSessionData, want: happyAuthcodeExchangeTokenResponseForOpenIDAndOfflineAccess( happyLDAPCustomSessionData, 
@@ -1385,9 +1423,120 @@ func TestRefreshGrant(t *testing.T) { want: tokenEndpointResponseExpectedValues{ wantStatus: http.StatusOK, wantSuccessBodyFields: []string{"refresh_token", "access_token", "id_token", "token_type", "expires_in", "scope"}, + wantRequestedScopes: []string{"openid", "offline_access", "groups"}, + wantGrantedScopes: []string{"openid", "offline_access", "groups"}, + wantGroups: []string{}, + wantUpstreamRefreshCall: happyLDAPUpstreamRefreshCall(), + wantCustomSessionDataStored: happyLDAPCustomSessionData, + }, + }, + }, + { + name: "ldap refresh grant when the upstream refresh when groups scope not requested on original request or refresh", + idps: oidctestutil.NewUpstreamIDPListerBuilder().WithLDAP(&oidctestutil.TestUpstreamLDAPIdentityProvider{ + Name: ldapUpstreamName, + ResourceUID: ldapUpstreamResourceUID, + URL: ldapUpstreamURL, + PerformRefreshGroups: []string{}, + }), + authcodeExchange: authcodeExchangeInputs{ + modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access") }, + customSessionData: happyLDAPCustomSessionData, + want: tokenEndpointResponseExpectedValues{ + wantStatus: http.StatusOK, + wantSuccessBodyFields: []string{"id_token", "refresh_token", "access_token", "token_type", "expires_in", "scope"}, wantRequestedScopes: []string{"openid", "offline_access"}, wantGrantedScopes: []string{"openid", "offline_access"}, - wantGroups: []string{}, + wantCustomSessionDataStored: happyLDAPCustomSessionData, + wantGroups: nil, + }, + }, + refreshRequest: refreshRequestInputs{ + modifyTokenRequest: func(r *http.Request, refreshToken string, accessToken string) { + r.Body = happyRefreshRequestBody(refreshToken).WithScope("openid offline_access").ReadCloser() + }, + want: tokenEndpointResponseExpectedValues{ + wantStatus: http.StatusOK, + wantSuccessBodyFields: []string{"refresh_token", "access_token", "id_token", "token_type", "expires_in", "scope"}, + wantRequestedScopes: []string{"openid", "offline_access"}, + 
wantGrantedScopes: []string{"openid", "offline_access"}, + wantGroups: nil, + wantUpstreamRefreshCall: happyLDAPUpstreamRefreshCall(), + wantCustomSessionDataStored: happyLDAPCustomSessionData, + }, + }, + }, + { + name: "oidc refresh grant when the upstream refresh when groups scope not requested on original request or refresh", + idps: oidctestutil.NewUpstreamIDPListerBuilder().WithOIDC( + upstreamOIDCIdentityProviderBuilder().WithGroupsClaim("my-groups-claim").WithValidatedAndMergedWithUserInfoTokens(&oidctypes.Token{ + IDToken: &oidctypes.IDToken{ + Claims: map[string]interface{}{ + "sub": goodUpstreamSubject, + "my-groups-claim": []string{"new-group1", "new-group2", "new-group3"}, // refreshed claims includes updated groups + }, + }, + }).WithRefreshedTokens(refreshedUpstreamTokensWithIDAndRefreshTokens()).Build()), + authcodeExchange: authcodeExchangeInputs{ + modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access") }, + customSessionData: initialUpstreamOIDCRefreshTokenCustomSessionData(), + want: tokenEndpointResponseExpectedValues{ + wantStatus: http.StatusOK, + wantSuccessBodyFields: []string{"id_token", "refresh_token", "access_token", "token_type", "expires_in", "scope"}, + wantRequestedScopes: []string{"openid", "offline_access"}, + wantGrantedScopes: []string{"openid", "offline_access"}, + wantCustomSessionDataStored: initialUpstreamOIDCRefreshTokenCustomSessionData(), + wantGroups: nil, + }, + }, + refreshRequest: refreshRequestInputs{ + modifyTokenRequest: func(r *http.Request, refreshToken string, accessToken string) { + r.Body = happyRefreshRequestBody(refreshToken).WithScope("openid offline_access").ReadCloser() + }, + want: tokenEndpointResponseExpectedValues{ + wantStatus: http.StatusOK, + wantSuccessBodyFields: []string{"refresh_token", "access_token", "id_token", "token_type", "expires_in", "scope"}, + wantRequestedScopes: []string{"openid", "offline_access"}, + wantGrantedScopes: []string{"openid", 
"offline_access"}, + wantGroups: nil, + wantUpstreamRefreshCall: happyOIDCUpstreamRefreshCall(), + wantUpstreamOIDCValidateTokenCall: happyUpstreamValidateTokenCall(refreshedUpstreamTokensWithIDAndRefreshTokens(), true), + wantCustomSessionDataStored: upstreamOIDCCustomSessionDataWithNewRefreshToken(oidcUpstreamRefreshedRefreshToken), + }, + }, + }, + { + // fosite does not look at the scopes provided in refresh requests, although it is a valid parameter. + // even if 'groups' is not sent in the refresh request, we will send groups all the same. + name: "refresh grant when the upstream refresh when groups scope requested on original request but not refresh refresh", + idps: oidctestutil.NewUpstreamIDPListerBuilder().WithLDAP(&oidctestutil.TestUpstreamLDAPIdentityProvider{ + Name: ldapUpstreamName, + ResourceUID: ldapUpstreamResourceUID, + URL: ldapUpstreamURL, + PerformRefreshGroups: []string{"new-group1", "new-group2", "new-group3"}, + }), + authcodeExchange: authcodeExchangeInputs{ + modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access groups") }, + customSessionData: happyLDAPCustomSessionData, + want: tokenEndpointResponseExpectedValues{ + wantStatus: http.StatusOK, + wantSuccessBodyFields: []string{"id_token", "refresh_token", "access_token", "token_type", "expires_in", "scope"}, + wantRequestedScopes: []string{"openid", "offline_access", "groups"}, + wantGrantedScopes: []string{"openid", "offline_access", "groups"}, + wantCustomSessionDataStored: happyLDAPCustomSessionData, + wantGroups: goodGroups, + }, + }, + refreshRequest: refreshRequestInputs{ + modifyTokenRequest: func(r *http.Request, refreshToken string, accessToken string) { + r.Body = happyRefreshRequestBody(refreshToken).WithScope("openid offline_access").ReadCloser() + }, + want: tokenEndpointResponseExpectedValues{ + wantStatus: http.StatusOK, + wantSuccessBodyFields: []string{"refresh_token", "access_token", "id_token", "token_type", "expires_in", "scope"}, + 
wantRequestedScopes: []string{"openid", "offline_access", "groups"}, + wantGrantedScopes: []string{"openid", "offline_access", "groups"}, + wantGroups: []string{"new-group1", "new-group2", "new-group3"}, // groups are updated even though the scope was not included wantUpstreamRefreshCall: happyLDAPUpstreamRefreshCall(), wantCustomSessionDataStored: happyLDAPCustomSessionData, }, @@ -1406,7 +1555,7 @@ func TestRefreshGrant(t *testing.T) { }).WithRefreshedTokens(refreshedUpstreamTokensWithIDAndRefreshTokens()).Build()), authcodeExchange: authcodeExchangeInputs{ customSessionData: initialUpstreamOIDCRefreshTokenCustomSessionData(), - modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access") }, + modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access groups") }, want: happyAuthcodeExchangeTokenResponseForOpenIDAndOfflineAccess(initialUpstreamOIDCRefreshTokenCustomSessionData()), }, refreshRequest: refreshRequestInputs{ @@ -1430,7 +1579,7 @@ func TestRefreshGrant(t *testing.T) { }).WithRefreshedTokens(refreshedUpstreamTokensWithIDTokenWithoutRefreshToken()).Build()), authcodeExchange: authcodeExchangeInputs{ customSessionData: initialUpstreamOIDCRefreshTokenCustomSessionData(), - modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access") }, + modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access groups") }, want: happyAuthcodeExchangeTokenResponseForOpenIDAndOfflineAccess(initialUpstreamOIDCRefreshTokenCustomSessionData()), }, refreshRequest: refreshRequestInputs{ 
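Review bot: The three case names added in this hunk are garbled: both "…refresh grant when the upstream refresh when groups scope not requested on original request or refresh" variants repeat "when the upstream refresh when", and the last one ends in "but not refresh refresh"; since `name` is what `go test -run` and failure output show, suggest `name: "ldap refresh grant when groups scope not requested on original request or refresh",`, the same form for the oidc twin, and `name: "ldap refresh grant when groups scope requested on original request but not on refresh",`. The comment above the last case is the only place the "fosite ignores scopes on refresh requests" behaviour is recorded, and the `wantGroups` line relies on it, so it is worth keeping next to the assertion. The table literal starts and ends outside the hunk.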
@@ -1452,7 +1601,7 @@ func TestRefreshGrant(t *testing.T) { }).WithRefreshedTokens(refreshedUpstreamTokensWithIDAndRefreshTokens()).Build()), authcodeExchange: authcodeExchangeInputs{ customSessionData: initialUpstreamOIDCRefreshTokenCustomSessionData(), - modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access") }, + modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access groups") }, want: happyAuthcodeExchangeTokenResponseForOpenIDAndOfflineAccess(initialUpstreamOIDCRefreshTokenCustomSessionData()), }, refreshRequest: refreshRequestInputs{ @@ -1477,12 +1626,12 @@ func TestRefreshGrant(t *testing.T) { }).WithRefreshedTokens(refreshedUpstreamTokensWithIDAndRefreshTokens()).Build()), authcodeExchange: authcodeExchangeInputs{ customSessionData: initialUpstreamOIDCRefreshTokenCustomSessionData(), - modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access pinniped:request-audience") }, + modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access pinniped:request-audience groups") }, want: tokenEndpointResponseExpectedValues{ wantStatus: http.StatusOK, wantSuccessBodyFields: []string{"id_token", "refresh_token", "access_token", "token_type", "expires_in", "scope"}, - wantRequestedScopes: []string{"openid", "offline_access", "pinniped:request-audience"}, - wantGrantedScopes: []string{"openid", "offline_access", "pinniped:request-audience"}, + wantRequestedScopes: []string{"openid", "offline_access", "pinniped:request-audience", "groups"}, + wantGrantedScopes: []string{"openid", "offline_access", "pinniped:request-audience", "groups"}, wantGroups: goodGroups, wantCustomSessionDataStored: initialUpstreamOIDCRefreshTokenCustomSessionData(), }, 
@@ -1494,8 +1643,8 @@ func TestRefreshGrant(t *testing.T) { want: tokenEndpointResponseExpectedValues{ wantStatus: http.StatusOK, wantSuccessBodyFields: []string{"id_token", "refresh_token", "access_token", "token_type", "expires_in", "scope"}, - wantRequestedScopes: []string{"openid", "offline_access", "pinniped:request-audience"}, - wantGrantedScopes: []string{"openid", "offline_access", "pinniped:request-audience"}, + wantRequestedScopes: []string{"openid", "offline_access", "pinniped:request-audience", "groups"}, + wantGrantedScopes: []string{"openid", "offline_access", "pinniped:request-audience", "groups"}, wantGroups: goodGroups, wantUpstreamRefreshCall: happyOIDCUpstreamRefreshCall(), wantUpstreamOIDCValidateTokenCall: happyUpstreamValidateTokenCall(refreshedUpstreamTokensWithIDAndRefreshTokens(), true), @@ -1515,7 +1664,7 @@ func TestRefreshGrant(t *testing.T) { }).WithRefreshedTokens(refreshedUpstreamTokensWithIDAndRefreshTokens()).Build()), authcodeExchange: authcodeExchangeInputs{ customSessionData: initialUpstreamOIDCRefreshTokenCustomSessionData(), - modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access") }, + modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access groups") }, want: happyAuthcodeExchangeTokenResponseForOpenIDAndOfflineAccess(initialUpstreamOIDCRefreshTokenCustomSessionData()), }, refreshRequest: refreshRequestInputs{ 
@@ -1605,7 +1754,7 @@ func TestRefreshGrant(t *testing.T) { idps: oidctestutil.NewUpstreamIDPListerBuilder().WithOIDC(upstreamOIDCIdentityProviderBuilder().Build()), authcodeExchange: authcodeExchangeInputs{ customSessionData: nil, // this should not happen in practice - modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access") }, + modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access groups") }, want: happyAuthcodeExchangeTokenResponseForOpenIDAndOfflineAccess(nil), }, refreshRequest: refreshRequestInputs{ @@ -1625,7 +1774,7 @@ func TestRefreshGrant(t *testing.T) { ProviderType: oidcUpstreamType, OIDC: &psession.OIDCSessionData{UpstreamRefreshToken: oidcUpstreamInitialRefreshToken}, }, - modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access") }, + modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access groups") }, want: happyAuthcodeExchangeTokenResponseForOpenIDAndOfflineAccess( &psession.CustomSessionData{ // want the initial customSessionData to be unmodified ProviderName: "", // this should not happen in practice @@ -1652,7 +1801,7 @@ func TestRefreshGrant(t *testing.T) { ProviderType: oidcUpstreamType, OIDC: &psession.OIDCSessionData{UpstreamRefreshToken: oidcUpstreamInitialRefreshToken}, }, - modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access") }, + modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access groups") }, want: happyAuthcodeExchangeTokenResponseForOpenIDAndOfflineAccess( &psession.CustomSessionData{ // want the initial customSessionData to be unmodified ProviderName: oidcUpstreamName, 
@@ -1679,7 +1828,7 @@ func TestRefreshGrant(t *testing.T) { ProviderType: "", // this should not happen in practice OIDC: &psession.OIDCSessionData{UpstreamRefreshToken: oidcUpstreamInitialRefreshToken}, }, - modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access") }, + modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access groups") }, want: happyAuthcodeExchangeTokenResponseForOpenIDAndOfflineAccess( &psession.CustomSessionData{ // want the initial customSessionData to be unmodified ProviderName: oidcUpstreamName, @@ -1706,7 +1855,7 @@ func TestRefreshGrant(t *testing.T) { ProviderType: "not-an-allowed-provider-type", // this should not happen in practice OIDC: &psession.OIDCSessionData{UpstreamRefreshToken: oidcUpstreamInitialRefreshToken}, }, - modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access") }, + modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access groups") }, want: happyAuthcodeExchangeTokenResponseForOpenIDAndOfflineAccess( &psession.CustomSessionData{ // want the initial customSessionData to be unmodified ProviderName: oidcUpstreamName, @@ -1733,7 +1882,7 @@ func TestRefreshGrant(t *testing.T) { ProviderType: oidcUpstreamType, OIDC: nil, // this should not happen in practice }, - modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access") }, + modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access groups") }, want: happyAuthcodeExchangeTokenResponseForOpenIDAndOfflineAccess( &psession.CustomSessionData{ // want the initial customSessionData to be unmodified ProviderName: oidcUpstreamName, 
@@ -1763,7 +1912,7 @@ func TestRefreshGrant(t *testing.T) { UpstreamAccessToken: "", }, }, - modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access") }, + modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access groups") }, want: happyAuthcodeExchangeTokenResponseForOpenIDAndOfflineAccess( &psession.CustomSessionData{ // want the initial customSessionData to be unmodified ProviderName: oidcUpstreamName, @@ -1793,7 +1942,7 @@ func TestRefreshGrant(t *testing.T) { ProviderType: oidcUpstreamType, OIDC: &psession.OIDCSessionData{UpstreamRefreshToken: oidcUpstreamInitialRefreshToken}, }, - modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access") }, + modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access groups") }, want: happyAuthcodeExchangeTokenResponseForOpenIDAndOfflineAccess( &psession.CustomSessionData{ // want the initial customSessionData to be unmodified ProviderName: "this-name-will-not-be-found", // this could happen if the OIDCIdentityProvider was deleted since original login @@ -1825,7 +1974,7 @@ func TestRefreshGrant(t *testing.T) { ProviderType: oidcUpstreamType, OIDC: &psession.OIDCSessionData{UpstreamRefreshToken: oidcUpstreamInitialRefreshToken}, }, - modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access") }, + modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access groups") }, want: happyAuthcodeExchangeTokenResponseForOpenIDAndOfflineAccess( &psession.CustomSessionData{ // want the initial customSessionData to be unmodified ProviderName: oidcUpstreamName, 
@@ -1853,7 +2002,7 @@ func TestRefreshGrant(t *testing.T) { WithPerformRefreshError(errors.New("some upstream refresh error")).Build()), authcodeExchange: authcodeExchangeInputs{ customSessionData: initialUpstreamOIDCRefreshTokenCustomSessionData(), - modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access") }, + modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access groups") }, want: happyAuthcodeExchangeTokenResponseForOpenIDAndOfflineAccess(initialUpstreamOIDCRefreshTokenCustomSessionData()), }, refreshRequest: refreshRequestInputs{ @@ -1878,7 +2027,7 @@ func TestRefreshGrant(t *testing.T) { Build()), authcodeExchange: authcodeExchangeInputs{ customSessionData: initialUpstreamOIDCRefreshTokenCustomSessionData(), - modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access") }, + modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access groups") }, want: happyAuthcodeExchangeTokenResponseForOpenIDAndOfflineAccess(initialUpstreamOIDCRefreshTokenCustomSessionData()), }, refreshRequest: refreshRequestInputs{ @@ -1910,7 +2059,7 @@ func TestRefreshGrant(t *testing.T) { Build()), authcodeExchange: authcodeExchangeInputs{ customSessionData: initialUpstreamOIDCRefreshTokenCustomSessionData(), - modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access") }, + modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access groups") }, want: happyAuthcodeExchangeTokenResponseForOpenIDAndOfflineAccess(initialUpstreamOIDCRefreshTokenCustomSessionData()), }, refreshRequest: refreshRequestInputs{ 
@@ -1939,7 +2088,7 @@ func TestRefreshGrant(t *testing.T) { }).WithRefreshedTokens(refreshedUpstreamTokensWithIDAndRefreshTokens()).Build()), authcodeExchange: authcodeExchangeInputs{ customSessionData: initialUpstreamOIDCRefreshTokenCustomSessionData(), - modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access") }, + modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access groups") }, want: happyAuthcodeExchangeTokenResponseForOpenIDAndOfflineAccess(initialUpstreamOIDCRefreshTokenCustomSessionData()), }, refreshRequest: refreshRequestInputs{ @@ -1970,7 +2119,7 @@ func TestRefreshGrant(t *testing.T) { }).WithRefreshedTokens(refreshedUpstreamTokensWithIDAndRefreshTokens()).Build()), authcodeExchange: authcodeExchangeInputs{ customSessionData: initialUpstreamOIDCRefreshTokenCustomSessionData(), - modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access") }, + modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access groups") }, want: happyAuthcodeExchangeTokenResponseForOpenIDAndOfflineAccess(initialUpstreamOIDCRefreshTokenCustomSessionData()), }, refreshRequest: refreshRequestInputs{ @@ -2001,7 +2150,7 @@ func TestRefreshGrant(t *testing.T) { }).WithRefreshedTokens(refreshedUpstreamTokensWithIDAndRefreshTokens()).Build()), authcodeExchange: authcodeExchangeInputs{ customSessionData: initialUpstreamOIDCRefreshTokenCustomSessionData(), - modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access") }, + modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access groups") }, want: happyAuthcodeExchangeTokenResponseForOpenIDAndOfflineAccess(initialUpstreamOIDCRefreshTokenCustomSessionData()), }, refreshRequest: refreshRequestInputs{ 
@@ -2027,7 +2176,7 @@ func TestRefreshGrant(t *testing.T) { PerformRefreshGroups: goodGroups, }), authcodeExchange: authcodeExchangeInputs{ - modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access") }, + modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access groups") }, customSessionData: happyLDAPCustomSessionData, want: happyAuthcodeExchangeTokenResponseForOpenIDAndOfflineAccess( happyLDAPCustomSessionData, @@ -2048,7 +2197,7 @@ func TestRefreshGrant(t *testing.T) { PerformRefreshGroups: goodGroups, }), authcodeExchange: authcodeExchangeInputs{ - modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access") }, + modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access groups") }, customSessionData: happyActiveDirectoryCustomSessionData, want: happyAuthcodeExchangeTokenResponseForOpenIDAndOfflineAccess( happyActiveDirectoryCustomSessionData, @@ -2068,7 +2217,7 @@ func TestRefreshGrant(t *testing.T) { URL: ldapUpstreamURL, }), authcodeExchange: authcodeExchangeInputs{ - modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access") }, + modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access groups") }, customSessionData: &psession.CustomSessionData{ ProviderUID: ldapUpstreamResourceUID, ProviderName: ldapUpstreamName, @@ -2104,7 +2253,7 @@ func TestRefreshGrant(t *testing.T) { URL: ldapUpstreamURL, }), authcodeExchange: authcodeExchangeInputs{ - modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access") }, + modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access groups") }, customSessionData: &psession.CustomSessionData{ ProviderUID: activeDirectoryUpstreamResourceUID, ProviderName: activeDirectoryUpstreamName, 
@@ -2140,7 +2289,7 @@ func TestRefreshGrant(t *testing.T) { URL: ldapUpstreamURL, }), authcodeExchange: authcodeExchangeInputs{ - modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access") }, + modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access groups") }, customSessionData: &psession.CustomSessionData{ ProviderUID: ldapUpstreamResourceUID, ProviderName: ldapUpstreamName, @@ -2180,7 +2329,7 @@ func TestRefreshGrant(t *testing.T) { URL: ldapUpstreamURL, }), authcodeExchange: authcodeExchangeInputs{ - modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access") }, + modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access groups") }, customSessionData: &psession.CustomSessionData{ ProviderUID: ldapUpstreamResourceUID, ProviderName: ldapUpstreamName, @@ -2221,7 +2370,7 @@ func TestRefreshGrant(t *testing.T) { PerformRefreshErr: errors.New("Some error performing upstream refresh"), }), authcodeExchange: authcodeExchangeInputs{ - modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access") }, + modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access groups") }, customSessionData: happyLDAPCustomSessionData, want: happyAuthcodeExchangeTokenResponseForOpenIDAndOfflineAccess( happyLDAPCustomSessionData, @@ -2249,7 +2398,7 @@ func TestRefreshGrant(t *testing.T) { PerformRefreshErr: errors.New("Some error performing upstream refresh"), }), authcodeExchange: authcodeExchangeInputs{ - modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access") }, + modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access groups") }, customSessionData: happyActiveDirectoryCustomSessionData, want: happyAuthcodeExchangeTokenResponseForOpenIDAndOfflineAccess( happyActiveDirectoryCustomSessionData, 
@@ -2272,7 +2421,7 @@ func TestRefreshGrant(t *testing.T) { name: "upstream ldap idp not found", idps: oidctestutil.NewUpstreamIDPListerBuilder(), authcodeExchange: authcodeExchangeInputs{ - modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access") }, + modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access groups") }, customSessionData: happyLDAPCustomSessionData, want: happyAuthcodeExchangeTokenResponseForOpenIDAndOfflineAccess( happyLDAPCustomSessionData, @@ -2294,7 +2443,7 @@ func TestRefreshGrant(t *testing.T) { name: "upstream active directory idp not found", idps: oidctestutil.NewUpstreamIDPListerBuilder(), authcodeExchange: authcodeExchangeInputs{ - modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access") }, + modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access groups") }, customSessionData: happyActiveDirectoryCustomSessionData, want: happyAuthcodeExchangeTokenResponseForOpenIDAndOfflineAccess( happyActiveDirectoryCustomSessionData, @@ -2320,7 +2469,7 @@ func TestRefreshGrant(t *testing.T) { URL: ldapUpstreamURL, }), authcodeExchange: authcodeExchangeInputs{ - modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access") }, + modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access groups") }, customSessionData: happyLDAPCustomSessionData, want: happyAuthcodeExchangeTokenResponseForOpenIDAndOfflineAccess( happyLDAPCustomSessionData, 
@@ -2357,7 +2506,7 @@ func TestRefreshGrant(t *testing.T) { URL: ldapUpstreamURL, }), authcodeExchange: authcodeExchangeInputs{ - modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access") }, + modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access groups") }, customSessionData: happyLDAPCustomSessionData, //fositeSessionData: &openid.DefaultSession{}, want: happyAuthcodeExchangeTokenResponseForOpenIDAndOfflineAccess( @@ -2399,7 +2548,7 @@ func TestRefreshGrant(t *testing.T) { URL: ldapUpstreamURL, }), authcodeExchange: authcodeExchangeInputs{ - modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access") }, + modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access groups") }, customSessionData: happyLDAPCustomSessionData, //fositeSessionData: &openid.DefaultSession{}, want: happyAuthcodeExchangeTokenResponseForOpenIDAndOfflineAccess( @@ -2441,7 +2590,7 @@ func TestRefreshGrant(t *testing.T) { URL: ldapUpstreamURL, }), authcodeExchange: authcodeExchangeInputs{ - modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access") }, + modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access groups") }, customSessionData: happyLDAPCustomSessionData, //fositeSessionData: &openid.DefaultSession{}, want: happyAuthcodeExchangeTokenResponseForOpenIDAndOfflineAccess( @@ -2483,7 +2632,7 @@ func TestRefreshGrant(t *testing.T) { URL: ldapUpstreamURL, }), authcodeExchange: authcodeExchangeInputs{ - modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access") }, + modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access groups") }, customSessionData: happyLDAPCustomSessionData, want: happyAuthcodeExchangeTokenResponseForOpenIDAndOfflineAccess( happyLDAPCustomSessionData, 
@@ -2509,7 +2658,7 @@ func TestRefreshGrant(t *testing.T) { URL: ldapUpstreamURL, }), authcodeExchange: authcodeExchangeInputs{ - modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access") }, + modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access groups") }, customSessionData: happyActiveDirectoryCustomSessionData, want: happyAuthcodeExchangeTokenResponseForOpenIDAndOfflineAccess( happyActiveDirectoryCustomSessionData, @@ -2531,7 +2680,7 @@ func TestRefreshGrant(t *testing.T) { name: "upstream ldap idp not found", idps: oidctestutil.NewUpstreamIDPListerBuilder(), authcodeExchange: authcodeExchangeInputs{ - modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access") }, + modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access groups") }, customSessionData: happyLDAPCustomSessionData, want: happyAuthcodeExchangeTokenResponseForOpenIDAndOfflineAccess( happyLDAPCustomSessionData, @@ -2553,7 +2702,7 @@ func TestRefreshGrant(t *testing.T) { name: "upstream active directory idp not found", idps: oidctestutil.NewUpstreamIDPListerBuilder(), authcodeExchange: authcodeExchangeInputs{ - modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access") }, + modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access groups") }, customSessionData: happyActiveDirectoryCustomSessionData, want: happyAuthcodeExchangeTokenResponseForOpenIDAndOfflineAccess( happyActiveDirectoryCustomSessionData, 
@@ -2579,7 +2728,7 @@ func TestRefreshGrant(t *testing.T) { URL: ldapUpstreamURL, }), authcodeExchange: authcodeExchangeInputs{ - modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access") }, + modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access groups") }, customSessionData: happyLDAPCustomSessionData, want: happyAuthcodeExchangeTokenResponseForOpenIDAndOfflineAccess( happyLDAPCustomSessionData, @@ -2616,7 +2765,7 @@ func TestRefreshGrant(t *testing.T) { URL: ldapUpstreamURL, }), authcodeExchange: authcodeExchangeInputs{ - modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access") }, + modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access groups") }, customSessionData: happyLDAPCustomSessionData, want: happyAuthcodeExchangeTokenResponseForOpenIDAndOfflineAccess( happyLDAPCustomSessionData, @@ -2657,7 +2806,7 @@ func TestRefreshGrant(t *testing.T) { URL: ldapUpstreamURL, }), authcodeExchange: authcodeExchangeInputs{ - modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access") }, + modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access groups") }, customSessionData: happyLDAPCustomSessionData, want: happyAuthcodeExchangeTokenResponseForOpenIDAndOfflineAccess( happyLDAPCustomSessionData, @@ -2696,7 +2845,7 @@ func TestRefreshGrant(t *testing.T) { URL: ldapUpstreamURL, }), authcodeExchange: authcodeExchangeInputs{ - modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access") }, + modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access groups") }, customSessionData: happyLDAPCustomSessionData, want: happyAuthcodeExchangeTokenResponseForOpenIDAndOfflineAccess( happyLDAPCustomSessionData, 
@@ -2722,7 +2871,7 @@ func TestRefreshGrant(t *testing.T) { URL: ldapUpstreamURL, }), authcodeExchange: authcodeExchangeInputs{ - modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access") }, + modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access groups") }, customSessionData: happyActiveDirectoryCustomSessionData, want: happyAuthcodeExchangeTokenResponseForOpenIDAndOfflineAccess( happyActiveDirectoryCustomSessionData, @@ -2942,7 +3091,7 @@ func exchangeAuthcodeForTokens(t *testing.T, test authcodeExchangeInputs, idps p requireTokenEndpointBehavior(t, test.want, - goodGroups, // the old groups from the initial login + test.want.wantGroups, // the old groups from the initial login test.customSessionData, // the old custom session data from the initial login wantAtHashClaimInIDToken, wantNonceValueInIDToken, @@ -3174,7 +3323,6 @@ func simulateAuthEndpointHavingAlreadyRun( AuthTime: goodAuthTime, Extra: map[string]interface{}{ oidc.DownstreamUsernameClaim: goodUsername, - oidc.DownstreamGroupsClaim: goodGroups, }, }, Subject: "", // not used, note that callback_handler.go does not set this @@ -3193,6 +3341,10 @@ func simulateAuthEndpointHavingAlreadyRun( if strings.Contains(authRequest.Form.Get("scope"), "pinniped:request-audience") { authRequester.GrantScope("pinniped:request-audience") } + if strings.Contains(authRequest.Form.Get("scope"), "groups") { + authRequester.GrantScope("groups") + session.Fosite.Claims.Extra[oidc.DownstreamGroupsClaim] = goodGroups + } authResponder, err := oauthHelper.NewAuthorizeResponse(ctx, authRequester, session) require.NoError(t, err) return authResponder 
@@ -3429,10 +3581,13 @@ func requireValidStoredRequest( require.Equal(t, goodSubject, claims.Subject) // Our custom claims from the authorize endpoint should still be set. - require.Equal(t, map[string]interface{}{ + expectedExtra := map[string]interface{}{ "username": goodUsername, - "groups": toSliceOfInterface(wantGroups), - }, claims.Extra) + } + if wantGroups != nil { + expectedExtra["groups"] = toSliceOfInterface(wantGroups) + } + require.Equal(t, expectedExtra, claims.Extra) // We are in charge of setting these fields. For the purpose of testing, we ensure that the // sentinel test value is set correctly. @@ -3551,13 +3706,16 @@ func requireValidIDToken( // Note that there is a bug in fosite which prevents the `at_hash` claim from appearing in this ID token // during the initial authcode exchange, but does not prevent `at_hash` from appearing in the refreshed ID token. // We can add a workaround for this later. - idTokenFields := []string{"sub", "aud", "iss", "jti", "auth_time", "exp", "iat", "rat", "groups", "username"} + idTokenFields := []string{"sub", "aud", "iss", "jti", "auth_time", "exp", "iat", "rat", "username"} if wantAtHashClaimInIDToken { idTokenFields = append(idTokenFields, "at_hash") } if wantNonceValueInIDToken { idTokenFields = append(idTokenFields, "nonce") } + if wantGroupsInIDToken != nil { + idTokenFields = append(idTokenFields, "groups") + } // make sure that these are the only fields in the token var m map[string]interface{} diff --git a/test/integration/supervisor_login_test.go b/test/integration/supervisor_login_test.go index 2fa1679b..b5e22ca1 100644 --- a/test/integration/supervisor_login_test.go +++ b/test/integration/supervisor_login_test.go 
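Review bot: `requireValidStoredRequest` now gives `wantGroups` two meanings — nil means the `groups` claim must be absent, while an empty non-nil slice still adds `"groups": toSliceOfInterface(wantGroups)` and requires an empty claim to be present — and `requireValidIDToken` applies the same nil test to `wantGroupsInIDToken`; neither parameter documents this. A comment on each parameter such as `// nil means no groups claim at all; an empty slice means an empty groups claim must be present` would stop callers from passing `[]string{}` when they mean "scope not granted". Both functions start outside their hunks.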
@@ -25,6 +25,7 @@ import ( "golang.org/x/oauth2" v1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/utils/strings/slices" configv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/config/v1alpha1" idpv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/idp/v1alpha1" @@ -162,6 +163,7 @@ func TestSupervisorLogin_Browser(t *testing.T) { deleteTestUser func(t *testing.T, username string) requestAuthorization func(t *testing.T, downstreamIssuer, downstreamAuthorizeURL, downstreamCallbackURL, username, password string, httpClient *http.Client) createIDP func(t *testing.T) string + downstreamScopes []string wantLocalhostCallbackToNeverHappen bool wantDownstreamIDTokenSubjectToMatch string wantDownstreamIDTokenUsernameToMatch func(username string) string 
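Review bot: The new `downstreamScopes` field in the TestSupervisorLogin_Browser table carries no comment saying what a nil value means, although `testSupervisorLogin` substitutes the default four-scope list (including `groups`) when it is nil and most existing cases rely on that. A trailing comment, `downstreamScopes []string // nil means the default scopes, including "groups"`, documents the contract where new cases are written. The enclosing table struct starts and ends outside the hunk.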
@@ -329,6 +331,55 @@ func TestSupervisorLogin_Browser(t *testing.T) { }, wantDownstreamIDTokenGroups: env.SupervisorUpstreamLDAP.TestUserDirectGroupsDNs, }, + { + name: "ldap without requesting groups scope", + maybeSkip: skipLDAPTests, + createIDP: func(t *testing.T) string { + idp, _ := createLDAPIdentityProvider(t, nil) + return idp.Name + }, + downstreamScopes: []string{"openid", "pinniped:request-audience", "offline_access"}, + requestAuthorization: func(t *testing.T, _, downstreamAuthorizeURL, _, _, _ string, httpClient *http.Client) { + requestAuthorizationUsingCLIPasswordFlow(t, + downstreamAuthorizeURL, + env.SupervisorUpstreamLDAP.TestUserMailAttributeValue, // username to present to server during login + env.SupervisorUpstreamLDAP.TestUserPassword, // password to present to server during login + httpClient, + false, + ) + }, + // the ID token Subject should be the Host URL plus the value pulled from the requested UserSearch.Attributes.UID attribute + wantDownstreamIDTokenSubjectToMatch: "^" + regexp.QuoteMeta( + "ldaps://"+env.SupervisorUpstreamLDAP.Host+ + "?base="+url.QueryEscape(env.SupervisorUpstreamLDAP.UserSearchBase)+ + "&sub="+base64.RawURLEncoding.EncodeToString([]byte(env.SupervisorUpstreamLDAP.TestUserUniqueIDAttributeValue)), + ) + "$", + // the ID token Username should have been pulled from the requested UserSearch.Attributes.Username attribute + wantDownstreamIDTokenUsernameToMatch: func(_ string) string { + return "^" + regexp.QuoteMeta(env.SupervisorUpstreamLDAP.TestUserMailAttributeValue) + "$" + }, + wantDownstreamIDTokenGroups: []string{}, + }, + { + name: "oidc without requesting groups scope", + maybeSkip: skipNever, + createIDP: func(t *testing.T) string { + spec := basicOIDCIdentityProviderSpec() + spec.Claims = idpv1alpha1.OIDCClaims{ + Username: env.SupervisorUpstreamOIDC.UsernameClaim, + Groups: env.SupervisorUpstreamOIDC.GroupsClaim, + } + spec.AuthorizationConfig = idpv1alpha1.OIDCAuthorizationConfig{ + AdditionalScopes: 
env.SupervisorUpstreamOIDC.AdditionalScopes, + } + return testlib.CreateTestOIDCIdentityProvider(t, spec, idpv1alpha1.PhaseReady).Name + }, + downstreamScopes: []string{"openid", "pinniped:request-audience", "offline_access"}, + requestAuthorization: requestAuthorizationUsingBrowserAuthcodeFlowOIDC, + wantDownstreamIDTokenSubjectToMatch: "^" + regexp.QuoteMeta(env.SupervisorUpstreamOIDC.Issuer+"?sub=") + ".+", + wantDownstreamIDTokenUsernameToMatch: func(_ string) string { return "^" + regexp.QuoteMeta(env.SupervisorUpstreamOIDC.Username) + "$" }, + wantDownstreamIDTokenGroups: nil, + }, { name: "ldap with browser flow", maybeSkip: skipLDAPTests, @@ -1123,6 +1174,7 @@ func TestSupervisorLogin_Browser(t *testing.T) { tt.breakRefreshSessionData, tt.createTestUser, tt.deleteTestUser, + tt.downstreamScopes, tt.wantLocalhostCallbackToNeverHappen, tt.wantDownstreamIDTokenSubjectToMatch, tt.wantDownstreamIDTokenUsernameToMatch, @@ -1260,6 +1312,7 @@ func testSupervisorLogin( breakRefreshSessionData func(t *testing.T, pinnipedSession *psession.PinnipedSession, idpName, username string), createTestUser func(t *testing.T) (string, string), deleteTestUser func(t *testing.T, username string), + downstreamScopes []string, wantLocalhostCallbackToNeverHappen bool, wantDownstreamIDTokenSubjectToMatch string, wantDownstreamIDTokenUsernameToMatch func(username string) string, @@ -1372,6 +1425,10 @@ func testSupervisorLogin( // Start a callback server on localhost. localCallbackServer := startLocalCallbackServer(t) + if downstreamScopes == nil { + downstreamScopes = []string{"openid", "pinniped:request-audience", "offline_access", "groups"} + } + // Form the OAuth2 configuration corresponding to our CLI client. // Note that this is not using response_type=form_post, so the Supervisor will redirect to the callback endpoint // directly, without using the Javascript form_post HTML page to POST back to the callback endpoint. The e2e 
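Review bot: The two new "without requesting groups scope" cases express the same expectation differently: the ldap case sets `wantDownstreamIDTokenGroups: []string{}` while the oidc case sets it to `nil`, and `verifyTokenResponse` is not visible here, so it is unclear whether both assert that the `groups` claim is absent or whether one of them would accept an empty list. Since the point of the commit is that no groups claim is issued without the scope, both cases should use the same value, and specifically the one `verifyTokenResponse` treats as "claim must be absent". The enclosing table and `testSupervisorLogin` start and end outside these hunks.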
@@ -1381,7 +1438,7 @@ func testSupervisorLogin( ClientID: "pinniped-cli", Endpoint: discovery.Endpoint(), RedirectURL: localCallbackServer.URL, - Scopes: []string{"openid", "pinniped:request-audience", "offline_access", "groups"}, + Scopes: downstreamScopes, } // Build a valid downstream authorize URL for the supervisor. @@ -1414,9 +1471,9 @@ func testSupervisorLogin( require.NoError(t, err) t.Logf("got callback request: %s", testlib.MaskTokens(callback.URL.String())) - if wantErrorType == "" { + if wantErrorType == "" { // nolint:nestif require.Equal(t, stateParam.String(), callback.URL.Query().Get("state")) - require.ElementsMatch(t, []string{"openid", "pinniped:request-audience", "offline_access", "groups"}, strings.Split(callback.URL.Query().Get("scope"), " ")) + require.ElementsMatch(t, downstreamScopes, strings.Split(callback.URL.Query().Get("scope"), " ")) authcode := callback.URL.Query().Get("code") require.NotEmpty(t, authcode) @@ -1427,7 +1484,10 @@ func testSupervisorLogin( tokenResponse, err := downstreamOAuth2Config.Exchange(oidcHTTPClientContext, authcode, pkceParam.Verifier()) require.NoError(t, err) - expectedIDTokenClaims := []string{"iss", "exp", "sub", "aud", "auth_time", "iat", "jti", "nonce", "rat", "username", "groups"} + expectedIDTokenClaims := []string{"iss", "exp", "sub", "aud", "auth_time", "iat", "jti", "nonce", "rat", "username"} + if slices.Contains(downstreamScopes, "groups") { + expectedIDTokenClaims = append(expectedIDTokenClaims, "groups") + } verifyTokenResponse(t, tokenResponse, discovery, downstreamOAuth2Config, nonceParam, expectedIDTokenClaims, wantDownstreamIDTokenSubjectToMatch, wantDownstreamIDTokenUsernameToMatch(username), wantDownstreamIDTokenGroups) 
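Review bot: The `slices.Contains(downstreamScopes, "groups")` check and the conditional `append(..., "groups")` are written twice, here for `expectedIDTokenClaims` and again in the refresh hunk at `-1464` for `expectRefreshedIDTokenClaims`; computing `wantGroupsClaim := slices.Contains(downstreamScopes, "groups")` once, right after the nil default is applied, and reusing it in both places keeps the two expectations from drifting. The `// nolint:nestif` added to the `wantErrorType == ""` branch suppresses the linter rather than addressing the nesting the new blocks introduce, which a small helper building the expected claim list would also resolve. `testSupervisorLogin` starts and ends outside the hunk.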
@@ -1464,7 +1524,10 @@ func testSupervisorLogin( require.NoError(t, err) // When refreshing, expect to get an "at_hash" claim, but no "nonce" claim. - expectRefreshedIDTokenClaims := []string{"iss", "exp", "sub", "aud", "auth_time", "iat", "jti", "rat", "username", "groups", "at_hash"} + expectRefreshedIDTokenClaims := []string{"iss", "exp", "sub", "aud", "auth_time", "iat", "jti", "rat", "username", "at_hash"} + if slices.Contains(downstreamScopes, "groups") { + expectRefreshedIDTokenClaims = append(expectRefreshedIDTokenClaims, "groups") + } verifyTokenResponse(t, refreshedTokenResponse, discovery, downstreamOAuth2Config, "", expectRefreshedIDTokenClaims, wantDownstreamIDTokenSubjectToMatch, wantDownstreamIDTokenUsernameToMatch(username), refreshedGroups) diff --git a/test/integration/supervisor_warnings_test.go b/test/integration/supervisor_warnings_test.go index 74b5aab0..27c58179 100644 --- a/test/integration/supervisor_warnings_test.go +++ b/test/integration/supervisor_warnings_test.go @@ -119,6 +119,7 @@ func TestSupervisorWarnings_Browser(t *testing.T) { "--concierge-authenticator-name", authenticator.Name, "--oidc-session-cache", sessionCachePath, "--credential-cache", credentialCachePath, + "--oidc-scopes", "offline_access,openid,pinniped:request-audience,groups", }) // Run "kubectl get namespaces" which should trigger a cli-based login. @@ -171,7 +172,7 @@ func TestSupervisorWarnings_Browser(t *testing.T) { })) // construct the cache key - downstreamScopes := []string{coreosoidc.ScopeOfflineAccess, coreosoidc.ScopeOpenID, "pinniped:request-audience"} + downstreamScopes := []string{coreosoidc.ScopeOfflineAccess, coreosoidc.ScopeOpenID, "pinniped:request-audience", "groups"} sort.Strings(downstreamScopes) sessionCacheKey := oidcclient.SessionCacheKey{ Issuer: downstream.Spec.Issuer, From c70a0b99a846b399027abdae1a2fdace636d5c8c Mon Sep 17 00:00:00 2001 
From: Margo Crawford Date: Wed, 22 Jun 2022 10:58:08 -0700 Subject: [PATCH 24/61] Don't do ldap group search when group scope not specified Signed-off-by: Margo Crawford --- internal/authenticators/authenticators.go | 2 +- .../active_directory_upstream_watcher.go | 6 +-- .../active_directory_upstream_watcher_test.go | 38 +++++++++--------- internal/oidc/auth/auth_handler.go | 2 +- internal/oidc/login/post_login_handler.go | 2 +- .../provider/dynamic_upstream_idp_provider.go | 7 ++-- internal/oidc/token/token_handler.go | 5 ++- .../testutil/oidctestutil/oidctestutil.go | 6 +-- internal/upstreamldap/upstreamldap.go | 39 ++++++++++++------- internal/upstreamldap/upstreamldap_test.go | 19 ++++----- test/integration/ldap_client_test.go | 22 +++++++++-- 11 files changed, 88 insertions(+), 60 deletions(-) diff --git a/internal/authenticators/authenticators.go b/internal/authenticators/authenticators.go index e343ecd1..9d675c2a 100644 --- a/internal/authenticators/authenticators.go +++ b/internal/authenticators/authenticators.go @@ -31,7 +31,7 @@ import ( // See k8s.io/apiserver/pkg/authentication/authenticator/interfaces.go for the token authenticator // interface, as well as the Response type. type UserAuthenticator interface { - AuthenticateUser(ctx context.Context, username, password string) (*Response, bool, error) + AuthenticateUser(ctx context.Context, username, password string, grantedScopes []string) (*Response, bool, error) } type Response struct { diff --git a/internal/controller/supervisorconfig/activedirectoryupstreamwatcher/active_directory_upstream_watcher.go b/internal/controller/supervisorconfig/activedirectoryupstreamwatcher/active_directory_upstream_watcher.go index 4aaa41b9..03bdf332 100644 --- a/internal/controller/supervisorconfig/activedirectoryupstreamwatcher/active_directory_upstream_watcher.go +++ b/internal/controller/supervisorconfig/activedirectoryupstreamwatcher/active_directory_upstream_watcher.go 
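Review bot: The `grantedScopes []string` parameter added to `UserAuthenticator.AuthenticateUser` is undocumented, and the interface comment above it (which points at the k8s authenticator interfaces) does not say what an implementation is expected to do with it; the commit subject indicates it gates the LDAP group search, so the value a caller passes changes which claims the user ends up with. Add a sentence to the interface comment, e.g. `// grantedScopes lists the downstream scopes granted for this login; implementations may skip group lookup when it does not contain "groups", so callers must pass the scopes actually granted.` The `Response` struct that follows is outside the hunk.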
@@ -338,7 +338,7 @@ func (c *activeDirectoryWatcherController) validateUpstream(ctx context.Context, UIDAttributeParsingOverrides: map[string]func(*ldap.Entry) (string, error){ "objectGUID": microsoftUUIDFromBinaryAttr("objectGUID"), }, - RefreshAttributeChecks: map[string]func(*ldap.Entry, provider.StoredRefreshAttributes) error{ + RefreshAttributeChecks: map[string]func(*ldap.Entry, provider.RefreshAttributes) error{ pwdLastSetAttribute: upstreamldap.AttributeUnchangedSinceLogin(pwdLastSetAttribute), userAccountControlAttribute: validUserAccountControl, userAccountControlComputedAttribute: validComputedUserAccountControl, @@ -437,7 +437,7 @@ func getDomainFromDistinguishedName(distinguishedName string) (string, error) { return strings.Join(domainComponents[1:], "."), nil } -func validUserAccountControl(entry *ldap.Entry, _ provider.StoredRefreshAttributes) error { +func validUserAccountControl(entry *ldap.Entry, _ provider.RefreshAttributes) error { userAccountControl, err := strconv.Atoi(entry.GetAttributeValue(userAccountControlAttribute)) if err != nil { return err @@ -450,7 +450,7 @@ func validUserAccountControl(entry *ldap.Entry, _ provider.StoredRefreshAttribut return nil } -func validComputedUserAccountControl(entry *ldap.Entry, _ provider.StoredRefreshAttributes) error { +func validComputedUserAccountControl(entry *ldap.Entry, _ provider.RefreshAttributes) error { userAccountControl, err := strconv.Atoi(entry.GetAttributeValue(userAccountControlComputedAttribute)) if err != nil { return err diff --git a/internal/controller/supervisorconfig/activedirectoryupstreamwatcher/active_directory_upstream_watcher_test.go b/internal/controller/supervisorconfig/activedirectoryupstreamwatcher/active_directory_upstream_watcher_test.go index ce69b4af..dc5fa693 100644 --- a/internal/controller/supervisorconfig/activedirectoryupstreamwatcher/active_directory_upstream_watcher_test.go 
+++ b/internal/controller/supervisorconfig/activedirectoryupstreamwatcher/active_directory_upstream_watcher_test.go @@ -222,7 +222,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) { GroupNameAttribute: testGroupNameAttrName, }, UIDAttributeParsingOverrides: map[string]func(*ldap.Entry) (string, error){"objectGUID": microsoftUUIDFromBinaryAttr("objectGUID")}, - RefreshAttributeChecks: map[string]func(*ldap.Entry, provider.StoredRefreshAttributes) error{ + RefreshAttributeChecks: map[string]func(*ldap.Entry, provider.RefreshAttributes) error{ "pwdLastSet": upstreamldap.AttributeUnchangedSinceLogin("pwdLastSet"), "userAccountControl": validUserAccountControl, "msDS-User-Account-Control-Computed": validComputedUserAccountControl, @@ -564,7 +564,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) { GroupNameAttribute: testGroupNameAttrName, }, UIDAttributeParsingOverrides: map[string]func(*ldap.Entry) (string, error){"objectGUID": microsoftUUIDFromBinaryAttr("objectGUID")}, - RefreshAttributeChecks: map[string]func(*ldap.Entry, provider.StoredRefreshAttributes) error{ + RefreshAttributeChecks: map[string]func(*ldap.Entry, provider.RefreshAttributes) error{ "pwdLastSet": upstreamldap.AttributeUnchangedSinceLogin("pwdLastSet"), "userAccountControl": validUserAccountControl, "msDS-User-Account-Control-Computed": validComputedUserAccountControl, 
@@ -633,7 +633,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) { GroupNameAttribute: "sAMAccountName", }, UIDAttributeParsingOverrides: map[string]func(*ldap.Entry) (string, error){"objectGUID": microsoftUUIDFromBinaryAttr("objectGUID")}, - RefreshAttributeChecks: map[string]func(*ldap.Entry, provider.StoredRefreshAttributes) error{ + RefreshAttributeChecks: map[string]func(*ldap.Entry, provider.RefreshAttributes) error{ "pwdLastSet": upstreamldap.AttributeUnchangedSinceLogin("pwdLastSet"), "userAccountControl": validUserAccountControl, "msDS-User-Account-Control-Computed": validComputedUserAccountControl, @@ -705,7 +705,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) { GroupNameAttribute: testGroupNameAttrName, }, UIDAttributeParsingOverrides: map[string]func(*ldap.Entry) (string, error){"objectGUID": microsoftUUIDFromBinaryAttr("objectGUID")}, - RefreshAttributeChecks: map[string]func(*ldap.Entry, provider.StoredRefreshAttributes) error{ + RefreshAttributeChecks: map[string]func(*ldap.Entry, provider.RefreshAttributes) error{ "pwdLastSet": upstreamldap.AttributeUnchangedSinceLogin("pwdLastSet"), "userAccountControl": validUserAccountControl, "msDS-User-Account-Control-Computed": validComputedUserAccountControl, @@ -784,7 +784,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) { GroupNameAttribute: testGroupNameAttrName, }, UIDAttributeParsingOverrides: map[string]func(*ldap.Entry) (string, error){"objectGUID": microsoftUUIDFromBinaryAttr("objectGUID")}, - RefreshAttributeChecks: map[string]func(*ldap.Entry, provider.StoredRefreshAttributes) error{ + RefreshAttributeChecks: map[string]func(*ldap.Entry, provider.RefreshAttributes) error{ "pwdLastSet": upstreamldap.AttributeUnchangedSinceLogin("pwdLastSet"), "userAccountControl": validUserAccountControl, "msDS-User-Account-Control-Computed": validComputedUserAccountControl, 
@@ -847,7 +847,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) { GroupNameAttribute: testGroupNameAttrName, }, UIDAttributeParsingOverrides: map[string]func(*ldap.Entry) (string, error){"objectGUID": microsoftUUIDFromBinaryAttr("objectGUID")}, - RefreshAttributeChecks: map[string]func(*ldap.Entry, provider.StoredRefreshAttributes) error{ + RefreshAttributeChecks: map[string]func(*ldap.Entry, provider.RefreshAttributes) error{ "pwdLastSet": upstreamldap.AttributeUnchangedSinceLogin("pwdLastSet"), "userAccountControl": validUserAccountControl, "msDS-User-Account-Control-Computed": validComputedUserAccountControl, @@ -997,7 +997,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) { GroupNameAttribute: testGroupNameAttrName, }, UIDAttributeParsingOverrides: map[string]func(*ldap.Entry) (string, error){"objectGUID": microsoftUUIDFromBinaryAttr("objectGUID")}, - RefreshAttributeChecks: map[string]func(*ldap.Entry, provider.StoredRefreshAttributes) error{ + RefreshAttributeChecks: map[string]func(*ldap.Entry, provider.RefreshAttributes) error{ "pwdLastSet": upstreamldap.AttributeUnchangedSinceLogin("pwdLastSet"), "userAccountControl": validUserAccountControl, "msDS-User-Account-Control-Computed": validComputedUserAccountControl, @@ -1146,7 +1146,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) { GroupNameAttribute: testGroupNameAttrName, }, UIDAttributeParsingOverrides: map[string]func(*ldap.Entry) (string, error){"objectGUID": microsoftUUIDFromBinaryAttr("objectGUID")}, - RefreshAttributeChecks: map[string]func(*ldap.Entry, provider.StoredRefreshAttributes) error{ + RefreshAttributeChecks: map[string]func(*ldap.Entry, provider.RefreshAttributes) error{ "pwdLastSet": upstreamldap.AttributeUnchangedSinceLogin("pwdLastSet"), "userAccountControl": validUserAccountControl, "msDS-User-Account-Control-Computed": validComputedUserAccountControl, 
@@ -1217,7 +1217,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) { GroupNameAttribute: testGroupNameAttrName, }, UIDAttributeParsingOverrides: map[string]func(*ldap.Entry) (string, error){"objectGUID": microsoftUUIDFromBinaryAttr("objectGUID")}, - RefreshAttributeChecks: map[string]func(*ldap.Entry, provider.StoredRefreshAttributes) error{ + RefreshAttributeChecks: map[string]func(*ldap.Entry, provider.RefreshAttributes) error{ "pwdLastSet": upstreamldap.AttributeUnchangedSinceLogin("pwdLastSet"), "userAccountControl": validUserAccountControl, "msDS-User-Account-Control-Computed": validComputedUserAccountControl, @@ -1483,7 +1483,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) { }, UIDAttributeParsingOverrides: map[string]func(*ldap.Entry) (string, error){"objectGUID": microsoftUUIDFromBinaryAttr("objectGUID")}, GroupAttributeParsingOverrides: map[string]func(*ldap.Entry) (string, error){"sAMAccountName": groupSAMAccountNameWithDomainSuffix}, - RefreshAttributeChecks: map[string]func(*ldap.Entry, provider.StoredRefreshAttributes) error{ + RefreshAttributeChecks: map[string]func(*ldap.Entry, provider.RefreshAttributes) error{ "pwdLastSet": upstreamldap.AttributeUnchangedSinceLogin("pwdLastSet"), "userAccountControl": validUserAccountControl, "msDS-User-Account-Control-Computed": validComputedUserAccountControl, 
@@ -1542,7 +1542,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) { GroupNameAttribute: testGroupNameAttrName, }, UIDAttributeParsingOverrides: map[string]func(*ldap.Entry) (string, error){"objectGUID": microsoftUUIDFromBinaryAttr("objectGUID")}, - RefreshAttributeChecks: map[string]func(*ldap.Entry, provider.StoredRefreshAttributes) error{ + RefreshAttributeChecks: map[string]func(*ldap.Entry, provider.RefreshAttributes) error{ "pwdLastSet": upstreamldap.AttributeUnchangedSinceLogin("pwdLastSet"), "userAccountControl": validUserAccountControl, "msDS-User-Account-Control-Computed": validComputedUserAccountControl, @@ -1605,7 +1605,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) { GroupNameAttribute: testGroupNameAttrName, }, UIDAttributeParsingOverrides: map[string]func(*ldap.Entry) (string, error){"objectGUID": microsoftUUIDFromBinaryAttr("objectGUID")}, - RefreshAttributeChecks: map[string]func(*ldap.Entry, provider.StoredRefreshAttributes) error{ + RefreshAttributeChecks: map[string]func(*ldap.Entry, provider.RefreshAttributes) error{ "pwdLastSet": upstreamldap.AttributeUnchangedSinceLogin("pwdLastSet"), "userAccountControl": validUserAccountControl, "msDS-User-Account-Control-Computed": validComputedUserAccountControl, @@ -1668,7 +1668,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) { GroupNameAttribute: testGroupNameAttrName, }, UIDAttributeParsingOverrides: map[string]func(*ldap.Entry) (string, error){"objectGUID": microsoftUUIDFromBinaryAttr("objectGUID")}, - RefreshAttributeChecks: map[string]func(*ldap.Entry, provider.StoredRefreshAttributes) error{ + RefreshAttributeChecks: map[string]func(*ldap.Entry, provider.RefreshAttributes) error{ "pwdLastSet": upstreamldap.AttributeUnchangedSinceLogin("pwdLastSet"), "userAccountControl": validUserAccountControl, "msDS-User-Account-Control-Computed": validComputedUserAccountControl, 
@@ -1879,7 +1879,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) { GroupNameAttribute: testGroupNameAttrName, }, UIDAttributeParsingOverrides: map[string]func(*ldap.Entry) (string, error){"objectGUID": microsoftUUIDFromBinaryAttr("objectGUID")}, - RefreshAttributeChecks: map[string]func(*ldap.Entry, provider.StoredRefreshAttributes) error{ + RefreshAttributeChecks: map[string]func(*ldap.Entry, provider.RefreshAttributes) error{ "pwdLastSet": upstreamldap.AttributeUnchangedSinceLogin("pwdLastSet"), "userAccountControl": validUserAccountControl, "msDS-User-Account-Control-Computed": validComputedUserAccountControl, @@ -1941,7 +1941,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) { SkipGroupRefresh: true, }, UIDAttributeParsingOverrides: map[string]func(*ldap.Entry) (string, error){"objectGUID": microsoftUUIDFromBinaryAttr("objectGUID")}, - RefreshAttributeChecks: map[string]func(*ldap.Entry, provider.StoredRefreshAttributes) error{ + RefreshAttributeChecks: map[string]func(*ldap.Entry, provider.RefreshAttributes) error{ "pwdLastSet": upstreamldap.AttributeUnchangedSinceLogin("pwdLastSet"), "userAccountControl": validUserAccountControl, "msDS-User-Account-Control-Computed": validComputedUserAccountControl, 
@@ -2083,8 +2083,8 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) { expectedRefreshAttributeChecks := copyOfExpectedValueForResultingCache.RefreshAttributeChecks actualRefreshAttributeChecks := actualConfig.RefreshAttributeChecks - copyOfExpectedValueForResultingCache.RefreshAttributeChecks = map[string]func(*ldap.Entry, provider.StoredRefreshAttributes) error{} - actualConfig.RefreshAttributeChecks = map[string]func(*ldap.Entry, provider.StoredRefreshAttributes) error{} + copyOfExpectedValueForResultingCache.RefreshAttributeChecks = map[string]func(*ldap.Entry, provider.RefreshAttributes) error{} + actualConfig.RefreshAttributeChecks = map[string]func(*ldap.Entry, provider.RefreshAttributes) error{} require.Equal(t, len(expectedRefreshAttributeChecks), len(actualRefreshAttributeChecks)) for k, v := range expectedRefreshAttributeChecks { require.NotNil(t, actualRefreshAttributeChecks[k]) @@ -2333,7 +2333,7 @@ func TestValidUserAccountControl(t *testing.T) { for _, test := range tests { tt := test t.Run(tt.name, func(t *testing.T) { - err := validUserAccountControl(tt.entry, provider.StoredRefreshAttributes{}) + err := validUserAccountControl(tt.entry, provider.RefreshAttributes{}) if tt.wantErr != "" { require.Error(t, err) @@ -2394,7 +2394,7 @@ func TestValidComputedUserAccountControl(t *testing.T) { for _, test := range tests { tt := test t.Run(tt.name, func(t *testing.T) { - err := validComputedUserAccountControl(tt.entry, provider.StoredRefreshAttributes{}) + err := validComputedUserAccountControl(tt.entry, provider.RefreshAttributes{}) if tt.wantErr != "" { require.Error(t, err) diff --git a/internal/oidc/auth/auth_handler.go b/internal/oidc/auth/auth_handler.go index 67b1581b..adbbec7c 100644 --- a/internal/oidc/auth/auth_handler.go +++ b/internal/oidc/auth/auth_handler.go 
@@ -131,7 +131,7 @@ func handleAuthRequestForLDAPUpstreamCLIFlow(
 return nil
 }
 
-authenticateResponse, authenticated, err := ldapUpstream.AuthenticateUser(r.Context(), username, password)
+authenticateResponse, authenticated, err := ldapUpstream.AuthenticateUser(r.Context(), username, password, authorizeRequester.GetGrantedScopes())
 if err != nil {
 plog.WarningErr("unexpected error during upstream LDAP authentication", err, "upstreamName", ldapUpstream.GetName())
 return httperr.New(http.StatusBadGateway, "unexpected error during upstream authentication")
diff --git a/internal/oidc/login/post_login_handler.go b/internal/oidc/login/post_login_handler.go
index dafe6e06..bc851c54 100644
--- a/internal/oidc/login/post_login_handler.go
+++ b/internal/oidc/login/post_login_handler.go
@@ -60,7 +60,7 @@ func NewPostHandler(issuerURL string, upstreamIDPs oidc.UpstreamIdentityProvider
 }
 
 // Attempt to authenticate the user with the upstream IDP.
-authenticateResponse, authenticated, err := ldapUpstream.AuthenticateUser(r.Context(), username, password)
+authenticateResponse, authenticated, err := ldapUpstream.AuthenticateUser(r.Context(), username, password, authorizeRequester.GetGrantedScopes())
 if err != nil {
 plog.WarningErr("unexpected error during upstream LDAP authentication", err, "upstreamName", ldapUpstream.GetName())
 // There was some problem during authentication with the upstream, aside from bad username/password.
diff --git a/internal/oidc/provider/dynamic_upstream_idp_provider.go b/internal/oidc/provider/dynamic_upstream_idp_provider.go
index befcddb8..a5eabea5 100644
--- a/internal/oidc/provider/dynamic_upstream_idp_provider.go
+++ b/internal/oidc/provider/dynamic_upstream_idp_provider.go
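Review bot: Both handler hunks (auth_handler.go @@ -131 and post_login_handler.go @@ -60) now let `authorizeRequester.GetGrantedScopes()` decide whether the LDAP group search runs, but neither hunk shows that scopes have already been granted on `authorizeRequester` at that point. If granting happens later in the flow, the list is empty here and every LDAP login silently skips the group search, and the handler unit tests cannot catch it because the test double in oidctestutil discards the argument. A test on each handler asserting the scope list forwarded to `AuthenticateUser` equals the requested-and-granted downstream scopes would pin this. Both enclosing functions start and end outside their hunks.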
@@ -108,17 +108,18 @@ type UpstreamLDAPIdentityProviderI interface { authenticators.UserAuthenticator // PerformRefresh performs a refresh against the upstream LDAP identity provider - PerformRefresh(ctx context.Context, storedRefreshAttributes StoredRefreshAttributes) (groups []string, err error) + PerformRefresh(ctx context.Context, storedRefreshAttributes RefreshAttributes) (groups []string, err error) } -// StoredRefreshAttributes contains information about the user from the original login request +// RefreshAttributes contains information about the user from the original login request // and previous refreshes. -type StoredRefreshAttributes struct { +type RefreshAttributes struct { Username string Subject string DN string Groups []string AdditionalAttributes map[string]string + GrantedScopes []string } type DynamicUpstreamIDPProvider interface { diff --git a/internal/oidc/token/token_handler.go b/internal/oidc/token/token_handler.go index 6c3bf575..76727a12 100644 --- a/internal/oidc/token/token_handler.go +++ b/internal/oidc/token/token_handler.go @@ -181,7 +181,7 @@ func upstreamOIDCRefresh(ctx context.Context, session *psession.PinnipedSession, } groupsScope := slices.Contains(grantedScopes, oidc.DownstreamGroupsScope) - if groupsScope { + if groupsScope { //nolint:nestif // If possible, update the user's group memberships. The configured groups claim name (if there is one) may or // may not be included in the newly fetched and merged claims. It could be missing due to a misconfiguration of the // claim name. It could also be missing because the claim was originally found in the ID token during login, but 
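Review bot: The doc comment kept on `RefreshAttributes` still says the struct holds "information about the user from the original login request and previous refreshes", but the new `GrantedScopes` field is authorization state, not a user attribute, and a reader could assume it is fetched from the upstream. A field comment such as `// GrantedScopes holds the downstream scopes granted at login; PerformRefresh uses it to decide whether groups may be searched for and returned.` would close that gap. The `PerformRefresh` parameter is also still named `storedRefreshAttributes` after the type rename; `refreshAttributes` would match. In the token_handler.go hunk on the same line, `//nolint:nestif` suppresses the linter rather than extracting the groups branch into a helper, which is the usual remedy.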
@@ -333,12 +333,13 @@ func upstreamLDAPRefresh(ctx context.Context, providerCache oidc.UpstreamIdentit return errorsx.WithStack(errMissingUpstreamSessionInternalError()) } // run PerformRefresh - groups, err := p.PerformRefresh(ctx, provider.StoredRefreshAttributes{ + groups, err := p.PerformRefresh(ctx, provider.RefreshAttributes{ Username: username, Subject: subject, DN: dn, Groups: oldGroups, AdditionalAttributes: additionalAttributes, + GrantedScopes: grantedScopes, }) if err != nil { return errUpstreamRefreshError().WithHint( diff --git a/internal/testutil/oidctestutil/oidctestutil.go b/internal/testutil/oidctestutil/oidctestutil.go index 508e4bf0..fb1e8a7a 100644 --- a/internal/testutil/oidctestutil/oidctestutil.go +++ b/internal/testutil/oidctestutil/oidctestutil.go @@ -92,7 +92,7 @@ type ValidateTokenAndMergeWithUserInfoArgs struct { type ValidateRefreshArgs struct { Ctx context.Context Tok *oauth2.Token - StoredAttributes provider.StoredRefreshAttributes + StoredAttributes provider.RefreshAttributes } type TestUpstreamLDAPIdentityProvider struct { @@ -116,7 +116,7 @@ func (u *TestUpstreamLDAPIdentityProvider) GetName() string { return u.Name } -func (u *TestUpstreamLDAPIdentityProvider) AuthenticateUser(ctx context.Context, username, password string) (*authenticators.Response, bool, error) { +func (u *TestUpstreamLDAPIdentityProvider) AuthenticateUser(ctx context.Context, username, password string, grantedScopes []string) (*authenticators.Response, bool, error) { return u.AuthenticateFunc(ctx, username, password) } 
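Review bot: `TestUpstreamLDAPIdentityProvider.AuthenticateUser` accepts the new `grantedScopes` argument but drops it, still calling `u.AuthenticateFunc(ctx, username, password)`, so no handler test can observe whether the granted scopes were forwarded correctly. Recording the argument the way `PerformRefresh` records its arguments in the next hunk (`performRefreshArgs`), or extending `AuthenticateFunc` to take the scopes, would let the auth-handler tests assert on it. Without that, a regression that passes an empty or wrong scope list is only detectable in the integration suite.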
@@ -124,7 +124,7 @@ func (u *TestUpstreamLDAPIdentityProvider) GetURL() *url.URL { return u.URL } -func (u *TestUpstreamLDAPIdentityProvider) PerformRefresh(ctx context.Context, storedRefreshAttributes provider.StoredRefreshAttributes) ([]string, error) { +func (u *TestUpstreamLDAPIdentityProvider) PerformRefresh(ctx context.Context, storedRefreshAttributes provider.RefreshAttributes) ([]string, error) { if u.performRefreshArgs == nil { u.performRefreshArgs = make([]*PerformRefreshArgs, 0) } diff --git a/internal/upstreamldap/upstreamldap.go b/internal/upstreamldap/upstreamldap.go index ddee048b..7317d939 100644 --- a/internal/upstreamldap/upstreamldap.go +++ b/internal/upstreamldap/upstreamldap.go @@ -16,6 +16,10 @@ import ( "strings" "time" + "go.pinniped.dev/internal/oidc" + + "k8s.io/utils/strings/slices" + "github.com/go-ldap/ldap/v3" "k8s.io/apimachinery/pkg/types" "k8s.io/apimachinery/pkg/util/sets" @@ -118,7 +122,7 @@ type ProviderConfig struct { GroupAttributeParsingOverrides map[string]func(*ldap.Entry) (string, error) // RefreshAttributeChecks are extra checks that attributes in a refresh response are as expected. - RefreshAttributeChecks map[string]func(*ldap.Entry, provider.StoredRefreshAttributes) error + RefreshAttributeChecks map[string]func(*ldap.Entry, provider.RefreshAttributes) error } // UserSearchConfig contains information about how to search for users in the upstream LDAP IDP. 
@@ -175,7 +179,7 @@ func (p *Provider) GetConfig() ProviderConfig {
 return p.c
 }
 
-func (p *Provider) PerformRefresh(ctx context.Context, storedRefreshAttributes provider.StoredRefreshAttributes) ([]string, error) {
+func (p *Provider) PerformRefresh(ctx context.Context, storedRefreshAttributes provider.RefreshAttributes) ([]string, error) {
 t := trace.FromContext(ctx).Nest("slow ldap refresh attempt", trace.Field{Key: "providerName", Value: p.GetName()})
 defer t.LogIfLong(500 * time.Millisecond) // to help users debug slow LDAP searches
 userDN := storedRefreshAttributes.DN
@@ -238,6 +242,10 @@ func (p *Provider) PerformRefresh(ctx context.Context, storedRefreshAttributes p
 if p.c.GroupSearch.SkipGroupRefresh {
 return storedRefreshAttributes.Groups, nil
 }
 
+// if we were not granted the groups scope, we should not search for groups or return any.
+if !slices.Contains(storedRefreshAttributes.GrantedScopes, oidc.DownstreamGroupsScope) {
+return nil, nil
+}
 mappedGroupNames, err := p.searchGroupsForUserDN(conn, userDN)
 if err != nil {
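Review bot: The new scope check in `PerformRefresh` (@@ -238) sits after the `SkipGroupRefresh` early return, so a provider configured with `SkipGroupRefresh: true` still returns `storedRefreshAttributes.Groups` when the groups scope was never granted; correctness then depends on every caller passing nil `Groups` in that case rather than on the provider itself. Moving the three-line scope check above the `SkipGroupRefresh` branch makes the provider enforce the rule regardless of caller behaviour, which is the safer default for an authorization gate. The comment could also state the intent plainly, e.g. `// The groups scope was not granted, so never search for or return group memberships, even if the session stored some.` `PerformRefresh` continues outside the hunk.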
@@ -398,23 +406,23 @@ func (p *Provider) TestConnection(ctx context.Context) error {
 // authentication for a given end user's username. It runs the same logic as AuthenticateUser except it does
 // not bind as that user, so it does not test their password. It returns the same values that a real call to
 // AuthenticateUser with the correct password would return.
-func (p *Provider) DryRunAuthenticateUser(ctx context.Context, username string) (*authenticators.Response, bool, error) {
+func (p *Provider) DryRunAuthenticateUser(ctx context.Context, username string, grantedScopes []string) (*authenticators.Response, bool, error) {
 endUserBindFunc := func(conn Conn, foundUserDN string) error {
 // Act as if the end user bind always succeeds.
 return nil
 }
-return p.authenticateUserImpl(ctx, username, endUserBindFunc)
+return p.authenticateUserImpl(ctx, username, grantedScopes, endUserBindFunc)
 }
 
 // Authenticate an end user and return their mapped username, groups, and UID. Implements authenticators.UserAuthenticator.
-func (p *Provider) AuthenticateUser(ctx context.Context, username, password string) (*authenticators.Response, bool, error) {
+func (p *Provider) AuthenticateUser(ctx context.Context, username, password string, grantedScopes []string) (*authenticators.Response, bool, error) {
 endUserBindFunc := func(conn Conn, foundUserDN string) error {
 return conn.Bind(foundUserDN, password)
 }
-return p.authenticateUserImpl(ctx, username, endUserBindFunc)
+return p.authenticateUserImpl(ctx, username, grantedScopes, endUserBindFunc)
 }
 
-func (p *Provider) authenticateUserImpl(ctx context.Context, username string, bindFunc func(conn Conn, foundUserDN string) error) (*authenticators.Response, bool, error) {
+func (p *Provider) authenticateUserImpl(ctx context.Context, username string, grantedScopes []string, bindFunc func(conn Conn, foundUserDN string) error) (*authenticators.Response, bool, error) {
 t := trace.FromContext(ctx).Nest("slow ldap authenticate user attempt", trace.Field{Key: "providerName", Value: p.GetName()})
 defer t.LogIfLong(500 * time.Millisecond) // to help users debug slow LDAP searches
 
@@ -443,7 +451,7 @@ func (p *Provider) authenticateUserImpl(ctx context.Context, username string, bi
 return nil, false, fmt.Errorf(`error binding as %q before user search: %w`, p.c.BindUsername, err)
 }
 
-response, err := p.searchAndBindUser(conn, username, bindFunc)
+response, err := p.searchAndBindUser(conn, username, grantedScopes, bindFunc)
 if err != nil {
 p.traceAuthFailure(t, err)
 return nil, false, err
@@ -540,7 +548,7 @@ func (p *Provider) SearchForDefaultNamingContext(ctx context.Context) (string, e return searchBase, nil } -func (p *Provider) searchAndBindUser(conn Conn, username string, bindFunc func(conn Conn, foundUserDN string) error) (*authenticators.Response, error) { +func (p *Provider) searchAndBindUser(conn Conn, username string, grantedScopes []string, bindFunc func(conn Conn, foundUserDN string) error) (*authenticators.Response, error) { searchResult, err := conn.Search(p.userSearchRequest(username)) if err != nil { plog.All(`error searching for user`, @@ -586,9 +594,12 @@ func (p *Provider) searchAndBindUser(conn Conn, username string, bindFunc func(c return nil, err } - mappedGroupNames, err := p.searchGroupsForUserDN(conn, userEntry.DN) - if err != nil { - return nil, err + var mappedGroupNames []string + if slices.Contains(grantedScopes, oidc.DownstreamGroupsScope) { + mappedGroupNames, err = p.searchGroupsForUserDN(conn, userEntry.DN) + if err != nil { + return nil, err + } } mappedRefreshAttributes := make(map[string]string) @@ -822,8 +833,8 @@ func (p *Provider) traceRefreshFailure(t *trace.Trace, err error) { ) } -func AttributeUnchangedSinceLogin(attribute string) func(*ldap.Entry, provider.StoredRefreshAttributes) error { - return func(entry *ldap.Entry, storedAttributes provider.StoredRefreshAttributes) error { +func AttributeUnchangedSinceLogin(attribute string) func(*ldap.Entry, provider.RefreshAttributes) error { + return func(entry *ldap.Entry, storedAttributes provider.RefreshAttributes) error { prevAttributeValue := storedAttributes.AdditionalAttributes[attribute] newValues := entry.GetRawAttributeValues(attribute) diff --git a/internal/upstreamldap/upstreamldap_test.go b/internal/upstreamldap/upstreamldap_test.go index b4ee6bdf..9a9ca782 100644 --- a/internal/upstreamldap/upstreamldap_test.go +++ b/internal/upstreamldap/upstreamldap_test.go 
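Review bot: In the `searchAndBindUser` hunk (@@ -586) `mappedGroupNames` stays nil when the groups scope is not granted, whereas a granted scope with no memberships yields whatever `searchGroupsForUserDN` returns (the tests in this patch expect `[]string{}` for that case). The nil-versus-empty distinction is now load-bearing for whatever consumes `Response.User.Groups` downstream, yet nothing in the code records it. A comment at the declaration, e.g. `// nil: the groups scope was not granted, so no search was made; empty: the scope was granted but the user belongs to no groups.`, and a matching note on the `Groups` semantics in `authenticators.Response` would keep a later refactor from collapsing the two. The enclosing function starts and ends outside the hunk.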
@@ -638,8 +638,8 @@ func TestEndUserAuthentication(t *testing.T) { username: testUpstreamUsername, password: testUpstreamPassword, providerConfig: providerConfig(func(p *ProviderConfig) { - p.RefreshAttributeChecks = map[string]func(entry *ldap.Entry, attributes provider.StoredRefreshAttributes) error{ - "some-attribute-to-check-during-refresh": func(entry *ldap.Entry, attributes provider.StoredRefreshAttributes) error { + p.RefreshAttributeChecks = map[string]func(entry *ldap.Entry, attributes provider.RefreshAttributes) error{ + "some-attribute-to-check-during-refresh": func(entry *ldap.Entry, attributes provider.RefreshAttributes) error { return nil }, } @@ -676,8 +676,8 @@ func TestEndUserAuthentication(t *testing.T) { username: testUpstreamUsername, password: testUpstreamPassword, providerConfig: providerConfig(func(p *ProviderConfig) { - p.RefreshAttributeChecks = map[string]func(entry *ldap.Entry, attributes provider.StoredRefreshAttributes) error{ - "some-attribute-to-check-during-refresh": func(entry *ldap.Entry, attributes provider.StoredRefreshAttributes) error { + p.RefreshAttributeChecks = map[string]func(entry *ldap.Entry, attributes provider.RefreshAttributes) error{ + "some-attribute-to-check-during-refresh": func(entry *ldap.Entry, attributes provider.RefreshAttributes) error { return nil }, } @@ -1167,7 +1167,7 @@ func TestEndUserAuthentication(t *testing.T) { ldapProvider := New(*tt.providerConfig) - authResponse, authenticated, err := ldapProvider.AuthenticateUser(context.Background(), tt.username, tt.password) + authResponse, authenticated, err := ldapProvider.AuthenticateUser(context.Background(), tt.username, tt.password, []string{"groups"}) require.Equal(t, !tt.wantToSkipDial, dialWasAttempted) switch { case tt.wantError != "": 
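Review bot: The test in this hunk (@@ -1167) passes the literal `"groups"` where the production gate compares against `oidc.DownstreamGroupsScope`; the same literal recurs in the @@ -1199 and @@ -1772 hunks of this file and in the `[]string{"groups"}` defaults added to ldap_client_test.go. If the constant's value ever drifts, every one of these tests keeps passing a stale string and the scope gate would silently never fire under test. Referencing `oidc.DownstreamGroupsScope` (or one shared `groupsScope := []string{oidc.DownstreamGroupsScope}` in the test file) ties the tests to the real value.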
@@ -1199,7 +1199,7 @@ func TestEndUserAuthentication(t *testing.T) { } // Skip tt.bindEndUserMocks since DryRunAuthenticateUser() never binds as the end user. - authResponse, authenticated, err = ldapProvider.DryRunAuthenticateUser(context.Background(), tt.username) + authResponse, authenticated, err = ldapProvider.DryRunAuthenticateUser(context.Background(), tt.username, []string{"groups"}) require.Equal(t, !tt.wantToSkipDial, dialWasAttempted) switch { case tt.wantError != "": @@ -1318,7 +1318,7 @@ func TestUpstreamRefresh(t *testing.T) { Filter: testGroupSearchFilter, GroupNameAttribute: testGroupSearchGroupNameAttribute, }, - RefreshAttributeChecks: map[string]func(*ldap.Entry, provider.StoredRefreshAttributes) error{ + RefreshAttributeChecks: map[string]func(*ldap.Entry, provider.RefreshAttributes) error{ pwdLastSetAttribute: AttributeUnchangedSinceLogin(pwdLastSetAttribute), }, } @@ -1772,11 +1772,12 @@ func TestUpstreamRefresh(t *testing.T) { initialPwdLastSetEncoded := base64.RawURLEncoding.EncodeToString([]byte("132801740800000000")) ldapProvider := New(*tt.providerConfig) subject := "ldaps://ldap.example.com:8443?base=some-upstream-user-base-dn&sub=c29tZS11cHN0cmVhbS11aWQtdmFsdWU" - groups, err := ldapProvider.PerformRefresh(context.Background(), provider.StoredRefreshAttributes{ + groups, err := ldapProvider.PerformRefresh(context.Background(), provider.RefreshAttributes{ Username: testUserSearchResultUsernameAttributeValue, Subject: subject, DN: tt.refreshUserDN, AdditionalAttributes: map[string]string{pwdLastSetAttribute: initialPwdLastSetEncoded}, + GrantedScopes: []string{"groups"}, }) if tt.wantErr != "" { require.Error(t, err) 
@@ -2149,7 +2150,7 @@ func TestAttributeUnchangedSinceLogin(t *testing.T) { tt := test t.Run(tt.name, func(t *testing.T) { initialValRawEncoded := base64.RawURLEncoding.EncodeToString([]byte(initialVal)) - err := AttributeUnchangedSinceLogin(attributeName)(tt.entry, provider.StoredRefreshAttributes{AdditionalAttributes: map[string]string{attributeName: initialValRawEncoded}}) + err := AttributeUnchangedSinceLogin(attributeName)(tt.entry, provider.RefreshAttributes{AdditionalAttributes: map[string]string{attributeName: initialValRawEncoded}}) if tt.wantErr != "" { require.Error(t, err) require.Equal(t, tt.wantErr, err.Error()) diff --git a/test/integration/ldap_client_test.go b/test/integration/ldap_client_test.go index 584b68f5..3541dfa0 100644 --- a/test/integration/ldap_client_test.go +++ b/test/integration/ldap_client_test.go @@ -73,6 +73,7 @@ func TestLDAPSearch_Parallel(t *testing.T) { name string username string password string + grantedScopes []string provider *upstreamldap.Provider wantError string wantAuthResponse *authenticators.Response @@ -114,6 +115,18 @@ func TestLDAPSearch_Parallel(t *testing.T) { ExtraRefreshAttributes: map[string]string{}, }, }, + { + name: "groups scope not in granted scopes", + username: "pinny", + password: pinnyPassword, + grantedScopes: []string{}, + provider: upstreamldap.New(*providerConfig(nil)), + wantAuthResponse: &authenticators.Response{ + User: &user.DefaultInfo{Name: "pinny", UID: b64("1000"), Groups: nil}, + DN: "cn=pinny,ou=users,dc=pinniped,dc=dev", + ExtraRefreshAttributes: map[string]string{}, + }, + }, { name: "when the user search filter is already wrapped by parenthesis", username: "pinny", 
@@ -636,7 +649,10 @@ func TestLDAPSearch_Parallel(t *testing.T) { for _, test := range tests { tt := test t.Run(tt.name, func(t *testing.T) { - authResponse, authenticated, err := tt.provider.AuthenticateUser(ctx, tt.username, tt.password) + if tt.grantedScopes == nil { + tt.grantedScopes = []string{"groups"} + } + authResponse, authenticated, err := tt.provider.AuthenticateUser(ctx, tt.username, tt.password, tt.grantedScopes) switch { case tt.wantError != "": @@ -694,9 +710,7 @@ func TestSimultaneousLDAPRequestsOnSingleProvider(t *testing.T) { authUserCtx, authUserCtxCancelFunc := context.WithTimeout(context.Background(), 2*time.Minute) defer authUserCtxCancelFunc() - authResponse, authenticated, err := provider.AuthenticateUser(authUserCtx, - env.SupervisorUpstreamLDAP.TestUserCN, env.SupervisorUpstreamLDAP.TestUserPassword, - ) + authResponse, authenticated, err := provider.AuthenticateUser(authUserCtx, env.SupervisorUpstreamLDAP.TestUserCN, env.SupervisorUpstreamLDAP.TestUserPassword, []string{"groups"}) resultCh <- authUserResult{ response: authResponse, authenticated: authenticated, From dac03956807a68f9caabffe71392036aefa4b450 Mon Sep 17 00:00:00 2001 From: Margo Crawford Date: Wed, 22 Jun 2022 14:19:55 -0700 Subject: [PATCH 25/61] Add a couple tests, address pr comments Signed-off-by: Margo Crawford --- internal/oidc/token/token_handler.go | 11 ++++-- internal/upstreamldap/upstreamldap.go | 6 +-- internal/upstreamldap/upstreamldap_test.go | 45 ++++++++++++++++++++-- 3 files changed, 51 insertions(+), 11 deletions(-) diff --git a/internal/oidc/token/token_handler.go b/internal/oidc/token/token_handler.go index 76727a12..c0044fc5 100644 --- a/internal/oidc/token/token_handler.go +++ b/internal/oidc/token/token_handler.go 
@@ -303,9 +303,12 @@ func upstreamLDAPRefresh(ctx context.Context, providerCache oidc.UpstreamIdentit return err } subject := session.Fosite.Claims.Subject - oldGroups, err := getDownstreamGroupsFromPinnipedSession(session) - if err != nil { - return err + var oldGroups []string + if slices.Contains(grantedScopes, oidc.DownstreamGroupsScope) { + oldGroups, err = getDownstreamGroupsFromPinnipedSession(session) + if err != nil { + return err + } } s := session.Custom @@ -410,7 +413,7 @@ func getDownstreamGroupsFromPinnipedSession(session *psession.PinnipedSession) ( } downstreamGroupsInterface := extra[oidc.DownstreamGroupsClaim] if downstreamGroupsInterface == nil { - return nil, nil + return nil, errorsx.WithStack(errMissingUpstreamSessionInternalError()) } downstreamGroupsInterfaceList, ok := downstreamGroupsInterface.([]interface{}) if !ok { diff --git a/internal/upstreamldap/upstreamldap.go b/internal/upstreamldap/upstreamldap.go index 7317d939..cfbd437f 100644 --- a/internal/upstreamldap/upstreamldap.go +++ b/internal/upstreamldap/upstreamldap.go @@ -16,19 +16,17 @@ import ( "strings" "time" - "go.pinniped.dev/internal/oidc" - - "k8s.io/utils/strings/slices" - "github.com/go-ldap/ldap/v3" "k8s.io/apimachinery/pkg/types" "k8s.io/apimachinery/pkg/util/sets" "k8s.io/apiserver/pkg/authentication/user" + "k8s.io/utils/strings/slices" "k8s.io/utils/trace" "go.pinniped.dev/internal/authenticators" "go.pinniped.dev/internal/crypto/ptls" "go.pinniped.dev/internal/endpointaddr" + "go.pinniped.dev/internal/oidc" "go.pinniped.dev/internal/oidc/downstreamsession" "go.pinniped.dev/internal/oidc/provider" "go.pinniped.dev/internal/plog" diff --git a/internal/upstreamldap/upstreamldap_test.go b/internal/upstreamldap/upstreamldap_test.go index 9a9ca782..892c9f25 100644 --- a/internal/upstreamldap/upstreamldap_test.go +++ b/internal/upstreamldap/upstreamldap_test.go 
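Review bot: In the first hunk of upstreamLDAPRefresh, `oldGroups` stays nil when `oidc.DownstreamGroupsScope` is not in `grantedScopes` and the function carries on; the code that compares old and refreshed groups is outside the hunk, so from here it cannot be confirmed that a nil `oldGroups` is treated as "groups not tracked for this session" rather than "the user has no groups", and the two must stay distinguishable. A one-line comment on `var oldGroups []string` would pin that contract: `// stays nil when the groups scope was not granted; downstream must not read nil as an empty group list`. In the second hunk, changing the missing-claim case from `return nil, nil` to `errMissingUpstreamSessionInternalError()` makes refresh fail closed when a session that granted the groups scope lacks the groups claim, which is the safer choice but also a behavior change for any such existing sessions; a comment above the check, e.g. `// the visible caller only asks for groups when the scope was granted, so a missing claim means a malformed session`, would record that intent. Both hunks sit inside functions whose bodies continue outside the hunk.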
@@ -174,6 +174,7 @@ func TestEndUserAuthentication(t *testing.T) { name string username string password string + grantedScopes []string providerConfig *ProviderConfig searchMocks func(conn *mockldapconn.MockConn) bindEndUserMocks func(conn *mockldapconn.MockConn) @@ -286,6 +287,25 @@ func TestEndUserAuthentication(t *testing.T) { info.Groups = []string{} }), }, + { + name: "when groups scope isn't granted, don't do group search", + username: testUpstreamUsername, + password: testUpstreamPassword, + grantedScopes: []string{}, + providerConfig: providerConfig(nil), + searchMocks: func(conn *mockldapconn.MockConn) { + conn.EXPECT().Bind(testBindUsername, testBindPassword).Times(1) + conn.EXPECT().Search(expectedUserSearch(nil)).Return(exampleUserSearchResult, nil).Times(1) + conn.EXPECT().Close().Times(1) + }, + bindEndUserMocks: func(conn *mockldapconn.MockConn) { + conn.EXPECT().Bind(testUserSearchResultDNValue, testUpstreamPassword).Times(1) + }, + wantAuthResponse: expectedAuthResponse(func(r *authenticators.Response) { + info := r.User.(*user.DefaultInfo) + info.Groups = nil + }), + }, { name: "when the UsernameAttribute is dn and there is a user search filter provided", username: testUpstreamUsername, @@ -1167,7 +1187,11 @@ func TestEndUserAuthentication(t *testing.T) { ldapProvider := New(*tt.providerConfig) - authResponse, authenticated, err := ldapProvider.AuthenticateUser(context.Background(), tt.username, tt.password, []string{"groups"}) + if tt.grantedScopes == nil { + tt.grantedScopes = []string{"groups"} + } + + authResponse, authenticated, err := ldapProvider.AuthenticateUser(context.Background(), tt.username, tt.password, tt.grantedScopes) require.Equal(t, !tt.wantToSkipDial, dialWasAttempted) switch { case tt.wantError != "": 
@@ -1199,7 +1223,7 @@ func TestEndUserAuthentication(t *testing.T) { } // Skip tt.bindEndUserMocks since DryRunAuthenticateUser() never binds as the end user. - authResponse, authenticated, err = ldapProvider.DryRunAuthenticateUser(context.Background(), tt.username, []string{"groups"}) + authResponse, authenticated, err = ldapProvider.DryRunAuthenticateUser(context.Background(), tt.username, tt.grantedScopes) require.Equal(t, !tt.wantToSkipDial, dialWasAttempted) switch { case tt.wantError != "": @@ -1331,6 +1355,7 @@ func TestUpstreamRefresh(t *testing.T) { tests := []struct { name string providerConfig *ProviderConfig + grantedScopes []string setupMocks func(conn *mockldapconn.MockConn) refreshUserDN string dialError error @@ -1465,6 +1490,17 @@ func TestUpstreamRefresh(t *testing.T) { }, wantGroups: nil, // do not update groups }, + { + name: "happy path where group search is configured but groups scope isn't included", + providerConfig: providerConfig(nil), + setupMocks: func(conn *mockldapconn.MockConn) { + conn.EXPECT().Bind(testBindUsername, testBindPassword).Times(1) + conn.EXPECT().Search(expectedUserSearch(nil)).Return(happyPathUserSearchResult, nil).Times(1) + conn.EXPECT().Close().Times(1) + }, + grantedScopes: []string{}, + wantGroups: nil, + }, { name: "error where dial fails", providerConfig: providerConfig(nil), @@ -1769,6 +1805,9 @@ func TestUpstreamRefresh(t *testing.T) { tt.refreshUserDN = testUserSearchResultDNValue // default for all tests } + if tt.grantedScopes == nil { + tt.grantedScopes = []string{"groups"} + } initialPwdLastSetEncoded := base64.RawURLEncoding.EncodeToString([]byte("132801740800000000")) ldapProvider := New(*tt.providerConfig) subject := "ldaps://ldap.example.com:8443?base=some-upstream-user-base-dn&sub=c29tZS11cHN0cmVhbS11aWQtdmFsdWU" 
@@ -1777,7 +1816,7 @@ func TestUpstreamRefresh(t *testing.T) { Subject: subject, DN: tt.refreshUserDN, AdditionalAttributes: map[string]string{pwdLastSetAttribute: initialPwdLastSetEncoded}, - GrantedScopes: []string{"groups"}, + GrantedScopes: tt.grantedScopes, }) if tt.wantErr != "" { require.Error(t, err) From 8adc1ce345f7b9b518f1c22a6b63c42e678b9ac7 Mon Sep 17 00:00:00 2001 From: Margo Crawford Date: Wed, 22 Jun 2022 16:16:32 -0700 Subject: [PATCH 26/61] Fix failing active directory integration test Signed-off-by: Margo Crawford --- test/integration/supervisor_warnings_test.go | 2 ++ 1 file changed, 2 insertions(+) diff --git a/test/integration/supervisor_warnings_test.go b/test/integration/supervisor_warnings_test.go index 27c58179..04f77b25 100644 --- a/test/integration/supervisor_warnings_test.go +++ b/test/integration/supervisor_warnings_test.go @@ -263,6 +263,7 @@ func TestSupervisorWarnings_Browser(t *testing.T) { "--concierge-authenticator-name", authenticator.Name, "--oidc-session-cache", sessionCachePath, "--credential-cache", credentialCachePath, + "--oidc-scopes", "offline_access,openid,pinniped:request-audience,groups", }) // Run "kubectl get namespaces" which should trigger a cli-based login. @@ -406,6 +407,7 @@ func TestSupervisorWarnings_Browser(t *testing.T) { "--oidc-skip-listen", "--oidc-ca-bundle", testCABundlePath, "--oidc-session-cache", sessionCachePath, + "--oidc-scopes", "offline_access,openid,pinniped:request-audience,groups", "--credential-cache", credentialCachePath, }) From f13c5e3f06271311e7cf273402184aaeb71c459f Mon Sep 17 00:00:00 2001 From: Monis Khan Date: Fri, 24 Jun 2022 09:56:44 -0400 Subject: [PATCH 27/61] Fix supervisor scheme comment Signed-off-by: Monis Khan --- internal/supervisor/scheme/scheme.go | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/internal/supervisor/scheme/scheme.go b/internal/supervisor/scheme/scheme.go index ad6f3aba..4200378c 100644 --- a/internal/supervisor/scheme/scheme.go 
+++ b/internal/supervisor/scheme/scheme.go @@ -1,8 +1,7 @@ // Copyright 2022 the Pinniped contributors. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 -// Package scheme contains code to construct a proper runtime.Scheme for the Concierge aggregated -// API. +// Package scheme contains code to construct a proper runtime.Scheme for the Supervisor aggregated API. package scheme import ( From 98b0b6b21cff5140a846746feaeb7e02b05920af Mon Sep 17 00:00:00 2001 From: Margo Crawford Date: Fri, 24 Jun 2022 08:09:32 -0700 Subject: [PATCH 28/61] One line fix to the supervisor warnings test Make the scopes in the cache key include the new groups scope Signed-off-by: Margo Crawford --- test/integration/supervisor_warnings_test.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/integration/supervisor_warnings_test.go b/test/integration/supervisor_warnings_test.go index 04f77b25..3fdfffb9 100644 --- a/test/integration/supervisor_warnings_test.go +++ b/test/integration/supervisor_warnings_test.go @@ -485,7 +485,7 @@ func TestSupervisorWarnings_Browser(t *testing.T) { })) // construct the cache key - downstreamScopes := []string{coreosoidc.ScopeOfflineAccess, coreosoidc.ScopeOpenID, "pinniped:request-audience"} + downstreamScopes := []string{coreosoidc.ScopeOfflineAccess, coreosoidc.ScopeOpenID, "pinniped:request-audience", "groups"} sort.Strings(downstreamScopes) sessionCacheKey := oidcclient.SessionCacheKey{ Issuer: downstream.Spec.Issuer, From 93939ccbd86ec7231ee3047d16373f95cd180faf Mon Sep 17 00:00:00 2001 
From: Ryan Richard Date: Wed, 6 Jul 2022 10:34:24 -0700 Subject: [PATCH 29/61] OIDCClient watcher controller updates based on PR feedback --- .../config/v1alpha1/types_oidcclient.go.tmpl | 9 +- ...g.supervisor.pinniped.dev_oidcclients.yaml | 12 +- generated/1.17/README.adoc | 7 +- .../config/v1alpha1/types_oidcclient.go | 9 +- ...g.supervisor.pinniped.dev_oidcclients.yaml | 12 +- generated/1.18/README.adoc | 7 +- .../config/v1alpha1/types_oidcclient.go | 9 +- ...g.supervisor.pinniped.dev_oidcclients.yaml | 12 +- generated/1.19/README.adoc | 7 +- .../config/v1alpha1/types_oidcclient.go | 9 +- ...g.supervisor.pinniped.dev_oidcclients.yaml | 12 +- generated/1.20/README.adoc | 7 +- .../config/v1alpha1/types_oidcclient.go | 9 +- ...g.supervisor.pinniped.dev_oidcclients.yaml | 12 +- generated/1.21/README.adoc | 7 +- .../config/v1alpha1/types_oidcclient.go | 9 +- ...g.supervisor.pinniped.dev_oidcclients.yaml | 12 +- generated/1.22/README.adoc | 7 +- .../config/v1alpha1/types_oidcclient.go | 9 +- ...g.supervisor.pinniped.dev_oidcclients.yaml | 12 +- generated/1.23/README.adoc | 7 +- .../config/v1alpha1/types_oidcclient.go | 9 +- ...g.supervisor.pinniped.dev_oidcclients.yaml | 12 +- generated/1.24/README.adoc | 7 +- .../config/v1alpha1/types_oidcclient.go | 9 +- ...g.supervisor.pinniped.dev_oidcclients.yaml | 12 +- .../config/v1alpha1/types_oidcclient.go | 9 +- .../oidcclientwatcher/oidc_client_watcher.go | 207 +++++++++------- .../oidc_client_watcher_test.go | 229 +++++++++++++++--- .../supervisor_oidc_client_test.go | 2 +- 30 files changed, 496 insertions(+), 196 deletions(-) diff --git a/apis/supervisor/config/v1alpha1/types_oidcclient.go.tmpl b/apis/supervisor/config/v1alpha1/types_oidcclient.go.tmpl index 1bc7399d..36d86de4 100644 --- a/apis/supervisor/config/v1alpha1/types_oidcclient.go.tmpl +++ b/apis/supervisor/config/v1alpha1/types_oidcclient.go.tmpl 
@@ -27,7 +27,7 @@ type GrantType string // +kubebuilder:validation:Enum="openid";"offline_access";"username";"groups";"pinniped:request-audience" type Scope string -// OIDCClientSpec is a struct that describes an OIDC Client. +// OIDCClientSpec is a struct that describes an OIDCClient. type OIDCClientSpec struct { // allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this // client. Any other uris will be rejected. @@ -75,17 +75,20 @@ type OIDCClientSpec struct { // OIDCClientStatus is a struct that describes the actual state of an OIDCClient. type OIDCClientStatus struct { - // Phase summarizes the overall status of the OIDCClient. + // phase summarizes the overall status of the OIDCClient. // +kubebuilder:default=Pending // +kubebuilder:validation:Enum=Pending;Ready;Error Phase OIDCClientPhase `json:"phase,omitempty"` - // Represents the observations of an OIDCClient's current state. + // conditions represent the observations of an OIDCClient's current state. // +patchMergeKey=type // +patchStrategy=merge // +listType=map // +listMapKey=type Conditions []Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"` + + // totalClientSecrets is the current number of client secrets that are detected for this OIDCClient. + TotalClientSecrets int `json:"totalClientSecrets"` } // OIDCClient describes the configuration of an OIDC client. diff --git a/deploy/supervisor/config.supervisor.pinniped.dev_oidcclients.yaml b/deploy/supervisor/config.supervisor.pinniped.dev_oidcclients.yaml index b5569275..c61e9c45 100644 --- a/deploy/supervisor/config.supervisor.pinniped.dev_oidcclients.yaml +++ b/deploy/supervisor/config.supervisor.pinniped.dev_oidcclients.yaml 
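Review bot: The new `TotalClientSecrets` field is the only status field whose tag lacks `omitempty`, which together with the `required: - totalClientSecrets` entry in the companion CRD YAML means any status write that omits the field is rejected by the API server; Go clients always serialize the zero value, but a hand-written or partial status update must supply it, and any OIDCClient objects whose status predates this field could fail validation on their next update. If the field is meant to be required, a sentence in the doc comment saying so, e.g. `// This field is always present; 0 means no client secrets were found for this OIDCClient.`, makes the contract explicit; otherwise adding `omitempty` and dropping the required marker is the lower-risk choice. The doc comment should also say which Secrets are counted, since the selection rule lives in the watcher controller outside this hunk. The same change is replicated in the generated copies and CRD YAMLs that follow (deploy/supervisor and generated/1.17 through 1.22), which are regenerated from this template.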
@@ -117,8 +117,8 @@ spec: description: Status of the OIDC client. properties: conditions: - description: Represents the observations of an OIDCClient's current - state. + description: conditions represent the observations of an OIDCClient's + current state. items: description: Condition status of a resource (mirrored from the metav1.Condition type added in Kubernetes 1.19). In a future API version we can @@ -185,12 +185,18 @@ spec: x-kubernetes-list-type: map phase: default: Pending - description: Phase summarizes the overall status of the OIDCClient. + description: phase summarizes the overall status of the OIDCClient. enum: - Pending - Ready - Error type: string + totalClientSecrets: + description: totalClientSecrets is the current number of client secrets + that are detected for this OIDCClient. + type: integer + required: + - totalClientSecrets type: object required: - spec diff --git a/generated/1.17/README.adoc b/generated/1.17/README.adoc index 2b29fc45..62ea1f8e 100644 --- a/generated/1.17/README.adoc +++ b/generated/1.17/README.adoc @@ -724,7 +724,7 @@ OIDCClient describes the configuration of an OIDC client. [id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-config-v1alpha1-oidcclientspec"] ==== OIDCClientSpec -OIDCClientSpec is a struct that describes an OIDC Client. +OIDCClientSpec is a struct that describes an OIDCClient. .Appears In: **** 
@@ -755,8 +755,9 @@ OIDCClientStatus is a struct that describes the actual state of an OIDCClient. [cols="25a,75a", options="header"] |=== | Field | Description -| *`phase`* __OIDCClientPhase__ | Phase summarizes the overall status of the OIDCClient. -| *`conditions`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-config-v1alpha1-condition[$$Condition$$] array__ | Represents the observations of an OIDCClient's current state. +| *`phase`* __OIDCClientPhase__ | phase summarizes the overall status of the OIDCClient. +| *`conditions`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-config-v1alpha1-condition[$$Condition$$] array__ | conditions represent the observations of an OIDCClient's current state. +| *`totalClientSecrets`* __integer__ | totalClientSecrets is the current number of client secrets that are detected for this OIDCClient. |=== diff --git a/generated/1.17/apis/supervisor/config/v1alpha1/types_oidcclient.go b/generated/1.17/apis/supervisor/config/v1alpha1/types_oidcclient.go index 1bc7399d..36d86de4 100644 --- a/generated/1.17/apis/supervisor/config/v1alpha1/types_oidcclient.go +++ b/generated/1.17/apis/supervisor/config/v1alpha1/types_oidcclient.go @@ -27,7 +27,7 @@ type GrantType string // +kubebuilder:validation:Enum="openid";"offline_access";"username";"groups";"pinniped:request-audience" type Scope string -// OIDCClientSpec is a struct that describes an OIDC Client. +// OIDCClientSpec is a struct that describes an OIDCClient. type OIDCClientSpec struct { // allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this // client. Any other uris will be rejected. 
@@ -75,17 +75,20 @@ type OIDCClientSpec struct { // OIDCClientStatus is a struct that describes the actual state of an OIDCClient. type OIDCClientStatus struct { - // Phase summarizes the overall status of the OIDCClient. + // phase summarizes the overall status of the OIDCClient. // +kubebuilder:default=Pending // +kubebuilder:validation:Enum=Pending;Ready;Error Phase OIDCClientPhase `json:"phase,omitempty"` - // Represents the observations of an OIDCClient's current state. + // conditions represent the observations of an OIDCClient's current state. // +patchMergeKey=type // +patchStrategy=merge // +listType=map // +listMapKey=type Conditions []Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"` + + // totalClientSecrets is the current number of client secrets that are detected for this OIDCClient. + TotalClientSecrets int `json:"totalClientSecrets"` } // OIDCClient describes the configuration of an OIDC client. diff --git a/generated/1.17/crds/config.supervisor.pinniped.dev_oidcclients.yaml b/generated/1.17/crds/config.supervisor.pinniped.dev_oidcclients.yaml index b5569275..c61e9c45 100644 --- a/generated/1.17/crds/config.supervisor.pinniped.dev_oidcclients.yaml +++ b/generated/1.17/crds/config.supervisor.pinniped.dev_oidcclients.yaml @@ -117,8 +117,8 @@ spec: description: Status of the OIDC client. properties: conditions: - description: Represents the observations of an OIDCClient's current - state. + description: conditions represent the observations of an OIDCClient's + current state. items: description: Condition status of a resource (mirrored from the metav1.Condition type added in Kubernetes 1.19). In a future API version we can 
@@ -185,12 +185,18 @@ spec: x-kubernetes-list-type: map phase: default: Pending - description: Phase summarizes the overall status of the OIDCClient. + description: phase summarizes the overall status of the OIDCClient. enum: - Pending - Ready - Error type: string + totalClientSecrets: + description: totalClientSecrets is the current number of client secrets + that are detected for this OIDCClient. + type: integer + required: + - totalClientSecrets type: object required: - spec diff --git a/generated/1.18/README.adoc b/generated/1.18/README.adoc index e2fb5b80..1d705d41 100644 --- a/generated/1.18/README.adoc +++ b/generated/1.18/README.adoc @@ -724,7 +724,7 @@ OIDCClient describes the configuration of an OIDC client. [id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-config-v1alpha1-oidcclientspec"] ==== OIDCClientSpec -OIDCClientSpec is a struct that describes an OIDC Client. +OIDCClientSpec is a struct that describes an OIDCClient. .Appears In: **** @@ -755,8 +755,9 @@ OIDCClientStatus is a struct that describes the actual state of an OIDCClient. [cols="25a,75a", options="header"] |=== | Field | Description -| *`phase`* __OIDCClientPhase__ | Phase summarizes the overall status of the OIDCClient. -| *`conditions`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-config-v1alpha1-condition[$$Condition$$] array__ | Represents the observations of an OIDCClient's current state. +| *`phase`* __OIDCClientPhase__ | phase summarizes the overall status of the OIDCClient. +| *`conditions`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-config-v1alpha1-condition[$$Condition$$] array__ | conditions represent the observations of an OIDCClient's current state. +| *`totalClientSecrets`* __integer__ | totalClientSecrets is the current number of client secrets that are detected for this OIDCClient. |=== 
diff --git a/generated/1.18/apis/supervisor/config/v1alpha1/types_oidcclient.go b/generated/1.18/apis/supervisor/config/v1alpha1/types_oidcclient.go index 1bc7399d..36d86de4 100644 --- a/generated/1.18/apis/supervisor/config/v1alpha1/types_oidcclient.go +++ b/generated/1.18/apis/supervisor/config/v1alpha1/types_oidcclient.go @@ -27,7 +27,7 @@ type GrantType string // +kubebuilder:validation:Enum="openid";"offline_access";"username";"groups";"pinniped:request-audience" type Scope string -// OIDCClientSpec is a struct that describes an OIDC Client. +// OIDCClientSpec is a struct that describes an OIDCClient. type OIDCClientSpec struct { // allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this // client. Any other uris will be rejected. @@ -75,17 +75,20 @@ type OIDCClientSpec struct { // OIDCClientStatus is a struct that describes the actual state of an OIDCClient. type OIDCClientStatus struct { - // Phase summarizes the overall status of the OIDCClient. + // phase summarizes the overall status of the OIDCClient. // +kubebuilder:default=Pending // +kubebuilder:validation:Enum=Pending;Ready;Error Phase OIDCClientPhase `json:"phase,omitempty"` - // Represents the observations of an OIDCClient's current state. + // conditions represent the observations of an OIDCClient's current state. // +patchMergeKey=type // +patchStrategy=merge // +listType=map // +listMapKey=type Conditions []Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"` + + // totalClientSecrets is the current number of client secrets that are detected for this OIDCClient. + TotalClientSecrets int `json:"totalClientSecrets"` } // OIDCClient describes the configuration of an OIDC client. diff --git a/generated/1.18/crds/config.supervisor.pinniped.dev_oidcclients.yaml b/generated/1.18/crds/config.supervisor.pinniped.dev_oidcclients.yaml index b5569275..c61e9c45 100644 
--- a/generated/1.18/crds/config.supervisor.pinniped.dev_oidcclients.yaml +++ b/generated/1.18/crds/config.supervisor.pinniped.dev_oidcclients.yaml @@ -117,8 +117,8 @@ spec: description: Status of the OIDC client. properties: conditions: - description: Represents the observations of an OIDCClient's current - state. + description: conditions represent the observations of an OIDCClient's + current state. items: description: Condition status of a resource (mirrored from the metav1.Condition type added in Kubernetes 1.19). In a future API version we can @@ -185,12 +185,18 @@ spec: x-kubernetes-list-type: map phase: default: Pending - description: Phase summarizes the overall status of the OIDCClient. + description: phase summarizes the overall status of the OIDCClient. enum: - Pending - Ready - Error type: string + totalClientSecrets: + description: totalClientSecrets is the current number of client secrets + that are detected for this OIDCClient. + type: integer + required: + - totalClientSecrets type: object required: - spec diff --git a/generated/1.19/README.adoc b/generated/1.19/README.adoc index 337689da..dee1f150 100644 --- a/generated/1.19/README.adoc +++ b/generated/1.19/README.adoc @@ -724,7 +724,7 @@ OIDCClient describes the configuration of an OIDC client. [id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-config-v1alpha1-oidcclientspec"] ==== OIDCClientSpec -OIDCClientSpec is a struct that describes an OIDC Client. +OIDCClientSpec is a struct that describes an OIDCClient. .Appears In: **** 
@@ -755,8 +755,9 @@ OIDCClientStatus is a struct that describes the actual state of an OIDCClient. [cols="25a,75a", options="header"] |=== | Field | Description -| *`phase`* __OIDCClientPhase__ | Phase summarizes the overall status of the OIDCClient. -| *`conditions`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-config-v1alpha1-condition[$$Condition$$] array__ | Represents the observations of an OIDCClient's current state. +| *`phase`* __OIDCClientPhase__ | phase summarizes the overall status of the OIDCClient. +| *`conditions`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-config-v1alpha1-condition[$$Condition$$] array__ | conditions represent the observations of an OIDCClient's current state. +| *`totalClientSecrets`* __integer__ | totalClientSecrets is the current number of client secrets that are detected for this OIDCClient. |=== diff --git a/generated/1.19/apis/supervisor/config/v1alpha1/types_oidcclient.go b/generated/1.19/apis/supervisor/config/v1alpha1/types_oidcclient.go index 1bc7399d..36d86de4 100644 --- a/generated/1.19/apis/supervisor/config/v1alpha1/types_oidcclient.go +++ b/generated/1.19/apis/supervisor/config/v1alpha1/types_oidcclient.go @@ -27,7 +27,7 @@ type GrantType string // +kubebuilder:validation:Enum="openid";"offline_access";"username";"groups";"pinniped:request-audience" type Scope string -// OIDCClientSpec is a struct that describes an OIDC Client. +// OIDCClientSpec is a struct that describes an OIDCClient. type OIDCClientSpec struct { // allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this // client. Any other uris will be rejected. 
@@ -75,17 +75,20 @@ type OIDCClientSpec struct { // OIDCClientStatus is a struct that describes the actual state of an OIDCClient. type OIDCClientStatus struct { - // Phase summarizes the overall status of the OIDCClient. + // phase summarizes the overall status of the OIDCClient. // +kubebuilder:default=Pending // +kubebuilder:validation:Enum=Pending;Ready;Error Phase OIDCClientPhase `json:"phase,omitempty"` - // Represents the observations of an OIDCClient's current state. + // conditions represent the observations of an OIDCClient's current state. // +patchMergeKey=type // +patchStrategy=merge // +listType=map // +listMapKey=type Conditions []Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"` + + // totalClientSecrets is the current number of client secrets that are detected for this OIDCClient. + TotalClientSecrets int `json:"totalClientSecrets"` } // OIDCClient describes the configuration of an OIDC client. diff --git a/generated/1.19/crds/config.supervisor.pinniped.dev_oidcclients.yaml b/generated/1.19/crds/config.supervisor.pinniped.dev_oidcclients.yaml index b5569275..c61e9c45 100644 --- a/generated/1.19/crds/config.supervisor.pinniped.dev_oidcclients.yaml +++ b/generated/1.19/crds/config.supervisor.pinniped.dev_oidcclients.yaml @@ -117,8 +117,8 @@ spec: description: Status of the OIDC client. properties: conditions: - description: Represents the observations of an OIDCClient's current - state. + description: conditions represent the observations of an OIDCClient's + current state. items: description: Condition status of a resource (mirrored from the metav1.Condition type added in Kubernetes 1.19). In a future API version we can 
@@ -185,12 +185,18 @@ spec: x-kubernetes-list-type: map phase: default: Pending - description: Phase summarizes the overall status of the OIDCClient. + description: phase summarizes the overall status of the OIDCClient. enum: - Pending - Ready - Error type: string + totalClientSecrets: + description: totalClientSecrets is the current number of client secrets + that are detected for this OIDCClient. + type: integer + required: + - totalClientSecrets type: object required: - spec diff --git a/generated/1.20/README.adoc b/generated/1.20/README.adoc index 493e4ba2..e70a070d 100644 --- a/generated/1.20/README.adoc +++ b/generated/1.20/README.adoc @@ -724,7 +724,7 @@ OIDCClient describes the configuration of an OIDC client. [id="{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-supervisor-config-v1alpha1-oidcclientspec"] ==== OIDCClientSpec -OIDCClientSpec is a struct that describes an OIDC Client. +OIDCClientSpec is a struct that describes an OIDCClient. .Appears In: **** @@ -755,8 +755,9 @@ OIDCClientStatus is a struct that describes the actual state of an OIDCClient. [cols="25a,75a", options="header"] |=== | Field | Description -| *`phase`* __OIDCClientPhase__ | Phase summarizes the overall status of the OIDCClient. -| *`conditions`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-supervisor-config-v1alpha1-condition[$$Condition$$] array__ | Represents the observations of an OIDCClient's current state. +| *`phase`* __OIDCClientPhase__ | phase summarizes the overall status of the OIDCClient. +| *`conditions`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-supervisor-config-v1alpha1-condition[$$Condition$$] array__ | conditions represent the observations of an OIDCClient's current state. +| *`totalClientSecrets`* __integer__ | totalClientSecrets is the current number of client secrets that are detected for this OIDCClient. |=== 
diff --git a/generated/1.20/apis/supervisor/config/v1alpha1/types_oidcclient.go b/generated/1.20/apis/supervisor/config/v1alpha1/types_oidcclient.go index 1bc7399d..36d86de4 100644 --- a/generated/1.20/apis/supervisor/config/v1alpha1/types_oidcclient.go +++ b/generated/1.20/apis/supervisor/config/v1alpha1/types_oidcclient.go @@ -27,7 +27,7 @@ type GrantType string // +kubebuilder:validation:Enum="openid";"offline_access";"username";"groups";"pinniped:request-audience" type Scope string -// OIDCClientSpec is a struct that describes an OIDC Client. +// OIDCClientSpec is a struct that describes an OIDCClient. type OIDCClientSpec struct { // allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this // client. Any other uris will be rejected. @@ -75,17 +75,20 @@ type OIDCClientSpec struct { // OIDCClientStatus is a struct that describes the actual state of an OIDCClient. type OIDCClientStatus struct { - // Phase summarizes the overall status of the OIDCClient. + // phase summarizes the overall status of the OIDCClient. // +kubebuilder:default=Pending // +kubebuilder:validation:Enum=Pending;Ready;Error Phase OIDCClientPhase `json:"phase,omitempty"` - // Represents the observations of an OIDCClient's current state. + // conditions represent the observations of an OIDCClient's current state. // +patchMergeKey=type // +patchStrategy=merge // +listType=map // +listMapKey=type Conditions []Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"` + + // totalClientSecrets is the current number of client secrets that are detected for this OIDCClient. + TotalClientSecrets int `json:"totalClientSecrets"` } // OIDCClient describes the configuration of an OIDC client. diff --git a/generated/1.20/crds/config.supervisor.pinniped.dev_oidcclients.yaml b/generated/1.20/crds/config.supervisor.pinniped.dev_oidcclients.yaml index b5569275..c61e9c45 100644 
--- a/generated/1.20/crds/config.supervisor.pinniped.dev_oidcclients.yaml +++ b/generated/1.20/crds/config.supervisor.pinniped.dev_oidcclients.yaml @@ -117,8 +117,8 @@ spec: description: Status of the OIDC client. properties: conditions: - description: Represents the observations of an OIDCClient's current - state. + description: conditions represent the observations of an OIDCClient's + current state. items: description: Condition status of a resource (mirrored from the metav1.Condition type added in Kubernetes 1.19). In a future API version we can @@ -185,12 +185,18 @@ spec: x-kubernetes-list-type: map phase: default: Pending - description: Phase summarizes the overall status of the OIDCClient. + description: phase summarizes the overall status of the OIDCClient. enum: - Pending - Ready - Error type: string + totalClientSecrets: + description: totalClientSecrets is the current number of client secrets + that are detected for this OIDCClient. + type: integer + required: + - totalClientSecrets type: object required: - spec diff --git a/generated/1.21/README.adoc b/generated/1.21/README.adoc index 59be6db3..3d106f96 100644 --- a/generated/1.21/README.adoc +++ b/generated/1.21/README.adoc @@ -724,7 +724,7 @@ OIDCClient describes the configuration of an OIDC client. [id="{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-config-v1alpha1-oidcclientspec"] ==== OIDCClientSpec -OIDCClientSpec is a struct that describes an OIDC Client. +OIDCClientSpec is a struct that describes an OIDCClient. .Appears In: **** 
@@ -755,8 +755,9 @@ OIDCClientStatus is a struct that describes the actual state of an OIDCClient. [cols="25a,75a", options="header"] |=== | Field | Description -| *`phase`* __OIDCClientPhase__ | Phase summarizes the overall status of the OIDCClient. -| *`conditions`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-config-v1alpha1-condition[$$Condition$$] array__ | Represents the observations of an OIDCClient's current state. +| *`phase`* __OIDCClientPhase__ | phase summarizes the overall status of the OIDCClient. +| *`conditions`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-config-v1alpha1-condition[$$Condition$$] array__ | conditions represent the observations of an OIDCClient's current state. +| *`totalClientSecrets`* __integer__ | totalClientSecrets is the current number of client secrets that are detected for this OIDCClient. |=== diff --git a/generated/1.21/apis/supervisor/config/v1alpha1/types_oidcclient.go b/generated/1.21/apis/supervisor/config/v1alpha1/types_oidcclient.go index 1bc7399d..36d86de4 100644 --- a/generated/1.21/apis/supervisor/config/v1alpha1/types_oidcclient.go +++ b/generated/1.21/apis/supervisor/config/v1alpha1/types_oidcclient.go @@ -27,7 +27,7 @@ type GrantType string // +kubebuilder:validation:Enum="openid";"offline_access";"username";"groups";"pinniped:request-audience" type Scope string -// OIDCClientSpec is a struct that describes an OIDC Client. +// OIDCClientSpec is a struct that describes an OIDCClient. type OIDCClientSpec struct { // allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this // client. Any other uris will be rejected. 
@@ -75,17 +75,20 @@ type OIDCClientSpec struct { // OIDCClientStatus is a struct that describes the actual state of an OIDCClient. type OIDCClientStatus struct { - // Phase summarizes the overall status of the OIDCClient. + // phase summarizes the overall status of the OIDCClient. // +kubebuilder:default=Pending // +kubebuilder:validation:Enum=Pending;Ready;Error Phase OIDCClientPhase `json:"phase,omitempty"` - // Represents the observations of an OIDCClient's current state. + // conditions represent the observations of an OIDCClient's current state. // +patchMergeKey=type // +patchStrategy=merge // +listType=map // +listMapKey=type Conditions []Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"` + + // totalClientSecrets is the current number of client secrets that are detected for this OIDCClient. + TotalClientSecrets int `json:"totalClientSecrets"` } // OIDCClient describes the configuration of an OIDC client. diff --git a/generated/1.21/crds/config.supervisor.pinniped.dev_oidcclients.yaml b/generated/1.21/crds/config.supervisor.pinniped.dev_oidcclients.yaml index b5569275..c61e9c45 100644 --- a/generated/1.21/crds/config.supervisor.pinniped.dev_oidcclients.yaml +++ b/generated/1.21/crds/config.supervisor.pinniped.dev_oidcclients.yaml @@ -117,8 +117,8 @@ spec: description: Status of the OIDC client. properties: conditions: - description: Represents the observations of an OIDCClient's current - state. + description: conditions represent the observations of an OIDCClient's + current state. items: description: Condition status of a resource (mirrored from the metav1.Condition type added in Kubernetes 1.19). In a future API version we can 
@@ -185,12 +185,18 @@ spec: x-kubernetes-list-type: map phase: default: Pending - description: Phase summarizes the overall status of the OIDCClient. + description: phase summarizes the overall status of the OIDCClient. enum: - Pending - Ready - Error type: string + totalClientSecrets: + description: totalClientSecrets is the current number of client secrets + that are detected for this OIDCClient. + type: integer + required: + - totalClientSecrets type: object required: - spec diff --git a/generated/1.22/README.adoc b/generated/1.22/README.adoc index 7f4ace33..36a03dd1 100644 --- a/generated/1.22/README.adoc +++ b/generated/1.22/README.adoc @@ -724,7 +724,7 @@ OIDCClient describes the configuration of an OIDC client. [id="{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-config-v1alpha1-oidcclientspec"] ==== OIDCClientSpec -OIDCClientSpec is a struct that describes an OIDC Client. +OIDCClientSpec is a struct that describes an OIDCClient. .Appears In: **** @@ -755,8 +755,9 @@ OIDCClientStatus is a struct that describes the actual state of an OIDCClient. [cols="25a,75a", options="header"] |=== | Field | Description -| *`phase`* __OIDCClientPhase__ | Phase summarizes the overall status of the OIDCClient. -| *`conditions`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-config-v1alpha1-condition[$$Condition$$] array__ | Represents the observations of an OIDCClient's current state. +| *`phase`* __OIDCClientPhase__ | phase summarizes the overall status of the OIDCClient. +| *`conditions`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-config-v1alpha1-condition[$$Condition$$] array__ | conditions represent the observations of an OIDCClient's current state. +| *`totalClientSecrets`* __integer__ | totalClientSecrets is the current number of client secrets that are detected for this OIDCClient. |=== 
diff --git a/generated/1.22/apis/supervisor/config/v1alpha1/types_oidcclient.go b/generated/1.22/apis/supervisor/config/v1alpha1/types_oidcclient.go index 1bc7399d..36d86de4 100644 --- a/generated/1.22/apis/supervisor/config/v1alpha1/types_oidcclient.go +++ b/generated/1.22/apis/supervisor/config/v1alpha1/types_oidcclient.go @@ -27,7 +27,7 @@ type GrantType string // +kubebuilder:validation:Enum="openid";"offline_access";"username";"groups";"pinniped:request-audience" type Scope string -// OIDCClientSpec is a struct that describes an OIDC Client. +// OIDCClientSpec is a struct that describes an OIDCClient. type OIDCClientSpec struct { // allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this // client. Any other uris will be rejected. @@ -75,17 +75,20 @@ type OIDCClientSpec struct { // OIDCClientStatus is a struct that describes the actual state of an OIDCClient. type OIDCClientStatus struct { - // Phase summarizes the overall status of the OIDCClient. + // phase summarizes the overall status of the OIDCClient. // +kubebuilder:default=Pending // +kubebuilder:validation:Enum=Pending;Ready;Error Phase OIDCClientPhase `json:"phase,omitempty"` - // Represents the observations of an OIDCClient's current state. + // conditions represent the observations of an OIDCClient's current state. // +patchMergeKey=type // +patchStrategy=merge // +listType=map // +listMapKey=type Conditions []Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"` + + // totalClientSecrets is the current number of client secrets that are detected for this OIDCClient. + TotalClientSecrets int `json:"totalClientSecrets"` } // OIDCClient describes the configuration of an OIDC client. diff --git a/generated/1.22/crds/config.supervisor.pinniped.dev_oidcclients.yaml b/generated/1.22/crds/config.supervisor.pinniped.dev_oidcclients.yaml index b5569275..c61e9c45 100644 
--- a/generated/1.22/crds/config.supervisor.pinniped.dev_oidcclients.yaml +++ b/generated/1.22/crds/config.supervisor.pinniped.dev_oidcclients.yaml @@ -117,8 +117,8 @@ spec: description: Status of the OIDC client. properties: conditions: - description: Represents the observations of an OIDCClient's current - state. + description: conditions represent the observations of an OIDCClient's + current state. items: description: Condition status of a resource (mirrored from the metav1.Condition type added in Kubernetes 1.19). In a future API version we can @@ -185,12 +185,18 @@ spec: x-kubernetes-list-type: map phase: default: Pending - description: Phase summarizes the overall status of the OIDCClient. + description: phase summarizes the overall status of the OIDCClient. enum: - Pending - Ready - Error type: string + totalClientSecrets: + description: totalClientSecrets is the current number of client secrets + that are detected for this OIDCClient. + type: integer + required: + - totalClientSecrets type: object required: - spec diff --git a/generated/1.23/README.adoc b/generated/1.23/README.adoc index ad7d96a6..ca8875dc 100644 --- a/generated/1.23/README.adoc +++ b/generated/1.23/README.adoc @@ -724,7 +724,7 @@ OIDCClient describes the configuration of an OIDC client. [id="{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-config-v1alpha1-oidcclientspec"] ==== OIDCClientSpec -OIDCClientSpec is a struct that describes an OIDC Client. +OIDCClientSpec is a struct that describes an OIDCClient. .Appears In: **** 
@@ -755,8 +755,9 @@ OIDCClientStatus is a struct that describes the actual state of an OIDCClient. [cols="25a,75a", options="header"] |=== | Field | Description -| *`phase`* __OIDCClientPhase__ | Phase summarizes the overall status of the OIDCClient. -| *`conditions`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-config-v1alpha1-condition[$$Condition$$] array__ | Represents the observations of an OIDCClient's current state. +| *`phase`* __OIDCClientPhase__ | phase summarizes the overall status of the OIDCClient. +| *`conditions`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-config-v1alpha1-condition[$$Condition$$] array__ | conditions represent the observations of an OIDCClient's current state. +| *`totalClientSecrets`* __integer__ | totalClientSecrets is the current number of client secrets that are detected for this OIDCClient. |=== diff --git a/generated/1.23/apis/supervisor/config/v1alpha1/types_oidcclient.go b/generated/1.23/apis/supervisor/config/v1alpha1/types_oidcclient.go index 1bc7399d..36d86de4 100644 --- a/generated/1.23/apis/supervisor/config/v1alpha1/types_oidcclient.go +++ b/generated/1.23/apis/supervisor/config/v1alpha1/types_oidcclient.go @@ -27,7 +27,7 @@ type GrantType string // +kubebuilder:validation:Enum="openid";"offline_access";"username";"groups";"pinniped:request-audience" type Scope string -// OIDCClientSpec is a struct that describes an OIDC Client. +// OIDCClientSpec is a struct that describes an OIDCClient. type OIDCClientSpec struct { // allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this // client. Any other uris will be rejected. 
@@ -75,17 +75,20 @@ type OIDCClientSpec struct { // OIDCClientStatus is a struct that describes the actual state of an OIDCClient. type OIDCClientStatus struct { - // Phase summarizes the overall status of the OIDCClient. + // phase summarizes the overall status of the OIDCClient. // +kubebuilder:default=Pending // +kubebuilder:validation:Enum=Pending;Ready;Error Phase OIDCClientPhase `json:"phase,omitempty"` - // Represents the observations of an OIDCClient's current state. + // conditions represent the observations of an OIDCClient's current state. // +patchMergeKey=type // +patchStrategy=merge // +listType=map // +listMapKey=type Conditions []Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"` + + // totalClientSecrets is the current number of client secrets that are detected for this OIDCClient. + TotalClientSecrets int `json:"totalClientSecrets"` } // OIDCClient describes the configuration of an OIDC client. diff --git a/generated/1.23/crds/config.supervisor.pinniped.dev_oidcclients.yaml b/generated/1.23/crds/config.supervisor.pinniped.dev_oidcclients.yaml index b5569275..c61e9c45 100644 --- a/generated/1.23/crds/config.supervisor.pinniped.dev_oidcclients.yaml +++ b/generated/1.23/crds/config.supervisor.pinniped.dev_oidcclients.yaml @@ -117,8 +117,8 @@ spec: description: Status of the OIDC client. properties: conditions: - description: Represents the observations of an OIDCClient's current - state. + description: conditions represent the observations of an OIDCClient's + current state. items: description: Condition status of a resource (mirrored from the metav1.Condition type added in Kubernetes 1.19). In a future API version we can 
@@ -185,12 +185,18 @@ spec: x-kubernetes-list-type: map phase: default: Pending - description: Phase summarizes the overall status of the OIDCClient. + description: phase summarizes the overall status of the OIDCClient. enum: - Pending - Ready - Error type: string + totalClientSecrets: + description: totalClientSecrets is the current number of client secrets + that are detected for this OIDCClient. + type: integer + required: + - totalClientSecrets type: object required: - spec diff --git a/generated/1.24/README.adoc b/generated/1.24/README.adoc index 9a7ab440..73328c0e 100644 --- a/generated/1.24/README.adoc +++ b/generated/1.24/README.adoc @@ -724,7 +724,7 @@ OIDCClient describes the configuration of an OIDC client. [id="{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-config-v1alpha1-oidcclientspec"] ==== OIDCClientSpec -OIDCClientSpec is a struct that describes an OIDC Client. +OIDCClientSpec is a struct that describes an OIDCClient. .Appears In: **** @@ -755,8 +755,9 @@ OIDCClientStatus is a struct that describes the actual state of an OIDCClient. [cols="25a,75a", options="header"] |=== | Field | Description -| *`phase`* __OIDCClientPhase__ | Phase summarizes the overall status of the OIDCClient. -| *`conditions`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-config-v1alpha1-condition[$$Condition$$] array__ | Represents the observations of an OIDCClient's current state. +| *`phase`* __OIDCClientPhase__ | phase summarizes the overall status of the OIDCClient. +| *`conditions`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-config-v1alpha1-condition[$$Condition$$] array__ | conditions represent the observations of an OIDCClient's current state. +| *`totalClientSecrets`* __integer__ | totalClientSecrets is the current number of client secrets that are detected for this OIDCClient. |=== 
diff --git a/generated/1.24/apis/supervisor/config/v1alpha1/types_oidcclient.go b/generated/1.24/apis/supervisor/config/v1alpha1/types_oidcclient.go index 1bc7399d..36d86de4 100644 --- a/generated/1.24/apis/supervisor/config/v1alpha1/types_oidcclient.go +++ b/generated/1.24/apis/supervisor/config/v1alpha1/types_oidcclient.go @@ -27,7 +27,7 @@ type GrantType string // +kubebuilder:validation:Enum="openid";"offline_access";"username";"groups";"pinniped:request-audience" type Scope string -// OIDCClientSpec is a struct that describes an OIDC Client. +// OIDCClientSpec is a struct that describes an OIDCClient. type OIDCClientSpec struct { // allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this // client. Any other uris will be rejected. @@ -75,17 +75,20 @@ type OIDCClientSpec struct { // OIDCClientStatus is a struct that describes the actual state of an OIDCClient. type OIDCClientStatus struct { - // Phase summarizes the overall status of the OIDCClient. + // phase summarizes the overall status of the OIDCClient. // +kubebuilder:default=Pending // +kubebuilder:validation:Enum=Pending;Ready;Error Phase OIDCClientPhase `json:"phase,omitempty"` - // Represents the observations of an OIDCClient's current state. + // conditions represent the observations of an OIDCClient's current state. // +patchMergeKey=type // +patchStrategy=merge // +listType=map // +listMapKey=type Conditions []Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"` + + // totalClientSecrets is the current number of client secrets that are detected for this OIDCClient. + TotalClientSecrets int `json:"totalClientSecrets"` } // OIDCClient describes the configuration of an OIDC client. diff --git a/generated/1.24/crds/config.supervisor.pinniped.dev_oidcclients.yaml b/generated/1.24/crds/config.supervisor.pinniped.dev_oidcclients.yaml index b5569275..c61e9c45 100644 
--- a/generated/1.24/crds/config.supervisor.pinniped.dev_oidcclients.yaml +++ b/generated/1.24/crds/config.supervisor.pinniped.dev_oidcclients.yaml @@ -117,8 +117,8 @@ spec: description: Status of the OIDC client. properties: conditions: - description: Represents the observations of an OIDCClient's current - state. + description: conditions represent the observations of an OIDCClient's + current state. items: description: Condition status of a resource (mirrored from the metav1.Condition type added in Kubernetes 1.19). In a future API version we can @@ -185,12 +185,18 @@ spec: x-kubernetes-list-type: map phase: default: Pending - description: Phase summarizes the overall status of the OIDCClient. + description: phase summarizes the overall status of the OIDCClient. enum: - Pending - Ready - Error type: string + totalClientSecrets: + description: totalClientSecrets is the current number of client secrets + that are detected for this OIDCClient. + type: integer + required: + - totalClientSecrets type: object required: - spec diff --git a/generated/latest/apis/supervisor/config/v1alpha1/types_oidcclient.go b/generated/latest/apis/supervisor/config/v1alpha1/types_oidcclient.go index 1bc7399d..36d86de4 100644 --- a/generated/latest/apis/supervisor/config/v1alpha1/types_oidcclient.go +++ b/generated/latest/apis/supervisor/config/v1alpha1/types_oidcclient.go @@ -27,7 +27,7 @@ type GrantType string // +kubebuilder:validation:Enum="openid";"offline_access";"username";"groups";"pinniped:request-audience" type Scope string -// OIDCClientSpec is a struct that describes an OIDC Client. +// OIDCClientSpec is a struct that describes an OIDCClient. type OIDCClientSpec struct { // allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this // client. Any other uris will be rejected. 
@@ -75,17 +75,20 @@ type OIDCClientSpec struct { // OIDCClientStatus is a struct that describes the actual state of an OIDCClient. type OIDCClientStatus struct { - // Phase summarizes the overall status of the OIDCClient. + // phase summarizes the overall status of the OIDCClient. // +kubebuilder:default=Pending // +kubebuilder:validation:Enum=Pending;Ready;Error Phase OIDCClientPhase `json:"phase,omitempty"` - // Represents the observations of an OIDCClient's current state. + // conditions represent the observations of an OIDCClient's current state. // +patchMergeKey=type // +patchStrategy=merge // +listType=map // +listMapKey=type Conditions []Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"` + + // totalClientSecrets is the current number of client secrets that are detected for this OIDCClient. + TotalClientSecrets int `json:"totalClientSecrets"` } // OIDCClient describes the configuration of an OIDC client. diff --git a/internal/controller/supervisorconfig/oidcclientwatcher/oidc_client_watcher.go b/internal/controller/supervisorconfig/oidcclientwatcher/oidc_client_watcher.go index 600f7420..34d82941 100644 --- a/internal/controller/supervisorconfig/oidcclientwatcher/oidc_client_watcher.go +++ b/internal/controller/supervisorconfig/oidcclientwatcher/oidc_client_watcher.go @@ -6,7 +6,10 @@ package oidcclientwatcher import ( "context" "fmt" + "strings" + "github.com/coreos/go-oidc/v3/oidc" + "golang.org/x/crypto/bcrypt" v1 "k8s.io/api/core/v1" "k8s.io/apimachinery/pkg/api/equality" k8serrors "k8s.io/apimachinery/pkg/api/errors" 
@@ -29,16 +32,17 @@ const ( allowedGrantTypesValid = "AllowedGrantTypesValid" allowedScopesValid = "AllowedScopesValid" - reasonSuccess = "Success" - reasonMissingRequiredValue = "MissingRequiredValue" - reasonNoClientSecretFound = "NoClientSecretFound" + reasonSuccess = "Success" + reasonMissingRequiredValue = "MissingRequiredValue" + reasonNoClientSecretFound = "NoClientSecretFound" + reasonInvalidClientSecretFound = "InvalidClientSecretFound" authorizationCodeGrantTypeName = "authorization_code" refreshTokenGrantTypeName = "refresh_token" tokenExchangeGrantTypeName = "urn:ietf:params:oauth:grant-type:token-exchange" //nolint:gosec // this is not a credential - openidScopeName = "openid" - offlineAccessScopeName = "offline_access" + openidScopeName = oidc.ScopeOpenID + offlineAccessScopeName = oidc.ScopeOfflineAccess requestAudienceScopeName = "pinniped:request-audience" usernameScopeName = "username" groupsScopeName = "groups" @@ -46,7 +50,10 @@ const ( allowedGrantTypesFieldName = "allowedGrantTypes" allowedScopesFieldName = "allowedScopes" - secretTypeToObserve = "storage.pinniped.dev/oidc-client-secret" //nolint:gosec // this is not a credential + secretTypeToObserve = "storage.pinniped.dev/oidc-client-secret" //nolint:gosec // this is not a credential + oidcClientPrefixToObserve = "client.oauth.pinniped.dev-" //nolint:gosec // this is not a credential + + minimumRequiredBcryptCost = 15 ) type oidcClientWatcherController struct { @@ -81,7 +88,9 @@ func NewOIDCClientWatcherController( // We want to be notified when anything happens to an OIDCClient. withInformer( oidcClientInformer, - pinnipedcontroller.MatchAnythingFilter(pinnipedcontroller.SingletonQueue()), + pinnipedcontroller.SimpleFilterWithSingletonQueue(func(obj metav1.Object) bool { + return strings.HasPrefix(obj.GetName(), oidcClientPrefixToObserve) + }), controllerlib.InformerOption{}, ), ) 
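Review bot: `minimumRequiredBcryptCost = 15` in the `@@ -46,7 +50,10 @@` hunk has no comment, although it is the single value that decides whether a stored client secret hash is accepted or reported under the new `InvalidClientSecretFound` reason. A short note on what it couples to would help the next maintainer, e.g. `// minimumRequiredBcryptCost is the lowest bcrypt cost accepted for a stored client secret hash; it must not exceed the cost used wherever those hashes are written, or every client will be reported as invalid.` The code that writes those hashes is not in this diff, so that coupling is inferred from the check in validateSecret. The informer filter added in the `@@ -81,7 +88,9 @@` hunk applies the same name prefix that Sync re-checks later, which is fine as defence in depth but deserves a one-line comment saying the duplication is deliberate.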
@@ -101,6 +110,11 @@ func (c *oidcClientWatcherController) Sync(ctx controllerlib.Context) error { storage := oidcclientsecretstorage.New(nil, nil) for _, oidcClient := range oidcClients { + // Skip the OIDCClients that we are not trying to observe. + if !strings.HasPrefix(oidcClient.Name, oidcClientPrefixToObserve) { + continue + } + correspondingSecretName := storage.GetName(oidcClient.UID) secret, err := c.secretInformer.Lister().Secrets(oidcClient.Namespace).Get(correspondingSecretName) @@ -119,9 +133,9 @@ func (c *oidcClientWatcherController) Sync(ctx controllerlib.Context) error { secret = nil } - conditions := validateOIDCClient(oidcClient, secret) + conditions, totalClientSecrets := validateOIDCClient(oidcClient, secret) - if err := c.updateStatus(ctx.Context, oidcClient, conditions); err != nil { + if err := c.updateStatus(ctx.Context, oidcClient, conditions, totalClientSecrets); err != nil { return fmt.Errorf("cannot update OIDCClient '%s/%s': %w", oidcClient.Namespace, oidcClient.Name, err) } 
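Review bot: The prefix skip at the top of the Sync loop means an OIDCClient whose name lacks `client.oauth.pinniped.dev-` never receives conditions or a phase from this controller, so it stays at the CRD default of `Pending` with nothing in its status explaining why. The comment should say this is intended, e.g. `// Skip the OIDCClients that we are not trying to observe. They receive no conditions or phase from this controller, so their status stays untouched.` Since the informer filter already applies the same prefix, this branch is presumably only reached because the lister returns every object regardless of the queue filter; noting that would make the redundancy obvious. Sync continues outside the hunk.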
@@ -138,100 +152,94 @@ func (c *oidcClientWatcherController) Sync(ctx controllerlib.Context) error { // validateOIDCClient validates the OIDCClient and its corresponding client secret storage Secret. // When the corresponding client secret storage Secret was not found, pass nil to this function to -// get the validation error for that case. -func validateOIDCClient(oidcClient *v1alpha1.OIDCClient, secret *v1.Secret) []*v1alpha1.Condition { - c := validateSecret(secret, []*v1alpha1.Condition{}) +// get the validation error for that case. It returns a slice of conditions along with the number +// of client secrets found. +func validateOIDCClient(oidcClient *v1alpha1.OIDCClient, secret *v1.Secret) ([]*v1alpha1.Condition, int) { + c, totalClientSecrets := validateSecret(secret, make([]*v1alpha1.Condition, 0, 3)) c = validateAllowedGrantTypes(oidcClient, c) c = validateAllowedScopes(oidcClient, c) - return c + return c, totalClientSecrets } // validateAllowedScopes checks if allowedScopes is valid on the OIDCClient. 
func validateAllowedScopes(oidcClient *v1alpha1.OIDCClient, conditions []*v1alpha1.Condition) []*v1alpha1.Condition { - switch { - case !allowedScopesContains(oidcClient, openidScopeName): - conditions = append(conditions, &v1alpha1.Condition{ - Type: allowedScopesValid, - Status: v1alpha1.ConditionFalse, - Reason: reasonMissingRequiredValue, - Message: fmt.Sprintf("%q must always be included in %q", openidScopeName, allowedScopesFieldName), - }) - case allowedGrantTypesContains(oidcClient, refreshTokenGrantTypeName) && !allowedScopesContains(oidcClient, offlineAccessScopeName): - conditions = append(conditions, &v1alpha1.Condition{ - Type: allowedScopesValid, - Status: v1alpha1.ConditionFalse, - Reason: reasonMissingRequiredValue, - Message: fmt.Sprintf("%q must be included in %q when %q is included in %q", - offlineAccessScopeName, allowedScopesFieldName, refreshTokenGrantTypeName, allowedGrantTypesFieldName), - }) - case allowedScopesContains(oidcClient, requestAudienceScopeName) && - (!allowedScopesContains(oidcClient, usernameScopeName) || !allowedScopesContains(oidcClient, groupsScopeName)): - conditions = append(conditions, &v1alpha1.Condition{ - Type: allowedScopesValid, - Status: v1alpha1.ConditionFalse, - Reason: reasonMissingRequiredValue, - Message: fmt.Sprintf("%q and %q must be included in %q when %q is included in %q", - usernameScopeName, groupsScopeName, allowedScopesFieldName, requestAudienceScopeName, allowedScopesFieldName), - }) - case allowedGrantTypesContains(oidcClient, tokenExchangeGrantTypeName) && !allowedScopesContains(oidcClient, requestAudienceScopeName): - conditions = append(conditions, &v1alpha1.Condition{ - Type: allowedScopesValid, - Status: v1alpha1.ConditionFalse, - Reason: reasonMissingRequiredValue, - Message: fmt.Sprintf("%q must be included in %q when %q is included in %q", - requestAudienceScopeName, allowedScopesFieldName, tokenExchangeGrantTypeName, allowedGrantTypesFieldName), - }) - default: + m := make([]string, 0, 4) 
+ + if !allowedScopesContains(oidcClient, openidScopeName) { + m = append(m, fmt.Sprintf("%q must always be included in %q", openidScopeName, allowedScopesFieldName)) + } + if allowedGrantTypesContains(oidcClient, refreshTokenGrantTypeName) && !allowedScopesContains(oidcClient, offlineAccessScopeName) { + m = append(m, fmt.Sprintf("%q must be included in %q when %q is included in %q", + offlineAccessScopeName, allowedScopesFieldName, refreshTokenGrantTypeName, allowedGrantTypesFieldName)) + } + if allowedScopesContains(oidcClient, requestAudienceScopeName) && + (!allowedScopesContains(oidcClient, usernameScopeName) || !allowedScopesContains(oidcClient, groupsScopeName)) { + m = append(m, fmt.Sprintf("%q and %q must be included in %q when %q is included in %q", + usernameScopeName, groupsScopeName, allowedScopesFieldName, requestAudienceScopeName, allowedScopesFieldName)) + } + if allowedGrantTypesContains(oidcClient, tokenExchangeGrantTypeName) && !allowedScopesContains(oidcClient, requestAudienceScopeName) { + m = append(m, fmt.Sprintf("%q must be included in %q when %q is included in %q", + requestAudienceScopeName, allowedScopesFieldName, tokenExchangeGrantTypeName, allowedGrantTypesFieldName)) + } + + if len(m) == 0 { conditions = append(conditions, &v1alpha1.Condition{ Type: allowedScopesValid, Status: v1alpha1.ConditionTrue, Reason: reasonSuccess, Message: fmt.Sprintf("%q is valid", allowedScopesFieldName), }) + } else { + conditions = append(conditions, &v1alpha1.Condition{ + Type: allowedScopesValid, + Status: v1alpha1.ConditionFalse, + Reason: reasonMissingRequiredValue, + Message: strings.Join(m, "; "), + }) } + return conditions } // validateAllowedGrantTypes checks if allowedGrantTypes is valid on the OIDCClient. 
func validateAllowedGrantTypes(oidcClient *v1alpha1.OIDCClient, conditions []*v1alpha1.Condition) []*v1alpha1.Condition { - switch { - case !allowedGrantTypesContains(oidcClient, authorizationCodeGrantTypeName): - conditions = append(conditions, &v1alpha1.Condition{ - Type: allowedGrantTypesValid, - Status: v1alpha1.ConditionFalse, - Reason: reasonMissingRequiredValue, - Message: fmt.Sprintf("%q must always be included in %q", - authorizationCodeGrantTypeName, allowedGrantTypesFieldName), - }) - case allowedScopesContains(oidcClient, offlineAccessScopeName) && !allowedGrantTypesContains(oidcClient, refreshTokenGrantTypeName): - conditions = append(conditions, &v1alpha1.Condition{ - Type: allowedGrantTypesValid, - Status: v1alpha1.ConditionFalse, - Reason: reasonMissingRequiredValue, - Message: fmt.Sprintf("%q must be included in %q when %q is included in %q", - refreshTokenGrantTypeName, allowedGrantTypesFieldName, offlineAccessScopeName, allowedScopesFieldName), - }) - case allowedScopesContains(oidcClient, requestAudienceScopeName) && !allowedGrantTypesContains(oidcClient, tokenExchangeGrantTypeName): - conditions = append(conditions, &v1alpha1.Condition{ - Type: allowedGrantTypesValid, - Status: v1alpha1.ConditionFalse, - Reason: reasonMissingRequiredValue, - Message: fmt.Sprintf("%q must be included in %q when %q is included in %q", - tokenExchangeGrantTypeName, allowedGrantTypesFieldName, requestAudienceScopeName, allowedScopesFieldName), - }) - default: + m := make([]string, 0, 3) + + if !allowedGrantTypesContains(oidcClient, authorizationCodeGrantTypeName) { + m = append(m, fmt.Sprintf("%q must always be included in %q", + authorizationCodeGrantTypeName, allowedGrantTypesFieldName)) + } + if allowedScopesContains(oidcClient, offlineAccessScopeName) && !allowedGrantTypesContains(oidcClient, refreshTokenGrantTypeName) { + m = append(m, fmt.Sprintf("%q must be included in %q when %q is included in %q", + refreshTokenGrantTypeName, allowedGrantTypesFieldName, 
offlineAccessScopeName, allowedScopesFieldName)) + } + if allowedScopesContains(oidcClient, requestAudienceScopeName) && !allowedGrantTypesContains(oidcClient, tokenExchangeGrantTypeName) { + m = append(m, fmt.Sprintf("%q must be included in %q when %q is included in %q", + tokenExchangeGrantTypeName, allowedGrantTypesFieldName, requestAudienceScopeName, allowedScopesFieldName)) + } + + if len(m) == 0 { conditions = append(conditions, &v1alpha1.Condition{ Type: allowedGrantTypesValid, Status: v1alpha1.ConditionTrue, Reason: reasonSuccess, Message: fmt.Sprintf("%q is valid", allowedGrantTypesFieldName), }) + } else { + conditions = append(conditions, &v1alpha1.Condition{ + Type: allowedGrantTypesValid, + Status: v1alpha1.ConditionFalse, + Reason: reasonMissingRequiredValue, + Message: strings.Join(m, "; "), + }) } + return conditions } // validateSecret checks if the client secret storage Secret is valid and contains at least one client secret. -func validateSecret(secret *v1.Secret, conditions []*v1alpha1.Condition) []*v1alpha1.Condition { +// It returns the updated conditions slice along with the number of client secrets found. +func validateSecret(secret *v1.Secret, conditions []*v1alpha1.Condition) ([]*v1alpha1.Condition, int) { if secret == nil { // Invalid: no storage Secret found. conditions = append(conditions, &v1alpha1.Condition{ @@ -240,7 +248,7 @@ func validateSecret(secret *v1.Secret, conditions []*v1alpha1.Condition) []*v1al Reason: reasonNoClientSecretFound, Message: "no client secret found (no Secret storage found)", }) - return conditions + return conditions, 0 } storedClientSecret, err := oidcclientsecretstorage.ReadFromSecret(secret) 
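Review bot: validateAllowedScopes and validateAllowedGrantTypes now end with the same twelve-line success/failure block that differs only in the condition type and field name, so the two functions can drift apart on the next edit (for instance if one of them later needs a different reason). Extracting that tail into a small helper keeps the checks in each function limited to building the `m` list and makes the "all problems joined with `; `" behaviour live in one place. validateOIDCClient's pre-sized `make([]*v1alpha1.Condition, 0, 3)` matches the three condition types emitted today, which is worth a short comment so it is bumped when a fourth is added. validateSecret begins at the end of this hunk and continues outside it.

```go
// appendValidityCondition records a True condition for fieldName when problems is empty,
// otherwise a False condition whose message lists every problem joined by "; ".
func appendValidityCondition(conditions []*v1alpha1.Condition, conditionType, fieldName string, problems []string) []*v1alpha1.Condition {
	if len(problems) == 0 {
		return append(conditions, &v1alpha1.Condition{
			Type:    conditionType,
			Status:  v1alpha1.ConditionTrue,
			Reason:  reasonSuccess,
			Message: fmt.Sprintf("%q is valid", fieldName),
		})
	}
	return append(conditions, &v1alpha1.Condition{
		Type:    conditionType,
		Status:  v1alpha1.ConditionFalse,
		Reason:  reasonMissingRequiredValue,
		Message: strings.Join(problems, "; "),
	})
}

// … unchanged: the four scope checks that fill m in validateAllowedScopes …
	return appendValidityCondition(conditions, allowedScopesValid, allowedScopesFieldName, m)

// … unchanged: the three grant type checks that fill m in validateAllowedGrantTypes …
	return appendValidityCondition(conditions, allowedGrantTypesValid, allowedGrantTypesFieldName, m)
```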
@@ -252,7 +260,7 @@ func validateSecret(secret *v1.Secret, conditions []*v1alpha1.Condition) []*v1al
 Reason: reasonNoClientSecretFound,
 Message: fmt.Sprintf("error reading client secret storage: %s", err.Error()),
 })
- return conditions
+ return conditions, 0
 }
 
 // Successfully read the stored client secrets, so check if there are any stored in the list.
@@ -265,16 +273,42 @@ func validateSecret(secret *v1.Secret, conditions []*v1alpha1.Condition) []*v1al Reason: reasonNoClientSecretFound, Message: "no client secret found (empty list in storage)", }) - } else { - // Valid: has at least one client secret stored for this OIDC client. + return conditions, 0 + } + + // Check each hashed password's format and bcrypt cost. + bcryptErrs := make([]string, 0, storedClientSecretsCount) + for i, p := range storedClientSecret.SecretHashes { + cost, err := bcrypt.Cost([]byte(p)) + if err != nil { + bcryptErrs = append(bcryptErrs, fmt.Sprintf( + "hashed client secret at index %d: %s", + i, err.Error())) + } else if cost < minimumRequiredBcryptCost { + bcryptErrs = append(bcryptErrs, fmt.Sprintf( + "hashed client secret at index %d: bcrypt cost %d is below the required minimum of %d", + i, cost, minimumRequiredBcryptCost)) + } + } + if len(bcryptErrs) > 0 { + // Invalid: some stored client secrets were not valid. conditions = append(conditions, &v1alpha1.Condition{ Type: clientSecretExists, - Status: v1alpha1.ConditionTrue, - Reason: reasonSuccess, - Message: fmt.Sprintf("%d client secret(s) found", storedClientSecretsCount), + Status: v1alpha1.ConditionFalse, + Reason: reasonInvalidClientSecretFound, + Message: strings.Join(bcryptErrs, "; "), }) + return conditions, storedClientSecretsCount } - return conditions + + // Valid: has at least one client secret stored for this OIDC client, and all stored client secrets are valid. + conditions = append(conditions, &v1alpha1.Condition{ + Type: clientSecretExists, + Status: v1alpha1.ConditionTrue, + Reason: reasonSuccess, + Message: fmt.Sprintf("%d client secret(s) found", storedClientSecretsCount), + }) + return conditions, storedClientSecretsCount } func allowedGrantTypesContains(haystack *v1alpha1.OIDCClient, needle string) bool { 
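Review bot: The per-hash loop treats a successful `bcrypt.Cost` call as proof that the stored hash is usable, but as far as I recall that function only checks a minimum length and parses the `$2x$NN$` version and cost prefix; it does not validate the salt and digest that follow, so a value can pass here and still fail comparison when a client authenticates. The success comment should be narrowed accordingly, e.g. `// Valid: has at least one client secret stored for this OIDC client, and every stored hash has a parseable bcrypt prefix and an acceptable cost.` In the invalid branch the function still returns `storedClientSecretsCount`, so `totalClientSecrets` counts hashes the condition just rejected; a comment at that return such as `// Report the full count; the condition above says which entries are unusable.` stops readers from taking the number as the count of working secrets. validateSecret starts outside the hunk.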
@@ -295,7 +329,12 @@ func allowedScopesContains(haystack *v1alpha1.OIDCClient, needle string) bool { return false } -func (c *oidcClientWatcherController) updateStatus(ctx context.Context, upstream *v1alpha1.OIDCClient, conditions []*v1alpha1.Condition) error { +func (c *oidcClientWatcherController) updateStatus( + ctx context.Context, + upstream *v1alpha1.OIDCClient, + conditions []*v1alpha1.Condition, + totalClientSecrets int, +) error { updated := upstream.DeepCopy() hadErrorCondition := conditionsutil.MergeConfigConditions(conditions, upstream.Generation, &updated.Status.Conditions, plog.New()) @@ -305,6 +344,8 @@ func (c *oidcClientWatcherController) updateStatus(ctx context.Context, upstream updated.Status.Phase = v1alpha1.PhaseError } + updated.Status.TotalClientSecrets = totalClientSecrets + if equality.Semantic.DeepEqual(upstream, updated) { return nil } diff --git a/internal/controller/supervisorconfig/oidcclientwatcher/oidc_client_watcher_test.go b/internal/controller/supervisorconfig/oidcclientwatcher/oidc_client_watcher_test.go index 683c92ab..92a0d358 100644 --- a/internal/controller/supervisorconfig/oidcclientwatcher/oidc_client_watcher_test.go +++ b/internal/controller/supervisorconfig/oidcclientwatcher/oidc_client_watcher_test.go 
@@ -101,12 +101,32 @@ func TestOIDCClientWatcherControllerFilterOIDCClient(t *testing.T) { wantDelete bool }{ { - name: "anything goes", - oidcClient: configv1alpha1.OIDCClient{}, + name: "name has client.oauth.pinniped.dev- prefix", + oidcClient: configv1alpha1.OIDCClient{ + ObjectMeta: metav1.ObjectMeta{Name: "client.oauth.pinniped.dev-foo"}, + }, wantAdd: true, wantUpdate: true, wantDelete: true, }, + { + name: "name does not have client.oauth.pinniped.dev- prefix", + oidcClient: configv1alpha1.OIDCClient{ + ObjectMeta: metav1.ObjectMeta{Name: "something.oauth.pinniped.dev-foo"}, + }, + wantAdd: false, + wantUpdate: false, + wantDelete: false, + }, + { + name: "other names without any particular pinniped.dev prefixes", + oidcClient: configv1alpha1.OIDCClient{ + ObjectMeta: metav1.ObjectMeta{Name: "something"}, + }, + wantAdd: false, + wantUpdate: false, + wantDelete: false, + }, } for _, test := range tests { tt := test 
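Review bot: The filter table now covers a matching prefix, a near-miss prefix and a plain name, but not the boundary where the name is exactly the prefix with nothing after it (`client.oauth.pinniped.dev-`), which is the case most likely to differ between a `HasPrefix` check and a stricter "prefix plus non-empty suffix" check. The filter implementation is outside this hunk, so I can't say which way it behaves, but whichever it is, pinning it here stops a later tightening or loosening from going unnoticed. Suggested row: `{name: "name is only the client.oauth.pinniped.dev- prefix", oidcClient: configv1alpha1.OIDCClient{ObjectMeta: metav1.ObjectMeta{Name: "client.oauth.pinniped.dev-"}}, wantAdd: <expected>, wantUpdate: <expected>, wantDelete: <expected>}`.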
@@ -143,15 +163,18 @@ func TestOIDCClientWatcherControllerSync(t *testing.T) { t.Parallel() const ( - testName = "test-name" + testName = "client.oauth.pinniped.dev-test-name" testNamespace = "test-namespace" testUID = "test-uid-123" //nolint:gosec // this is not a credential - testBcryptSecret1 = "$2y$15$Kh7cRj0ScSD5QelE3ZNSl.nF04JDv7zb3SgGN.tSfLIX.4kt3UX7m" // bcrypt of "password1" - + testBcryptSecret1 = "$2y$15$Kh7cRj0ScSD5QelE3ZNSl.nF04JDv7zb3SgGN.tSfLIX.4kt3UX7m" // bcrypt of "password1" at cost 15 //nolint:gosec // this is not a credential - testBcryptSecret2 = "$2y$15$Kh7cRj0ScSD5QelE3ZNSl.nF04JDv7zb3SgGN.tSfLIX.4kt3UX7m" // bcrypt of "password2" + testBcryptSecret2 = "$2y$15$Kh7cRj0ScSD5QelE3ZNSl.nF04JDv7zb3SgGN.tSfLIX.4kt3UX7m" // bcrypt of "password2" at cost 15 + //nolint:gosec // this is not a credential + testInvalidBcryptSecretCostTooLow = "$2y$14$njwk1cItiRy6cb6u9aiJLuhtJG83zM9111t.xU6MxvnqqYbkXxzwy" // bcrypt of "password1" at cost 14 + //nolint:gosec // this is not a credential + testInvalidBcryptSecretInvalidFormat = "$2y$14$njwk1cItiRy6cb6u9aiJLuhtJG83zM9111t.xU6MxvnqqYbkXxz" // not enough characters in hash value ) now := metav1.NewTime(time.Now().UTC()) @@ -190,7 +213,7 @@ func TestOIDCClientWatcherControllerSync(t *testing.T) { } } - sadClientSecretsCondition := func(time metav1.Time, observedGeneration int64, message string) configv1alpha1.Condition { + sadNoClientSecretsCondition := func(time metav1.Time, observedGeneration int64, message string) configv1alpha1.Condition { return configv1alpha1.Condition{ Type: "ClientSecretExists", Status: "False", 
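Review bot: `testBcryptSecret1` and `testBcryptSecret2` hold the identical hash string, yet the updated comments claim one is `// bcrypt of "password1" at cost 15` and the other `// bcrypt of "password2" at cost 15`; at most one of those comments is true, and any case that depends on the two secrets being distinguishable is silently not exercising that. Either replace `testBcryptSecret2` with a genuinely different cost-15 hash of "password2", or, if two copies of the same hash is the intent, make the comment say so (`// same hash as testBcryptSecret1 on purpose`). The `sadNoClientSecretsCondition` helper renamed in the second hunk continues past the hunk's last line.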
@@ -201,6 +224,17 @@ func TestOIDCClientWatcherControllerSync(t *testing.T) { } } + sadInvalidClientSecretsCondition := func(time metav1.Time, observedGeneration int64, message string) configv1alpha1.Condition { + return configv1alpha1.Condition{ + Type: "ClientSecretExists", + Status: "False", + LastTransitionTime: time, + Reason: "InvalidClientSecretFound", + Message: message, + ObservedGeneration: observedGeneration, + } + } + happyAllowedScopesCondition := func(time metav1.Time, observedGeneration int64) configv1alpha1.Condition { return configv1alpha1.Condition{ Type: "AllowedScopesValid", @@ -245,6 +279,12 @@ func TestOIDCClientWatcherControllerSync(t *testing.T) { "pinniped-storage-version": []byte("1"), } + secretStringDataWithSomeInvalidClientSecrets := map[string][]byte{ + "pinniped-storage-data": []byte(`{"version":"1","hashes":["` + + testBcryptSecret1 + `","` + testInvalidBcryptSecretCostTooLow + `","` + testInvalidBcryptSecretInvalidFormat + `"]}`), + "pinniped-storage-version": []byte("1"), + } + secretStringDataWithWrongVersion := map[string][]byte{ "pinniped-storage-data": []byte(`{"version":"wrong-version","hashes":[]}`), "pinniped-storage-version": []byte("1"), 
@@ -275,27 +315,48 @@ func TestOIDCClientWatcherControllerSync(t *testing.T) { wantAPIActions: 0, // no updates }, { - name: "successfully validate minimal OIDCClient and one client secret stored", + name: "OIDCClient with wrong prefix is ignored", inputObjects: []runtime.Object{&configv1alpha1.OIDCClient{ - ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234, UID: testUID}, - Spec: configv1alpha1.OIDCClientSpec{ - AllowedGrantTypes: []configv1alpha1.GrantType{"authorization_code"}, - AllowedScopes: []configv1alpha1.Scope{"openid"}, - }, + ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: "wrong-prefix-name", Generation: 1234, UID: testUID}, }}, - inputSecrets: []runtime.Object{storageSecretForUIDWithData(testUID, secretStringDataWithOneClientSecret)}, - wantAPIActions: 1, // one update + wantAPIActions: 0, // no updates wantResultingOIDCClients: []configv1alpha1.OIDCClient{{ - ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234, UID: testUID}, - Status: configv1alpha1.OIDCClientStatus{ - Phase: "Ready", - Conditions: []configv1alpha1.Condition{ - happyAllowedGrantTypesCondition(now, 1234), - happyAllowedScopesCondition(now, 1234), - happyClientSecretsCondition(1, now, 1234), + ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: "wrong-prefix-name", Generation: 1234, UID: testUID}, + }}, + }, + { + name: "successfully validate minimal OIDCClient and one client secret stored (while ignoring client with wrong prefix)", + inputObjects: []runtime.Object{ + &configv1alpha1.OIDCClient{ + ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: "wrong-prefix-name", Generation: 1234, UID: testUID}, + }, + &configv1alpha1.OIDCClient{ + ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234, UID: testUID}, + Spec: configv1alpha1.OIDCClientSpec{ + AllowedGrantTypes: []configv1alpha1.GrantType{"authorization_code"}, + AllowedScopes: 
[]configv1alpha1.Scope{"openid"}, }, }, - }}, + }, + inputSecrets: []runtime.Object{storageSecretForUIDWithData(testUID, secretStringDataWithOneClientSecret)}, + wantAPIActions: 1, // one update + wantResultingOIDCClients: []configv1alpha1.OIDCClient{ + { + ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: "wrong-prefix-name", Generation: 1234, UID: testUID}, + }, + { + ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234, UID: testUID}, + Status: configv1alpha1.OIDCClientStatus{ + Phase: "Ready", + Conditions: []configv1alpha1.Condition{ + happyAllowedGrantTypesCondition(now, 1234), + happyAllowedScopesCondition(now, 1234), + happyClientSecretsCondition(1, now, 1234), + }, + TotalClientSecrets: 1, + }, + }, + }, }, { name: "successfully validate minimal OIDCClient and two client secrets stored", @@ -317,6 +378,7 @@ func TestOIDCClientWatcherControllerSync(t *testing.T) { happyAllowedScopesCondition(now, 1234), happyClientSecretsCondition(2, now, 1234), }, + TotalClientSecrets: 2, }, }}, }, @@ -335,6 +397,7 @@ func TestOIDCClientWatcherControllerSync(t *testing.T) { happyAllowedScopesCondition(earlier, 1234), happyClientSecretsCondition(1, earlier, 1234), }, + TotalClientSecrets: 1, }, }}, inputSecrets: []runtime.Object{storageSecretForUIDWithData(testUID, secretStringDataWithOneClientSecret)}, @@ -348,6 +411,7 @@ func TestOIDCClientWatcherControllerSync(t *testing.T) { happyAllowedScopesCondition(earlier, 1234), happyClientSecretsCondition(1, earlier, 1234), }, + TotalClientSecrets: 1, }, }}, }, 
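Review bot: In the "while ignoring client with wrong prefix" case both OIDCClient fixtures carry `UID: testUID`, so the ignored `wrong-prefix-name` object maps to the very same storage Secret as the valid one; UIDs are unique in a real cluster, and sharing one here blurs what the case asserts about the ignored object. Give it its own identity, e.g. `ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: "wrong-prefix-name", Generation: 1234, UID: "wrong-prefix-uid"}`, so the test shows the object is skipped by the filter rather than merely happening to resolve to an existing Secret. The same fixture is reused in the standalone "OIDCClient with wrong prefix is ignored" case and could take the same distinct UID.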
@@ -365,7 +429,7 @@ func TestOIDCClientWatcherControllerSync(t *testing.T) { Conditions: []configv1alpha1.Condition{ sadAllowedGrantTypesCondition(now, 1234, `"authorization_code" must always be included in "allowedGrantTypes"`), sadAllowedScopesCondition(now, 1234, `"openid" must always be included in "allowedScopes"`), - sadClientSecretsCondition(now, 1234, "no client secret found (no Secret storage found)"), + sadNoClientSecretsCondition(now, 1234, "no client secret found (no Secret storage found)"), }, }, }}, @@ -388,7 +452,7 @@ func TestOIDCClientWatcherControllerSync(t *testing.T) { Conditions: []configv1alpha1.Condition{ happyAllowedGrantTypesCondition(now, 1234), happyAllowedScopesCondition(now, 1234), - sadClientSecretsCondition(now, 1234, "error reading client secret storage: OIDC client secret storage data has wrong version: OIDC client secret storage has version wrong-version instead of 1"), + sadNoClientSecretsCondition(now, 1234, "error reading client secret storage: OIDC client secret storage data has wrong version: OIDC client secret storage has version wrong-version instead of 1"), }, }, }}, 
@@ -411,8 +475,35 @@ func TestOIDCClientWatcherControllerSync(t *testing.T) { Conditions: []configv1alpha1.Condition{ happyAllowedGrantTypesCondition(now, 1234), happyAllowedScopesCondition(now, 1234), - sadClientSecretsCondition(now, 1234, "no client secret found (empty list in storage)"), + sadNoClientSecretsCondition(now, 1234, "no client secret found (empty list in storage)"), }, + TotalClientSecrets: 0, + }, + }}, + }, + { + name: "client secret storage exists but some of the client secrets are invalid bcrypt hashes", + inputObjects: []runtime.Object{&configv1alpha1.OIDCClient{ + ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234, UID: testUID}, + Spec: configv1alpha1.OIDCClientSpec{ + AllowedGrantTypes: []configv1alpha1.GrantType{"authorization_code"}, + AllowedScopes: []configv1alpha1.Scope{"openid"}, + }, + }}, + inputSecrets: []runtime.Object{storageSecretForUIDWithData(testUID, secretStringDataWithSomeInvalidClientSecrets)}, + wantAPIActions: 1, // one update + wantResultingOIDCClients: []configv1alpha1.OIDCClient{{ + ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234, UID: testUID}, + Status: configv1alpha1.OIDCClientStatus{ + Phase: "Error", + Conditions: []configv1alpha1.Condition{ + happyAllowedGrantTypesCondition(now, 1234), + happyAllowedScopesCondition(now, 1234), + sadInvalidClientSecretsCondition(now, 1234, + "hashed client secret at index 1: bcrypt cost 14 is below the required minimum of 15; "+ + "hashed client secret at index 2: crypto/bcrypt: hashedSecret too short to be a bcrypted password"), + }, + TotalClientSecrets: 3, }, }}, }, 
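Review bot: The expected message in the new invalid-hashes case pins the literal `crypto/bcrypt: hashedSecret too short to be a bcrypted password`, which is just the `Error()` text of `bcrypt.ErrHashTooShort` from golang.org/x/crypto, so a routine dependency bump that rewords it fails this test with no behaviour change in the controller. Build that fragment from the sentinel instead: `"hashed client secret at index 2: "+bcrypt.ErrHashTooShort.Error()` (the test file's import block is outside this hunk). This case also documents something the API comment does not: `TotalClientSecrets: 3` alongside a False `ClientSecretExists` condition means the count is of stored hashes, valid or not, not of usable secrets, and the `totalClientSecrets` field doc should say so.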
@@ -420,14 +511,14 @@ func TestOIDCClientWatcherControllerSync(t *testing.T) { name: "can operate on multiple at a time, e.g. one is valid one another is missing required minimum settings", inputObjects: []runtime.Object{ &configv1alpha1.OIDCClient{ - ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: "test1", Generation: 1234, UID: "uid1"}, + ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: "client.oauth.pinniped.dev-test1", Generation: 1234, UID: "uid1"}, Spec: configv1alpha1.OIDCClientSpec{ AllowedGrantTypes: []configv1alpha1.GrantType{"authorization_code"}, AllowedScopes: []configv1alpha1.Scope{"openid"}, }, }, &configv1alpha1.OIDCClient{ - ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: "test2", Generation: 4567, UID: "uid2"}, + ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: "client.oauth.pinniped.dev-test2", Generation: 4567, UID: "uid2"}, Spec: configv1alpha1.OIDCClientSpec{}, }, }, @@ -435,7 +526,7 @@ func TestOIDCClientWatcherControllerSync(t *testing.T) { wantAPIActions: 2, // one update for each OIDCClient wantResultingOIDCClients: []configv1alpha1.OIDCClient{ { - ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: "test1", Generation: 1234, UID: "uid1"}, + ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: "client.oauth.pinniped.dev-test1", Generation: 1234, UID: "uid1"}, Status: configv1alpha1.OIDCClientStatus{ Phase: "Ready", Conditions: []configv1alpha1.Condition{ 
@@ -443,17 +534,19 @@ func TestOIDCClientWatcherControllerSync(t *testing.T) { happyAllowedScopesCondition(now, 1234), happyClientSecretsCondition(1, now, 1234), }, + TotalClientSecrets: 1, }, }, { - ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: "test2", Generation: 4567, UID: "uid2"}, + ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: "client.oauth.pinniped.dev-test2", Generation: 4567, UID: "uid2"}, Status: configv1alpha1.OIDCClientStatus{ Phase: "Error", Conditions: []configv1alpha1.Condition{ sadAllowedGrantTypesCondition(now, 4567, `"authorization_code" must always be included in "allowedGrantTypes"`), sadAllowedScopesCondition(now, 4567, `"openid" must always be included in "allowedScopes"`), - sadClientSecretsCondition(now, 4567, "no client secret found (no Secret storage found)"), + sadNoClientSecretsCondition(now, 4567, "no client secret found (no Secret storage found)"), }, + TotalClientSecrets: 0, }, }, }, @@ -474,6 +567,7 @@ func TestOIDCClientWatcherControllerSync(t *testing.T) { sadAllowedScopesCondition(earlier, 1234, `"openid" must always be included in "allowedScopes"`), happyClientSecretsCondition(1, earlier, 1234), }, + TotalClientSecrets: 1, }, }}, inputSecrets: []runtime.Object{storageSecretForUIDWithData(testUID, secretStringDataWithOneClientSecret)}, @@ -488,6 +582,7 @@ func TestOIDCClientWatcherControllerSync(t *testing.T) { happyAllowedScopesCondition(now, 4567), happyClientSecretsCondition(1, earlier, 4567), // was already validated earlier }, + TotalClientSecrets: 1, }, }}, }, 
@@ -511,6 +606,64 @@ func TestOIDCClientWatcherControllerSync(t *testing.T) { happyAllowedScopesCondition(now, 1234), happyClientSecretsCondition(1, now, 1234), }, + TotalClientSecrets: 1, + }, + }}, + }, + { + name: "multiple errors on allowedScopes and allowedGrantTypes", + inputObjects: []runtime.Object{&configv1alpha1.OIDCClient{ + ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234, UID: testUID}, + Spec: configv1alpha1.OIDCClientSpec{ + AllowedGrantTypes: []configv1alpha1.GrantType{"refresh_token"}, + AllowedScopes: []configv1alpha1.Scope{"pinniped:request-audience"}, + }, + }}, + wantAPIActions: 1, // one update + inputSecrets: []runtime.Object{storageSecretForUIDWithData(testUID, secretStringDataWithOneClientSecret)}, + wantResultingOIDCClients: []configv1alpha1.OIDCClient{{ + ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234, UID: testUID}, + Status: configv1alpha1.OIDCClientStatus{ + Phase: "Error", + Conditions: []configv1alpha1.Condition{ + sadAllowedGrantTypesCondition(now, 1234, + `"authorization_code" must always be included in "allowedGrantTypes"; `+ + `"urn:ietf:params:oauth:grant-type:token-exchange" must be included in "allowedGrantTypes" when "pinniped:request-audience" is included in "allowedScopes"`), + sadAllowedScopesCondition(now, 1234, + `"openid" must always be included in "allowedScopes"; `+ + `"offline_access" must be included in "allowedScopes" when "refresh_token" is included in "allowedGrantTypes"; `+ + `"username" and "groups" must be included in "allowedScopes" when "pinniped:request-audience" is included in "allowedScopes"`), + happyClientSecretsCondition(1, now, 1234), + }, + TotalClientSecrets: 1, + }, + }}, + }, + { + name: "another combination of multiple errors on allowedScopes and allowedGrantTypes", + inputObjects: []runtime.Object{&configv1alpha1.OIDCClient{ + ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234, 
UID: testUID}, + Spec: configv1alpha1.OIDCClientSpec{ + AllowedGrantTypes: []configv1alpha1.GrantType{"urn:ietf:params:oauth:grant-type:token-exchange"}, + AllowedScopes: []configv1alpha1.Scope{"offline_access"}, + }, + }}, + wantAPIActions: 1, // one update + inputSecrets: []runtime.Object{storageSecretForUIDWithData(testUID, secretStringDataWithOneClientSecret)}, + wantResultingOIDCClients: []configv1alpha1.OIDCClient{{ + ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234, UID: testUID}, + Status: configv1alpha1.OIDCClientStatus{ + Phase: "Error", + Conditions: []configv1alpha1.Condition{ + sadAllowedGrantTypesCondition(now, 1234, + `"authorization_code" must always be included in "allowedGrantTypes"; `+ + `"refresh_token" must be included in "allowedGrantTypes" when "offline_access" is included in "allowedScopes"`), + sadAllowedScopesCondition(now, 1234, + `"openid" must always be included in "allowedScopes"; `+ + `"pinniped:request-audience" must be included in "allowedScopes" when "urn:ietf:params:oauth:grant-type:token-exchange" is included in "allowedGrantTypes"`), + happyClientSecretsCondition(1, now, 1234), + }, + TotalClientSecrets: 1, }, }}, }, @@ -534,6 +687,7 @@ func TestOIDCClientWatcherControllerSync(t *testing.T) { happyAllowedScopesCondition(now, 1234), happyClientSecretsCondition(1, now, 1234), }, + TotalClientSecrets: 1, }, }}, }, @@ -557,6 +711,7 @@ func TestOIDCClientWatcherControllerSync(t *testing.T) { sadAllowedScopesCondition(now, 1234, `"offline_access" must be included in "allowedScopes" when "refresh_token" is included in "allowedGrantTypes"`), happyClientSecretsCondition(1, now, 1234), }, + TotalClientSecrets: 1, }, }}, }, 
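Review bot: Style: the two new "multiple errors" cases list `wantAPIActions: 1, // one update` before `inputSecrets:`, whereas every other row in this table keeps the inputs (`inputObjects`, `inputSecrets`) together ahead of the expectations; reorder to `inputSecrets: []runtime.Object{storageSecretForUIDWithData(testUID, secretStringDataWithOneClientSecret)},` followed by `wantAPIActions: 1, // one update` for consistency. The expected messages also pin the exact order in which individual failures are joined with "; ", which is fine provided the validator's check order is treated as part of its contract; a one-line comment on the case saying the order is intentional would make that explicit. The hunk begins in the previous chunk line.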
@@ -580,6 +735,7 @@ func TestOIDCClientWatcherControllerSync(t *testing.T) { sadAllowedScopesCondition(now, 1234, `"username" and "groups" must be included in "allowedScopes" when "pinniped:request-audience" is included in "allowedScopes"`), happyClientSecretsCondition(1, now, 1234), }, + TotalClientSecrets: 1, }, }}, }, @@ -603,6 +759,7 @@ func TestOIDCClientWatcherControllerSync(t *testing.T) { sadAllowedScopesCondition(now, 1234, `"username" and "groups" must be included in "allowedScopes" when "pinniped:request-audience" is included in "allowedScopes"`), happyClientSecretsCondition(1, now, 1234), }, + TotalClientSecrets: 1, }, }}, }, @@ -626,6 +783,7 @@ func TestOIDCClientWatcherControllerSync(t *testing.T) { sadAllowedScopesCondition(now, 1234, `"username" and "groups" must be included in "allowedScopes" when "pinniped:request-audience" is included in "allowedScopes"`), happyClientSecretsCondition(1, now, 1234), }, + TotalClientSecrets: 1, }, }}, }, @@ -649,6 +807,7 @@ func TestOIDCClientWatcherControllerSync(t *testing.T) { sadAllowedScopesCondition(now, 1234, `"pinniped:request-audience" must be included in "allowedScopes" when "urn:ietf:params:oauth:grant-type:token-exchange" is included in "allowedGrantTypes"`), happyClientSecretsCondition(1, now, 1234), }, + TotalClientSecrets: 1, }, }}, }, @@ -672,6 +831,7 @@ func TestOIDCClientWatcherControllerSync(t *testing.T) { happyAllowedScopesCondition(now, 1234), happyClientSecretsCondition(1, now, 1234), }, + TotalClientSecrets: 1, }, }}, }, @@ -695,6 +855,7 @@ func TestOIDCClientWatcherControllerSync(t *testing.T) { happyAllowedScopesCondition(now, 1234), happyClientSecretsCondition(1, now, 1234), }, + TotalClientSecrets: 1, }, }}, }, @@ -718,6 +879,7 @@ func TestOIDCClientWatcherControllerSync(t *testing.T) { happyAllowedScopesCondition(now, 1234), happyClientSecretsCondition(1, now, 1234), }, + TotalClientSecrets: 1, }, }}, }, 
@@ -741,6 +903,7 @@ func TestOIDCClientWatcherControllerSync(t *testing.T) { happyAllowedScopesCondition(now, 1234), happyClientSecretsCondition(1, now, 1234), }, + TotalClientSecrets: 1, }, }}, }, @@ -764,6 +927,7 @@ func TestOIDCClientWatcherControllerSync(t *testing.T) { happyAllowedScopesCondition(now, 1234), happyClientSecretsCondition(1, now, 1234), }, + TotalClientSecrets: 1, }, }}, }, @@ -787,6 +951,7 @@ func TestOIDCClientWatcherControllerSync(t *testing.T) { happyAllowedScopesCondition(now, 1234), happyClientSecretsCondition(1, now, 1234), }, + TotalClientSecrets: 1, }, }}, }, @@ -810,6 +975,7 @@ func TestOIDCClientWatcherControllerSync(t *testing.T) { happyAllowedScopesCondition(now, 1234), happyClientSecretsCondition(1, now, 1234), }, + TotalClientSecrets: 1, }, }}, }, @@ -833,6 +999,7 @@ func TestOIDCClientWatcherControllerSync(t *testing.T) { happyAllowedScopesCondition(now, 1234), happyClientSecretsCondition(1, now, 1234), }, + TotalClientSecrets: 1, }, }}, }, diff --git a/test/integration/supervisor_oidc_client_test.go b/test/integration/supervisor_oidc_client_test.go index adb43403..cf059fd3 100644 --- a/test/integration/supervisor_oidc_client_test.go +++ b/test/integration/supervisor_oidc_client_test.go @@ -506,7 +506,7 @@ func TestOIDCClientControllerValidations_Parallel(t *testing.T) { Type: "AllowedScopesValid", Status: "False", Reason: "MissingRequiredValue", - Message: `"openid" must always be included in "allowedScopes"`, + Message: `"openid" must always be included in "allowedScopes"; "offline_access" must be included in "allowedScopes" when "refresh_token" is included in "allowedGrantTypes"`, }, { Type: "ClientSecretExists", From be85e1ed0a720f784d542ea8819cab9156a1b52e Mon Sep 17 00:00:00 2001 
From: Ryan Richard Date: Thu, 14 Jul 2022 09:30:03 -0700 Subject: [PATCH 30/61] TotalClientSecrets field gets omitempty and becomes int32 --- .../config/v1alpha1/types_oidcclient.go.tmpl | 2 +- ...g.supervisor.pinniped.dev_oidcclients.yaml | 3 +-- generated/1.17/README.adoc | 25 ++++++++++++++++++- .../config/v1alpha1/types_oidcclient.go | 2 +- ...g.supervisor.pinniped.dev_oidcclients.yaml | 3 +-- generated/1.18/README.adoc | 25 ++++++++++++++++++- .../config/v1alpha1/types_oidcclient.go | 2 +- ...g.supervisor.pinniped.dev_oidcclients.yaml | 3 +-- generated/1.19/README.adoc | 25 ++++++++++++++++++- .../config/v1alpha1/types_oidcclient.go | 2 +- ...g.supervisor.pinniped.dev_oidcclients.yaml | 3 +-- generated/1.20/README.adoc | 25 ++++++++++++++++++- .../config/v1alpha1/types_oidcclient.go | 2 +- ...g.supervisor.pinniped.dev_oidcclients.yaml | 3 +-- generated/1.21/README.adoc | 25 ++++++++++++++++++- .../config/v1alpha1/types_oidcclient.go | 2 +- ...g.supervisor.pinniped.dev_oidcclients.yaml | 3 +-- generated/1.22/README.adoc | 25 ++++++++++++++++++- .../config/v1alpha1/types_oidcclient.go | 2 +- ...g.supervisor.pinniped.dev_oidcclients.yaml | 3 +-- generated/1.23/README.adoc | 25 ++++++++++++++++++- .../config/v1alpha1/types_oidcclient.go | 2 +- ...g.supervisor.pinniped.dev_oidcclients.yaml | 3 +-- generated/1.24/README.adoc | 25 ++++++++++++++++++- .../config/v1alpha1/types_oidcclient.go | 2 +- ...g.supervisor.pinniped.dev_oidcclients.yaml | 3 +-- .../config/v1alpha1/types_oidcclient.go | 2 +- .../oidcclientwatcher/oidc_client_watcher.go | 2 +- 28 files changed, 212 insertions(+), 37 deletions(-) diff --git a/apis/supervisor/config/v1alpha1/types_oidcclient.go.tmpl b/apis/supervisor/config/v1alpha1/types_oidcclient.go.tmpl index 36d86de4..8604a4f1 100644 --- a/apis/supervisor/config/v1alpha1/types_oidcclient.go.tmpl +++ b/apis/supervisor/config/v1alpha1/types_oidcclient.go.tmpl 
@@ -88,7 +88,7 @@ type OIDCClientStatus struct { Conditions []Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"` // totalClientSecrets is the current number of client secrets that are detected for this OIDCClient. - TotalClientSecrets int `json:"totalClientSecrets"` + TotalClientSecrets int32 `json:"totalClientSecrets,omitempty"` } // OIDCClient describes the configuration of an OIDC client. diff --git a/deploy/supervisor/config.supervisor.pinniped.dev_oidcclients.yaml b/deploy/supervisor/config.supervisor.pinniped.dev_oidcclients.yaml index c61e9c45..76c0cab0 100644 --- a/deploy/supervisor/config.supervisor.pinniped.dev_oidcclients.yaml +++ b/deploy/supervisor/config.supervisor.pinniped.dev_oidcclients.yaml @@ -194,9 +194,8 @@ spec: totalClientSecrets: description: totalClientSecrets is the current number of client secrets that are detected for this OIDCClient. + format: int32 type: integer - required: - - totalClientSecrets type: object required: - spec diff --git a/generated/1.17/README.adoc b/generated/1.17/README.adoc index 62ea1f8e..11dd5e0e 100644 --- a/generated/1.17/README.adoc +++ b/generated/1.17/README.adoc 
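Review bot: With `omitempty`, a count of zero is dropped from the serialized status, so a consumer can no longer tell "the controller observed zero secrets" from "status not yet populated" by this field alone; the field comment should state that, e.g. `// totalClientSecrets is the current number of client secrets that are detected for this OIDCClient. It is omitted when zero; use the ClientSecretExists condition to determine whether secrets were found.` The generated schema also gains `format: int32` but no lower bound; since a count cannot be negative, add `// +kubebuilder:validation:Minimum=0` above the field so the CRD carries `minimum: 0` as well. The controller-side assignment that feeds this field (now presumably converted from `int` to `int32`, per the diffstat entry for oidc_client_watcher.go) is in a file outside this chunk.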
@@ -832,7 +832,30 @@ WhoAmIRequest submits a request to echo back the current authenticated user. [cols="25a,75a", options="header"] |=== | Field | Description -| *`ObjectMeta`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.17/#objectmeta-v1-meta[$$ObjectMeta$$]__ | +| *`name`* __string__ | Name must be unique within a namespace. Is required when creating resources, although some resources may allow a client to request the generation of an appropriate name automatically. Name is primarily intended for creation idempotence and configuration definition. Cannot be updated. More info: http://kubernetes.io/docs/user-guide/identifiers#names +| *`generateName`* __string__ | GenerateName is an optional prefix, used by the server, to generate a unique name ONLY IF the Name field has not been provided. If this field is used, the name returned to the client will be different than the name passed. This value will also be combined with a unique suffix. The provided value has the same validation rules as the Name field, and may be truncated by the length of the suffix required to make the value unique on the server. + If this field is specified and the generated name exists, the server will NOT return a 409 - instead, it will either return 201 Created or 500 with Reason ServerTimeout indicating a unique name could not be found in the time allotted, and the client should retry (optionally after the time indicated in the Retry-After header). + Applied only if Name is not specified. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#idempotency +| *`namespace`* __string__ | Namespace defines the space within each name must be unique. An empty namespace is equivalent to the "default" namespace, but "default" is the canonical representation. Not all objects are required to be scoped to a namespace - the value of this field for those objects will be empty. + Must be a DNS_LABEL. Cannot be updated. 
More info: http://kubernetes.io/docs/user-guide/namespaces +| *`selfLink`* __string__ | SelfLink is a URL representing this object. Populated by the system. Read-only. + DEPRECATED Kubernetes will stop propagating this field in 1.20 release and the field is planned to be removed in 1.21 release. +| *`uid`* __UID__ | UID is the unique in time and space value for this object. It is typically generated by the server on successful creation of a resource and is not allowed to change on PUT operations. + Populated by the system. Read-only. More info: http://kubernetes.io/docs/user-guide/identifiers#uids +| *`resourceVersion`* __string__ | An opaque value that represents the internal version of this object that can be used by clients to determine when objects have changed. May be used for optimistic concurrency, change detection, and the watch operation on a resource or set of resources. Clients must treat these values as opaque and passed unmodified back to the server. They may only be valid for a particular resource or set of resources. + Populated by the system. Read-only. Value must be treated as opaque by clients and . More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency +| *`generation`* __integer__ | A sequence number representing a specific generation of the desired state. Populated by the system. Read-only. +| *`creationTimestamp`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.17/#time-v1-meta[$$Time$$]__ | CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. + Populated by the system. Read-only. Null for lists. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata +| *`deletionTimestamp`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.17/#time-v1-meta[$$Time$$]__ | DeletionTimestamp is RFC 3339 date and time at which this resource will be deleted. This field is set by the server when a graceful deletion is requested by the user, and is not directly settable by a client. The resource is expected to be deleted (no longer visible from resource lists, and not reachable by name) after the time in this field, once the finalizers list is empty. As long as the finalizers list contains items, deletion is blocked. Once the deletionTimestamp is set, this value may not be unset or be set further into the future, although it may be shortened or the resource may be deleted prior to this time. For example, a user may request that a pod is deleted in 30 seconds. The Kubelet will react by sending a graceful termination signal to the containers in the pod. After that 30 seconds, the Kubelet will send a hard termination signal (SIGKILL) to the container and after cleanup, remove the pod from the API. In the presence of network partitions, this object may still exist after this timestamp, until an administrator or automated process can determine the resource is fully terminated. If not set, graceful deletion of the object has not been requested. + Populated by the system when a graceful deletion is requested. Read-only. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata +| *`deletionGracePeriodSeconds`* __integer__ | Number of seconds allowed for this object to gracefully terminate before it will be removed from the system. Only set when deletionTimestamp is also set. May only be shortened. Read-only. +| *`labels`* __object (keys:string, values:string)__ | Map of string keys and values that can be used to organize and categorize (scope and select) objects. 
May match selectors of replication controllers and services. More info: http://kubernetes.io/docs/user-guide/labels +| *`annotations`* __object (keys:string, values:string)__ | Annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata. They are not queryable and should be preserved when modifying objects. More info: http://kubernetes.io/docs/user-guide/annotations +| *`ownerReferences`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.17/#ownerreference-v1-meta[$$OwnerReference$$] array__ | List of objects depended by this object. If ALL objects in the list have been deleted, this object will be garbage collected. If this object is managed by a controller, then an entry in this list will point to this controller, with the controller field set to true. There cannot be more than one managing controller. +| *`finalizers`* __string array__ | Must be empty before the object is deleted from the registry. Each entry is an identifier for the responsible component that will remove the entry from the list. If the deletionTimestamp of the object is non-nil, entries in this list can only be removed. Finalizers may be processed and removed in any order. Order is NOT enforced because it introduces significant risk of stuck finalizers. finalizers is a shared field, any actor with permission can reorder it. If the finalizer list is processed in order, then this can lead to a situation in which the component responsible for the first finalizer in the list is waiting for a signal (field value, external system, or other) produced by a component responsible for a finalizer later in the list, resulting in a deadlock. Without enforced ordering finalizers are free to order amongst themselves and are not vulnerable to ordering changes in the list. +| *`clusterName`* __string__ | The name of the cluster which the object belongs to. 
This is used to distinguish resources with same name and namespace in different clusters. This field is not set anywhere right now and apiserver is going to ignore it if set in create or update request. +| *`managedFields`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.17/#managedfieldsentry-v1-meta[$$ManagedFieldsEntry$$] array__ | ManagedFields maps workflow-id and version to the set of fields that are managed by that workflow. This is mostly for internal housekeeping, and users typically shouldn't need to set or understand this field. A workflow can be the user's name, a controller's name, or the name of a specific apply path like "ci-cd". The set of fields is always in the version that the workflow used when modifying the object. | *`Spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-identity-whoamirequestspec[$$WhoAmIRequestSpec$$]__ | | *`Status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-identity-whoamirequeststatus[$$WhoAmIRequestStatus$$]__ | |=== diff --git a/generated/1.17/apis/supervisor/config/v1alpha1/types_oidcclient.go b/generated/1.17/apis/supervisor/config/v1alpha1/types_oidcclient.go index 36d86de4..8604a4f1 100644 --- a/generated/1.17/apis/supervisor/config/v1alpha1/types_oidcclient.go +++ b/generated/1.17/apis/supervisor/config/v1alpha1/types_oidcclient.go @@ -88,7 +88,7 @@ type OIDCClientStatus struct { Conditions []Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"` // totalClientSecrets is the current number of client secrets that are detected for this OIDCClient. - TotalClientSecrets int `json:"totalClientSecrets"` + TotalClientSecrets int32 `json:"totalClientSecrets,omitempty"` } // OIDCClient describes the configuration of an OIDC client. diff --git a/generated/1.17/crds/config.supervisor.pinniped.dev_oidcclients.yaml b/generated/1.17/crds/config.supervisor.pinniped.dev_oidcclients.yaml index c61e9c45..76c0cab0 100644 
--- a/generated/1.17/crds/config.supervisor.pinniped.dev_oidcclients.yaml +++ b/generated/1.17/crds/config.supervisor.pinniped.dev_oidcclients.yaml @@ -194,9 +194,8 @@ spec: totalClientSecrets: description: totalClientSecrets is the current number of client secrets that are detected for this OIDCClient. + format: int32 type: integer - required: - - totalClientSecrets type: object required: - spec diff --git a/generated/1.18/README.adoc b/generated/1.18/README.adoc index 1d705d41..704d1ca7 100644 --- a/generated/1.18/README.adoc +++ b/generated/1.18/README.adoc 
@@ -832,7 +832,30 @@ WhoAmIRequest submits a request to echo back the current authenticated user. [cols="25a,75a", options="header"] |=== | Field | Description -| *`ObjectMeta`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#objectmeta-v1-meta[$$ObjectMeta$$]__ | +| *`name`* __string__ | Name must be unique within a namespace. Is required when creating resources, although some resources may allow a client to request the generation of an appropriate name automatically. Name is primarily intended for creation idempotence and configuration definition. Cannot be updated. More info: http://kubernetes.io/docs/user-guide/identifiers#names +| *`generateName`* __string__ | GenerateName is an optional prefix, used by the server, to generate a unique name ONLY IF the Name field has not been provided. If this field is used, the name returned to the client will be different than the name passed. This value will also be combined with a unique suffix. The provided value has the same validation rules as the Name field, and may be truncated by the length of the suffix required to make the value unique on the server. + If this field is specified and the generated name exists, the server will NOT return a 409 - instead, it will either return 201 Created or 500 with Reason ServerTimeout indicating a unique name could not be found in the time allotted, and the client should retry (optionally after the time indicated in the Retry-After header). + Applied only if Name is not specified. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#idempotency +| *`namespace`* __string__ | Namespace defines the space within each name must be unique. An empty namespace is equivalent to the "default" namespace, but "default" is the canonical representation. Not all objects are required to be scoped to a namespace - the value of this field for those objects will be empty. + Must be a DNS_LABEL. Cannot be updated. 
More info: http://kubernetes.io/docs/user-guide/namespaces +| *`selfLink`* __string__ | SelfLink is a URL representing this object. Populated by the system. Read-only. + DEPRECATED Kubernetes will stop propagating this field in 1.20 release and the field is planned to be removed in 1.21 release. +| *`uid`* __UID__ | UID is the unique in time and space value for this object. It is typically generated by the server on successful creation of a resource and is not allowed to change on PUT operations. + Populated by the system. Read-only. More info: http://kubernetes.io/docs/user-guide/identifiers#uids +| *`resourceVersion`* __string__ | An opaque value that represents the internal version of this object that can be used by clients to determine when objects have changed. May be used for optimistic concurrency, change detection, and the watch operation on a resource or set of resources. Clients must treat these values as opaque and passed unmodified back to the server. They may only be valid for a particular resource or set of resources. + Populated by the system. Read-only. Value must be treated as opaque by clients and . More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency +| *`generation`* __integer__ | A sequence number representing a specific generation of the desired state. Populated by the system. Read-only. +| *`creationTimestamp`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#time-v1-meta[$$Time$$]__ | CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. + Populated by the system. Read-only. Null for lists. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata +| *`deletionTimestamp`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#time-v1-meta[$$Time$$]__ | DeletionTimestamp is RFC 3339 date and time at which this resource will be deleted. This field is set by the server when a graceful deletion is requested by the user, and is not directly settable by a client. The resource is expected to be deleted (no longer visible from resource lists, and not reachable by name) after the time in this field, once the finalizers list is empty. As long as the finalizers list contains items, deletion is blocked. Once the deletionTimestamp is set, this value may not be unset or be set further into the future, although it may be shortened or the resource may be deleted prior to this time. For example, a user may request that a pod is deleted in 30 seconds. The Kubelet will react by sending a graceful termination signal to the containers in the pod. After that 30 seconds, the Kubelet will send a hard termination signal (SIGKILL) to the container and after cleanup, remove the pod from the API. In the presence of network partitions, this object may still exist after this timestamp, until an administrator or automated process can determine the resource is fully terminated. If not set, graceful deletion of the object has not been requested. + Populated by the system when a graceful deletion is requested. Read-only. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata +| *`deletionGracePeriodSeconds`* __integer__ | Number of seconds allowed for this object to gracefully terminate before it will be removed from the system. Only set when deletionTimestamp is also set. May only be shortened. Read-only. +| *`labels`* __object (keys:string, values:string)__ | Map of string keys and values that can be used to organize and categorize (scope and select) objects. 
May match selectors of replication controllers and services. More info: http://kubernetes.io/docs/user-guide/labels +| *`annotations`* __object (keys:string, values:string)__ | Annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata. They are not queryable and should be preserved when modifying objects. More info: http://kubernetes.io/docs/user-guide/annotations +| *`ownerReferences`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#ownerreference-v1-meta[$$OwnerReference$$] array__ | List of objects depended by this object. If ALL objects in the list have been deleted, this object will be garbage collected. If this object is managed by a controller, then an entry in this list will point to this controller, with the controller field set to true. There cannot be more than one managing controller. +| *`finalizers`* __string array__ | Must be empty before the object is deleted from the registry. Each entry is an identifier for the responsible component that will remove the entry from the list. If the deletionTimestamp of the object is non-nil, entries in this list can only be removed. Finalizers may be processed and removed in any order. Order is NOT enforced because it introduces significant risk of stuck finalizers. finalizers is a shared field, any actor with permission can reorder it. If the finalizer list is processed in order, then this can lead to a situation in which the component responsible for the first finalizer in the list is waiting for a signal (field value, external system, or other) produced by a component responsible for a finalizer later in the list, resulting in a deadlock. Without enforced ordering finalizers are free to order amongst themselves and are not vulnerable to ordering changes in the list. +| *`clusterName`* __string__ | The name of the cluster which the object belongs to. 
This is used to distinguish resources with same name and namespace in different clusters. This field is not set anywhere right now and apiserver is going to ignore it if set in create or update request. +| *`managedFields`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#managedfieldsentry-v1-meta[$$ManagedFieldsEntry$$] array__ | ManagedFields maps workflow-id and version to the set of fields that are managed by that workflow. This is mostly for internal housekeeping, and users typically shouldn't need to set or understand this field. A workflow can be the user's name, a controller's name, or the name of a specific apply path like "ci-cd". The set of fields is always in the version that the workflow used when modifying the object. | *`Spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-identity-whoamirequestspec[$$WhoAmIRequestSpec$$]__ | | *`Status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-identity-whoamirequeststatus[$$WhoAmIRequestStatus$$]__ | |=== diff --git a/generated/1.18/apis/supervisor/config/v1alpha1/types_oidcclient.go b/generated/1.18/apis/supervisor/config/v1alpha1/types_oidcclient.go index 36d86de4..8604a4f1 100644 --- a/generated/1.18/apis/supervisor/config/v1alpha1/types_oidcclient.go +++ b/generated/1.18/apis/supervisor/config/v1alpha1/types_oidcclient.go @@ -88,7 +88,7 @@ type OIDCClientStatus struct { Conditions []Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"` // totalClientSecrets is the current number of client secrets that are detected for this OIDCClient. - TotalClientSecrets int `json:"totalClientSecrets"` + TotalClientSecrets int32 `json:"totalClientSecrets,omitempty"` } // OIDCClient describes the configuration of an OIDC client. diff --git a/generated/1.18/crds/config.supervisor.pinniped.dev_oidcclients.yaml b/generated/1.18/crds/config.supervisor.pinniped.dev_oidcclients.yaml index c61e9c45..76c0cab0 100644 
--- a/generated/1.18/crds/config.supervisor.pinniped.dev_oidcclients.yaml +++ b/generated/1.18/crds/config.supervisor.pinniped.dev_oidcclients.yaml @@ -194,9 +194,8 @@ spec: totalClientSecrets: description: totalClientSecrets is the current number of client secrets that are detected for this OIDCClient. + format: int32 type: integer - required: - - totalClientSecrets type: object required: - spec diff --git a/generated/1.19/README.adoc b/generated/1.19/README.adoc index dee1f150..58e990b4 100644 --- a/generated/1.19/README.adoc +++ b/generated/1.19/README.adoc 
@@ -832,7 +832,30 @@ WhoAmIRequest submits a request to echo back the current authenticated user. [cols="25a,75a", options="header"] |=== | Field | Description -| *`ObjectMeta`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#objectmeta-v1-meta[$$ObjectMeta$$]__ | +| *`name`* __string__ | Name must be unique within a namespace. Is required when creating resources, although some resources may allow a client to request the generation of an appropriate name automatically. Name is primarily intended for creation idempotence and configuration definition. Cannot be updated. More info: http://kubernetes.io/docs/user-guide/identifiers#names +| *`generateName`* __string__ | GenerateName is an optional prefix, used by the server, to generate a unique name ONLY IF the Name field has not been provided. If this field is used, the name returned to the client will be different than the name passed. This value will also be combined with a unique suffix. The provided value has the same validation rules as the Name field, and may be truncated by the length of the suffix required to make the value unique on the server. + If this field is specified and the generated name exists, the server will NOT return a 409 - instead, it will either return 201 Created or 500 with Reason ServerTimeout indicating a unique name could not be found in the time allotted, and the client should retry (optionally after the time indicated in the Retry-After header). + Applied only if Name is not specified. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#idempotency +| *`namespace`* __string__ | Namespace defines the space within which each name must be unique. An empty namespace is equivalent to the "default" namespace, but "default" is the canonical representation. Not all objects are required to be scoped to a namespace - the value of this field for those objects will be empty. + Must be a DNS_LABEL. Cannot be updated. 
More info: http://kubernetes.io/docs/user-guide/namespaces +| *`selfLink`* __string__ | SelfLink is a URL representing this object. Populated by the system. Read-only. + DEPRECATED Kubernetes will stop propagating this field in 1.20 release and the field is planned to be removed in 1.21 release. +| *`uid`* __UID__ | UID is the unique in time and space value for this object. It is typically generated by the server on successful creation of a resource and is not allowed to change on PUT operations. + Populated by the system. Read-only. More info: http://kubernetes.io/docs/user-guide/identifiers#uids +| *`resourceVersion`* __string__ | An opaque value that represents the internal version of this object that can be used by clients to determine when objects have changed. May be used for optimistic concurrency, change detection, and the watch operation on a resource or set of resources. Clients must treat these values as opaque and passed unmodified back to the server. They may only be valid for a particular resource or set of resources. + Populated by the system. Read-only. Value must be treated as opaque by clients and . More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency +| *`generation`* __integer__ | A sequence number representing a specific generation of the desired state. Populated by the system. Read-only. +| *`creationTimestamp`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#time-v1-meta[$$Time$$]__ | CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. + Populated by the system. Read-only. Null for lists. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata +| *`deletionTimestamp`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#time-v1-meta[$$Time$$]__ | DeletionTimestamp is RFC 3339 date and time at which this resource will be deleted. This field is set by the server when a graceful deletion is requested by the user, and is not directly settable by a client. The resource is expected to be deleted (no longer visible from resource lists, and not reachable by name) after the time in this field, once the finalizers list is empty. As long as the finalizers list contains items, deletion is blocked. Once the deletionTimestamp is set, this value may not be unset or be set further into the future, although it may be shortened or the resource may be deleted prior to this time. For example, a user may request that a pod is deleted in 30 seconds. The Kubelet will react by sending a graceful termination signal to the containers in the pod. After that 30 seconds, the Kubelet will send a hard termination signal (SIGKILL) to the container and after cleanup, remove the pod from the API. In the presence of network partitions, this object may still exist after this timestamp, until an administrator or automated process can determine the resource is fully terminated. If not set, graceful deletion of the object has not been requested. + Populated by the system when a graceful deletion is requested. Read-only. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata +| *`deletionGracePeriodSeconds`* __integer__ | Number of seconds allowed for this object to gracefully terminate before it will be removed from the system. Only set when deletionTimestamp is also set. May only be shortened. Read-only. +| *`labels`* __object (keys:string, values:string)__ | Map of string keys and values that can be used to organize and categorize (scope and select) objects. 
May match selectors of replication controllers and services. More info: http://kubernetes.io/docs/user-guide/labels +| *`annotations`* __object (keys:string, values:string)__ | Annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata. They are not queryable and should be preserved when modifying objects. More info: http://kubernetes.io/docs/user-guide/annotations +| *`ownerReferences`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#ownerreference-v1-meta[$$OwnerReference$$] array__ | List of objects depended by this object. If ALL objects in the list have been deleted, this object will be garbage collected. If this object is managed by a controller, then an entry in this list will point to this controller, with the controller field set to true. There cannot be more than one managing controller. +| *`finalizers`* __string array__ | Must be empty before the object is deleted from the registry. Each entry is an identifier for the responsible component that will remove the entry from the list. If the deletionTimestamp of the object is non-nil, entries in this list can only be removed. Finalizers may be processed and removed in any order. Order is NOT enforced because it introduces significant risk of stuck finalizers. finalizers is a shared field, any actor with permission can reorder it. If the finalizer list is processed in order, then this can lead to a situation in which the component responsible for the first finalizer in the list is waiting for a signal (field value, external system, or other) produced by a component responsible for a finalizer later in the list, resulting in a deadlock. Without enforced ordering finalizers are free to order amongst themselves and are not vulnerable to ordering changes in the list. +| *`clusterName`* __string__ | The name of the cluster which the object belongs to. 
This is used to distinguish resources with same name and namespace in different clusters. This field is not set anywhere right now and apiserver is going to ignore it if set in create or update request. +| *`managedFields`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#managedfieldsentry-v1-meta[$$ManagedFieldsEntry$$] array__ | ManagedFields maps workflow-id and version to the set of fields that are managed by that workflow. This is mostly for internal housekeeping, and users typically shouldn't need to set or understand this field. A workflow can be the user's name, a controller's name, or the name of a specific apply path like "ci-cd". The set of fields is always in the version that the workflow used when modifying the object. | *`Spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-identity-whoamirequestspec[$$WhoAmIRequestSpec$$]__ | | *`Status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-identity-whoamirequeststatus[$$WhoAmIRequestStatus$$]__ | |=== diff --git a/generated/1.19/apis/supervisor/config/v1alpha1/types_oidcclient.go b/generated/1.19/apis/supervisor/config/v1alpha1/types_oidcclient.go index 36d86de4..8604a4f1 100644 --- a/generated/1.19/apis/supervisor/config/v1alpha1/types_oidcclient.go +++ b/generated/1.19/apis/supervisor/config/v1alpha1/types_oidcclient.go @@ -88,7 +88,7 @@ type OIDCClientStatus struct { Conditions []Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"` // totalClientSecrets is the current number of client secrets that are detected for this OIDCClient. - TotalClientSecrets int `json:"totalClientSecrets"` + TotalClientSecrets int32 `json:"totalClientSecrets,omitempty"` } // OIDCClient describes the configuration of an OIDC client. diff --git a/generated/1.19/crds/config.supervisor.pinniped.dev_oidcclients.yaml b/generated/1.19/crds/config.supervisor.pinniped.dev_oidcclients.yaml index c61e9c45..76c0cab0 100644 
--- a/generated/1.19/crds/config.supervisor.pinniped.dev_oidcclients.yaml +++ b/generated/1.19/crds/config.supervisor.pinniped.dev_oidcclients.yaml @@ -194,9 +194,8 @@ spec: totalClientSecrets: description: totalClientSecrets is the current number of client secrets that are detected for this OIDCClient. + format: int32 type: integer - required: - - totalClientSecrets type: object required: - spec diff --git a/generated/1.20/README.adoc b/generated/1.20/README.adoc index e70a070d..c733073c 100644 --- a/generated/1.20/README.adoc +++ b/generated/1.20/README.adoc 
@@ -832,7 +832,30 @@ WhoAmIRequest submits a request to echo back the current authenticated user. [cols="25a,75a", options="header"] |=== | Field | Description -| *`ObjectMeta`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.2/#objectmeta-v1-meta[$$ObjectMeta$$]__ | +| *`name`* __string__ | Name must be unique within a namespace. Is required when creating resources, although some resources may allow a client to request the generation of an appropriate name automatically. Name is primarily intended for creation idempotence and configuration definition. Cannot be updated. More info: http://kubernetes.io/docs/user-guide/identifiers#names +| *`generateName`* __string__ | GenerateName is an optional prefix, used by the server, to generate a unique name ONLY IF the Name field has not been provided. If this field is used, the name returned to the client will be different than the name passed. This value will also be combined with a unique suffix. The provided value has the same validation rules as the Name field, and may be truncated by the length of the suffix required to make the value unique on the server. + If this field is specified and the generated name exists, the server will NOT return a 409 - instead, it will either return 201 Created or 500 with Reason ServerTimeout indicating a unique name could not be found in the time allotted, and the client should retry (optionally after the time indicated in the Retry-After header). + Applied only if Name is not specified. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#idempotency +| *`namespace`* __string__ | Namespace defines the space within which each name must be unique. An empty namespace is equivalent to the "default" namespace, but "default" is the canonical representation. Not all objects are required to be scoped to a namespace - the value of this field for those objects will be empty. + Must be a DNS_LABEL. Cannot be updated. 
More info: http://kubernetes.io/docs/user-guide/namespaces +| *`selfLink`* __string__ | SelfLink is a URL representing this object. Populated by the system. Read-only. + DEPRECATED Kubernetes will stop propagating this field in 1.20 release and the field is planned to be removed in 1.21 release. +| *`uid`* __UID__ | UID is the unique in time and space value for this object. It is typically generated by the server on successful creation of a resource and is not allowed to change on PUT operations. + Populated by the system. Read-only. More info: http://kubernetes.io/docs/user-guide/identifiers#uids +| *`resourceVersion`* __string__ | An opaque value that represents the internal version of this object that can be used by clients to determine when objects have changed. May be used for optimistic concurrency, change detection, and the watch operation on a resource or set of resources. Clients must treat these values as opaque and passed unmodified back to the server. They may only be valid for a particular resource or set of resources. + Populated by the system. Read-only. Value must be treated as opaque by clients and . More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency +| *`generation`* __integer__ | A sequence number representing a specific generation of the desired state. Populated by the system. Read-only. +| *`creationTimestamp`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.2/#time-v1-meta[$$Time$$]__ | CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. + Populated by the system. Read-only. Null for lists. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata +| *`deletionTimestamp`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.2/#time-v1-meta[$$Time$$]__ | DeletionTimestamp is RFC 3339 date and time at which this resource will be deleted. This field is set by the server when a graceful deletion is requested by the user, and is not directly settable by a client. The resource is expected to be deleted (no longer visible from resource lists, and not reachable by name) after the time in this field, once the finalizers list is empty. As long as the finalizers list contains items, deletion is blocked. Once the deletionTimestamp is set, this value may not be unset or be set further into the future, although it may be shortened or the resource may be deleted prior to this time. For example, a user may request that a pod is deleted in 30 seconds. The Kubelet will react by sending a graceful termination signal to the containers in the pod. After that 30 seconds, the Kubelet will send a hard termination signal (SIGKILL) to the container and after cleanup, remove the pod from the API. In the presence of network partitions, this object may still exist after this timestamp, until an administrator or automated process can determine the resource is fully terminated. If not set, graceful deletion of the object has not been requested. + Populated by the system when a graceful deletion is requested. Read-only. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata +| *`deletionGracePeriodSeconds`* __integer__ | Number of seconds allowed for this object to gracefully terminate before it will be removed from the system. Only set when deletionTimestamp is also set. May only be shortened. Read-only. +| *`labels`* __object (keys:string, values:string)__ | Map of string keys and values that can be used to organize and categorize (scope and select) objects. 
May match selectors of replication controllers and services. More info: http://kubernetes.io/docs/user-guide/labels +| *`annotations`* __object (keys:string, values:string)__ | Annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata. They are not queryable and should be preserved when modifying objects. More info: http://kubernetes.io/docs/user-guide/annotations +| *`ownerReferences`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.2/#ownerreference-v1-meta[$$OwnerReference$$] array__ | List of objects depended by this object. If ALL objects in the list have been deleted, this object will be garbage collected. If this object is managed by a controller, then an entry in this list will point to this controller, with the controller field set to true. There cannot be more than one managing controller. +| *`finalizers`* __string array__ | Must be empty before the object is deleted from the registry. Each entry is an identifier for the responsible component that will remove the entry from the list. If the deletionTimestamp of the object is non-nil, entries in this list can only be removed. Finalizers may be processed and removed in any order. Order is NOT enforced because it introduces significant risk of stuck finalizers. finalizers is a shared field, any actor with permission can reorder it. If the finalizer list is processed in order, then this can lead to a situation in which the component responsible for the first finalizer in the list is waiting for a signal (field value, external system, or other) produced by a component responsible for a finalizer later in the list, resulting in a deadlock. Without enforced ordering finalizers are free to order amongst themselves and are not vulnerable to ordering changes in the list. +| *`clusterName`* __string__ | The name of the cluster which the object belongs to. 
This is used to distinguish resources with same name and namespace in different clusters. This field is not set anywhere right now and apiserver is going to ignore it if set in create or update request. +| *`managedFields`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.2/#managedfieldsentry-v1-meta[$$ManagedFieldsEntry$$] array__ | ManagedFields maps workflow-id and version to the set of fields that are managed by that workflow. This is mostly for internal housekeeping, and users typically shouldn't need to set or understand this field. A workflow can be the user's name, a controller's name, or the name of a specific apply path like "ci-cd". The set of fields is always in the version that the workflow used when modifying the object. | *`Spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-concierge-identity-whoamirequestspec[$$WhoAmIRequestSpec$$]__ | | *`Status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-concierge-identity-whoamirequeststatus[$$WhoAmIRequestStatus$$]__ | |=== diff --git a/generated/1.20/apis/supervisor/config/v1alpha1/types_oidcclient.go b/generated/1.20/apis/supervisor/config/v1alpha1/types_oidcclient.go index 36d86de4..8604a4f1 100644 --- a/generated/1.20/apis/supervisor/config/v1alpha1/types_oidcclient.go +++ b/generated/1.20/apis/supervisor/config/v1alpha1/types_oidcclient.go @@ -88,7 +88,7 @@ type OIDCClientStatus struct { Conditions []Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"` // totalClientSecrets is the current number of client secrets that are detected for this OIDCClient. - TotalClientSecrets int `json:"totalClientSecrets"` + TotalClientSecrets int32 `json:"totalClientSecrets,omitempty"` } // OIDCClient describes the configuration of an OIDC client. diff --git a/generated/1.20/crds/config.supervisor.pinniped.dev_oidcclients.yaml b/generated/1.20/crds/config.supervisor.pinniped.dev_oidcclients.yaml index c61e9c45..76c0cab0 100644 
--- a/generated/1.20/crds/config.supervisor.pinniped.dev_oidcclients.yaml +++ b/generated/1.20/crds/config.supervisor.pinniped.dev_oidcclients.yaml @@ -194,9 +194,8 @@ spec: totalClientSecrets: description: totalClientSecrets is the current number of client secrets that are detected for this OIDCClient. + format: int32 type: integer - required: - - totalClientSecrets type: object required: - spec diff --git a/generated/1.21/README.adoc b/generated/1.21/README.adoc index 3d106f96..c786695e 100644 --- a/generated/1.21/README.adoc +++ b/generated/1.21/README.adoc 
@@ -832,7 +832,30 @@ WhoAmIRequest submits a request to echo back the current authenticated user. [cols="25a,75a", options="header"] |=== | Field | Description -| *`ObjectMeta`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.21/#objectmeta-v1-meta[$$ObjectMeta$$]__ | +| *`name`* __string__ | Name must be unique within a namespace. Is required when creating resources, although some resources may allow a client to request the generation of an appropriate name automatically. Name is primarily intended for creation idempotence and configuration definition. Cannot be updated. More info: http://kubernetes.io/docs/user-guide/identifiers#names +| *`generateName`* __string__ | GenerateName is an optional prefix, used by the server, to generate a unique name ONLY IF the Name field has not been provided. If this field is used, the name returned to the client will be different than the name passed. This value will also be combined with a unique suffix. The provided value has the same validation rules as the Name field, and may be truncated by the length of the suffix required to make the value unique on the server. + If this field is specified and the generated name exists, the server will NOT return a 409 - instead, it will either return 201 Created or 500 with Reason ServerTimeout indicating a unique name could not be found in the time allotted, and the client should retry (optionally after the time indicated in the Retry-After header). + Applied only if Name is not specified. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#idempotency +| *`namespace`* __string__ | Namespace defines the space within which each name must be unique. An empty namespace is equivalent to the "default" namespace, but "default" is the canonical representation. Not all objects are required to be scoped to a namespace - the value of this field for those objects will be empty. + Must be a DNS_LABEL. Cannot be updated. 
More info: http://kubernetes.io/docs/user-guide/namespaces +| *`selfLink`* __string__ | SelfLink is a URL representing this object. Populated by the system. Read-only. + DEPRECATED Kubernetes will stop propagating this field in 1.20 release and the field is planned to be removed in 1.21 release. +| *`uid`* __UID__ | UID is the unique in time and space value for this object. It is typically generated by the server on successful creation of a resource and is not allowed to change on PUT operations. + Populated by the system. Read-only. More info: http://kubernetes.io/docs/user-guide/identifiers#uids +| *`resourceVersion`* __string__ | An opaque value that represents the internal version of this object that can be used by clients to determine when objects have changed. May be used for optimistic concurrency, change detection, and the watch operation on a resource or set of resources. Clients must treat these values as opaque and passed unmodified back to the server. They may only be valid for a particular resource or set of resources. + Populated by the system. Read-only. Value must be treated as opaque by clients and . More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency +| *`generation`* __integer__ | A sequence number representing a specific generation of the desired state. Populated by the system. Read-only. +| *`creationTimestamp`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.21/#time-v1-meta[$$Time$$]__ | CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. + Populated by the system. Read-only. Null for lists. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata +| *`deletionTimestamp`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.21/#time-v1-meta[$$Time$$]__ | DeletionTimestamp is RFC 3339 date and time at which this resource will be deleted. This field is set by the server when a graceful deletion is requested by the user, and is not directly settable by a client. The resource is expected to be deleted (no longer visible from resource lists, and not reachable by name) after the time in this field, once the finalizers list is empty. As long as the finalizers list contains items, deletion is blocked. Once the deletionTimestamp is set, this value may not be unset or be set further into the future, although it may be shortened or the resource may be deleted prior to this time. For example, a user may request that a pod is deleted in 30 seconds. The Kubelet will react by sending a graceful termination signal to the containers in the pod. After that 30 seconds, the Kubelet will send a hard termination signal (SIGKILL) to the container and after cleanup, remove the pod from the API. In the presence of network partitions, this object may still exist after this timestamp, until an administrator or automated process can determine the resource is fully terminated. If not set, graceful deletion of the object has not been requested. + Populated by the system when a graceful deletion is requested. Read-only. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata +| *`deletionGracePeriodSeconds`* __integer__ | Number of seconds allowed for this object to gracefully terminate before it will be removed from the system. Only set when deletionTimestamp is also set. May only be shortened. Read-only. +| *`labels`* __object (keys:string, values:string)__ | Map of string keys and values that can be used to organize and categorize (scope and select) objects. 
May match selectors of replication controllers and services. More info: http://kubernetes.io/docs/user-guide/labels +| *`annotations`* __object (keys:string, values:string)__ | Annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata. They are not queryable and should be preserved when modifying objects. More info: http://kubernetes.io/docs/user-guide/annotations +| *`ownerReferences`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.21/#ownerreference-v1-meta[$$OwnerReference$$] array__ | List of objects depended by this object. If ALL objects in the list have been deleted, this object will be garbage collected. If this object is managed by a controller, then an entry in this list will point to this controller, with the controller field set to true. There cannot be more than one managing controller. +| *`finalizers`* __string array__ | Must be empty before the object is deleted from the registry. Each entry is an identifier for the responsible component that will remove the entry from the list. If the deletionTimestamp of the object is non-nil, entries in this list can only be removed. Finalizers may be processed and removed in any order. Order is NOT enforced because it introduces significant risk of stuck finalizers. finalizers is a shared field, any actor with permission can reorder it. If the finalizer list is processed in order, then this can lead to a situation in which the component responsible for the first finalizer in the list is waiting for a signal (field value, external system, or other) produced by a component responsible for a finalizer later in the list, resulting in a deadlock. Without enforced ordering finalizers are free to order amongst themselves and are not vulnerable to ordering changes in the list. +| *`clusterName`* __string__ | The name of the cluster which the object belongs to. 
This is used to distinguish resources with same name and namespace in different clusters. This field is not set anywhere right now and apiserver is going to ignore it if set in create or update request. +| *`managedFields`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.21/#managedfieldsentry-v1-meta[$$ManagedFieldsEntry$$] array__ | ManagedFields maps workflow-id and version to the set of fields that are managed by that workflow. This is mostly for internal housekeeping, and users typically shouldn't need to set or understand this field. A workflow can be the user's name, a controller's name, or the name of a specific apply path like "ci-cd". The set of fields is always in the version that the workflow used when modifying the object. | *`Spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-concierge-identity-whoamirequestspec[$$WhoAmIRequestSpec$$]__ | | *`Status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-concierge-identity-whoamirequeststatus[$$WhoAmIRequestStatus$$]__ | |=== diff --git a/generated/1.21/apis/supervisor/config/v1alpha1/types_oidcclient.go b/generated/1.21/apis/supervisor/config/v1alpha1/types_oidcclient.go index 36d86de4..8604a4f1 100644 --- a/generated/1.21/apis/supervisor/config/v1alpha1/types_oidcclient.go +++ b/generated/1.21/apis/supervisor/config/v1alpha1/types_oidcclient.go @@ -88,7 +88,7 @@ type OIDCClientStatus struct { Conditions []Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"` // totalClientSecrets is the current number of client secrets that are detected for this OIDCClient. - TotalClientSecrets int `json:"totalClientSecrets"` + TotalClientSecrets int32 `json:"totalClientSecrets,omitempty"` } // OIDCClient describes the configuration of an OIDC client. diff --git a/generated/1.21/crds/config.supervisor.pinniped.dev_oidcclients.yaml b/generated/1.21/crds/config.supervisor.pinniped.dev_oidcclients.yaml index c61e9c45..76c0cab0 100644 
--- a/generated/1.21/crds/config.supervisor.pinniped.dev_oidcclients.yaml +++ b/generated/1.21/crds/config.supervisor.pinniped.dev_oidcclients.yaml @@ -194,9 +194,8 @@ spec: totalClientSecrets: description: totalClientSecrets is the current number of client secrets that are detected for this OIDCClient. + format: int32 type: integer - required: - - totalClientSecrets type: object required: - spec diff --git a/generated/1.22/README.adoc b/generated/1.22/README.adoc index 36a03dd1..8dc774ea 100644 --- a/generated/1.22/README.adoc +++ b/generated/1.22/README.adoc 
@@ -832,7 +832,30 @@ WhoAmIRequest submits a request to echo back the current authenticated user. [cols="25a,75a", options="header"] |=== | Field | Description -| *`ObjectMeta`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.22/#objectmeta-v1-meta[$$ObjectMeta$$]__ | +| *`name`* __string__ | Name must be unique within a namespace. Is required when creating resources, although some resources may allow a client to request the generation of an appropriate name automatically. Name is primarily intended for creation idempotence and configuration definition. Cannot be updated. More info: http://kubernetes.io/docs/user-guide/identifiers#names +| *`generateName`* __string__ | GenerateName is an optional prefix, used by the server, to generate a unique name ONLY IF the Name field has not been provided. If this field is used, the name returned to the client will be different than the name passed. This value will also be combined with a unique suffix. The provided value has the same validation rules as the Name field, and may be truncated by the length of the suffix required to make the value unique on the server. + If this field is specified and the generated name exists, the server will NOT return a 409 - instead, it will either return 201 Created or 500 with Reason ServerTimeout indicating a unique name could not be found in the time allotted, and the client should retry (optionally after the time indicated in the Retry-After header). + Applied only if Name is not specified. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#idempotency +| *`namespace`* __string__ | Namespace defines the space within which each name must be unique. An empty namespace is equivalent to the "default" namespace, but "default" is the canonical representation. Not all objects are required to be scoped to a namespace - the value of this field for those objects will be empty. + Must be a DNS_LABEL. Cannot be updated. 
More info: http://kubernetes.io/docs/user-guide/namespaces +| *`selfLink`* __string__ | SelfLink is a URL representing this object. Populated by the system. Read-only. + DEPRECATED Kubernetes will stop propagating this field in 1.20 release and the field is planned to be removed in 1.21 release. +| *`uid`* __UID__ | UID is the unique in time and space value for this object. It is typically generated by the server on successful creation of a resource and is not allowed to change on PUT operations. + Populated by the system. Read-only. More info: http://kubernetes.io/docs/user-guide/identifiers#uids +| *`resourceVersion`* __string__ | An opaque value that represents the internal version of this object that can be used by clients to determine when objects have changed. May be used for optimistic concurrency, change detection, and the watch operation on a resource or set of resources. Clients must treat these values as opaque and passed unmodified back to the server. They may only be valid for a particular resource or set of resources. + Populated by the system. Read-only. Value must be treated as opaque by clients and . More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency +| *`generation`* __integer__ | A sequence number representing a specific generation of the desired state. Populated by the system. Read-only. +| *`creationTimestamp`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.22/#time-v1-meta[$$Time$$]__ | CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. + Populated by the system. Read-only. Null for lists. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata +| *`deletionTimestamp`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.22/#time-v1-meta[$$Time$$]__ | DeletionTimestamp is RFC 3339 date and time at which this resource will be deleted. This field is set by the server when a graceful deletion is requested by the user, and is not directly settable by a client. The resource is expected to be deleted (no longer visible from resource lists, and not reachable by name) after the time in this field, once the finalizers list is empty. As long as the finalizers list contains items, deletion is blocked. Once the deletionTimestamp is set, this value may not be unset or be set further into the future, although it may be shortened or the resource may be deleted prior to this time. For example, a user may request that a pod is deleted in 30 seconds. The Kubelet will react by sending a graceful termination signal to the containers in the pod. After that 30 seconds, the Kubelet will send a hard termination signal (SIGKILL) to the container and after cleanup, remove the pod from the API. In the presence of network partitions, this object may still exist after this timestamp, until an administrator or automated process can determine the resource is fully terminated. If not set, graceful deletion of the object has not been requested. + Populated by the system when a graceful deletion is requested. Read-only. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata +| *`deletionGracePeriodSeconds`* __integer__ | Number of seconds allowed for this object to gracefully terminate before it will be removed from the system. Only set when deletionTimestamp is also set. May only be shortened. Read-only. +| *`labels`* __object (keys:string, values:string)__ | Map of string keys and values that can be used to organize and categorize (scope and select) objects. 
May match selectors of replication controllers and services. More info: http://kubernetes.io/docs/user-guide/labels +| *`annotations`* __object (keys:string, values:string)__ | Annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata. They are not queryable and should be preserved when modifying objects. More info: http://kubernetes.io/docs/user-guide/annotations +| *`ownerReferences`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.22/#ownerreference-v1-meta[$$OwnerReference$$] array__ | List of objects depended by this object. If ALL objects in the list have been deleted, this object will be garbage collected. If this object is managed by a controller, then an entry in this list will point to this controller, with the controller field set to true. There cannot be more than one managing controller. +| *`finalizers`* __string array__ | Must be empty before the object is deleted from the registry. Each entry is an identifier for the responsible component that will remove the entry from the list. If the deletionTimestamp of the object is non-nil, entries in this list can only be removed. Finalizers may be processed and removed in any order. Order is NOT enforced because it introduces significant risk of stuck finalizers. finalizers is a shared field, any actor with permission can reorder it. If the finalizer list is processed in order, then this can lead to a situation in which the component responsible for the first finalizer in the list is waiting for a signal (field value, external system, or other) produced by a component responsible for a finalizer later in the list, resulting in a deadlock. Without enforced ordering finalizers are free to order amongst themselves and are not vulnerable to ordering changes in the list. +| *`clusterName`* __string__ | The name of the cluster which the object belongs to. 
This is used to distinguish resources with same name and namespace in different clusters. This field is not set anywhere right now and apiserver is going to ignore it if set in create or update request. +| *`managedFields`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.22/#managedfieldsentry-v1-meta[$$ManagedFieldsEntry$$] array__ | ManagedFields maps workflow-id and version to the set of fields that are managed by that workflow. This is mostly for internal housekeeping, and users typically shouldn't need to set or understand this field. A workflow can be the user's name, a controller's name, or the name of a specific apply path like "ci-cd". The set of fields is always in the version that the workflow used when modifying the object. | *`Spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-concierge-identity-whoamirequestspec[$$WhoAmIRequestSpec$$]__ | | *`Status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-concierge-identity-whoamirequeststatus[$$WhoAmIRequestStatus$$]__ | |=== diff --git a/generated/1.22/apis/supervisor/config/v1alpha1/types_oidcclient.go b/generated/1.22/apis/supervisor/config/v1alpha1/types_oidcclient.go index 36d86de4..8604a4f1 100644 --- a/generated/1.22/apis/supervisor/config/v1alpha1/types_oidcclient.go +++ b/generated/1.22/apis/supervisor/config/v1alpha1/types_oidcclient.go @@ -88,7 +88,7 @@ type OIDCClientStatus struct { Conditions []Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"` // totalClientSecrets is the current number of client secrets that are detected for this OIDCClient. - TotalClientSecrets int `json:"totalClientSecrets"` + TotalClientSecrets int32 `json:"totalClientSecrets,omitempty"` } // OIDCClient describes the configuration of an OIDC client. diff --git a/generated/1.22/crds/config.supervisor.pinniped.dev_oidcclients.yaml b/generated/1.22/crds/config.supervisor.pinniped.dev_oidcclients.yaml index c61e9c45..76c0cab0 100644 
--- a/generated/1.22/crds/config.supervisor.pinniped.dev_oidcclients.yaml +++ b/generated/1.22/crds/config.supervisor.pinniped.dev_oidcclients.yaml @@ -194,9 +194,8 @@ spec: totalClientSecrets: description: totalClientSecrets is the current number of client secrets that are detected for this OIDCClient. + format: int32 type: integer - required: - - totalClientSecrets type: object required: - spec diff --git a/generated/1.23/README.adoc b/generated/1.23/README.adoc index ca8875dc..159caab6 100644 --- a/generated/1.23/README.adoc +++ b/generated/1.23/README.adoc 
@@ -832,7 +832,30 @@ WhoAmIRequest submits a request to echo back the current authenticated user. [cols="25a,75a", options="header"] |=== | Field | Description -| *`ObjectMeta`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#objectmeta-v1-meta[$$ObjectMeta$$]__ | +| *`name`* __string__ | Name must be unique within a namespace. Is required when creating resources, although some resources may allow a client to request the generation of an appropriate name automatically. Name is primarily intended for creation idempotence and configuration definition. Cannot be updated. More info: http://kubernetes.io/docs/user-guide/identifiers#names +| *`generateName`* __string__ | GenerateName is an optional prefix, used by the server, to generate a unique name ONLY IF the Name field has not been provided. If this field is used, the name returned to the client will be different than the name passed. This value will also be combined with a unique suffix. The provided value has the same validation rules as the Name field, and may be truncated by the length of the suffix required to make the value unique on the server. + If this field is specified and the generated name exists, the server will NOT return a 409 - instead, it will either return 201 Created or 500 with Reason ServerTimeout indicating a unique name could not be found in the time allotted, and the client should retry (optionally after the time indicated in the Retry-After header). + Applied only if Name is not specified. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#idempotency +| *`namespace`* __string__ | Namespace defines the space within which each name must be unique. An empty namespace is equivalent to the "default" namespace, but "default" is the canonical representation. Not all objects are required to be scoped to a namespace - the value of this field for those objects will be empty. + Must be a DNS_LABEL. Cannot be updated. 
More info: http://kubernetes.io/docs/user-guide/namespaces +| *`selfLink`* __string__ | SelfLink is a URL representing this object. Populated by the system. Read-only. + DEPRECATED Kubernetes will stop propagating this field in 1.20 release and the field is planned to be removed in 1.21 release. +| *`uid`* __UID__ | UID is the unique in time and space value for this object. It is typically generated by the server on successful creation of a resource and is not allowed to change on PUT operations. + Populated by the system. Read-only. More info: http://kubernetes.io/docs/user-guide/identifiers#uids +| *`resourceVersion`* __string__ | An opaque value that represents the internal version of this object that can be used by clients to determine when objects have changed. May be used for optimistic concurrency, change detection, and the watch operation on a resource or set of resources. Clients must treat these values as opaque and passed unmodified back to the server. They may only be valid for a particular resource or set of resources. + Populated by the system. Read-only. Value must be treated as opaque by clients and . More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency +| *`generation`* __integer__ | A sequence number representing a specific generation of the desired state. Populated by the system. Read-only. +| *`creationTimestamp`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#time-v1-meta[$$Time$$]__ | CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. + Populated by the system. Read-only. Null for lists. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata +| *`deletionTimestamp`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#time-v1-meta[$$Time$$]__ | DeletionTimestamp is RFC 3339 date and time at which this resource will be deleted. This field is set by the server when a graceful deletion is requested by the user, and is not directly settable by a client. The resource is expected to be deleted (no longer visible from resource lists, and not reachable by name) after the time in this field, once the finalizers list is empty. As long as the finalizers list contains items, deletion is blocked. Once the deletionTimestamp is set, this value may not be unset or be set further into the future, although it may be shortened or the resource may be deleted prior to this time. For example, a user may request that a pod is deleted in 30 seconds. The Kubelet will react by sending a graceful termination signal to the containers in the pod. After that 30 seconds, the Kubelet will send a hard termination signal (SIGKILL) to the container and after cleanup, remove the pod from the API. In the presence of network partitions, this object may still exist after this timestamp, until an administrator or automated process can determine the resource is fully terminated. If not set, graceful deletion of the object has not been requested. + Populated by the system when a graceful deletion is requested. Read-only. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata +| *`deletionGracePeriodSeconds`* __integer__ | Number of seconds allowed for this object to gracefully terminate before it will be removed from the system. Only set when deletionTimestamp is also set. May only be shortened. Read-only. +| *`labels`* __object (keys:string, values:string)__ | Map of string keys and values that can be used to organize and categorize (scope and select) objects. 
May match selectors of replication controllers and services. More info: http://kubernetes.io/docs/user-guide/labels +| *`annotations`* __object (keys:string, values:string)__ | Annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata. They are not queryable and should be preserved when modifying objects. More info: http://kubernetes.io/docs/user-guide/annotations +| *`ownerReferences`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#ownerreference-v1-meta[$$OwnerReference$$] array__ | List of objects depended by this object. If ALL objects in the list have been deleted, this object will be garbage collected. If this object is managed by a controller, then an entry in this list will point to this controller, with the controller field set to true. There cannot be more than one managing controller. +| *`finalizers`* __string array__ | Must be empty before the object is deleted from the registry. Each entry is an identifier for the responsible component that will remove the entry from the list. If the deletionTimestamp of the object is non-nil, entries in this list can only be removed. Finalizers may be processed and removed in any order. Order is NOT enforced because it introduces significant risk of stuck finalizers. finalizers is a shared field, any actor with permission can reorder it. If the finalizer list is processed in order, then this can lead to a situation in which the component responsible for the first finalizer in the list is waiting for a signal (field value, external system, or other) produced by a component responsible for a finalizer later in the list, resulting in a deadlock. Without enforced ordering finalizers are free to order amongst themselves and are not vulnerable to ordering changes in the list. +| *`clusterName`* __string__ | The name of the cluster which the object belongs to. 
This is used to distinguish resources with same name and namespace in different clusters. This field is not set anywhere right now and apiserver is going to ignore it if set in create or update request. +| *`managedFields`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#managedfieldsentry-v1-meta[$$ManagedFieldsEntry$$] array__ | ManagedFields maps workflow-id and version to the set of fields that are managed by that workflow. This is mostly for internal housekeeping, and users typically shouldn't need to set or understand this field. A workflow can be the user's name, a controller's name, or the name of a specific apply path like "ci-cd". The set of fields is always in the version that the workflow used when modifying the object. | *`Spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-concierge-identity-whoamirequestspec[$$WhoAmIRequestSpec$$]__ | | *`Status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-concierge-identity-whoamirequeststatus[$$WhoAmIRequestStatus$$]__ | |=== diff --git a/generated/1.23/apis/supervisor/config/v1alpha1/types_oidcclient.go b/generated/1.23/apis/supervisor/config/v1alpha1/types_oidcclient.go index 36d86de4..8604a4f1 100644 --- a/generated/1.23/apis/supervisor/config/v1alpha1/types_oidcclient.go +++ b/generated/1.23/apis/supervisor/config/v1alpha1/types_oidcclient.go @@ -88,7 +88,7 @@ type OIDCClientStatus struct { Conditions []Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"` // totalClientSecrets is the current number of client secrets that are detected for this OIDCClient. - TotalClientSecrets int `json:"totalClientSecrets"` + TotalClientSecrets int32 `json:"totalClientSecrets,omitempty"` } // OIDCClient describes the configuration of an OIDC client. diff --git a/generated/1.23/crds/config.supervisor.pinniped.dev_oidcclients.yaml b/generated/1.23/crds/config.supervisor.pinniped.dev_oidcclients.yaml index c61e9c45..76c0cab0 100644 
--- a/generated/1.23/crds/config.supervisor.pinniped.dev_oidcclients.yaml +++ b/generated/1.23/crds/config.supervisor.pinniped.dev_oidcclients.yaml @@ -194,9 +194,8 @@ spec: totalClientSecrets: description: totalClientSecrets is the current number of client secrets that are detected for this OIDCClient. + format: int32 type: integer - required: - - totalClientSecrets type: object required: - spec diff --git a/generated/1.24/README.adoc b/generated/1.24/README.adoc index 73328c0e..6c4bf632 100644 --- a/generated/1.24/README.adoc +++ b/generated/1.24/README.adoc 
@@ -832,7 +832,30 @@ WhoAmIRequest submits a request to echo back the current authenticated user. [cols="25a,75a", options="header"] |=== | Field | Description -| *`ObjectMeta`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#objectmeta-v1-meta[$$ObjectMeta$$]__ | +| *`name`* __string__ | Name must be unique within a namespace. Is required when creating resources, although some resources may allow a client to request the generation of an appropriate name automatically. Name is primarily intended for creation idempotence and configuration definition. Cannot be updated. More info: http://kubernetes.io/docs/user-guide/identifiers#names +| *`generateName`* __string__ | GenerateName is an optional prefix, used by the server, to generate a unique name ONLY IF the Name field has not been provided. If this field is used, the name returned to the client will be different than the name passed. This value will also be combined with a unique suffix. The provided value has the same validation rules as the Name field, and may be truncated by the length of the suffix required to make the value unique on the server. + If this field is specified and the generated name exists, the server will return a 409. + Applied only if Name is not specified. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#idempotency +| *`namespace`* __string__ | Namespace defines the space within which each name must be unique. An empty namespace is equivalent to the "default" namespace, but "default" is the canonical representation. Not all objects are required to be scoped to a namespace - the value of this field for those objects will be empty. + Must be a DNS_LABEL. Cannot be updated. More info: http://kubernetes.io/docs/user-guide/namespaces +| *`selfLink`* __string__ | Deprecated: selfLink is a legacy read-only field that is no longer populated by the system. 
+| *`uid`* __UID__ | UID is the unique in time and space value for this object. It is typically generated by the server on successful creation of a resource and is not allowed to change on PUT operations. + Populated by the system. Read-only. More info: http://kubernetes.io/docs/user-guide/identifiers#uids +| *`resourceVersion`* __string__ | An opaque value that represents the internal version of this object that can be used by clients to determine when objects have changed. May be used for optimistic concurrency, change detection, and the watch operation on a resource or set of resources. Clients must treat these values as opaque and passed unmodified back to the server. They may only be valid for a particular resource or set of resources. + Populated by the system. Read-only. Value must be treated as opaque by clients and . More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency +| *`generation`* __integer__ | A sequence number representing a specific generation of the desired state. Populated by the system. Read-only. +| *`creationTimestamp`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#time-v1-meta[$$Time$$]__ | CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. + Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata +| *`deletionTimestamp`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#time-v1-meta[$$Time$$]__ | DeletionTimestamp is RFC 3339 date and time at which this resource will be deleted. This field is set by the server when a graceful deletion is requested by the user, and is not directly settable by a client. 
The resource is expected to be deleted (no longer visible from resource lists, and not reachable by name) after the time in this field, once the finalizers list is empty. As long as the finalizers list contains items, deletion is blocked. Once the deletionTimestamp is set, this value may not be unset or be set further into the future, although it may be shortened or the resource may be deleted prior to this time. For example, a user may request that a pod is deleted in 30 seconds. The Kubelet will react by sending a graceful termination signal to the containers in the pod. After that 30 seconds, the Kubelet will send a hard termination signal (SIGKILL) to the container and after cleanup, remove the pod from the API. In the presence of network partitions, this object may still exist after this timestamp, until an administrator or automated process can determine the resource is fully terminated. If not set, graceful deletion of the object has not been requested. + Populated by the system when a graceful deletion is requested. Read-only. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata +| *`deletionGracePeriodSeconds`* __integer__ | Number of seconds allowed for this object to gracefully terminate before it will be removed from the system. Only set when deletionTimestamp is also set. May only be shortened. Read-only. +| *`labels`* __object (keys:string, values:string)__ | Map of string keys and values that can be used to organize and categorize (scope and select) objects. May match selectors of replication controllers and services. More info: http://kubernetes.io/docs/user-guide/labels +| *`annotations`* __object (keys:string, values:string)__ | Annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata. They are not queryable and should be preserved when modifying objects. 
More info: http://kubernetes.io/docs/user-guide/annotations +| *`ownerReferences`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#ownerreference-v1-meta[$$OwnerReference$$] array__ | List of objects depended by this object. If ALL objects in the list have been deleted, this object will be garbage collected. If this object is managed by a controller, then an entry in this list will point to this controller, with the controller field set to true. There cannot be more than one managing controller. +| *`finalizers`* __string array__ | Must be empty before the object is deleted from the registry. Each entry is an identifier for the responsible component that will remove the entry from the list. If the deletionTimestamp of the object is non-nil, entries in this list can only be removed. Finalizers may be processed and removed in any order. Order is NOT enforced because it introduces significant risk of stuck finalizers. finalizers is a shared field, any actor with permission can reorder it. If the finalizer list is processed in order, then this can lead to a situation in which the component responsible for the first finalizer in the list is waiting for a signal (field value, external system, or other) produced by a component responsible for a finalizer later in the list, resulting in a deadlock. Without enforced ordering finalizers are free to order amongst themselves and are not vulnerable to ordering changes in the list. +| *`clusterName`* __string__ | Deprecated: ClusterName is a legacy field that was always cleared by the system and never used; it will be removed completely in 1.25. + The name in the go struct is changed to help clients detect accidental use. +| *`managedFields`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#managedfieldsentry-v1-meta[$$ManagedFieldsEntry$$] array__ | ManagedFields maps workflow-id and version to the set of fields that are managed by that workflow. 
This is mostly for internal housekeeping, and users typically shouldn't need to set or understand this field. A workflow can be the user's name, a controller's name, or the name of a specific apply path like "ci-cd". The set of fields is always in the version that the workflow used when modifying the object. | *`Spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-concierge-identity-whoamirequestspec[$$WhoAmIRequestSpec$$]__ | | *`Status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-concierge-identity-whoamirequeststatus[$$WhoAmIRequestStatus$$]__ | |=== diff --git a/generated/1.24/apis/supervisor/config/v1alpha1/types_oidcclient.go b/generated/1.24/apis/supervisor/config/v1alpha1/types_oidcclient.go index 36d86de4..8604a4f1 100644 --- a/generated/1.24/apis/supervisor/config/v1alpha1/types_oidcclient.go +++ b/generated/1.24/apis/supervisor/config/v1alpha1/types_oidcclient.go @@ -88,7 +88,7 @@ type OIDCClientStatus struct { Conditions []Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"` // totalClientSecrets is the current number of client secrets that are detected for this OIDCClient. - TotalClientSecrets int `json:"totalClientSecrets"` + TotalClientSecrets int32 `json:"totalClientSecrets,omitempty"` } // OIDCClient describes the configuration of an OIDC client. diff --git a/generated/1.24/crds/config.supervisor.pinniped.dev_oidcclients.yaml b/generated/1.24/crds/config.supervisor.pinniped.dev_oidcclients.yaml index c61e9c45..76c0cab0 100644 --- a/generated/1.24/crds/config.supervisor.pinniped.dev_oidcclients.yaml +++ b/generated/1.24/crds/config.supervisor.pinniped.dev_oidcclients.yaml @@ -194,9 +194,8 @@ spec: totalClientSecrets: description: totalClientSecrets is the current number of client secrets that are detected for this OIDCClient. + format: int32 type: integer - required: - - totalClientSecrets type: object required: - spec 
diff --git a/generated/latest/apis/supervisor/config/v1alpha1/types_oidcclient.go b/generated/latest/apis/supervisor/config/v1alpha1/types_oidcclient.go
index 36d86de4..8604a4f1 100644
--- a/generated/latest/apis/supervisor/config/v1alpha1/types_oidcclient.go
+++ b/generated/latest/apis/supervisor/config/v1alpha1/types_oidcclient.go
@@ -88,7 +88,7 @@ type OIDCClientStatus struct {
 Conditions []Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"`
 
 // totalClientSecrets is the current number of client secrets that are detected for this OIDCClient.
- TotalClientSecrets int `json:"totalClientSecrets"`
+ TotalClientSecrets int32 `json:"totalClientSecrets,omitempty"`
 }
 
 // OIDCClient describes the configuration of an OIDC client.
diff --git a/internal/controller/supervisorconfig/oidcclientwatcher/oidc_client_watcher.go b/internal/controller/supervisorconfig/oidcclientwatcher/oidc_client_watcher.go
index 34d82941..eb6ab992 100644
--- a/internal/controller/supervisorconfig/oidcclientwatcher/oidc_client_watcher.go
+++ b/internal/controller/supervisorconfig/oidcclientwatcher/oidc_client_watcher.go
@@ -344,7 +344,7 @@ func (c *oidcClientWatcherController) updateStatus(
 updated.Status.Phase = v1alpha1.PhaseError
 }
 
- updated.Status.TotalClientSecrets = totalClientSecrets
+ updated.Status.TotalClientSecrets = int32(totalClientSecrets)
 
 if equality.Semantic.DeepEqual(upstream, updated) {
 return nil
From e0ecdc004b6aa062def800dff1e785a7c5ff5bdc Mon Sep 17 00:00:00 2001
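Review bot: `updated.Status.TotalClientSecrets = int32(totalClientSecrets)` is an unchecked narrowing conversion from `int`; the value comes from a count of stored secrets and is realistically tiny, so this is a readability point rather than a risk, but a reader has to work that out. A one-line comment such as `// totalClientSecrets is a small non-negative count, so the int32 narrowing cannot truncate` at the assignment would record that reasoning. Note also that with `omitempty` on the API field a zero count is no longer serialized, which matches the CRD dropping it from `required` in the earlier hunks. The body of updateStatus starts and ends outside this hunk.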
From: Ryan Richard Date: Thu, 14 Jul 2022 09:51:11 -0700 Subject: [PATCH 31/61] Allow dynamic clients to be used in downstream OIDC flows This is only a first commit towards making this feature work. - Hook dynamic clients into fosite by returning them from the storage interface (after finding and validating them) - In the auth endpoint, prevent the use of the username and password headers for dynamic clients to force them to use the browser-based login flows for all the upstream types - Add happy path integration tests in supervisor_login_test.go - Add lots of comments (and some small refactors) in supervisor_login_test.go to make it much easier to understand - Add lots of unit tests for the auth endpoint regarding dynamic clients (more unit tests to be added for other endpoints in follow-up commits) - Enhance crud.go to make lifetime=0 mean never garbage collect, since we want client secret storage Secrets to last forever - Move the OIDCClient validation code to a package where it can be shared between the controller and the fosite storage interface - Make shared test helpers for tests that need to create OIDC client secret storage Secrets - Create a public const for "pinniped-cli" now that we are using that string in several places in the production code --- .../oidcclientwatcher/oidc_client_watcher.go | 211 +------ .../oidc_client_watcher_test.go | 105 +--- internal/crud/crud.go | 11 +- internal/crud/crud_test.go | 69 ++- internal/oidc/auth/auth_handler.go | 22 +- internal/oidc/auth/auth_handler_test.go | 535 +++++++++++++++++- internal/oidc/callback/callback_handler.go | 4 +- .../oidc/callback/callback_handler_test.go | 4 +- .../oidc/clientregistry/clientregistry.go | 158 +++++- .../clientregistry/clientregistry_test.go | 242 +++++++- internal/oidc/kube_storage.go | 6 +- internal/oidc/login/post_login_handler.go | 2 + .../oidc/login/post_login_handler_test.go | 4 +- internal/oidc/nullstorage.go | 13 +- .../oidcclientvalidator.go | 235 ++++++++ 
internal/oidc/provider/manager/manager.go | 20 +- .../oidc/provider/manager/manager_test.go | 7 +- internal/oidc/token/token_handler_test.go | 4 +- internal/oidc/token_exchange.go | 6 +- .../oidcclientsecretstorage.go | 27 +- .../oidcclientsecretstorage_test.go | 27 + internal/supervisor/server/server.go | 1 + internal/testutil/oidcclientsecretstorage.go | 51 ++ test/integration/supervisor_login_test.go | 241 ++++++-- .../supervisor_oidc_client_test.go | 22 +- test/integration/supervisor_warnings_test.go | 16 +- test/testlib/activedirectory.go | 14 +- test/testlib/client.go | 96 +++- 28 files changed, 1692 insertions(+), 461 deletions(-) create mode 100644 internal/oidc/oidcclientvalidator/oidcclientvalidator.go create mode 100644 internal/testutil/oidcclientsecretstorage.go diff --git a/internal/controller/supervisorconfig/oidcclientwatcher/oidc_client_watcher.go b/internal/controller/supervisorconfig/oidcclientwatcher/oidc_client_watcher.go index eb6ab992..12123731 100644 --- a/internal/controller/supervisorconfig/oidcclientwatcher/oidc_client_watcher.go +++ b/internal/controller/supervisorconfig/oidcclientwatcher/oidc_client_watcher.go @@ -8,9 +8,6 @@ import ( "fmt" "strings" - "github.com/coreos/go-oidc/v3/oidc" - "golang.org/x/crypto/bcrypt" - v1 "k8s.io/api/core/v1" "k8s.io/apimachinery/pkg/api/equality" k8serrors "k8s.io/apimachinery/pkg/api/errors" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" 
@@ -23,37 +20,14 @@ import (
 pinnipedcontroller "go.pinniped.dev/internal/controller"
 "go.pinniped.dev/internal/controller/conditionsutil"
 "go.pinniped.dev/internal/controllerlib"
+ "go.pinniped.dev/internal/oidc/oidcclientvalidator"
 "go.pinniped.dev/internal/oidcclientsecretstorage"
 "go.pinniped.dev/internal/plog"
 )
 
 const (
- clientSecretExists = "ClientSecretExists"
- allowedGrantTypesValid = "AllowedGrantTypesValid"
- allowedScopesValid = "AllowedScopesValid"
-
- reasonSuccess = "Success"
- reasonMissingRequiredValue = "MissingRequiredValue"
- reasonNoClientSecretFound = "NoClientSecretFound"
- reasonInvalidClientSecretFound = "InvalidClientSecretFound"
-
- authorizationCodeGrantTypeName = "authorization_code"
- refreshTokenGrantTypeName = "refresh_token"
- tokenExchangeGrantTypeName = "urn:ietf:params:oauth:grant-type:token-exchange" //nolint:gosec // this is not a credential
-
- openidScopeName = oidc.ScopeOpenID
- offlineAccessScopeName = oidc.ScopeOfflineAccess
- requestAudienceScopeName = "pinniped:request-audience"
- usernameScopeName = "username"
- groupsScopeName = "groups"
-
- allowedGrantTypesFieldName = "allowedGrantTypes"
- allowedScopesFieldName = "allowedScopes"
-
 secretTypeToObserve = "storage.pinniped.dev/oidc-client-secret" //nolint:gosec // this is not a credential
 oidcClientPrefixToObserve = "client.oauth.pinniped.dev-" //nolint:gosec // this is not a credential
-
- minimumRequiredBcryptCost = 15
 )
 
 type oidcClientWatcherController struct {
@@ -133,9 +107,9 @@ func (c *oidcClientWatcherController) Sync(ctx controllerlib.Context) error {
 secret = nil
 }
 
- conditions, totalClientSecrets := validateOIDCClient(oidcClient, secret)
+ _, conditions, clientSecrets := oidcclientvalidator.Validate(oidcClient, secret)
 
- if err := c.updateStatus(ctx.Context, oidcClient, conditions, totalClientSecrets); err != nil {
+ if err := c.updateStatus(ctx.Context, oidcClient, conditions, len(clientSecrets)); err != nil {
 return fmt.Errorf("cannot update OIDCClient '%s/%s': %w", oidcClient.Namespace, oidcClient.Name, err)
 }
 
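Review bot: The meaning of the `totalClientSecrets` status field changes here without the API documentation following: it is now `len(clientSecrets)`, the slice the validator hands back, and the updated test case in the `@@ -500,10 +456,11 @@` hunk of oidc_client_watcher_test.go expects 0 when three hashes are stored but some are invalid ("none will be used"), whereas the field's doc comment in types_oidcclient.go (visible in the previous patch) still says it is "the current number of client secrets that are detected for this OIDCClient". Rejecting the whole set when any hash is malformed or below the minimum bcrypt cost is a sound fail-closed choice, so the fix is documentation: change the API comment to `// totalClientSecrets is the current number of valid client secrets that are detected for this OIDCClient; it is zero when any stored client secret is invalid.` and carry the same wording into the generated CRD description. The first return value of `oidcclientvalidator.Validate` is discarded with `_`; if it is an overall validity flag, a short comment saying why the controller does not need it here would help, since Sync's body starts and ends outside this hunk.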
@@ -150,185 +124,6 @@ func (c *oidcClientWatcherController) Sync(ctx controllerlib.Context) error { return nil } -// validateOIDCClient validates the OIDCClient and its corresponding client secret storage Secret. -// When the corresponding client secret storage Secret was not found, pass nil to this function to -// get the validation error for that case. It returns a slice of conditions along with the number -// of client secrets found. -func validateOIDCClient(oidcClient *v1alpha1.OIDCClient, secret *v1.Secret) ([]*v1alpha1.Condition, int) { - c, totalClientSecrets := validateSecret(secret, make([]*v1alpha1.Condition, 0, 3)) - c = validateAllowedGrantTypes(oidcClient, c) - c = validateAllowedScopes(oidcClient, c) - return c, totalClientSecrets -} - -// validateAllowedScopes checks if allowedScopes is valid on the OIDCClient. -func validateAllowedScopes(oidcClient *v1alpha1.OIDCClient, conditions []*v1alpha1.Condition) []*v1alpha1.Condition { - m := make([]string, 0, 4) - - if !allowedScopesContains(oidcClient, openidScopeName) { - m = append(m, fmt.Sprintf("%q must always be included in %q", openidScopeName, allowedScopesFieldName)) - } - if allowedGrantTypesContains(oidcClient, refreshTokenGrantTypeName) && !allowedScopesContains(oidcClient, offlineAccessScopeName) { - m = append(m, fmt.Sprintf("%q must be included in %q when %q is included in %q", - offlineAccessScopeName, allowedScopesFieldName, refreshTokenGrantTypeName, allowedGrantTypesFieldName)) - } - if allowedScopesContains(oidcClient, requestAudienceScopeName) && - (!allowedScopesContains(oidcClient, usernameScopeName) || !allowedScopesContains(oidcClient, groupsScopeName)) { - m = append(m, fmt.Sprintf("%q and %q must be included in %q when %q is included in %q", - usernameScopeName, groupsScopeName, allowedScopesFieldName, requestAudienceScopeName, allowedScopesFieldName)) - } - if allowedGrantTypesContains(oidcClient, tokenExchangeGrantTypeName) && !allowedScopesContains(oidcClient, 
requestAudienceScopeName) { - m = append(m, fmt.Sprintf("%q must be included in %q when %q is included in %q", - requestAudienceScopeName, allowedScopesFieldName, tokenExchangeGrantTypeName, allowedGrantTypesFieldName)) - } - - if len(m) == 0 { - conditions = append(conditions, &v1alpha1.Condition{ - Type: allowedScopesValid, - Status: v1alpha1.ConditionTrue, - Reason: reasonSuccess, - Message: fmt.Sprintf("%q is valid", allowedScopesFieldName), - }) - } else { - conditions = append(conditions, &v1alpha1.Condition{ - Type: allowedScopesValid, - Status: v1alpha1.ConditionFalse, - Reason: reasonMissingRequiredValue, - Message: strings.Join(m, "; "), - }) - } - - return conditions -} - -// validateAllowedGrantTypes checks if allowedGrantTypes is valid on the OIDCClient. -func validateAllowedGrantTypes(oidcClient *v1alpha1.OIDCClient, conditions []*v1alpha1.Condition) []*v1alpha1.Condition { - m := make([]string, 0, 3) - - if !allowedGrantTypesContains(oidcClient, authorizationCodeGrantTypeName) { - m = append(m, fmt.Sprintf("%q must always be included in %q", - authorizationCodeGrantTypeName, allowedGrantTypesFieldName)) - } - if allowedScopesContains(oidcClient, offlineAccessScopeName) && !allowedGrantTypesContains(oidcClient, refreshTokenGrantTypeName) { - m = append(m, fmt.Sprintf("%q must be included in %q when %q is included in %q", - refreshTokenGrantTypeName, allowedGrantTypesFieldName, offlineAccessScopeName, allowedScopesFieldName)) - } - if allowedScopesContains(oidcClient, requestAudienceScopeName) && !allowedGrantTypesContains(oidcClient, tokenExchangeGrantTypeName) { - m = append(m, fmt.Sprintf("%q must be included in %q when %q is included in %q", - tokenExchangeGrantTypeName, allowedGrantTypesFieldName, requestAudienceScopeName, allowedScopesFieldName)) - } - - if len(m) == 0 { - conditions = append(conditions, &v1alpha1.Condition{ - Type: allowedGrantTypesValid, - Status: v1alpha1.ConditionTrue, - Reason: reasonSuccess, - Message: fmt.Sprintf("%q is 
valid", allowedGrantTypesFieldName), - }) - } else { - conditions = append(conditions, &v1alpha1.Condition{ - Type: allowedGrantTypesValid, - Status: v1alpha1.ConditionFalse, - Reason: reasonMissingRequiredValue, - Message: strings.Join(m, "; "), - }) - } - - return conditions -} - -// validateSecret checks if the client secret storage Secret is valid and contains at least one client secret. -// It returns the updated conditions slice along with the number of client secrets found. -func validateSecret(secret *v1.Secret, conditions []*v1alpha1.Condition) ([]*v1alpha1.Condition, int) { - if secret == nil { - // Invalid: no storage Secret found. - conditions = append(conditions, &v1alpha1.Condition{ - Type: clientSecretExists, - Status: v1alpha1.ConditionFalse, - Reason: reasonNoClientSecretFound, - Message: "no client secret found (no Secret storage found)", - }) - return conditions, 0 - } - - storedClientSecret, err := oidcclientsecretstorage.ReadFromSecret(secret) - if err != nil { - // Invalid: storage Secret exists but its data could not be parsed. - conditions = append(conditions, &v1alpha1.Condition{ - Type: clientSecretExists, - Status: v1alpha1.ConditionFalse, - Reason: reasonNoClientSecretFound, - Message: fmt.Sprintf("error reading client secret storage: %s", err.Error()), - }) - return conditions, 0 - } - - // Successfully read the stored client secrets, so check if there are any stored in the list. - storedClientSecretsCount := len(storedClientSecret.SecretHashes) - if storedClientSecretsCount == 0 { - // Invalid: no client secrets stored. - conditions = append(conditions, &v1alpha1.Condition{ - Type: clientSecretExists, - Status: v1alpha1.ConditionFalse, - Reason: reasonNoClientSecretFound, - Message: "no client secret found (empty list in storage)", - }) - return conditions, 0 - } - - // Check each hashed password's format and bcrypt cost. 
- bcryptErrs := make([]string, 0, storedClientSecretsCount) - for i, p := range storedClientSecret.SecretHashes { - cost, err := bcrypt.Cost([]byte(p)) - if err != nil { - bcryptErrs = append(bcryptErrs, fmt.Sprintf( - "hashed client secret at index %d: %s", - i, err.Error())) - } else if cost < minimumRequiredBcryptCost { - bcryptErrs = append(bcryptErrs, fmt.Sprintf( - "hashed client secret at index %d: bcrypt cost %d is below the required minimum of %d", - i, cost, minimumRequiredBcryptCost)) - } - } - if len(bcryptErrs) > 0 { - // Invalid: some stored client secrets were not valid. - conditions = append(conditions, &v1alpha1.Condition{ - Type: clientSecretExists, - Status: v1alpha1.ConditionFalse, - Reason: reasonInvalidClientSecretFound, - Message: strings.Join(bcryptErrs, "; "), - }) - return conditions, storedClientSecretsCount - } - - // Valid: has at least one client secret stored for this OIDC client, and all stored client secrets are valid. - conditions = append(conditions, &v1alpha1.Condition{ - Type: clientSecretExists, - Status: v1alpha1.ConditionTrue, - Reason: reasonSuccess, - Message: fmt.Sprintf("%d client secret(s) found", storedClientSecretsCount), - }) - return conditions, storedClientSecretsCount -} - -func allowedGrantTypesContains(haystack *v1alpha1.OIDCClient, needle string) bool { - for _, hay := range haystack.Spec.AllowedGrantTypes { - if hay == v1alpha1.GrantType(needle) { - return true - } - } - return false -} - -func allowedScopesContains(haystack *v1alpha1.OIDCClient, needle string) bool { - for _, hay := range haystack.Spec.AllowedScopes { - if hay == v1alpha1.Scope(needle) { - return true - } - } - return false -} - func (c *oidcClientWatcherController) updateStatus( ctx context.Context, upstream *v1alpha1.OIDCClient, diff --git a/internal/controller/supervisorconfig/oidcclientwatcher/oidc_client_watcher_test.go b/internal/controller/supervisorconfig/oidcclientwatcher/oidc_client_watcher_test.go index 92a0d358..b1d147fe 100644 
--- a/internal/controller/supervisorconfig/oidcclientwatcher/oidc_client_watcher_test.go +++ b/internal/controller/supervisorconfig/oidcclientwatcher/oidc_client_watcher_test.go @@ -5,9 +5,7 @@ package oidcclientwatcher import ( "context" - "encoding/base32" "fmt" - "strings" "testing" "time" 
@@ -257,51 +255,6 @@ func TestOIDCClientWatcherControllerSync(t *testing.T) { } } - secretNameForUID := func(uid string) string { - // See GetName() in OIDCClientSecretStorage for how the production code determines the Secret name. - // This test helper is intended to choose the same name. - return "pinniped-storage-oidc-client-secret-" + - strings.ToLower(base32.StdEncoding.WithPadding(base32.NoPadding).EncodeToString([]byte(uid))) - } - - secretStringDataWithZeroClientSecrets := map[string][]byte{ - "pinniped-storage-data": []byte(`{"version":"1","hashes":[]}`), - "pinniped-storage-version": []byte("1"), - } - - secretStringDataWithOneClientSecret := map[string][]byte{ - "pinniped-storage-data": []byte(`{"version":"1","hashes":["` + testBcryptSecret1 + `"]}`), - "pinniped-storage-version": []byte("1"), - } - - secretStringDataWithTwoClientSecrets := map[string][]byte{ - "pinniped-storage-data": []byte(`{"version":"1","hashes":["` + testBcryptSecret1 + `","` + testBcryptSecret2 + `"]}`), - "pinniped-storage-version": []byte("1"), - } - - secretStringDataWithSomeInvalidClientSecrets := map[string][]byte{ - "pinniped-storage-data": []byte(`{"version":"1","hashes":["` + - testBcryptSecret1 + `","` + testInvalidBcryptSecretCostTooLow + `","` + testInvalidBcryptSecretInvalidFormat + `"]}`), - "pinniped-storage-version": []byte("1"), - } - - secretStringDataWithWrongVersion := map[string][]byte{ - "pinniped-storage-data": []byte(`{"version":"wrong-version","hashes":[]}`), - "pinniped-storage-version": []byte("1"), - } - - storageSecretForUIDWithData := func(uid string, data map[string][]byte) *corev1.Secret { - return &corev1.Secret{ - ObjectMeta: metav1.ObjectMeta{ - Namespace: testNamespace, - Name: secretNameForUID(uid), - Labels: map[string]string{"storage.pinniped.dev/type": "oidc-client-secret"}, - }, - Type: "storage.pinniped.dev/oidc-client-secret", - Data: data, - } - } - tests := []struct { name string inputObjects []runtime.Object 
@@ -338,7 +291,7 @@ func TestOIDCClientWatcherControllerSync(t *testing.T) { }, }, }, - inputSecrets: []runtime.Object{storageSecretForUIDWithData(testUID, secretStringDataWithOneClientSecret)}, + inputSecrets: []runtime.Object{testutil.OIDCClientSecretStorageSecretForUID(t, testNamespace, testUID, []string{testBcryptSecret1})}, wantAPIActions: 1, // one update wantResultingOIDCClients: []configv1alpha1.OIDCClient{ { @@ -367,7 +320,7 @@ func TestOIDCClientWatcherControllerSync(t *testing.T) { AllowedScopes: []configv1alpha1.Scope{"openid"}, }, }}, - inputSecrets: []runtime.Object{storageSecretForUIDWithData(testUID, secretStringDataWithTwoClientSecrets)}, + inputSecrets: []runtime.Object{testutil.OIDCClientSecretStorageSecretForUID(t, testNamespace, testUID, []string{testBcryptSecret1, testBcryptSecret2})}, wantAPIActions: 1, // one update wantResultingOIDCClients: []configv1alpha1.OIDCClient{{ ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234, UID: testUID}, @@ -400,7 +353,7 @@ func TestOIDCClientWatcherControllerSync(t *testing.T) { TotalClientSecrets: 1, }, }}, - inputSecrets: []runtime.Object{storageSecretForUIDWithData(testUID, secretStringDataWithOneClientSecret)}, + inputSecrets: []runtime.Object{testutil.OIDCClientSecretStorageSecretForUID(t, testNamespace, testUID, []string{testBcryptSecret1})}, wantAPIActions: 0, // no updates wantResultingOIDCClients: []configv1alpha1.OIDCClient{{ ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234, UID: testUID}, 
@@ -443,7 +396,7 @@ func TestOIDCClientWatcherControllerSync(t *testing.T) { AllowedScopes: []configv1alpha1.Scope{"openid"}, }, }}, - inputSecrets: []runtime.Object{storageSecretForUIDWithData(testUID, secretStringDataWithWrongVersion)}, + inputSecrets: []runtime.Object{testutil.OIDCClientSecretStorageSecretForUIDWithWrongVersion(t, testNamespace, testUID)}, wantAPIActions: 1, // one update wantResultingOIDCClients: []configv1alpha1.OIDCClient{{ ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234, UID: testUID}, @@ -466,7 +419,7 @@ func TestOIDCClientWatcherControllerSync(t *testing.T) { AllowedScopes: []configv1alpha1.Scope{"openid"}, }, }}, - inputSecrets: []runtime.Object{storageSecretForUIDWithData(testUID, secretStringDataWithZeroClientSecrets)}, + inputSecrets: []runtime.Object{testutil.OIDCClientSecretStorageSecretForUID(t, testNamespace, testUID, []string{})}, wantAPIActions: 1, // one update wantResultingOIDCClients: []configv1alpha1.OIDCClient{{ ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234, UID: testUID}, @@ -490,7 +443,10 @@ func TestOIDCClientWatcherControllerSync(t *testing.T) { AllowedScopes: []configv1alpha1.Scope{"openid"}, }, }}, - inputSecrets: []runtime.Object{storageSecretForUIDWithData(testUID, secretStringDataWithSomeInvalidClientSecrets)}, + inputSecrets: []runtime.Object{ + testutil.OIDCClientSecretStorageSecretForUID(t, testNamespace, testUID, + []string{testBcryptSecret1, testInvalidBcryptSecretCostTooLow, testInvalidBcryptSecretInvalidFormat}), + }, wantAPIActions: 1, // one update wantResultingOIDCClients: []configv1alpha1.OIDCClient{{ ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234, UID: testUID}, 
@@ -500,10 +456,11 @@ func TestOIDCClientWatcherControllerSync(t *testing.T) { happyAllowedGrantTypesCondition(now, 1234), happyAllowedScopesCondition(now, 1234), sadInvalidClientSecretsCondition(now, 1234, - "hashed client secret at index 1: bcrypt cost 14 is below the required minimum of 15; "+ + "3 stored client secrets found, but some were invalid, so none will be used: "+ + "hashed client secret at index 1: bcrypt cost 14 is below the required minimum of 15; "+ "hashed client secret at index 2: crypto/bcrypt: hashedSecret too short to be a bcrypted password"), }, - TotalClientSecrets: 3, + TotalClientSecrets: 0, }, }}, }, @@ -522,7 +479,7 @@ func TestOIDCClientWatcherControllerSync(t *testing.T) { Spec: configv1alpha1.OIDCClientSpec{}, }, }, - inputSecrets: []runtime.Object{storageSecretForUIDWithData("uid1", secretStringDataWithOneClientSecret)}, + inputSecrets: []runtime.Object{testutil.OIDCClientSecretStorageSecretForUID(t, testNamespace, "uid1", []string{testBcryptSecret1})}, wantAPIActions: 2, // one update for each OIDCClient wantResultingOIDCClients: []configv1alpha1.OIDCClient{ { @@ -570,7 +527,7 @@ func TestOIDCClientWatcherControllerSync(t *testing.T) { TotalClientSecrets: 1, }, }}, - inputSecrets: []runtime.Object{storageSecretForUIDWithData(testUID, secretStringDataWithOneClientSecret)}, + inputSecrets: []runtime.Object{testutil.OIDCClientSecretStorageSecretForUID(t, testNamespace, testUID, []string{testBcryptSecret1})}, wantAPIActions: 1, // one update wantResultingOIDCClients: []configv1alpha1.OIDCClient{{ ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 4567, UID: testUID}, 
@@ -596,7 +553,7 @@ func TestOIDCClientWatcherControllerSync(t *testing.T) { }, }}, wantAPIActions: 1, // one update - inputSecrets: []runtime.Object{storageSecretForUIDWithData(testUID, secretStringDataWithOneClientSecret)}, + inputSecrets: []runtime.Object{testutil.OIDCClientSecretStorageSecretForUID(t, testNamespace, testUID, []string{testBcryptSecret1})}, wantResultingOIDCClients: []configv1alpha1.OIDCClient{{ ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234, UID: testUID}, Status: configv1alpha1.OIDCClientStatus{ @@ -620,7 +577,7 @@ func TestOIDCClientWatcherControllerSync(t *testing.T) { }, }}, wantAPIActions: 1, // one update - inputSecrets: []runtime.Object{storageSecretForUIDWithData(testUID, secretStringDataWithOneClientSecret)}, + inputSecrets: []runtime.Object{testutil.OIDCClientSecretStorageSecretForUID(t, testNamespace, testUID, []string{testBcryptSecret1})}, wantResultingOIDCClients: []configv1alpha1.OIDCClient{{ ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234, UID: testUID}, Status: configv1alpha1.OIDCClientStatus{ @@ -649,7 +606,7 @@ func TestOIDCClientWatcherControllerSync(t *testing.T) { }, }}, wantAPIActions: 1, // one update - inputSecrets: []runtime.Object{storageSecretForUIDWithData(testUID, secretStringDataWithOneClientSecret)}, + inputSecrets: []runtime.Object{testutil.OIDCClientSecretStorageSecretForUID(t, testNamespace, testUID, []string{testBcryptSecret1})}, wantResultingOIDCClients: []configv1alpha1.OIDCClient{{ ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234, UID: testUID}, Status: configv1alpha1.OIDCClientStatus{ 
@@ -676,7 +633,7 @@ func TestOIDCClientWatcherControllerSync(t *testing.T) { AllowedScopes: []configv1alpha1.Scope{"openid", "pinniped:request-audience", "username", "groups"}, }, }}, - inputSecrets: []runtime.Object{storageSecretForUIDWithData(testUID, secretStringDataWithOneClientSecret)}, + inputSecrets: []runtime.Object{testutil.OIDCClientSecretStorageSecretForUID(t, testNamespace, testUID, []string{testBcryptSecret1})}, wantAPIActions: 1, // one update wantResultingOIDCClients: []configv1alpha1.OIDCClient{{ ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234, UID: testUID}, @@ -700,7 +657,7 @@ func TestOIDCClientWatcherControllerSync(t *testing.T) { AllowedScopes: []configv1alpha1.Scope{"openid"}, }, }}, - inputSecrets: []runtime.Object{storageSecretForUIDWithData(testUID, secretStringDataWithOneClientSecret)}, + inputSecrets: []runtime.Object{testutil.OIDCClientSecretStorageSecretForUID(t, testNamespace, testUID, []string{testBcryptSecret1})}, wantAPIActions: 1, // one update wantResultingOIDCClients: []configv1alpha1.OIDCClient{{ ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234, UID: testUID}, @@ -724,7 +681,7 @@ func TestOIDCClientWatcherControllerSync(t *testing.T) { AllowedScopes: []configv1alpha1.Scope{"openid", "pinniped:request-audience"}, }, }}, - inputSecrets: []runtime.Object{storageSecretForUIDWithData(testUID, secretStringDataWithOneClientSecret)}, + inputSecrets: []runtime.Object{testutil.OIDCClientSecretStorageSecretForUID(t, testNamespace, testUID, []string{testBcryptSecret1})}, wantAPIActions: 1, // one update wantResultingOIDCClients: []configv1alpha1.OIDCClient{{ ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234, UID: testUID}, 
@@ -748,7 +705,7 @@ func TestOIDCClientWatcherControllerSync(t *testing.T) { AllowedScopes: []configv1alpha1.Scope{"openid", "pinniped:request-audience", "groups"}, }, }}, - inputSecrets: []runtime.Object{storageSecretForUIDWithData(testUID, secretStringDataWithOneClientSecret)}, + inputSecrets: []runtime.Object{testutil.OIDCClientSecretStorageSecretForUID(t, testNamespace, testUID, []string{testBcryptSecret1})}, wantAPIActions: 1, // one update wantResultingOIDCClients: []configv1alpha1.OIDCClient{{ ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234, UID: testUID}, @@ -772,7 +729,7 @@ func TestOIDCClientWatcherControllerSync(t *testing.T) { AllowedScopes: []configv1alpha1.Scope{"openid", "pinniped:request-audience", "username"}, }, }}, - inputSecrets: []runtime.Object{storageSecretForUIDWithData(testUID, secretStringDataWithOneClientSecret)}, + inputSecrets: []runtime.Object{testutil.OIDCClientSecretStorageSecretForUID(t, testNamespace, testUID, []string{testBcryptSecret1})}, wantAPIActions: 1, // one update wantResultingOIDCClients: []configv1alpha1.OIDCClient{{ ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234, UID: testUID}, @@ -796,7 +753,7 @@ func TestOIDCClientWatcherControllerSync(t *testing.T) { AllowedScopes: []configv1alpha1.Scope{"openid"}, }, }}, - inputSecrets: []runtime.Object{storageSecretForUIDWithData(testUID, secretStringDataWithOneClientSecret)}, + inputSecrets: []runtime.Object{testutil.OIDCClientSecretStorageSecretForUID(t, testNamespace, testUID, []string{testBcryptSecret1})}, wantAPIActions: 1, // one update wantResultingOIDCClients: []configv1alpha1.OIDCClient{{ ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234, UID: testUID}, 
@@ -820,7 +777,7 @@ func TestOIDCClientWatcherControllerSync(t *testing.T) { AllowedScopes: []configv1alpha1.Scope{"openid", "offline_access", "pinniped:request-audience", "username", "groups"}, }, }}, - inputSecrets: []runtime.Object{storageSecretForUIDWithData(testUID, secretStringDataWithOneClientSecret)}, + inputSecrets: []runtime.Object{testutil.OIDCClientSecretStorageSecretForUID(t, testNamespace, testUID, []string{testBcryptSecret1})}, wantAPIActions: 1, // one update wantResultingOIDCClients: []configv1alpha1.OIDCClient{{ ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234, UID: testUID}, @@ -844,7 +801,7 @@ func TestOIDCClientWatcherControllerSync(t *testing.T) { AllowedScopes: []configv1alpha1.Scope{"openid", "offline_access"}, }, }}, - inputSecrets: []runtime.Object{storageSecretForUIDWithData(testUID, secretStringDataWithOneClientSecret)}, + inputSecrets: []runtime.Object{testutil.OIDCClientSecretStorageSecretForUID(t, testNamespace, testUID, []string{testBcryptSecret1})}, wantAPIActions: 1, // one update wantResultingOIDCClients: []configv1alpha1.OIDCClient{{ ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234, UID: testUID}, @@ -868,7 +825,7 @@ func TestOIDCClientWatcherControllerSync(t *testing.T) { AllowedScopes: []configv1alpha1.Scope{"openid", "offline_access", "username"}, }, }}, - inputSecrets: []runtime.Object{storageSecretForUIDWithData(testUID, secretStringDataWithOneClientSecret)}, + inputSecrets: []runtime.Object{testutil.OIDCClientSecretStorageSecretForUID(t, testNamespace, testUID, []string{testBcryptSecret1})}, wantAPIActions: 1, // one update wantResultingOIDCClients: []configv1alpha1.OIDCClient{{ ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234, UID: testUID}, 
@@ -892,7 +849,7 @@ func TestOIDCClientWatcherControllerSync(t *testing.T) { AllowedScopes: []configv1alpha1.Scope{"openid", "offline_access", "groups"}, }, }}, - inputSecrets: []runtime.Object{storageSecretForUIDWithData(testUID, secretStringDataWithOneClientSecret)}, + inputSecrets: []runtime.Object{testutil.OIDCClientSecretStorageSecretForUID(t, testNamespace, testUID, []string{testBcryptSecret1})}, wantAPIActions: 1, // one update wantResultingOIDCClients: []configv1alpha1.OIDCClient{{ ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234, UID: testUID}, @@ -916,7 +873,7 @@ func TestOIDCClientWatcherControllerSync(t *testing.T) { AllowedScopes: []configv1alpha1.Scope{"openid", "offline_access", "username", "groups"}, }, }}, - inputSecrets: []runtime.Object{storageSecretForUIDWithData(testUID, secretStringDataWithOneClientSecret)}, + inputSecrets: []runtime.Object{testutil.OIDCClientSecretStorageSecretForUID(t, testNamespace, testUID, []string{testBcryptSecret1})}, wantAPIActions: 1, // one update wantResultingOIDCClients: []configv1alpha1.OIDCClient{{ ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234, UID: testUID}, @@ -940,7 +897,7 @@ func TestOIDCClientWatcherControllerSync(t *testing.T) { AllowedScopes: []configv1alpha1.Scope{"openid", "username"}, }, }}, - inputSecrets: []runtime.Object{storageSecretForUIDWithData(testUID, secretStringDataWithOneClientSecret)}, + inputSecrets: []runtime.Object{testutil.OIDCClientSecretStorageSecretForUID(t, testNamespace, testUID, []string{testBcryptSecret1})}, wantAPIActions: 1, // one update wantResultingOIDCClients: []configv1alpha1.OIDCClient{{ ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234, UID: testUID}, 
@@ -964,7 +921,7 @@ func TestOIDCClientWatcherControllerSync(t *testing.T) { AllowedScopes: []configv1alpha1.Scope{"openid", "username"}, }, }}, - inputSecrets: []runtime.Object{storageSecretForUIDWithData(testUID, secretStringDataWithOneClientSecret)}, + inputSecrets: []runtime.Object{testutil.OIDCClientSecretStorageSecretForUID(t, testNamespace, testUID, []string{testBcryptSecret1})}, wantAPIActions: 1, // one update wantResultingOIDCClients: []configv1alpha1.OIDCClient{{ ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234, UID: testUID}, @@ -988,7 +945,7 @@ func TestOIDCClientWatcherControllerSync(t *testing.T) { AllowedScopes: []configv1alpha1.Scope{"openid", "username", "groups"}, }, }}, - inputSecrets: []runtime.Object{storageSecretForUIDWithData(testUID, secretStringDataWithOneClientSecret)}, + inputSecrets: []runtime.Object{testutil.OIDCClientSecretStorageSecretForUID(t, testNamespace, testUID, []string{testBcryptSecret1})}, wantAPIActions: 1, // one update wantResultingOIDCClients: []configv1alpha1.OIDCClient{{ ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234, UID: testUID}, diff --git a/internal/crud/crud.go b/internal/crud/crud.go index 29ad6b65..2d33959a 100644 --- a/internal/crud/crud.go +++ b/internal/crud/crud.go 
@@ -193,14 +193,19 @@ func (s *secretsStorage) toSecret(signature, resourceVersion string, data JSON, labelsToAdd[labelName] = labelValue } + var annotations map[string]string + if s.lifetime > 0 { + annotations = map[string]string{ + SecretLifetimeAnnotationKey: s.clock().Add(s.lifetime).UTC().Format(SecretLifetimeAnnotationDateFormat), + } + } + return &corev1.Secret{ ObjectMeta: metav1.ObjectMeta{ Name: s.GetName(signature), ResourceVersion: resourceVersion, Labels: labelsToAdd, - Annotations: map[string]string{ - SecretLifetimeAnnotationKey: s.clock().Add(s.lifetime).UTC().Format(SecretLifetimeAnnotationDateFormat), - }, + Annotations: annotations, OwnerReferences: nil, }, Data: map[string][]byte{ diff --git a/internal/crud/crud_test.go b/internal/crud/crud_test.go index 61720a0f..25ffdfad 100644 --- a/internal/crud/crud_test.go +++ b/internal/crud/crud_test.go @@ -62,6 +62,7 @@ func TestStorage(t *testing.T) { name string resource string mocks func(*testing.T, mocker) + lifetime func() time.Duration run func(*testing.T, Storage, *clocktesting.FakeClock) error wantActions []coretesting.Action wantSecrets []corev1.Secret 
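Review bot: The new `if s.lifetime > 0` guard makes every non-positive lifetime, including a negative one, mean "never garbage collect", whereas before this change a negative lifetime produced an already-expired annotation that the collector would act on promptly. If only zero is meant to mean infinite (the new crud_test.go case says `// 0 == infinity`), either reject negative values in the constructor or document the contract on the field, e.g. `// lifetime is how long a stored Secret lives before garbage collection; 0 means forever (no lifetime annotation is written).` Because the annotation is presumably what the garbage collector keys on, Secrets created with lifetime 0 will accumulate until some other path deletes them, which is worth stating in that comment. toSecret begins and ends outside this hunk.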
@@ -1014,7 +1015,69 @@ func TestStorage(t *testing.T) { }, wantErr: "", }, + { + name: "create and get with infinite lifetime when lifetime is specified as zero", + resource: "access-tokens", + mocks: nil, + lifetime: func() time.Duration { return 0 }, // 0 == infinity + run: func(t *testing.T, storage Storage, fakeClock *clocktesting.FakeClock) error { + signature := hmac.AuthorizeCodeSignature(authorizationCode1) + require.NotEmpty(t, signature) + require.NotEmpty(t, validateSecretName(signature, false)) // signature is not valid secret name as-is + + data := &testJSON{Data: "create-and-get"} + rv1, err := storage.Create(ctx, signature, data, nil) + require.Empty(t, rv1) // fake client does not set this + require.NoError(t, err) + + out := &testJSON{} + rv2, err := storage.Get(ctx, signature, out) + require.Empty(t, rv2) // fake client does not set this + require.NoError(t, err) + require.Equal(t, data, out) + + return nil + }, + wantActions: []coretesting.Action{ + coretesting.NewCreateAction(secretsGVR, namespace, &corev1.Secret{ + ObjectMeta: metav1.ObjectMeta{ + Name: "pinniped-storage-access-tokens-i6mhp4azwdxshgsy3s2mvedxpxuh3nudh3ot3m4xamlugj4e6qoq", + ResourceVersion: "", + // No garbage collection annotation was added. + Labels: map[string]string{ + "storage.pinniped.dev/type": "access-tokens", + }, + }, + Data: map[string][]byte{ + "pinniped-storage-data": []byte(`{"Data":"create-and-get"}`), + "pinniped-storage-version": []byte("1"), + }, + Type: "storage.pinniped.dev/access-tokens", + }), + coretesting.NewGetAction(secretsGVR, namespace, "pinniped-storage-access-tokens-i6mhp4azwdxshgsy3s2mvedxpxuh3nudh3ot3m4xamlugj4e6qoq"), + }, + wantSecrets: []corev1.Secret{ + { + ObjectMeta: metav1.ObjectMeta{ + Name: "pinniped-storage-access-tokens-i6mhp4azwdxshgsy3s2mvedxpxuh3nudh3ot3m4xamlugj4e6qoq", + Namespace: namespace, + ResourceVersion: "", + // No garbage collection annotation was added. 
+ Labels: map[string]string{ + "storage.pinniped.dev/type": "access-tokens", + }, + }, + Data: map[string][]byte{ + "pinniped-storage-data": []byte(`{"Data":"create-and-get"}`), + "pinniped-storage-version": []byte("1"), + }, + Type: "storage.pinniped.dev/access-tokens", + }, + }, + wantErr: "", + }, } + for _, tt := range tests { tt := tt t.Run(tt.name, func(t *testing.T) { @@ -1024,9 +1087,13 @@ func TestStorage(t *testing.T) { if tt.mocks != nil { tt.mocks(t, client) } + useLifetime := lifetime + if tt.lifetime != nil { + useLifetime = tt.lifetime() + } secrets := client.CoreV1().Secrets(namespace) fakeClock := clocktesting.NewFakeClock(fakeNow) - storage := New(tt.resource, secrets, fakeClock.Now, lifetime) + storage := New(tt.resource, secrets, fakeClock.Now, useLifetime) err := tt.run(t, storage, fakeClock) diff --git a/internal/oidc/auth/auth_handler.go b/internal/oidc/auth/auth_handler.go index adbbec7c..370f8baa 100644 --- a/internal/oidc/auth/auth_handler.go +++ b/internal/oidc/auth/auth_handler.go @@ -20,6 +20,7 @@ import ( "go.pinniped.dev/internal/httputil/httperr" "go.pinniped.dev/internal/httputil/securityheader" "go.pinniped.dev/internal/oidc" + "go.pinniped.dev/internal/oidc/clientregistry" "go.pinniped.dev/internal/oidc/csrftoken" "go.pinniped.dev/internal/oidc/downstreamsession" "go.pinniped.dev/internal/oidc/login" @@ -126,6 +127,10 @@ func handleAuthRequestForLDAPUpstreamCLIFlow( return nil } + if !requireStaticClientForUsernameAndPasswordHeaders(w, oauthHelper, authorizeRequester) { + return nil + } + username, password, hadUsernamePasswordValues := requireNonEmptyUsernameAndPasswordHeaders(r, w, oauthHelper, authorizeRequester) if !hadUsernamePasswordValues { return nil 
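Review bot: The call to `requireStaticClientForUsernameAndPasswordHeaders` in handleAuthRequestForLDAPUpstreamCLIFlow carries no explanation of why a client other than the Pinniped CLI is refused, and the same bare call is added in handleAuthRequestForOIDCUpstreamPasswordGrant in the next hunk. A one-line comment above the call would make the policy visible at the enforcement point, e.g. `// Only the built-in CLI client may submit end-user credentials in headers; dynamic clients must use the browser flow so they never handle passwords.` Note that the guard runs before the headers are checked for presence, so it presumably relies on the caller dispatching into this CLI-flow handler only when the credential headers are present; that assumption deserves a sentence in the comment as well. The enclosing function starts and ends outside the hunk.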
@@ -199,6 +204,10 @@ func handleAuthRequestForOIDCUpstreamPasswordGrant( return nil } + if !requireStaticClientForUsernameAndPasswordHeaders(w, oauthHelper, authorizeRequester) { + return nil + } + username, password, hadUsernamePasswordValues := requireNonEmptyUsernameAndPasswordHeaders(r, w, oauthHelper, authorizeRequester) if !hadUsernamePasswordValues { return nil @@ -312,6 +321,15 @@ func handleAuthRequestForOIDCUpstreamBrowserFlow( return nil } +func requireStaticClientForUsernameAndPasswordHeaders(w http.ResponseWriter, oauthHelper fosite.OAuth2Provider, authorizeRequester fosite.AuthorizeRequester) bool { + isStaticClient := authorizeRequester.GetClient().GetID() == clientregistry.PinnipedCLIClientID + if !isStaticClient { + oidc.WriteAuthorizeError(w, oauthHelper, authorizeRequester, + fosite.ErrAccessDenied.WithHintf("This client is not allowed to submit username or password headers to this endpoint."), true) + } + return isStaticClient +} + func requireNonEmptyUsernameAndPasswordHeaders(r *http.Request, w http.ResponseWriter, oauthHelper fosite.OAuth2Provider, authorizeRequester fosite.AuthorizeRequester) (string, string, bool) { username := r.Header.Get(supervisoroidc.AuthorizeUsernameHeaderName) password := r.Header.Get(supervisoroidc.AuthorizePasswordHeaderName) 
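Review bot: The new `requireStaticClientForUsernameAndPasswordHeaders` has no doc comment, although it is the single place that enforces which client may present user credentials, so its contract should be spelled out: `// requireStaticClientForUsernameAndPasswordHeaders writes an access_denied error and returns false unless the requesting client is the built-in Pinniped CLI client, the only client permitted to submit end-user credentials via headers.` The hint is a constant string with no verbs, so `fosite.ErrAccessDenied.WithHint("This client is not allowed to submit username or password headers to this endpoint.")` is the more accurate call than `WithHintf`. The comparison against `clientregistry.PinnipedCLIClientID` is a plain string equality on the client ID, which is fine provided NewAuthorizeRequest has already authenticated the client ID against the registry before this point, as the surrounding flow suggests.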
@@ -330,10 +348,12 @@ func newAuthorizeRequest(r *http.Request, w http.ResponseWriter, oauthHelper fos return nil, false } - // Automatically grant the openid, offline_access, and pinniped:request-audience scopes, but only if they were requested. + // Automatically grant the openid, offline_access, pinniped:request-audience, and groups scopes, but only if they were requested. // Grant the openid scope (for now) if they asked for it so that `NewAuthorizeResponse` will perform its OIDC validations. // There don't seem to be any validations inside `NewAuthorizeResponse` related to the offline_access scope // at this time, however we will temporarily grant the scope just in case that changes in a future release of fosite. + // This is instead of asking the user to approve these scopes. Note that `NewAuthorizeRequest` would have returned + // an error if the client requested a scope that they are not allowed to request, so we don't need to worry about that here. downstreamsession.GrantScopesIfRequested(authorizeRequester, []string{coreosoidc.ScopeOpenID, coreosoidc.ScopeOfflineAccess, oidc.RequestAudienceScope, oidc.DownstreamGroupsScope}) return authorizeRequester, true diff --git a/internal/oidc/auth/auth_handler_test.go b/internal/oidc/auth/auth_handler_test.go index 8847d8c4..2cc98471 100644 --- a/internal/oidc/auth/auth_handler_test.go +++ b/internal/oidc/auth/auth_handler_test.go 
@@ -24,8 +24,12 @@ import ( "k8s.io/apiserver/pkg/authentication/user" "k8s.io/client-go/kubernetes/fake" v1 "k8s.io/client-go/kubernetes/typed/core/v1" + kubetesting "k8s.io/client-go/testing" "k8s.io/utils/pointer" + configv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/config/v1alpha1" + supervisorfake "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned/fake" + "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned/typed/config/v1alpha1" "go.pinniped.dev/internal/authenticators" "go.pinniped.dev/internal/here" "go.pinniped.dev/internal/oidc" @@ -67,11 +71,16 @@ func TestAuthorizationEndpoint(t *testing.T) { downstreamPKCEChallenge = "some-challenge" downstreamPKCEChallengeMethod = "S256" happyState = "8b-state" - downstreamClientID = "pinniped-cli" upstreamLDAPURL = "ldaps://some-ldap-host:123?base=ou%3Dusers%2Cdc%3Dpinniped%2Cdc%3Ddev" htmlContentType = "text/html; charset=utf-8" jsonContentType = "application/json; charset=utf-8" formContentType = "application/x-www-form-urlencoded" + + pinnipedCLIClientID = "pinniped-cli" + dynamicClientID = "client.oauth.pinniped.dev-test-name" + dynamicClientUID = "fake-client-uid" + //nolint:gosec // this is not a credential + dynamicClientHashedSecret = "$2y$15$Kh7cRj0ScSD5QelE3ZNSl.nF04JDv7zb3SgGN.tSfLIX.4kt3UX7m" // bcrypt of "password1" at cost 15 ) require.Len(t, happyState, 8, "we expect fosite to allow 8 byte state params, so we want to test that boundary case") 
@@ -177,6 +186,12 @@ func TestAuthorizationEndpoint(t *testing.T) { "state": happyState, } + fositeAccessDeniedWithUsernamePasswordHeadersDisallowedHintErrorQuery = map[string]string{ + "error": "access_denied", + "error_description": "The resource owner or authorization server denied the request. This client is not allowed to submit username or password headers to this endpoint.", + "state": happyState, + } + fositeAccessDeniedWithInvalidEmailVerifiedHintErrorQuery = map[string]string{ "error": "access_denied", "error_description": "The resource owner or authorization server denied the request. Reason: email_verified claim in upstream ID token has invalid format.", 
@@ -219,16 +234,18 @@ func TestAuthorizationEndpoint(t *testing.T) { jwksProviderIsUnused := jwks.NewDynamicJWKSProvider() timeoutsConfiguration := oidc.DefaultOIDCTimeoutsConfiguration() - createOauthHelperWithRealStorage := func(secretsClient v1.SecretInterface) (fosite.OAuth2Provider, *oidc.KubeStorage) { + createOauthHelperWithRealStorage := func(secretsClient v1.SecretInterface, oidcClientsClient v1alpha1.OIDCClientInterface) (fosite.OAuth2Provider, *oidc.KubeStorage) { // Configure fosite the same way that the production code would when using Kube storage. // Inject this into our test subject at the last second so we get a fresh storage for every test. - kubeOauthStore := oidc.NewKubeStorage(secretsClient, timeoutsConfiguration) + kubeOauthStore := oidc.NewKubeStorage(secretsClient, oidcClientsClient, timeoutsConfiguration) return oidc.FositeOauth2Helper(kubeOauthStore, downstreamIssuer, hmacSecretFunc, jwksProviderIsUnused, timeoutsConfiguration), kubeOauthStore } - // Configure fosite the same way that the production code would, using NullStorage to turn off storage. - nullOauthStore := oidc.NullStorage{} - oauthHelperWithNullStorage := oidc.FositeOauth2Helper(nullOauthStore, downstreamIssuer, hmacSecretFunc, jwksProviderIsUnused, timeoutsConfiguration) + createOauthHelperWithNullStorage := func(secretsClient v1.SecretInterface, oidcClientsClient v1alpha1.OIDCClientInterface) (fosite.OAuth2Provider, *oidc.NullStorage) { + // Configure fosite the same way that the production code would, using NullStorage to turn off storage. + nullOauthStore := oidc.NewNullStorage(secretsClient, oidcClientsClient) + return oidc.FositeOauth2Helper(nullOauthStore, downstreamIssuer, hmacSecretFunc, jwksProviderIsUnused, timeoutsConfiguration), nullOauthStore + } upstreamAuthURL, err := url.Parse("https://some-upstream-idp:8443/auth") require.NoError(t, err) 
@@ -381,7 +398,7 @@ func TestAuthorizationEndpoint(t *testing.T) { happyGetRequestQueryMap := map[string]string{ "response_type": "code", "scope": strings.Join(happyDownstreamScopesRequested, " "), - "client_id": downstreamClientID, + "client_id": pinnipedCLIClientID, "state": happyState, "nonce": downstreamNonce, "code_challenge": downstreamPKCEChallenge, @@ -494,6 +511,26 @@ func TestAuthorizationEndpoint(t *testing.T) { }, } + fullyCapableDynamicClient := &configv1alpha1.OIDCClient{ + ObjectMeta: metav1.ObjectMeta{Namespace: "some-namespace", Name: dynamicClientID, Generation: 1, UID: dynamicClientUID}, + Spec: configv1alpha1.OIDCClientSpec{ + AllowedGrantTypes: []configv1alpha1.GrantType{"authorization_code", "urn:ietf:params:oauth:grant-type:token-exchange", "refresh_token"}, + AllowedScopes: []configv1alpha1.Scope{"openid", "offline_access", "pinniped:request-audience", "username", "groups"}, + AllowedRedirectURIs: []configv1alpha1.RedirectURI{downstreamRedirectURI}, + }, + } + + allDynamicClientScopes := "openid offline_access pinniped:request-audience username groups" + + storageSecretWithOneClientSecretForDynamicClient := testutil.OIDCClientSecretStorageSecretForUID(t, + "some-namespace", dynamicClientUID, []string{dynamicClientHashedSecret}, + ) + + addFullyCapableDynamicClientAndSecretToKubeResources := func(t *testing.T, supervisorClient *supervisorfake.Clientset, kubeClient *fake.Clientset) { + require.NoError(t, supervisorClient.Tracker().Add(fullyCapableDynamicClient)) + require.NoError(t, kubeClient.Tracker().Add(storageSecretWithOneClientSecretForDynamicClient)) + } + // Note that fosite puts the granted scopes as a param in the redirect URI even though the spec doesn't seem to require it happyAuthcodeDownstreamRedirectLocationRegexp := downstreamRedirectURI + `\?code=([^&]+)&scope=openid\+groups&state=` + happyState 
@@ -517,6 +554,7 @@ func TestAuthorizationEndpoint(t *testing.T) { csrfCookie string customUsernameHeader *string // nil means do not send header, empty means send header with empty value customPasswordHeader *string // nil means do not send header, empty means send header with empty value + kubeResources func(t *testing.T, supervisorClient *supervisorfake.Clientset, kubeClient *fake.Clientset) wantStatus int wantContentType string @@ -540,6 +578,7 @@ func TestAuthorizationEndpoint(t *testing.T) { wantDownstreamPKCEChallenge string wantDownstreamPKCEChallengeMethod string wantDownstreamNonce string + wantDownstreamClientID string // defaults to wanting "pinniped-cli" when not set wantUnnecessaryStoredRecords int wantPasswordGrantCall *expectedPasswordGrant wantDownstreamCustomSessionData *psession.CustomSessionData 
@@ -562,6 +601,24 @@ func TestAuthorizationEndpoint(t *testing.T) { wantUpstreamStateParamInLocationHeader: true, wantBodyStringWithLocationInHref: true, }, + { + name: "OIDC upstream browser flow happy path using GET without a CSRF cookie using a dynamic client", + idps: oidctestutil.NewUpstreamIDPListerBuilder().WithOIDC(upstreamOIDCIdentityProviderBuilder().Build()), + kubeResources: addFullyCapableDynamicClientAndSecretToKubeResources, + generateCSRF: happyCSRFGenerator, + generatePKCE: happyPKCEGenerator, + generateNonce: happyNonceGenerator, + stateEncoder: happyStateEncoder, + cookieEncoder: happyCookieEncoder, + method: http.MethodGet, + path: modifiedHappyGetRequestPath(map[string]string{"client_id": dynamicClientID, "scope": allDynamicClientScopes}), + wantStatus: http.StatusSeeOther, + wantContentType: htmlContentType, + wantCSRFValueInCookieHeader: happyCSRF, + wantLocationHeader: expectedRedirectLocationForUpstreamOIDC(expectedUpstreamStateParam(map[string]string{"client_id": dynamicClientID, "scope": allDynamicClientScopes}, "", oidcUpstreamName, "oidc"), nil), + wantUpstreamStateParamInLocationHeader: true, + wantBodyStringWithLocationInHref: true, + }, { name: "LDAP upstream browser flow happy path using GET without a CSRF cookie", idps: oidctestutil.NewUpstreamIDPListerBuilder().WithLDAP(&upstreamLDAPIdentityProvider), 
@@ -579,6 +636,24 @@ func TestAuthorizationEndpoint(t *testing.T) { wantUpstreamStateParamInLocationHeader: true, wantBodyStringWithLocationInHref: true, }, + { + name: "LDAP upstream browser flow happy path using GET without a CSRF cookie using a dynamic client", + idps: oidctestutil.NewUpstreamIDPListerBuilder().WithLDAP(&upstreamLDAPIdentityProvider), + kubeResources: addFullyCapableDynamicClientAndSecretToKubeResources, + generateCSRF: happyCSRFGenerator, + generatePKCE: happyPKCEGenerator, + generateNonce: happyNonceGenerator, + stateEncoder: happyStateEncoder, + cookieEncoder: happyCookieEncoder, + method: http.MethodGet, + path: modifiedHappyGetRequestPath(map[string]string{"client_id": dynamicClientID, "scope": allDynamicClientScopes}), + wantStatus: http.StatusSeeOther, + wantContentType: htmlContentType, + wantCSRFValueInCookieHeader: happyCSRF, + wantLocationHeader: urlWithQuery(downstreamIssuer+"/login", map[string]string{"state": expectedUpstreamStateParam(map[string]string{"client_id": dynamicClientID, "scope": allDynamicClientScopes}, "", ldapUpstreamName, "ldap")}), + wantUpstreamStateParamInLocationHeader: true, + wantBodyStringWithLocationInHref: true, + }, { name: "Active Directory upstream browser flow happy path using GET without a CSRF cookie", idps: oidctestutil.NewUpstreamIDPListerBuilder().WithActiveDirectory(&upstreamActiveDirectoryIdentityProvider), 
@@ -596,6 +671,24 @@ func TestAuthorizationEndpoint(t *testing.T) { wantUpstreamStateParamInLocationHeader: true, wantBodyStringWithLocationInHref: true, }, + { + name: "Active Directory upstream browser flow happy path using GET without a CSRF cookie using a dynamic client", + idps: oidctestutil.NewUpstreamIDPListerBuilder().WithActiveDirectory(&upstreamActiveDirectoryIdentityProvider), + kubeResources: addFullyCapableDynamicClientAndSecretToKubeResources, + generateCSRF: happyCSRFGenerator, + generatePKCE: happyPKCEGenerator, + generateNonce: happyNonceGenerator, + stateEncoder: happyStateEncoder, + cookieEncoder: happyCookieEncoder, + method: http.MethodGet, + path: modifiedHappyGetRequestPath(map[string]string{"client_id": dynamicClientID, "scope": allDynamicClientScopes}), + wantStatus: http.StatusSeeOther, + wantContentType: htmlContentType, + wantCSRFValueInCookieHeader: happyCSRF, + wantLocationHeader: urlWithQuery(downstreamIssuer+"/login", map[string]string{"state": expectedUpstreamStateParam(map[string]string{"client_id": dynamicClientID, "scope": allDynamicClientScopes}, "", activeDirectoryUpstreamName, "activedirectory")}), + wantUpstreamStateParamInLocationHeader: true, + wantBodyStringWithLocationInHref: true, + }, { name: "OIDC upstream password grant happy path using GET", idps: oidctestutil.NewUpstreamIDPListerBuilder().WithOIDC(passwordGrantUpstreamOIDCIdentityProviderBuilder().Build()), 
@@ -730,6 +823,26 @@ func TestAuthorizationEndpoint(t *testing.T) { wantLocationHeader: expectedRedirectLocationForUpstreamOIDC(expectedUpstreamStateParam(nil, "", oidcUpstreamName, "oidc"), nil), wantUpstreamStateParamInLocationHeader: true, }, + { + name: "OIDC upstream browser flow happy path using POST with a dynamic client", + idps: oidctestutil.NewUpstreamIDPListerBuilder().WithOIDC(upstreamOIDCIdentityProviderBuilder().Build()), + kubeResources: addFullyCapableDynamicClientAndSecretToKubeResources, + generateCSRF: happyCSRFGenerator, + generatePKCE: happyPKCEGenerator, + generateNonce: happyNonceGenerator, + stateEncoder: happyStateEncoder, + cookieEncoder: happyCookieEncoder, + method: http.MethodPost, + path: "/some/path", + contentType: formContentType, + body: encodeQuery(modifiedHappyGetRequestQueryMap(map[string]string{"client_id": dynamicClientID, "scope": allDynamicClientScopes})), + wantStatus: http.StatusSeeOther, + wantContentType: "", + wantBodyString: "", + wantCSRFValueInCookieHeader: happyCSRF, + wantLocationHeader: expectedRedirectLocationForUpstreamOIDC(expectedUpstreamStateParam(map[string]string{"client_id": dynamicClientID, "scope": allDynamicClientScopes}, "", oidcUpstreamName, "oidc"), nil), + wantUpstreamStateParamInLocationHeader: true, + }, { name: "LDAP upstream browser flow happy path using POST", idps: oidctestutil.NewUpstreamIDPListerBuilder().WithLDAP(&upstreamLDAPIdentityProvider), 
@@ -749,6 +862,26 @@ func TestAuthorizationEndpoint(t *testing.T) { wantLocationHeader: urlWithQuery(downstreamIssuer+"/login", map[string]string{"state": expectedUpstreamStateParam(nil, "", ldapUpstreamName, "ldap")}), wantUpstreamStateParamInLocationHeader: true, }, + { + name: "LDAP upstream browser flow happy path using POST with a dynamic client", + idps: oidctestutil.NewUpstreamIDPListerBuilder().WithLDAP(&upstreamLDAPIdentityProvider), + kubeResources: addFullyCapableDynamicClientAndSecretToKubeResources, + generateCSRF: happyCSRFGenerator, + generatePKCE: happyPKCEGenerator, + generateNonce: happyNonceGenerator, + stateEncoder: happyStateEncoder, + cookieEncoder: happyCookieEncoder, + method: http.MethodPost, + path: "/some/path", + contentType: formContentType, + body: encodeQuery(modifiedHappyGetRequestQueryMap(map[string]string{"client_id": dynamicClientID, "scope": allDynamicClientScopes})), + wantStatus: http.StatusSeeOther, + wantContentType: "", + wantBodyString: "", + wantCSRFValueInCookieHeader: happyCSRF, + wantLocationHeader: urlWithQuery(downstreamIssuer+"/login", map[string]string{"state": expectedUpstreamStateParam(map[string]string{"client_id": dynamicClientID, "scope": allDynamicClientScopes}, "", ldapUpstreamName, "ldap")}), + wantUpstreamStateParamInLocationHeader: true, + }, { name: "Active Directory upstream browser flow happy path using POST", idps: oidctestutil.NewUpstreamIDPListerBuilder().WithActiveDirectory(&upstreamActiveDirectoryIdentityProvider), 
@@ -768,6 +901,26 @@ func TestAuthorizationEndpoint(t *testing.T) { wantLocationHeader: urlWithQuery(downstreamIssuer+"/login", map[string]string{"state": expectedUpstreamStateParam(nil, "", activeDirectoryUpstreamName, "activedirectory")}), wantUpstreamStateParamInLocationHeader: true, }, + { + name: "Active Directory upstream browser flow happy path using POST with a dynamic client", + idps: oidctestutil.NewUpstreamIDPListerBuilder().WithActiveDirectory(&upstreamActiveDirectoryIdentityProvider), + kubeResources: addFullyCapableDynamicClientAndSecretToKubeResources, + generateCSRF: happyCSRFGenerator, + generatePKCE: happyPKCEGenerator, + generateNonce: happyNonceGenerator, + stateEncoder: happyStateEncoder, + cookieEncoder: happyCookieEncoder, + method: http.MethodPost, + path: "/some/path", + contentType: formContentType, + body: encodeQuery(modifiedHappyGetRequestQueryMap(map[string]string{"client_id": dynamicClientID, "scope": allDynamicClientScopes})), + wantStatus: http.StatusSeeOther, + wantContentType: "", + wantBodyString: "", + wantCSRFValueInCookieHeader: happyCSRF, + wantLocationHeader: urlWithQuery(downstreamIssuer+"/login", map[string]string{"state": expectedUpstreamStateParam(map[string]string{"client_id": dynamicClientID, "scope": allDynamicClientScopes}, "", activeDirectoryUpstreamName, "activedirectory")}), + wantUpstreamStateParamInLocationHeader: true, + }, { name: "OIDC upstream password grant happy path using POST", idps: oidctestutil.NewUpstreamIDPListerBuilder().WithOIDC(passwordGrantUpstreamOIDCIdentityProviderBuilder().Build()), 
@@ -945,6 +1098,32 @@ func TestAuthorizationEndpoint(t *testing.T) { wantUpstreamStateParamInLocationHeader: true, wantBodyStringWithLocationInHref: true, }, + { + name: "OIDC upstream browser flow happy path using dynamic client when downstream redirect uri matches what is configured for client except for the port number", + idps: oidctestutil.NewUpstreamIDPListerBuilder().WithOIDC(upstreamOIDCIdentityProviderBuilder().Build()), + kubeResources: addFullyCapableDynamicClientAndSecretToKubeResources, + generateCSRF: happyCSRFGenerator, + generatePKCE: happyPKCEGenerator, + generateNonce: happyNonceGenerator, + stateEncoder: happyStateEncoder, + cookieEncoder: happyCookieEncoder, + method: http.MethodGet, + path: modifiedHappyGetRequestPath(map[string]string{ + "redirect_uri": downstreamRedirectURIWithDifferentPort, // not the same port number that is registered for the client + "client_id": dynamicClientID, + "scope": allDynamicClientScopes, + }), + wantStatus: http.StatusSeeOther, + wantContentType: htmlContentType, + wantCSRFValueInCookieHeader: happyCSRF, + wantLocationHeader: expectedRedirectLocationForUpstreamOIDC(expectedUpstreamStateParam(map[string]string{ + "redirect_uri": downstreamRedirectURIWithDifferentPort, // not the same port number that is registered for the client + "client_id": dynamicClientID, + "scope": allDynamicClientScopes, + }, "", oidcUpstreamName, "oidc"), nil), + wantUpstreamStateParamInLocationHeader: true, + wantBodyStringWithLocationInHref: true, + }, { name: "OIDC upstream password grant happy path when downstream redirect uri matches what is configured for client except for the port number", idps: oidctestutil.NewUpstreamIDPListerBuilder().WithOIDC(passwordGrantUpstreamOIDCIdentityProviderBuilder().Build()), 
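Review bot: The new happy-path case accepts `downstreamRedirectURIWithDifferentPort` for a dynamic client whose only registered redirect URI is `downstreamRedirectURI`, so the test pins that exact-match redirect URI validation is relaxed on the port for dynamic clients too. That relaxation is what RFC 8252 §7.3 requires for loopback (`127.0.0.1` / `[::1]`) redirect URIs, but for any non-loopback host it would weaken redirect URI matching; the value of `downstreamRedirectURI` is defined outside this hunk, so I cannot confirm which case applies. A short comment on the test case stating the rationale, e.g. `// loopback redirect URIs may vary their port number (RFC 8252 section 7.3), which applies to dynamic clients as well`, would make the intent explicit, and a companion negative case with a non-loopback host and a different port would show the relaxation is limited to loopback.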
@@ -1342,6 +1521,45 @@ func TestAuthorizationEndpoint(t *testing.T) { wantLocationHeader: urlWithQuery(downstreamRedirectURI, fositeAccessDeniedWithPasswordGrantDisallowedHintErrorQuery), wantBodyString: "", }, + { + name: "dynamic clients are not allowed to use OIDC password grant because we don't want them to handle user credentials", + idps: oidctestutil.NewUpstreamIDPListerBuilder().WithOIDC(passwordGrantUpstreamOIDCIdentityProviderBuilder().Build()), + kubeResources: addFullyCapableDynamicClientAndSecretToKubeResources, + method: http.MethodGet, + path: modifiedHappyGetRequestPath(map[string]string{"client_id": dynamicClientID, "scope": allDynamicClientScopes}), + customUsernameHeader: pointer.StringPtr(oidcUpstreamUsername), + customPasswordHeader: pointer.StringPtr(oidcUpstreamPassword), + wantStatus: http.StatusFound, + wantContentType: jsonContentType, + wantLocationHeader: urlWithQuery(downstreamRedirectURI, fositeAccessDeniedWithUsernamePasswordHeadersDisallowedHintErrorQuery), + wantBodyString: "", + }, + { + name: "dynamic clients are not allowed to use LDAP CLI-flow authentication because we don't want them to handle user credentials", + idps: oidctestutil.NewUpstreamIDPListerBuilder().WithLDAP(&upstreamLDAPIdentityProvider), + kubeResources: addFullyCapableDynamicClientAndSecretToKubeResources, + method: http.MethodGet, + path: modifiedHappyGetRequestPath(map[string]string{"client_id": dynamicClientID, "scope": allDynamicClientScopes}), + customUsernameHeader: pointer.StringPtr(happyLDAPUsername), + customPasswordHeader: pointer.StringPtr(happyLDAPPassword), + wantStatus: http.StatusFound, + wantContentType: jsonContentType, + wantLocationHeader: urlWithQuery(downstreamRedirectURI, fositeAccessDeniedWithUsernamePasswordHeadersDisallowedHintErrorQuery), + wantBodyString: "", + }, + { + name: "dynamic clients are not allowed to use Active Directory CLI-flow authentication because we don't want them to handle user credentials", + idps: 
oidctestutil.NewUpstreamIDPListerBuilder().WithActiveDirectory(&upstreamActiveDirectoryIdentityProvider), + kubeResources: addFullyCapableDynamicClientAndSecretToKubeResources, + method: http.MethodGet, + path: modifiedHappyGetRequestPath(map[string]string{"client_id": dynamicClientID, "scope": allDynamicClientScopes}), + customUsernameHeader: pointer.StringPtr(happyLDAPUsername), + customPasswordHeader: pointer.StringPtr(happyLDAPPassword), + wantStatus: http.StatusFound, + wantContentType: jsonContentType, + wantLocationHeader: urlWithQuery(downstreamRedirectURI, fositeAccessDeniedWithUsernamePasswordHeadersDisallowedHintErrorQuery), + wantBodyString: "", + }, { name: "downstream redirect uri does not match what is configured for client when using OIDC upstream browser flow", idps: oidctestutil.NewUpstreamIDPListerBuilder().WithOIDC(upstreamOIDCIdentityProviderBuilder().Build()), 
@@ -1358,6 +1576,25 @@ func TestAuthorizationEndpoint(t *testing.T) { wantContentType: jsonContentType, wantBodyJSON: fositeInvalidRedirectURIErrorBody, }, + { + name: "downstream redirect uri does not match what is configured for client when using OIDC upstream browser flow with a dynamic client", + idps: oidctestutil.NewUpstreamIDPListerBuilder().WithOIDC(upstreamOIDCIdentityProviderBuilder().Build()), + kubeResources: addFullyCapableDynamicClientAndSecretToKubeResources, + generateCSRF: happyCSRFGenerator, + generatePKCE: happyPKCEGenerator, + generateNonce: happyNonceGenerator, + stateEncoder: happyStateEncoder, + cookieEncoder: happyCookieEncoder, + method: http.MethodGet, + path: modifiedHappyGetRequestPath(map[string]string{ + "redirect_uri": "http://127.0.0.1/does-not-match-what-is-configured-for-dynamic-client", + "client_id": dynamicClientID, + "scope": allDynamicClientScopes, + }), + wantStatus: http.StatusBadRequest, + wantContentType: jsonContentType, + wantBodyJSON: fositeInvalidRedirectURIErrorBody, + }, { name: "downstream redirect uri does not match what is configured for client when using OIDC upstream password grant", idps: oidctestutil.NewUpstreamIDPListerBuilder().WithOIDC(passwordGrantUpstreamOIDCIdentityProviderBuilder().Build()), 
@@ -1455,6 +1692,26 @@ func TestAuthorizationEndpoint(t *testing.T) { wantLocationHeader: urlWithQuery(downstreamRedirectURI, fositeUnsupportedResponseTypeErrorQuery), wantBodyString: "", }, + { + name: "response type is unsupported when using OIDC upstream browser flow with dynamic client", + idps: oidctestutil.NewUpstreamIDPListerBuilder().WithOIDC(upstreamOIDCIdentityProviderBuilder().Build()), + kubeResources: addFullyCapableDynamicClientAndSecretToKubeResources, + generateCSRF: happyCSRFGenerator, + generatePKCE: happyPKCEGenerator, + generateNonce: happyNonceGenerator, + stateEncoder: happyStateEncoder, + cookieEncoder: happyCookieEncoder, + method: http.MethodGet, + path: modifiedHappyGetRequestPath(map[string]string{ + "response_type": "unsupported", + "client_id": dynamicClientID, + "scope": allDynamicClientScopes, + }), + wantStatus: http.StatusSeeOther, + wantContentType: jsonContentType, + wantLocationHeader: urlWithQuery(downstreamRedirectURI, fositeUnsupportedResponseTypeErrorQuery), + wantBodyString: "", + }, { name: "response type is unsupported when using OIDC upstream password grant", idps: oidctestutil.NewUpstreamIDPListerBuilder().WithOIDC(passwordGrantUpstreamOIDCIdentityProviderBuilder().Build()), 
@@ -1489,6 +1746,21 @@ func TestAuthorizationEndpoint(t *testing.T) { wantLocationHeader: urlWithQuery(downstreamRedirectURI, fositeUnsupportedResponseTypeErrorQuery), wantBodyString: "", }, + { + name: "response type is unsupported when using LDAP browser upstream with dynamic client", + idps: oidctestutil.NewUpstreamIDPListerBuilder().WithLDAP(&upstreamLDAPIdentityProvider), + kubeResources: addFullyCapableDynamicClientAndSecretToKubeResources, + method: http.MethodGet, + path: modifiedHappyGetRequestPath(map[string]string{ + "response_type": "unsupported", + "client_id": dynamicClientID, + "scope": allDynamicClientScopes, + }), + wantStatus: http.StatusSeeOther, + wantContentType: jsonContentType, + wantLocationHeader: urlWithQuery(downstreamRedirectURI, fositeUnsupportedResponseTypeErrorQuery), + wantBodyString: "", + }, { name: "response type is unsupported when using active directory cli upstream", idps: oidctestutil.NewUpstreamIDPListerBuilder().WithActiveDirectory(&upstreamActiveDirectoryIdentityProvider), 
@@ -1511,6 +1783,21 @@ func TestAuthorizationEndpoint(t *testing.T) { wantLocationHeader: urlWithQuery(downstreamRedirectURI, fositeUnsupportedResponseTypeErrorQuery), wantBodyString: "", }, + { + name: "response type is unsupported when using active directory browser upstream with dynamic client", + idps: oidctestutil.NewUpstreamIDPListerBuilder().WithActiveDirectory(&upstreamActiveDirectoryIdentityProvider), + kubeResources: addFullyCapableDynamicClientAndSecretToKubeResources, + method: http.MethodGet, + path: modifiedHappyGetRequestPath(map[string]string{ + "response_type": "unsupported", + "client_id": dynamicClientID, + "scope": allDynamicClientScopes, + }), + wantStatus: http.StatusSeeOther, + wantContentType: jsonContentType, + wantLocationHeader: urlWithQuery(downstreamRedirectURI, fositeUnsupportedResponseTypeErrorQuery), + wantBodyString: "", + }, { name: "downstream scopes do not match what is configured for client using OIDC upstream browser flow", idps: oidctestutil.NewUpstreamIDPListerBuilder().WithOIDC(upstreamOIDCIdentityProviderBuilder().Build()), 
@@ -1526,6 +1813,22 @@ func TestAuthorizationEndpoint(t *testing.T) { wantLocationHeader: urlWithQuery(downstreamRedirectURI, fositeInvalidScopeErrorQuery), wantBodyString: "", }, + { + name: "downstream scopes do not match what is configured for client using OIDC upstream browser flow with dynamic client", + idps: oidctestutil.NewUpstreamIDPListerBuilder().WithOIDC(upstreamOIDCIdentityProviderBuilder().Build()), + kubeResources: addFullyCapableDynamicClientAndSecretToKubeResources, + generateCSRF: happyCSRFGenerator, + generatePKCE: happyPKCEGenerator, + generateNonce: happyNonceGenerator, + stateEncoder: happyStateEncoder, + cookieEncoder: happyCookieEncoder, + method: http.MethodGet, + path: modifiedHappyGetRequestPath(map[string]string{"client_id": dynamicClientID, "scope": "openid tuna"}), + wantStatus: http.StatusSeeOther, + wantContentType: jsonContentType, + wantLocationHeader: urlWithQuery(downstreamRedirectURI, fositeInvalidScopeErrorQuery), + wantBodyString: "", + }, { name: "downstream scopes do not match what is configured for client using OIDC upstream password grant", idps: oidctestutil.NewUpstreamIDPListerBuilder().WithOIDC(passwordGrantUpstreamOIDCIdentityProviderBuilder().Build()), 
@@ -1552,6 +1855,21 @@ func TestAuthorizationEndpoint(t *testing.T) { wantContentType: htmlContentType, wantBodyRegex: ` 0 { + // Invalid: some stored client secrets were not valid. + conditions = append(conditions, &v1alpha1.Condition{ + Type: clientSecretExists, + Status: v1alpha1.ConditionFalse, + Reason: reasonInvalidClientSecretFound, + Message: fmt.Sprintf("%d stored client secrets found, but some were invalid, so none will be used: %s", + storedClientSecretsCount, strings.Join(bcryptErrs, "; ")), + }) + return conditions, emptyList + } + + // Valid: has at least one client secret stored for this OIDC client, and all stored client secrets are valid. + conditions = append(conditions, &v1alpha1.Condition{ + Type: clientSecretExists, + Status: v1alpha1.ConditionTrue, + Reason: reasonSuccess, + Message: fmt.Sprintf("%d client secret(s) found", storedClientSecretsCount), + }) + return conditions, storedClientSecret.SecretHashes +} + +func allowedGrantTypesContains(haystack *v1alpha1.OIDCClient, needle string) bool { + for _, hay := range haystack.Spec.AllowedGrantTypes { + if hay == v1alpha1.GrantType(needle) { + return true + } + } + return false +} + +func allowedScopesContains(haystack *v1alpha1.OIDCClient, needle string) bool { + for _, hay := range haystack.Spec.AllowedScopes { + if hay == v1alpha1.Scope(needle) { + return true + } + } + return false +} diff --git a/internal/oidc/provider/manager/manager.go b/internal/oidc/provider/manager/manager.go index 2833efa2..83a91d07 100644 --- a/internal/oidc/provider/manager/manager.go +++ b/internal/oidc/provider/manager/manager.go @@ -10,6 +10,7 @@ import ( corev1client "k8s.io/client-go/kubernetes/typed/core/v1" + "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned/typed/config/v1alpha1" "go.pinniped.dev/internal/oidc" "go.pinniped.dev/internal/oidc/auth" "go.pinniped.dev/internal/oidc/callback" 
@@ -39,6 +40,7 @@ type Manager struct { upstreamIDPs oidc.UpstreamIdentityProvidersLister // in-memory cache of upstream IDPs secretCache *secret.Cache // in-memory cache of cryptographic material secretsClient corev1client.SecretInterface + oidcClientsClient v1alpha1.OIDCClientInterface } // NewManager returns an empty Manager. @@ -51,6 +53,7 @@ func NewManager( upstreamIDPs oidc.UpstreamIdentityProvidersLister, secretCache *secret.Cache, secretsClient corev1client.SecretInterface, + oidcClientsClient v1alpha1.OIDCClientInterface, ) *Manager { return &Manager{ providerHandlers: make(map[string]http.Handler), @@ -59,6 +62,7 @@ func NewManager( upstreamIDPs: upstreamIDPs, secretCache: secretCache, secretsClient: secretsClient, + oidcClientsClient: oidcClientsClient, } } @@ -93,10 +97,22 @@ func (m *Manager) SetProviders(federationDomains ...*provider.FederationDomainIs // Use NullStorage for the authorize endpoint because we do not actually want to store anything until // the upstream callback endpoint is called later. - oauthHelperWithNullStorage := oidc.FositeOauth2Helper(oidc.NullStorage{}, issuer, tokenHMACKeyGetter, nil, timeoutsConfiguration) + oauthHelperWithNullStorage := oidc.FositeOauth2Helper( + oidc.NewNullStorage(m.secretsClient, m.oidcClientsClient), + issuer, + tokenHMACKeyGetter, + nil, + timeoutsConfiguration, + ) // For all the other endpoints, make another oauth helper with exactly the same settings except use real storage. - oauthHelperWithKubeStorage := oidc.FositeOauth2Helper(oidc.NewKubeStorage(m.secretsClient, timeoutsConfiguration), issuer, tokenHMACKeyGetter, m.dynamicJWKSProvider, timeoutsConfiguration) + oauthHelperWithKubeStorage := oidc.FositeOauth2Helper( + oidc.NewKubeStorage(m.secretsClient, m.oidcClientsClient, timeoutsConfiguration), + issuer, + tokenHMACKeyGetter, + m.dynamicJWKSProvider, + timeoutsConfiguration, + ) var upstreamStateEncoder = dynamiccodec.New( timeoutsConfiguration.UpstreamStateParamLifespan, 
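Review bot: The comment above the first `oidc.FositeOauth2Helper` call still says NullStorage is used because "we do not actually want to store anything", but the new `oidc.NewNullStorage(m.secretsClient, m.oidcClientsClient)` call hands it a Secrets client and an OIDCClients client, so the authorize endpoint presumably now performs live reads against the API server even though it writes nothing. Suggest extending that comment: `// NullStorage still stores nothing, but it now needs the Secrets and OIDCClients clients so that dynamic clients and their client secrets can be looked up during authorization.` The new `oidcClientsClient` field in the first hunk is also the only field in that group without a trailing comment; `// client used to read OIDCClient CRs for dynamic client lookup` would match the style of the upstreamIDPs and secretCache lines. SetProviders's body continues outside the last hunk.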
diff --git a/internal/oidc/provider/manager/manager_test.go b/internal/oidc/provider/manager/manager_test.go index 1f18dcf7..272387e9 100644 --- a/internal/oidc/provider/manager/manager_test.go +++ b/internal/oidc/provider/manager/manager_test.go @@ -15,18 +15,18 @@ import ( "strings" "testing" - "go.pinniped.dev/internal/secret" - "github.com/sclevine/spec" "github.com/stretchr/testify/require" "gopkg.in/square/go-jose.v2" "k8s.io/client-go/kubernetes/fake" + supervisorfake "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned/fake" "go.pinniped.dev/internal/here" "go.pinniped.dev/internal/oidc" "go.pinniped.dev/internal/oidc/discovery" "go.pinniped.dev/internal/oidc/jwks" "go.pinniped.dev/internal/oidc/provider" + "go.pinniped.dev/internal/secret" "go.pinniped.dev/internal/testutil" "go.pinniped.dev/internal/testutil/oidctestutil" "go.pinniped.dev/pkg/oidcclient/nonce" @@ -271,6 +271,7 @@ func TestManager(t *testing.T) { kubeClient = fake.NewSimpleClientset() secretsClient := kubeClient.CoreV1().Secrets("some-namespace") + oidcClientsClient := supervisorfake.NewSimpleClientset().ConfigV1alpha1().OIDCClients("some-namespace") cache := secret.Cache{} cache.SetCSRFCookieEncoderHashKey([]byte("fake-csrf-hash-secret")) @@ -283,7 +284,7 @@ func TestManager(t *testing.T) { cache.SetStateEncoderHashKey(issuer2, []byte("some-state-encoder-hash-key-2")) cache.SetStateEncoderBlockKey(issuer2, []byte("16-bytes-STATE02")) - subject = NewManager(nextHandler, dynamicJWKSProvider, idpLister, &cache, secretsClient) + subject = NewManager(nextHandler, dynamicJWKSProvider, idpLister, &cache, secretsClient, oidcClientsClient) }) when("given no providers via SetProviders()", func() { diff --git a/internal/oidc/token/token_handler_test.go b/internal/oidc/token/token_handler_test.go index 0fc1143d..5bdd3688 100644 --- a/internal/oidc/token/token_handler_test.go +++ b/internal/oidc/token/token_handler_test.go 
@@ -37,6 +37,7 @@ import ( "k8s.io/client-go/kubernetes/fake" v1 "k8s.io/client-go/kubernetes/typed/core/v1" + supervisorfake "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned/fake" "go.pinniped.dev/internal/crud" "go.pinniped.dev/internal/fositestorage/accesstoken" "go.pinniped.dev/internal/fositestorage/authorizationcode" @@ -3068,10 +3069,11 @@ func exchangeAuthcodeForTokens(t *testing.T, test authcodeExchangeInputs, idps p client := fake.NewSimpleClientset() secrets = client.CoreV1().Secrets("some-namespace") + oidcClientsClient := supervisorfake.NewSimpleClientset().ConfigV1alpha1().OIDCClients("some-namespace") var oauthHelper fosite.OAuth2Provider - oauthStore = oidc.NewKubeStorage(secrets, oidc.DefaultOIDCTimeoutsConfiguration()) + oauthStore = oidc.NewKubeStorage(secrets, oidcClientsClient, oidc.DefaultOIDCTimeoutsConfiguration()) if test.makeOathHelper != nil { oauthHelper, authCode, jwtSigningKey = test.makeOathHelper(t, authRequest, oauthStore, test.customSessionData) } else { diff --git a/internal/oidc/token_exchange.go b/internal/oidc/token_exchange.go index a7a7812b..4c2f5500 100644 --- a/internal/oidc/token_exchange.go +++ b/internal/oidc/token_exchange.go @@ -14,6 +14,8 @@ import ( "github.com/ory/fosite/handler/oauth2" "github.com/ory/fosite/handler/openid" "github.com/pkg/errors" + + "go.pinniped.dev/internal/oidc/clientregistry" ) const ( 
@@ -142,8 +144,8 @@ func (t *TokenExchangeHandler) validateParams(params url.Values) (*stsParams, er if strings.Contains(result.requestedAudience, ".pinniped.dev") { return nil, fosite.ErrInvalidRequest.WithHintf("requested audience cannot contain '.pinniped.dev'") } - if result.requestedAudience == "pinniped-cli" { - return nil, fosite.ErrInvalidRequest.WithHintf("requested audience cannot equal 'pinniped-cli'") + if result.requestedAudience == clientregistry.PinnipedCLIClientID { + return nil, fosite.ErrInvalidRequest.WithHintf("requested audience cannot equal '%s'", clientregistry.PinnipedCLIClientID) } return &result, nil diff --git a/internal/oidcclientsecretstorage/oidcclientsecretstorage.go b/internal/oidcclientsecretstorage/oidcclientsecretstorage.go index 257e674c..7bec307e 100644 --- a/internal/oidcclientsecretstorage/oidcclientsecretstorage.go +++ b/internal/oidcclientsecretstorage/oidcclientsecretstorage.go @@ -4,11 +4,14 @@ package oidcclientsecretstorage import ( + "context" "encoding/base64" "fmt" "time" - v1 "k8s.io/api/core/v1" + corev1 "k8s.io/api/core/v1" + "k8s.io/apimachinery/pkg/api/errors" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/types" corev1client "k8s.io/client-go/kubernetes/typed/core/v1" @@ -26,6 +29,7 @@ const ( type OIDCClientSecretStorage struct { storage crud.Storage + secrets corev1client.SecretInterface } // StoredClientSecret defines the format of the content of a client's secrets when stored in a Secret 
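Review bot: The audience check at `result.requestedAudience == clientregistry.PinnipedCLIClientID` still excludes only the static CLI client ID, while this commit introduces dynamically registered OIDCClients whose IDs could also be requested as an audience; a cluster-scoped token whose `aud` equals another registered client's ID would be indistinguishable from an ID token issued to that client, which is the confusion this check exists to prevent. If dynamic client IDs are guaranteed to contain `.pinniped.dev`, the preceding `strings.Contains` check already covers them, but that dependency is not visible here and deserves a comment, e.g. `// dynamic OIDCClient IDs always contain ".pinniped.dev", so the check above also rejects them as an audience`; otherwise the exclusion should be extended to any registered client ID. validateParams begins and ends outside the hunk.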
@@ -39,12 +43,27 @@ type StoredClientSecret struct { } func New(secrets corev1client.SecretInterface, clock func() time.Time) *OIDCClientSecretStorage { - // TODO make lifetime = 0 mean that it does not get annotated with any garbage collection annotation - return &OIDCClientSecretStorage{storage: crud.New(TypeLabelValue, secrets, clock, 0)} + return &OIDCClientSecretStorage{ + storage: crud.New(TypeLabelValue, secrets, clock, 0), + secrets: secrets, + } } // TODO expose other methods as needed for get, create, update, etc. +// GetStorageSecret gets the corev1.Secret which is used to store the client secrets for the given client. +// Returns nil,nil when the corev1.Secret was not found, as this is not an error for a client to not have any secrets yet. +func (s *OIDCClientSecretStorage) GetStorageSecret(ctx context.Context, oidcClientUID types.UID) (*corev1.Secret, error) { + secret, err := s.secrets.Get(ctx, s.GetName(oidcClientUID), metav1.GetOptions{}) + if errors.IsNotFound(err) { + return nil, nil + } + if err != nil { + return nil, err + } + return secret, nil +} + // GetName returns the name of the Secret which would be used to store data for the given signature. func (s *OIDCClientSecretStorage) GetName(oidcClientUID types.UID) string { // Avoid having s.storage.GetName() base64 decode something that wasn't ever encoded by encoding it here. @@ -53,7 +72,7 @@ func (s *OIDCClientSecretStorage) GetName(oidcClientUID types.UID) string { } // ReadFromSecret reads the contents of a Secret as a StoredClientSecret. -func ReadFromSecret(secret *v1.Secret) (*StoredClientSecret, error) { +func ReadFromSecret(secret *corev1.Secret) (*StoredClientSecret, error) { storedClientSecret := &StoredClientSecret{} err := crud.FromSecret(TypeLabelValue, secret, storedClientSecret) if err != nil { diff --git a/internal/oidcclientsecretstorage/oidcclientsecretstorage_test.go b/internal/oidcclientsecretstorage/oidcclientsecretstorage_test.go index ac81565a..09ff908c 100644 
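Review bot: `GetStorageSecret` fetches the Secret by name only and returns it without checking that it carries the expected type label or storage version, so callers must still pass the result through `ReadFromSecret` (which validates via `crud.FromSecret(TypeLabelValue, ...)`) before trusting its hashes; the doc comment should say so, e.g. `// The returned Secret is not validated here; pass it to ReadFromSecret to check its type and version before using its contents.` Separately, `New` drops the TODO about lifetime 0 and the garbage-collection annotation without any visible change to the `crud.New(TypeLabelValue, secrets, clock, 0)` call; unless crud.New was changed elsewhere in this commit, whether client-secret Secrets can be garbage collected is still an open question and the TODO should either stay or be resolved explicitly.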
--- a/internal/oidcclientsecretstorage/oidcclientsecretstorage_test.go +++ b/internal/oidcclientsecretstorage/oidcclientsecretstorage_test.go @@ -9,6 +9,8 @@ import ( "github.com/stretchr/testify/require" corev1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + + "go.pinniped.dev/internal/testutil" ) func TestGetName(t *testing.T) { @@ -106,6 +108,31 @@ func TestReadFromSecret(t *testing.T) { }, wantErr: "secret storage data has incorrect version", }, + { + name: "OIDCClientSecretStorageSecretForUID() test helper generates readable format, to ensure that test helpers are kept up to date", + secret: testutil.OIDCClientSecretStorageSecretForUID(t, + "some-namespace", "some-uid", []string{"first-hash", "second-hash"}, + ), + wantStored: &StoredClientSecret{ + Version: "1", + SecretHashes: []string{"first-hash", "second-hash"}, + }, + }, + { + name: "OIDCClientSecretStorageSecretWithoutName() test helper generates readable format, to ensure that test helpers are kept up to date", + secret: testutil.OIDCClientSecretStorageSecretWithoutName(t, + "some-namespace", []string{"first-hash", "second-hash"}, + ), + wantStored: &StoredClientSecret{ + Version: "1", + SecretHashes: []string{"first-hash", "second-hash"}, + }, + }, + { + name: "OIDCClientSecretStorageSecretForUIDWithWrongVersion() test helper generates readable format, to ensure that test helpers are kept up to date", + secret: testutil.OIDCClientSecretStorageSecretForUIDWithWrongVersion(t, "some-namespace", "some-uid"), + wantErr: "OIDC client secret storage data has wrong version: OIDC client secret storage has version wrong-version instead of 1", + }, } for _, tt := range tests { diff --git a/internal/supervisor/server/server.go b/internal/supervisor/server/server.go index 677165ee..ac71376a 100644 --- a/internal/supervisor/server/server.go +++ b/internal/supervisor/server/server.go 
@@ -439,6 +439,7 @@ func runSupervisor(ctx context.Context, podInfo *downward.PodInfo, cfg *supervis dynamicUpstreamIDPProvider, &secretCache, clientWithoutLeaderElection.Kubernetes.CoreV1().Secrets(serverInstallationNamespace), // writes to kube storage are allowed for non-leaders + clientWithoutLeaderElection.PinnipedSupervisor.ConfigV1alpha1().OIDCClients(serverInstallationNamespace), ) // Get the "real" name of the client secret supervisor API group (i.e., the API group name with the diff --git a/internal/testutil/oidcclientsecretstorage.go b/internal/testutil/oidcclientsecretstorage.go new file mode 100644 index 00000000..b7904fc6 --- /dev/null +++ b/internal/testutil/oidcclientsecretstorage.go 
@@ -0,0 +1,51 @@ +// Copyright 2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +package testutil + +import ( + "encoding/base32" + "encoding/json" + "strings" + "testing" + + "github.com/stretchr/testify/require" + corev1 "k8s.io/api/core/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" +) + +func secretNameForUID(uid string) string { + // See GetName() in OIDCClientSecretStorage for how the production code determines the Secret name. + // This test helper is intended to choose the same name. + return "pinniped-storage-oidc-client-secret-" + + strings.ToLower(base32.StdEncoding.WithPadding(base32.NoPadding).EncodeToString([]byte(uid))) +} + +func OIDCClientSecretStorageSecretWithoutName(t *testing.T, namespace string, hashes []string) *corev1.Secret { + hashesJSON, err := json.Marshal(hashes) + require.NoError(t, err) // this shouldn't really happen since we can always encode a slice of strings + + return &corev1.Secret{ + ObjectMeta: metav1.ObjectMeta{ + Namespace: namespace, + Labels: map[string]string{"storage.pinniped.dev/type": "oidc-client-secret"}, + }, + Type: "storage.pinniped.dev/oidc-client-secret", + Data: map[string][]byte{ + "pinniped-storage-data": []byte(`{"version":"1","hashes":` + string(hashesJSON) + `}`), + "pinniped-storage-version": []byte("1"), + }, + } +} + +func OIDCClientSecretStorageSecretForUID(t *testing.T, namespace string, oidcClientUID string, hashes []string) *corev1.Secret { + secret := OIDCClientSecretStorageSecretWithoutName(t, namespace, hashes) + secret.Name = secretNameForUID(oidcClientUID) + return secret +} + +func OIDCClientSecretStorageSecretForUIDWithWrongVersion(t *testing.T, namespace string, oidcClientUID string) *corev1.Secret { + secret := OIDCClientSecretStorageSecretForUID(t, namespace, oidcClientUID, []string{}) + secret.Data["pinniped-storage-data"] = []byte(`{"version":"wrong-version","hashes":[]}`) + return secret +} 
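Review bot: The three exported helpers `OIDCClientSecretStorageSecretWithoutName`, `OIDCClientSecretStorageSecretForUID` and `OIDCClientSecretStorageSecretForUIDWithWrongVersion` have no doc comments, which Go convention expects for exported names and which matter here because the helpers deliberately duplicate the production Secret format. Suggested one-liners: `// OIDCClientSecretStorageSecretWithoutName builds a Secret in the exact format OIDCClientSecretStorage writes, minus the name, so tests can detect format drift.`, `// OIDCClientSecretStorageSecretForUID is OIDCClientSecretStorageSecretWithoutName with the name GetName() would choose for the given OIDCClient UID.`, and `// OIDCClientSecretStorageSecretForUIDWithWrongVersion returns a Secret whose stored data carries an unsupported version, for exercising the version check in ReadFromSecret.` The label, type and data-key strings are hard-coded literals mirroring constants in the production package; the cases added in oidcclientsecretstorage_test.go are what keep them in sync, and a comment pointing at those tests would help whoever next changes the format.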
diff --git a/test/integration/supervisor_login_test.go b/test/integration/supervisor_login_test.go index 1d43cdd0..af134fc1 100644 --- a/test/integration/supervisor_login_test.go +++ b/test/integration/supervisor_login_test.go 
@@ -156,29 +156,90 @@ func TestSupervisorLogin_Browser(t *testing.T) { return ldapIDP, secret } + // These tests attempt to exercise the entire login and refresh flow of the Supervisor for various cases. + // They do not use the Pinniped CLI as the client, which allows them to exercise the Supervisor as an + // OIDC provider in ways that the CLI might not use. Similar tests exist using the CLI in e2e_test.go. + // + // Each of these tests perform the following flow: + // 1. Create a FederationDomain with TLS configured and wait for its JWKS endpoint to be available. + // 2. Configure an IDP CR. + // 3. Call the authorization endpoint and log in as a specific user. + // Note that these tests do not use form_post response type (which is tested by e2e_test.go). + // 4. Listen on a local callback server for the authorization redirect, and assert that it was success or failure. + // 5. Call the token endpoint to exchange the authcode. + // 6. Call the token endpoint to perform the RFC8693 token exchange for the cluster-scoped ID token. + // 7. Potentially edit the refresh session data or IDP settings before the refresh. + // 8. Call the token endpoint to perform a refresh, and expect it to succeed. + // 9. Call the token endpoint again to perform another RFC8693 token exchange for the cluster-scoped ID token, + // this time using the recently refreshed tokens when submitting the request. + // 10. Potentially edit the refresh session data or IDP settings again, this time in such a way that the next + // refresh should fail. If done, then perform one more refresh and expect failure. 
tests := []struct { - name string - maybeSkip func(t *testing.T) - createTestUser func(t *testing.T) (string, string) - deleteTestUser func(t *testing.T, username string) - requestAuthorization func(t *testing.T, downstreamIssuer, downstreamAuthorizeURL, downstreamCallbackURL, username, password string, httpClient *http.Client) - createIDP func(t *testing.T) string - requestTokenExchangeAud string - downstreamScopes []string - wantLocalhostCallbackToNeverHappen bool - wantDownstreamIDTokenSubjectToMatch string - wantDownstreamIDTokenUsernameToMatch func(username string) string - wantDownstreamIDTokenGroups []string - wantErrorDescription string - wantErrorType string - wantTokenExchangeResponse func(t *testing.T, status int, body string) + name string - // Either revoke the user's session on the upstream provider, or manipulate the user's session + // This required function might choose to skip the test case, for example if the LDAP server is not + // available for an LDAP test. + maybeSkip func(t *testing.T) + + // This required function should configure an IDP CR. It should also wait for it to be ready and schedule + // its cleanup. Return the name of the IDP CR. + createIDP func(t *testing.T) string + + // Optionally create an OIDCClient CR for the test to use. Return the client ID and client secret for the + // test to use. When not set, the test will default to using the "pinniped-cli" static client with no secret. + // When a client secret is returned, it will be used for authcode exchange, refresh requests, and RFC8693 + // token exchanges for cluster-scoped tokens (client secrets are not needed in authorization requests). + createOIDCClient func(t *testing.T, callbackURL string) (string, string) + + // Optionally return the username and password for the test to use when logging in. This username/password + // will be passed to requestAuthorization(), or empty strings will be passed to indicate that the defaults + // should be used. 
If there is any cleanup required, then this function should also schedule that cleanup. + testUser func(t *testing.T) (string, string) + + // This required function should call the authorization endpoint using the given URL and also perform whatever + // interactions are needed to log in as the user. + requestAuthorization func(t *testing.T, downstreamIssuer, downstreamAuthorizeURL, downstreamCallbackURL, username, password string, httpClient *http.Client) + + // This string will be used as the requested audience in the RFC8693 token exchange for + // the cluster-scoped ID token. When it is not specified, a default string will be used. + requestTokenExchangeAud string + + // The scopes to request from the authorization endpoint. Defaults will be used when not specified. + downstreamScopes []string + + // When we want the localhost callback to have never happened, then the flow will stop there. The login was + // unable to finish so there is nothing to assert about what should have happened with the callback, and there + // won't be any error sent to the callback either. This would happen, for example, when the user fails to log + // in at the LDAP/AD login page, because then they would be redirected back to that page again, instead of + // getting a callback success/error redirect. + wantLocalhostCallbackToNeverHappen bool + + // The expected ID token subject claim value as a regexp, for the original ID token and the refreshed ID token. + wantDownstreamIDTokenSubjectToMatch string + // The expected ID token username claim value as a regexp, for the original ID token and the refreshed ID token. + wantDownstreamIDTokenUsernameToMatch func(username string) string + // The expected ID token groups claim value, for the original ID token and the refreshed ID token. + wantDownstreamIDTokenGroups []string + + // Want the authorization endpoint to redirect to the callback with this error type. + // The rest of the flow will be skipped since the initial authorization failed. 
+ wantErrorType string + // Want the authorization endpoint to redirect to the callback with this error description. + // Should be used with wantErrorType. + wantErrorDescription string + + // Optionally make all required assertions about the response of the RFC8693 token exchange for + // the cluster-scoped ID token, given the http response status and response body from the token endpoint. + // When this is not specified then the appropriate default assertions for a successful exchange are made. + // Even if this expects failures, the rest of the flow will continue. + wantTokenExchangeResponse func(t *testing.T, status int, body string) + + // Optionally edit the refresh session data between the initial login and the first refresh, + // which is still expected to succeed after these edits. + editRefreshSessionDataWithoutBreaking func(t *testing.T, sessionData *psession.PinnipedSession, idpName, username string) []string + // Optionally either revoke the user's session on the upstream provider, or manipulate the user's session // data in such a way that it should cause the next upstream refresh attempt to fail. breakRefreshSessionData func(t *testing.T, sessionData *psession.PinnipedSession, idpName, username string) - // Edit the refresh session data between the initial login and the refresh, which is expected to - // succeed. - editRefreshSessionDataWithoutBreaking func(t *testing.T, sessionData *psession.PinnipedSession, idpName, username string) []string }{ { name: "oidc with default username and groups claim settings", 
@@ -389,7 +450,7 @@ func TestSupervisorLogin_Browser(t *testing.T) { idp, _ := createLDAPIdentityProvider(t, nil) return idp.Name }, - createTestUser: func(t *testing.T) (string, string) { + testUser: func(t *testing.T) (string, string) { // return the username and password of the existing user that we want to use for this test return env.SupervisorUpstreamLDAP.TestUserMailAttributeValue, // username to present to server during login env.SupervisorUpstreamLDAP.TestUserPassword // password to present to server during login @@ -414,7 +475,7 @@ func TestSupervisorLogin_Browser(t *testing.T) { idp, _ := createLDAPIdentityProvider(t, nil) return idp.Name }, - createTestUser: func(t *testing.T) (string, string) { + testUser: func(t *testing.T) (string, string) { // return the username and password of the existing user that we want to use for this test return env.SupervisorUpstreamLDAP.TestUserMailAttributeValue, // username to present to server during login "this is the wrong password" // password to present to server during login @@ -429,7 +490,7 @@ func TestSupervisorLogin_Browser(t *testing.T) { idp, _ := createLDAPIdentityProvider(t, nil) return idp.Name }, - createTestUser: func(t *testing.T) (string, string) { + testUser: func(t *testing.T) (string, string) { // return the username and password of the existing user that we want to use for this test return "this is the wrong username", // username to present to server during login env.SupervisorUpstreamLDAP.TestUserPassword // password to present to server during login 
@@ -444,7 +505,7 @@ func TestSupervisorLogin_Browser(t *testing.T) { idp, _ := createLDAPIdentityProvider(t, nil) return idp.Name }, - createTestUser: func(t *testing.T) (string, string) { + testUser: func(t *testing.T) (string, string) { // return the username and password of the existing user that we want to use for this test return env.SupervisorUpstreamLDAP.TestUserMailAttributeValue, // username to present to server during login env.SupervisorUpstreamLDAP.TestUserPassword // password to present to server during login @@ -964,12 +1025,9 @@ func TestSupervisorLogin_Browser(t *testing.T) { idp, _ := createActiveDirectoryIdentityProvider(t, nil) return idp.Name }, - createTestUser: func(t *testing.T) (string, string) { + testUser: func(t *testing.T) (string, string) { return testlib.CreateFreshADTestUser(t, env) }, - deleteTestUser: func(t *testing.T, username string) { - testlib.DeleteTestADUser(t, env, username) - }, requestAuthorization: func(t *testing.T, _, downstreamAuthorizeURL, _, testUserName, testUserPassword string, httpClient *http.Client) { requestAuthorizationUsingCLIPasswordFlow(t, downstreamAuthorizeURL, @@ -997,12 +1055,9 @@ func TestSupervisorLogin_Browser(t *testing.T) { idp, _ := createActiveDirectoryIdentityProvider(t, nil) return idp.Name }, - createTestUser: func(t *testing.T) (string, string) { + testUser: func(t *testing.T) (string, string) { return testlib.CreateFreshADTestUser(t, env) }, - deleteTestUser: func(t *testing.T, username string) { - testlib.DeleteTestADUser(t, env, username) - }, requestAuthorization: func(t *testing.T, _, downstreamAuthorizeURL, _, testUserName, testUserPassword string, httpClient *http.Client) { requestAuthorizationUsingCLIPasswordFlow(t, downstreamAuthorizeURL, 
@@ -1030,12 +1085,9 @@ func TestSupervisorLogin_Browser(t *testing.T) { idp, _ := createActiveDirectoryIdentityProvider(t, nil) return idp.Name }, - createTestUser: func(t *testing.T) (string, string) { + testUser: func(t *testing.T) (string, string) { return testlib.CreateFreshADTestUser(t, env) }, - deleteTestUser: func(t *testing.T, username string) { - testlib.DeleteTestADUser(t, env, username) - }, requestAuthorization: func(t *testing.T, _, downstreamAuthorizeURL, _, testUserName, testUserPassword string, httpClient *http.Client) { requestAuthorizationUsingCLIPasswordFlow(t, downstreamAuthorizeURL, 
@@ -1226,7 +1278,62 @@ func TestSupervisorLogin_Browser(t *testing.T) { body) }, }, + { + name: "oidc upstream with downstream dynamic client happy path", + maybeSkip: skipNever, + createIDP: func(t *testing.T) string { + return testlib.CreateTestOIDCIdentityProvider(t, basicOIDCIdentityProviderSpec(), idpv1alpha1.PhaseReady).Name + }, + createOIDCClient: func(t *testing.T, callbackURL string) (string, string) { + return testlib.CreateOIDCClient(t, configv1alpha1.OIDCClientSpec{ + AllowedRedirectURIs: []configv1alpha1.RedirectURI{configv1alpha1.RedirectURI(callbackURL)}, + AllowedGrantTypes: []configv1alpha1.GrantType{"authorization_code", "urn:ietf:params:oauth:grant-type:token-exchange", "refresh_token"}, + AllowedScopes: []configv1alpha1.Scope{"openid", "offline_access", "pinniped:request-audience", "groups"}, + }, configv1alpha1.PhaseReady) + }, + requestAuthorization: requestAuthorizationUsingBrowserAuthcodeFlowOIDC, + // the ID token Subject should include the upstream user ID after the upstream issuer name + wantDownstreamIDTokenSubjectToMatch: "^" + regexp.QuoteMeta(env.SupervisorUpstreamOIDC.Issuer+"?sub=") + ".+", + // the ID token Username should include the upstream user ID after the upstream issuer name + wantDownstreamIDTokenUsernameToMatch: func(_ string) string { return "^" + regexp.QuoteMeta(env.SupervisorUpstreamOIDC.Issuer+"?sub=") + ".+" }, + }, + { + name: "ldap upstream with downstream dynamic client happy path", + maybeSkip: skipLDAPTests, + createIDP: func(t *testing.T) string { + idp, _ := createLDAPIdentityProvider(t, nil) + return idp.Name + }, + createOIDCClient: func(t *testing.T, callbackURL string) (string, string) { + return testlib.CreateOIDCClient(t, configv1alpha1.OIDCClientSpec{ + AllowedRedirectURIs: []configv1alpha1.RedirectURI{configv1alpha1.RedirectURI(callbackURL)}, + AllowedGrantTypes: []configv1alpha1.GrantType{"authorization_code", "urn:ietf:params:oauth:grant-type:token-exchange", "refresh_token"}, + AllowedScopes: 
[]configv1alpha1.Scope{"openid", "offline_access", "pinniped:request-audience", "groups"}, + }, configv1alpha1.PhaseReady) + }, + requestAuthorization: func(t *testing.T, _, downstreamAuthorizeURL, _, _, _ string, httpClient *http.Client) { + requestAuthorizationUsingCLIPasswordFlow(t, + downstreamAuthorizeURL, + env.SupervisorUpstreamLDAP.TestUserMailAttributeValue, // username to present to server during login + env.SupervisorUpstreamLDAP.TestUserPassword, // password to present to server during login + httpClient, + false, + ) + }, + // the ID token Subject should be the Host URL plus the value pulled from the requested UserSearch.Attributes.UID attribute + wantDownstreamIDTokenSubjectToMatch: "^" + regexp.QuoteMeta( + "ldaps://"+env.SupervisorUpstreamLDAP.Host+ + "?base="+url.QueryEscape(env.SupervisorUpstreamLDAP.UserSearchBase)+ + "&sub="+base64.RawURLEncoding.EncodeToString([]byte(env.SupervisorUpstreamLDAP.TestUserUniqueIDAttributeValue)), + ) + "$", + // the ID token Username should have been pulled from the requested UserSearch.Attributes.Username attribute + wantDownstreamIDTokenUsernameToMatch: func(_ string) string { + return "^" + regexp.QuoteMeta(env.SupervisorUpstreamLDAP.TestUserMailAttributeValue) + "$" + }, + wantDownstreamIDTokenGroups: env.SupervisorUpstreamLDAP.TestUserDirectGroupsDNs, + }, } + for _, test := range tests { tt := test t.Run(tt.name, func(t *testing.T) { @@ -1237,8 +1344,8 @@ func TestSupervisorLogin_Browser(t *testing.T) { tt.requestAuthorization, tt.editRefreshSessionDataWithoutBreaking, tt.breakRefreshSessionData, - tt.createTestUser, - tt.deleteTestUser, + tt.testUser, + tt.createOIDCClient, tt.downstreamScopes, tt.requestTokenExchangeAud, tt.wantLocalhostCallbackToNeverHappen, 
@@ -1377,8 +1484,8 @@ func testSupervisorLogin( requestAuthorization func(t *testing.T, downstreamIssuer string, downstreamAuthorizeURL string, downstreamCallbackURL string, username string, password string, httpClient *http.Client), editRefreshSessionDataWithoutBreaking func(t *testing.T, pinnipedSession *psession.PinnipedSession, idpName, username string) []string, breakRefreshSessionData func(t *testing.T, pinnipedSession *psession.PinnipedSession, idpName, username string), - createTestUser func(t *testing.T) (string, string), - deleteTestUser func(t *testing.T, username string), + testUser func(t *testing.T) (string, string), + createOIDCClient func(t *testing.T, callbackURL string) (string, string), downstreamScopes []string, requestTokenExchangeAud string, wantLocalhostCallbackToNeverHappen bool, @@ -1475,12 +1582,20 @@ func testSupervisorLogin( // Create upstream IDP and wait for it to become ready. idpName := createIDP(t) + // Start a callback server on localhost. + localCallbackServer := startLocalCallbackServer(t) + + // Optionally create an OIDCClient. Default to using the hardcoded public client that the Supervisor supports. + clientID, clientSecret := "pinniped-cli", "" //nolint:gosec // empty credential is not a hardcoded credential + if createOIDCClient != nil { + clientID, clientSecret = createOIDCClient(t, localCallbackServer.URL) + } + + // Optionally override which user to use for the test, or choose zero values to mean use the default for + // the test's IDP. username, password := "", "" - if createTestUser != nil { - username, password = createTestUser(t) - if deleteTestUser != nil { - defer deleteTestUser(t, username) - } + if testUser != nil { + username, password = testUser(t) } // Perform OIDC discovery for our downstream. 
@@ -1491,23 +1606,27 @@ func testSupervisorLogin( requireEventually.NoError(err) }, 30*time.Second, 200*time.Millisecond) - // Start a callback server on localhost. - localCallbackServer := startLocalCallbackServer(t) - if downstreamScopes == nil { downstreamScopes = []string{"openid", "pinniped:request-audience", "offline_access", "groups"} } - // Form the OAuth2 configuration corresponding to our CLI client. + // Create the OAuth2 configuration. // Note that this is not using response_type=form_post, so the Supervisor will redirect to the callback endpoint // directly, without using the Javascript form_post HTML page to POST back to the callback endpoint. The e2e // tests which use the Pinniped CLI are testing the form_post part of the flow, so that is covered elsewhere. + // When ClientSecret is set here, it will be used for all token endpoint requests, but not for the authorization + // request, where it is not needed. + endpoint := discovery.Endpoint() + if clientSecret != "" { + // We only support basic auth for dynamic clients, so use basic auth in these tests. + endpoint.AuthStyle = oauth2.AuthStyleInHeader + } downstreamOAuth2Config := oauth2.Config{ - // This is the hardcoded public client that the supervisor supports. - ClientID: "pinniped-cli", - Endpoint: discovery.Endpoint(), - RedirectURL: localCallbackServer.URL, - Scopes: downstreamScopes, + ClientID: clientID, + ClientSecret: clientSecret, + Endpoint: endpoint, + RedirectURL: localCallbackServer.URL, + Scopes: downstreamScopes, } // Build a valid downstream authorize URL for the supervisor. 
@@ -1573,9 +1692,9 @@ func testSupervisorLogin( signatureOfLatestRefreshToken := getFositeDataSignature(t, latestRefreshToken) // First use the latest downstream refresh token to look up the corresponding session in the Supervisor's storage. - kubeClient := testlib.NewKubernetesClientset(t) - supervisorSecretsClient := kubeClient.CoreV1().Secrets(env.SupervisorNamespace) - oauthStore := oidc.NewKubeStorage(supervisorSecretsClient, oidc.DefaultOIDCTimeoutsConfiguration()) + supervisorSecretsClient := testlib.NewKubernetesClientset(t).CoreV1().Secrets(env.SupervisorNamespace) + supervisorOIDCClientsClient := testlib.NewSupervisorClientset(t).ConfigV1alpha1().OIDCClients(env.SupervisorNamespace) + oauthStore := oidc.NewKubeStorage(supervisorSecretsClient, supervisorOIDCClientsClient, oidc.DefaultOIDCTimeoutsConfiguration()) storedRefreshSession, err := oauthStore.GetRefreshTokenSession(ctx, signatureOfLatestRefreshToken, nil) require.NoError(t, err) @@ -1618,9 +1737,9 @@ func testSupervisorLogin( signatureOfLatestRefreshToken := getFositeDataSignature(t, latestRefreshToken) // First use the latest downstream refresh token to look up the corresponding session in the Supervisor's storage. - kubeClient := testlib.NewKubernetesClientset(t) - supervisorSecretsClient := kubeClient.CoreV1().Secrets(env.SupervisorNamespace) - oauthStore := oidc.NewKubeStorage(supervisorSecretsClient, oidc.DefaultOIDCTimeoutsConfiguration()) + supervisorSecretsClient := testlib.NewKubernetesClientset(t).CoreV1().Secrets(env.SupervisorNamespace) + supervisorOIDCClientsClient := testlib.NewSupervisorClientset(t).ConfigV1alpha1().OIDCClients(env.SupervisorNamespace) + oauthStore := oidc.NewKubeStorage(supervisorSecretsClient, supervisorOIDCClientsClient, oidc.DefaultOIDCTimeoutsConfiguration()) storedRefreshSession, err := oauthStore.GetRefreshTokenSession(ctx, signatureOfLatestRefreshToken, nil) require.NoError(t, err) 
@@ -1922,6 +2041,10 @@ func doTokenExchange( req, err := http.NewRequestWithContext(ctx, http.MethodPost, config.Endpoint.TokenURL, reqBody) require.NoError(t, err) req.Header.Set("content-type", "application/x-www-form-urlencoded") + if config.ClientSecret != "" { + // We only support basic auth for dynamic clients, so use basic auth in these tests. + req.SetBasicAuth(config.ClientID, config.ClientSecret) + } resp, err := httpClient.Do(req) require.NoError(t, err) diff --git a/test/integration/supervisor_oidc_client_test.go b/test/integration/supervisor_oidc_client_test.go index cf059fd3..4ec9fc55 100644 --- a/test/integration/supervisor_oidc_client_test.go +++ b/test/integration/supervisor_oidc_client_test.go @@ -528,16 +528,7 @@ func TestOIDCClientControllerValidations_Parallel(t *testing.T) { AllowedScopes: []supervisorconfigv1alpha1.Scope{"openid"}, }, }, - secret: &corev1.Secret{ - ObjectMeta: metav1.ObjectMeta{ - Labels: map[string]string{"storage.pinniped.dev/type": "oidc-client-secret"}, - }, - Type: "storage.pinniped.dev/oidc-client-secret", - Data: map[string][]byte{ - "pinniped-storage-data": []byte(`{"version":"1","hashes":[]}`), - "pinniped-storage-version": []byte("1"), - }, - }, + secret: testutil.OIDCClientSecretStorageSecretWithoutName(t, env.SupervisorNamespace, []string{}), wantPhase: "Error", wantConditions: []supervisorconfigv1alpha1.Condition{ { 
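Review bot: `req.SetBasicAuth(config.ClientID, config.ClientSecret)` in doTokenExchange puts the raw credentials into the Authorization header, but RFC 6749 §2.3.1 requires client_id and client_secret to be application/x-www-form-urlencoded before base64, and the x/oauth2 AuthStyleInHeader path that the other token requests use does percent-encode them as far as I recall, so the two paths could diverge for a client_id or secret containing reserved characters. It is safe here only because the generated client name prefix `client.oauth.pinniped.dev-test-` and the hex secret created by the testlib helper contain no such characters. I would either make that assumption visible, `// NOTE: SetBasicAuth does not form-urlencode; fine here because the test client_id and hex secret contain no reserved characters`, or encode explicitly with `req.SetBasicAuth(url.QueryEscape(config.ClientID), url.QueryEscape(config.ClientSecret))` since this file already imports net/url. doTokenExchange's body starts and ends outside the hunk.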
@@ -572,16 +563,7 @@ func TestOIDCClientControllerValidations_Parallel(t *testing.T) { AllowedScopes: []supervisorconfigv1alpha1.Scope{"openid", "offline_access", "pinniped:request-audience", "username", "groups"}, }, }, - secret: &corev1.Secret{ - ObjectMeta: metav1.ObjectMeta{ - Labels: map[string]string{"storage.pinniped.dev/type": "oidc-client-secret"}, - }, - Type: "storage.pinniped.dev/oidc-client-secret", - Data: map[string][]byte{ - "pinniped-storage-data": []byte(`{"version":"1","hashes":["$2y$15$Kh7cRj0ScSD5QelE3ZNSl.nF04JDv7zb3SgGN.tSfLIX.4kt3UX7m"]}`), - "pinniped-storage-version": []byte("1"), - }, - }, + secret: testutil.OIDCClientSecretStorageSecretWithoutName(t, env.SupervisorNamespace, []string{"$2y$15$Kh7cRj0ScSD5QelE3ZNSl.nF04JDv7zb3SgGN.tSfLIX.4kt3UX7m"}), wantPhase: "Ready", wantConditions: []supervisorconfigv1alpha1.Condition{ { diff --git a/test/integration/supervisor_warnings_test.go b/test/integration/supervisor_warnings_test.go index 3fdfffb9..e3ea9485 100644 --- a/test/integration/supervisor_warnings_test.go +++ b/test/integration/supervisor_warnings_test.go 
@@ -186,9 +186,10 @@ func TestSupervisorWarnings_Browser(t *testing.T) { // using the refresh token signature contained in the cache, get the refresh token session // out of kube secret storage. - kubeClient := testlib.NewKubernetesClientset(t).CoreV1() + supervisorSecretsClient := testlib.NewKubernetesClientset(t).CoreV1().Secrets(env.SupervisorNamespace) + supervisorOIDCClientsClient := testlib.NewSupervisorClientset(t).ConfigV1alpha1().OIDCClients(env.SupervisorNamespace) + oauthStore := oidc.NewKubeStorage(supervisorSecretsClient, supervisorOIDCClientsClient, oidc.DefaultOIDCTimeoutsConfiguration()) refreshTokenSignature := strings.Split(token.RefreshToken.Token, ".")[1] - oauthStore := oidc.NewKubeStorage(kubeClient.Secrets(env.SupervisorNamespace), oidc.DefaultOIDCTimeoutsConfiguration()) storedRefreshSession, err := oauthStore.GetRefreshTokenSession(ctx, refreshTokenSignature, nil) require.NoError(t, err) @@ -246,9 +247,6 @@ func TestSupervisorWarnings_Browser(t *testing.T) { testlib.SkipTestWhenActiveDirectoryIsUnavailable(t, env) expectedUsername, password := testlib.CreateFreshADTestUser(t, env) - t.Cleanup(func() { - testlib.DeleteTestADUser(t, env, expectedUsername) - }) sAMAccountName := expectedUsername + "@" + env.SupervisorUpstreamActiveDirectory.Domain setupClusterForEndToEndActiveDirectoryTest(t, sAMAccountName, env) @@ -308,9 +306,6 @@ func TestSupervisorWarnings_Browser(t *testing.T) { // create an active directory group, and add our user to it. groupName := testlib.CreateFreshADTestGroup(t, env) - t.Cleanup(func() { - testlib.DeleteTestADUser(t, env, groupName) - }) testlib.AddTestUserToGroup(t, env, groupName, expectedUsername) // remove the credential cache, which includes the cached cert, so it won't be reused and the refresh flow will be triggered. 
@@ -499,9 +494,10 @@ func TestSupervisorWarnings_Browser(t *testing.T) { // using the refresh token signature contained in the cache, get the refresh token session // out of kube secret storage. - kubeClient := testlib.NewKubernetesClientset(t).CoreV1() + supervisorSecretsClient := testlib.NewKubernetesClientset(t).CoreV1().Secrets(env.SupervisorNamespace) + supervisorOIDCClientsClient := testlib.NewSupervisorClientset(t).ConfigV1alpha1().OIDCClients(env.SupervisorNamespace) + oauthStore := oidc.NewKubeStorage(supervisorSecretsClient, supervisorOIDCClientsClient, oidc.DefaultOIDCTimeoutsConfiguration()) refreshTokenSignature := strings.Split(token.RefreshToken.Token, ".")[1] - oauthStore := oidc.NewKubeStorage(kubeClient.Secrets(env.SupervisorNamespace), oidc.DefaultOIDCTimeoutsConfiguration()) storedRefreshSession, err := oauthStore.GetRefreshTokenSession(ctx, refreshTokenSignature, nil) require.NoError(t, err) diff --git a/test/testlib/activedirectory.go b/test/testlib/activedirectory.go index b4440a99..25580059 100644 --- a/test/testlib/activedirectory.go +++ b/test/testlib/activedirectory.go @@ -42,6 +42,11 @@ func CreateFreshADTestUser(t *testing.T, env *TestEnv) (string, string) { err = conn.Add(a) require.NoError(t, err) + // Now that it has been created, schedule it for cleanup. + t.Cleanup(func() { + deleteTestADUser(t, env, testUserName) + }) + // modify password and enable account testUserPassword := createRandomASCIIString(t, 20) enc := unicode.UTF16(unicode.LittleEndian, unicode.IgnoreBOM).NewEncoder() @@ -83,6 +88,11 @@ func CreateFreshADTestGroup(t *testing.T, env *TestEnv) string { err = conn.Add(a) require.NoError(t, err) + // Now that it has been created, schedule it for cleanup. + t.Cleanup(func() { + deleteTestADUser(t, env, testGroupName) + }) + time.Sleep(20 * time.Second) // intrasite domain controller replication can take up to 15 seconds, so wait to ensure the change has propogated. return testGroupName } 
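Review bot: The cleanup registered in CreateFreshADTestGroup calls `deleteTestADUser(t, env, testGroupName)` on a group, so the helper's name now misdescribes one of its two callers; the call site removed from supervisor_warnings_test in this patch did the same, so the behaviour is presumably unchanged, but a reader of activedirectory.go alone cannot tell that deleting a group through a "user" helper is intended. Either rename it to something like `deleteTestADEntry`, or add a doc comment above its definition such as `// deleteTestADUser removes the given test entry; it presumably deletes by DN, so CreateFreshADTestGroup reuses it for groups.` and a one-liner at the group cleanup, `// same delete helper as for users; works on the group entry as well`. The helper's definition is outside this hunk.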
@@ -164,8 +174,8 @@ func ChangeADTestUserPassword(t *testing.T, env *TestEnv, testUserName string) { // don't bother to return the new password... we won't be using it, just checking that it's changed. } -// DeleteTestADUser deletes the test user created for this test. -func DeleteTestADUser(t *testing.T, env *TestEnv, testUserName string) { +// deleteTestADUser deletes the test user created for this test. +func deleteTestADUser(t *testing.T, env *TestEnv, testUserName string) { t.Helper() conn := dialTLS(t, env) // bind diff --git a/test/testlib/client.go b/test/testlib/client.go index b395d6fe..2c514f7d 100644 --- a/test/testlib/client.go +++ b/test/testlib/client.go @@ -16,9 +16,11 @@ import ( "time" "github.com/stretchr/testify/require" + "golang.org/x/crypto/bcrypt" authorizationv1 "k8s.io/api/authorization/v1" corev1 "k8s.io/api/core/v1" rbacv1 "k8s.io/api/rbac/v1" + apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/client/clientset/clientset/typed/apiextensions/v1" k8serrors "k8s.io/apimachinery/pkg/api/errors" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/client-go/kubernetes" @@ -26,8 +28,6 @@ import ( "k8s.io/client-go/tools/clientcmd" aggregatorclient "k8s.io/kube-aggregator/pkg/client/clientset_generated/clientset" - apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/client/clientset/clientset/typed/apiextensions/v1" - auth1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1" "go.pinniped.dev/generated/latest/apis/concierge/login/v1alpha1" configv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/config/v1alpha1" @@ -36,6 +36,7 @@ import ( supervisorclientset "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned" "go.pinniped.dev/internal/groupsuffix" "go.pinniped.dev/internal/kubeclient" + "go.pinniped.dev/internal/oidcclientsecretstorage" // Import to initialize client auth plugins - the kubeconfig that we use for // testing may use gcloud, az, oidc, etc. 
@@ -378,6 +379,89 @@ func CreateClientCredsSecret(t *testing.T, clientID string, clientSecret string) ) } +func CreateOIDCClient(t *testing.T, spec configv1alpha1.OIDCClientSpec, expectedPhase configv1alpha1.OIDCClientPhase) (string, string) { + t.Helper() + env := IntegrationEnv(t) + client := NewSupervisorClientset(t) + ctx, cancel := context.WithTimeout(context.Background(), 5*time.Minute) + defer cancel() + + oidcClientClient := client.ConfigV1alpha1().OIDCClients(env.SupervisorNamespace) + + // Create the OIDCClient using GenerateName to get a random name. + created, err := oidcClientClient.Create(ctx, &configv1alpha1.OIDCClient{ + ObjectMeta: metav1.ObjectMeta{ + GenerateName: "client.oauth.pinniped.dev-test-", // use the required name prefix + Labels: map[string]string{"pinniped.dev/test": ""}, + Annotations: map[string]string{"pinniped.dev/testName": t.Name()}, + }, + Spec: spec, + }, metav1.CreateOptions{}) + require.NoError(t, err) + + // Always clean this up after this point. + t.Cleanup(func() { + t.Logf("cleaning up test OIDCClient %s/%s", created.Namespace, created.Name) + err := oidcClientClient.Delete(context.Background(), created.Name, metav1.DeleteOptions{}) + require.NoError(t, err) + }) + t.Logf("created test OIDCClient %s", created.Name) + + // Create a client secret for the new OIDCClient. + clientSecret := createOIDCClientSecret(t, created) + + // Wait for the OIDCClient to enter the expected phase (or time out). 
+ var result *configv1alpha1.OIDCClient + RequireEventuallyf(t, func(requireEventually *require.Assertions) { + var err error + result, err = oidcClientClient.Get(ctx, created.Name, metav1.GetOptions{}) + requireEventually.NoErrorf(err, "error while getting OIDCClient %s/%s", created.Namespace, created.Name) + requireEventually.Equal(expectedPhase, result.Status.Phase) + }, 60*time.Second, 1*time.Second, "expected the OIDCClient to go into phase %s, OIDCClient was: %s", expectedPhase, Sdump(result)) + + return created.Name, clientSecret +} + +func createOIDCClientSecret(t *testing.T, forOIDCClient *configv1alpha1.OIDCClient) string { + // TODO Replace this with a call to the real Supervisor API for creating client secrets after that gets implemented. + // For now, just manually create a Secret with the right format so the tests can work. + t.Helper() + env := IntegrationEnv(t) + kubeClient := NewKubernetesClientset(t) + ctx, cancel := context.WithTimeout(context.Background(), 5*time.Minute) + defer cancel() + + var buf [32]byte + _, err := io.ReadFull(rand.Reader, buf[:]) + require.NoError(t, err) + randomSecret := hex.EncodeToString(buf[:]) + hashedRandomSecret, err := bcrypt.GenerateFromPassword([]byte(randomSecret), 15) + require.NoError(t, err) + + created, err := kubeClient.CoreV1().Secrets(env.SupervisorNamespace).Create(ctx, &corev1.Secret{ + ObjectMeta: metav1.ObjectMeta{ + Name: oidcclientsecretstorage.New(nil, nil).GetName(forOIDCClient.UID), // use the required name + Labels: map[string]string{"storage.pinniped.dev/type": "oidc-client-secret", "pinniped.dev/test": ""}, + Annotations: map[string]string{"pinniped.dev/testName": t.Name()}, + }, + Type: "storage.pinniped.dev/oidc-client-secret", + Data: map[string][]byte{ + "pinniped-storage-data": []byte(`{"version":"1","hashes":["` + string(hashedRandomSecret) + `"]}`), + "pinniped-storage-version": []byte("1"), + }, + }, metav1.CreateOptions{}) + require.NoError(t, err) + + t.Cleanup(func() { + 
t.Logf("cleaning up test Secret %s/%s", created.Namespace, created.Name) + err := kubeClient.CoreV1().Secrets(env.SupervisorNamespace).Delete(context.Background(), created.Name, metav1.DeleteOptions{}) + require.NoError(t, err) + }) + + t.Logf("created test Secret %s", created.Name) + return randomSecret +} + func CreateTestOIDCIdentityProvider(t *testing.T, spec idpv1alpha1.OIDCIdentityProviderSpec, expectedPhase idpv1alpha1.OIDCIdentityProviderPhase) *idpv1alpha1.OIDCIdentityProvider { t.Helper() env := IntegrationEnv(t) @@ -385,9 +469,9 @@ func CreateTestOIDCIdentityProvider(t *testing.T, spec idpv1alpha1.OIDCIdentityP ctx, cancel := context.WithTimeout(context.Background(), 5*time.Minute) defer cancel() - // Create the OIDCIdentityProvider using GenerateName to get a random name. upstreams := client.IDPV1alpha1().OIDCIdentityProviders(env.SupervisorNamespace) + // Create the OIDCIdentityProvider using GenerateName to get a random name. created, err := upstreams.Create(ctx, &idpv1alpha1.OIDCIdentityProvider{ ObjectMeta: testObjectMeta(t, "upstream-oidc-idp"), Spec: spec, @@ -420,9 +504,9 @@ func CreateTestLDAPIdentityProvider(t *testing.T, spec idpv1alpha1.LDAPIdentityP ctx, cancel := context.WithTimeout(context.Background(), 5*time.Minute) defer cancel() - // Create the LDAPIdentityProvider using GenerateName to get a random name. upstreams := client.IDPV1alpha1().LDAPIdentityProviders(env.SupervisorNamespace) + // Create the LDAPIdentityProvider using GenerateName to get a random name. created, err := upstreams.Create(ctx, &idpv1alpha1.LDAPIdentityProvider{ ObjectMeta: testObjectMeta(t, "upstream-ldap-idp"), Spec: spec, 
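Review bot: createOIDCClientSecret builds the stored JSON by string concatenation, `[]byte(`{"version":"1","hashes":["` + string(hashedRandomSecret) + `"]}`)`, and hard-codes the bcrypt cost as a bare `15`; the concatenation only works because bcrypt output is confined to `./A-Za-z0-9$`, and the magic cost will silently drift from whatever minimum the Supervisor's validator accepts (a later commit in this series changes that minimum). Marshalling a small struct with encoding/json makes the format explicit and survives a change to the storage schema, and a named constant documents why the cost was chosen. It is also worth a one-line comment that the 32-byte hex secret is 64 characters, comfortably under bcrypt's 72-byte input limit, because GenerateFromPassword silently truncates longer inputs. The rewrite below needs `encoding/json` added to the import block, which is outside this hunk.
```go
// … unchanged: 32 random bytes hex-encoded into randomSecret (64 chars, under bcrypt's 72-byte limit) …
const testBcryptCost = 15 // keep >= the Supervisor's minimum accepted cost for OIDCClient secrets
hashedRandomSecret, err := bcrypt.GenerateFromPassword([]byte(randomSecret), testBcryptCost)
require.NoError(t, err)

storageData, err := json.Marshal(struct {
	Version string   `json:"version"`
	Hashes  []string `json:"hashes"`
}{Version: "1", Hashes: []string{string(hashedRandomSecret)}})
require.NoError(t, err)
// … unchanged: Secret create, with storageData as the "pinniped-storage-data" value …
```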
@@ -461,9 +545,9 @@ func CreateTestActiveDirectoryIdentityProvider(t *testing.T, spec idpv1alpha1.Ac ctx, cancel := context.WithTimeout(context.Background(), 5*time.Minute) defer cancel() - // Create the ActiveDirectoryIdentityProvider using GenerateName to get a random name. upstreams := client.IDPV1alpha1().ActiveDirectoryIdentityProviders(env.SupervisorNamespace) + // Create the ActiveDirectoryIdentityProvider using GenerateName to get a random name. created, err := upstreams.Create(ctx, &idpv1alpha1.ActiveDirectoryIdentityProvider{ ObjectMeta: testObjectMeta(t, "upstream-ad-idp"), Spec: spec, @@ -501,9 +585,9 @@ func CreateTestClusterRoleBinding(t *testing.T, subject rbacv1.Subject, roleRef ctx, cancel := context.WithTimeout(context.Background(), time.Minute) defer cancel() - // Create the ClusterRoleBinding using GenerateName to get a random name. clusterRoles := client.RbacV1().ClusterRoleBindings() + // Create the ClusterRoleBinding using GenerateName to get a random name. created, err := clusterRoles.Create(ctx, &rbacv1.ClusterRoleBinding{ ObjectMeta: testObjectMeta(t, "cluster-role"), Subjects: []rbacv1.Subject{subject}, From f5f55176af9e45492fa1042014d352293993b1a7 Mon Sep 17 00:00:00 2001 From: Ryan Richard Date: Thu, 14 Jul 2022 18:50:23 -0700 Subject: [PATCH 32/61] Enhance integration tests for OIDCClients in supervisor_login_test.go --- test/integration/supervisor_login_test.go | 53 ++++++++++++++++++----- 1 file changed, 43 insertions(+), 10 deletions(-) diff --git a/test/integration/supervisor_login_test.go b/test/integration/supervisor_login_test.go index af134fc1..fa9c74b3 100644 --- a/test/integration/supervisor_login_test.go +++ b/test/integration/supervisor_login_test.go 
@@ -1288,7 +1288,7 @@ func TestSupervisorLogin_Browser(t *testing.T) { return testlib.CreateOIDCClient(t, configv1alpha1.OIDCClientSpec{ AllowedRedirectURIs: []configv1alpha1.RedirectURI{configv1alpha1.RedirectURI(callbackURL)}, AllowedGrantTypes: []configv1alpha1.GrantType{"authorization_code", "urn:ietf:params:oauth:grant-type:token-exchange", "refresh_token"}, - AllowedScopes: []configv1alpha1.Scope{"openid", "offline_access", "pinniped:request-audience", "groups"}, + AllowedScopes: []configv1alpha1.Scope{"openid", "offline_access", "pinniped:request-audience", "username", "groups"}, }, configv1alpha1.PhaseReady) }, requestAuthorization: requestAuthorizationUsingBrowserAuthcodeFlowOIDC, 
@@ -1308,18 +1308,15 @@ func TestSupervisorLogin_Browser(t *testing.T) { return testlib.CreateOIDCClient(t, configv1alpha1.OIDCClientSpec{ AllowedRedirectURIs: []configv1alpha1.RedirectURI{configv1alpha1.RedirectURI(callbackURL)}, AllowedGrantTypes: []configv1alpha1.GrantType{"authorization_code", "urn:ietf:params:oauth:grant-type:token-exchange", "refresh_token"}, - AllowedScopes: []configv1alpha1.Scope{"openid", "offline_access", "pinniped:request-audience", "groups"}, + AllowedScopes: []configv1alpha1.Scope{"openid", "offline_access", "pinniped:request-audience", "username", "groups"}, }, configv1alpha1.PhaseReady) }, - requestAuthorization: func(t *testing.T, _, downstreamAuthorizeURL, _, _, _ string, httpClient *http.Client) { - requestAuthorizationUsingCLIPasswordFlow(t, - downstreamAuthorizeURL, - env.SupervisorUpstreamLDAP.TestUserMailAttributeValue, // username to present to server during login - env.SupervisorUpstreamLDAP.TestUserPassword, // password to present to server during login - httpClient, - false, - ) + testUser: func(t *testing.T) (string, string) { + // return the username and password of the existing user that we want to use for this test + return env.SupervisorUpstreamLDAP.TestUserMailAttributeValue, // username to present to server during login + env.SupervisorUpstreamLDAP.TestUserPassword // password to present to server during login }, + requestAuthorization: requestAuthorizationUsingBrowserAuthcodeFlowLDAP, // the ID token Subject should be the Host URL plus the value pulled from the requested UserSearch.Attributes.UID attribute wantDownstreamIDTokenSubjectToMatch: "^" + regexp.QuoteMeta( "ldaps://"+env.SupervisorUpstreamLDAP.Host+ 
@@ -1332,6 +1329,42 @@ func TestSupervisorLogin_Browser(t *testing.T) { }, wantDownstreamIDTokenGroups: env.SupervisorUpstreamLDAP.TestUserDirectGroupsDNs, }, + { + name: "active directory with all default options with downstream dynamic client happy path", + maybeSkip: skipActiveDirectoryTests, + createIDP: func(t *testing.T) string { + idp, _ := createActiveDirectoryIdentityProvider(t, nil) + return idp.Name + }, + createOIDCClient: func(t *testing.T, callbackURL string) (string, string) { + return testlib.CreateOIDCClient(t, configv1alpha1.OIDCClientSpec{ + AllowedRedirectURIs: []configv1alpha1.RedirectURI{configv1alpha1.RedirectURI(callbackURL)}, + AllowedGrantTypes: []configv1alpha1.GrantType{"authorization_code", "urn:ietf:params:oauth:grant-type:token-exchange", "refresh_token"}, + AllowedScopes: []configv1alpha1.Scope{"openid", "offline_access", "pinniped:request-audience", "username", "groups"}, + }, configv1alpha1.PhaseReady) + }, + requestAuthorization: func(t *testing.T, downstreamIssuer, downstreamAuthorizeURL, downstreamCallbackURL, _, _ string, httpClient *http.Client) { + requestAuthorizationUsingBrowserAuthcodeFlowLDAP(t, + downstreamIssuer, + downstreamAuthorizeURL, + downstreamCallbackURL, + env.SupervisorUpstreamActiveDirectory.TestUserPrincipalNameValue, // username to present to server during login + env.SupervisorUpstreamActiveDirectory.TestUserPassword, // password to present to server during login + httpClient, + ) + }, + // the ID token Subject should be the Host URL plus the value pulled from the requested UserSearch.Attributes.UID attribute + wantDownstreamIDTokenSubjectToMatch: "^" + regexp.QuoteMeta( + "ldaps://"+env.SupervisorUpstreamActiveDirectory.Host+ + "?base="+url.QueryEscape(env.SupervisorUpstreamActiveDirectory.DefaultNamingContextSearchBase)+ + "&sub="+env.SupervisorUpstreamActiveDirectory.TestUserUniqueIDAttributeValue, + ) + "$", + // the ID token Username should have been pulled from the requested 
UserSearch.Attributes.Username attribute + wantDownstreamIDTokenUsernameToMatch: func(_ string) string { + return "^" + regexp.QuoteMeta(env.SupervisorUpstreamActiveDirectory.TestUserPrincipalNameValue) + "$" + }, + wantDownstreamIDTokenGroups: env.SupervisorUpstreamActiveDirectory.TestUserIndirectGroupsSAMAccountPlusDomainNames, + }, } for _, test := range tests { From 34509e74305e7779e5064c1e70f83888f77ca5d6 Mon Sep 17 00:00:00 2001 
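Review bot: wantDownstreamIDTokenSubjectToMatch in the new Active Directory case appends `"&sub="+env.SupervisorUpstreamActiveDirectory.TestUserUniqueIDAttributeValue` unencoded, whereas the LDAP dynamic-client case in the same table wraps its UID attribute value in `base64.RawURLEncoding.EncodeToString`; a reader comparing the two will suspect one of them is wrong. If the AD env value is already the encoded objectGUID this is correct, but that is not visible from the test, so a comment would settle it: `// AD's TestUserUniqueIDAttributeValue is expected to be pre-encoded (objectGUID), so no base64 here unlike the LDAP case — TODO confirm`. The test table this case belongs to starts outside the hunk.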
From: Ryan Richard Date: Wed, 20 Jul 2022 13:55:56 -0700 Subject: [PATCH 33/61] Add more unit tests for dynamic clients and enhance token exchange - Enhance the token exchange to check that the same client is used compared to the client used during the original authorization and token requests, and also check that the client has the token-exchange grant type allowed in its configuration. - Reduce the minimum required bcrypt cost for OIDCClient secrets because 15 is too slow for real-life use, especially considering that every login and every refresh flow will require two client auths. - In unit tests, use bcrypt hashes with a cost of 4, because bcrypt slows down by 13x when run with the race detector, and we run our tests with the race detector enabled, causing the tests to be unacceptably slow. The production code uses a higher minimum cost. - Centralize all pre-computed bcrypt hashes used by unit tests to a single place. Also extract some other useful test helpers for unit tests related to OIDCClients. - Add tons of unit tests for the token endpoint related to dynamic clients for authcode exchanges, token exchanges, and refreshes. 
--- .../oidcclientwatcher/oidc_client_watcher.go | 2 +- .../oidc_client_watcher_test.go | 57 +- internal/oidc/auth/auth_handler_test.go | 93 +-- .../oidc/callback/callback_handler_test.go | 28 +- .../oidc/clientregistry/clientregistry.go | 5 +- .../clientregistry/clientregistry_test.go | 20 +- internal/oidc/kube_storage.go | 9 +- .../oidc/login/post_login_handler_test.go | 22 +- internal/oidc/nullstorage.go | 8 +- .../oidcclientvalidator.go | 14 +- internal/oidc/provider/manager/manager.go | 5 +- internal/oidc/token/token_handler_test.go | 763 ++++++++++++++++-- internal/oidc/token_exchange.go | 22 +- internal/testutil/assertions.go | 18 + internal/testutil/oidcclient.go | 67 ++ internal/testutil/oidcclient_test.go | 61 ++ test/integration/supervisor_login_test.go | 5 +- .../supervisor_oidc_client_test.go | 2 +- test/integration/supervisor_warnings_test.go | 5 +- 19 files changed, 1007 insertions(+), 199 deletions(-) create mode 100644 internal/testutil/oidcclient.go create mode 100644 internal/testutil/oidcclient_test.go diff --git a/internal/controller/supervisorconfig/oidcclientwatcher/oidc_client_watcher.go b/internal/controller/supervisorconfig/oidcclientwatcher/oidc_client_watcher.go index 12123731..041e5c94 100644 --- a/internal/controller/supervisorconfig/oidcclientwatcher/oidc_client_watcher.go +++ b/internal/controller/supervisorconfig/oidcclientwatcher/oidc_client_watcher.go @@ -107,7 +107,7 @@ func (c *oidcClientWatcherController) Sync(ctx controllerlib.Context) error { secret = nil } - _, conditions, clientSecrets := oidcclientvalidator.Validate(oidcClient, secret) + _, conditions, clientSecrets := oidcclientvalidator.Validate(oidcClient, secret, oidcclientvalidator.DefaultMinBcryptCost) if err := c.updateStatus(ctx.Context, oidcClient, conditions, len(clientSecrets)); err != nil { return fmt.Errorf("cannot update OIDCClient '%s/%s': %w", oidcClient.Namespace, oidcClient.Name, err) 
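Review bot: The Validate call in Sync now passes `oidcclientvalidator.DefaultMinBcryptCost` as a bare argument, and the same constant is passed independently to `NewNullStorage`/`NewKubeStorage` in manager.go elsewhere in this patch, so the agreement between the watcher's Ready/InvalidClientSecrets status and what the token endpoint actually accepts holds only by convention; if one call site ever diverges, an OIDCClient could show Ready while its secrets are rejected at /token, or the reverse. A one-line comment here would make the coupling explicit: `// Must match the minimum cost the Supervisor's fosite storage uses for client auth (manager.go), so Ready status reflects what the token endpoint will accept.` The enclosing Sync method starts and ends outside this hunk.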
diff --git a/internal/controller/supervisorconfig/oidcclientwatcher/oidc_client_watcher_test.go b/internal/controller/supervisorconfig/oidcclientwatcher/oidc_client_watcher_test.go index b1d147fe..05ea4fd8 100644 --- a/internal/controller/supervisorconfig/oidcclientwatcher/oidc_client_watcher_test.go +++ b/internal/controller/supervisorconfig/oidcclientwatcher/oidc_client_watcher_test.go @@ -164,15 +164,6 @@ func TestOIDCClientWatcherControllerSync(t *testing.T) { testName = "client.oauth.pinniped.dev-test-name" testNamespace = "test-namespace" testUID = "test-uid-123" - - //nolint:gosec // this is not a credential - testBcryptSecret1 = "$2y$15$Kh7cRj0ScSD5QelE3ZNSl.nF04JDv7zb3SgGN.tSfLIX.4kt3UX7m" // bcrypt of "password1" at cost 15 - //nolint:gosec // this is not a credential - testBcryptSecret2 = "$2y$15$Kh7cRj0ScSD5QelE3ZNSl.nF04JDv7zb3SgGN.tSfLIX.4kt3UX7m" // bcrypt of "password2" at cost 15 - //nolint:gosec // this is not a credential - testInvalidBcryptSecretCostTooLow = "$2y$14$njwk1cItiRy6cb6u9aiJLuhtJG83zM9111t.xU6MxvnqqYbkXxzwy" // bcrypt of "password1" at cost 14 - //nolint:gosec // this is not a credential - testInvalidBcryptSecretInvalidFormat = "$2y$14$njwk1cItiRy6cb6u9aiJLuhtJG83zM9111t.xU6MxvnqqYbkXxz" // not enough characters in hash value ) now := metav1.NewTime(time.Now().UTC()) @@ -291,7 +282,7 @@ func TestOIDCClientWatcherControllerSync(t *testing.T) { }, }, }, - inputSecrets: []runtime.Object{testutil.OIDCClientSecretStorageSecretForUID(t, testNamespace, testUID, []string{testBcryptSecret1})}, + inputSecrets: []runtime.Object{testutil.OIDCClientSecretStorageSecretForUID(t, testNamespace, testUID, []string{testutil.HashedPassword1AtSupervisorMinCost})}, wantAPIActions: 1, // one update wantResultingOIDCClients: []configv1alpha1.OIDCClient{ { 
@@ -320,7 +311,7 @@ func TestOIDCClientWatcherControllerSync(t *testing.T) { AllowedScopes: []configv1alpha1.Scope{"openid"}, }, }}, - inputSecrets: []runtime.Object{testutil.OIDCClientSecretStorageSecretForUID(t, testNamespace, testUID, []string{testBcryptSecret1, testBcryptSecret2})}, + inputSecrets: []runtime.Object{testutil.OIDCClientSecretStorageSecretForUID(t, testNamespace, testUID, []string{testutil.HashedPassword1AtSupervisorMinCost, testutil.HashedPassword2AtSupervisorMinCost})}, wantAPIActions: 1, // one update wantResultingOIDCClients: []configv1alpha1.OIDCClient{{ ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234, UID: testUID}, @@ -353,7 +344,7 @@ func TestOIDCClientWatcherControllerSync(t *testing.T) { TotalClientSecrets: 1, }, }}, - inputSecrets: []runtime.Object{testutil.OIDCClientSecretStorageSecretForUID(t, testNamespace, testUID, []string{testBcryptSecret1})}, + inputSecrets: []runtime.Object{testutil.OIDCClientSecretStorageSecretForUID(t, testNamespace, testUID, []string{testutil.HashedPassword1AtSupervisorMinCost})}, wantAPIActions: 0, // no updates wantResultingOIDCClients: []configv1alpha1.OIDCClient{{ ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234, UID: testUID}, @@ -445,7 +436,7 @@ func TestOIDCClientWatcherControllerSync(t *testing.T) { }}, inputSecrets: []runtime.Object{ testutil.OIDCClientSecretStorageSecretForUID(t, testNamespace, testUID, - []string{testBcryptSecret1, testInvalidBcryptSecretCostTooLow, testInvalidBcryptSecretInvalidFormat}), + []string{testutil.HashedPassword1AtSupervisorMinCost, testutil.HashedPassword1JustBelowSupervisorMinCost, testutil.HashedPassword1InvalidFormat}), }, wantAPIActions: 1, // one update wantResultingOIDCClients: []configv1alpha1.OIDCClient{{ 
@@ -457,7 +448,7 @@ func TestOIDCClientWatcherControllerSync(t *testing.T) { happyAllowedScopesCondition(now, 1234), sadInvalidClientSecretsCondition(now, 1234, "3 stored client secrets found, but some were invalid, so none will be used: "+ - "hashed client secret at index 1: bcrypt cost 14 is below the required minimum of 15; "+ + "hashed client secret at index 1: bcrypt cost 11 is below the required minimum of 12; "+ "hashed client secret at index 2: crypto/bcrypt: hashedSecret too short to be a bcrypted password"), }, TotalClientSecrets: 0, @@ -479,7 +470,7 @@ func TestOIDCClientWatcherControllerSync(t *testing.T) { Spec: configv1alpha1.OIDCClientSpec{}, }, }, - inputSecrets: []runtime.Object{testutil.OIDCClientSecretStorageSecretForUID(t, testNamespace, "uid1", []string{testBcryptSecret1})}, + inputSecrets: []runtime.Object{testutil.OIDCClientSecretStorageSecretForUID(t, testNamespace, "uid1", []string{testutil.HashedPassword1AtSupervisorMinCost})}, wantAPIActions: 2, // one update for each OIDCClient wantResultingOIDCClients: []configv1alpha1.OIDCClient{ { @@ -527,7 +518,7 @@ func TestOIDCClientWatcherControllerSync(t *testing.T) { TotalClientSecrets: 1, }, }}, - inputSecrets: []runtime.Object{testutil.OIDCClientSecretStorageSecretForUID(t, testNamespace, testUID, []string{testBcryptSecret1})}, + inputSecrets: []runtime.Object{testutil.OIDCClientSecretStorageSecretForUID(t, testNamespace, testUID, []string{testutil.HashedPassword1AtSupervisorMinCost})}, wantAPIActions: 1, // one update wantResultingOIDCClients: []configv1alpha1.OIDCClient{{ ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 4567, UID: testUID}, 
@@ -553,7 +544,7 @@ func TestOIDCClientWatcherControllerSync(t *testing.T) { }, }}, wantAPIActions: 1, // one update - inputSecrets: []runtime.Object{testutil.OIDCClientSecretStorageSecretForUID(t, testNamespace, testUID, []string{testBcryptSecret1})}, + inputSecrets: []runtime.Object{testutil.OIDCClientSecretStorageSecretForUID(t, testNamespace, testUID, []string{testutil.HashedPassword1AtSupervisorMinCost})}, wantResultingOIDCClients: []configv1alpha1.OIDCClient{{ ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234, UID: testUID}, Status: configv1alpha1.OIDCClientStatus{ @@ -577,7 +568,7 @@ func TestOIDCClientWatcherControllerSync(t *testing.T) { }, }}, wantAPIActions: 1, // one update - inputSecrets: []runtime.Object{testutil.OIDCClientSecretStorageSecretForUID(t, testNamespace, testUID, []string{testBcryptSecret1})}, + inputSecrets: []runtime.Object{testutil.OIDCClientSecretStorageSecretForUID(t, testNamespace, testUID, []string{testutil.HashedPassword1AtSupervisorMinCost})}, wantResultingOIDCClients: []configv1alpha1.OIDCClient{{ ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234, UID: testUID}, Status: configv1alpha1.OIDCClientStatus{ @@ -606,7 +597,7 @@ func TestOIDCClientWatcherControllerSync(t *testing.T) { }, }}, wantAPIActions: 1, // one update - inputSecrets: []runtime.Object{testutil.OIDCClientSecretStorageSecretForUID(t, testNamespace, testUID, []string{testBcryptSecret1})}, + inputSecrets: []runtime.Object{testutil.OIDCClientSecretStorageSecretForUID(t, testNamespace, testUID, []string{testutil.HashedPassword1AtSupervisorMinCost})}, wantResultingOIDCClients: []configv1alpha1.OIDCClient{{ ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234, UID: testUID}, Status: configv1alpha1.OIDCClientStatus{ 
@@ -633,7 +624,7 @@ func TestOIDCClientWatcherControllerSync(t *testing.T) { AllowedScopes: []configv1alpha1.Scope{"openid", "pinniped:request-audience", "username", "groups"}, }, }}, - inputSecrets: []runtime.Object{testutil.OIDCClientSecretStorageSecretForUID(t, testNamespace, testUID, []string{testBcryptSecret1})}, + inputSecrets: []runtime.Object{testutil.OIDCClientSecretStorageSecretForUID(t, testNamespace, testUID, []string{testutil.HashedPassword1AtSupervisorMinCost})}, wantAPIActions: 1, // one update wantResultingOIDCClients: []configv1alpha1.OIDCClient{{ ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234, UID: testUID}, @@ -657,7 +648,7 @@ func TestOIDCClientWatcherControllerSync(t *testing.T) { AllowedScopes: []configv1alpha1.Scope{"openid"}, }, }}, - inputSecrets: []runtime.Object{testutil.OIDCClientSecretStorageSecretForUID(t, testNamespace, testUID, []string{testBcryptSecret1})}, + inputSecrets: []runtime.Object{testutil.OIDCClientSecretStorageSecretForUID(t, testNamespace, testUID, []string{testutil.HashedPassword1AtSupervisorMinCost})}, wantAPIActions: 1, // one update wantResultingOIDCClients: []configv1alpha1.OIDCClient{{ ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234, UID: testUID}, @@ -681,7 +672,7 @@ func TestOIDCClientWatcherControllerSync(t *testing.T) { AllowedScopes: []configv1alpha1.Scope{"openid", "pinniped:request-audience"}, }, }}, - inputSecrets: []runtime.Object{testutil.OIDCClientSecretStorageSecretForUID(t, testNamespace, testUID, []string{testBcryptSecret1})}, + inputSecrets: []runtime.Object{testutil.OIDCClientSecretStorageSecretForUID(t, testNamespace, testUID, []string{testutil.HashedPassword1AtSupervisorMinCost})}, wantAPIActions: 1, // one update wantResultingOIDCClients: []configv1alpha1.OIDCClient{{ ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234, UID: testUID}, 
@@ -705,7 +696,7 @@ func TestOIDCClientWatcherControllerSync(t *testing.T) { AllowedScopes: []configv1alpha1.Scope{"openid", "pinniped:request-audience", "groups"}, }, }}, - inputSecrets: []runtime.Object{testutil.OIDCClientSecretStorageSecretForUID(t, testNamespace, testUID, []string{testBcryptSecret1})}, + inputSecrets: []runtime.Object{testutil.OIDCClientSecretStorageSecretForUID(t, testNamespace, testUID, []string{testutil.HashedPassword1AtSupervisorMinCost})}, wantAPIActions: 1, // one update wantResultingOIDCClients: []configv1alpha1.OIDCClient{{ ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234, UID: testUID}, @@ -729,7 +720,7 @@ func TestOIDCClientWatcherControllerSync(t *testing.T) { AllowedScopes: []configv1alpha1.Scope{"openid", "pinniped:request-audience", "username"}, }, }}, - inputSecrets: []runtime.Object{testutil.OIDCClientSecretStorageSecretForUID(t, testNamespace, testUID, []string{testBcryptSecret1})}, + inputSecrets: []runtime.Object{testutil.OIDCClientSecretStorageSecretForUID(t, testNamespace, testUID, []string{testutil.HashedPassword1AtSupervisorMinCost})}, wantAPIActions: 1, // one update wantResultingOIDCClients: []configv1alpha1.OIDCClient{{ ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234, UID: testUID}, @@ -753,7 +744,7 @@ func TestOIDCClientWatcherControllerSync(t *testing.T) { AllowedScopes: []configv1alpha1.Scope{"openid"}, }, }}, - inputSecrets: []runtime.Object{testutil.OIDCClientSecretStorageSecretForUID(t, testNamespace, testUID, []string{testBcryptSecret1})}, + inputSecrets: []runtime.Object{testutil.OIDCClientSecretStorageSecretForUID(t, testNamespace, testUID, []string{testutil.HashedPassword1AtSupervisorMinCost})}, wantAPIActions: 1, // one update wantResultingOIDCClients: []configv1alpha1.OIDCClient{{ ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234, UID: testUID}, 
@@ -777,7 +768,7 @@ func TestOIDCClientWatcherControllerSync(t *testing.T) { AllowedScopes: []configv1alpha1.Scope{"openid", "offline_access", "pinniped:request-audience", "username", "groups"}, }, }}, - inputSecrets: []runtime.Object{testutil.OIDCClientSecretStorageSecretForUID(t, testNamespace, testUID, []string{testBcryptSecret1})}, + inputSecrets: []runtime.Object{testutil.OIDCClientSecretStorageSecretForUID(t, testNamespace, testUID, []string{testutil.HashedPassword1AtSupervisorMinCost})}, wantAPIActions: 1, // one update wantResultingOIDCClients: []configv1alpha1.OIDCClient{{ ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234, UID: testUID}, @@ -801,7 +792,7 @@ func TestOIDCClientWatcherControllerSync(t *testing.T) { AllowedScopes: []configv1alpha1.Scope{"openid", "offline_access"}, }, }}, - inputSecrets: []runtime.Object{testutil.OIDCClientSecretStorageSecretForUID(t, testNamespace, testUID, []string{testBcryptSecret1})}, + inputSecrets: []runtime.Object{testutil.OIDCClientSecretStorageSecretForUID(t, testNamespace, testUID, []string{testutil.HashedPassword1AtSupervisorMinCost})}, wantAPIActions: 1, // one update wantResultingOIDCClients: []configv1alpha1.OIDCClient{{ ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234, UID: testUID}, @@ -825,7 +816,7 @@ func TestOIDCClientWatcherControllerSync(t *testing.T) { AllowedScopes: []configv1alpha1.Scope{"openid", "offline_access", "username"}, }, }}, - inputSecrets: []runtime.Object{testutil.OIDCClientSecretStorageSecretForUID(t, testNamespace, testUID, []string{testBcryptSecret1})}, + inputSecrets: []runtime.Object{testutil.OIDCClientSecretStorageSecretForUID(t, testNamespace, testUID, []string{testutil.HashedPassword1AtSupervisorMinCost})}, wantAPIActions: 1, // one update wantResultingOIDCClients: []configv1alpha1.OIDCClient{{ ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234, UID: testUID}, 
@@ -849,7 +840,7 @@ func TestOIDCClientWatcherControllerSync(t *testing.T) { AllowedScopes: []configv1alpha1.Scope{"openid", "offline_access", "groups"}, }, }}, - inputSecrets: []runtime.Object{testutil.OIDCClientSecretStorageSecretForUID(t, testNamespace, testUID, []string{testBcryptSecret1})}, + inputSecrets: []runtime.Object{testutil.OIDCClientSecretStorageSecretForUID(t, testNamespace, testUID, []string{testutil.HashedPassword1AtSupervisorMinCost})}, wantAPIActions: 1, // one update wantResultingOIDCClients: []configv1alpha1.OIDCClient{{ ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234, UID: testUID}, @@ -873,7 +864,7 @@ func TestOIDCClientWatcherControllerSync(t *testing.T) { AllowedScopes: []configv1alpha1.Scope{"openid", "offline_access", "username", "groups"}, }, }}, - inputSecrets: []runtime.Object{testutil.OIDCClientSecretStorageSecretForUID(t, testNamespace, testUID, []string{testBcryptSecret1})}, + inputSecrets: []runtime.Object{testutil.OIDCClientSecretStorageSecretForUID(t, testNamespace, testUID, []string{testutil.HashedPassword1AtSupervisorMinCost})}, wantAPIActions: 1, // one update wantResultingOIDCClients: []configv1alpha1.OIDCClient{{ ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234, UID: testUID}, @@ -897,7 +888,7 @@ func TestOIDCClientWatcherControllerSync(t *testing.T) { AllowedScopes: []configv1alpha1.Scope{"openid", "username"}, }, }}, - inputSecrets: []runtime.Object{testutil.OIDCClientSecretStorageSecretForUID(t, testNamespace, testUID, []string{testBcryptSecret1})}, + inputSecrets: []runtime.Object{testutil.OIDCClientSecretStorageSecretForUID(t, testNamespace, testUID, []string{testutil.HashedPassword1AtSupervisorMinCost})}, wantAPIActions: 1, // one update wantResultingOIDCClients: []configv1alpha1.OIDCClient{{ ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234, UID: testUID}, 
@@ -921,7 +912,7 @@ func TestOIDCClientWatcherControllerSync(t *testing.T) { AllowedScopes: []configv1alpha1.Scope{"openid", "username"}, }, }}, - inputSecrets: []runtime.Object{testutil.OIDCClientSecretStorageSecretForUID(t, testNamespace, testUID, []string{testBcryptSecret1})}, + inputSecrets: []runtime.Object{testutil.OIDCClientSecretStorageSecretForUID(t, testNamespace, testUID, []string{testutil.HashedPassword1AtSupervisorMinCost})}, wantAPIActions: 1, // one update wantResultingOIDCClients: []configv1alpha1.OIDCClient{{ ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234, UID: testUID}, @@ -945,7 +936,7 @@ func TestOIDCClientWatcherControllerSync(t *testing.T) { AllowedScopes: []configv1alpha1.Scope{"openid", "username", "groups"}, }, }}, - inputSecrets: []runtime.Object{testutil.OIDCClientSecretStorageSecretForUID(t, testNamespace, testUID, []string{testBcryptSecret1})}, + inputSecrets: []runtime.Object{testutil.OIDCClientSecretStorageSecretForUID(t, testNamespace, testUID, []string{testutil.HashedPassword1AtSupervisorMinCost})}, wantAPIActions: 1, // one update wantResultingOIDCClients: []configv1alpha1.OIDCClient{{ ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234, UID: testUID}, diff --git a/internal/oidc/auth/auth_handler_test.go b/internal/oidc/auth/auth_handler_test.go index 2cc98471..768ab10f 100644 --- a/internal/oidc/auth/auth_handler_test.go +++ b/internal/oidc/auth/auth_handler_test.go @@ -19,6 +19,7 @@ import ( "github.com/gorilla/securecookie" "github.com/ory/fosite" "github.com/stretchr/testify/require" + "golang.org/x/crypto/bcrypt" "golang.org/x/oauth2" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apiserver/pkg/authentication/user" 
@@ -27,7 +28,6 @@ import ( kubetesting "k8s.io/client-go/testing" "k8s.io/utils/pointer" - configv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/config/v1alpha1" supervisorfake "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned/fake" "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned/typed/config/v1alpha1" "go.pinniped.dev/internal/authenticators" @@ -79,8 +79,6 @@ func TestAuthorizationEndpoint(t *testing.T) { pinnipedCLIClientID = "pinniped-cli" dynamicClientID = "client.oauth.pinniped.dev-test-name" dynamicClientUID = "fake-client-uid" - //nolint:gosec // this is not a credential - dynamicClientHashedSecret = "$2y$15$Kh7cRj0ScSD5QelE3ZNSl.nF04JDv7zb3SgGN.tSfLIX.4kt3UX7m" // bcrypt of "password1" at cost 15 ) require.Len(t, happyState, 8, "we expect fosite to allow 8 byte state params, so we want to test that boundary case") 
@@ -237,13 +235,15 @@ func TestAuthorizationEndpoint(t *testing.T) { createOauthHelperWithRealStorage := func(secretsClient v1.SecretInterface, oidcClientsClient v1alpha1.OIDCClientInterface) (fosite.OAuth2Provider, *oidc.KubeStorage) { // Configure fosite the same way that the production code would when using Kube storage. // Inject this into our test subject at the last second so we get a fresh storage for every test. - kubeOauthStore := oidc.NewKubeStorage(secretsClient, oidcClientsClient, timeoutsConfiguration) + // Use lower minimum required bcrypt cost than we would use in production to keep unit the tests fast. + kubeOauthStore := oidc.NewKubeStorage(secretsClient, oidcClientsClient, timeoutsConfiguration, bcrypt.MinCost) return oidc.FositeOauth2Helper(kubeOauthStore, downstreamIssuer, hmacSecretFunc, jwksProviderIsUnused, timeoutsConfiguration), kubeOauthStore } createOauthHelperWithNullStorage := func(secretsClient v1.SecretInterface, oidcClientsClient v1alpha1.OIDCClientInterface) (fosite.OAuth2Provider, *oidc.NullStorage) { // Configure fosite the same way that the production code would, using NullStorage to turn off storage. - nullOauthStore := oidc.NewNullStorage(secretsClient, oidcClientsClient) + // Use lower minimum required bcrypt cost than we would use in production to keep unit the tests fast. + nullOauthStore := oidc.NewNullStorage(secretsClient, oidcClientsClient, bcrypt.MinCost) return oidc.FositeOauth2Helper(nullOauthStore, downstreamIssuer, hmacSecretFunc, jwksProviderIsUnused, timeoutsConfiguration), nullOauthStore } 
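Review bot: Both new comments read `keep unit the tests fast`; should be `keep the unit tests fast`. They should also say what is given up by passing `bcrypt.MinCost`: with the minimum cost lowered this far, none of the authorization-endpoint tests can observe the storage layer rejecting an under-cost hash, so that check is presumably covered only by the oidcclientwatcher tests (which pin "cost 11 is below the required minimum of 12" elsewhere in this patch) — worth confirming that at least one test also drives it through real storage. Suggested wording: `// Use bcrypt.MinCost rather than production's DefaultMinBcryptCost so the pre-computed test hashes verify quickly; minimum-cost enforcement itself is exercised by the validator tests, not here.` Both helpers are closures inside TestAuthorizationEndpoint, which starts and ends outside the hunk.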
@@ -511,24 +511,11 @@ func TestAuthorizationEndpoint(t *testing.T) { }, } - fullyCapableDynamicClient := &configv1alpha1.OIDCClient{ - ObjectMeta: metav1.ObjectMeta{Namespace: "some-namespace", Name: dynamicClientID, Generation: 1, UID: dynamicClientUID}, - Spec: configv1alpha1.OIDCClientSpec{ - AllowedGrantTypes: []configv1alpha1.GrantType{"authorization_code", "urn:ietf:params:oauth:grant-type:token-exchange", "refresh_token"}, - AllowedScopes: []configv1alpha1.Scope{"openid", "offline_access", "pinniped:request-audience", "username", "groups"}, - AllowedRedirectURIs: []configv1alpha1.RedirectURI{downstreamRedirectURI}, - }, - } - - allDynamicClientScopes := "openid offline_access pinniped:request-audience username groups" - - storageSecretWithOneClientSecretForDynamicClient := testutil.OIDCClientSecretStorageSecretForUID(t, - "some-namespace", dynamicClientUID, []string{dynamicClientHashedSecret}, - ) - addFullyCapableDynamicClientAndSecretToKubeResources := func(t *testing.T, supervisorClient *supervisorfake.Clientset, kubeClient *fake.Clientset) { - require.NoError(t, supervisorClient.Tracker().Add(fullyCapableDynamicClient)) - require.NoError(t, kubeClient.Tracker().Add(storageSecretWithOneClientSecretForDynamicClient)) + oidcClient, secret := testutil.FullyCapableOIDCClientAndStorageSecret(t, + "some-namespace", dynamicClientID, dynamicClientUID, downstreamRedirectURI, []string{testutil.HashedPassword1AtGoMinCost}) + require.NoError(t, supervisorClient.Tracker().Add(oidcClient)) + require.NoError(t, kubeClient.Tracker().Add(secret)) } // Note that fosite puts the granted scopes as a param in the redirect URI even though the spec doesn't seem to require it 
@@ -611,11 +598,11 @@ func TestAuthorizationEndpoint(t *testing.T) { stateEncoder: happyStateEncoder, cookieEncoder: happyCookieEncoder, method: http.MethodGet, - path: modifiedHappyGetRequestPath(map[string]string{"client_id": dynamicClientID, "scope": allDynamicClientScopes}), + path: modifiedHappyGetRequestPath(map[string]string{"client_id": dynamicClientID, "scope": testutil.AllDynamicClientScopesSpaceSep}), wantStatus: http.StatusSeeOther, wantContentType: htmlContentType, wantCSRFValueInCookieHeader: happyCSRF, - wantLocationHeader: expectedRedirectLocationForUpstreamOIDC(expectedUpstreamStateParam(map[string]string{"client_id": dynamicClientID, "scope": allDynamicClientScopes}, "", oidcUpstreamName, "oidc"), nil), + wantLocationHeader: expectedRedirectLocationForUpstreamOIDC(expectedUpstreamStateParam(map[string]string{"client_id": dynamicClientID, "scope": testutil.AllDynamicClientScopesSpaceSep}, "", oidcUpstreamName, "oidc"), nil), wantUpstreamStateParamInLocationHeader: true, wantBodyStringWithLocationInHref: true, }, 
@@ -646,11 +633,11 @@ func TestAuthorizationEndpoint(t *testing.T) { stateEncoder: happyStateEncoder, cookieEncoder: happyCookieEncoder, method: http.MethodGet, - path: modifiedHappyGetRequestPath(map[string]string{"client_id": dynamicClientID, "scope": allDynamicClientScopes}), + path: modifiedHappyGetRequestPath(map[string]string{"client_id": dynamicClientID, "scope": testutil.AllDynamicClientScopesSpaceSep}), wantStatus: http.StatusSeeOther, wantContentType: htmlContentType, wantCSRFValueInCookieHeader: happyCSRF, - wantLocationHeader: urlWithQuery(downstreamIssuer+"/login", map[string]string{"state": expectedUpstreamStateParam(map[string]string{"client_id": dynamicClientID, "scope": allDynamicClientScopes}, "", ldapUpstreamName, "ldap")}), + wantLocationHeader: urlWithQuery(downstreamIssuer+"/login", map[string]string{"state": expectedUpstreamStateParam(map[string]string{"client_id": dynamicClientID, "scope": testutil.AllDynamicClientScopesSpaceSep}, "", ldapUpstreamName, "ldap")}), wantUpstreamStateParamInLocationHeader: true, wantBodyStringWithLocationInHref: true, }, 
@@ -681,11 +668,11 @@ func TestAuthorizationEndpoint(t *testing.T) { stateEncoder: happyStateEncoder, cookieEncoder: happyCookieEncoder, method: http.MethodGet, - path: modifiedHappyGetRequestPath(map[string]string{"client_id": dynamicClientID, "scope": allDynamicClientScopes}), + path: modifiedHappyGetRequestPath(map[string]string{"client_id": dynamicClientID, "scope": testutil.AllDynamicClientScopesSpaceSep}), wantStatus: http.StatusSeeOther, wantContentType: htmlContentType, wantCSRFValueInCookieHeader: happyCSRF, - wantLocationHeader: urlWithQuery(downstreamIssuer+"/login", map[string]string{"state": expectedUpstreamStateParam(map[string]string{"client_id": dynamicClientID, "scope": allDynamicClientScopes}, "", activeDirectoryUpstreamName, "activedirectory")}), + wantLocationHeader: urlWithQuery(downstreamIssuer+"/login", map[string]string{"state": expectedUpstreamStateParam(map[string]string{"client_id": dynamicClientID, "scope": testutil.AllDynamicClientScopesSpaceSep}, "", activeDirectoryUpstreamName, "activedirectory")}), wantUpstreamStateParamInLocationHeader: true, wantBodyStringWithLocationInHref: true, }, 
@@ -835,12 +822,12 @@ func TestAuthorizationEndpoint(t *testing.T) { method: http.MethodPost, path: "/some/path", contentType: formContentType, - body: encodeQuery(modifiedHappyGetRequestQueryMap(map[string]string{"client_id": dynamicClientID, "scope": allDynamicClientScopes})), + body: encodeQuery(modifiedHappyGetRequestQueryMap(map[string]string{"client_id": dynamicClientID, "scope": testutil.AllDynamicClientScopesSpaceSep})), wantStatus: http.StatusSeeOther, wantContentType: "", wantBodyString: "", wantCSRFValueInCookieHeader: happyCSRF, - wantLocationHeader: expectedRedirectLocationForUpstreamOIDC(expectedUpstreamStateParam(map[string]string{"client_id": dynamicClientID, "scope": allDynamicClientScopes}, "", oidcUpstreamName, "oidc"), nil), + wantLocationHeader: expectedRedirectLocationForUpstreamOIDC(expectedUpstreamStateParam(map[string]string{"client_id": dynamicClientID, "scope": testutil.AllDynamicClientScopesSpaceSep}, "", oidcUpstreamName, "oidc"), nil), wantUpstreamStateParamInLocationHeader: true, }, { 
@@ -874,12 +861,12 @@ func TestAuthorizationEndpoint(t *testing.T) { method: http.MethodPost, path: "/some/path", contentType: formContentType, - body: encodeQuery(modifiedHappyGetRequestQueryMap(map[string]string{"client_id": dynamicClientID, "scope": allDynamicClientScopes})), + body: encodeQuery(modifiedHappyGetRequestQueryMap(map[string]string{"client_id": dynamicClientID, "scope": testutil.AllDynamicClientScopesSpaceSep})), wantStatus: http.StatusSeeOther, wantContentType: "", wantBodyString: "", wantCSRFValueInCookieHeader: happyCSRF, - wantLocationHeader: urlWithQuery(downstreamIssuer+"/login", map[string]string{"state": expectedUpstreamStateParam(map[string]string{"client_id": dynamicClientID, "scope": allDynamicClientScopes}, "", ldapUpstreamName, "ldap")}), + wantLocationHeader: urlWithQuery(downstreamIssuer+"/login", map[string]string{"state": expectedUpstreamStateParam(map[string]string{"client_id": dynamicClientID, "scope": testutil.AllDynamicClientScopesSpaceSep}, "", ldapUpstreamName, "ldap")}), wantUpstreamStateParamInLocationHeader: true, }, { 
@@ -913,12 +900,12 @@ func TestAuthorizationEndpoint(t *testing.T) { method: http.MethodPost, path: "/some/path", contentType: formContentType, - body: encodeQuery(modifiedHappyGetRequestQueryMap(map[string]string{"client_id": dynamicClientID, "scope": allDynamicClientScopes})), + body: encodeQuery(modifiedHappyGetRequestQueryMap(map[string]string{"client_id": dynamicClientID, "scope": testutil.AllDynamicClientScopesSpaceSep})), wantStatus: http.StatusSeeOther, wantContentType: "", wantBodyString: "", wantCSRFValueInCookieHeader: happyCSRF, - wantLocationHeader: urlWithQuery(downstreamIssuer+"/login", map[string]string{"state": expectedUpstreamStateParam(map[string]string{"client_id": dynamicClientID, "scope": allDynamicClientScopes}, "", activeDirectoryUpstreamName, "activedirectory")}), + wantLocationHeader: urlWithQuery(downstreamIssuer+"/login", map[string]string{"state": expectedUpstreamStateParam(map[string]string{"client_id": dynamicClientID, "scope": testutil.AllDynamicClientScopesSpaceSep}, "", activeDirectoryUpstreamName, "activedirectory")}), wantUpstreamStateParamInLocationHeader: true, }, { @@ -1111,7 +1098,7 @@ func TestAuthorizationEndpoint(t *testing.T) { path: modifiedHappyGetRequestPath(map[string]string{ "redirect_uri": downstreamRedirectURIWithDifferentPort, // not the same port number that is registered for the client "client_id": dynamicClientID, - "scope": allDynamicClientScopes, + "scope": testutil.AllDynamicClientScopesSpaceSep, }), wantStatus: http.StatusSeeOther, wantContentType: htmlContentType, 
@@ -1119,7 +1106,7 @@ func TestAuthorizationEndpoint(t *testing.T) { wantLocationHeader: expectedRedirectLocationForUpstreamOIDC(expectedUpstreamStateParam(map[string]string{ "redirect_uri": downstreamRedirectURIWithDifferentPort, // not the same port number that is registered for the client "client_id": dynamicClientID, - "scope": allDynamicClientScopes, + "scope": testutil.AllDynamicClientScopesSpaceSep, }, "", oidcUpstreamName, "oidc"), nil), wantUpstreamStateParamInLocationHeader: true, wantBodyStringWithLocationInHref: true, @@ -1526,7 +1513,7 @@ func TestAuthorizationEndpoint(t *testing.T) { idps: oidctestutil.NewUpstreamIDPListerBuilder().WithOIDC(passwordGrantUpstreamOIDCIdentityProviderBuilder().Build()), kubeResources: addFullyCapableDynamicClientAndSecretToKubeResources, method: http.MethodGet, - path: modifiedHappyGetRequestPath(map[string]string{"client_id": dynamicClientID, "scope": allDynamicClientScopes}), + path: modifiedHappyGetRequestPath(map[string]string{"client_id": dynamicClientID, "scope": testutil.AllDynamicClientScopesSpaceSep}), customUsernameHeader: pointer.StringPtr(oidcUpstreamUsername), customPasswordHeader: pointer.StringPtr(oidcUpstreamPassword), wantStatus: http.StatusFound, @@ -1539,7 +1526,7 @@ func TestAuthorizationEndpoint(t *testing.T) { idps: oidctestutil.NewUpstreamIDPListerBuilder().WithLDAP(&upstreamLDAPIdentityProvider), kubeResources: addFullyCapableDynamicClientAndSecretToKubeResources, method: http.MethodGet, - path: modifiedHappyGetRequestPath(map[string]string{"client_id": dynamicClientID, "scope": allDynamicClientScopes}), + path: modifiedHappyGetRequestPath(map[string]string{"client_id": dynamicClientID, "scope": testutil.AllDynamicClientScopesSpaceSep}), customUsernameHeader: pointer.StringPtr(happyLDAPUsername), customPasswordHeader: pointer.StringPtr(happyLDAPPassword), wantStatus: http.StatusFound, 
@@ -1552,7 +1539,7 @@ func TestAuthorizationEndpoint(t *testing.T) { idps: oidctestutil.NewUpstreamIDPListerBuilder().WithActiveDirectory(&upstreamActiveDirectoryIdentityProvider), kubeResources: addFullyCapableDynamicClientAndSecretToKubeResources, method: http.MethodGet, - path: modifiedHappyGetRequestPath(map[string]string{"client_id": dynamicClientID, "scope": allDynamicClientScopes}), + path: modifiedHappyGetRequestPath(map[string]string{"client_id": dynamicClientID, "scope": testutil.AllDynamicClientScopesSpaceSep}), customUsernameHeader: pointer.StringPtr(happyLDAPUsername), customPasswordHeader: pointer.StringPtr(happyLDAPPassword), wantStatus: http.StatusFound, @@ -1589,7 +1576,7 @@ func TestAuthorizationEndpoint(t *testing.T) { path: modifiedHappyGetRequestPath(map[string]string{ "redirect_uri": "http://127.0.0.1/does-not-match-what-is-configured-for-dynamic-client", "client_id": dynamicClientID, - "scope": allDynamicClientScopes, + "scope": testutil.AllDynamicClientScopesSpaceSep, }), wantStatus: http.StatusBadRequest, wantContentType: jsonContentType, @@ -1705,7 +1692,7 @@ func TestAuthorizationEndpoint(t *testing.T) { path: modifiedHappyGetRequestPath(map[string]string{ "response_type": "unsupported", "client_id": dynamicClientID, - "scope": allDynamicClientScopes, + "scope": testutil.AllDynamicClientScopesSpaceSep, }), wantStatus: http.StatusSeeOther, wantContentType: jsonContentType, @@ -1754,7 +1741,7 @@ func TestAuthorizationEndpoint(t *testing.T) { path: modifiedHappyGetRequestPath(map[string]string{ "response_type": "unsupported", "client_id": dynamicClientID, - "scope": allDynamicClientScopes, + "scope": testutil.AllDynamicClientScopesSpaceSep, }), wantStatus: http.StatusSeeOther, wantContentType: jsonContentType, 
@@ -1791,7 +1778,7 @@ func TestAuthorizationEndpoint(t *testing.T) { path: modifiedHappyGetRequestPath(map[string]string{ "response_type": "unsupported", "client_id": dynamicClientID, - "scope": allDynamicClientScopes, + "scope": testutil.AllDynamicClientScopesSpaceSep, }), wantStatus: http.StatusSeeOther, wantContentType: jsonContentType, @@ -1865,7 +1852,7 @@ func TestAuthorizationEndpoint(t *testing.T) { stateEncoder: happyStateEncoder, cookieEncoder: happyCookieEncoder, method: http.MethodGet, - path: modifiedHappyGetRequestPath(map[string]string{"response_mode": "form_post", "client_id": dynamicClientID, "scope": allDynamicClientScopes}), + path: modifiedHappyGetRequestPath(map[string]string{"response_mode": "form_post", "client_id": dynamicClientID, "scope": testutil.AllDynamicClientScopesSpaceSep}), wantStatus: http.StatusOK, // this is weird, but fosite uses a form_post response to tell the client that it is not allowed to use form_post responses wantContentType: htmlContentType, wantBodyRegex: ` 0 { diff --git a/internal/oidc/provider/manager/manager.go b/internal/oidc/provider/manager/manager.go index 83a91d07..47d25981 100644 --- a/internal/oidc/provider/manager/manager.go +++ b/internal/oidc/provider/manager/manager.go @@ -20,6 +20,7 @@ import ( "go.pinniped.dev/internal/oidc/idpdiscovery" "go.pinniped.dev/internal/oidc/jwks" "go.pinniped.dev/internal/oidc/login" + "go.pinniped.dev/internal/oidc/oidcclientvalidator" "go.pinniped.dev/internal/oidc/provider" "go.pinniped.dev/internal/oidc/token" "go.pinniped.dev/internal/plog" 
@@ -98,7 +99,7 @@ func (m *Manager) SetProviders(federationDomains ...*provider.FederationDomainIs // Use NullStorage for the authorize endpoint because we do not actually want to store anything until // the upstream callback endpoint is called later. oauthHelperWithNullStorage := oidc.FositeOauth2Helper( - oidc.NewNullStorage(m.secretsClient, m.oidcClientsClient), + oidc.NewNullStorage(m.secretsClient, m.oidcClientsClient, oidcclientvalidator.DefaultMinBcryptCost), issuer, tokenHMACKeyGetter, nil, @@ -107,7 +108,7 @@ func (m *Manager) SetProviders(federationDomains ...*provider.FederationDomainIs // For all the other endpoints, make another oauth helper with exactly the same settings except use real storage. oauthHelperWithKubeStorage := oidc.FositeOauth2Helper( - oidc.NewKubeStorage(m.secretsClient, m.oidcClientsClient, timeoutsConfiguration), + oidc.NewKubeStorage(m.secretsClient, m.oidcClientsClient, timeoutsConfiguration, oidcclientvalidator.DefaultMinBcryptCost), issuer, tokenHMACKeyGetter, m.dynamicJWKSProvider, diff --git a/internal/oidc/token/token_handler_test.go b/internal/oidc/token/token_handler_test.go index 5bdd3688..b22e8ad4 100644 --- a/internal/oidc/token/token_handler_test.go +++ b/internal/oidc/token/token_handler_test.go @@ -29,14 +29,17 @@ import ( "github.com/ory/fosite/token/jwt" "github.com/pkg/errors" "github.com/stretchr/testify/require" + "golang.org/x/crypto/bcrypt" "golang.org/x/oauth2" "gopkg.in/square/go-jose.v2" josejwt "gopkg.in/square/go-jose.v2/jwt" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/labels" + "k8s.io/apimachinery/pkg/types" "k8s.io/client-go/kubernetes/fake" v1 "k8s.io/client-go/kubernetes/typed/core/v1" + configv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/config/v1alpha1" supervisorfake "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned/fake" "go.pinniped.dev/internal/crud" "go.pinniped.dev/internal/fositestorage/accesstoken" 
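Review bot: Both `FositeOauth2Helper` constructions in `SetProviders` pass `oidcclientvalidator.DefaultMinBcryptCost` as independent literal arguments, so nothing ties the authorize-path minimum (NullStorage) to the token-path minimum (KubeStorage); if one call is edited later, an OIDCClient secret hash could be accepted at one endpoint and rejected at the other. Hoist it once above the first call, `minBcryptCost := oidcclientvalidator.DefaultMinBcryptCost`, pass that name to both constructors, and give it a why-comment such as `// Both helpers must apply the same minimum so client validation is consistent across endpoints.` The semantics of the minimum (presumably rejecting stored hashes computed at too low a cost) are not visible here, so the comment should only claim the consistency requirement. `SetProviders` begins and ends outside these two hunks.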
@@ -50,6 +53,7 @@ import ( "go.pinniped.dev/internal/oidc" "go.pinniped.dev/internal/oidc/jwks" "go.pinniped.dev/internal/oidc/provider" + "go.pinniped.dev/internal/oidcclientsecretstorage" "go.pinniped.dev/internal/psession" "go.pinniped.dev/internal/testutil" "go.pinniped.dev/internal/testutil/oidctestutil" @@ -59,20 +63,23 @@ import ( const ( goodIssuer = "https://some-issuer.com" goodUpstreamSubject = "some-subject" - goodClient = "pinniped-cli" goodRedirectURI = "http://127.0.0.1/callback" goodPKCECodeVerifier = "some-pkce-verifier-that-must-be-at-least-43-characters-to-meet-entropy-requirements" goodNonce = "some-nonce-value-with-enough-bytes-to-exceed-min-allowed" goodSubject = "https://issuer?sub=some-subject" goodUsername = "some-username" + pinnipedCLIClientID = "pinniped-cli" + dynamicClientID = "client.oauth.pinniped.dev-test-name" + dynamicClientUID = "fake-client-uid" + hmacSecret = "this needs to be at least 32 characters to meet entropy requirements" authCodeExpirationSeconds = 10 * 60 // Current, we set our auth code expiration to 10 minutes accessTokenExpirationSeconds = 2 * 60 // Currently, we set our access token expiration to 2 minutes idTokenExpirationSeconds = 2 * 60 // Currently, we set our ID token expiration to 2 minutes - timeComparisonFudgeSeconds = 15 + timeComparisonFudge = 15 * time.Second ) var ( 
@@ -156,6 +163,20 @@ var ( } `) + fositeClientIDMismatchDuringAuthcodeExchangeErrorBody = here.Doc(` + { + "error": "invalid_grant", + "error_description": "The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client. The OAuth 2.0 Client ID from this request does not match the one from the authorize request." + } + `) + + fositeClientIDMismatchDuringRefreshErrorBody = here.Doc(` + { + "error": "invalid_grant", + "error_description": "The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client. The OAuth 2.0 Client ID from this request does not match the ID during the initial token issuance." + } + `) + fositeInvalidRedirectURIErrorBody = here.Doc(` { "error": "invalid_grant", 
@@ -198,11 +219,25 @@ var ( } `) + fositeClientAuthFailedErrorBody = here.Doc(` + { + "error": "invalid_client", + "error_description": "Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method)." + } + `) + + fositeClientAuthMustBeBasicAuthErrorBody = here.Doc(` + { + "error": "invalid_client", + "error_description": "Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method). The OAuth 2.0 Client supports client authentication method 'client_secret_basic', but method 'client_secret_post' was requested. You must configure the OAuth 2.0 client's 'token_endpoint_auth_method' value to accept 'client_secret_post'." + } + `) + happyAuthRequest = &http.Request{ Form: url.Values{ "response_type": {"code"}, "scope": {"openid profile email groups"}, - "client_id": {goodClient}, + "client_id": {pinnipedCLIClientID}, "state": {"some-state-value-with-enough-bytes-to-exceed-min-allowed"}, "nonce": {goodNonce}, "code_challenge": {testutil.SHA256(goodPKCECodeVerifier)}, @@ -219,7 +254,7 @@ var ( "subject_token": {subjectToken}, "subject_token_type": {"urn:ietf:params:oauth:token-type:access_token"}, "requested_token_type": {"urn:ietf:params:oauth:token-type:jwt"}, - "client_id": {goodClient}, + "client_id": {pinnipedCLIClientID}, }, } } @@ -239,6 +274,7 @@ type tokenEndpointResponseExpectedValues struct { wantStatus int wantSuccessBodyFields []string wantErrorResponseBody string + wantClientID string wantRequestedScopes []string wantGrantedScopes []string wantGroups []string 
@@ -260,10 +296,32 @@ type authcodeExchangeInputs struct { want tokenEndpointResponseExpectedValues } +func addFullyCapableDynamicClientAndSecretToKubeResources(t *testing.T, supervisorClient *supervisorfake.Clientset, kubeClient *fake.Clientset) { + oidcClient, secret := testutil.FullyCapableOIDCClientAndStorageSecret(t, + "some-namespace", + dynamicClientID, + dynamicClientUID, + goodRedirectURI, + []string{testutil.HashedPassword1AtGoMinCost, testutil.HashedPassword2AtGoMinCost}, + ) + require.NoError(t, supervisorClient.Tracker().Add(oidcClient)) + require.NoError(t, kubeClient.Tracker().Add(secret)) +} + +func modifyAuthcodeTokenRequestWithDynamicClientAuth(r *http.Request, authCode string) { + r.Body = happyAuthcodeRequestBody(authCode).WithClientID("").ReadCloser() // No client_id in body. + r.SetBasicAuth(dynamicClientID, testutil.PlaintextPassword1) // Use basic auth header instead. +} + +func addDynamicClientIDToFormPostBody(r *http.Request) { + r.Form.Set("client_id", dynamicClientID) +} + func TestTokenEndpointAuthcodeExchange(t *testing.T) { tests := []struct { name string authcodeExchange authcodeExchangeInputs + kubeResources func(t *testing.T, supervisorClient *supervisorfake.Clientset, kubeClient *fake.Clientset) }{ // happy path { @@ -272,6 +330,7 @@ func TestTokenEndpointAuthcodeExchange(t *testing.T) { modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid profile email groups") }, want: tokenEndpointResponseExpectedValues{ wantStatus: http.StatusOK, + wantClientID: pinnipedCLIClientID, wantSuccessBodyFields: []string{"id_token", "access_token", "token_type", "scope", "expires_in"}, // no refresh token wantRequestedScopes: []string{"openid", "profile", "email", "groups"}, wantGrantedScopes: []string{"openid", "groups"}, 
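Review bot: The three new package-level helpers (`addFullyCapableDynamicClientAndSecretToKubeResources`, `modifyAuthcodeTokenRequestWithDynamicClientAuth`, `addDynamicClientIDToFormPostBody`) are reused by many table cases across several test functions in this file but carry no doc comments, so a reader of a later case has to scroll back to learn what "fully capable" means. A one-liner on the first would suffice: `// addFullyCapableDynamicClientAndSecretToKubeResources registers the OIDCClient named dynamicClientID in "some-namespace" together with its storage Secret holding two hashed client secrets, so later requests can authenticate as that client with testutil.PlaintextPassword1 or PlaintextPassword2.` It is also worth stating on that helper that the hashes are `testutil.HashedPassword1AtGoMinCost`/`HashedPassword2AtGoMinCost`, i.e. hashed at the Go bcrypt minimum cost, which presumably means the storage built by `exchangeAuthcodeForTokens` (outside this hunk) is constructed with a minimum cost no higher than that; otherwise these cases would fail at client validation instead of exercising the token path.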
@@ -279,25 +338,84 @@ func TestTokenEndpointAuthcodeExchange(t *testing.T) { }, }, }, + { + name: "request is valid and tokens are issued for dynamic client", + kubeResources: addFullyCapableDynamicClientAndSecretToKubeResources, + authcodeExchange: authcodeExchangeInputs{ + modifyAuthRequest: func(r *http.Request) { + addDynamicClientIDToFormPostBody(r) + r.Form.Set("scope", "openid pinniped:request-audience groups") + }, + modifyTokenRequest: modifyAuthcodeTokenRequestWithDynamicClientAuth, + want: tokenEndpointResponseExpectedValues{ + wantStatus: http.StatusOK, + wantClientID: dynamicClientID, + wantSuccessBodyFields: []string{"id_token", "access_token", "token_type", "scope", "expires_in"}, // no refresh token + wantRequestedScopes: []string{"openid", "pinniped:request-audience", "groups"}, + wantGrantedScopes: []string{"openid", "pinniped:request-audience", "groups"}, + wantGroups: goodGroups, + }, + }, + }, { name: "openid scope was not requested from authorize endpoint", authcodeExchange: authcodeExchangeInputs{ modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "profile email") }, want: tokenEndpointResponseExpectedValues{ wantStatus: http.StatusOK, + wantClientID: pinnipedCLIClientID, wantSuccessBodyFields: []string{"access_token", "token_type", "scope", "expires_in"}, // no id or refresh tokens wantRequestedScopes: []string{"profile", "email"}, wantGrantedScopes: []string{}, - wantGroups: goodGroups, + wantGroups: nil, }, }, }, { - name: "offline_access and openid scopes were requested and granted from authorize endpoint", + name: "openid scope was not requested from authorize endpoint for dynamic client", + kubeResources: addFullyCapableDynamicClientAndSecretToKubeResources, + authcodeExchange: authcodeExchangeInputs{ + modifyAuthRequest: func(r *http.Request) { + addDynamicClientIDToFormPostBody(r) + r.Form.Set("scope", "pinniped:request-audience groups") + }, + modifyTokenRequest: modifyAuthcodeTokenRequestWithDynamicClientAuth, + want: 
tokenEndpointResponseExpectedValues{ + wantStatus: http.StatusOK, + wantClientID: dynamicClientID, + wantSuccessBodyFields: []string{"access_token", "token_type", "scope", "expires_in"}, // no id or refresh tokens + wantRequestedScopes: []string{"pinniped:request-audience", "groups"}, + wantGrantedScopes: []string{"pinniped:request-audience", "groups"}, + wantGroups: nil, + }, + }, + }, + { + name: "offline_access and openid scopes were requested and granted from authorize endpoint (no groups)", authcodeExchange: authcodeExchangeInputs{ modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access") }, want: tokenEndpointResponseExpectedValues{ wantStatus: http.StatusOK, + wantClientID: pinnipedCLIClientID, + wantSuccessBodyFields: []string{"id_token", "access_token", "token_type", "scope", "expires_in", "refresh_token"}, // all possible tokens + wantRequestedScopes: []string{"openid", "offline_access"}, + wantGrantedScopes: []string{"openid", "offline_access"}, + wantGroups: nil, + }, + }, + }, + { + name: "offline_access and openid scopes were requested and granted from authorize endpoint for dynamic client (no groups)", + kubeResources: addFullyCapableDynamicClientAndSecretToKubeResources, + authcodeExchange: authcodeExchangeInputs{ + modifyAuthRequest: func(r *http.Request) { + addDynamicClientIDToFormPostBody(r) + r.Form.Set("scope", "openid offline_access") + }, + modifyTokenRequest: modifyAuthcodeTokenRequestWithDynamicClientAuth, + want: tokenEndpointResponseExpectedValues{ + wantStatus: http.StatusOK, + wantClientID: dynamicClientID, wantSuccessBodyFields: []string{"id_token", "access_token", "token_type", "scope", "expires_in", "refresh_token"}, // all possible tokens wantRequestedScopes: []string{"openid", "offline_access"}, wantGrantedScopes: []string{"openid", "offline_access"}, 
@@ -311,10 +429,30 @@ func TestTokenEndpointAuthcodeExchange(t *testing.T) { modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "offline_access") }, want: tokenEndpointResponseExpectedValues{ wantStatus: http.StatusOK, + wantClientID: pinnipedCLIClientID, wantSuccessBodyFields: []string{"access_token", "token_type", "scope", "expires_in", "refresh_token"}, // no id token wantRequestedScopes: []string{"offline_access"}, wantGrantedScopes: []string{"offline_access"}, - wantGroups: goodGroups, + wantGroups: nil, + }, + }, + }, + { + name: "offline_access (without openid scope) was requested and granted from authorize endpoint for dynamic client", + kubeResources: addFullyCapableDynamicClientAndSecretToKubeResources, + authcodeExchange: authcodeExchangeInputs{ + modifyAuthRequest: func(r *http.Request) { + addDynamicClientIDToFormPostBody(r) + r.Form.Set("scope", "offline_access") + }, + modifyTokenRequest: modifyAuthcodeTokenRequestWithDynamicClientAuth, + want: tokenEndpointResponseExpectedValues{ + wantStatus: http.StatusOK, + wantClientID: dynamicClientID, + wantSuccessBodyFields: []string{"access_token", "token_type", "scope", "expires_in", "refresh_token"}, // no id token + wantRequestedScopes: []string{"offline_access"}, + wantGrantedScopes: []string{"offline_access"}, + wantGroups: nil, }, }, }, @@ -324,6 +462,7 @@ func TestTokenEndpointAuthcodeExchange(t *testing.T) { modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid profile email groups") }, want: tokenEndpointResponseExpectedValues{ wantStatus: http.StatusOK, + wantClientID: pinnipedCLIClientID, wantSuccessBodyFields: []string{"id_token", "access_token", "token_type", "scope", "expires_in"}, // no refresh token wantRequestedScopes: []string{"openid", "profile", "email", "groups"}, wantGrantedScopes: []string{"openid", "groups"}, 
@@ -331,6 +470,28 @@ func TestTokenEndpointAuthcodeExchange(t *testing.T) { }, }, }, + { + name: "dynamic client uses a secondary client secret (one of the other client secrets after the first one in the list)", + kubeResources: addFullyCapableDynamicClientAndSecretToKubeResources, + authcodeExchange: authcodeExchangeInputs{ + modifyAuthRequest: func(r *http.Request) { + addDynamicClientIDToFormPostBody(r) + r.Form.Set("scope", "openid pinniped:request-audience groups") + }, + modifyTokenRequest: func(r *http.Request, authCode string) { + r.Body = happyAuthcodeRequestBody(authCode).WithClientID("").ReadCloser() + r.SetBasicAuth(dynamicClientID, testutil.PlaintextPassword2) // use the second client secret that was configured on the client + }, + want: tokenEndpointResponseExpectedValues{ + wantStatus: http.StatusOK, + wantClientID: dynamicClientID, + wantSuccessBodyFields: []string{"id_token", "access_token", "token_type", "scope", "expires_in"}, // no refresh token + wantRequestedScopes: []string{"openid", "pinniped:request-audience", "groups"}, + wantGrantedScopes: []string{"openid", "pinniped:request-audience", "groups"}, + wantGroups: goodGroups, + }, + }, + }, // sad path { 
@@ -373,6 +534,57 @@ func TestTokenEndpointAuthcodeExchange(t *testing.T) { }, }, }, + { + name: "dynamic client uses wrong client secret", + kubeResources: addFullyCapableDynamicClientAndSecretToKubeResources, + authcodeExchange: authcodeExchangeInputs{ + modifyAuthRequest: func(r *http.Request) { + addDynamicClientIDToFormPostBody(r) + r.Form.Set("scope", "openid pinniped:request-audience groups") + }, + modifyTokenRequest: func(r *http.Request, authCode string) { + r.Body = happyAuthcodeRequestBody(authCode).WithClientID("").ReadCloser() + r.SetBasicAuth(dynamicClientID, "wrong client secret") + }, + want: tokenEndpointResponseExpectedValues{ + wantStatus: http.StatusUnauthorized, + wantErrorResponseBody: fositeClientAuthFailedErrorBody, + }, + }, + }, + { + name: "dynamic client uses wrong auth method (must use basic auth)", + kubeResources: addFullyCapableDynamicClientAndSecretToKubeResources, + authcodeExchange: authcodeExchangeInputs{ + modifyAuthRequest: func(r *http.Request) { + addDynamicClientIDToFormPostBody(r) + r.Form.Set("scope", "openid pinniped:request-audience groups") + }, + modifyTokenRequest: func(r *http.Request, authCode string) { + // Add client auth to the form, when it should be in basic auth headers. + r.Body = happyAuthcodeRequestBody(authCode).WithClientID(dynamicClientID).WithClientSecret(testutil.PlaintextPassword1).ReadCloser() + }, + want: tokenEndpointResponseExpectedValues{ + wantStatus: http.StatusUnauthorized, + wantErrorResponseBody: fositeClientAuthMustBeBasicAuthErrorBody, + }, + }, + }, + { + name: "tries to change client ID between authorization request and token request", + kubeResources: addFullyCapableDynamicClientAndSecretToKubeResources, + authcodeExchange: authcodeExchangeInputs{ + modifyAuthRequest: func(r *http.Request) { + // Test uses pinniped-cli client_id by default here. 
+ r.Form.Set("scope", "openid pinniped:request-audience") + }, + modifyTokenRequest: modifyAuthcodeTokenRequestWithDynamicClientAuth, + want: tokenEndpointResponseExpectedValues{ + wantStatus: http.StatusBadRequest, + wantErrorResponseBody: fositeClientIDMismatchDuringAuthcodeExchangeErrorBody, + }, + }, + }, { name: "content type is invalid", authcodeExchange: authcodeExchangeInputs{ @@ -417,18 +629,6 @@ func TestTokenEndpointAuthcodeExchange(t *testing.T) { }, }, }, - { - name: "grant type is not authorization_code", - authcodeExchange: authcodeExchangeInputs{ - modifyTokenRequest: func(r *http.Request, authCode string) { - r.Body = happyAuthcodeRequestBody(authCode).WithGrantType("bogus").ReadCloser() - }, - want: tokenEndpointResponseExpectedValues{ - wantStatus: http.StatusBadRequest, - wantErrorResponseBody: fositeInvalidRequestErrorBody, - }, - }, - }, { name: "client id is missing in request", authcodeExchange: authcodeExchangeInputs{ @@ -568,7 +768,8 @@ func TestTokenEndpointAuthcodeExchange(t *testing.T) { t.Parallel() // Authcode exchange doesn't use the upstream provider cache, so just pass an empty cache. - exchangeAuthcodeForTokens(t, test.authcodeExchange, oidctestutil.NewUpstreamIDPListerBuilder().Build()) + exchangeAuthcodeForTokens(t, + test.authcodeExchange, oidctestutil.NewUpstreamIDPListerBuilder().Build(), test.kubeResources) }) } } @@ -577,6 +778,7 @@ func TestTokenEndpointWhenAuthcodeIsUsedTwice(t *testing.T) { tests := []struct { name string authcodeExchange authcodeExchangeInputs + kubeResources func(t *testing.T, supervisorClient *supervisorfake.Clientset, kubeClient *fake.Clientset) }{ { name: "authcode exchange succeeds once and then fails when the same authcode is used again", 
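Review bot: The new "dynamic client uses wrong client secret" case expects `fositeClientAuthFailedErrorBody`, the same generic `invalid_client` body that the "bad client ID" token-exchange case further down in this file expects for an unknown client, but nothing records that this equivalence is intentional. A short comment on the `wantErrorResponseBody` line, `// Same generic body as for an unknown client: the response must not reveal whether the client ID or the secret was wrong.`, would make a future change that splits the two messages a conscious decision rather than a silent one. The "dynamic client uses wrong auth method" case is good as written because it submits the genuine `testutil.PlaintextPassword1` via `client_secret_post`, proving the rejection is method-based and not a side effect of a bad secret; a comment saying so would help readers who might otherwise "fix" it to use a bogus secret.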
@@ -584,6 +786,7 @@ func TestTokenEndpointWhenAuthcodeIsUsedTwice(t *testing.T) { modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access profile email groups") }, want: tokenEndpointResponseExpectedValues{ wantStatus: http.StatusOK, + wantClientID: pinnipedCLIClientID, wantSuccessBodyFields: []string{"id_token", "refresh_token", "access_token", "token_type", "expires_in", "scope"}, wantRequestedScopes: []string{"openid", "offline_access", "profile", "email", "groups"}, wantGrantedScopes: []string{"openid", "offline_access", "groups"}, @@ -600,7 +803,7 @@ func TestTokenEndpointWhenAuthcodeIsUsedTwice(t *testing.T) { // First call - should be successful. // Authcode exchange doesn't use the upstream provider cache, so just pass an empty cache. subject, rsp, authCode, _, secrets, oauthStore := exchangeAuthcodeForTokens(t, - test.authcodeExchange, oidctestutil.NewUpstreamIDPListerBuilder().Build()) + test.authcodeExchange, oidctestutil.NewUpstreamIDPListerBuilder().Build(), test.kubeResources) var parsedResponseBody map[string]interface{} require.NoError(t, json.Unmarshal(rsp.Body.Bytes(), &parsedResponseBody)) @@ -611,6 +814,7 @@ func TestTokenEndpointWhenAuthcodeIsUsedTwice(t *testing.T) { req := httptest.NewRequest("POST", "/path/shouldn't/matter", happyAuthcodeRequestBody(authCode).ReadCloser()) req.Header.Set("Content-Type", "application/x-www-form-urlencoded") reusedAuthcodeResponse := httptest.NewRecorder() + approxRequestTime := time.Now() subject.ServeHTTP(reusedAuthcodeResponse, req) t.Logf("second response: %#v", reusedAuthcodeResponse) t.Logf("second response body: %q", reusedAuthcodeResponse.Body.String()) 
@@ -619,7 +823,7 @@ func TestTokenEndpointWhenAuthcodeIsUsedTwice(t *testing.T) { require.JSONEq(t, fositeReusedAuthCodeErrorBody, reusedAuthcodeResponse.Body.String()) // This was previously invalidated by the first request, so it remains invalidated - requireInvalidAuthCodeStorage(t, authCode, oauthStore, secrets) + requireInvalidAuthCodeStorage(t, authCode, oauthStore, secrets, approxRequestTime) // Has now invalidated the access token that was previously handed out by the first request requireInvalidAccessTokenStorage(t, parsedResponseBody, oauthStore) // This was previously invalidated by the first request, so it remains invalidated @@ -628,7 +832,9 @@ func TestTokenEndpointWhenAuthcodeIsUsedTwice(t *testing.T) { // Note that customSessionData is only relevant to refresh grant, so we leave it as nil for this // authcode exchange test, even though in practice it would actually be in the session. requireValidOIDCStorage(t, parsedResponseBody, authCode, oauthStore, - test.authcodeExchange.want.wantRequestedScopes, test.authcodeExchange.want.wantGrantedScopes, test.authcodeExchange.want.wantGroups, nil) + test.authcodeExchange.want.wantClientID, test.authcodeExchange.want.wantRequestedScopes, + test.authcodeExchange.want.wantGrantedScopes, test.authcodeExchange.want.wantGroups, nil, + approxRequestTime) // Check that the access token and refresh token storage were both deleted, and the number of other storage objects did not change. testutil.RequireNumberOfSecretsMatchingLabelSelector(t, secrets, labels.Set{crud.SecretLabelKey: authorizationcode.TypeLabelValue}, 1) 
@@ -636,7 +842,8 @@ func TestTokenEndpointWhenAuthcodeIsUsedTwice(t *testing.T) { testutil.RequireNumberOfSecretsMatchingLabelSelector(t, secrets, labels.Set{crud.SecretLabelKey: accesstoken.TypeLabelValue}, 0) testutil.RequireNumberOfSecretsMatchingLabelSelector(t, secrets, labels.Set{crud.SecretLabelKey: refreshtoken.TypeLabelValue}, 0) testutil.RequireNumberOfSecretsMatchingLabelSelector(t, secrets, labels.Set{crud.SecretLabelKey: storagepkce.TypeLabelValue}, 0) - testutil.RequireNumberOfSecretsMatchingLabelSelector(t, secrets, labels.Set{}, 2) + // Assert the number of all secrets, excluding any OIDCClient's storage secret, since those are not related to session storage. + testutil.RequireNumberOfSecretsExcludingLabelSelector(t, secrets, labels.Set{crud.SecretLabelKey: oidcclientsecretstorage.TypeLabelValue}, 2) }) } } @@ -644,6 +851,16 @@ func TestTokenEndpointWhenAuthcodeIsUsedTwice(t *testing.T) { func TestTokenEndpointTokenExchange(t *testing.T) { // tests for grant_type "urn:ietf:params:oauth:grant-type:token-exchange" successfulAuthCodeExchange := tokenEndpointResponseExpectedValues{ wantStatus: http.StatusOK, + wantClientID: pinnipedCLIClientID, + wantSuccessBodyFields: []string{"id_token", "access_token", "token_type", "expires_in", "scope"}, + wantRequestedScopes: []string{"openid", "pinniped:request-audience", "groups"}, + wantGrantedScopes: []string{"openid", "pinniped:request-audience", "groups"}, + wantGroups: goodGroups, + } + + successfulAuthCodeExchangeUsingDynamicClient := tokenEndpointResponseExpectedValues{ + wantStatus: http.StatusOK, + wantClientID: dynamicClientID, wantSuccessBodyFields: []string{"id_token", "access_token", "token_type", "expires_in", "scope"}, wantRequestedScopes: []string{"openid", "pinniped:request-audience", "groups"}, wantGrantedScopes: []string{"openid", "pinniped:request-audience", "groups"}, 
@@ -657,13 +874,24 @@ func TestTokenEndpointTokenExchange(t *testing.T) { // tests for grant_type "urn want: successfulAuthCodeExchange, } + doValidAuthCodeExchangeUsingDynamicClient := authcodeExchangeInputs{ + modifyAuthRequest: func(authRequest *http.Request) { + addDynamicClientIDToFormPostBody(authRequest) + authRequest.Form.Set("scope", "openid pinniped:request-audience groups") + }, + modifyTokenRequest: modifyAuthcodeTokenRequestWithDynamicClientAuth, + want: successfulAuthCodeExchangeUsingDynamicClient, + } + tests := []struct { name string - authcodeExchange authcodeExchangeInputs - modifyRequestParams func(t *testing.T, params url.Values) - modifyStorage func(t *testing.T, storage *oidc.KubeStorage, pendingRequest *http.Request) - requestedAudience string + authcodeExchange authcodeExchangeInputs + modifyRequestParams func(t *testing.T, params url.Values) + modifyRequestHeaders func(r *http.Request) + modifyStorage func(t *testing.T, storage *oidc.KubeStorage, pendingRequest *http.Request) + requestedAudience string + kubeResources func(t *testing.T, supervisorClient *supervisorfake.Clientset, kubeClient *fake.Clientset) wantStatus int wantResponseBodyContains string 
@@ -674,6 +902,116 @@ func TestTokenEndpointTokenExchange(t *testing.T) { // tests for grant_type "urn requestedAudience: "some-workload-cluster", wantStatus: http.StatusOK, }, + { + name: "happy path with dynamic client", + kubeResources: addFullyCapableDynamicClientAndSecretToKubeResources, + authcodeExchange: doValidAuthCodeExchangeUsingDynamicClient, + modifyRequestParams: func(t *testing.T, params url.Values) { + params.Del("client_id") // client auth for dynamic clients must be in basic auth header + }, + modifyRequestHeaders: func(r *http.Request) { + r.SetBasicAuth(dynamicClientID, testutil.PlaintextPassword1) + }, + requestedAudience: "some-workload-cluster", + wantStatus: http.StatusOK, + }, + { + name: "dynamic client lacks the required urn:ietf:params:oauth:grant-type:token-exchange grant type", + kubeResources: func(t *testing.T, supervisorClient *supervisorfake.Clientset, kubeClient *fake.Clientset) { + namespace, clientID, clientUID, redirectURI := "some-namespace", dynamicClientID, dynamicClientUID, goodRedirectURI + oidcClient := &configv1alpha1.OIDCClient{ + ObjectMeta: metav1.ObjectMeta{Namespace: namespace, Name: clientID, Generation: 1, UID: types.UID(clientUID)}, + Spec: configv1alpha1.OIDCClientSpec{ + AllowedGrantTypes: []configv1alpha1.GrantType{"authorization_code", "refresh_token"}, // does not have the grant type + AllowedScopes: []configv1alpha1.Scope{"openid", "offline_access", "username", "groups"}, // would be invalid if it also asked for pinniped:request-audience since it lacks the grant type + AllowedRedirectURIs: []configv1alpha1.RedirectURI{configv1alpha1.RedirectURI(redirectURI)}, + }, + } + secret := testutil.OIDCClientSecretStorageSecretForUID(t, namespace, clientUID, []string{testutil.HashedPassword1AtGoMinCost, testutil.HashedPassword2AtGoMinCost}) + require.NoError(t, supervisorClient.Tracker().Add(oidcClient)) + require.NoError(t, kubeClient.Tracker().Add(secret)) + }, + authcodeExchange: authcodeExchangeInputs{ + 
modifyAuthRequest: func(authRequest *http.Request) { + addDynamicClientIDToFormPostBody(authRequest) + authRequest.Form.Set("scope", "openid groups") // don't request pinniped:request-audience scope + }, + modifyTokenRequest: modifyAuthcodeTokenRequestWithDynamicClientAuth, + want: tokenEndpointResponseExpectedValues{ + wantStatus: http.StatusOK, + wantClientID: dynamicClientID, + wantSuccessBodyFields: []string{"id_token", "access_token", "token_type", "expires_in", "scope"}, + wantRequestedScopes: []string{"openid", "groups"}, // don't want pinniped:request-audience scope + wantGrantedScopes: []string{"openid", "groups"}, // don't want pinniped:request-audience scope + wantGroups: goodGroups, + }, + }, + modifyRequestParams: func(t *testing.T, params url.Values) { + params.Del("client_id") // client auth for dynamic clients must be in basic auth header + }, + modifyRequestHeaders: func(r *http.Request) { + r.SetBasicAuth(dynamicClientID, testutil.PlaintextPassword1) + }, + requestedAudience: "some-workload-cluster", + wantStatus: http.StatusBadRequest, + wantResponseBodyContains: `The client is not authorized to request a token using this method. 
The OAuth 2.0 Client is not allowed to use token exchange grant 'urn:ietf:params:oauth:grant-type:token-exchange'.`, + }, + { + name: "dynamic client did not ask for the pinniped:request-audience scope in the original authorization request, so the access token submitted during token exchange lacks the scope", + kubeResources: addFullyCapableDynamicClientAndSecretToKubeResources, + authcodeExchange: authcodeExchangeInputs{ + modifyAuthRequest: func(authRequest *http.Request) { + addDynamicClientIDToFormPostBody(authRequest) + authRequest.Form.Set("scope", "openid groups") // don't request pinniped:request-audience scope + }, + modifyTokenRequest: modifyAuthcodeTokenRequestWithDynamicClientAuth, + want: tokenEndpointResponseExpectedValues{ + wantStatus: http.StatusOK, + wantClientID: dynamicClientID, + wantSuccessBodyFields: []string{"id_token", "access_token", "token_type", "expires_in", "scope"}, + wantRequestedScopes: []string{"openid", "groups"}, // don't want pinniped:request-audience scope + wantGrantedScopes: []string{"openid", "groups"}, // don't want pinniped:request-audience scope + wantGroups: goodGroups, + }, + }, + modifyRequestParams: func(t *testing.T, params url.Values) { + params.Del("client_id") // client auth for dynamic clients must be in basic auth header + }, + modifyRequestHeaders: func(r *http.Request) { + r.SetBasicAuth(dynamicClientID, testutil.PlaintextPassword1) + }, + requestedAudience: "some-workload-cluster", + wantStatus: http.StatusForbidden, + wantResponseBodyContains: `The resource owner or authorization server denied the request. 
missing the 'pinniped:request-audience' scope`, + }, + { + name: "dynamic client did not ask for the openid scope in the original authorization request, so the access token submitted during token exchange lacks the scope", + kubeResources: addFullyCapableDynamicClientAndSecretToKubeResources, + authcodeExchange: authcodeExchangeInputs{ + modifyAuthRequest: func(authRequest *http.Request) { + addDynamicClientIDToFormPostBody(authRequest) + authRequest.Form.Set("scope", "pinniped:request-audience groups") // don't request openid scope + }, + modifyTokenRequest: modifyAuthcodeTokenRequestWithDynamicClientAuth, + want: tokenEndpointResponseExpectedValues{ + wantStatus: http.StatusOK, + wantClientID: dynamicClientID, + wantSuccessBodyFields: []string{"access_token", "token_type", "expires_in", "scope"}, // no id token + wantRequestedScopes: []string{"pinniped:request-audience", "groups"}, // don't want openid scope + wantGrantedScopes: []string{"pinniped:request-audience", "groups"}, // don't want openid scope + wantGroups: nil, + }, + }, + modifyRequestParams: func(t *testing.T, params url.Values) { + params.Del("client_id") // client auth for dynamic clients must be in basic auth header + }, + modifyRequestHeaders: func(r *http.Request) { + r.SetBasicAuth(dynamicClientID, testutil.PlaintextPassword1) + }, + requestedAudience: "some-workload-cluster", + wantStatus: http.StatusForbidden, + wantResponseBodyContains: `The resource owner or authorization server denied the request. missing the 'openid' scope`, + }, { name: "missing audience", authcodeExchange: doValidAuthCodeExchange, 
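Review bot: The "dynamic client lacks the required ... grant type" case builds an `OIDCClient` and its Secret inline, duplicating what `testutil.FullyCapableOIDCClientAndStorageSecret` does elsewhere in the hunk, and the line `namespace, clientID, clientUID, redirectURI := "some-namespace", dynamicClientID, dynamicClientUID, goodRedirectURI` only aliases constants that could be used directly. A small file-level helper taking the allowed grant types and scopes as parameters, returning the `kubeResources` func, would keep the table entry to one line and make the "fully capable" and "reduced capability" clients differ in exactly the field under test. The three dynamic-client cases also repeat the identical `modifyRequestParams` (`params.Del("client_id")`) and `modifyRequestHeaders` (`r.SetBasicAuth(dynamicClientID, testutil.PlaintextPassword1)`) closures verbatim; package-level values such as `deleteClientIDParam` and `useDynamicClientBasicAuth` would remove the repetition and make a deviating case stand out.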
@@ -752,6 +1090,60 @@ func TestTokenEndpointTokenExchange(t *testing.T) { // tests for grant_type "urn wantStatus: http.StatusBadRequest, wantResponseBodyContains: `Invalid token format`, }, + { + name: "bad client ID", + authcodeExchange: doValidAuthCodeExchange, + requestedAudience: "some-workload-cluster", + modifyRequestParams: func(t *testing.T, params url.Values) { + params.Set("client_id", "some-bogus-value") + }, + wantStatus: http.StatusUnauthorized, + wantResponseBodyContains: `Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method).`, + }, + { + name: "dynamic client uses wrong client secret", + kubeResources: addFullyCapableDynamicClientAndSecretToKubeResources, + authcodeExchange: doValidAuthCodeExchangeUsingDynamicClient, + modifyRequestParams: func(t *testing.T, params url.Values) { + params.Del("client_id") // client auth for dynamic clients must be in basic auth header + }, + modifyRequestHeaders: func(r *http.Request) { + r.SetBasicAuth(dynamicClientID, "bad client secret") + }, + requestedAudience: "some-workload-cluster", + wantStatus: http.StatusUnauthorized, + wantResponseBodyContains: `Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method).`, + }, + { + name: "dynamic client uses wrong auth method (must use basic auth)", + kubeResources: addFullyCapableDynamicClientAndSecretToKubeResources, + authcodeExchange: doValidAuthCodeExchangeUsingDynamicClient, + modifyRequestParams: func(t *testing.T, params url.Values) { + // Dynamic clients do not support this method of auth. 
+ params.Set("client_id", dynamicClientID) + params.Set("client_secret", testutil.PlaintextPassword1) + }, + modifyRequestHeaders: func(r *http.Request) { + // would usually set the basic auth header here, but we don't for this test case + }, + requestedAudience: "some-workload-cluster", + wantStatus: http.StatusUnauthorized, + wantResponseBodyContains: `Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method). The OAuth 2.0 Client supports client authentication method 'client_secret_basic', but method 'client_secret_post' was requested. You must configure the OAuth 2.0 client's 'token_endpoint_auth_method' value to accept 'client_secret_post'.`, + }, + { + name: "different client used between authorize/authcode calls and the call to token exchange", + kubeResources: addFullyCapableDynamicClientAndSecretToKubeResources, + authcodeExchange: doValidAuthCodeExchange, // use pinniped-cli for authorize and authcode exchange + modifyRequestParams: func(t *testing.T, params url.Values) { + params.Del("client_id") // client auth for dynamic clients must be in basic auth header + }, + modifyRequestHeaders: func(r *http.Request) { + r.SetBasicAuth(dynamicClientID, testutil.PlaintextPassword1) // use dynamic client for token exchange + }, + requestedAudience: "some-workload-cluster", + wantStatus: http.StatusBadRequest, + wantResponseBodyContains: `The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client. The OAuth 2.0 Client ID from this request does not match the one from the authorize request.`, + }, { name: "valid access token, but deleted from storage", authcodeExchange: doValidAuthCodeExchange, 
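Review bot: The `modifyRequestHeaders` closure in the "dynamic client uses wrong auth method (must use basic auth)" case is a no-op that contains only a comment; the test loop applies this hook only when it is non-nil (`if test.modifyRequestHeaders != nil`), so the field can be dropped and the comment moved into the case's `modifyRequestParams` body, e.g. `// Deliberately no Authorization header: the credentials go in the form so client_secret_post is what gets exercised.`. The "bad client ID" and "dynamic client uses wrong client secret" cases both expect the same generic `Client authentication failed` body, which usefully pins that the endpoint does not disclose whether a client ID exists, and that is worth stating in a one-line comment so a later "more helpful" error message is not introduced by accident. One combination that does not appear in this hunk is a dynamic-client token exchange that presents no credentials at all (client_id deleted and no basic auth), which would confirm the request is not quietly treated as one from a public client. `TestTokenEndpointTokenExchange`'s table and its loop continue outside the hunk.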
@@ -772,6 +1164,7 @@ func TestTokenEndpointTokenExchange(t *testing.T) { // tests for grant_type "urn }, want: tokenEndpointResponseExpectedValues{ wantStatus: http.StatusOK, + wantClientID: pinnipedCLIClientID, wantSuccessBodyFields: []string{"id_token", "access_token", "token_type", "expires_in", "scope"}, wantRequestedScopes: []string{"openid", "groups"}, wantGrantedScopes: []string{"openid", "groups"}, @@ -790,10 +1183,11 @@ func TestTokenEndpointTokenExchange(t *testing.T) { // tests for grant_type "urn }, want: tokenEndpointResponseExpectedValues{ wantStatus: http.StatusOK, + wantClientID: pinnipedCLIClientID, wantSuccessBodyFields: []string{"access_token", "token_type", "expires_in", "scope"}, wantRequestedScopes: []string{"pinniped:request-audience", "groups"}, wantGrantedScopes: []string{"pinniped:request-audience", "groups"}, - wantGroups: goodGroups, + wantGroups: nil, }, }, requestedAudience: "some-workload-cluster", @@ -808,6 +1202,7 @@ func TestTokenEndpointTokenExchange(t *testing.T) { // tests for grant_type "urn }, want: tokenEndpointResponseExpectedValues{ wantStatus: http.StatusOK, + wantClientID: pinnipedCLIClientID, wantSuccessBodyFields: []string{"access_token", "token_type", "expires_in", "scope", "id_token"}, wantRequestedScopes: []string{"openid", "pinniped:request-audience"}, wantGrantedScopes: []string{"openid", "pinniped:request-audience"}, @@ -839,7 +1234,7 @@ func TestTokenEndpointTokenExchange(t *testing.T) { // tests for grant_type "urn // Authcode exchange doesn't use the upstream provider cache, so just pass an empty cache. subject, rsp, _, _, secrets, storage := exchangeAuthcodeForTokens(t, - test.authcodeExchange, oidctestutil.NewUpstreamIDPListerBuilder().Build()) + test.authcodeExchange, oidctestutil.NewUpstreamIDPListerBuilder().Build(), test.kubeResources) var parsedAuthcodeExchangeResponseBody map[string]interface{} require.NoError(t, json.Unmarshal(rsp.Body.Bytes(), &parsedAuthcodeExchangeResponseBody)) 
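Review bot: In the `@@ -790` hunk `wantGroups` flips from `goodGroups` to `nil` with no comment, so a reader has to infer from the case's scopes (`pinniped:request-audience`, `groups` without `openid`) why groups are no longer expected in the stored session or the ID token; a one-line comment would make the expectation self-explanatory, e.g. `wantGroups: nil, // no id_token is issued here, so no groups claim should be stored or returned`, with the exact reason adjusted to whatever the handler change was. The same `wantClientID: pinnipedCLIClientID` line is added to every pre-existing case on this and the following lines; if the tables' `want` values were built through a small helper that fills in the CLI client by default, only the dynamic-client cases would need to name a client. The enclosing tables and test loops continue outside these hunks.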
@@ -855,6 +1250,10 @@ func TestTokenEndpointTokenExchange(t *testing.T) { // tests for grant_type "urn req.Header.Set("Content-Type", "application/x-www-form-urlencoded") rsp = httptest.NewRecorder() + if test.modifyRequestHeaders != nil { + test.modifyRequestHeaders(req) + } + // Measure the secrets in storage after the auth code flow. existingSecrets, err := secrets.List(context.Background(), metav1.ListOptions{}) require.NoError(t, err) @@ -1062,6 +1461,7 @@ func TestRefreshGrant(t *testing.T) { happyAuthcodeExchangeTokenResponseForOpenIDAndOfflineAccess := func(wantCustomSessionDataStored *psession.CustomSessionData) tokenEndpointResponseExpectedValues { want := tokenEndpointResponseExpectedValues{ wantStatus: http.StatusOK, + wantClientID: pinnipedCLIClientID, wantSuccessBodyFields: []string{"id_token", "refresh_token", "access_token", "token_type", "expires_in", "scope"}, wantRequestedScopes: []string{"openid", "offline_access", "groups"}, wantGrantedScopes: []string{"openid", "offline_access", "groups"}, @@ -1071,6 +1471,16 @@ func TestRefreshGrant(t *testing.T) { return want } + withWantDynamicClientID := func(w tokenEndpointResponseExpectedValues) tokenEndpointResponseExpectedValues { + w.wantClientID = dynamicClientID + return w + } + + modifyRefreshTokenRequestWithDynamicClientAuth := func(tokenRequest *http.Request, refreshToken string, accessToken string) { + tokenRequest.Body = happyRefreshRequestBody(refreshToken).WithClientID("").ReadCloser() // No client_id in body. + tokenRequest.SetBasicAuth(dynamicClientID, testutil.PlaintextPassword1) // Use basic auth header instead. + } + happyRefreshTokenResponseForOpenIDAndOfflineAccess := func(wantCustomSessionDataStored *psession.CustomSessionData, expectToValidateToken *oauth2.Token) tokenEndpointResponseExpectedValues { // Should always have some custom session data stored. The other expectations happens to be the // same as the same values as the authcode exchange case. 
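Review bot: `withWantDynamicClientID` in the `@@ -1071` hunk works because `tokenEndpointResponseExpectedValues` is passed and returned by value and only the string field `wantClientID` is replaced, but the struct's slice fields (`wantSuccessBodyFields` and friends) are still shared with the caller's value; a comment would stop a future helper from appending to one of them and silently aliasing the shared happy-path expectations: `// Returns a shallow copy; this is safe only because a string field is replaced, the slice fields are still shared.`. `modifyRefreshTokenRequestWithDynamicClientAuth` also replaces the whole request body with `happyRefreshRequestBody(refreshToken)`, whose scope is the helper's default, so a case that needs a different refresh scope cannot use it (the later dynamic-client groups case re-implements the hook for exactly this reason); noting that limitation in its comment, or taking the body as a parameter, would make the helper less surprising. Its unused `accessToken` parameter appears to be dictated by the `modifyTokenRequest` hook signature, so naming it `_` would make that intent explicit. `TestRefreshGrant` continues outside the hunk.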
@@ -1134,6 +1544,7 @@ func TestRefreshGrant(t *testing.T) { tests := []struct { name string idps *oidctestutil.UpstreamIDPListerBuilder + kubeResources func(t *testing.T, supervisorClient *supervisorfake.Clientset, kubeClient *fake.Clientset) authcodeExchange authcodeExchangeInputs refreshRequest refreshRequestInputs modifyRefreshTokenStorage func(t *testing.T, oauthStore *oidc.KubeStorage, refreshToken string) @@ -1160,6 +1571,34 @@ func TestRefreshGrant(t *testing.T) { ), }, }, + { + name: "happy path refresh grant with openid scope granted (id token returned) using dynamic client", + idps: oidctestutil.NewUpstreamIDPListerBuilder().WithOIDC( + upstreamOIDCIdentityProviderBuilder().WithValidatedAndMergedWithUserInfoTokens(&oidctypes.Token{ + IDToken: &oidctypes.IDToken{ + Claims: map[string]interface{}{ + "sub": goodUpstreamSubject, + }, + }, + }).WithRefreshedTokens(refreshedUpstreamTokensWithIDAndRefreshTokens()).Build()), + kubeResources: addFullyCapableDynamicClientAndSecretToKubeResources, + authcodeExchange: authcodeExchangeInputs{ + customSessionData: initialUpstreamOIDCRefreshTokenCustomSessionData(), + modifyAuthRequest: func(r *http.Request) { + addDynamicClientIDToFormPostBody(r) + r.Form.Set("scope", "openid offline_access groups") + }, + modifyTokenRequest: modifyAuthcodeTokenRequestWithDynamicClientAuth, + want: withWantDynamicClientID(happyAuthcodeExchangeTokenResponseForOpenIDAndOfflineAccess(initialUpstreamOIDCRefreshTokenCustomSessionData())), + }, + refreshRequest: refreshRequestInputs{ + modifyTokenRequest: modifyRefreshTokenRequestWithDynamicClientAuth, + want: withWantDynamicClientID(happyRefreshTokenResponseForOpenIDAndOfflineAccess( + upstreamOIDCCustomSessionDataWithNewRefreshToken(oidcUpstreamRefreshedRefreshToken), + refreshedUpstreamTokensWithIDAndRefreshTokens(), + )), + }, + }, { name: "refresh grant with unchanged username claim", idps: oidctestutil.NewUpstreamIDPListerBuilder().WithOIDC( 
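Review bot: The new `kubeResources` field in `TestRefreshGrant`'s table has no comment, and the name alone does not say when it runs or what it is for; the `exchangeAuthcodeForTokens` hunk further down shows it is called with the freshly created fake supervisor and kube clientsets before the storage is built, so a comment such as `// kubeResources, when set, seeds the fake supervisor and kube clientsets (e.g. with an OIDCClient and its client secret) before the authcode exchange runs.` would help the next reader. The same hook is presumably also a field of `TestTokenEndpointTokenExchange`'s table, since that test passes `test.kubeResources` in the `@@ -839` hunk, and the comment should be the same in both places. The table and loop continue outside this hunk.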
@@ -1208,6 +1647,7 @@ func TestRefreshGrant(t *testing.T) { refreshRequest: refreshRequestInputs{ want: tokenEndpointResponseExpectedValues{ wantStatus: http.StatusOK, + wantClientID: pinnipedCLIClientID, wantSuccessBodyFields: []string{"refresh_token", "id_token", "access_token", "token_type", "expires_in", "scope"}, wantRequestedScopes: []string{"openid", "offline_access", "groups"}, wantGrantedScopes: []string{"openid", "offline_access", "groups"}, @@ -1239,6 +1679,7 @@ func TestRefreshGrant(t *testing.T) { modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "offline_access") }, want: tokenEndpointResponseExpectedValues{ wantStatus: http.StatusOK, + wantClientID: pinnipedCLIClientID, wantSuccessBodyFields: []string{"refresh_token", "access_token", "token_type", "expires_in", "scope"}, wantRequestedScopes: []string{"offline_access"}, wantGrantedScopes: []string{"offline_access"}, @@ -1248,6 +1689,7 @@ func TestRefreshGrant(t *testing.T) { refreshRequest: refreshRequestInputs{ want: tokenEndpointResponseExpectedValues{ wantStatus: http.StatusOK, + wantClientID: pinnipedCLIClientID, wantSuccessBodyFields: []string{"refresh_token", "access_token", "token_type", "expires_in", "scope"}, wantRequestedScopes: []string{"offline_access"}, wantGrantedScopes: []string{"offline_access"}, @@ -1273,6 +1715,7 @@ func TestRefreshGrant(t *testing.T) { refreshRequest: refreshRequestInputs{ want: tokenEndpointResponseExpectedValues{ wantStatus: http.StatusOK, + wantClientID: pinnipedCLIClientID, wantSuccessBodyFields: []string{"refresh_token", "access_token", "id_token", "token_type", "expires_in", "scope"}, wantRequestedScopes: []string{"openid", "offline_access", "groups"}, wantGrantedScopes: []string{"openid", "offline_access", "groups"}, 
@@ -1302,6 +1745,7 @@ func TestRefreshGrant(t *testing.T) { refreshRequest: refreshRequestInputs{ want: tokenEndpointResponseExpectedValues{ wantStatus: http.StatusOK, + wantClientID: pinnipedCLIClientID, wantSuccessBodyFields: []string{"refresh_token", "access_token", "id_token", "token_type", "expires_in", "scope"}, wantRequestedScopes: []string{"openid", "offline_access", "groups"}, wantGrantedScopes: []string{"openid", "offline_access", "groups"}, @@ -1331,6 +1775,7 @@ func TestRefreshGrant(t *testing.T) { refreshRequest: refreshRequestInputs{ want: tokenEndpointResponseExpectedValues{ wantStatus: http.StatusOK, + wantClientID: pinnipedCLIClientID, wantSuccessBodyFields: []string{"refresh_token", "access_token", "id_token", "token_type", "expires_in", "scope"}, wantRequestedScopes: []string{"openid", "offline_access", "groups"}, wantGrantedScopes: []string{"openid", "offline_access", "groups"}, @@ -1360,6 +1805,7 @@ func TestRefreshGrant(t *testing.T) { refreshRequest: refreshRequestInputs{ want: tokenEndpointResponseExpectedValues{ wantStatus: http.StatusOK, + wantClientID: pinnipedCLIClientID, wantSuccessBodyFields: []string{"refresh_token", "access_token", "id_token", "token_type", "expires_in", "scope"}, wantRequestedScopes: []string{"openid", "offline_access", "groups"}, wantGrantedScopes: []string{"openid", "offline_access", "groups"}, @@ -1389,6 +1835,7 @@ func TestRefreshGrant(t *testing.T) { refreshRequest: refreshRequestInputs{ want: tokenEndpointResponseExpectedValues{ wantStatus: http.StatusOK, + wantClientID: pinnipedCLIClientID, wantSuccessBodyFields: []string{"refresh_token", "access_token", "id_token", "token_type", "expires_in", "scope"}, wantRequestedScopes: []string{"openid", "offline_access", "groups"}, wantGrantedScopes: []string{"openid", "offline_access", "groups"}, 
@@ -1417,6 +1864,7 @@ func TestRefreshGrant(t *testing.T) { refreshRequest: refreshRequestInputs{ want: tokenEndpointResponseExpectedValues{ wantStatus: http.StatusOK, + wantClientID: pinnipedCLIClientID, wantSuccessBodyFields: []string{"refresh_token", "access_token", "id_token", "token_type", "expires_in", "scope"}, wantRequestedScopes: []string{"openid", "offline_access", "groups"}, wantGrantedScopes: []string{"openid", "offline_access", "groups"}, @@ -1444,6 +1892,7 @@ func TestRefreshGrant(t *testing.T) { refreshRequest: refreshRequestInputs{ want: tokenEndpointResponseExpectedValues{ wantStatus: http.StatusOK, + wantClientID: pinnipedCLIClientID, wantSuccessBodyFields: []string{"refresh_token", "access_token", "id_token", "token_type", "expires_in", "scope"}, wantRequestedScopes: []string{"openid", "offline_access", "groups"}, wantGrantedScopes: []string{"openid", "offline_access", "groups"}, @@ -1466,6 +1915,7 @@ func TestRefreshGrant(t *testing.T) { customSessionData: happyLDAPCustomSessionData, want: tokenEndpointResponseExpectedValues{ wantStatus: http.StatusOK, + wantClientID: pinnipedCLIClientID, wantSuccessBodyFields: []string{"id_token", "refresh_token", "access_token", "token_type", "expires_in", "scope"}, wantRequestedScopes: []string{"openid", "offline_access"}, wantGrantedScopes: []string{"openid", "offline_access"}, @@ -1479,6 +1929,7 @@ func TestRefreshGrant(t *testing.T) { }, want: tokenEndpointResponseExpectedValues{ wantStatus: http.StatusOK, + wantClientID: pinnipedCLIClientID, wantSuccessBodyFields: []string{"refresh_token", "access_token", "id_token", "token_type", "expires_in", "scope"}, wantRequestedScopes: []string{"openid", "offline_access"}, wantGrantedScopes: []string{"openid", "offline_access"}, 
@@ -1504,6 +1955,7 @@ func TestRefreshGrant(t *testing.T) {
 customSessionData: initialUpstreamOIDCRefreshTokenCustomSessionData(),
 want: tokenEndpointResponseExpectedValues{
 wantStatus: http.StatusOK,
+ wantClientID: pinnipedCLIClientID,
 wantSuccessBodyFields: []string{"id_token", "refresh_token", "access_token", "token_type", "expires_in", "scope"},
 wantRequestedScopes: []string{"openid", "offline_access"},
 wantGrantedScopes: []string{"openid", "offline_access"},
@@ -1517,6 +1969,54 @@ func TestRefreshGrant(t *testing.T) { }, want: tokenEndpointResponseExpectedValues{ wantStatus: http.StatusOK, + wantClientID: pinnipedCLIClientID, + wantSuccessBodyFields: []string{"refresh_token", "access_token", "id_token", "token_type", "expires_in", "scope"}, + wantRequestedScopes: []string{"openid", "offline_access"}, + wantGrantedScopes: []string{"openid", "offline_access"}, + wantGroups: nil, + wantUpstreamRefreshCall: happyOIDCUpstreamRefreshCall(), + wantUpstreamOIDCValidateTokenCall: happyUpstreamValidateTokenCall(refreshedUpstreamTokensWithIDAndRefreshTokens(), true), + wantCustomSessionDataStored: upstreamOIDCCustomSessionDataWithNewRefreshToken(oidcUpstreamRefreshedRefreshToken), + }, + }, + }, + { + name: "oidc refresh grant when the upstream refresh when groups scope not requested on original request or refresh when using dynamic client", + idps: oidctestutil.NewUpstreamIDPListerBuilder().WithOIDC( + upstreamOIDCIdentityProviderBuilder().WithGroupsClaim("my-groups-claim").WithValidatedAndMergedWithUserInfoTokens(&oidctypes.Token{ + IDToken: &oidctypes.IDToken{ + Claims: map[string]interface{}{ + "sub": goodUpstreamSubject, + "my-groups-claim": []string{"new-group1", "new-group2", "new-group3"}, // refreshed claims includes updated groups + }, + }, + }).WithRefreshedTokens(refreshedUpstreamTokensWithIDAndRefreshTokens()).Build()), + kubeResources: addFullyCapableDynamicClientAndSecretToKubeResources, + authcodeExchange: authcodeExchangeInputs{ + modifyAuthRequest: func(r *http.Request) { + addDynamicClientIDToFormPostBody(r) + r.Form.Set("scope", "openid offline_access") + }, + modifyTokenRequest: modifyAuthcodeTokenRequestWithDynamicClientAuth, + customSessionData: initialUpstreamOIDCRefreshTokenCustomSessionData(), + want: tokenEndpointResponseExpectedValues{ + wantStatus: http.StatusOK, + wantClientID: dynamicClientID, + wantSuccessBodyFields: []string{"id_token", "refresh_token", "access_token", "token_type", "expires_in", 
"scope"}, + wantRequestedScopes: []string{"openid", "offline_access"}, + wantGrantedScopes: []string{"openid", "offline_access"}, + wantCustomSessionDataStored: initialUpstreamOIDCRefreshTokenCustomSessionData(), + wantGroups: nil, + }, + }, + refreshRequest: refreshRequestInputs{ + modifyTokenRequest: func(r *http.Request, refreshToken string, accessToken string) { + r.Body = happyRefreshRequestBody(refreshToken).WithClientID("").WithScope("openid offline_access").ReadCloser() + r.SetBasicAuth(dynamicClientID, testutil.PlaintextPassword1) // Use basic auth header instead. + }, + want: tokenEndpointResponseExpectedValues{ + wantStatus: http.StatusOK, + wantClientID: dynamicClientID, wantSuccessBodyFields: []string{"refresh_token", "access_token", "id_token", "token_type", "expires_in", "scope"}, wantRequestedScopes: []string{"openid", "offline_access"}, wantGrantedScopes: []string{"openid", "offline_access"}, @@ -1542,6 +2042,7 @@ func TestRefreshGrant(t *testing.T) { customSessionData: happyLDAPCustomSessionData, want: tokenEndpointResponseExpectedValues{ wantStatus: http.StatusOK, + wantClientID: pinnipedCLIClientID, wantSuccessBodyFields: []string{"id_token", "refresh_token", "access_token", "token_type", "expires_in", "scope"}, wantRequestedScopes: []string{"openid", "offline_access", "groups"}, wantGrantedScopes: []string{"openid", "offline_access", "groups"}, @@ -1555,6 +2056,7 @@ func TestRefreshGrant(t *testing.T) { }, want: tokenEndpointResponseExpectedValues{ wantStatus: http.StatusOK, + wantClientID: pinnipedCLIClientID, wantSuccessBodyFields: []string{"refresh_token", "access_token", "id_token", "token_type", "expires_in", "scope"}, wantRequestedScopes: []string{"openid", "offline_access", "groups"}, wantGrantedScopes: []string{"openid", "offline_access", "groups"}, 
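Review bot: The new case name `oidc refresh grant when the upstream refresh when groups scope not requested on original request or refresh when using dynamic client` is garbled ("when the upstream refresh when"); something like `oidc refresh grant using dynamic client when groups scope was not requested on the original request or on the refresh` reads cleanly and matches the sibling names. The refresh hook's trailing comment `// Use basic auth header instead.` was copied from `modifyRefreshTokenRequestWithDynamicClientAuth` without the `// No client_id in body.` line it refers to, so "instead" of what is no longer clear, and the only real difference from that helper is `.WithScope("openid offline_access")`, which is the thing worth saying. This case is also the one that checks an upstream `my-groups-claim` carrying new group values is not surfaced when `groups` was never granted (`wantGroups: nil` on the authcode exchange), which is a property worth naming in a comment on the case. The remainder of the case, including the refresh-side `wantGroups`, lies outside the hunk.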
@@ -1651,6 +2153,7 @@ func TestRefreshGrant(t *testing.T) { modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access pinniped:request-audience groups") }, want: tokenEndpointResponseExpectedValues{ wantStatus: http.StatusOK, + wantClientID: pinnipedCLIClientID, wantSuccessBodyFields: []string{"id_token", "refresh_token", "access_token", "token_type", "expires_in", "scope"}, wantRequestedScopes: []string{"openid", "offline_access", "pinniped:request-audience", "groups"}, wantGrantedScopes: []string{"openid", "offline_access", "pinniped:request-audience", "groups"}, @@ -1664,6 +2167,7 @@ func TestRefreshGrant(t *testing.T) { }, want: tokenEndpointResponseExpectedValues{ wantStatus: http.StatusOK, + wantClientID: pinnipedCLIClientID, wantSuccessBodyFields: []string{"id_token", "refresh_token", "access_token", "token_type", "expires_in", "scope"}, wantRequestedScopes: []string{"openid", "offline_access", "pinniped:request-audience", "groups"}, wantGrantedScopes: []string{"openid", "offline_access", "pinniped:request-audience", "groups"}, @@ -1707,6 +2211,7 @@ func TestRefreshGrant(t *testing.T) { modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "offline_access") }, want: tokenEndpointResponseExpectedValues{ wantStatus: http.StatusOK, + wantClientID: pinnipedCLIClientID, wantSuccessBodyFields: []string{"refresh_token", "access_token", "token_type", "expires_in", "scope"}, wantRequestedScopes: []string{"offline_access"}, wantGrantedScopes: []string{"offline_access"}, @@ -1731,6 +2236,7 @@ func TestRefreshGrant(t *testing.T) { modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "offline_access") }, want: tokenEndpointResponseExpectedValues{ wantStatus: http.StatusOK, + wantClientID: pinnipedCLIClientID, wantSuccessBodyFields: []string{"refresh_token", "access_token", "token_type", "expires_in", "scope"}, wantRequestedScopes: []string{"offline_access"}, wantGrantedScopes: []string{"offline_access"}, 
@@ -1755,6 +2261,7 @@ func TestRefreshGrant(t *testing.T) {
 modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "offline_access") },
 want: tokenEndpointResponseExpectedValues{
 wantStatus: http.StatusOK,
+ wantClientID: pinnipedCLIClientID,
 wantSuccessBodyFields: []string{"refresh_token", "access_token", "token_type", "expires_in", "scope"},
 wantRequestedScopes: []string{"offline_access"},
 wantGrantedScopes: []string{"offline_access"},
@@ -1771,6 +2278,96 @@ func TestRefreshGrant(t *testing.T) { }, }, }, + { + name: "when the refresh request uses a different client than the one that was used to get the refresh token", + idps: oidctestutil.NewUpstreamIDPListerBuilder().WithOIDC( + upstreamOIDCIdentityProviderBuilder().WithValidatedAndMergedWithUserInfoTokens(&oidctypes.Token{ + IDToken: &oidctypes.IDToken{ + Claims: map[string]interface{}{ + "sub": goodUpstreamSubject, + }, + }, + }).WithRefreshedTokens(refreshedUpstreamTokensWithIDAndRefreshTokens()).Build()), + kubeResources: addFullyCapableDynamicClientAndSecretToKubeResources, + authcodeExchange: authcodeExchangeInputs{ + // Make the auth request and authcode exchange request using the pinniped-cli client. + customSessionData: initialUpstreamOIDCRefreshTokenCustomSessionData(), + modifyAuthRequest: func(r *http.Request) { + r.Form.Set("scope", "openid offline_access groups") + }, + want: happyAuthcodeExchangeTokenResponseForOpenIDAndOfflineAccess(initialUpstreamOIDCRefreshTokenCustomSessionData()), + }, + refreshRequest: refreshRequestInputs{ + // Make the refresh request with the dynamic client. 
+ modifyTokenRequest: modifyRefreshTokenRequestWithDynamicClientAuth, + want: tokenEndpointResponseExpectedValues{ + wantStatus: http.StatusBadRequest, + wantErrorResponseBody: fositeClientIDMismatchDuringRefreshErrorBody, + }, + }, + }, + { + name: "when the client auth fails on the refresh request using dynamic client", + idps: oidctestutil.NewUpstreamIDPListerBuilder().WithOIDC( + upstreamOIDCIdentityProviderBuilder().WithValidatedAndMergedWithUserInfoTokens(&oidctypes.Token{ + IDToken: &oidctypes.IDToken{ + Claims: map[string]interface{}{ + "sub": goodUpstreamSubject, + }, + }, + }).WithRefreshedTokens(refreshedUpstreamTokensWithIDAndRefreshTokens()).Build()), + kubeResources: addFullyCapableDynamicClientAndSecretToKubeResources, + authcodeExchange: authcodeExchangeInputs{ + customSessionData: initialUpstreamOIDCRefreshTokenCustomSessionData(), + modifyAuthRequest: func(r *http.Request) { + addDynamicClientIDToFormPostBody(r) + r.Form.Set("scope", "openid offline_access groups") + }, + modifyTokenRequest: modifyAuthcodeTokenRequestWithDynamicClientAuth, + want: withWantDynamicClientID(happyAuthcodeExchangeTokenResponseForOpenIDAndOfflineAccess(initialUpstreamOIDCRefreshTokenCustomSessionData())), + }, + refreshRequest: refreshRequestInputs{ + modifyTokenRequest: func(tokenRequest *http.Request, refreshToken string, accessToken string) { + tokenRequest.Body = happyRefreshRequestBody(refreshToken).WithClientID("").ReadCloser() + tokenRequest.SetBasicAuth(dynamicClientID, "wrong client secret") + }, + want: tokenEndpointResponseExpectedValues{ + wantStatus: http.StatusUnauthorized, + wantErrorResponseBody: fositeClientAuthFailedErrorBody, + }, + }, + }, + { + name: "dynamic client uses wrong auth method on the refresh request (must use basic auth)", + idps: oidctestutil.NewUpstreamIDPListerBuilder().WithOIDC( + upstreamOIDCIdentityProviderBuilder().WithValidatedAndMergedWithUserInfoTokens(&oidctypes.Token{ + IDToken: &oidctypes.IDToken{ + Claims: 
map[string]interface{}{ + "sub": goodUpstreamSubject, + }, + }, + }).WithRefreshedTokens(refreshedUpstreamTokensWithIDAndRefreshTokens()).Build()), + kubeResources: addFullyCapableDynamicClientAndSecretToKubeResources, + authcodeExchange: authcodeExchangeInputs{ + customSessionData: initialUpstreamOIDCRefreshTokenCustomSessionData(), + modifyAuthRequest: func(r *http.Request) { + addDynamicClientIDToFormPostBody(r) + r.Form.Set("scope", "openid offline_access groups") + }, + modifyTokenRequest: modifyAuthcodeTokenRequestWithDynamicClientAuth, + want: withWantDynamicClientID(happyAuthcodeExchangeTokenResponseForOpenIDAndOfflineAccess(initialUpstreamOIDCRefreshTokenCustomSessionData())), + }, + refreshRequest: refreshRequestInputs{ + modifyTokenRequest: func(tokenRequest *http.Request, refreshToken string, accessToken string) { + // Add client auth to the form, when it should be in basic auth headers. + tokenRequest.Body = happyRefreshRequestBody(refreshToken).WithClientID(dynamicClientID).WithClientSecret(testutil.PlaintextPassword1).ReadCloser() + }, + want: tokenEndpointResponseExpectedValues{ + wantStatus: http.StatusUnauthorized, + wantErrorResponseBody: fositeClientAuthMustBeBasicAuthErrorBody, + }, + }, + }, { name: "when there is no custom session data found in the session storage during the refresh request", idps: oidctestutil.NewUpstreamIDPListerBuilder().WithOIDC(upstreamOIDCIdentityProviderBuilder().Build()), 
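Review bot: The `idps` builder and most of the `authcodeExchange` block are repeated verbatim across the three new cases ("different client", "wrong client secret", "wrong auth method"); a small local helper returning the shared `idps` value, in the style of the existing `withWantDynamicClientID`, would roughly halve the hunk and make the one line that differs per case stand out. The "different client" case only exercises the direction in which the refresh token was issued to `pinniped-cli` and then presented by the dynamic client; the reverse direction (issued to the dynamic client, refreshed with the `pinniped-cli` `client_id` in the form) matters just as much for the refresh token's client binding and does not appear in this hunk. A comment on the "wrong auth method" case would also make the expectation explicit: `// client_secret_post is rejected for dynamic clients; only client_secret_basic is accepted.`. The table continues outside the hunk.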
@@ -2920,7 +3517,8 @@ func TestRefreshGrant(t *testing.T) {
 // First exchange the authcode for tokens, including a refresh token.
 // its actually fine to use this function even when simulating ldap (which uses a different flow) because it's
 // just populating a secret in storage.
- subject, rsp, authCode, jwtSigningKey, secrets, oauthStore := exchangeAuthcodeForTokens(t, test.authcodeExchange, test.idps.Build())
+ subject, rsp, authCode, jwtSigningKey, secrets, oauthStore := exchangeAuthcodeForTokens(t,
+ test.authcodeExchange, test.idps.Build(), test.kubeResources)
 var parsedAuthcodeExchangeResponseBody map[string]interface{}
 require.NoError(t, json.Unmarshal(rsp.Body.Bytes(), &parsedAuthcodeExchangeResponseBody))
@@ -2951,6 +3549,7 @@ func TestRefreshGrant(t *testing.T) {
 }
 refreshResponse := httptest.NewRecorder()
+ approxRequestTime := time.Now()
 subject.ServeHTTP(refreshResponse, req)
 t.Logf("second response: %#v", refreshResponse)
 t.Logf("second response body: %q", refreshResponse.Body.String())
@@ -2994,6 +3593,7 @@ func TestRefreshGrant(t *testing.T) {
 oauthStore,
 jwtSigningKey,
 secrets,
+ approxRequestTime,
 )
 if test.refreshRequest.want.wantStatus == http.StatusOK {
@@ -3054,7 +3654,12 @@ func requireClaimsAreEqual(t *testing.T, claimName string, claimsOfTokenA map[st
 require.Equal(t, claimsOfTokenA[claimName], claimsOfTokenB[claimName])
 }
-func exchangeAuthcodeForTokens(t *testing.T, test authcodeExchangeInputs, idps provider.DynamicUpstreamIDPProvider) (
+func exchangeAuthcodeForTokens(
+ t *testing.T,
+ test authcodeExchangeInputs,
+ idps provider.DynamicUpstreamIDPProvider,
+ kubeResources func(t *testing.T, supervisorClient *supervisorfake.Clientset, kubeClient *fake.Clientset),
+) (
 subject http.Handler,
 rsp *httptest.ResponseRecorder,
 authCode string,
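Review bot: In the `@@ -2951` hunk `approxRequestTime := time.Now()` is captured immediately before `subject.ServeHTTP` and threaded into `requireTokenEndpointBehavior`, but nothing says how the helpers are meant to treat it; because it is taken before the handler runs it is naturally a lower bound for any timestamp the handler generates, while how much later such a timestamp may legitimately be is not bounded here at all. A comment at the capture site would fix that contract: `// Captured just before the request so stored/issued timestamps can be checked against it as a lower bound.`. The same pattern is added in `exchangeAuthcodeForTokens` at `@@ -3105` and should carry the same comment. `requireTokenEndpointBehavior` and the helpers that consume `requestTime` are outside this hunk.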
@@ -3067,13 +3672,18 @@ func exchangeAuthcodeForTokens(t *testing.T, test authcodeExchangeInputs, idps p
 test.modifyAuthRequest(authRequest)
 }
- client := fake.NewSimpleClientset()
- secrets = client.CoreV1().Secrets("some-namespace")
- oidcClientsClient := supervisorfake.NewSimpleClientset().ConfigV1alpha1().OIDCClients("some-namespace")
+ kubeClient := fake.NewSimpleClientset()
+ supervisorClient := supervisorfake.NewSimpleClientset()
+ secrets = kubeClient.CoreV1().Secrets("some-namespace")
+ oidcClientsClient := supervisorClient.ConfigV1alpha1().OIDCClients("some-namespace")
+
+ if kubeResources != nil {
+ kubeResources(t, supervisorClient, kubeClient)
+ }
 var oauthHelper fosite.OAuth2Provider
-
- oauthStore = oidc.NewKubeStorage(secrets, oidcClientsClient, oidc.DefaultOIDCTimeoutsConfiguration())
+ // Use lower minimum required bcrypt cost than we would use in production to keep unit the tests fast.
+ oauthStore = oidc.NewKubeStorage(secrets, oidcClientsClient, oidc.DefaultOIDCTimeoutsConfiguration(), bcrypt.MinCost)
 if test.makeOathHelper != nil {
 oauthHelper, authCode, jwtSigningKey = test.makeOathHelper(t, authRequest, oauthStore, test.customSessionData)
 } else {
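Review bot: The comment on the `oidc.NewKubeStorage` call has a word-order slip, `to keep unit the tests fast` → `to keep the unit tests fast`; while touching it, say what the argument actually relaxes, e.g. `// bcrypt.MinCost lowers the minimum hash cost the store accepts for stored client secrets so test fixtures stay fast; production uses a higher minimum.`. Because this helper is shared by every table in the file, passing `bcrypt.MinCost` here means nothing in this file checks that the production minimum is enforced; presumably `KubeStorage`'s own tests cover that, but it is worth confirming so this relaxation cannot mask a regression in the cost check. `exchangeAuthcodeForTokens` begins and ends outside the hunk.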
@@ -3096,7 +3706,8 @@ func exchangeAuthcodeForTokens(t *testing.T, test authcodeExchangeInputs, idps p
 testutil.RequireNumberOfSecretsMatchingLabelSelector(t, secrets, labels.Set{crud.SecretLabelKey: authorizationcode.TypeLabelValue}, 1)
 testutil.RequireNumberOfSecretsMatchingLabelSelector(t, secrets, labels.Set{crud.SecretLabelKey: storagepkce.TypeLabelValue}, 1)
 testutil.RequireNumberOfSecretsMatchingLabelSelector(t, secrets, labels.Set{crud.SecretLabelKey: openidconnect.TypeLabelValue}, expectedNumberOfIDSessionsStored)
- testutil.RequireNumberOfSecretsMatchingLabelSelector(t, secrets, labels.Set{}, 2+expectedNumberOfIDSessionsStored)
+ // Assert the number of all secrets, excluding any OIDCClient's storage secret, since those are not related to session storage.
+ testutil.RequireNumberOfSecretsExcludingLabelSelector(t, secrets, labels.Set{crud.SecretLabelKey: oidcclientsecretstorage.TypeLabelValue}, 2+expectedNumberOfIDSessionsStored)
 req := httptest.NewRequest("POST", "/path/shouldn't/matter", happyAuthcodeRequestBody(authCode).ReadCloser())
 req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
@@ -3105,12 +3716,13 @@ func exchangeAuthcodeForTokens(t *testing.T, test authcodeExchangeInputs, idps p
 }
 rsp = httptest.NewRecorder()
+ approxRequestTime := time.Now()
 subject.ServeHTTP(rsp, req)
 t.Logf("response: %#v", rsp)
 t.Logf("response body: %q", rsp.Body.String())
 wantAtHashClaimInIDToken := false // due to a bug in fosite, the at_hash claim is not filled in during authcode exchange
- wantNonceValueInIDToken := true // ID tokens returned by the authcode exchange must include the nonce from the auth request (unliked refreshed ID tokens)
+ wantNonceValueInIDToken := true // ID tokens returned by the authcode exchange must include the nonce from the auth request (unlike refreshed ID tokens)
 requireTokenEndpointBehavior(t,
 test.want,
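Review bot: The comment on the new `RequireNumberOfSecretsExcludingLabelSelector` call says why OIDCClient storage secrets are unrelated to session storage, but not why excluding them by label is the right fix rather than adjusting the expected count; presumably a client secret exists only in cases that set `kubeResources`, so exclusion is what keeps one expected number valid for every case, and that is the sentence to add: `// OIDCClient secret-storage Secrets exist only when kubeResources seeded a dynamic client, so exclude them by label to keep a single expected count for all cases.`. The identical change and comment appear again in `requireTokenEndpointBehavior` at `@@ -3178`; the reasoning belongs in both places, or the two calls could share a tiny helper so the exclusion selector is written once. The enclosing function continues outside the hunk.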
@@ -3123,6 +3735,7 @@ func exchangeAuthcodeForTokens(t *testing.T, test authcodeExchangeInputs, idps p
 oauthStore,
 jwtSigningKey,
 secrets,
+ approxRequestTime,
 )
 return subject, rsp, authCode, jwtSigningKey, secrets, oauthStore
@@ -3140,6 +3753,7 @@ func requireTokenEndpointBehavior(
 oauthStore *oidc.KubeStorage,
 jwtSigningKey *ecdsa.PrivateKey,
 secrets v1.SecretInterface,
+ requestTime time.Time,
 ) {
 testutil.RequireEqualContentType(t, tokenEndpointResponse.Header().Get("Content-Type"), "application/json")
 require.Equal(t, test.wantStatus, tokenEndpointResponse.Code)
@@ -3154,11 +3768,11 @@ func requireTokenEndpointBehavior(
 wantIDToken := contains(test.wantSuccessBodyFields, "id_token")
 wantRefreshToken := contains(test.wantSuccessBodyFields, "refresh_token")
- requireInvalidAuthCodeStorage(t, authCode, oauthStore, secrets)
- requireValidAccessTokenStorage(t, parsedResponseBody, oauthStore, test.wantRequestedScopes, test.wantGrantedScopes, test.wantGroups, test.wantCustomSessionDataStored, secrets)
+ requireInvalidAuthCodeStorage(t, authCode, oauthStore, secrets, requestTime)
+ requireValidAccessTokenStorage(t, parsedResponseBody, oauthStore, test.wantClientID, test.wantRequestedScopes, test.wantGrantedScopes, test.wantGroups, test.wantCustomSessionDataStored, secrets, requestTime)
 requireInvalidPKCEStorage(t, authCode, oauthStore)
 // Performing a refresh does not update the OIDC storage, so after a refresh it should still have the old custom session data and old groups from the initial login.
- requireValidOIDCStorage(t, parsedResponseBody, authCode, oauthStore, test.wantRequestedScopes, test.wantGrantedScopes, oldGroups, oldCustomSessionData)
+ requireValidOIDCStorage(t, parsedResponseBody, authCode, oauthStore, test.wantClientID, test.wantRequestedScopes, test.wantGrantedScopes, oldGroups, oldCustomSessionData, requestTime)
 expectedNumberOfRefreshTokenSessionsStored := 0
 if wantRefreshToken {
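Review bot: `requireTokenEndpointBehavior` gains `requestTime time.Time` as yet another positional parameter in the `@@ -3140` hunk and, in `@@ -3154`, forwards `test.wantClientID` and `requestTime` into the storage and token helpers, but nothing documents what `requestTime` is compared against or that every table case must now set `wantClientID` for the client-binding assertions to mean anything. A doc comment on the function, roughly: `requestTime` is the wall-clock time captured just before the handler ran and serves as a lower bound for stored and issued timestamps, and `test.wantClientID` is the client that the stored sessions and issued tokens must be bound to; that binding check is the most security-relevant assertion this diff adds, so it deserves to be called out. Given the argument count, bundling the helper inputs into a small struct would also make call sites such as the one at `@@ -3123` readable without counting positions; the same applies to the updated calls at `@@ -3167`. The function header and the rest of its body are outside this hunk.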
@@ -3167,10 +3781,10 @@ func requireTokenEndpointBehavior( expectedNumberOfIDSessionsStored := 0 if wantIDToken { expectedNumberOfIDSessionsStored = 1 - requireValidIDToken(t, parsedResponseBody, jwtSigningKey, wantAtHashClaimInIDToken, wantNonceValueInIDToken, test.wantGroups, parsedResponseBody["access_token"].(string)) + requireValidIDToken(t, parsedResponseBody, jwtSigningKey, test.wantClientID, wantAtHashClaimInIDToken, wantNonceValueInIDToken, test.wantGroups, parsedResponseBody["access_token"].(string), requestTime) } if wantRefreshToken { - requireValidRefreshTokenStorage(t, parsedResponseBody, oauthStore, test.wantRequestedScopes, test.wantGrantedScopes, test.wantGroups, test.wantCustomSessionDataStored, secrets) + requireValidRefreshTokenStorage(t, parsedResponseBody, oauthStore, test.wantClientID, test.wantRequestedScopes, test.wantGrantedScopes, test.wantGroups, test.wantCustomSessionDataStored, secrets, requestTime) } testutil.RequireNumberOfSecretsMatchingLabelSelector(t, secrets, labels.Set{crud.SecretLabelKey: authorizationcode.TypeLabelValue}, 1) 
@@ -3178,7 +3792,8 @@ func requireTokenEndpointBehavior( testutil.RequireNumberOfSecretsMatchingLabelSelector(t, secrets, labels.Set{crud.SecretLabelKey: storagepkce.TypeLabelValue}, 0) testutil.RequireNumberOfSecretsMatchingLabelSelector(t, secrets, labels.Set{crud.SecretLabelKey: refreshtoken.TypeLabelValue}, expectedNumberOfRefreshTokenSessionsStored) testutil.RequireNumberOfSecretsMatchingLabelSelector(t, secrets, labels.Set{crud.SecretLabelKey: openidconnect.TypeLabelValue}, expectedNumberOfIDSessionsStored) - testutil.RequireNumberOfSecretsMatchingLabelSelector(t, secrets, labels.Set{}, 2+expectedNumberOfRefreshTokenSessionsStored+expectedNumberOfIDSessionsStored) + // Assert the number of all secrets, excluding any OIDCClient's storage secret, since those are not related to session storage. + testutil.RequireNumberOfSecretsExcludingLabelSelector(t, secrets, labels.Set{crud.SecretLabelKey: oidcclientsecretstorage.TypeLabelValue}, 2+expectedNumberOfRefreshTokenSessionsStored+expectedNumberOfIDSessionsStored) } else { require.NotNil(t, test.wantErrorResponseBody, "problem with test table setup: wanted failure but did not specify failure response body") @@ -3204,7 +3819,7 @@ func happyAuthcodeRequestBody(happyAuthCode string) body { "code": {happyAuthCode}, "redirect_uri": {goodRedirectURI}, "code_verifier": {goodPKCECodeVerifier}, - "client_id": {goodClient}, + "client_id": {pinnipedCLIClientID}, } } @@ -3212,7 +3827,7 @@ func happyRefreshRequestBody(refreshToken string) body { return map[string][]string{ "grant_type": {"refresh_token"}, "scope": {"openid"}, - "client_id": {goodClient}, + "client_id": {pinnipedCLIClientID}, "refresh_token": {refreshToken}, } } @@ -3229,6 +3844,10 @@ func (b body) WithClientID(clientID string) body { return b.with("client_id", clientID) } +func (b body) WithClientSecret(clientSecret string) body { + return b.with("client_secret", clientSecret) +} + func (b body) WithAuthCode(code string) body { return b.with("code", code) } 
@@ -3395,6 +4014,7 @@ func requireInvalidAuthCodeStorage( code string, storage fositeoauth2.CoreStorage, secrets v1.SecretInterface, + requestTime time.Time, ) { t.Helper() @@ -3402,18 +4022,20 @@ func requireInvalidAuthCodeStorage( _, err := storage.GetAuthorizeCodeSession(context.Background(), getFositeDataSignature(t, code), nil) require.True(t, errors.Is(err, fosite.ErrInvalidatedAuthorizeCode)) // make sure that its still around in storage so if someone tries to use it again we invalidate everything - requireGarbageCollectTimeInDelta(t, code, "authcode", secrets, time.Now().Add(9*time.Hour).Add(10*time.Minute), 30*time.Second) + requireGarbageCollectTimeInDelta(t, code, "authcode", secrets, requestTime.Add(9*time.Hour).Add(10*time.Minute), 30*time.Second) } func requireValidRefreshTokenStorage( t *testing.T, body map[string]interface{}, storage fositeoauth2.CoreStorage, + wantClientID string, wantRequestedScopes []string, wantGrantedScopes []string, wantGroups []string, wantCustomSessionData *psession.CustomSessionData, secrets v1.SecretInterface, + requestTime time.Time, ) { t.Helper() @@ -3434,25 +4056,29 @@ func requireValidRefreshTokenStorage( t, storedRequest, storedRequest.Sanitize([]string{}).GetRequestForm(), + wantClientID, wantRequestedScopes, wantGrantedScopes, true, wantGroups, wantCustomSessionData, + requestTime, ) - requireGarbageCollectTimeInDelta(t, refreshTokenString, "refresh-token", secrets, time.Now().Add(9*time.Hour).Add(2*time.Minute), 1*time.Minute) + requireGarbageCollectTimeInDelta(t, refreshTokenString, "refresh-token", secrets, requestTime.Add(9*time.Hour).Add(2*time.Minute), 1*time.Minute) } func requireValidAccessTokenStorage( t *testing.T, body map[string]interface{}, storage fositeoauth2.CoreStorage, + wantClientID string, wantRequestedScopes []string, wantGrantedScopes []string, wantGroups []string, wantCustomSessionData *psession.CustomSessionData, secrets v1.SecretInterface, + requestTime time.Time, ) { t.Helper() 
@@ -3492,14 +4118,16 @@ func requireValidAccessTokenStorage( t, storedRequest, storedRequest.Sanitize([]string{}).GetRequestForm(), + wantClientID, wantRequestedScopes, wantGrantedScopes, true, wantGroups, wantCustomSessionData, + requestTime, ) - requireGarbageCollectTimeInDelta(t, accessTokenString, "access-token", secrets, time.Now().Add(9*time.Hour).Add(2*time.Minute), 1*time.Minute) + requireGarbageCollectTimeInDelta(t, accessTokenString, "access-token", secrets, requestTime.Add(9*time.Hour).Add(2*time.Minute), 1*time.Minute) } func requireInvalidAccessTokenStorage( @@ -3536,10 +4164,12 @@ func requireValidOIDCStorage( body map[string]interface{}, code string, storage openid.OpenIDConnectRequestStorage, + wantClientID string, wantRequestedScopes []string, wantGrantedScopes []string, wantGroups []string, wantCustomSessionData *psession.CustomSessionData, + requestTime time.Time, ) { t.Helper() @@ -3559,11 +4189,13 @@ func requireValidOIDCStorage( t, storedRequest, storedRequest.Sanitize([]string{"nonce"}).GetRequestForm(), + wantClientID, wantRequestedScopes, wantGrantedScopes, false, wantGroups, wantCustomSessionData, + requestTime, ) } else { _, err := storage.GetOpenIDConnectSession(context.Background(), code, nil) 
@@ -3575,18 +4207,20 @@ func requireValidStoredRequest( t *testing.T, request fosite.Requester, wantRequestForm url.Values, + wantClientID string, wantRequestedScopes []string, wantGrantedScopes []string, wantAccessTokenExpiresAt bool, wantGroups []string, wantCustomSessionData *psession.CustomSessionData, + requestTime time.Time, ) { t.Helper() // Assert that the getters on the request return what we think they should. require.NotEmpty(t, request.GetID()) - testutil.RequireTimeInDelta(t, request.GetRequestedAt(), time.Now().UTC(), timeComparisonFudgeSeconds*time.Second) - require.Equal(t, goodClient, request.GetClient().GetID()) + testutil.RequireTimeInDelta(t, request.GetRequestedAt(), requestTime.UTC(), timeComparisonFudge) + require.Equal(t, wantClientID, request.GetClient().GetID()) require.Equal(t, fosite.Arguments(wantRequestedScopes), request.GetRequestedScopes()) require.Equal(t, fosite.Arguments(wantGrantedScopes), request.GetGrantedScopes()) require.Empty(t, request.GetRequestedAudience()) @@ -3636,6 +4270,9 @@ func requireValidStoredRequest( require.Empty(t, claims.AuthenticationContextClassReference) require.Empty(t, claims.AuthenticationMethodsReferences) require.Empty(t, claims.CodeHash) + } else if wantGroups != nil { + t.Fatal("test did not want the openid scope to be granted, but also wanted groups, " + + "which is a combination that doesn't make sense since you need an ID token to get groups") } // Assert that the session headers are what we think they should be. @@ -3647,9 +4284,9 @@ func requireValidStoredRequest( require.True(t, ok, "expected session to hold expiration time for auth code") testutil.RequireTimeInDelta( t, - time.Now().UTC().Add(authCodeExpirationSeconds*time.Second), + requestTime.UTC().Add(authCodeExpirationSeconds*time.Second), authCodeExpiresAt, - timeComparisonFudgeSeconds*time.Second, + timeComparisonFudge, ) // OpenID Connect sessions do not store access token expiration information. 
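Review bot: The new guard `} else if wantGroups != nil {` also fires for an empty non-nil slice, so a table entry that sets `wantGroups: []string{}` without granting `openid` is reported as a setup mistake even though it asks for no groups at all. If nil and empty are not deliberately distinguished in this table, `} else if len(wantGroups) > 0 {` matches the fatal message ("also wanted groups") better. requireValidStoredRequest begins before the hunk and continues past it.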
@@ -3658,9 +4295,9 @@ func requireValidStoredRequest( require.True(t, ok, "expected session to hold expiration time for access token") testutil.RequireTimeInDelta( t, - time.Now().UTC().Add(accessTokenExpirationSeconds*time.Second), + requestTime.UTC().Add(accessTokenExpirationSeconds*time.Second), accessTokenExpiresAt, - timeComparisonFudgeSeconds*time.Second, + timeComparisonFudge, ) } else { require.False(t, ok, "expected session to not hold expiration time for access token, but it did") @@ -3696,10 +4333,12 @@ func requireValidIDToken( t *testing.T, body map[string]interface{}, jwtSigningKey *ecdsa.PrivateKey, + wantClientID string, wantAtHashClaimInIDToken bool, wantNonceValueInIDToken bool, wantGroupsInIDToken []string, actualAccessToken string, + requestTime time.Time, ) { t.Helper() @@ -3709,7 +4348,7 @@ func requireValidIDToken( require.Truef(t, ok, "wanted id_token to be a string, but got %T", idToken) // The go-oidc library will validate the signature and the client claim in the ID token. - token := oidctestutil.VerifyECDSAIDToken(t, goodIssuer, goodClient, jwtSigningKey, idTokenString) + token := oidctestutil.VerifyECDSAIDToken(t, goodIssuer, wantClientID, jwtSigningKey, idTokenString) var claims struct { Subject string `json:"sub"` @@ -3752,7 +4391,7 @@ func requireValidIDToken( require.Equal(t, goodUsername, claims.Username) require.Equal(t, wantGroupsInIDToken, claims.Groups) require.Len(t, claims.Audience, 1) - require.Equal(t, goodClient, claims.Audience[0]) + require.Equal(t, wantClientID, claims.Audience[0]) require.Equal(t, goodIssuer, claims.Issuer) require.NotEmpty(t, claims.JTI) 
@@ -3766,10 +4405,10 @@ func requireValidIDToken( issuedAt := time.Unix(claims.IssuedAt, 0) requestedAt := time.Unix(claims.RequestedAt, 0) authTime := time.Unix(claims.AuthTime, 0) - testutil.RequireTimeInDelta(t, time.Now().UTC().Add(idTokenExpirationSeconds*time.Second), expiresAt, timeComparisonFudgeSeconds*time.Second) - testutil.RequireTimeInDelta(t, time.Now().UTC(), issuedAt, timeComparisonFudgeSeconds*time.Second) - testutil.RequireTimeInDelta(t, goodRequestedAtTime, requestedAt, timeComparisonFudgeSeconds*time.Second) - testutil.RequireTimeInDelta(t, goodAuthTime, authTime, timeComparisonFudgeSeconds*time.Second) + testutil.RequireTimeInDelta(t, requestTime.UTC().Add(idTokenExpirationSeconds*time.Second), expiresAt, timeComparisonFudge) + testutil.RequireTimeInDelta(t, requestTime.UTC(), issuedAt, timeComparisonFudge) + testutil.RequireTimeInDelta(t, goodRequestedAtTime, requestedAt, timeComparisonFudge) + testutil.RequireTimeInDelta(t, goodAuthTime, authTime, timeComparisonFudge) if wantAtHashClaimInIDToken { require.NotEmpty(t, actualAccessToken) diff --git a/internal/oidc/token_exchange.go b/internal/oidc/token_exchange.go index 4c2f5500..5ed83b5e 100644 --- a/internal/oidc/token_exchange.go +++ b/internal/oidc/token_exchange.go 
@@ -13,15 +13,17 @@ import ( "github.com/ory/fosite/compose" "github.com/ory/fosite/handler/oauth2" "github.com/ory/fosite/handler/openid" + "github.com/ory/x/errorsx" "github.com/pkg/errors" "go.pinniped.dev/internal/oidc/clientregistry" ) const ( - tokenTypeAccessToken = "urn:ietf:params:oauth:token-type:access_token" //nolint: gosec - tokenTypeJWT = "urn:ietf:params:oauth:token-type:jwt" //nolint: gosec - pinnipedTokenExchangeScope = "pinniped:request-audience" //nolint: gosec + tokenExchangeGrantType = "urn:ietf:params:oauth:grant-type:token-exchange" //nolint: gosec + tokenTypeAccessToken = "urn:ietf:params:oauth:token-type:access_token" //nolint: gosec + tokenTypeJWT = "urn:ietf:params:oauth:token-type:jwt" //nolint: gosec + pinnipedTokenExchangeScope = "pinniped:request-audience" //nolint: gosec ) type stsParams struct { 
@@ -70,6 +72,18 @@ func (t *TokenExchangeHandler) PopulateTokenEndpointResponse(ctx context.Context
 return errors.WithStack(err)
 }
 
+ // Check that the currently authenticated client and the client which was originally used to get the access token are the same.
+ if originalRequester.GetClient().GetID() != requester.GetClient().GetID() {
+ // This error message is copied from the similar check in fosite's flow_authorize_code_token.go.
+ return errorsx.WithStack(fosite.ErrInvalidGrant.WithHint("The OAuth 2.0 Client ID from this request does not match the one from the authorize request."))
+ }
+
+ // Check that the client is allowed to perform this grant type.
+ if !requester.GetClient().GetGrantTypes().Has(tokenExchangeGrantType) {
+ // This error message is trying to be similar to the analogous one in fosite's flow_authorize_code_token.go.
+ return errorsx.WithStack(fosite.ErrUnauthorizedClient.WithHintf("The OAuth 2.0 Client is not allowed to use token exchange grant \"%s\".", tokenExchangeGrantType))
+ }
+
 // Require that the incoming access token has the pinniped:request-audience and OpenID scopes.
 if !originalRequester.GetGrantedScopes().Has(pinnipedTokenExchangeScope) {
 return errors.WithStack(fosite.ErrAccessDenied.WithHintf("missing the %q scope", pinnipedTokenExchangeScope))
@@ -168,5 +182,5 @@ func (t *TokenExchangeHandler) CanSkipClientAuth(_ fosite.AccessRequester) bool
 }
 
 func (t *TokenExchangeHandler) CanHandleTokenEndpointRequest(requester fosite.AccessRequester) bool {
- return requester.GetGrantTypes().ExactOne("urn:ietf:params:oauth:grant-type:token-exchange")
+ return requester.GetGrantTypes().ExactOne(tokenExchangeGrantType)
 }
diff --git a/internal/testutil/assertions.go b/internal/testutil/assertions.go
index ee7bc2ed..6117357f 100644
--- a/internal/testutil/assertions.go
+++ b/internal/testutil/assertions.go
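Review bot: The client-identity check compares `originalRequester.GetClient().GetID()` with `requester.GetClient().GetID()`, which only binds the exchange to the client that obtained the access token if fosite actually authenticated the client for this request; `CanSkipClientAuth` appears in the second hunk's header but its body is not visible, so if it ever returns true the comparison is against an unauthenticated `client_id` form value. A comment at the check would record that dependency: `// requester.GetClient() is the client fosite authenticated for this token request; this binding to the original client only holds while CanSkipClientAuth stays false.` Checking the grant type before the client mismatch would also mean a client that is not allowed token exchange always gets ErrUnauthorizedClient and learns nothing about which client the subject token was issued to. Separately, the two new returns use `errorsx.WithStack` while the surrounding returns in the same function use `errors.WithStack` from pkg/errors; pick one so stack handling is uniform. PopulateTokenEndpointResponse begins before the hunk.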
@@ -13,6 +13,7 @@ import (
 "github.com/stretchr/testify/require"
 v12 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/labels"
+ "k8s.io/apimachinery/pkg/selection"
 v1 "k8s.io/client-go/kubernetes/typed/core/v1"
 )
 
@@ -54,6 +55,23 @@ func RequireNumberOfSecretsMatchingLabelSelector(t *testing.T, secrets v1.Secret
 require.Len(t, storedAuthcodeSecrets.Items, expectedNumberOfSecrets)
 }
 
+func RequireNumberOfSecretsExcludingLabelSelector(t *testing.T, secrets v1.SecretInterface, labelSet labels.Set, expectedNumberOfSecrets int) {
+ t.Helper()
+
+ selector := labels.Everything()
+ for k, v := range labelSet {
+ requirement, err := labels.NewRequirement(k, selection.NotEquals, []string{v})
+ require.NoError(t, err)
+ selector = selector.Add(*requirement)
+ }
+
+ storedAuthcodeSecrets, err := secrets.List(context.Background(), v12.ListOptions{
+ LabelSelector: selector.String(),
+ })
+ require.NoError(t, err)
+ require.Len(t, storedAuthcodeSecrets.Items, expectedNumberOfSecrets)
+}
+
 func RequireSecurityHeadersWithFormPostPageCSPs(t *testing.T, response *httptest.ResponseRecorder) {
 // Loosely confirm that the unique CSPs needed for the form_post page were used.
 cspHeader := response.Header().Get("Content-Security-Policy")
diff --git a/internal/testutil/oidcclient.go b/internal/testutil/oidcclient.go
new file mode 100644
index 00000000..621aea2e
--- /dev/null
+++ b/internal/testutil/oidcclient.go
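Review bot: `RequireNumberOfSecretsExcludingLabelSelector` is exported without a doc comment, and its behaviour with more than one key is non-obvious: the `NotEquals` requirements are ANDed by `selector.Add`, so a Secret is excluded as soon as any one of its labels equals the given value, while Secrets that lack the key entirely are still counted. Suggest `// RequireNumberOfSecretsExcludingLabelSelector asserts how many Secrets carry none of the given label key/value pairs (the NotEquals requirements are ANDed, so matching any one pair excludes the Secret; Secrets without the key are included).` The local `storedAuthcodeSecrets` is copied from the neighbouring function and is misleading here, since the list is everything except the excluded labels; `secretList` reads better.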
@@ -0,0 +1,67 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package testutil
+
+import (
+ "strings"
+ "testing"
+
+ corev1 "k8s.io/api/core/v1"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/apimachinery/pkg/types"
+
+ configv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/config/v1alpha1"
+)
+
+const (
+ AllDynamicClientScopesSpaceSep = "openid offline_access pinniped:request-audience username groups"
+
+ // PlaintextPassword1 is a fake client secret for use in unit tests, along with several flavors of the bcrypt
+ // hashed version of the password. Do not use for integration tests.
+ PlaintextPassword1 = "password1"
+ HashedPassword1AtGoMinCost = "$2a$04$JfX1ba/ctAt3AGk73E9Zz.Fdki5GiQtj.O/CnPbRRSKQWWfv1svoe" //nolint:gosec // this is not a credential
+ HashedPassword1JustBelowSupervisorMinCost = "$2a$11$w/incy7Z1/ljLYvv2XRg4.WrPgY9oR7phebcgr6rGA3u/5TG9MKOe" //nolint:gosec // this is not a credential
+ HashedPassword1AtSupervisorMinCost = "$2a$12$id4i/yFYxS99txKOFEeboea2kU6DyZY0Nh4ul0eR46sDuoFoNTRV." //nolint:gosec // this is not a credential
+ HashedPassword1InvalidFormat = "$2a$12$id4i/yFYxS99txKOFEeboea2kU6DyZY0Nh4ul0eR46sDuo" //nolint:gosec // this is not a credential
+
+ // PlaintextPassword2 is a second fake client secret for use in unit tests, along with several flavors of the bcrypt
+ // hashed version of the password. Do not use for integration tests.
+ PlaintextPassword2 = "password2"
+ HashedPassword2AtGoMinCost = "$2a$04$VQ5z6kkgU8JPLGSGctg.s.iYyoac3Oisa/SIM3sDK5BxTrVbCkyNm" //nolint:gosec // this is not a credential
+ HashedPassword2AtSupervisorMinCost = "$2a$12$SdUqoJOn4/3yEQfJx616V.q.f76KaXD.ISgJT1oydqFdgfjJpBh6u" //nolint:gosec // this is not a credential
+)
+
+// allDynamicClientScopes returns a slice of all scopes that are supported by the Supervisor for dynamic clients.
+func allDynamicClientScopes() []configv1alpha1.Scope {
+ scopes := []configv1alpha1.Scope{}
+ for _, s := range strings.Split(AllDynamicClientScopesSpaceSep, " ") {
+ scopes = append(scopes, configv1alpha1.Scope(s))
+ }
+ return scopes
+}
+
+// fullyCapableOIDCClient returns an OIDC client which is allowed to use all grant types and all scopes that
+// are supported by the Supervisor for dynamic clients.
+func fullyCapableOIDCClient(namespace string, clientID string, clientUID string, redirectURI string) *configv1alpha1.OIDCClient {
+ return &configv1alpha1.OIDCClient{
+ ObjectMeta: metav1.ObjectMeta{Namespace: namespace, Name: clientID, Generation: 1, UID: types.UID(clientUID)},
+ Spec: configv1alpha1.OIDCClientSpec{
+ AllowedGrantTypes: []configv1alpha1.GrantType{"authorization_code", "urn:ietf:params:oauth:grant-type:token-exchange", "refresh_token"},
+ AllowedScopes: allDynamicClientScopes(),
+ AllowedRedirectURIs: []configv1alpha1.RedirectURI{configv1alpha1.RedirectURI(redirectURI)},
+ },
+ }
+}
+
+func FullyCapableOIDCClientAndStorageSecret(
+ t *testing.T,
+ namespace string,
+ clientID string,
+ clientUID string,
+ redirectURI string,
+ hashes []string,
+) (*configv1alpha1.OIDCClient, *corev1.Secret) {
+ return fullyCapableOIDCClient(namespace, clientID, clientUID, redirectURI),
+ OIDCClientSecretStorageSecretForUID(t, namespace, clientUID, hashes)
+}
diff --git a/internal/testutil/oidcclient_test.go b/internal/testutil/oidcclient_test.go
new file mode 100644
index 00000000..cd892313
--- /dev/null
+++ b/internal/testutil/oidcclient_test.go
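Review bot: `HashedPassword1InvalidFormat` is visibly `HashedPassword1AtSupervisorMinCost` with its last seven characters dropped, but nothing says so, and the exported `FullyCapableOIDCClientAndStorageSecret` has no doc comment. Suggest `// HashedPassword1InvalidFormat is HashedPassword1AtSupervisorMinCost truncated, so bcrypt should reject it as malformed rather than as a wrong password.` and `// FullyCapableOIDCClientAndStorageSecret returns an OIDCClient allowed every dynamic-client grant type and scope plus the given redirect URI, together with the storage Secret that OIDCClientSecretStorageSecretForUID builds from hashes.` Because the helper builds the most-privileged client the CRD allows, a test that wants to prove a restriction is enforced needs a narrower client; stating that in the comment keeps the helper from being reused for the wrong kind of assertion.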
@@ -0,0 +1,61 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package testutil
+
+import (
+ "testing"
+
+ "go.pinniped.dev/internal/oidc/oidcclientvalidator"
+
+ "github.com/stretchr/testify/require"
+ "golang.org/x/crypto/bcrypt"
+)
+
+func TestBcryptConstants(t *testing.T) {
+ t.Parallel()
+
+ // It would be helpful to know if upgrading golang changes these constants some day, so test them here for visibility during upgrades.
+ require.Equal(t, 4, bcrypt.MinCost, "golang has changed bcrypt.MinCost: please consider implications to the other tests")
+ require.Equal(t, 10, bcrypt.DefaultCost, "golang has changed bcrypt.DefaultCost: please consider implications to the production code and tests")
+}
+
+func TestBcryptHashedPassword1TestHelpers(t *testing.T) {
+ t.Parallel()
+
+ // Can use this to help generate or regenerate the test helper hash constants.
+ // t.Log(generateHash(t, PlaintextPassword1, 12))
+
+ require.NoError(t, bcrypt.CompareHashAndPassword([]byte(HashedPassword1AtGoMinCost), []byte(PlaintextPassword1)))
+ require.NoError(t, bcrypt.CompareHashAndPassword([]byte(HashedPassword1JustBelowSupervisorMinCost), []byte(PlaintextPassword1)))
+ require.NoError(t, bcrypt.CompareHashAndPassword([]byte(HashedPassword1AtSupervisorMinCost), []byte(PlaintextPassword1)))
+
+ requireCost(t, bcrypt.MinCost, HashedPassword1AtGoMinCost)
+ requireCost(t, oidcclientvalidator.DefaultMinBcryptCost-1, HashedPassword1JustBelowSupervisorMinCost)
+ requireCost(t, oidcclientvalidator.DefaultMinBcryptCost, HashedPassword1AtSupervisorMinCost)
+}
+
+func TestBcryptHashedPassword2TestHelpers(t *testing.T) {
+ t.Parallel()
+
+ // Can use this to help generate or regenerate the test helper hash constants.
+ // t.Log(generateHash(t, PlaintextPassword2, 12))
+
+ require.NoError(t, bcrypt.CompareHashAndPassword([]byte(HashedPassword2AtGoMinCost), []byte(PlaintextPassword2)))
+ require.NoError(t, bcrypt.CompareHashAndPassword([]byte(HashedPassword2AtSupervisorMinCost), []byte(PlaintextPassword2)))
+
+ requireCost(t, bcrypt.MinCost, HashedPassword2AtGoMinCost)
+ requireCost(t, oidcclientvalidator.DefaultMinBcryptCost, HashedPassword2AtSupervisorMinCost)
+}
+
+func generateHash(t *testing.T, password string, cost int) string { //nolint:unused,deadcode // used in comments above
+ hash, err := bcrypt.GenerateFromPassword([]byte(password), cost)
+ require.NoError(t, err)
+ return string(hash)
+}
+
+func requireCost(t *testing.T, wantCost int, hash string) {
+ cost, err := bcrypt.Cost([]byte(hash))
+ require.NoError(t, err)
+ require.Equal(t, wantCost, cost)
+}
diff --git a/test/integration/supervisor_login_test.go b/test/integration/supervisor_login_test.go
index fa9c74b3..86c3f67f 100644
--- a/test/integration/supervisor_login_test.go
+++ b/test/integration/supervisor_login_test.go
@@ -31,6 +31,7 @@ import (
 idpv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/idp/v1alpha1"
 "go.pinniped.dev/internal/certauthority"
 "go.pinniped.dev/internal/oidc"
+ "go.pinniped.dev/internal/oidc/oidcclientvalidator"
 "go.pinniped.dev/internal/psession"
 "go.pinniped.dev/internal/testutil"
 "go.pinniped.dev/pkg/oidcclient/nonce"
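Review bot: `HashedPassword1InvalidFormat` is declared alongside the other hash constants in oidcclient.go but neither test here touches it, so nothing proves it is actually malformed rather than a different valid hash; tests that rely on it to exercise a rejection path could silently pass for the wrong reason. In TestBcryptHashedPassword1TestHelpers add `require.Error(t, bcrypt.CompareHashAndPassword([]byte(HashedPassword1InvalidFormat), []byte(PlaintextPassword1)))` and, to pin that it fails on format rather than on the password, `_, err := bcrypt.Cost([]byte(HashedPassword1InvalidFormat)); require.Error(t, err)`. The import block also puts `go.pinniped.dev/internal/oidc/oidcclientvalidator` above the third-party imports, unlike the other files in this patch which keep project imports in a trailing group.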
@@ -1727,7 +1728,7 @@ func testSupervisorLogin( // First use the latest downstream refresh token to look up the corresponding session in the Supervisor's storage. supervisorSecretsClient := testlib.NewKubernetesClientset(t).CoreV1().Secrets(env.SupervisorNamespace) supervisorOIDCClientsClient := testlib.NewSupervisorClientset(t).ConfigV1alpha1().OIDCClients(env.SupervisorNamespace) - oauthStore := oidc.NewKubeStorage(supervisorSecretsClient, supervisorOIDCClientsClient, oidc.DefaultOIDCTimeoutsConfiguration()) + oauthStore := oidc.NewKubeStorage(supervisorSecretsClient, supervisorOIDCClientsClient, oidc.DefaultOIDCTimeoutsConfiguration(), oidcclientvalidator.DefaultMinBcryptCost) storedRefreshSession, err := oauthStore.GetRefreshTokenSession(ctx, signatureOfLatestRefreshToken, nil) require.NoError(t, err) @@ -1772,7 +1773,7 @@ func testSupervisorLogin( // First use the latest downstream refresh token to look up the corresponding session in the Supervisor's storage. supervisorSecretsClient := testlib.NewKubernetesClientset(t).CoreV1().Secrets(env.SupervisorNamespace) supervisorOIDCClientsClient := testlib.NewSupervisorClientset(t).ConfigV1alpha1().OIDCClients(env.SupervisorNamespace) - oauthStore := oidc.NewKubeStorage(supervisorSecretsClient, supervisorOIDCClientsClient, oidc.DefaultOIDCTimeoutsConfiguration()) + oauthStore := oidc.NewKubeStorage(supervisorSecretsClient, supervisorOIDCClientsClient, oidc.DefaultOIDCTimeoutsConfiguration(), oidcclientvalidator.DefaultMinBcryptCost) storedRefreshSession, err := oauthStore.GetRefreshTokenSession(ctx, signatureOfLatestRefreshToken, nil) require.NoError(t, err) diff --git a/test/integration/supervisor_oidc_client_test.go b/test/integration/supervisor_oidc_client_test.go index 4ec9fc55..d8a5ac55 100644 --- a/test/integration/supervisor_oidc_client_test.go +++ b/test/integration/supervisor_oidc_client_test.go 
@@ -563,7 +563,7 @@ func TestOIDCClientControllerValidations_Parallel(t *testing.T) { AllowedScopes: []supervisorconfigv1alpha1.Scope{"openid", "offline_access", "pinniped:request-audience", "username", "groups"}, }, }, - secret: testutil.OIDCClientSecretStorageSecretWithoutName(t, env.SupervisorNamespace, []string{"$2y$15$Kh7cRj0ScSD5QelE3ZNSl.nF04JDv7zb3SgGN.tSfLIX.4kt3UX7m"}), + secret: testutil.OIDCClientSecretStorageSecretWithoutName(t, env.SupervisorNamespace, []string{testutil.HashedPassword1AtSupervisorMinCost}), wantPhase: "Ready", wantConditions: []supervisorconfigv1alpha1.Condition{ { diff --git a/test/integration/supervisor_warnings_test.go b/test/integration/supervisor_warnings_test.go index e3ea9485..55cbf7dd 100644 --- a/test/integration/supervisor_warnings_test.go +++ b/test/integration/supervisor_warnings_test.go @@ -31,6 +31,7 @@ import ( idpv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/idp/v1alpha1" "go.pinniped.dev/internal/certauthority" "go.pinniped.dev/internal/oidc" + "go.pinniped.dev/internal/oidc/oidcclientvalidator" "go.pinniped.dev/internal/psession" "go.pinniped.dev/internal/testutil" "go.pinniped.dev/pkg/oidcclient" @@ -188,7 +189,7 @@ func TestSupervisorWarnings_Browser(t *testing.T) { // out of kube secret storage. supervisorSecretsClient := testlib.NewKubernetesClientset(t).CoreV1().Secrets(env.SupervisorNamespace) supervisorOIDCClientsClient := testlib.NewSupervisorClientset(t).ConfigV1alpha1().OIDCClients(env.SupervisorNamespace) - oauthStore := oidc.NewKubeStorage(supervisorSecretsClient, supervisorOIDCClientsClient, oidc.DefaultOIDCTimeoutsConfiguration()) + oauthStore := oidc.NewKubeStorage(supervisorSecretsClient, supervisorOIDCClientsClient, oidc.DefaultOIDCTimeoutsConfiguration(), oidcclientvalidator.DefaultMinBcryptCost) refreshTokenSignature := strings.Split(token.RefreshToken.Token, ".")[1] storedRefreshSession, err := oauthStore.GetRefreshTokenSession(ctx, refreshTokenSignature, nil) require.NoError(t, err) 
@@ -496,7 +497,7 @@ func TestSupervisorWarnings_Browser(t *testing.T) { // out of kube secret storage. supervisorSecretsClient := testlib.NewKubernetesClientset(t).CoreV1().Secrets(env.SupervisorNamespace) supervisorOIDCClientsClient := testlib.NewSupervisorClientset(t).ConfigV1alpha1().OIDCClients(env.SupervisorNamespace) - oauthStore := oidc.NewKubeStorage(supervisorSecretsClient, supervisorOIDCClientsClient, oidc.DefaultOIDCTimeoutsConfiguration()) + oauthStore := oidc.NewKubeStorage(supervisorSecretsClient, supervisorOIDCClientsClient, oidc.DefaultOIDCTimeoutsConfiguration(), oidcclientvalidator.DefaultMinBcryptCost) refreshTokenSignature := strings.Split(token.RefreshToken.Token, ".")[1] storedRefreshSession, err := oauthStore.GetRefreshTokenSession(ctx, refreshTokenSignature, nil) require.NoError(t, err) From e42f5488fa4a39fc5a7756f84f003cd71ed88cf8 Mon Sep 17 00:00:00 2001 From: Ryan Richard Date: Thu, 21 Jul 2022 09:26:00 -0700 Subject: [PATCH 34/61] More unit tests for dynamic clients - Add dynamic client unit tests for the upstream OIDC callback and POST login endpoints. - Enhance a few log statements to print the full fosite error messages into the logs where they were previously only printing the name of the error type. --- internal/oidc/auth/auth_handler_test.go | 20 +- internal/oidc/callback/callback_handler.go | 6 +- .../oidc/callback/callback_handler_test.go | 109 +++++- internal/oidc/login/post_login_handler.go | 3 +- .../oidc/login/post_login_handler_test.go | 345 ++++++++++++++---- internal/oidc/oidc.go | 2 +- .../testutil/oidctestutil/oidctestutil.go | 20 +- test/testlib/client.go | 4 +- 8 files changed, 400 insertions(+), 109 deletions(-) diff --git a/internal/oidc/auth/auth_handler_test.go b/internal/oidc/auth/auth_handler_test.go index 768ab10f..6f8e7598 100644 --- a/internal/oidc/auth/auth_handler_test.go +++ b/internal/oidc/auth/auth_handler_test.go 
@@ -25,7 +25,6 @@ import ( "k8s.io/apiserver/pkg/authentication/user" "k8s.io/client-go/kubernetes/fake" v1 "k8s.io/client-go/kubernetes/typed/core/v1" - kubetesting "k8s.io/client-go/testing" "k8s.io/utils/pointer" supervisorfake "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned/fake" @@ -3088,7 +3087,7 @@ func TestAuthorizationEndpoint(t *testing.T) { // OIDC validations are checked in fosite after the OAuth authcode (and sometimes the OIDC session) // is stored, so it is possible with an LDAP upstream to store objects and then return an error to // the client anyway (which makes the stored objects useless, but oh well). - require.Len(t, filterActions(kubeClient.Actions()), test.wantUnnecessaryStoredRecords) + require.Len(t, oidctestutil.FilterClientSecretCreateActions(kubeClient.Actions()), test.wantUnnecessaryStoredRecords) case test.wantRedirectLocationRegexp != "": if test.wantDownstreamClientID == "" { test.wantDownstreamClientID = pinnipedCLIClientID // default assertion value when not provided by test case 
@@ -3301,20 +3300,3 @@ func requireEqualURLs(t *testing.T, actualURL string, expectedURL string, ignore } require.Equal(t, expectedLocationQuery, actualLocationQuery) } - -// filterActions ignores any reads made to get a storage secret corresponding to an OIDCClient, since these -// are normal actions when the request is using a dynamic client's client_id, and we don't need to make assertions -// about these Secrets since they are not related to session storage. -func filterActions(actions []kubetesting.Action) []kubetesting.Action { - filtered := make([]kubetesting.Action, 0, len(actions)) - for _, action := range actions { - if action.Matches("get", "secrets") { - getAction := action.(kubetesting.GetAction) - if strings.HasPrefix(getAction.GetName(), "pinniped-storage-oidc-client-secret-") { - continue // filter out OIDCClient's storage secret reads - } - } - filtered = append(filtered, action) // otherwise include the action - } - return filtered -} diff --git a/internal/oidc/callback/callback_handler.go b/internal/oidc/callback/callback_handler.go index db6ada1a..88b94392 100644 --- a/internal/oidc/callback/callback_handler.go +++ b/internal/oidc/callback/callback_handler.go @@ -48,7 +48,8 @@ func NewHandler( reconstitutedAuthRequest := &http.Request{Form: downstreamAuthParams} authorizeRequester, err := oauthHelper.NewAuthorizeRequest(r.Context(), reconstitutedAuthRequest) if err != nil { - plog.Error("error using state downstream auth params", err) + plog.Error("error using state downstream auth params", err, + "fositeErr", oidc.FositeErrorForLog(err)) return httperr.New(http.StatusBadRequest, "error using state downstream auth params") } 
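Review bot: The log call in the callback handler now attaches `oidc.FositeErrorForLog(err)` while the HTTP response keeps the generic "error using state downstream auth params", which is the right split, but this key is now the one place the fosite hint/debug text leaves the handler, and that text can quote values from the reconstituted form (client_id, redirect_uri, scope), so confirm FositeErrorForLog limits what it emits to what is acceptable in server logs. A one-line comment at the call would carry the intent: `// Log fosite's detailed reason for operators; only the generic message goes back to the browser.` The NewHandler closure begins before the hunk and continues past it.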
@@ -83,7 +84,8 @@ func NewHandler( authorizeResponder, err := oauthHelper.NewAuthorizeResponse(r.Context(), authorizeRequester, openIDSession) if err != nil { - plog.WarningErr("error while generating and saving authcode", err, "upstreamName", upstreamIDPConfig.GetName()) + plog.WarningErr("error while generating and saving authcode", err, + "upstreamName", upstreamIDPConfig.GetName(), "fositeErr", oidc.FositeErrorForLog(err)) return httperr.Wrap(http.StatusInternalServerError, "error while generating and saving authcode", err) } diff --git a/internal/oidc/callback/callback_handler_test.go b/internal/oidc/callback/callback_handler_test.go index dea3f2df..57dcfcd5 100644 --- a/internal/oidc/callback/callback_handler_test.go +++ b/internal/oidc/callback/callback_handler_test.go @@ -54,7 +54,9 @@ const ( downstreamIssuer = "https://my-downstream-issuer.com/path" downstreamRedirectURI = "http://127.0.0.1/callback" - downstreamClientID = "pinniped-cli" + downstreamPinnipedClientID = "pinniped-cli" + downstreamDynamicClientID = "client.oauth.pinniped.dev-test-name" + downstreamDynamicClientUID = "fake-client-uid" downstreamNonce = "some-nonce-value" downstreamPKCEChallenge = "some-challenge" downstreamPKCEChallengeMethod = "S256" 
@@ -70,14 +72,19 @@ var ( happyDownstreamRequestParamsQuery = url.Values{ "response_type": []string{"code"}, "scope": []string{strings.Join(happyDownstreamScopesRequested, " ")}, - "client_id": []string{downstreamClientID}, + "client_id": []string{downstreamPinnipedClientID}, "state": []string{happyDownstreamState}, "nonce": []string{downstreamNonce}, "code_challenge": []string{downstreamPKCEChallenge}, "code_challenge_method": []string{downstreamPKCEChallengeMethod}, "redirect_uri": []string{downstreamRedirectURI}, } - happyDownstreamRequestParams = happyDownstreamRequestParamsQuery.Encode() + happyDownstreamRequestParams = happyDownstreamRequestParamsQuery.Encode() + + happyDownstreamRequestParamsForDynamicClient = shallowCopyAndModifyQuery(happyDownstreamRequestParamsQuery, + map[string]string{"client_id": downstreamDynamicClientID}, + ).Encode() + happyDownstreamCustomSessionData = &psession.CustomSessionData{ ProviderUID: happyUpstreamIDPResourceUID, ProviderName: happyUpstreamIDPName, @@ -122,6 +129,7 @@ func TestCallbackEndpoint(t *testing.T) { happyCookieCodec.SetSerializer(securecookie.JSONEncoder{}) happyState := happyUpstreamStateParam().Build(t, happyStateCodec) + happyStateForDynamicClient := happyUpstreamStateParamForDynamicClient().Build(t, happyStateCodec) encodedIncomingCookieCSRFValue, err := happyCookieCodec.Encode("csrf", happyDownstreamCSRF) require.NoError(t, err) 
@@ -137,6 +145,13 @@ func TestCallbackEndpoint(t *testing.T) { // Note that fosite puts the granted scopes as a param in the redirect URI even though the spec doesn't seem to require it happyDownstreamRedirectLocationRegexp := downstreamRedirectURI + `\?code=([^&]+)&scope=openid\+groups&state=` + happyDownstreamState + addFullyCapableDynamicClientAndSecretToKubeResources := func(t *testing.T, supervisorClient *supervisorfake.Clientset, kubeClient *fake.Clientset) { + oidcClient, secret := testutil.FullyCapableOIDCClientAndStorageSecret(t, + "some-namespace", downstreamDynamicClientID, downstreamDynamicClientUID, downstreamRedirectURI, []string{testutil.HashedPassword1AtGoMinCost}) + require.NoError(t, supervisorClient.Tracker().Add(oidcClient)) + require.NoError(t, kubeClient.Tracker().Add(secret)) + } + tests := []struct { name string @@ -157,6 +172,7 @@ func TestCallbackEndpoint(t *testing.T) { wantDownstreamIDTokenGroups []string wantDownstreamRequestedScopes []string wantDownstreamNonce string + wantDownstreamClientID string wantDownstreamPKCEChallenge string wantDownstreamPKCEChallengeMethod string wantDownstreamCustomSessionData *psession.CustomSessionData @@ -185,6 +201,7 @@ func TestCallbackEndpoint(t *testing.T) { wantDownstreamRequestedScopes: happyDownstreamScopesRequested, wantDownstreamGrantedScopes: happyDownstreamScopesGranted, wantDownstreamNonce: downstreamNonce, + wantDownstreamClientID: downstreamPinnipedClientID, wantDownstreamPKCEChallenge: downstreamPKCEChallenge, wantDownstreamPKCEChallengeMethod: downstreamPKCEChallengeMethod, wantDownstreamCustomSessionData: happyDownstreamCustomSessionData, 
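Review bot: `addFullyCapableDynamicClientAndSecretToKubeResources` is written here as a closure and again, byte for byte, in the post_login_handler_test.go hunk below; since it only calls `testutil.FullyCapableOIDCClientAndStorageSecret` and the two fake trackers, it belongs beside that helper in testutil so both tables share one definition. Whichever place it ends up, a one-line comment such as `// adds the dynamic OIDCClient and its storage Secret to the fakes so the case runs against the dynamic client instead of pinniped-cli` would tell a reader why a case sets kubeResources. The enclosing TestCallbackEndpoint continues outside the hunk.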
@@ -208,6 +225,32 @@ func TestCallbackEndpoint(t *testing.T) { wantDownstreamRequestedScopes: happyDownstreamScopesRequested, wantDownstreamGrantedScopes: happyDownstreamScopesGranted, wantDownstreamNonce: downstreamNonce, + wantDownstreamClientID: downstreamPinnipedClientID, + wantDownstreamPKCEChallenge: downstreamPKCEChallenge, + wantDownstreamPKCEChallengeMethod: downstreamPKCEChallengeMethod, + wantDownstreamCustomSessionData: happyDownstreamCustomSessionData, + wantAuthcodeExchangeCall: &expectedAuthcodeExchange{ + performedByUpstreamName: happyUpstreamIDPName, + args: happyExchangeAndValidateTokensArgs, + }, + }, + { + name: "GET with good state and cookie and successful upstream token exchange returns 303 to downstream client callback with its state and code when using dynamic client", + idps: oidctestutil.NewUpstreamIDPListerBuilder().WithOIDC(happyUpstream().Build()), + kubeResources: addFullyCapableDynamicClientAndSecretToKubeResources, + method: http.MethodGet, + path: newRequestPath().WithState(happyStateForDynamicClient).String(), + csrfCookie: happyCSRFCookie, + wantStatus: http.StatusSeeOther, + wantRedirectLocationRegexp: happyDownstreamRedirectLocationRegexp, + wantBody: "", + wantDownstreamIDTokenSubject: oidcUpstreamIssuer + "?sub=" + oidcUpstreamSubjectQueryEscaped, + wantDownstreamIDTokenUsername: oidcUpstreamUsername, + wantDownstreamIDTokenGroups: oidcUpstreamGroupMembership, + wantDownstreamRequestedScopes: happyDownstreamScopesRequested, + wantDownstreamGrantedScopes: happyDownstreamScopesGranted, + wantDownstreamNonce: downstreamNonce, + wantDownstreamClientID: downstreamDynamicClientID, wantDownstreamPKCEChallenge: downstreamPKCEChallenge, wantDownstreamPKCEChallengeMethod: downstreamPKCEChallengeMethod, wantDownstreamCustomSessionData: happyDownstreamCustomSessionData, 
@@ -231,6 +274,7 @@ func TestCallbackEndpoint(t *testing.T) { wantDownstreamRequestedScopes: happyDownstreamScopesRequested, wantDownstreamGrantedScopes: happyDownstreamScopesGranted, wantDownstreamNonce: downstreamNonce, + wantDownstreamClientID: downstreamPinnipedClientID, wantDownstreamPKCEChallenge: downstreamPKCEChallenge, wantDownstreamPKCEChallengeMethod: downstreamPKCEChallengeMethod, wantDownstreamCustomSessionData: happyDownstreamAccessTokenCustomSessionData, @@ -263,6 +307,7 @@ func TestCallbackEndpoint(t *testing.T) { wantDownstreamRequestedScopes: []string{"openid"}, wantDownstreamGrantedScopes: []string{"openid"}, wantDownstreamNonce: downstreamNonce, + wantDownstreamClientID: downstreamPinnipedClientID, wantDownstreamPKCEChallenge: downstreamPKCEChallenge, wantDownstreamPKCEChallengeMethod: downstreamPKCEChallengeMethod, wantDownstreamCustomSessionData: happyDownstreamCustomSessionData, @@ -286,6 +331,7 @@ func TestCallbackEndpoint(t *testing.T) { wantDownstreamRequestedScopes: happyDownstreamScopesRequested, wantDownstreamGrantedScopes: happyDownstreamScopesGranted, wantDownstreamNonce: downstreamNonce, + wantDownstreamClientID: downstreamPinnipedClientID, wantDownstreamPKCEChallenge: downstreamPKCEChallenge, wantDownstreamPKCEChallengeMethod: downstreamPKCEChallengeMethod, wantDownstreamCustomSessionData: &psession.CustomSessionData{ @@ -321,6 +367,7 @@ func TestCallbackEndpoint(t *testing.T) { wantDownstreamRequestedScopes: happyDownstreamScopesRequested, wantDownstreamGrantedScopes: happyDownstreamScopesGranted, wantDownstreamNonce: downstreamNonce, + wantDownstreamClientID: downstreamPinnipedClientID, wantDownstreamPKCEChallenge: downstreamPKCEChallenge, wantDownstreamPKCEChallengeMethod: downstreamPKCEChallengeMethod, wantDownstreamCustomSessionData: happyDownstreamCustomSessionData, 
@@ -346,6 +393,7 @@ func TestCallbackEndpoint(t *testing.T) { wantDownstreamRequestedScopes: happyDownstreamScopesRequested, wantDownstreamGrantedScopes: happyDownstreamScopesGranted, wantDownstreamNonce: downstreamNonce, + wantDownstreamClientID: downstreamPinnipedClientID, wantDownstreamPKCEChallenge: downstreamPKCEChallenge, wantDownstreamPKCEChallengeMethod: downstreamPKCEChallengeMethod, wantDownstreamCustomSessionData: happyDownstreamCustomSessionData, @@ -373,6 +421,7 @@ func TestCallbackEndpoint(t *testing.T) { wantDownstreamRequestedScopes: happyDownstreamScopesRequested, wantDownstreamGrantedScopes: happyDownstreamScopesGranted, wantDownstreamNonce: downstreamNonce, + wantDownstreamClientID: downstreamPinnipedClientID, wantDownstreamPKCEChallenge: downstreamPKCEChallenge, wantDownstreamPKCEChallengeMethod: downstreamPKCEChallengeMethod, wantDownstreamCustomSessionData: happyDownstreamCustomSessionData, @@ -401,6 +450,7 @@ func TestCallbackEndpoint(t *testing.T) { wantDownstreamRequestedScopes: happyDownstreamScopesRequested, wantDownstreamGrantedScopes: happyDownstreamScopesGranted, wantDownstreamNonce: downstreamNonce, + wantDownstreamClientID: downstreamPinnipedClientID, wantDownstreamPKCEChallenge: downstreamPKCEChallenge, wantDownstreamPKCEChallengeMethod: downstreamPKCEChallengeMethod, wantDownstreamCustomSessionData: happyDownstreamCustomSessionData, @@ -531,6 +581,7 @@ func TestCallbackEndpoint(t *testing.T) { wantDownstreamRequestedScopes: happyDownstreamScopesRequested, wantDownstreamGrantedScopes: happyDownstreamScopesGranted, wantDownstreamNonce: downstreamNonce, + wantDownstreamClientID: downstreamPinnipedClientID, wantDownstreamPKCEChallenge: downstreamPKCEChallenge, wantDownstreamPKCEChallengeMethod: downstreamPKCEChallengeMethod, wantDownstreamCustomSessionData: happyDownstreamCustomSessionData, 
@@ -556,6 +607,7 @@ func TestCallbackEndpoint(t *testing.T) { wantDownstreamRequestedScopes: happyDownstreamScopesRequested, wantDownstreamGrantedScopes: happyDownstreamScopesGranted, wantDownstreamNonce: downstreamNonce, + wantDownstreamClientID: downstreamPinnipedClientID, wantDownstreamPKCEChallenge: downstreamPKCEChallenge, wantDownstreamPKCEChallengeMethod: downstreamPKCEChallengeMethod, wantDownstreamCustomSessionData: happyDownstreamCustomSessionData, @@ -581,6 +633,7 @@ func TestCallbackEndpoint(t *testing.T) { wantDownstreamRequestedScopes: happyDownstreamScopesRequested, wantDownstreamGrantedScopes: happyDownstreamScopesGranted, wantDownstreamNonce: downstreamNonce, + wantDownstreamClientID: downstreamPinnipedClientID, wantDownstreamPKCEChallenge: downstreamPKCEChallenge, wantDownstreamPKCEChallengeMethod: downstreamPKCEChallengeMethod, wantDownstreamCustomSessionData: happyDownstreamCustomSessionData, 
@@ -714,6 +767,42 @@ func TestCallbackEndpoint(t *testing.T) { wantContentType: htmlContentType, wantBody: "Bad Request: error using state downstream auth params\n", }, + { + name: "state's downstream auth params have invalid client_id", + idps: oidctestutil.NewUpstreamIDPListerBuilder().WithOIDC(happyUpstream().Build()), + method: http.MethodGet, + path: newRequestPath().WithState( + happyUpstreamStateParam(). + WithAuthorizeRequestParams(shallowCopyAndModifyQuery(happyDownstreamRequestParamsQuery, map[string]string{"client_id": "bogus"}).Encode()). + Build(t, happyStateCodec), + ).String(), + csrfCookie: happyCSRFCookie, + wantStatus: http.StatusBadRequest, + wantContentType: htmlContentType, + wantBody: "Bad Request: error using state downstream auth params\n", + }, + { + name: "dynamic clients do not allow response_mode=form_post", + idps: oidctestutil.NewUpstreamIDPListerBuilder().WithOIDC(happyUpstream().Build()), + kubeResources: addFullyCapableDynamicClientAndSecretToKubeResources, + method: http.MethodGet, + path: newRequestPath().WithState( + happyUpstreamStateParam().WithAuthorizeRequestParams( + shallowCopyAndModifyQuery( + happyDownstreamRequestParamsQuery, + map[string]string{ + "client_id": downstreamDynamicClientID, + "response_mode": "form_post", + "scope": "openid", + }, + ).Encode(), + ).Build(t, happyStateCodec), + ).String(), + csrfCookie: happyCSRFCookie, + wantStatus: http.StatusBadRequest, + wantContentType: htmlContentType, + wantBody: "Bad Request: error using state downstream auth params\n", + }, { name: "state's downstream auth params does not contain openid scope", idps: oidctestutil.NewUpstreamIDPListerBuilder().WithOIDC(happyUpstream().Build()), 
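Review bot: Both new negative cases expect exactly the body the existing "error using state downstream auth params" case expects, so the form_post case would also pass if the request were rejected for some unrelated reason, and nothing in it ties the rejection to response_mode. The generic client-facing message should stay generic, so the distinguishing assertion has to come from elsewhere — the `fositeErr` log field this commit adds is a natural candidate if the harness captures log output — and the unexplained `"scope": "openid"` override in that case wants a comment stating why it is needed. The enclosing table literal continues outside the hunk.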
@@ -733,6 +822,7 @@ func TestCallbackEndpoint(t *testing.T) { wantDownstreamGrantedScopes: []string{"groups"}, wantDownstreamIDTokenGroups: oidcUpstreamGroupMembership, wantDownstreamNonce: downstreamNonce, + wantDownstreamClientID: downstreamPinnipedClientID, wantDownstreamPKCEChallenge: downstreamPKCEChallenge, wantDownstreamPKCEChallengeMethod: downstreamPKCEChallengeMethod, wantDownstreamCustomSessionData: happyDownstreamCustomSessionData, @@ -759,6 +849,7 @@ func TestCallbackEndpoint(t *testing.T) { wantDownstreamRequestedScopes: []string{"profile", "email"}, wantDownstreamGrantedScopes: []string{}, wantDownstreamNonce: downstreamNonce, + wantDownstreamClientID: downstreamPinnipedClientID, wantDownstreamPKCEChallenge: downstreamPKCEChallenge, wantDownstreamPKCEChallengeMethod: downstreamPKCEChallengeMethod, wantDownstreamCustomSessionData: happyDownstreamCustomSessionData, @@ -786,6 +877,7 @@ func TestCallbackEndpoint(t *testing.T) { wantDownstreamGrantedScopes: []string{"openid", "offline_access", "groups"}, wantDownstreamIDTokenGroups: oidcUpstreamGroupMembership, wantDownstreamNonce: downstreamNonce, + wantDownstreamClientID: downstreamPinnipedClientID, wantDownstreamPKCEChallenge: downstreamPKCEChallenge, wantDownstreamPKCEChallengeMethod: downstreamPKCEChallengeMethod, wantDownstreamCustomSessionData: happyDownstreamCustomSessionData, @@ -884,6 +976,7 @@ func TestCallbackEndpoint(t *testing.T) { wantDownstreamGrantedScopes: happyDownstreamScopesGranted, wantDownstreamIDTokenGroups: []string{}, wantDownstreamNonce: downstreamNonce, + wantDownstreamClientID: downstreamPinnipedClientID, wantDownstreamPKCEChallenge: downstreamPKCEChallenge, wantDownstreamPKCEChallengeMethod: downstreamPKCEChallengeMethod, wantDownstreamCustomSessionData: happyDownstreamCustomSessionData, 
@@ -1139,7 +1232,7 @@ func TestCallbackEndpoint(t *testing.T) { test.wantDownstreamPKCEChallenge, test.wantDownstreamPKCEChallengeMethod, test.wantDownstreamNonce, - downstreamClientID, + test.wantDownstreamClientID, downstreamRedirectURI, test.wantDownstreamCustomSessionData, ) @@ -1166,7 +1259,7 @@ func TestCallbackEndpoint(t *testing.T) { test.wantDownstreamPKCEChallenge, test.wantDownstreamPKCEChallengeMethod, test.wantDownstreamNonce, - downstreamClientID, + test.wantDownstreamClientID, downstreamRedirectURI, test.wantDownstreamCustomSessionData, ) @@ -1237,6 +1330,12 @@ func happyUpstreamStateParam() *oidctestutil.UpstreamStateParamBuilder { } } +func happyUpstreamStateParamForDynamicClient() *oidctestutil.UpstreamStateParamBuilder { + p := happyUpstreamStateParam() + p.P = happyDownstreamRequestParamsForDynamicClient + return p +} + func happyUpstream() *oidctestutil.TestUpstreamOIDCIdentityProviderBuilder { return oidctestutil.NewTestUpstreamOIDCIdentityProviderBuilder(). WithName(happyUpstreamIDPName). diff --git a/internal/oidc/login/post_login_handler.go b/internal/oidc/login/post_login_handler.go index 85ccbc25..4c214452 100644 --- a/internal/oidc/login/post_login_handler.go +++ b/internal/oidc/login/post_login_handler.go @@ -41,7 +41,8 @@ func NewPostHandler(issuerURL string, upstreamIDPs oidc.UpstreamIdentityProvider if err != nil { // This shouldn't really happen because the authorization endpoint has already validated these params // by calling NewAuthorizeRequest() itself. - plog.Error("error using state downstream auth params", err) + plog.Error("error using state downstream auth params", err, + "fositeErr", oidc.FositeErrorForLog(err)) return httperr.New(http.StatusBadRequest, "error using state downstream auth params") } diff --git a/internal/oidc/login/post_login_handler_test.go b/internal/oidc/login/post_login_handler_test.go index 7e8cffef..80931ee9 100644 --- a/internal/oidc/login/post_login_handler_test.go 
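Review bot: The context comment above the plog.Error call in the post_login_handler.go hunk ("This shouldn't really happen because the authorization endpoint has already validated these params") no longer holds once dynamic clients exist: the tests in this commit seed the OIDCClient and its Secret into the kube fake, which suggests the client is read from the cluster, so between the authorize request and this re-validation the client can be deleted or its redirect URIs edited and the 400 path becomes reachable without any bug. Suggest rewording it to `// Usually already validated by the authorization endpoint via NewAuthorizeRequest(), but a dynamic client may have been deleted or edited since then, so this is reachable.` and reconsidering whether Error level is appropriate for a client-driven condition that an operator can trigger repeatedly. NewPostHandler's body continues outside the hunk.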
+++ b/internal/oidc/login/post_login_handler_test.go @@ -38,7 +38,9 @@ func TestPostLoginEndpoint(t *testing.T) { downstreamIssuer = "https://my-downstream-issuer.com/path" downstreamRedirectURI = "http://127.0.0.1/callback" - downstreamClientID = "pinniped-cli" + downstreamPinnipedCLIClientID = "pinniped-cli" + downstreamDynamicClientID = "client.oauth.pinniped.dev-test-name" + downstreamDynamicClientUID = "fake-client-uid" happyDownstreamState = "8b-state" downstreamNonce = "some-nonce-value" downstreamPKCEChallenge = "some-challenge" @@ -90,7 +92,7 @@ func TestPostLoginEndpoint(t *testing.T) { happyDownstreamRequestParamsQuery := url.Values{ "response_type": []string{"code"}, "scope": []string{strings.Join(happyDownstreamScopesRequested, " ")}, - "client_id": []string{downstreamClientID}, + "client_id": []string{downstreamPinnipedCLIClientID}, "state": []string{happyDownstreamState}, "nonce": []string{downstreamNonce}, "code_challenge": []string{downstreamPKCEChallenge}, @@ -99,14 +101,10 @@ func TestPostLoginEndpoint(t *testing.T) { } happyDownstreamRequestParams := happyDownstreamRequestParamsQuery.Encode() - copyOfHappyDownstreamRequestParamsQuery := func() url.Values { - params := url.Values{} - for k, v := range happyDownstreamRequestParamsQuery { - params[k] = make([]string, len(v)) - copy(params[k], v) - } - return params - } + happyDownstreamRequestParamsQueryForDynamicClient := shallowCopyAndModifyQuery(happyDownstreamRequestParamsQuery, + map[string]string{"client_id": downstreamDynamicClientID}, + ) + happyDownstreamRequestParamsForDynamicClient := happyDownstreamRequestParamsQueryForDynamicClient.Encode() happyLDAPDecodedState := &oidc.UpstreamStateParamData{ AuthParams: happyDownstreamRequestParams, 
@@ -124,15 +122,20 @@ func TestPostLoginEndpoint(t *testing.T) { return ©OfHappyLDAPDecodedState } - happyActiveDirectoryDecodedState := &oidc.UpstreamStateParamData{ - AuthParams: happyDownstreamRequestParams, - UpstreamName: activeDirectoryUpstreamName, - UpstreamType: activeDirectoryUpstreamType, - Nonce: happyDownstreamNonce, - CSRFToken: happyDownstreamCSRF, - PKCECode: happyDownstreamPKCE, - FormatVersion: happyDownstreamStateVersion, - } + happyLDAPDecodedStateForDynamicClient := modifyHappyLDAPDecodedState(func(data *oidc.UpstreamStateParamData) { + data.AuthParams = happyDownstreamRequestParamsForDynamicClient + }) + + happyActiveDirectoryDecodedState := modifyHappyLDAPDecodedState(func(data *oidc.UpstreamStateParamData) { + data.UpstreamName = activeDirectoryUpstreamName + data.UpstreamType = activeDirectoryUpstreamType + }) + + happyActiveDirectoryDecodedStateForDynamicClient := modifyHappyLDAPDecodedState(func(data *oidc.UpstreamStateParamData) { + data.AuthParams = happyDownstreamRequestParamsForDynamicClient + data.UpstreamName = activeDirectoryUpstreamName + data.UpstreamType = activeDirectoryUpstreamType + }) happyLDAPUsername := "some-ldap-user" happyLDAPUsernameFromAuthenticator := "some-mapped-ldap-username" @@ -232,6 +235,13 @@ func TestPostLoginEndpoint(t *testing.T) { return urlToReturn } + addFullyCapableDynamicClientAndSecretToKubeResources := func(t *testing.T, supervisorClient *supervisorfake.Clientset, kubeClient *fake.Clientset) { + oidcClient, secret := testutil.FullyCapableOIDCClientAndStorageSecret(t, + "some-namespace", downstreamDynamicClientID, downstreamDynamicClientUID, downstreamRedirectURI, []string{testutil.HashedPassword1AtGoMinCost}) + require.NoError(t, supervisorClient.Tracker().Add(oidcClient)) + require.NoError(t, kubeClient.Tracker().Add(secret)) + } + tests := []struct { name string idps *oidctestutil.UpstreamIDPListerBuilder 
@@ -262,6 +272,7 @@ func TestPostLoginEndpoint(t *testing.T) { wantDownstreamPKCEChallenge string wantDownstreamPKCEChallengeMethod string wantDownstreamNonce string + wantDownstreamClient string wantDownstreamCustomSessionData *psession.CustomSessionData // Authorization requests for either a successful OIDC upstream or for an error with any upstream 
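Review bot: The new expectation field is named `wantDownstreamClient`, while the field added to callback_handler_test.go in this same commit for the same purpose is `wantDownstreamClientID`; both hold a client ID string that is compared against the stored downstream request. Renaming this one to `wantDownstreamClientID` keeps the two tables consistent and greppable together. The test-case struct continues outside the hunk.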
@@ -289,6 +300,31 @@ func TestPostLoginEndpoint(t *testing.T) { wantDownstreamRedirectURI: downstreamRedirectURI, wantDownstreamGrantedScopes: happyDownstreamScopesGranted, wantDownstreamNonce: downstreamNonce, + wantDownstreamClient: downstreamPinnipedCLIClientID, + wantDownstreamPKCEChallenge: downstreamPKCEChallenge, + wantDownstreamPKCEChallengeMethod: downstreamPKCEChallengeMethod, + wantDownstreamCustomSessionData: expectedHappyLDAPUpstreamCustomSession, + }, + { + name: "happy LDAP login with dynamic client", + idps: oidctestutil.NewUpstreamIDPListerBuilder(). + WithLDAP(&upstreamLDAPIdentityProvider). // should pick this one + WithActiveDirectory(&erroringUpstreamLDAPIdentityProvider), + kubeResources: addFullyCapableDynamicClientAndSecretToKubeResources, + decodedState: happyLDAPDecodedStateForDynamicClient, + formParams: happyUsernamePasswordFormParams, + wantStatus: http.StatusSeeOther, + wantContentType: htmlContentType, + wantBodyString: "", + wantRedirectLocationRegexp: happyAuthcodeDownstreamRedirectLocationRegexp, + wantDownstreamIDTokenSubject: upstreamLDAPURL + "&sub=" + happyLDAPUID, + wantDownstreamIDTokenUsername: happyLDAPUsernameFromAuthenticator, + wantDownstreamIDTokenGroups: happyLDAPGroups, + wantDownstreamRequestedScopes: happyDownstreamScopesRequested, + wantDownstreamRedirectURI: downstreamRedirectURI, + wantDownstreamGrantedScopes: happyDownstreamScopesGranted, + wantDownstreamNonce: downstreamNonce, + wantDownstreamClient: downstreamDynamicClientID, wantDownstreamPKCEChallenge: downstreamPKCEChallenge, wantDownstreamPKCEChallengeMethod: downstreamPKCEChallengeMethod, wantDownstreamCustomSessionData: expectedHappyLDAPUpstreamCustomSession, 
@@ -311,6 +347,31 @@ func TestPostLoginEndpoint(t *testing.T) { wantDownstreamRedirectURI: downstreamRedirectURI, wantDownstreamGrantedScopes: happyDownstreamScopesGranted, wantDownstreamNonce: downstreamNonce, + wantDownstreamClient: downstreamPinnipedCLIClientID, + wantDownstreamPKCEChallenge: downstreamPKCEChallenge, + wantDownstreamPKCEChallengeMethod: downstreamPKCEChallengeMethod, + wantDownstreamCustomSessionData: expectedHappyActiveDirectoryUpstreamCustomSession, + }, + { + name: "happy AD login with dynamic client", + idps: oidctestutil.NewUpstreamIDPListerBuilder(). + WithLDAP(&erroringUpstreamLDAPIdentityProvider). + WithActiveDirectory(&upstreamActiveDirectoryIdentityProvider), // should pick this one + kubeResources: addFullyCapableDynamicClientAndSecretToKubeResources, + decodedState: happyActiveDirectoryDecodedStateForDynamicClient, + formParams: happyUsernamePasswordFormParams, + wantStatus: http.StatusSeeOther, + wantContentType: htmlContentType, + wantBodyString: "", + wantRedirectLocationRegexp: happyAuthcodeDownstreamRedirectLocationRegexp, + wantDownstreamIDTokenSubject: upstreamLDAPURL + "&sub=" + happyLDAPUID, + wantDownstreamIDTokenUsername: happyLDAPUsernameFromAuthenticator, + wantDownstreamIDTokenGroups: happyLDAPGroups, + wantDownstreamRequestedScopes: happyDownstreamScopesRequested, + wantDownstreamRedirectURI: downstreamRedirectURI, + wantDownstreamGrantedScopes: happyDownstreamScopesGranted, + wantDownstreamNonce: downstreamNonce, + wantDownstreamClient: downstreamDynamicClientID, wantDownstreamPKCEChallenge: downstreamPKCEChallenge, wantDownstreamPKCEChallengeMethod: downstreamPKCEChallengeMethod, wantDownstreamCustomSessionData: expectedHappyActiveDirectoryUpstreamCustomSession, 
@@ -319,9 +380,9 @@ func TestPostLoginEndpoint(t *testing.T) { name: "happy LDAP login when downstream response_mode=form_post returns 200 with HTML+JS form", idps: oidctestutil.NewUpstreamIDPListerBuilder().WithLDAP(&upstreamLDAPIdentityProvider), decodedState: modifyHappyLDAPDecodedState(func(data *oidc.UpstreamStateParamData) { - query := copyOfHappyDownstreamRequestParamsQuery() - query["response_mode"] = []string{"form_post"} - data.AuthParams = query.Encode() + data.AuthParams = shallowCopyAndModifyQuery(happyDownstreamRequestParamsQuery, + map[string]string{"response_mode": "form_post"}, + ).Encode() }), formParams: happyUsernamePasswordFormParams, wantStatus: http.StatusOK, @@ -335,6 +396,7 @@ func TestPostLoginEndpoint(t *testing.T) { wantDownstreamRedirectURI: downstreamRedirectURI, wantDownstreamGrantedScopes: happyDownstreamScopesGranted, wantDownstreamNonce: downstreamNonce, + wantDownstreamClient: downstreamPinnipedCLIClientID, wantDownstreamPKCEChallenge: downstreamPKCEChallenge, wantDownstreamPKCEChallengeMethod: downstreamPKCEChallengeMethod, wantDownstreamCustomSessionData: expectedHappyLDAPUpstreamCustomSession, @@ -343,9 +405,9 @@ func TestPostLoginEndpoint(t *testing.T) { name: "happy LDAP login when downstream redirect uri matches what is configured for client except for the port number", idps: oidctestutil.NewUpstreamIDPListerBuilder().WithLDAP(&upstreamLDAPIdentityProvider), decodedState: modifyHappyLDAPDecodedState(func(data *oidc.UpstreamStateParamData) { - query := copyOfHappyDownstreamRequestParamsQuery() - query["redirect_uri"] = []string{"http://127.0.0.1:4242/callback"} - data.AuthParams = query.Encode() + data.AuthParams = shallowCopyAndModifyQuery(happyDownstreamRequestParamsQuery, + map[string]string{"redirect_uri": "http://127.0.0.1:4242/callback"}, + ).Encode() }), formParams: happyUsernamePasswordFormParams, wantStatus: http.StatusSeeOther, 
@@ -359,6 +421,33 @@ func TestPostLoginEndpoint(t *testing.T) { wantDownstreamRedirectURI: "http://127.0.0.1:4242/callback", wantDownstreamGrantedScopes: happyDownstreamScopesGranted, wantDownstreamNonce: downstreamNonce, + wantDownstreamClient: downstreamPinnipedCLIClientID, + wantDownstreamPKCEChallenge: downstreamPKCEChallenge, + wantDownstreamPKCEChallengeMethod: downstreamPKCEChallengeMethod, + wantDownstreamCustomSessionData: expectedHappyLDAPUpstreamCustomSession, + }, + { + name: "happy LDAP login when downstream redirect uri matches what is configured for client except for the port number with dynamic client", + idps: oidctestutil.NewUpstreamIDPListerBuilder().WithLDAP(&upstreamLDAPIdentityProvider), + kubeResources: addFullyCapableDynamicClientAndSecretToKubeResources, + decodedState: modifyHappyLDAPDecodedState(func(data *oidc.UpstreamStateParamData) { + data.AuthParams = shallowCopyAndModifyQuery(happyDownstreamRequestParamsQueryForDynamicClient, + map[string]string{"redirect_uri": "http://127.0.0.1:4242/callback"}, + ).Encode() + }), + formParams: happyUsernamePasswordFormParams, + wantStatus: http.StatusSeeOther, + wantContentType: htmlContentType, + wantBodyString: "", + wantRedirectLocationRegexp: "http://127.0.0.1:4242/callback" + `\?code=([^&]+)&scope=openid\+groups&state=` + happyDownstreamState, + wantDownstreamIDTokenSubject: upstreamLDAPURL + "&sub=" + happyLDAPUID, + wantDownstreamIDTokenUsername: happyLDAPUsernameFromAuthenticator, + wantDownstreamIDTokenGroups: happyLDAPGroups, + wantDownstreamRequestedScopes: happyDownstreamScopesRequested, + wantDownstreamRedirectURI: "http://127.0.0.1:4242/callback", + wantDownstreamGrantedScopes: happyDownstreamScopesGranted, + wantDownstreamNonce: downstreamNonce, + wantDownstreamClient: downstreamDynamicClientID, wantDownstreamPKCEChallenge: downstreamPKCEChallenge, wantDownstreamPKCEChallengeMethod: downstreamPKCEChallengeMethod, wantDownstreamCustomSessionData: 
expectedHappyLDAPUpstreamCustomSession, @@ -367,9 +456,9 @@ func TestPostLoginEndpoint(t *testing.T) { name: "happy LDAP login when there are additional allowed downstream requested scopes", idps: oidctestutil.NewUpstreamIDPListerBuilder().WithLDAP(&upstreamLDAPIdentityProvider), decodedState: modifyHappyLDAPDecodedState(func(data *oidc.UpstreamStateParamData) { - query := copyOfHappyDownstreamRequestParamsQuery() - query["scope"] = []string{"openid offline_access pinniped:request-audience"} - data.AuthParams = query.Encode() + data.AuthParams = shallowCopyAndModifyQuery(happyDownstreamRequestParamsQuery, + map[string]string{"scope": "openid offline_access pinniped:request-audience"}, + ).Encode() }), formParams: happyUsernamePasswordFormParams, wantStatus: http.StatusSeeOther, 
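Review bot: The new "except for the port number with dynamic client" case establishes that a redirect URI differing from the registered `http://127.0.0.1/callback` only by port is accepted for a dynamic client, which presumably relies on the RFC 8252 section 7.3 loopback exception, but neither the case name nor a comment says so, and nothing in this table shows the exception stays limited to loopback for dynamic clients. Suggest a comment on the case, `// loopback redirect URIs may vary the port (RFC 8252 section 7.3); any other host must match exactly`, and, if the fixture can register a non-loopback redirect URI, a sibling negative case in which a port mismatch on that host is rejected with `error using state downstream auth params`. The enclosing table literal continues outside the hunk.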
@@ -383,6 +472,33 @@ func TestPostLoginEndpoint(t *testing.T) { wantDownstreamRedirectURI: downstreamRedirectURI, wantDownstreamGrantedScopes: []string{"openid", "offline_access", "pinniped:request-audience"}, wantDownstreamNonce: downstreamNonce, + wantDownstreamClient: downstreamPinnipedCLIClientID, + wantDownstreamPKCEChallenge: downstreamPKCEChallenge, + wantDownstreamPKCEChallengeMethod: downstreamPKCEChallengeMethod, + wantDownstreamCustomSessionData: expectedHappyLDAPUpstreamCustomSession, + }, + { + name: "happy LDAP login when there are additional allowed downstream requested scopes with dynamic client", + idps: oidctestutil.NewUpstreamIDPListerBuilder().WithLDAP(&upstreamLDAPIdentityProvider), + kubeResources: addFullyCapableDynamicClientAndSecretToKubeResources, + decodedState: modifyHappyLDAPDecodedState(func(data *oidc.UpstreamStateParamData) { + data.AuthParams = shallowCopyAndModifyQuery(happyDownstreamRequestParamsQueryForDynamicClient, + map[string]string{"scope": "openid offline_access pinniped:request-audience"}, + ).Encode() + }), + formParams: happyUsernamePasswordFormParams, + wantStatus: http.StatusSeeOther, + wantContentType: htmlContentType, + wantBodyString: "", + wantRedirectLocationRegexp: downstreamRedirectURI + `\?code=([^&]+)&scope=openid\+offline_access\+pinniped%3Arequest-audience&state=` + happyDownstreamState, + wantDownstreamIDTokenSubject: upstreamLDAPURL + "&sub=" + happyLDAPUID, + wantDownstreamIDTokenUsername: happyLDAPUsernameFromAuthenticator, + wantDownstreamIDTokenGroups: happyLDAPGroups, + wantDownstreamRequestedScopes: []string{"openid", "offline_access", "pinniped:request-audience"}, + wantDownstreamRedirectURI: downstreamRedirectURI, + wantDownstreamGrantedScopes: []string{"openid", "offline_access", "pinniped:request-audience"}, + wantDownstreamNonce: downstreamNonce, + wantDownstreamClient: downstreamDynamicClientID, wantDownstreamPKCEChallenge: downstreamPKCEChallenge, wantDownstreamPKCEChallengeMethod: 
downstreamPKCEChallengeMethod, wantDownstreamCustomSessionData: expectedHappyLDAPUpstreamCustomSession, @@ -391,11 +507,13 @@ func TestPostLoginEndpoint(t *testing.T) { name: "happy LDAP when downstream OIDC validations are skipped because the openid scope was not requested", idps: oidctestutil.NewUpstreamIDPListerBuilder().WithLDAP(&upstreamLDAPIdentityProvider), decodedState: modifyHappyLDAPDecodedState(func(data *oidc.UpstreamStateParamData) { - query := copyOfHappyDownstreamRequestParamsQuery() - query["scope"] = []string{"email"} - // The following prompt value is illegal when openid is requested, but note that openid is not requested. - query["prompt"] = []string{"none login"} - data.AuthParams = query.Encode() + data.AuthParams = shallowCopyAndModifyQuery(happyDownstreamRequestParamsQuery, + map[string]string{ + "scope": "email", + // The following prompt value is illegal when openid is requested, but note that openid is not requested. + "prompt": "none login", + }, + ).Encode() }), formParams: happyUsernamePasswordFormParams, wantStatus: http.StatusSeeOther, @@ -409,6 +527,7 @@ func TestPostLoginEndpoint(t *testing.T) { wantDownstreamRedirectURI: downstreamRedirectURI, wantDownstreamGrantedScopes: []string{}, // no scopes granted wantDownstreamNonce: downstreamNonce, + wantDownstreamClient: downstreamPinnipedCLIClientID, wantDownstreamPKCEChallenge: downstreamPKCEChallenge, wantDownstreamPKCEChallengeMethod: downstreamPKCEChallengeMethod, wantDownstreamCustomSessionData: expectedHappyLDAPUpstreamCustomSession, 
@@ -419,9 +538,9 @@ func TestPostLoginEndpoint(t *testing.T) { WithLDAP(&upstreamLDAPIdentityProvider). // should pick this one WithActiveDirectory(&erroringUpstreamLDAPIdentityProvider), decodedState: modifyHappyLDAPDecodedState(func(data *oidc.UpstreamStateParamData) { - query := copyOfHappyDownstreamRequestParamsQuery() - query["scope"] = []string{"openid"} - data.AuthParams = query.Encode() + data.AuthParams = shallowCopyAndModifyQuery(happyDownstreamRequestParamsQuery, + map[string]string{"scope": "openid"}, + ).Encode() }), formParams: happyUsernamePasswordFormParams, wantStatus: http.StatusSeeOther, @@ -434,6 +553,7 @@ func TestPostLoginEndpoint(t *testing.T) { wantDownstreamRedirectURI: downstreamRedirectURI, wantDownstreamGrantedScopes: []string{"openid"}, wantDownstreamNonce: downstreamNonce, + wantDownstreamClient: downstreamPinnipedCLIClientID, wantDownstreamPKCEChallenge: downstreamPKCEChallenge, wantDownstreamPKCEChallengeMethod: downstreamPKCEChallengeMethod, wantDownstreamCustomSessionData: expectedHappyLDAPUpstreamCustomSession, 
@@ -502,9 +622,21 @@ func TestPostLoginEndpoint(t *testing.T) { name: "downstream redirect uri does not match what is configured for client", idps: oidctestutil.NewUpstreamIDPListerBuilder().WithLDAP(&upstreamLDAPIdentityProvider), decodedState: modifyHappyLDAPDecodedState(func(data *oidc.UpstreamStateParamData) { - query := copyOfHappyDownstreamRequestParamsQuery() - query["redirect_uri"] = []string{"http://127.0.0.1/wrong_callback"} - data.AuthParams = query.Encode() + data.AuthParams = shallowCopyAndModifyQuery(happyDownstreamRequestParamsQuery, + map[string]string{"redirect_uri": "http://127.0.0.1/wrong_callback"}, + ).Encode() + }), + formParams: happyUsernamePasswordFormParams, + wantErr: "error using state downstream auth params", + }, + { + name: "downstream redirect uri does not match what is configured for client with dynamic client", + idps: oidctestutil.NewUpstreamIDPListerBuilder().WithLDAP(&upstreamLDAPIdentityProvider), + kubeResources: addFullyCapableDynamicClientAndSecretToKubeResources, + decodedState: modifyHappyLDAPDecodedState(func(data *oidc.UpstreamStateParamData) { + data.AuthParams = shallowCopyAndModifyQuery(happyDownstreamRequestParamsQueryForDynamicClient, + map[string]string{"redirect_uri": "http://127.0.0.1/wrong_callback"}, + ).Encode() }), formParams: happyUsernamePasswordFormParams, wantErr: "error using state downstream auth params", 
@@ -513,9 +645,9 @@ func TestPostLoginEndpoint(t *testing.T) {
 name: "downstream client does not exist",
 idps: oidctestutil.NewUpstreamIDPListerBuilder().WithLDAP(&upstreamLDAPIdentityProvider),
 decodedState: modifyHappyLDAPDecodedState(func(data *oidc.UpstreamStateParamData) {
- query := copyOfHappyDownstreamRequestParamsQuery()
- query["client_id"] = []string{"wrong_client_id"}
- data.AuthParams = query.Encode()
+ data.AuthParams = shallowCopyAndModifyQuery(happyDownstreamRequestParamsQuery,
+ map[string]string{"client_id": "wrong_client_id"},
+ ).Encode()
 }),
 formParams: happyUsernamePasswordFormParams,
 wantErr: "error using state downstream auth params",
@@ -524,9 +656,9 @@ func TestPostLoginEndpoint(t *testing.T) {
 name: "downstream client is missing",
 idps: oidctestutil.NewUpstreamIDPListerBuilder().WithLDAP(&upstreamLDAPIdentityProvider),
 decodedState: modifyHappyLDAPDecodedState(func(data *oidc.UpstreamStateParamData) {
- query := copyOfHappyDownstreamRequestParamsQuery()
- delete(query, "client_id")
- data.AuthParams = query.Encode()
+ data.AuthParams = shallowCopyAndModifyQuery(happyDownstreamRequestParamsQuery,
+ map[string]string{"client_id": ""},
+ ).Encode()
 }),
 formParams: happyUsernamePasswordFormParams,
 wantErr: "error using state downstream auth params",
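Review bot: The "downstream client is missing" case no longer deletes `client_id` but sets it to `""`, so unless `shallowCopyAndModifyQuery` (defined outside this hunk) drops keys whose value is empty, `Encode()` now emits `client_id=` and the case exercises an empty parameter rather than an absent one; the same applies to "response type is missing" and "PKCE code_challenge is missing" in the next two hunks. Either make the helper delete empty-valued keys and state that in its doc comment, or rename these cases to "... is empty" and keep a separate absent-parameter case, since empty and absent are distinct inputs that a validator can handle differently. The enclosing table literal continues outside the hunk.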
@@ -535,9 +667,21 @@ func TestPostLoginEndpoint(t *testing.T) { name: "response type is unsupported", idps: oidctestutil.NewUpstreamIDPListerBuilder().WithLDAP(&upstreamLDAPIdentityProvider), decodedState: modifyHappyLDAPDecodedState(func(data *oidc.UpstreamStateParamData) { - query := copyOfHappyDownstreamRequestParamsQuery() - query["response_type"] = []string{"unsupported"} - data.AuthParams = query.Encode() + data.AuthParams = shallowCopyAndModifyQuery(happyDownstreamRequestParamsQuery, + map[string]string{"response_type": "unsupported"}, + ).Encode() + }), + formParams: happyUsernamePasswordFormParams, + wantErr: "error using state downstream auth params", + }, + { + name: "response type form_post is unsupported for dynamic clients", + idps: oidctestutil.NewUpstreamIDPListerBuilder().WithLDAP(&upstreamLDAPIdentityProvider), + kubeResources: addFullyCapableDynamicClientAndSecretToKubeResources, + decodedState: modifyHappyLDAPDecodedState(func(data *oidc.UpstreamStateParamData) { + data.AuthParams = shallowCopyAndModifyQuery(happyDownstreamRequestParamsQueryForDynamicClient, + map[string]string{"response_type": "form_post"}, + ).Encode() }), formParams: happyUsernamePasswordFormParams, wantErr: "error using state downstream auth params", @@ -546,9 +690,9 @@ func TestPostLoginEndpoint(t *testing.T) { name: "response type is missing", idps: oidctestutil.NewUpstreamIDPListerBuilder().WithLDAP(&upstreamLDAPIdentityProvider), decodedState: modifyHappyLDAPDecodedState(func(data *oidc.UpstreamStateParamData) { - query := copyOfHappyDownstreamRequestParamsQuery() - delete(query, "response_type") - data.AuthParams = query.Encode() + data.AuthParams = shallowCopyAndModifyQuery(happyDownstreamRequestParamsQuery, + map[string]string{"response_type": ""}, + ).Encode() }), formParams: happyUsernamePasswordFormParams, wantErr: "error using state downstream auth params", 
@@ -557,9 +701,9 @@ func TestPostLoginEndpoint(t *testing.T) { name: "PKCE code_challenge is missing", idps: oidctestutil.NewUpstreamIDPListerBuilder().WithLDAP(&upstreamLDAPIdentityProvider), decodedState: modifyHappyLDAPDecodedState(func(data *oidc.UpstreamStateParamData) { - query := copyOfHappyDownstreamRequestParamsQuery() - delete(query, "code_challenge") - data.AuthParams = query.Encode() + data.AuthParams = shallowCopyAndModifyQuery(happyDownstreamRequestParamsQuery, + map[string]string{"code_challenge": ""}, + ).Encode() }), formParams: happyUsernamePasswordFormParams, wantStatus: http.StatusSeeOther, @@ -572,9 +716,9 @@ func TestPostLoginEndpoint(t *testing.T) { name: "PKCE code_challenge_method is invalid", idps: oidctestutil.NewUpstreamIDPListerBuilder().WithLDAP(&upstreamLDAPIdentityProvider), decodedState: modifyHappyLDAPDecodedState(func(data *oidc.UpstreamStateParamData) { - query := copyOfHappyDownstreamRequestParamsQuery() - query["code_challenge_method"] = []string{"this-is-not-a-valid-pkce-alg"} - data.AuthParams = query.Encode() + data.AuthParams = shallowCopyAndModifyQuery(happyDownstreamRequestParamsQuery, + map[string]string{"code_challenge_method": "this-is-not-a-valid-pkce-alg"}, + ).Encode() }), formParams: happyUsernamePasswordFormParams, wantStatus: http.StatusSeeOther, 
@@ -587,9 +731,9 @@ func TestPostLoginEndpoint(t *testing.T) {
 name: "PKCE code_challenge_method is `plain`",
 idps: oidctestutil.NewUpstreamIDPListerBuilder().WithLDAP(&upstreamLDAPIdentityProvider),
 decodedState: modifyHappyLDAPDecodedState(func(data *oidc.UpstreamStateParamData) {
- query := copyOfHappyDownstreamRequestParamsQuery()
- query["code_challenge_method"] = []string{"plain"} // plain is not allowed
- data.AuthParams = query.Encode()
+ data.AuthParams = shallowCopyAndModifyQuery(happyDownstreamRequestParamsQuery,
+ map[string]string{"code_challenge_method": "plain"}, // plain is not allowed
+ ).Encode()
 }),
 formParams: happyUsernamePasswordFormParams,
 wantStatus: http.StatusSeeOther,
@@ -602,9 +746,25 @@ func TestPostLoginEndpoint(t *testing.T) { name: "PKCE code_challenge_method is missing", idps: oidctestutil.NewUpstreamIDPListerBuilder().WithLDAP(&upstreamLDAPIdentityProvider), decodedState: modifyHappyLDAPDecodedState(func(data *oidc.UpstreamStateParamData) { - query := copyOfHappyDownstreamRequestParamsQuery() - delete(query, "code_challenge_method") - data.AuthParams = query.Encode() + data.AuthParams = shallowCopyAndModifyQuery(happyDownstreamRequestParamsQuery, + map[string]string{"code_challenge_method": ""}, + ).Encode() + }), + formParams: happyUsernamePasswordFormParams, + wantStatus: http.StatusSeeOther, + wantContentType: htmlContentType, + wantBodyString: "", + wantRedirectLocationString: urlWithQuery(downstreamRedirectURI, fositeMissingCodeChallengeMethodErrorQuery), + wantUnnecessaryStoredRecords: 2, // fosite already stored the authcode and oidc session before it noticed the error + }, + { + name: "PKCE code_challenge_method is missing with dynamic client", + idps: oidctestutil.NewUpstreamIDPListerBuilder().WithLDAP(&upstreamLDAPIdentityProvider), + kubeResources: addFullyCapableDynamicClientAndSecretToKubeResources, + decodedState: modifyHappyLDAPDecodedState(func(data *oidc.UpstreamStateParamData) { + data.AuthParams = shallowCopyAndModifyQuery(happyDownstreamRequestParamsQueryForDynamicClient, + map[string]string{"code_challenge_method": ""}, + ).Encode() }), formParams: happyUsernamePasswordFormParams, wantStatus: http.StatusSeeOther, 
@@ -617,9 +777,9 @@ func TestPostLoginEndpoint(t *testing.T) { name: "prompt param is not allowed to have none and another legal value at the same time", idps: oidctestutil.NewUpstreamIDPListerBuilder().WithLDAP(&upstreamLDAPIdentityProvider), decodedState: modifyHappyLDAPDecodedState(func(data *oidc.UpstreamStateParamData) { - query := copyOfHappyDownstreamRequestParamsQuery() - query["prompt"] = []string{"none login"} - data.AuthParams = query.Encode() + data.AuthParams = shallowCopyAndModifyQuery(happyDownstreamRequestParamsQuery, + map[string]string{"prompt": "none login"}, + ).Encode() }), formParams: happyUsernamePasswordFormParams, wantStatus: http.StatusSeeOther, @@ -632,9 +792,9 @@ func TestPostLoginEndpoint(t *testing.T) { name: "downstream state does not have enough entropy", idps: oidctestutil.NewUpstreamIDPListerBuilder().WithLDAP(&upstreamLDAPIdentityProvider), decodedState: modifyHappyLDAPDecodedState(func(data *oidc.UpstreamStateParamData) { - query := copyOfHappyDownstreamRequestParamsQuery() - query["state"] = []string{"short"} - data.AuthParams = query.Encode() + data.AuthParams = shallowCopyAndModifyQuery(happyDownstreamRequestParamsQuery, + map[string]string{"state": "short"}, + ).Encode() }), formParams: happyUsernamePasswordFormParams, wantErr: "error using state downstream auth params", 
@@ -643,9 +803,21 @@ func TestPostLoginEndpoint(t *testing.T) { name: "downstream scopes do not match what is configured for client", idps: oidctestutil.NewUpstreamIDPListerBuilder().WithLDAP(&upstreamLDAPIdentityProvider), decodedState: modifyHappyLDAPDecodedState(func(data *oidc.UpstreamStateParamData) { - query := copyOfHappyDownstreamRequestParamsQuery() - query["scope"] = []string{"openid offline_access pinniped:request-audience scope_not_allowed"} - data.AuthParams = query.Encode() + data.AuthParams = shallowCopyAndModifyQuery(happyDownstreamRequestParamsQuery, + map[string]string{"scope": "openid offline_access pinniped:request-audience scope_not_allowed"}, + ).Encode() + }), + formParams: happyUsernamePasswordFormParams, + wantErr: "error using state downstream auth params", + }, + { + name: "downstream scopes do not match what is configured for client with dynamic client", + idps: oidctestutil.NewUpstreamIDPListerBuilder().WithLDAP(&upstreamLDAPIdentityProvider), + kubeResources: addFullyCapableDynamicClientAndSecretToKubeResources, + decodedState: modifyHappyLDAPDecodedState(func(data *oidc.UpstreamStateParamData) { + data.AuthParams = shallowCopyAndModifyQuery(happyDownstreamRequestParamsQueryForDynamicClient, + map[string]string{"scope": "openid offline_access pinniped:request-audience scope_not_allowed"}, + ).Encode() }), formParams: happyUsernamePasswordFormParams, wantErr: "error using state downstream auth params", @@ -677,8 +849,8 @@ func TestPostLoginEndpoint(t *testing.T) { secretsClient := kubeClient.CoreV1().Secrets("some-namespace") oidcClientsClient := supervisorClient.ConfigV1alpha1().OIDCClients("some-namespace") - if test.kubeResources != nil { - test.kubeResources(t, supervisorClient, kubeClient) + if tt.kubeResources != nil { + tt.kubeResources(t, supervisorClient, kubeClient) } // Configure fosite the same way that the production code would. 
@@ -704,7 +876,7 @@ func TestPostLoginEndpoint(t *testing.T) { err := subject(rsp, req, happyEncodedUpstreamState, tt.decodedState) if tt.wantErr != "" { require.EqualError(t, err, tt.wantErr) - require.Empty(t, kubeClient.Actions()) + require.Empty(t, oidctestutil.FilterClientSecretCreateActions(kubeClient.Actions())) return // the http response doesn't matter when the function returns an error, because the caller should handle the error } // Otherwise, expect no error. @@ -735,7 +907,7 @@ func TestPostLoginEndpoint(t *testing.T) { tt.wantDownstreamPKCEChallenge, tt.wantDownstreamPKCEChallengeMethod, tt.wantDownstreamNonce, - downstreamClientID, + tt.wantDownstreamClient, tt.wantDownstreamRedirectURI, tt.wantDownstreamCustomSessionData, ) @@ -745,12 +917,12 @@ func TestPostLoginEndpoint(t *testing.T) { expectedLocation := downstreamIssuer + oidc.PinnipedLoginPath + "?err=" + tt.wantRedirectToLoginPageError + "&state=" + happyEncodedUpstreamState require.Equal(t, expectedLocation, actualLocation) - require.Len(t, kubeClient.Actions(), tt.wantUnnecessaryStoredRecords) + require.Len(t, oidctestutil.FilterClientSecretCreateActions(kubeClient.Actions()), tt.wantUnnecessaryStoredRecords) case tt.wantRedirectLocationString != "": // Expecting an error redirect to the client. require.Equal(t, tt.wantBodyString, rsp.Body.String()) require.Equal(t, tt.wantRedirectLocationString, actualLocation) - require.Len(t, kubeClient.Actions(), tt.wantUnnecessaryStoredRecords) + require.Len(t, oidctestutil.FilterClientSecretCreateActions(kubeClient.Actions()), tt.wantUnnecessaryStoredRecords) case tt.wantBodyFormResponseRegexp != "": // Expecting the body of the response to be a html page with a form (for "response_mode=form_post"). _, hasLocationHeader := rsp.Header()["Location"] 
@@ -770,7 +942,7 @@ func TestPostLoginEndpoint(t *testing.T) { tt.wantDownstreamPKCEChallenge, tt.wantDownstreamPKCEChallengeMethod, tt.wantDownstreamNonce, - downstreamClientID, + tt.wantDownstreamClient, tt.wantDownstreamRedirectURI, tt.wantDownstreamCustomSessionData, ) @@ -781,3 +953,18 @@ func TestPostLoginEndpoint(t *testing.T) { }) } } + +func shallowCopyAndModifyQuery(query url.Values, modifications map[string]string) url.Values { + copied := url.Values{} + for key, value := range query { + copied[key] = value + } + for key, value := range modifications { + if value == "" { + copied.Del(key) + } else { + copied[key] = []string{value} + } + } + return copied +} diff --git a/internal/oidc/oidc.go b/internal/oidc/oidc.go index f78eaef5..11218e58 100644 --- a/internal/oidc/oidc.go +++ b/internal/oidc/oidc.go @@ -457,7 +457,7 @@ func PerformAuthcodeRedirect( ) { authorizeResponder, err := oauthHelper.NewAuthorizeResponse(r.Context(), authorizeRequester, openIDSession) if err != nil { - plog.WarningErr("error while generating and saving authcode", err) + plog.WarningErr("error while generating and saving authcode", err, "fositeErr", FositeErrorForLog(err)) WriteAuthorizeError(w, oauthHelper, authorizeRequester, err, isBrowserless) return } diff --git a/internal/testutil/oidctestutil/oidctestutil.go b/internal/testutil/oidctestutil/oidctestutil.go index fb1e8a7a..23fcc821 100644 --- a/internal/testutil/oidctestutil/oidctestutil.go +++ b/internal/testutil/oidctestutil/oidctestutil.go @@ -25,6 +25,7 @@ import ( "k8s.io/apimachinery/pkg/types" "k8s.io/client-go/kubernetes/fake" v1 "k8s.io/client-go/kubernetes/typed/core/v1" + kubetesting "k8s.io/client-go/testing" "k8s.io/utils/strings/slices" "go.pinniped.dev/internal/authenticators" 
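Review bot: `shallowCopyAndModifyQuery` overloads the empty string as a delete sentinel, so a caller can never express "parameter present but empty", and the copied `url.Values` still aliases the fixture's `[]string` slices (an `Add` on the copy would mutate `happyDownstreamRequestParamsQuery`, which every other case shares). The callers in the earlier hunks that pass `"client_id": ""`, `"response_type": ""`, `"code_challenge": ""` and `"code_challenge_method": ""` now read as "set to empty" where the original used an explicit `delete(query, …)`. At minimum the contract belongs on the helper, `// shallowCopyAndModifyQuery returns a copy of query with each key in modifications set to its value; an empty value deletes the key instead.`, and detaching the value slices with `copied[key] = append([]string(nil), value...)` keeps later test cases from being able to corrupt the shared fixture.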
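Review bot: The enriched log call `plog.WarningErr("error while generating and saving authcode", err, "fositeErr", FositeErrorForLog(err))` presumably surfaces fosite's hint/debug text, which is useful for operators, but `FositeErrorForLog` is not visible here, so it is worth confirming that the debug field cannot carry request material (the authorize request's client credentials or session contents) before it lands in logs at warning level. A one-line comment at the call site stating what the extracted fields are, e.g. `// fositeErr carries fosite's RFC 6749 error code and hint, not the request contents`, would settle that for the next reader. PerformAuthcodeRedirect continues outside the hunk.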
@@ -954,7 +955,7 @@ func RequireAuthCodeRegexpMatch( if includesOpenIDScope(wantDownstreamGrantedScopes) { expectedNumberOfCreatedSecrets++ } - require.Len(t, kubeClient.Actions(), expectedNumberOfCreatedSecrets) + require.Len(t, FilterClientSecretCreateActions(kubeClient.Actions()), expectedNumberOfCreatedSecrets) // One authcode should have been stored. testutil.RequireNumberOfSecretsMatchingLabelSelector(t, secretsClient, labels.Set{crud.SecretLabelKey: authorizationcode.TypeLabelValue}, 1) @@ -1164,3 +1165,20 @@ func castStoredAuthorizeRequest(t *testing.T, storedAuthorizeRequest fosite.Requ return storedRequest, storedSession } + +// FilterClientSecretCreateActions ignores any reads made to get a storage secret corresponding to an OIDCClient, since these +// are normal actions when the request is using a dynamic client's client_id, and we don't need to make assertions +// about these Secrets since they are not related to session storage. +func FilterClientSecretCreateActions(actions []kubetesting.Action) []kubetesting.Action { + filtered := make([]kubetesting.Action, 0, len(actions)) + for _, action := range actions { + if action.Matches("get", "secrets") { + getAction := action.(kubetesting.GetAction) + if strings.HasPrefix(getAction.GetName(), "pinniped-storage-oidc-client-secret-") { + continue // filter out OIDCClient's storage secret reads + } + } + filtered = append(filtered, action) // otherwise include the action + } + return filtered +} diff --git a/test/testlib/client.go b/test/testlib/client.go index 2c514f7d..efad330b 100644 --- a/test/testlib/client.go +++ b/test/testlib/client.go @@ -15,6 +15,8 @@ import ( "testing" "time" + "go.pinniped.dev/internal/oidc/oidcclientvalidator" + "github.com/stretchr/testify/require" "golang.org/x/crypto/bcrypt" authorizationv1 "k8s.io/api/authorization/v1" 
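Review bot: The name `FilterClientSecretCreateActions` says "create", but the body drops `get` actions on secrets whose name starts with `pinniped-storage-oidc-client-secret-` (the doc comment correctly says "reads"), so a caller asserting `require.Empty` on the filtered list will still fail on any create or update of those secrets; either rename it (e.g. `FilterOIDCClientSecretGetActions`) or have the doc comment state exactly which verb is filtered. The unchecked assertion `getAction := action.(kubetesting.GetAction)` would panic rather than fail the test if a `get` on `secrets` ever arrives as a different action type; the two-value form `if getAction, ok := action.(kubetesting.GetAction); ok && strings.HasPrefix(getAction.GetName(), "pinniped-storage-oidc-client-secret-") {` keeps the filter from taking the whole test down.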
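Review bot: The new import `"go.pinniped.dev/internal/oidc/oidcclientvalidator"` in test/testlib/client.go is placed as its own group between the stdlib imports and `github.com/stretchr/testify/require`, which breaks the file's stdlib / third-party / local grouping and is exactly what goimports will shuffle on the next save; move it into the existing `go.pinniped.dev/...` group further down the import block.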
@@ -435,7 +437,7 @@ func createOIDCClientSecret(t *testing.T, forOIDCClient *configv1alpha1.OIDCClie
 _, err := io.ReadFull(rand.Reader, buf[:])
 require.NoError(t, err)
 randomSecret := hex.EncodeToString(buf[:])
- hashedRandomSecret, err := bcrypt.GenerateFromPassword([]byte(randomSecret), 15)
+ hashedRandomSecret, err := bcrypt.GenerateFromPassword([]byte(randomSecret), oidcclientvalidator.DefaultMinBcryptCost)
 require.NoError(t, err)
 created, err := kubeClient.CoreV1().Secrets(env.SupervisorNamespace).Create(ctx, &corev1.Secret{
From c12ffad29ebc5675b148eeea28002a269cdab0f9 Mon Sep 17 00:00:00 2001
From: Ryan Richard
Date: Thu, 21 Jul 2022 10:13:34 -0700
Subject: [PATCH 35/61] Add integration test for failed client auth for a dynamic client
---
 test/integration/supervisor_login_test.go | 283 ++++++++++++----------
 1 file changed, 161 insertions(+), 122 deletions(-)
diff --git a/test/integration/supervisor_login_test.go b/test/integration/supervisor_login_test.go
index 86c3f67f..981d3343 100644
--- a/test/integration/supervisor_login_test.go
+++ b/test/integration/supervisor_login_test.go
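Review bot: Replacing the literal `15` with `oidcclientvalidator.DefaultMinBcryptCost` presumably means the test fixture is now hashed at the lowest cost the Supervisor's validator will accept, which is the right trade for test setup time but is a deliberate choice that the line no longer explains; a comment such as `// hash at the minimum cost the Supervisor accepts so that the fixture is valid without paying for a slow bcrypt` would stop someone from "hardening" it back to a high cost and slowing every integration test. createOIDCClientSecret's body continues outside the hunk.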
@@ -224,10 +224,14 @@ func TestSupervisorLogin_Browser(t *testing.T) { // Want the authorization endpoint to redirect to the callback with this error type. // The rest of the flow will be skipped since the initial authorization failed. - wantErrorType string + wantAuthorizationErrorType string // Want the authorization endpoint to redirect to the callback with this error description. - // Should be used with wantErrorType. - wantErrorDescription string + // Should be used with wantAuthorizationErrorType. + wantAuthorizationErrorDescription string + + // Optionally want to the authcode exchange at the token endpoint to fail. The rest of the flow will be + // skipped since the authcode exchange failed. + wantAuthcodeExchangeError string // Optionally make all required assertions about the response of the RFC8693 token exchange for // the cluster-scoped ID token, given the http response status and response body from the token endpoint. @@ -674,8 +678,8 @@ func TestSupervisorLogin_Browser(t *testing.T) { true, ) }, - wantErrorDescription: "The resource owner or authorization server denied the request. Username/password not accepted by LDAP provider.", - wantErrorType: "access_denied", + wantAuthorizationErrorDescription: "The resource owner or authorization server denied the request. Username/password not accepted by LDAP provider.", + wantAuthorizationErrorType: "access_denied", }, { name: "ldap login still works after updating bind secret", 
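Review bot: The doc comment on the new `wantAuthcodeExchangeError` field has a typo, `// Optionally want to the authcode exchange at the token endpoint to fail.`, which should read `// Optionally want the authcode exchange at the token endpoint to fail.`. Since the three want-error fields now describe three different stages that each short-circuit the flow, it would also help to state on the struct that `wantAuthorizationErrorType` and `wantAuthcodeExchangeError` are mutually exclusive, because a case that sets both can never reach the authcode exchange.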
@@ -1125,9 +1129,9 @@ func TestSupervisorLogin_Browser(t *testing.T) {
 true,
 )
 },
- breakRefreshSessionData: nil,
- wantErrorDescription: "The resource owner or authorization server denied the request. Username/password not accepted by LDAP provider.",
- wantErrorType: "access_denied",
+ breakRefreshSessionData: nil,
+ wantAuthorizationErrorDescription: "The resource owner or authorization server denied the request. Username/password not accepted by LDAP provider.",
+ wantAuthorizationErrorType: "access_denied",
 },
 {
 name: "ldap refresh fails when username changes from email as username to dn as username",
@@ -1366,6 +1370,30 @@ func TestSupervisorLogin_Browser(t *testing.T) { }, wantDownstreamIDTokenGroups: env.SupervisorUpstreamActiveDirectory.TestUserIndirectGroupsSAMAccountPlusDomainNames, }, + { + name: "ldap upstream with downstream dynamic client, failed client authentication", + maybeSkip: skipLDAPTests, + createIDP: func(t *testing.T) string { + idp, _ := createLDAPIdentityProvider(t, nil) + return idp.Name + }, + createOIDCClient: func(t *testing.T, callbackURL string) (string, string) { + clientID, _ := testlib.CreateOIDCClient(t, configv1alpha1.OIDCClientSpec{ + AllowedRedirectURIs: []configv1alpha1.RedirectURI{configv1alpha1.RedirectURI(callbackURL)}, + AllowedGrantTypes: []configv1alpha1.GrantType{"authorization_code", "urn:ietf:params:oauth:grant-type:token-exchange", "refresh_token"}, + AllowedScopes: []configv1alpha1.Scope{"openid", "offline_access", "pinniped:request-audience", "username", "groups"}, + }, configv1alpha1.PhaseReady) + return clientID, "wrong-client-secret" + }, + testUser: func(t *testing.T) (string, string) { + // return the username and password of the existing user that we want to use for this test + return env.SupervisorUpstreamLDAP.TestUserMailAttributeValue, // username to present to server during login + env.SupervisorUpstreamLDAP.TestUserPassword // password to present to server during login + }, + requestAuthorization: requestAuthorizationUsingBrowserAuthcodeFlowLDAP, + wantAuthcodeExchangeError: "oauth2: cannot fetch token: 401 Unauthorized\n" + + `Response: {"error":"invalid_client","error_description":"Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method)."}`, + }, } for _, test := range tests { @@ -1373,7 +1401,8 @@ func TestSupervisorLogin_Browser(t *testing.T) { t.Run(tt.name, func(t *testing.T) { tt.maybeSkip(t) - testSupervisorLogin(t, + testSupervisorLogin( + t, tt.createIDP, tt.requestAuthorization, tt.editRefreshSessionDataWithoutBreaking, 
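Review bot: `wantAuthcodeExchangeError` in the new "failed client authentication" case pins the complete 401 body, including fosite's `error_description` prose, so any fosite upgrade that rewords the description breaks the case even though the property under test (a generic `invalid_client` error that does not reveal whether the client exists or which part of the credential was wrong) is unchanged. Matching the status line plus `"error":"invalid_client"` with `require.Regexp`, the way the upstream-refresh failure case already does for its 401, would keep the assertion on the security-relevant part. The `createOIDCClient` closure discards the real secret with `_` and returns `"wrong-client-secret"`, which is fine, but a one-line comment saying so (`// deliberately return a secret that does not match the created client`) makes the intent obvious in a table where every other case returns the real one.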
@@ -1386,8 +1415,9 @@ func TestSupervisorLogin_Browser(t *testing.T) { tt.wantDownstreamIDTokenSubjectToMatch, tt.wantDownstreamIDTokenUsernameToMatch, tt.wantDownstreamIDTokenGroups, - tt.wantErrorDescription, - tt.wantErrorType, + tt.wantAuthorizationErrorType, + tt.wantAuthorizationErrorDescription, + tt.wantAuthcodeExchangeError, tt.wantTokenExchangeResponse, ) }) @@ -1516,8 +1546,8 @@ func testSupervisorLogin( t *testing.T, createIDP func(t *testing.T) string, requestAuthorization func(t *testing.T, downstreamIssuer string, downstreamAuthorizeURL string, downstreamCallbackURL string, username string, password string, httpClient *http.Client), - editRefreshSessionDataWithoutBreaking func(t *testing.T, pinnipedSession *psession.PinnipedSession, idpName, username string) []string, - breakRefreshSessionData func(t *testing.T, pinnipedSession *psession.PinnipedSession, idpName, username string), + editRefreshSessionDataWithoutBreaking func(t *testing.T, pinnipedSession *psession.PinnipedSession, idpName string, username string) []string, + breakRefreshSessionData func(t *testing.T, pinnipedSession *psession.PinnipedSession, idpName string, username string), testUser func(t *testing.T) (string, string), createOIDCClient func(t *testing.T, callbackURL string) (string, string), downstreamScopes []string, @@ -1526,8 +1556,9 @@ func testSupervisorLogin( wantDownstreamIDTokenSubjectToMatch string, wantDownstreamIDTokenUsernameToMatch func(username string) string, wantDownstreamIDTokenGroups []string, - wantErrorDescription string, - wantErrorType string, + wantAuthorizationErrorType string, + wantAuthorizationErrorDescription string, + wantAuthcodeExchangeError string, wantTokenExchangeResponse func(t *testing.T, status int, body string), ) { env := testlib.IntegrationEnv(t) 
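Review bot: `testSupervisorLogin` now takes three adjacent `string` parameters (`wantAuthorizationErrorType`, `wantAuthorizationErrorDescription`, `wantAuthcodeExchangeError`) and this commit also swaps the order of the first two relative to the old `wantErrorDescription, wantErrorType`; the compiler cannot catch a call site that still passes them in the old order, and the only thing keeping the call in `TestSupervisorLogin_Browser` correct is the matching edit in the `@@ -1386` hunk. Passing the table's struct (or a small struct grouping the want-error fields) instead of unpacking it into this many positional arguments would make that class of mistake impossible. Both signature hunks cut into the middle of the parameter list, so the full signature is outside this view.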
@@ -1693,116 +1724,124 @@ func testSupervisorLogin( require.NoError(t, err) t.Logf("got callback request: %s", testlib.MaskTokens(callback.URL.String())) - if wantErrorType == "" { // nolint:nestif - require.Equal(t, stateParam.String(), callback.URL.Query().Get("state")) - require.ElementsMatch(t, downstreamScopes, strings.Split(callback.URL.Query().Get("scope"), " ")) - authcode := callback.URL.Query().Get("code") - require.NotEmpty(t, authcode) - // Authcodes should start with the custom prefix "pin_ac_" to make them identifiable as authcodes when seen by a user out of context. - require.True(t, strings.HasPrefix(authcode, "pin_ac_"), "token %q did not have expected prefix 'pin_ac_'", authcode) - - // Call the token endpoint to get tokens. - tokenResponse, err := downstreamOAuth2Config.Exchange(oidcHTTPClientContext, authcode, pkceParam.Verifier()) - require.NoError(t, err) - - expectedIDTokenClaims := []string{"iss", "exp", "sub", "aud", "auth_time", "iat", "jti", "nonce", "rat", "username"} - if slices.Contains(downstreamScopes, "groups") { - expectedIDTokenClaims = append(expectedIDTokenClaims, "groups") - } - verifyTokenResponse(t, - tokenResponse, discovery, downstreamOAuth2Config, nonceParam, - expectedIDTokenClaims, wantDownstreamIDTokenSubjectToMatch, wantDownstreamIDTokenUsernameToMatch(username), wantDownstreamIDTokenGroups) - - // token exchange on the original token - if requestTokenExchangeAud == "" { - requestTokenExchangeAud = "some-cluster-123" // use a default test value - } - doTokenExchange(t, requestTokenExchangeAud, &downstreamOAuth2Config, tokenResponse, httpClient, discovery, wantTokenExchangeResponse) - - refreshedGroups := wantDownstreamIDTokenGroups - if editRefreshSessionDataWithoutBreaking != nil { - latestRefreshToken := tokenResponse.RefreshToken - signatureOfLatestRefreshToken := getFositeDataSignature(t, latestRefreshToken) - - // First use the latest downstream refresh token to look up the corresponding session in the 
Supervisor's storage. - supervisorSecretsClient := testlib.NewKubernetesClientset(t).CoreV1().Secrets(env.SupervisorNamespace) - supervisorOIDCClientsClient := testlib.NewSupervisorClientset(t).ConfigV1alpha1().OIDCClients(env.SupervisorNamespace) - oauthStore := oidc.NewKubeStorage(supervisorSecretsClient, supervisorOIDCClientsClient, oidc.DefaultOIDCTimeoutsConfiguration(), oidcclientvalidator.DefaultMinBcryptCost) - storedRefreshSession, err := oauthStore.GetRefreshTokenSession(ctx, signatureOfLatestRefreshToken, nil) - require.NoError(t, err) - - // Next mutate the part of the session that is used during upstream refresh. - pinnipedSession, ok := storedRefreshSession.GetSession().(*psession.PinnipedSession) - require.True(t, ok, "should have been able to cast session data to PinnipedSession") - - refreshedGroups = editRefreshSessionDataWithoutBreaking(t, pinnipedSession, idpName, username) - - // Then save the mutated Secret back to Kubernetes. - // There is no update function, so delete and create again at the same name. - require.NoError(t, oauthStore.DeleteRefreshTokenSession(ctx, signatureOfLatestRefreshToken)) - require.NoError(t, oauthStore.CreateRefreshTokenSession(ctx, signatureOfLatestRefreshToken, storedRefreshSession)) - } - // Use the refresh token to get new tokens - refreshSource := downstreamOAuth2Config.TokenSource(oidcHTTPClientContext, &oauth2.Token{RefreshToken: tokenResponse.RefreshToken}) - refreshedTokenResponse, err := refreshSource.Token() - require.NoError(t, err) - - // When refreshing, expect to get an "at_hash" claim, but no "nonce" claim. 
- expectRefreshedIDTokenClaims := []string{"iss", "exp", "sub", "aud", "auth_time", "iat", "jti", "rat", "username", "at_hash"} - if slices.Contains(downstreamScopes, "groups") { - expectRefreshedIDTokenClaims = append(expectRefreshedIDTokenClaims, "groups") - } - verifyTokenResponse(t, - refreshedTokenResponse, discovery, downstreamOAuth2Config, "", - expectRefreshedIDTokenClaims, wantDownstreamIDTokenSubjectToMatch, wantDownstreamIDTokenUsernameToMatch(username), refreshedGroups) - - require.NotEqual(t, tokenResponse.AccessToken, refreshedTokenResponse.AccessToken) - require.NotEqual(t, tokenResponse.RefreshToken, refreshedTokenResponse.RefreshToken) - require.NotEqual(t, tokenResponse.Extra("id_token"), refreshedTokenResponse.Extra("id_token")) - - // token exchange on the refreshed token - doTokenExchange(t, requestTokenExchangeAud, &downstreamOAuth2Config, refreshedTokenResponse, httpClient, discovery, wantTokenExchangeResponse) - - // Now that we have successfully performed a refresh, let's test what happens when an - // upstream refresh fails during the next downstream refresh. - if breakRefreshSessionData != nil { - latestRefreshToken := refreshedTokenResponse.RefreshToken - signatureOfLatestRefreshToken := getFositeDataSignature(t, latestRefreshToken) - - // First use the latest downstream refresh token to look up the corresponding session in the Supervisor's storage. 
- supervisorSecretsClient := testlib.NewKubernetesClientset(t).CoreV1().Secrets(env.SupervisorNamespace) - supervisorOIDCClientsClient := testlib.NewSupervisorClientset(t).ConfigV1alpha1().OIDCClients(env.SupervisorNamespace) - oauthStore := oidc.NewKubeStorage(supervisorSecretsClient, supervisorOIDCClientsClient, oidc.DefaultOIDCTimeoutsConfiguration(), oidcclientvalidator.DefaultMinBcryptCost) - storedRefreshSession, err := oauthStore.GetRefreshTokenSession(ctx, signatureOfLatestRefreshToken, nil) - require.NoError(t, err) - - // Next mutate the part of the session that is used during upstream refresh. - pinnipedSession, ok := storedRefreshSession.GetSession().(*psession.PinnipedSession) - require.True(t, ok, "should have been able to cast session data to PinnipedSession") - breakRefreshSessionData(t, pinnipedSession, idpName, username) - - // Then save the mutated Secret back to Kubernetes. - // There is no update function, so delete and create again at the same name. - require.NoError(t, oauthStore.DeleteRefreshTokenSession(ctx, signatureOfLatestRefreshToken)) - require.NoError(t, oauthStore.CreateRefreshTokenSession(ctx, signatureOfLatestRefreshToken, storedRefreshSession)) - - // Now try to perform a downstream refresh again, knowing that the corresponding upstream refresh should fail. - _, err = downstreamOAuth2Config.TokenSource(oidcHTTPClientContext, &oauth2.Token{RefreshToken: latestRefreshToken}).Token() - // Should have got an error since the upstream refresh should have failed. - require.Error(t, err) - require.Regexp(t, - regexp.QuoteMeta("oauth2: cannot fetch token: 401 Unauthorized\n")+ - regexp.QuoteMeta(`Response: {"error":"error","error_description":"Error during upstream refresh. 
Upstream refresh failed`)+ - "[^']+", - err.Error(), - ) - } - } else { + if wantAuthorizationErrorType != "" { errorDescription := callback.URL.Query().Get("error_description") errorType := callback.URL.Query().Get("error") - require.Equal(t, errorDescription, wantErrorDescription) - require.Equal(t, errorType, wantErrorType) + require.Equal(t, errorDescription, wantAuthorizationErrorDescription) + require.Equal(t, errorType, wantAuthorizationErrorType) + // The authorization has failed, so can't continue the login flow, making this the end of the test case. + return + } + + require.Equal(t, stateParam.String(), callback.URL.Query().Get("state")) + require.ElementsMatch(t, downstreamScopes, strings.Split(callback.URL.Query().Get("scope"), " ")) + authcode := callback.URL.Query().Get("code") + require.NotEmpty(t, authcode) + + // Authcodes should start with the custom prefix "pin_ac_" to make them identifiable as authcodes when seen by a user out of context. + require.True(t, strings.HasPrefix(authcode, "pin_ac_"), "token %q did not have expected prefix 'pin_ac_'", authcode) + + // Call the token endpoint to get tokens. + tokenResponse, err := downstreamOAuth2Config.Exchange(oidcHTTPClientContext, authcode, pkceParam.Verifier()) + if wantAuthcodeExchangeError != "" { + require.EqualError(t, err, wantAuthcodeExchangeError) + // The authcode exchange has failed, so can't continue the login flow, making this the end of the test case. 
+ return + } else { + require.NoError(t, err) + } + expectedIDTokenClaims := []string{"iss", "exp", "sub", "aud", "auth_time", "iat", "jti", "nonce", "rat", "username"} + if slices.Contains(downstreamScopes, "groups") { + expectedIDTokenClaims = append(expectedIDTokenClaims, "groups") + } + verifyTokenResponse(t, + tokenResponse, discovery, downstreamOAuth2Config, nonceParam, + expectedIDTokenClaims, wantDownstreamIDTokenSubjectToMatch, wantDownstreamIDTokenUsernameToMatch(username), wantDownstreamIDTokenGroups) + + // token exchange on the original token + if requestTokenExchangeAud == "" { + requestTokenExchangeAud = "some-cluster-123" // use a default test value + } + doTokenExchange(t, requestTokenExchangeAud, &downstreamOAuth2Config, tokenResponse, httpClient, discovery, wantTokenExchangeResponse) + + refreshedGroups := wantDownstreamIDTokenGroups + if editRefreshSessionDataWithoutBreaking != nil { + latestRefreshToken := tokenResponse.RefreshToken + signatureOfLatestRefreshToken := getFositeDataSignature(t, latestRefreshToken) + + // First use the latest downstream refresh token to look up the corresponding session in the Supervisor's storage. + supervisorSecretsClient := testlib.NewKubernetesClientset(t).CoreV1().Secrets(env.SupervisorNamespace) + supervisorOIDCClientsClient := testlib.NewSupervisorClientset(t).ConfigV1alpha1().OIDCClients(env.SupervisorNamespace) + oauthStore := oidc.NewKubeStorage(supervisorSecretsClient, supervisorOIDCClientsClient, oidc.DefaultOIDCTimeoutsConfiguration(), oidcclientvalidator.DefaultMinBcryptCost) + storedRefreshSession, err := oauthStore.GetRefreshTokenSession(ctx, signatureOfLatestRefreshToken, nil) + require.NoError(t, err) + + // Next mutate the part of the session that is used during upstream refresh. 
+ pinnipedSession, ok := storedRefreshSession.GetSession().(*psession.PinnipedSession) + require.True(t, ok, "should have been able to cast session data to PinnipedSession") + + refreshedGroups = editRefreshSessionDataWithoutBreaking(t, pinnipedSession, idpName, username) + + // Then save the mutated Secret back to Kubernetes. + // There is no update function, so delete and create again at the same name. + require.NoError(t, oauthStore.DeleteRefreshTokenSession(ctx, signatureOfLatestRefreshToken)) + require.NoError(t, oauthStore.CreateRefreshTokenSession(ctx, signatureOfLatestRefreshToken, storedRefreshSession)) + } + // Use the refresh token to get new tokens + refreshSource := downstreamOAuth2Config.TokenSource(oidcHTTPClientContext, &oauth2.Token{RefreshToken: tokenResponse.RefreshToken}) + refreshedTokenResponse, err := refreshSource.Token() + require.NoError(t, err) + + // When refreshing, expect to get an "at_hash" claim, but no "nonce" claim. + expectRefreshedIDTokenClaims := []string{"iss", "exp", "sub", "aud", "auth_time", "iat", "jti", "rat", "username", "at_hash"} + if slices.Contains(downstreamScopes, "groups") { + expectRefreshedIDTokenClaims = append(expectRefreshedIDTokenClaims, "groups") + } + verifyTokenResponse(t, + refreshedTokenResponse, discovery, downstreamOAuth2Config, "", + expectRefreshedIDTokenClaims, wantDownstreamIDTokenSubjectToMatch, wantDownstreamIDTokenUsernameToMatch(username), refreshedGroups) + + require.NotEqual(t, tokenResponse.AccessToken, refreshedTokenResponse.AccessToken) + require.NotEqual(t, tokenResponse.RefreshToken, refreshedTokenResponse.RefreshToken) + require.NotEqual(t, tokenResponse.Extra("id_token"), refreshedTokenResponse.Extra("id_token")) + + // token exchange on the refreshed token + doTokenExchange(t, requestTokenExchangeAud, &downstreamOAuth2Config, refreshedTokenResponse, httpClient, discovery, wantTokenExchangeResponse) + + // Now that we have successfully performed a refresh, let's test what happens when 
an + // upstream refresh fails during the next downstream refresh. + if breakRefreshSessionData != nil { + latestRefreshToken := refreshedTokenResponse.RefreshToken + signatureOfLatestRefreshToken := getFositeDataSignature(t, latestRefreshToken) + + // First use the latest downstream refresh token to look up the corresponding session in the Supervisor's storage. + supervisorSecretsClient := testlib.NewKubernetesClientset(t).CoreV1().Secrets(env.SupervisorNamespace) + supervisorOIDCClientsClient := testlib.NewSupervisorClientset(t).ConfigV1alpha1().OIDCClients(env.SupervisorNamespace) + oauthStore := oidc.NewKubeStorage(supervisorSecretsClient, supervisorOIDCClientsClient, oidc.DefaultOIDCTimeoutsConfiguration(), oidcclientvalidator.DefaultMinBcryptCost) + storedRefreshSession, err := oauthStore.GetRefreshTokenSession(ctx, signatureOfLatestRefreshToken, nil) + require.NoError(t, err) + + // Next mutate the part of the session that is used during upstream refresh. + pinnipedSession, ok := storedRefreshSession.GetSession().(*psession.PinnipedSession) + require.True(t, ok, "should have been able to cast session data to PinnipedSession") + breakRefreshSessionData(t, pinnipedSession, idpName, username) + + // Then save the mutated Secret back to Kubernetes. + // There is no update function, so delete and create again at the same name. + require.NoError(t, oauthStore.DeleteRefreshTokenSession(ctx, signatureOfLatestRefreshToken)) + require.NoError(t, oauthStore.CreateRefreshTokenSession(ctx, signatureOfLatestRefreshToken, storedRefreshSession)) + + // Now try to perform a downstream refresh again, knowing that the corresponding upstream refresh should fail. + _, err = downstreamOAuth2Config.TokenSource(oidcHTTPClientContext, &oauth2.Token{RefreshToken: latestRefreshToken}).Token() + // Should have got an error since the upstream refresh should have failed. 
+ require.Error(t, err) + require.Regexp(t, + regexp.QuoteMeta("oauth2: cannot fetch token: 401 Unauthorized\n")+ + regexp.QuoteMeta(`Response: {"error":"error","error_description":"Error during upstream refresh. Upstream refresh failed`)+ + "[^']+", + err.Error(), + ) } } From 0495286f9727fa39b362d3497f89466829fffb36 Mon Sep 17 00:00:00 2001 From: Ryan Richard Date: Thu, 21 Jul 2022 13:50:33 -0700 Subject: [PATCH 36/61] Fix lint error and remove accidental direct dep on ory/x Fixing some mistakes from previous commit on feature branch. --- internal/oidc/token_exchange.go | 5 ++--- test/integration/supervisor_login_test.go | 3 +-- 2 files changed, 3 insertions(+), 5 deletions(-) diff --git a/internal/oidc/token_exchange.go b/internal/oidc/token_exchange.go index 5ed83b5e..9cbf566d 100644 --- a/internal/oidc/token_exchange.go +++ b/internal/oidc/token_exchange.go @@ -13,7 +13,6 @@ import ( "github.com/ory/fosite/compose" "github.com/ory/fosite/handler/oauth2" "github.com/ory/fosite/handler/openid" - "github.com/ory/x/errorsx" "github.com/pkg/errors" "go.pinniped.dev/internal/oidc/clientregistry" 
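Review bot: The retained assertions `require.Equal(t, errorDescription, wantAuthorizationErrorDescription)` and `require.Equal(t, errorType, wantAuthorizationErrorType)` pass the actual value first, but testify's `Equal` is `(expected, actual)`, so a failure prints the two sides swapped; since this commit already rewrote these lines it is the moment to flip them to `require.Equal(t, wantAuthorizationErrorDescription, errorDescription)` and `require.Equal(t, wantAuthorizationErrorType, errorType)`. The early `return` on an authorization error and on an authcode-exchange error makes the guard-clause shape clearer than the old nested `if`, which is a good change. testSupervisorLogin's body continues outside the hunk.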
@@ -75,13 +74,13 @@ func (t *TokenExchangeHandler) PopulateTokenEndpointResponse(ctx context.Context
 // Check that the currently authenticated client and the client which was originally used to get the access token are the same.
 if originalRequester.GetClient().GetID() != requester.GetClient().GetID() {
 // This error message is copied from the similar check in fosite's flow_authorize_code_token.go.
- return errorsx.WithStack(fosite.ErrInvalidGrant.WithHint("The OAuth 2.0 Client ID from this request does not match the one from the authorize request."))
+ return errors.WithStack(fosite.ErrInvalidGrant.WithHint("The OAuth 2.0 Client ID from this request does not match the one from the authorize request."))
 }
 
 // Check that the client is allowed to perform this grant type.
 if !requester.GetClient().GetGrantTypes().Has(tokenExchangeGrantType) {
 // This error message is trying to be similar to the analogous one in fosite's flow_authorize_code_token.go.
- return errorsx.WithStack(fosite.ErrUnauthorizedClient.WithHintf("The OAuth 2.0 Client is not allowed to use token exchange grant \"%s\".", tokenExchangeGrantType))
+ return errors.WithStack(fosite.ErrUnauthorizedClient.WithHintf(`The OAuth 2.0 Client is not allowed to use token exchange grant "%s".`, tokenExchangeGrantType))
 }
 
 // Require that the incoming access token has the pinniped:request-audience and OpenID scopes.
diff --git a/test/integration/supervisor_login_test.go b/test/integration/supervisor_login_test.go
index 981d3343..b465a17d 100644
--- a/test/integration/supervisor_login_test.go
+++ b/test/integration/supervisor_login_test.go
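Review bot: The swap from `errorsx.WithStack` to pkg/errors' `errors.WithStack` on the two `return` lines only keeps fosite's error mapping intact if the wrapper exposes `Unwrap`, which pkg/errors' `withStack` gained in v0.9.0; on an older pin, `fosite.ErrorToRFC6749Error` would presumably no longer find the `*fosite.RFC6749Error` underneath and the clean `invalid_grant` / `unauthorized_client` rejections would degrade into a generic server error. Worth confirming the go.mod version, and a short comment above the first return would spare the next reader the same check: `// pkg/errors' WithStack implements Unwrap, so fosite can still recover the RFC6749 error.` PopulateTokenEndpointResponse starts and ends outside the hunk.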
@@ -1748,9 +1748,8 @@ func testSupervisorLogin(
 require.EqualError(t, err, wantAuthcodeExchangeError)
 // The authcode exchange has failed, so can't continue the login flow, making this the end of the test case.
 return
- } else {
- require.NoError(t, err)
 }
+ require.NoError(t, err)
 expectedIDTokenClaims := []string{"iss", "exp", "sub", "aud", "auth_time", "iat", "jti", "nonce", "rat", "username"}
 if slices.Contains(downstreamScopes, "groups") {
 expectedIDTokenClaims = append(expectedIDTokenClaims, "groups")
From b65f872dcdb449fbcdc4e9638c1f7a557c7ed585 Mon Sep 17 00:00:00 2001
From: Ryan Richard Date: Thu, 21 Jul 2022 16:40:03 -0700 Subject: [PATCH 37/61] Configure printer columns for OIDCClient CRD --- apis/supervisor/config/v1alpha1/types_oidcclient.go.tmpl | 6 +++++- .../config.supervisor.pinniped.dev_oidcclients.yaml | 9 +++++++++ .../apis/supervisor/config/v1alpha1/types_oidcclient.go | 6 +++++- .../crds/config.supervisor.pinniped.dev_oidcclients.yaml | 9 +++++++++ .../apis/supervisor/config/v1alpha1/types_oidcclient.go | 6 +++++- .../crds/config.supervisor.pinniped.dev_oidcclients.yaml | 9 +++++++++ .../apis/supervisor/config/v1alpha1/types_oidcclient.go | 6 +++++- .../crds/config.supervisor.pinniped.dev_oidcclients.yaml | 9 +++++++++ .../apis/supervisor/config/v1alpha1/types_oidcclient.go | 6 +++++- .../crds/config.supervisor.pinniped.dev_oidcclients.yaml | 9 +++++++++ .../apis/supervisor/config/v1alpha1/types_oidcclient.go | 6 +++++- .../crds/config.supervisor.pinniped.dev_oidcclients.yaml | 9 +++++++++ .../apis/supervisor/config/v1alpha1/types_oidcclient.go | 6 +++++- .../crds/config.supervisor.pinniped.dev_oidcclients.yaml | 9 +++++++++ .../apis/supervisor/config/v1alpha1/types_oidcclient.go | 6 +++++- .../crds/config.supervisor.pinniped.dev_oidcclients.yaml | 9 +++++++++ .../apis/supervisor/config/v1alpha1/types_oidcclient.go | 6 +++++- .../crds/config.supervisor.pinniped.dev_oidcclients.yaml | 9 +++++++++ .../apis/supervisor/config/v1alpha1/types_oidcclient.go | 6 +++++- test/integration/kube_api_discovery_test.go | 3 +++ 20 files changed, 134 insertions(+), 10 deletions(-) diff --git a/apis/supervisor/config/v1alpha1/types_oidcclient.go.tmpl b/apis/supervisor/config/v1alpha1/types_oidcclient.go.tmpl index 8604a4f1..719a597f 100644 --- a/apis/supervisor/config/v1alpha1/types_oidcclient.go.tmpl +++ b/apis/supervisor/config/v1alpha1/types_oidcclient.go.tmpl 
@@ -88,13 +88,17 @@ type OIDCClientStatus struct { Conditions []Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"` // totalClientSecrets is the current number of client secrets that are detected for this OIDCClient. - TotalClientSecrets int32 `json:"totalClientSecrets,omitempty"` + // +optional + TotalClientSecrets int32 `json:"totalClientSecrets"` // do not omitempty to allow it to show in the printer column even when it is 0 } // OIDCClient describes the configuration of an OIDC client. // +genclient // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object // +kubebuilder:resource:categories=pinniped +// +kubebuilder:printcolumn:name="Privileged Scopes",type=string,JSONPath=`.spec.allowedScopes[?(@ == "pinniped:request-audience")]` +// +kubebuilder:printcolumn:name="Client Secrets",type=integer,JSONPath=`.status.totalClientSecrets` +// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.phase` // +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp` // +kubebuilder:subresource:status type OIDCClient struct { diff --git a/deploy/supervisor/config.supervisor.pinniped.dev_oidcclients.yaml b/deploy/supervisor/config.supervisor.pinniped.dev_oidcclients.yaml index 76c0cab0..e4978627 100644 --- a/deploy/supervisor/config.supervisor.pinniped.dev_oidcclients.yaml +++ b/deploy/supervisor/config.supervisor.pinniped.dev_oidcclients.yaml @@ -18,6 +18,15 @@ spec: scope: Namespaced versions: - additionalPrinterColumns: + - jsonPath: .spec.allowedScopes[?(@ == "pinniped:request-audience")] + name: Privileged Scopes + type: string + - jsonPath: .status.totalClientSecrets + name: Client Secrets + type: integer + - jsonPath: .status.phase + name: Status + type: string - jsonPath: .metadata.creationTimestamp name: Age type: date 
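Review bot: The new `Privileged Scopes` printer column uses the filter `.spec.allowedScopes[?(@ == "pinniped:request-audience")]`, which renders the literal scope string when the client is allowed to request it and an empty cell otherwise; that is a sensible at-a-glance flag for the one scope that unlocks cluster-scoped token exchange, but nothing in the marker says so, and a reader of `kubectl get oidcclients` will not know why only that scope is shown. A `description=` on the printcolumn marker, e.g. `description="Shows pinniped:request-audience when this client is allowed to request cluster-scoped ID tokens"`, would carry the intent into the generated CRD alongside the column. The `Status` column reads `.status.phase`, a field not visible in this hunk of `OIDCClientStatus` (only `Conditions` and `TotalClientSecrets` are shown), so presumably it is declared above the hunk; worth a glance that the path is not silently empty. The `OIDCClientStatus` struct starts outside the hunk.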
diff --git a/generated/1.17/apis/supervisor/config/v1alpha1/types_oidcclient.go b/generated/1.17/apis/supervisor/config/v1alpha1/types_oidcclient.go index 8604a4f1..719a597f 100644 --- a/generated/1.17/apis/supervisor/config/v1alpha1/types_oidcclient.go +++ b/generated/1.17/apis/supervisor/config/v1alpha1/types_oidcclient.go @@ -88,13 +88,17 @@ type OIDCClientStatus struct { Conditions []Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"` // totalClientSecrets is the current number of client secrets that are detected for this OIDCClient. - TotalClientSecrets int32 `json:"totalClientSecrets,omitempty"` + // +optional + TotalClientSecrets int32 `json:"totalClientSecrets"` // do not omitempty to allow it to show in the printer column even when it is 0 } // OIDCClient describes the configuration of an OIDC client. // +genclient // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object // +kubebuilder:resource:categories=pinniped +// +kubebuilder:printcolumn:name="Privileged Scopes",type=string,JSONPath=`.spec.allowedScopes[?(@ == "pinniped:request-audience")]` +// +kubebuilder:printcolumn:name="Client Secrets",type=integer,JSONPath=`.status.totalClientSecrets` +// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.phase` // +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp` // +kubebuilder:subresource:status type OIDCClient struct { diff --git a/generated/1.17/crds/config.supervisor.pinniped.dev_oidcclients.yaml b/generated/1.17/crds/config.supervisor.pinniped.dev_oidcclients.yaml index 76c0cab0..e4978627 100644 --- a/generated/1.17/crds/config.supervisor.pinniped.dev_oidcclients.yaml +++ b/generated/1.17/crds/config.supervisor.pinniped.dev_oidcclients.yaml 
@@ -18,6 +18,15 @@ spec: scope: Namespaced versions: - additionalPrinterColumns: + - jsonPath: .spec.allowedScopes[?(@ == "pinniped:request-audience")] + name: Privileged Scopes + type: string + - jsonPath: .status.totalClientSecrets + name: Client Secrets + type: integer + - jsonPath: .status.phase + name: Status + type: string - jsonPath: .metadata.creationTimestamp name: Age type: date diff --git a/generated/1.18/apis/supervisor/config/v1alpha1/types_oidcclient.go b/generated/1.18/apis/supervisor/config/v1alpha1/types_oidcclient.go index 8604a4f1..719a597f 100644 --- a/generated/1.18/apis/supervisor/config/v1alpha1/types_oidcclient.go +++ b/generated/1.18/apis/supervisor/config/v1alpha1/types_oidcclient.go @@ -88,13 +88,17 @@ type OIDCClientStatus struct { Conditions []Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"` // totalClientSecrets is the current number of client secrets that are detected for this OIDCClient. - TotalClientSecrets int32 `json:"totalClientSecrets,omitempty"` + // +optional + TotalClientSecrets int32 `json:"totalClientSecrets"` // do not omitempty to allow it to show in the printer column even when it is 0 } // OIDCClient describes the configuration of an OIDC client. // +genclient // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object // +kubebuilder:resource:categories=pinniped +// +kubebuilder:printcolumn:name="Privileged Scopes",type=string,JSONPath=`.spec.allowedScopes[?(@ == "pinniped:request-audience")]` +// +kubebuilder:printcolumn:name="Client Secrets",type=integer,JSONPath=`.status.totalClientSecrets` +// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.phase` // +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp` // +kubebuilder:subresource:status type OIDCClient struct { 
diff --git a/generated/1.18/crds/config.supervisor.pinniped.dev_oidcclients.yaml b/generated/1.18/crds/config.supervisor.pinniped.dev_oidcclients.yaml index 76c0cab0..e4978627 100644 --- a/generated/1.18/crds/config.supervisor.pinniped.dev_oidcclients.yaml +++ b/generated/1.18/crds/config.supervisor.pinniped.dev_oidcclients.yaml @@ -18,6 +18,15 @@ spec: scope: Namespaced versions: - additionalPrinterColumns: + - jsonPath: .spec.allowedScopes[?(@ == "pinniped:request-audience")] + name: Privileged Scopes + type: string + - jsonPath: .status.totalClientSecrets + name: Client Secrets + type: integer + - jsonPath: .status.phase + name: Status + type: string - jsonPath: .metadata.creationTimestamp name: Age type: date diff --git a/generated/1.19/apis/supervisor/config/v1alpha1/types_oidcclient.go b/generated/1.19/apis/supervisor/config/v1alpha1/types_oidcclient.go index 8604a4f1..719a597f 100644 --- a/generated/1.19/apis/supervisor/config/v1alpha1/types_oidcclient.go +++ b/generated/1.19/apis/supervisor/config/v1alpha1/types_oidcclient.go 
@@ -88,13 +88,17 @@ type OIDCClientStatus struct { Conditions []Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"` // totalClientSecrets is the current number of client secrets that are detected for this OIDCClient. - TotalClientSecrets int32 `json:"totalClientSecrets,omitempty"` + // +optional + TotalClientSecrets int32 `json:"totalClientSecrets"` // do not omitempty to allow it to show in the printer column even when it is 0 } // OIDCClient describes the configuration of an OIDC client. // +genclient // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object // +kubebuilder:resource:categories=pinniped +// +kubebuilder:printcolumn:name="Privileged Scopes",type=string,JSONPath=`.spec.allowedScopes[?(@ == "pinniped:request-audience")]` +// +kubebuilder:printcolumn:name="Client Secrets",type=integer,JSONPath=`.status.totalClientSecrets` +// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.phase` // +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp` // +kubebuilder:subresource:status type OIDCClient struct { diff --git a/generated/1.19/crds/config.supervisor.pinniped.dev_oidcclients.yaml b/generated/1.19/crds/config.supervisor.pinniped.dev_oidcclients.yaml index 76c0cab0..e4978627 100644 --- a/generated/1.19/crds/config.supervisor.pinniped.dev_oidcclients.yaml +++ b/generated/1.19/crds/config.supervisor.pinniped.dev_oidcclients.yaml @@ -18,6 +18,15 @@ spec: scope: Namespaced versions: - additionalPrinterColumns: + - jsonPath: .spec.allowedScopes[?(@ == "pinniped:request-audience")] + name: Privileged Scopes + type: string + - jsonPath: .status.totalClientSecrets + name: Client Secrets + type: integer + - jsonPath: .status.phase + name: Status + type: string - jsonPath: .metadata.creationTimestamp name: Age type: date 
diff --git a/generated/1.20/apis/supervisor/config/v1alpha1/types_oidcclient.go b/generated/1.20/apis/supervisor/config/v1alpha1/types_oidcclient.go index 8604a4f1..719a597f 100644 --- a/generated/1.20/apis/supervisor/config/v1alpha1/types_oidcclient.go +++ b/generated/1.20/apis/supervisor/config/v1alpha1/types_oidcclient.go @@ -88,13 +88,17 @@ type OIDCClientStatus struct { Conditions []Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"` // totalClientSecrets is the current number of client secrets that are detected for this OIDCClient. - TotalClientSecrets int32 `json:"totalClientSecrets,omitempty"` + // +optional + TotalClientSecrets int32 `json:"totalClientSecrets"` // do not omitempty to allow it to show in the printer column even when it is 0 } // OIDCClient describes the configuration of an OIDC client. // +genclient // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object // +kubebuilder:resource:categories=pinniped +// +kubebuilder:printcolumn:name="Privileged Scopes",type=string,JSONPath=`.spec.allowedScopes[?(@ == "pinniped:request-audience")]` +// +kubebuilder:printcolumn:name="Client Secrets",type=integer,JSONPath=`.status.totalClientSecrets` +// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.phase` // +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp` // +kubebuilder:subresource:status type OIDCClient struct { diff --git a/generated/1.20/crds/config.supervisor.pinniped.dev_oidcclients.yaml b/generated/1.20/crds/config.supervisor.pinniped.dev_oidcclients.yaml index 76c0cab0..e4978627 100644 --- a/generated/1.20/crds/config.supervisor.pinniped.dev_oidcclients.yaml +++ b/generated/1.20/crds/config.supervisor.pinniped.dev_oidcclients.yaml 
@@ -18,6 +18,15 @@ spec: scope: Namespaced versions: - additionalPrinterColumns: + - jsonPath: .spec.allowedScopes[?(@ == "pinniped:request-audience")] + name: Privileged Scopes + type: string + - jsonPath: .status.totalClientSecrets + name: Client Secrets + type: integer + - jsonPath: .status.phase + name: Status + type: string - jsonPath: .metadata.creationTimestamp name: Age type: date diff --git a/generated/1.21/apis/supervisor/config/v1alpha1/types_oidcclient.go b/generated/1.21/apis/supervisor/config/v1alpha1/types_oidcclient.go index 8604a4f1..719a597f 100644 --- a/generated/1.21/apis/supervisor/config/v1alpha1/types_oidcclient.go +++ b/generated/1.21/apis/supervisor/config/v1alpha1/types_oidcclient.go @@ -88,13 +88,17 @@ type OIDCClientStatus struct { Conditions []Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"` // totalClientSecrets is the current number of client secrets that are detected for this OIDCClient. - TotalClientSecrets int32 `json:"totalClientSecrets,omitempty"` + // +optional + TotalClientSecrets int32 `json:"totalClientSecrets"` // do not omitempty to allow it to show in the printer column even when it is 0 } // OIDCClient describes the configuration of an OIDC client. // +genclient // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object // +kubebuilder:resource:categories=pinniped +// +kubebuilder:printcolumn:name="Privileged Scopes",type=string,JSONPath=`.spec.allowedScopes[?(@ == "pinniped:request-audience")]` +// +kubebuilder:printcolumn:name="Client Secrets",type=integer,JSONPath=`.status.totalClientSecrets` +// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.phase` // +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp` // +kubebuilder:subresource:status type OIDCClient struct { 
diff --git a/generated/1.21/crds/config.supervisor.pinniped.dev_oidcclients.yaml b/generated/1.21/crds/config.supervisor.pinniped.dev_oidcclients.yaml index 76c0cab0..e4978627 100644 --- a/generated/1.21/crds/config.supervisor.pinniped.dev_oidcclients.yaml +++ b/generated/1.21/crds/config.supervisor.pinniped.dev_oidcclients.yaml @@ -18,6 +18,15 @@ spec: scope: Namespaced versions: - additionalPrinterColumns: + - jsonPath: .spec.allowedScopes[?(@ == "pinniped:request-audience")] + name: Privileged Scopes + type: string + - jsonPath: .status.totalClientSecrets + name: Client Secrets + type: integer + - jsonPath: .status.phase + name: Status + type: string - jsonPath: .metadata.creationTimestamp name: Age type: date diff --git a/generated/1.22/apis/supervisor/config/v1alpha1/types_oidcclient.go b/generated/1.22/apis/supervisor/config/v1alpha1/types_oidcclient.go index 8604a4f1..719a597f 100644 --- a/generated/1.22/apis/supervisor/config/v1alpha1/types_oidcclient.go +++ b/generated/1.22/apis/supervisor/config/v1alpha1/types_oidcclient.go 
@@ -88,13 +88,17 @@ type OIDCClientStatus struct { Conditions []Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"` // totalClientSecrets is the current number of client secrets that are detected for this OIDCClient. - TotalClientSecrets int32 `json:"totalClientSecrets,omitempty"` + // +optional + TotalClientSecrets int32 `json:"totalClientSecrets"` // do not omitempty to allow it to show in the printer column even when it is 0 } // OIDCClient describes the configuration of an OIDC client. // +genclient // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object // +kubebuilder:resource:categories=pinniped +// +kubebuilder:printcolumn:name="Privileged Scopes",type=string,JSONPath=`.spec.allowedScopes[?(@ == "pinniped:request-audience")]` +// +kubebuilder:printcolumn:name="Client Secrets",type=integer,JSONPath=`.status.totalClientSecrets` +// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.phase` // +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp` // +kubebuilder:subresource:status type OIDCClient struct { diff --git a/generated/1.22/crds/config.supervisor.pinniped.dev_oidcclients.yaml b/generated/1.22/crds/config.supervisor.pinniped.dev_oidcclients.yaml index 76c0cab0..e4978627 100644 --- a/generated/1.22/crds/config.supervisor.pinniped.dev_oidcclients.yaml +++ b/generated/1.22/crds/config.supervisor.pinniped.dev_oidcclients.yaml @@ -18,6 +18,15 @@ spec: scope: Namespaced versions: - additionalPrinterColumns: + - jsonPath: .spec.allowedScopes[?(@ == "pinniped:request-audience")] + name: Privileged Scopes + type: string + - jsonPath: .status.totalClientSecrets + name: Client Secrets + type: integer + - jsonPath: .status.phase + name: Status + type: string - jsonPath: .metadata.creationTimestamp name: Age type: date 
diff --git a/generated/1.23/apis/supervisor/config/v1alpha1/types_oidcclient.go b/generated/1.23/apis/supervisor/config/v1alpha1/types_oidcclient.go index 8604a4f1..719a597f 100644 --- a/generated/1.23/apis/supervisor/config/v1alpha1/types_oidcclient.go +++ b/generated/1.23/apis/supervisor/config/v1alpha1/types_oidcclient.go @@ -88,13 +88,17 @@ type OIDCClientStatus struct { Conditions []Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"` // totalClientSecrets is the current number of client secrets that are detected for this OIDCClient. - TotalClientSecrets int32 `json:"totalClientSecrets,omitempty"` + // +optional + TotalClientSecrets int32 `json:"totalClientSecrets"` // do not omitempty to allow it to show in the printer column even when it is 0 } // OIDCClient describes the configuration of an OIDC client. // +genclient // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object // +kubebuilder:resource:categories=pinniped +// +kubebuilder:printcolumn:name="Privileged Scopes",type=string,JSONPath=`.spec.allowedScopes[?(@ == "pinniped:request-audience")]` +// +kubebuilder:printcolumn:name="Client Secrets",type=integer,JSONPath=`.status.totalClientSecrets` +// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.phase` // +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp` // +kubebuilder:subresource:status type OIDCClient struct { diff --git a/generated/1.23/crds/config.supervisor.pinniped.dev_oidcclients.yaml b/generated/1.23/crds/config.supervisor.pinniped.dev_oidcclients.yaml index 76c0cab0..e4978627 100644 --- a/generated/1.23/crds/config.supervisor.pinniped.dev_oidcclients.yaml +++ b/generated/1.23/crds/config.supervisor.pinniped.dev_oidcclients.yaml 
@@ -18,6 +18,15 @@ spec: scope: Namespaced versions: - additionalPrinterColumns: + - jsonPath: .spec.allowedScopes[?(@ == "pinniped:request-audience")] + name: Privileged Scopes + type: string + - jsonPath: .status.totalClientSecrets + name: Client Secrets + type: integer + - jsonPath: .status.phase + name: Status + type: string - jsonPath: .metadata.creationTimestamp name: Age type: date diff --git a/generated/1.24/apis/supervisor/config/v1alpha1/types_oidcclient.go b/generated/1.24/apis/supervisor/config/v1alpha1/types_oidcclient.go index 8604a4f1..719a597f 100644 --- a/generated/1.24/apis/supervisor/config/v1alpha1/types_oidcclient.go +++ b/generated/1.24/apis/supervisor/config/v1alpha1/types_oidcclient.go @@ -88,13 +88,17 @@ type OIDCClientStatus struct { Conditions []Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"` // totalClientSecrets is the current number of client secrets that are detected for this OIDCClient. - TotalClientSecrets int32 `json:"totalClientSecrets,omitempty"` + // +optional + TotalClientSecrets int32 `json:"totalClientSecrets"` // do not omitempty to allow it to show in the printer column even when it is 0 } // OIDCClient describes the configuration of an OIDC client. // +genclient // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object // +kubebuilder:resource:categories=pinniped +// +kubebuilder:printcolumn:name="Privileged Scopes",type=string,JSONPath=`.spec.allowedScopes[?(@ == "pinniped:request-audience")]` +// +kubebuilder:printcolumn:name="Client Secrets",type=integer,JSONPath=`.status.totalClientSecrets` +// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.phase` // +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp` // +kubebuilder:subresource:status type OIDCClient struct { 
diff --git a/generated/1.24/crds/config.supervisor.pinniped.dev_oidcclients.yaml b/generated/1.24/crds/config.supervisor.pinniped.dev_oidcclients.yaml index 76c0cab0..e4978627 100644 --- a/generated/1.24/crds/config.supervisor.pinniped.dev_oidcclients.yaml +++ b/generated/1.24/crds/config.supervisor.pinniped.dev_oidcclients.yaml @@ -18,6 +18,15 @@ spec: scope: Namespaced versions: - additionalPrinterColumns: + - jsonPath: .spec.allowedScopes[?(@ == "pinniped:request-audience")] + name: Privileged Scopes + type: string + - jsonPath: .status.totalClientSecrets + name: Client Secrets + type: integer + - jsonPath: .status.phase + name: Status + type: string - jsonPath: .metadata.creationTimestamp name: Age type: date diff --git a/generated/latest/apis/supervisor/config/v1alpha1/types_oidcclient.go b/generated/latest/apis/supervisor/config/v1alpha1/types_oidcclient.go index 8604a4f1..719a597f 100644 --- a/generated/latest/apis/supervisor/config/v1alpha1/types_oidcclient.go +++ b/generated/latest/apis/supervisor/config/v1alpha1/types_oidcclient.go 
@@ -88,13 +88,17 @@ type OIDCClientStatus struct { Conditions []Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"` // totalClientSecrets is the current number of client secrets that are detected for this OIDCClient. - TotalClientSecrets int32 `json:"totalClientSecrets,omitempty"` + // +optional + TotalClientSecrets int32 `json:"totalClientSecrets"` // do not omitempty to allow it to show in the printer column even when it is 0 } // OIDCClient describes the configuration of an OIDC client. // +genclient // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object // +kubebuilder:resource:categories=pinniped +// +kubebuilder:printcolumn:name="Privileged Scopes",type=string,JSONPath=`.spec.allowedScopes[?(@ == "pinniped:request-audience")]` +// +kubebuilder:printcolumn:name="Client Secrets",type=integer,JSONPath=`.status.totalClientSecrets` +// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.phase` // +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp` // +kubebuilder:subresource:status type OIDCClient struct { diff --git a/test/integration/kube_api_discovery_test.go b/test/integration/kube_api_discovery_test.go index c46d01bf..d2a49fa2 100644 --- a/test/integration/kube_api_discovery_test.go +++ b/test/integration/kube_api_discovery_test.go @@ -527,6 +527,9 @@ func TestCRDAdditionalPrinterColumns_Parallel(t *testing.T) { }, addSuffix("oidcclients.config.supervisor"): { "v1alpha1": []apiextensionsv1.CustomResourceColumnDefinition{ + {Name: "Privileged Scopes", Type: "string", JSONPath: `.spec.allowedScopes[?(@ == "pinniped:request-audience")]`}, + {Name: "Client Secrets", Type: "integer", JSONPath: ".status.totalClientSecrets"}, + {Name: "Status", Type: "string", JSONPath: ".status.phase"}, {Name: "Age", Type: "date", JSONPath: ".metadata.creationTimestamp"}, }, }, From 88f611d31a07382565ca78485980023ac8ef2145 Mon Sep 17 00:00:00 2001 
From: Ryan Richard Date: Fri, 22 Jul 2022 15:19:19 -0700 Subject: [PATCH 38/61] Be extra defensive and don't lookup dynamic client ID's lacking prefix --- .../oidc/clientregistry/clientregistry.go | 17 ++++++++++--- .../clientregistry/clientregistry_test.go | 25 +++++++++++++++++++ internal/supervisor/server/server.go | 2 +- 3 files changed, 40 insertions(+), 4 deletions(-) diff --git a/internal/oidc/clientregistry/clientregistry.go b/internal/oidc/clientregistry/clientregistry.go index 0de96cfa..90451784 100644 --- a/internal/oidc/clientregistry/clientregistry.go +++ b/internal/oidc/clientregistry/clientregistry.go @@ -7,6 +7,7 @@ package clientregistry import ( "context" "fmt" + "strings" "time" "github.com/coreos/go-oidc/v3/oidc" @@ -21,8 +22,12 @@ import ( "go.pinniped.dev/internal/plog" ) -// PinnipedCLIClientID is the client ID of the statically defined public OIDC client which is used by the CLI. -const PinnipedCLIClientID = "pinniped-cli" +const ( + // PinnipedCLIClientID is the client ID of the statically defined public OIDC client which is used by the CLI. + PinnipedCLIClientID = "pinniped-cli" + + requiredOIDCClientPrefix = "client.oauth.pinniped.dev-" +) // Client represents a Pinniped OAuth/OIDC client. It can be the static pinniped-cli client // or a dynamic client defined by an OIDCClient CR. @@ -37,7 +42,7 @@ var ( _ fosite.ResponseModeClient = (*Client)(nil) ) -func (c Client) GetResponseModes() []fosite.ResponseModeType { +func (c *Client) GetResponseModes() []fosite.ResponseModeType { if c.ID == PinnipedCLIClientID { // The pinniped-cli client supports "" (unspecified), "query", and "form_post" response modes. return []fosite.ResponseModeType{fosite.ResponseModeDefault, fosite.ResponseModeQuery, fosite.ResponseModeFormPost} 
@@ -78,6 +83,12 @@ func (m *ClientManager) GetClient(ctx context.Context, id string) (fosite.Client
 return PinnipedCLI(), nil
 }
 
+ if !strings.HasPrefix(id, requiredOIDCClientPrefix) {
+ // It shouldn't really be possible to find this OIDCClient because the OIDCClient CRD validates the name prefix
+ // upon create, but just in case, don't even try to lookup clients which lack the required name prefix.
+ return nil, fosite.ErrNotFound.WithDescription("no such client")
+ }
+
 // Try to look up an OIDCClient with the given client ID (which will be the Name of the OIDCClient).
 oidcClient, err := m.oidcClientsClient.Get(ctx, id, v1.GetOptions{})
 if errors.IsNotFound(err) {
diff --git a/internal/oidc/clientregistry/clientregistry_test.go b/internal/oidc/clientregistry/clientregistry_test.go
index 77ab18b9..b0b2e01e 100644
--- a/internal/oidc/clientregistry/clientregistry_test.go
+++ b/internal/oidc/clientregistry/clientregistry_test.go
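Review bot: The new prefix guard is only correct because the `return PinnipedCLI(), nil` early return sits above it — the static `pinniped-cli` ID does not start with `client.oauth.pinniped.dev-` and would be rejected by this check if the two were ever reordered, yet nothing in the code pins that ordering. A comment on the guard would make the dependency explicit: `// Must stay below the pinniped-cli early return: the static client ID does not carry the prefix.` The `requiredOIDCClientPrefix` constant also duplicates the name-prefix rule that the comment attributes to the CRD validation, so its doc comment should name that validation as the source of truth, otherwise a future change to one silently breaks the other. GetClient's body continues outside the hunk.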
@@ -125,6 +125,31 @@ func TestClientManager(t *testing.T) {
 require.Nil(t, got)
 },
 },
+ {
+ name: "find a dynamic client which somehow does not have the required prefix in its name, just in case, although should not be possible since prefix is a validation on the CRD",
+ oidcClients: []*configv1alpha1.OIDCClient{
+ {
+ ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: "does-not-have-prefix", Generation: 1234, UID: testUID},
+ Spec: configv1alpha1.OIDCClientSpec{
+ AllowedGrantTypes: []configv1alpha1.GrantType{"authorization_code", "urn:ietf:params:oauth:grant-type:token-exchange", "refresh_token"},
+ AllowedScopes: []configv1alpha1.Scope{"openid", "offline_access", "pinniped:request-audience", "username", "groups"},
+ AllowedRedirectURIs: []configv1alpha1.RedirectURI{"http://localhost:80", "https://foobar.com/callback"},
+ },
+ },
+ },
+ secrets: []*corev1.Secret{
+ testutil.OIDCClientSecretStorageSecretForUID(t, testNamespace, testUID, []string{testutil.HashedPassword1AtSupervisorMinCost, testutil.HashedPassword2AtSupervisorMinCost}),
+ },
+ run: func(t *testing.T, subject *ClientManager) {
+ got, err := subject.GetClient(ctx, "does-not-have-prefix")
+ require.Error(t, err)
+ require.Nil(t, got)
+ rfcErr := fosite.ErrorToRFC6749Error(err)
+ require.NotNil(t, rfcErr)
+ require.Equal(t, rfcErr.CodeField, 404)
+ require.Equal(t, rfcErr.GetDescription(), "no such client")
+ },
+ },
 {
 name: "when there is an unexpected error getting the OIDCClient",
 addSupervisorReactions: func(client *supervisorfake.Clientset) {
diff --git a/internal/supervisor/server/server.go b/internal/supervisor/server/server.go
index ac71376a..76a034ff 100644
--- a/internal/supervisor/server/server.go
+++ b/internal/supervisor/server/server.go
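Review bot: The two `require.Equal` calls in the new case pass the actual value before the expected one — `require.Equal(t, rfcErr.CodeField, 404)` and `require.Equal(t, rfcErr.GetDescription(), "no such client")` — while testify's signature is `Equal(t, expected, actual)`, so a failure would print the expected/actual diff backwards; swap them to `require.Equal(t, 404, rfcErr.CodeField)` and `require.Equal(t, "no such client", rfcErr.GetDescription())`. The `secrets` fixture with two hashed passwords is never consulted here, because the prefix guard returns before any lookup, so either drop it or add a one-line comment saying it exists to prove the guard fires before the secret is read. TestClientManager's table and runner start and end outside the hunk.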
@@ -439,7 +439,7 @@ func runSupervisor(ctx context.Context, podInfo *downward.PodInfo, cfg *supervis
 dynamicUpstreamIDPProvider,
 &secretCache,
 clientWithoutLeaderElection.Kubernetes.CoreV1().Secrets(serverInstallationNamespace), // writes to kube storage are allowed for non-leaders
- clientWithoutLeaderElection.PinnipedSupervisor.ConfigV1alpha1().OIDCClients(serverInstallationNamespace),
+ client.PinnipedSupervisor.ConfigV1alpha1().OIDCClients(serverInstallationNamespace),
 )
 // Get the "real" name of the client secret supervisor API group (i.e., the API group name with the
From 22fbced863d3f9d6d032efac1b16eafc2d8691ee Mon Sep 17 00:00:00 2001
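Review bot: The changed argument moves the OIDCClients client from `clientWithoutLeaderElection` to `client` (presumably the leader-election-aware clientset, judging by the names) without saying why, while the Secrets argument directly above carries a trailing comment justifying its choice of client. A parallel trailing comment would spare the next reader the inference, e.g. `client.PinnipedSupervisor.ConfigV1alpha1().OIDCClients(serverInstallationNamespace), // <reason this must use the leader-election-aware client>` with the placeholder filled in by the author, since the difference between the two clientsets is not visible in this hunk. runSupervisor starts and ends outside the hunk.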
From: Ryan Richard Date: Mon, 8 Aug 2022 16:29:22 -0700 Subject: [PATCH 39/61] Create username scope, required for clients to get username in ID token - For backwards compatibility with older Pinniped CLIs, the pinniped-cli client does not need to request the username or groups scopes for them to be granted. For dynamic clients, the usual OAuth2 rules apply: the client must be allowed to request the scopes according to its configuration, and the client must actually request the scopes in the authorization request. - If the username scope was not granted, then there will be no username in the ID token, and the cluster-scoped token exchange will fail since there would be no username in the resulting cluster-scoped ID token. - The OIDC well-known discovery endpoint lists the username and groups scopes in the scopes_supported list, and lists the username and groups claims in the claims_supported list. - Add username and groups scopes to the default list of scopes put into kubeconfig files by "pinniped get kubeconfig" CLI command, and the default list of scopes used by "pinniped login oidc" when no list of scopes is specified in the kubeconfig file - The warning header about group memberships changing during upstream refresh will only be sent to the pinniped-cli client, since it is only intended for kubectl and it could leak the username to the client (which may not have the username scope granted) through the warning message text. - Add the user's username to the session storage as a new field, so that during upstream refresh we can compare the original username from the initial authorization to the refreshed username, even in the case when the username scope was not granted (and therefore the username is not stored in the ID token claims of the session storage) - Bump the Supervisor session storage format version from 2 to 3 due to the username field being added to the session struct - Extract commonly used string constants related to OIDC flows to api package. 
- Change some import names to make them consistent: - Always import github.com/coreos/go-oidc/v3/oidc as "coreosoidc" - Always import go.pinniped.dev/generated/latest/apis/supervisor/oidc as "oidcapi" - Always import go.pinniped.dev/internal/oidc as "oidc" --- .../oidc/types_supervisor_oidc.go.tmpl | 65 +- cmd/pinniped/cmd/kubeconfig.go | 9 +- cmd/pinniped/cmd/kubeconfig_test.go | 40 +- cmd/pinniped/cmd/login_oidc.go | 6 +- cmd/pinniped/cmd/login_oidc_test.go | 2 +- .../supervisor/oidc/types_supervisor_oidc.go | 65 +- .../supervisor/oidc/types_supervisor_oidc.go | 65 +- .../supervisor/oidc/types_supervisor_oidc.go | 65 +- .../supervisor/oidc/types_supervisor_oidc.go | 65 +- .../supervisor/oidc/types_supervisor_oidc.go | 65 +- .../supervisor/oidc/types_supervisor_oidc.go | 65 +- .../supervisor/oidc/types_supervisor_oidc.go | 65 +- .../supervisor/oidc/types_supervisor_oidc.go | 65 +- .../supervisor/oidc/types_supervisor_oidc.go | 65 +- .../jwtcachefiller/jwtcachefiller.go | 5 +- .../oidcclientwatcher/oidc_client_watcher.go | 3 +- .../oidc_upstream_watcher.go | 19 +- .../supervisorstorage/garbage_collector.go | 5 +- .../garbage_collector_test.go | 45 +- .../fositestorage/accesstoken/accesstoken.go | 5 +- .../accesstoken/accesstoken_test.go | 19 +- .../authorizationcode/authorizationcode.go | 45 +- .../authorizationcode_test.go | 21 +- .../openidconnect/openidconnect.go | 5 +- .../openidconnect/openidconnect_test.go | 6 +- internal/fositestorage/pkce/pkce.go | 5 +- internal/fositestorage/pkce/pkce_test.go | 6 +- .../refreshtoken/refreshtoken.go | 3 +- .../refreshtoken/refreshtoken_test.go | 21 +- internal/oidc/auth/auth_handler.go | 42 +- internal/oidc/auth/auth_handler_test.go | 59 +- internal/oidc/callback/callback_handler.go | 7 +- .../oidc/callback/callback_handler_test.go | 308 +++- .../oidc/clientregistry/clientregistry.go | 41 +- .../clientregistry/clientregistry_test.go | 3 +- internal/oidc/discovery/discovery_handler.go | 5 +- 
.../oidc/discovery/discovery_handler_test.go | 4 +- .../downstreamsession/downstream_session.go | 58 +- internal/oidc/login/post_login_handler.go | 7 +- .../oidc/login/post_login_handler_test.go | 173 ++- internal/oidc/oidc.go | 38 +- .../oidcclientvalidator.go | 42 +- .../oidc/provider/manager/manager_test.go | 4 +- internal/oidc/token/token_handler.go | 77 +- internal/oidc/token/token_handler_test.go | 1256 +++++++++-------- internal/oidc/token_exchange.go | 49 +- internal/psession/pinniped_session.go | 5 + internal/testutil/oidcclient.go | 58 +- .../testutil/oidctestutil/oidctestutil.go | 14 +- internal/testutil/psession.go | 1 + internal/upstreamldap/upstreamldap.go | 6 +- internal/upstreamoidc/upstreamoidc.go | 12 +- pkg/oidcclient/login.go | 30 +- pkg/oidcclient/nonce/nonce.go | 10 +- .../docs/reference/code-walkthrough.md | 6 +- test/integration/e2e_test.go | 128 +- test/integration/supervisor_discovery_test.go | 4 +- test/integration/supervisor_login_test.go | 332 ++++- test/integration/supervisor_warnings_test.go | 5 +- 59 files changed, 2576 insertions(+), 1128 deletions(-) diff --git a/apis/supervisor/oidc/types_supervisor_oidc.go.tmpl b/apis/supervisor/oidc/types_supervisor_oidc.go.tmpl index b35aafcb..cb6fe627 100644 --- a/apis/supervisor/oidc/types_supervisor_oidc.go.tmpl +++ b/apis/supervisor/oidc/types_supervisor_oidc.go.tmpl 
@@ -15,11 +15,68 @@ const (
 // or an LDAPIdentityProvider.
 AuthorizePasswordHeaderName = "Pinniped-Password" //nolint:gosec // this is not a credential
- // AuthorizeUpstreamIDPNameParamName is the name of the HTTP request parameter which can be used to help select which
- // identity provider should be used for authentication by sending the name of the desired identity provider.
+ // AuthorizeUpstreamIDPNameParamName is the name of the HTTP request parameter which can be used to help select
+ // which identity provider should be used for authentication by sending the name of the desired identity provider.
 AuthorizeUpstreamIDPNameParamName = "pinniped_idp_name"
- // AuthorizeUpstreamIDPTypeParamName is the name of the HTTP request parameter which can be used to help select which
- // identity provider should be used for authentication by sending the type of the desired identity provider.
+ // AuthorizeUpstreamIDPTypeParamName is the name of the HTTP request parameter which can be used to help select
+ // which identity provider should be used for authentication by sending the type of the desired identity provider.
 AuthorizeUpstreamIDPTypeParamName = "pinniped_idp_type"
+
+ // IDTokenClaimIssuer is name of the issuer claim defined by the OIDC spec.
+ IDTokenClaimIssuer = "iss"
+
+ // IDTokenClaimSubject is name of the subject claim defined by the OIDC spec.
+ IDTokenClaimSubject = "sub"
+
+ // IDTokenClaimAuthorizedParty is name of the authorized party claim defined by the OIDC spec.
+ IDTokenClaimAuthorizedParty = "azp"
+
+ // IDTokenClaimUsername is the name of a custom claim in the downstream ID token whose value will contain the user's
+ // username which was mapped from the upstream identity provider.
+ IDTokenClaimUsername = "username"
+
+ // IDTokenClaimGroups is the name of a custom claim in the downstream ID token whose value will contain the user's
+ // group names which were mapped from the upstream identity provider.
+ IDTokenClaimGroups = "groups"
+
+ // GrantTypeAuthorizationCode is the name of the grant type for authorization code flows defined by the OIDC spec.
+ GrantTypeAuthorizationCode = "authorization_code"
+
+ // GrantTypeRefreshToken is the name of the grant type for refresh flow defined by the OIDC spec.
+ GrantTypeRefreshToken = "refresh_token"
+
+ // GrantTypeTokenExchange is the name of a custom grant type for RFC8693 token exchanges.
+ GrantTypeTokenExchange = "urn:ietf:params:oauth:grant-type:token-exchange" //nolint:gosec // this is not a credential
+
+ // ScopeOpenID is name of the openid scope defined by the OIDC spec.
+ ScopeOpenID = "openid"
+
+ // ScopeOfflineAccess is name of the offline access scope defined by the OIDC spec, used for requesting refresh
+ // tokens.
+ ScopeOfflineAccess = "offline_access"
+
+ // ScopeEmail is name of the email scope defined by the OIDC spec.
+ ScopeEmail = "email"
+
+ // ScopeProfile is name of the profile scope defined by the OIDC spec.
+ ScopeProfile = "profile"
+
+ // ScopeUsername is the name of a custom scope that determines whether the username claim will be returned inside
+ // ID tokens.
+ ScopeUsername = "username"
+
+ // ScopeGroups is the name of a custom scope that determines whether the groups claim will be returned inside
+ // ID tokens.
+ ScopeGroups = "groups"
+
+ // ScopeRequestAudience is the name of a custom scope that determines whether a RFC8693 token exchange is allowed to
+ // be used to request a different audience.
+ ScopeRequestAudience = "pinniped:request-audience"
+
+ // ClientIDPinnipedCLI is the client ID of the statically defined public OIDC client which is used by the CLI.
+ ClientIDPinnipedCLI = "pinniped-cli"
+
+ // ClientIDRequiredOIDCClientPrefix is the required prefix for the metadata.name of OIDCClient CRs.
+ ClientIDRequiredOIDCClientPrefix = "client.oauth.pinniped.dev-"
 )
diff --git a/cmd/pinniped/cmd/kubeconfig.go b/cmd/pinniped/cmd/kubeconfig.go
index 1e59f481..e03834d3 100644
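Review bot: The doc comment on `ClientIDRequiredOIDCClientPrefix` says the prefix is required for `metadata.name` of OIDCClient CRs but not where that requirement is enforced; the clientregistry.go change earlier on this page relies on the CRD validating the name prefix, so this constant and the CRD's name validation must be changed together. Suggest `// ClientIDRequiredOIDCClientPrefix is the required prefix for the metadata.name of OIDCClient CRs. It must be kept in sync with the name validation on the OIDCClient CRD.` Several of the new comments also drop the article (`is name of the issuer claim`, `is name of the subject claim`, `is name of the openid scope`, and so on); `is the name of` matches the other entries in the same block. This template produces the identical hunks in generated/1.17, 1.18 and 1.19 further down, which pick up the fix on regeneration.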
--- a/cmd/pinniped/cmd/kubeconfig.go
+++ b/cmd/pinniped/cmd/kubeconfig.go
@@ -17,7 +17,7 @@ import (
 "strings"
 "time"
- "github.com/coreos/go-oidc/v3/oidc"
+ coreosoidc "github.com/coreos/go-oidc/v3/oidc"
 "github.com/spf13/cobra"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 clientauthenticationv1beta1 "k8s.io/client-go/pkg/apis/clientauthentication/v1beta1"
@@ -28,6 +28,7 @@ import (
 conciergev1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1"
 configv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/config/v1alpha1"
 idpdiscoveryv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/idpdiscovery/v1alpha1"
+ oidcapi "go.pinniped.dev/generated/latest/apis/supervisor/oidc"
 conciergeclientset "go.pinniped.dev/generated/latest/client/concierge/clientset/versioned"
 "go.pinniped.dev/internal/groupsuffix"
 "go.pinniped.dev/internal/net/phttp"
@@ -126,9 +127,9 @@ func kubeconfigCommand(deps kubeconfigDeps) *cobra.Command {
 f.Var(&flags.concierge.mode, "concierge-mode", "Concierge mode of operation")
 f.StringVar(&flags.oidc.issuer, "oidc-issuer", "", "OpenID Connect issuer URL (default: autodiscover)")
- f.StringVar(&flags.oidc.clientID, "oidc-client-id", "pinniped-cli", "OpenID Connect client ID (default: autodiscover)")
+ f.StringVar(&flags.oidc.clientID, "oidc-client-id", oidcapi.ClientIDPinnipedCLI, "OpenID Connect client ID (default: autodiscover)")
 f.Uint16Var(&flags.oidc.listenPort, "oidc-listen-port", 0, "TCP port for localhost listener (authorization code flow only)")
- f.StringSliceVar(&flags.oidc.scopes, "oidc-scopes", []string{oidc.ScopeOfflineAccess, oidc.ScopeOpenID, "pinniped:request-audience"}, "OpenID Connect scopes to request during login")
+ f.StringSliceVar(&flags.oidc.scopes, "oidc-scopes", []string{oidcapi.ScopeOfflineAccess, oidcapi.ScopeOpenID, oidcapi.ScopeRequestAudience, oidcapi.ScopeUsername, oidcapi.ScopeGroups}, "OpenID Connect scopes to request during login")
 f.BoolVar(&flags.oidc.skipBrowser, "oidc-skip-browser", false, "During OpenID Connect login, skip opening the browser (just print the URL)")
 f.BoolVar(&flags.oidc.skipListen, "oidc-skip-listen", false, "During OpenID Connect login, skip starting a localhost callback listener (manual copy/paste flow only)")
 f.StringVar(&flags.oidc.sessionCachePath, "oidc-session-cache", "", "Path to OpenID Connect session cache file")
@@ -784,7 +785,7 @@ func newDiscoveryHTTPClient(caBundleFlag caBundleFlag) (*http.Client, error) {
 }
 func discoverIDPsDiscoveryEndpointURL(ctx context.Context, issuer string, httpClient *http.Client) (string, error) {
- discoveredProvider, err := oidc.NewProvider(oidc.ClientContext(ctx, httpClient), issuer)
+ discoveredProvider, err := coreosoidc.NewProvider(coreosoidc.ClientContext(ctx, httpClient), issuer)
 if err != nil {
 return "", fmt.Errorf("while fetching OIDC discovery data from issuer: %w", err)
 }
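Review bot: The default scope list `[]string{oidcapi.ScopeOfflineAccess, oidcapi.ScopeOpenID, oidcapi.ScopeRequestAudience, oidcapi.ScopeUsername, oidcapi.ScopeGroups}` is now spelled out twice in this package — here for `--oidc-scopes` and again in login_oidc.go for `--scopes` (the `@@ -98,9 +98,9 @@` hunk further down) — and the help-text expectations in both test files pin the same list, so the two literals can drift apart without anything failing at compile time. A package-level helper such as `func defaultOIDCScopes() []string { return []string{oidcapi.ScopeOfflineAccess, oidcapi.ScopeOpenID, oidcapi.ScopeRequestAudience, oidcapi.ScopeUsername, oidcapi.ScopeGroups} }`, called at both flag registrations, would keep them aligned while still handing each flag its own slice rather than one shared backing array. kubeconfigCommand starts and ends outside the hunk.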
diff --git a/cmd/pinniped/cmd/kubeconfig_test.go b/cmd/pinniped/cmd/kubeconfig_test.go index 9c3ee5e0..b6c6428f 100644 --- a/cmd/pinniped/cmd/kubeconfig_test.go +++ b/cmd/pinniped/cmd/kubeconfig_test.go @@ -142,7 +142,7 @@ func TestGetKubeconfig(t *testing.T) { --oidc-issuer string OpenID Connect issuer URL (default: autodiscover) --oidc-listen-port uint16 TCP port for localhost listener (authorization code flow only) --oidc-request-audience string Request a token with an alternate audience using RFC8693 token exchange - --oidc-scopes strings OpenID Connect scopes to request during login (default [offline_access,openid,pinniped:request-audience]) + --oidc-scopes strings OpenID Connect scopes to request during login (default [offline_access,openid,pinniped:request-audience,username,groups]) --oidc-session-cache string Path to OpenID Connect session cache file --oidc-skip-browser During OpenID Connect login, skip opening the browser (just print the URL) -o, --output string Output file path (default: stdout) @@ -1290,7 +1290,7 @@ func TestGetKubeconfig(t *testing.T) { - oidc - --issuer=%s - --client-id=pinniped-cli - - --scopes=offline_access,openid,pinniped:request-audience + - --scopes=offline_access,openid,pinniped:request-audience,username,groups - --ca-bundle-data=%s - --upstream-identity-provider-name=some-ldap-idp - --upstream-identity-provider-type=ldap @@ -1496,7 +1496,7 @@ func TestGetKubeconfig(t *testing.T) { - --concierge-ca-bundle-data=ZmFrZS1jZXJ0aWZpY2F0ZS1hdXRob3JpdHktZGF0YS12YWx1ZQ== - --issuer=%s - --client-id=pinniped-cli - - --scopes=offline_access,openid,pinniped:request-audience + - --scopes=offline_access,openid,pinniped:request-audience,username,groups - --ca-bundle-data=%s - --request-audience=test-audience command: '.../path/to/pinniped' 
@@ -1577,7 +1577,7 @@ func TestGetKubeconfig(t *testing.T) { - --credential-cache=/path/to/cache/dir/credentials.yaml - --issuer=%s - --client-id=pinniped-cli - - --scopes=offline_access,openid,pinniped:request-audience + - --scopes=offline_access,openid,pinniped:request-audience,username,groups - --skip-browser - --skip-listen - --listen-port=1234 @@ -1695,7 +1695,7 @@ func TestGetKubeconfig(t *testing.T) { - --concierge-ca-bundle-data=%s - --issuer=%s - --client-id=pinniped-cli - - --scopes=offline_access,openid,pinniped:request-audience + - --scopes=offline_access,openid,pinniped:request-audience,username,groups - --ca-bundle-data=%s - --request-audience=test-audience command: '.../path/to/pinniped' @@ -1804,7 +1804,7 @@ func TestGetKubeconfig(t *testing.T) { - --concierge-ca-bundle-data=dGVzdC1jb25jaWVyZ2UtY2E= - --issuer=%s - --client-id=pinniped-cli - - --scopes=offline_access,openid,pinniped:request-audience + - --scopes=offline_access,openid,pinniped:request-audience,username,groups - --ca-bundle-data=%s - --request-audience=test-audience command: '.../path/to/pinniped' @@ -1881,7 +1881,7 @@ func TestGetKubeconfig(t *testing.T) { - --concierge-ca-bundle-data=ZmFrZS1jZXJ0aWZpY2F0ZS1hdXRob3JpdHktZGF0YS12YWx1ZQ== - --issuer=%s - --client-id=pinniped-cli - - --scopes=offline_access,openid,pinniped:request-audience + - --scopes=offline_access,openid,pinniped:request-audience,username,groups - --ca-bundle-data=%s - --request-audience=test-audience - --upstream-identity-provider-name=some-ldap-idp @@ -1960,7 +1960,7 @@ func TestGetKubeconfig(t *testing.T) { - --concierge-ca-bundle-data=ZmFrZS1jZXJ0aWZpY2F0ZS1hdXRob3JpdHktZGF0YS12YWx1ZQ== - --issuer=%s - --client-id=pinniped-cli - - --scopes=offline_access,openid,pinniped:request-audience + - --scopes=offline_access,openid,pinniped:request-audience,username,groups - --ca-bundle-data=%s - --request-audience=test-audience - --upstream-identity-provider-name=some-oidc-idp 
@@ -2037,7 +2037,7 @@ func TestGetKubeconfig(t *testing.T) { - --concierge-ca-bundle-data=ZmFrZS1jZXJ0aWZpY2F0ZS1hdXRob3JpdHktZGF0YS12YWx1ZQ== - --issuer=%s - --client-id=pinniped-cli - - --scopes=offline_access,openid,pinniped:request-audience + - --scopes=offline_access,openid,pinniped:request-audience,username,groups - --ca-bundle-data=%s - --request-audience=test-audience command: '.../path/to/pinniped' @@ -2110,7 +2110,7 @@ func TestGetKubeconfig(t *testing.T) { - --concierge-ca-bundle-data=ZmFrZS1jZXJ0aWZpY2F0ZS1hdXRob3JpdHktZGF0YS12YWx1ZQ== - --issuer=%s - --client-id=pinniped-cli - - --scopes=offline_access,openid,pinniped:request-audience + - --scopes=offline_access,openid,pinniped:request-audience,username,groups - --ca-bundle-data=%s - --request-audience=test-audience command: '.../path/to/pinniped' @@ -2190,7 +2190,7 @@ func TestGetKubeconfig(t *testing.T) { - --concierge-ca-bundle-data=ZmFrZS1jZXJ0aWZpY2F0ZS1hdXRob3JpdHktZGF0YS12YWx1ZQ== - --issuer=%s - --client-id=pinniped-cli - - --scopes=offline_access,openid,pinniped:request-audience + - --scopes=offline_access,openid,pinniped:request-audience,username,groups - --ca-bundle-data=%s - --request-audience=test-audience command: '.../path/to/pinniped' @@ -2265,7 +2265,7 @@ func TestGetKubeconfig(t *testing.T) { - --concierge-ca-bundle-data=ZmFrZS1jZXJ0aWZpY2F0ZS1hdXRob3JpdHktZGF0YS12YWx1ZQ== - --issuer=%s - --client-id=pinniped-cli - - --scopes=offline_access,openid,pinniped:request-audience + - --scopes=offline_access,openid,pinniped:request-audience,username,groups - --ca-bundle-data=%s - --request-audience=test-audience - --upstream-identity-provider-name=some-oidc-idp 
@@ -2348,7 +2348,7 @@ func TestGetKubeconfig(t *testing.T) { - --concierge-ca-bundle-data=ZmFrZS1jZXJ0aWZpY2F0ZS1hdXRob3JpdHktZGF0YS12YWx1ZQ== - --issuer=%s - --client-id=pinniped-cli - - --scopes=offline_access,openid,pinniped:request-audience + - --scopes=offline_access,openid,pinniped:request-audience,username,groups - --ca-bundle-data=%s - --request-audience=test-audience - --upstream-identity-provider-name=some-oidc-idp @@ -2408,7 +2408,7 @@ func TestGetKubeconfig(t *testing.T) { - oidc - --issuer=%s - --client-id=pinniped-cli - - --scopes=offline_access,openid,pinniped:request-audience + - --scopes=offline_access,openid,pinniped:request-audience,username,groups - --ca-bundle-data=%s - --upstream-identity-provider-name=some-ldap-idp - --upstream-identity-provider-type=ldap @@ -2469,7 +2469,7 @@ func TestGetKubeconfig(t *testing.T) { - oidc - --issuer=%s - --client-id=pinniped-cli - - --scopes=offline_access,openid,pinniped:request-audience + - --scopes=offline_access,openid,pinniped:request-audience,username,groups - --ca-bundle-data=%s - --upstream-identity-provider-name=some-ldap-idp - --upstream-identity-provider-type=ldap @@ -2530,7 +2530,7 @@ func TestGetKubeconfig(t *testing.T) { - oidc - --issuer=%s - --client-id=pinniped-cli - - --scopes=offline_access,openid,pinniped:request-audience + - --scopes=offline_access,openid,pinniped:request-audience,username,groups - --ca-bundle-data=%s - --upstream-identity-provider-name=some-ldap-idp - --upstream-identity-provider-type=ldap @@ -2592,7 +2592,7 @@ func TestGetKubeconfig(t *testing.T) { - oidc - --issuer=%s - --client-id=pinniped-cli - - --scopes=offline_access,openid,pinniped:request-audience + - --scopes=offline_access,openid,pinniped:request-audience,username,groups - --ca-bundle-data=%s - --upstream-identity-provider-name=some-ldap-idp - --upstream-identity-provider-type=ldap 
@@ -2654,7 +2654,7 @@ func TestGetKubeconfig(t *testing.T) { - oidc - --issuer=%s - --client-id=pinniped-cli - - --scopes=offline_access,openid,pinniped:request-audience + - --scopes=offline_access,openid,pinniped:request-audience,username,groups - --ca-bundle-data=%s - --upstream-identity-provider-name=some-ldap-idp - --upstream-identity-provider-type=ldap @@ -2715,7 +2715,7 @@ func TestGetKubeconfig(t *testing.T) { - oidc - --issuer=%s - --client-id=pinniped-cli - - --scopes=offline_access,openid,pinniped:request-audience + - --scopes=offline_access,openid,pinniped:request-audience,username,groups - --ca-bundle-data=%s - --upstream-identity-provider-name=some-ldap-idp - --upstream-identity-provider-type=ldap @@ -2775,7 +2775,7 @@ func TestGetKubeconfig(t *testing.T) { - oidc - --issuer=%s - --client-id=pinniped-cli - - --scopes=offline_access,openid,pinniped:request-audience + - --scopes=offline_access,openid,pinniped:request-audience,username,groups - --ca-bundle-data=%s - --upstream-identity-provider-name=some-ldap-idp - --upstream-identity-provider-type=ldap diff --git a/cmd/pinniped/cmd/login_oidc.go b/cmd/pinniped/cmd/login_oidc.go index b31f8dd6..c792c916 100644 --- a/cmd/pinniped/cmd/login_oidc.go +++ b/cmd/pinniped/cmd/login_oidc.go @@ -16,12 +16,12 @@ import ( "strings" "time" - "github.com/coreos/go-oidc/v3/oidc" "github.com/spf13/cobra" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" clientauthv1beta1 "k8s.io/client-go/pkg/apis/clientauthentication/v1beta1" idpdiscoveryv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/idpdiscovery/v1alpha1" + oidcapi "go.pinniped.dev/generated/latest/apis/supervisor/oidc" "go.pinniped.dev/internal/execcredcache" "go.pinniped.dev/internal/groupsuffix" "go.pinniped.dev/internal/net/phttp" 
@@ -98,9 +98,9 @@ func oidcLoginCommand(deps oidcLoginCommandDeps) *cobra.Command {
 conciergeNamespace string // unused now
 )
 cmd.Flags().StringVar(&flags.issuer, "issuer", "", "OpenID Connect issuer URL")
- cmd.Flags().StringVar(&flags.clientID, "client-id", "pinniped-cli", "OpenID Connect client ID")
+ cmd.Flags().StringVar(&flags.clientID, "client-id", oidcapi.ClientIDPinnipedCLI, "OpenID Connect client ID")
 cmd.Flags().Uint16Var(&flags.listenPort, "listen-port", 0, "TCP port for localhost listener (authorization code flow only)")
- cmd.Flags().StringSliceVar(&flags.scopes, "scopes", []string{oidc.ScopeOfflineAccess, oidc.ScopeOpenID, "pinniped:request-audience"}, "OIDC scopes to request during login")
+ cmd.Flags().StringSliceVar(&flags.scopes, "scopes", []string{oidcapi.ScopeOfflineAccess, oidcapi.ScopeOpenID, oidcapi.ScopeRequestAudience, oidcapi.ScopeUsername, oidcapi.ScopeGroups}, "OIDC scopes to request during login")
 cmd.Flags().BoolVar(&flags.skipBrowser, "skip-browser", false, "Skip opening the browser (just print the URL)")
 cmd.Flags().BoolVar(&flags.skipListen, "skip-listen", false, "Skip starting a localhost callback listener (manual copy/paste flow only)")
 cmd.Flags().StringVar(&flags.sessionCachePath, "session-cache", filepath.Join(mustGetConfigDir(), "sessions.yaml"), "Path to session cache file")
diff --git a/cmd/pinniped/cmd/login_oidc_test.go b/cmd/pinniped/cmd/login_oidc_test.go
index 2e4fbd45..4d59861a 100644
--- a/cmd/pinniped/cmd/login_oidc_test.go
+++ b/cmd/pinniped/cmd/login_oidc_test.go
@@ -80,7 +80,7 @@ func TestLoginOIDCCommand(t *testing.T) {
 --issuer string OpenID Connect issuer URL
 --listen-port uint16 TCP port for localhost listener (authorization code flow only)
 --request-audience string Request a token with an alternate audience using RFC8693 token exchange
- --scopes strings OIDC scopes to request during login (default [offline_access,openid,pinniped:request-audience])
+ --scopes strings OIDC scopes to request during login (default [offline_access,openid,pinniped:request-audience,username,groups])
 --session-cache string Path to session cache file (default "` + cfgDir + `/sessions.yaml")
 --skip-browser Skip opening the browser (just print the URL)
 --upstream-identity-provider-flow string The type of client flow to use with the upstream identity provider during login with a Supervisor (e.g. 'browser_authcode', 'cli_password')
diff --git a/generated/1.17/apis/supervisor/oidc/types_supervisor_oidc.go b/generated/1.17/apis/supervisor/oidc/types_supervisor_oidc.go
index b35aafcb..cb6fe627 100644
--- a/generated/1.17/apis/supervisor/oidc/types_supervisor_oidc.go
+++ b/generated/1.17/apis/supervisor/oidc/types_supervisor_oidc.go
@@ -15,11 +15,68 @@ const (
 // or an LDAPIdentityProvider.
 AuthorizePasswordHeaderName = "Pinniped-Password" //nolint:gosec // this is not a credential
- // AuthorizeUpstreamIDPNameParamName is the name of the HTTP request parameter which can be used to help select which
- // identity provider should be used for authentication by sending the name of the desired identity provider.
+ // AuthorizeUpstreamIDPNameParamName is the name of the HTTP request parameter which can be used to help select
+ // which identity provider should be used for authentication by sending the name of the desired identity provider.
 AuthorizeUpstreamIDPNameParamName = "pinniped_idp_name"
- // AuthorizeUpstreamIDPTypeParamName is the name of the HTTP request parameter which can be used to help select which
- // identity provider should be used for authentication by sending the type of the desired identity provider.
+ // AuthorizeUpstreamIDPTypeParamName is the name of the HTTP request parameter which can be used to help select
+ // which identity provider should be used for authentication by sending the type of the desired identity provider.
 AuthorizeUpstreamIDPTypeParamName = "pinniped_idp_type"
+
+ // IDTokenClaimIssuer is name of the issuer claim defined by the OIDC spec.
+ IDTokenClaimIssuer = "iss"
+
+ // IDTokenClaimSubject is name of the subject claim defined by the OIDC spec.
+ IDTokenClaimSubject = "sub"
+
+ // IDTokenClaimAuthorizedParty is name of the authorized party claim defined by the OIDC spec.
+ IDTokenClaimAuthorizedParty = "azp"
+
+ // IDTokenClaimUsername is the name of a custom claim in the downstream ID token whose value will contain the user's
+ // username which was mapped from the upstream identity provider.
+ IDTokenClaimUsername = "username"
+
+ // IDTokenClaimGroups is the name of a custom claim in the downstream ID token whose value will contain the user's
+ // group names which were mapped from the upstream identity provider.
+ IDTokenClaimGroups = "groups"
+
+ // GrantTypeAuthorizationCode is the name of the grant type for authorization code flows defined by the OIDC spec.
+ GrantTypeAuthorizationCode = "authorization_code"
+
+ // GrantTypeRefreshToken is the name of the grant type for refresh flow defined by the OIDC spec.
+ GrantTypeRefreshToken = "refresh_token"
+
+ // GrantTypeTokenExchange is the name of a custom grant type for RFC8693 token exchanges.
+ GrantTypeTokenExchange = "urn:ietf:params:oauth:grant-type:token-exchange" //nolint:gosec // this is not a credential
+
+ // ScopeOpenID is name of the openid scope defined by the OIDC spec.
+ ScopeOpenID = "openid"
+
+ // ScopeOfflineAccess is name of the offline access scope defined by the OIDC spec, used for requesting refresh
+ // tokens.
+ ScopeOfflineAccess = "offline_access"
+
+ // ScopeEmail is name of the email scope defined by the OIDC spec.
+ ScopeEmail = "email"
+
+ // ScopeProfile is name of the profile scope defined by the OIDC spec.
+ ScopeProfile = "profile"
+
+ // ScopeUsername is the name of a custom scope that determines whether the username claim will be returned inside
+ // ID tokens.
+ ScopeUsername = "username"
+
+ // ScopeGroups is the name of a custom scope that determines whether the groups claim will be returned inside
+ // ID tokens.
+ ScopeGroups = "groups"
+
+ // ScopeRequestAudience is the name of a custom scope that determines whether a RFC8693 token exchange is allowed to
+ // be used to request a different audience.
+ ScopeRequestAudience = "pinniped:request-audience"
+
+ // ClientIDPinnipedCLI is the client ID of the statically defined public OIDC client which is used by the CLI.
+ ClientIDPinnipedCLI = "pinniped-cli"
+
+ // ClientIDRequiredOIDCClientPrefix is the required prefix for the metadata.name of OIDCClient CRs.
+ ClientIDRequiredOIDCClientPrefix = "client.oauth.pinniped.dev-"
 )
diff --git a/generated/1.18/apis/supervisor/oidc/types_supervisor_oidc.go b/generated/1.18/apis/supervisor/oidc/types_supervisor_oidc.go
index b35aafcb..cb6fe627 100644
--- a/generated/1.18/apis/supervisor/oidc/types_supervisor_oidc.go
+++ b/generated/1.18/apis/supervisor/oidc/types_supervisor_oidc.go
@@ -15,11 +15,68 @@ const (
 // or an LDAPIdentityProvider.
 AuthorizePasswordHeaderName = "Pinniped-Password" //nolint:gosec // this is not a credential
- // AuthorizeUpstreamIDPNameParamName is the name of the HTTP request parameter which can be used to help select which
- // identity provider should be used for authentication by sending the name of the desired identity provider.
+ // AuthorizeUpstreamIDPNameParamName is the name of the HTTP request parameter which can be used to help select
+ // which identity provider should be used for authentication by sending the name of the desired identity provider.
 AuthorizeUpstreamIDPNameParamName = "pinniped_idp_name"
- // AuthorizeUpstreamIDPTypeParamName is the name of the HTTP request parameter which can be used to help select which
- // identity provider should be used for authentication by sending the type of the desired identity provider.
+ // AuthorizeUpstreamIDPTypeParamName is the name of the HTTP request parameter which can be used to help select
+ // which identity provider should be used for authentication by sending the type of the desired identity provider.
 AuthorizeUpstreamIDPTypeParamName = "pinniped_idp_type"
+
+ // IDTokenClaimIssuer is name of the issuer claim defined by the OIDC spec.
+ IDTokenClaimIssuer = "iss"
+
+ // IDTokenClaimSubject is name of the subject claim defined by the OIDC spec.
+ IDTokenClaimSubject = "sub"
+
+ // IDTokenClaimAuthorizedParty is name of the authorized party claim defined by the OIDC spec.
+ IDTokenClaimAuthorizedParty = "azp"
+
+ // IDTokenClaimUsername is the name of a custom claim in the downstream ID token whose value will contain the user's
+ // username which was mapped from the upstream identity provider.
+ IDTokenClaimUsername = "username"
+
+ // IDTokenClaimGroups is the name of a custom claim in the downstream ID token whose value will contain the user's
+ // group names which were mapped from the upstream identity provider.
+ IDTokenClaimGroups = "groups"
+
+ // GrantTypeAuthorizationCode is the name of the grant type for authorization code flows defined by the OIDC spec.
+ GrantTypeAuthorizationCode = "authorization_code"
+
+ // GrantTypeRefreshToken is the name of the grant type for refresh flow defined by the OIDC spec.
+ GrantTypeRefreshToken = "refresh_token"
+
+ // GrantTypeTokenExchange is the name of a custom grant type for RFC8693 token exchanges.
+ GrantTypeTokenExchange = "urn:ietf:params:oauth:grant-type:token-exchange" //nolint:gosec // this is not a credential
+
+ // ScopeOpenID is name of the openid scope defined by the OIDC spec.
+ ScopeOpenID = "openid"
+
+ // ScopeOfflineAccess is name of the offline access scope defined by the OIDC spec, used for requesting refresh
+ // tokens.
+ ScopeOfflineAccess = "offline_access"
+
+ // ScopeEmail is name of the email scope defined by the OIDC spec.
+ ScopeEmail = "email"
+
+ // ScopeProfile is name of the profile scope defined by the OIDC spec.
+ ScopeProfile = "profile"
+
+ // ScopeUsername is the name of a custom scope that determines whether the username claim will be returned inside
+ // ID tokens.
+ ScopeUsername = "username"
+
+ // ScopeGroups is the name of a custom scope that determines whether the groups claim will be returned inside
+ // ID tokens.
+ ScopeGroups = "groups"
+
+ // ScopeRequestAudience is the name of a custom scope that determines whether a RFC8693 token exchange is allowed to
+ // be used to request a different audience.
+ ScopeRequestAudience = "pinniped:request-audience"
+
+ // ClientIDPinnipedCLI is the client ID of the statically defined public OIDC client which is used by the CLI.
+ ClientIDPinnipedCLI = "pinniped-cli"
+
+ // ClientIDRequiredOIDCClientPrefix is the required prefix for the metadata.name of OIDCClient CRs.
+ ClientIDRequiredOIDCClientPrefix = "client.oauth.pinniped.dev-"
 )
diff --git a/generated/1.19/apis/supervisor/oidc/types_supervisor_oidc.go b/generated/1.19/apis/supervisor/oidc/types_supervisor_oidc.go
index b35aafcb..cb6fe627 100644
--- a/generated/1.19/apis/supervisor/oidc/types_supervisor_oidc.go
+++ b/generated/1.19/apis/supervisor/oidc/types_supervisor_oidc.go
@@ -15,11 +15,68 @@ const ( // or an LDAPIdentityProvider. AuthorizePasswordHeaderName = "Pinniped-Password" //nolint:gosec // this is not a credential - // AuthorizeUpstreamIDPNameParamName is the name of the HTTP request parameter which can be used to help select which - // identity provider should be used for authentication by sending the name of the desired identity provider. + // AuthorizeUpstreamIDPNameParamName is the name of the HTTP request parameter which can be used to help select + // which identity provider should be used for authentication by sending the name of the desired identity provider. AuthorizeUpstreamIDPNameParamName = "pinniped_idp_name" - // AuthorizeUpstreamIDPTypeParamName is the name of the HTTP request parameter which can be used to help select which - // identity provider should be used for authentication by sending the type of the desired identity provider. + // AuthorizeUpstreamIDPTypeParamName is the name of the HTTP request parameter which can be used to help select + // which identity provider should be used for authentication by sending the type of the desired identity provider. AuthorizeUpstreamIDPTypeParamName = "pinniped_idp_type" + + // IDTokenClaimIssuer is name of the issuer claim defined by the OIDC spec. + IDTokenClaimIssuer = "iss" + + // IDTokenClaimSubject is name of the subject claim defined by the OIDC spec. + IDTokenClaimSubject = "sub" + + // IDTokenClaimAuthorizedParty is name of the authorized party claim defined by the OIDC spec. + IDTokenClaimAuthorizedParty = "azp" + + // IDTokenClaimUsername is the name of a custom claim in the downstream ID token whose value will contain the user's + // username which was mapped from the upstream identity provider. + IDTokenClaimUsername = "username" + + // IDTokenClaimGroups is the name of a custom claim in the downstream ID token whose value will contain the user's + // group names which were mapped from the upstream identity provider. 
+ IDTokenClaimGroups = "groups" + + // GrantTypeAuthorizationCode is the name of the grant type for authorization code flows defined by the OIDC spec. + GrantTypeAuthorizationCode = "authorization_code" + + // GrantTypeRefreshToken is the name of the grant type for refresh flow defined by the OIDC spec. + GrantTypeRefreshToken = "refresh_token" + + // GrantTypeTokenExchange is the name of a custom grant type for RFC8693 token exchanges. + GrantTypeTokenExchange = "urn:ietf:params:oauth:grant-type:token-exchange" //nolint:gosec // this is not a credential + + // ScopeOpenID is name of the openid scope defined by the OIDC spec. + ScopeOpenID = "openid" + + // ScopeOfflineAccess is name of the offline access scope defined by the OIDC spec, used for requesting refresh + // tokens. + ScopeOfflineAccess = "offline_access" + + // ScopeEmail is name of the email scope defined by the OIDC spec. + ScopeEmail = "email" + + // ScopeProfile is name of the profile scope defined by the OIDC spec. + ScopeProfile = "profile" + + // ScopeUsername is the name of a custom scope that determines whether the username claim will be returned inside + // ID tokens. + ScopeUsername = "username" + + // ScopeGroups is the name of a custom scope that determines whether the groups claim will be returned inside + // ID tokens. + ScopeGroups = "groups" + + // ScopeRequestAudience is the name of a custom scope that determines whether a RFC8693 token exchange is allowed to + // be used to request a different audience. + ScopeRequestAudience = "pinniped:request-audience" + + // ClientIDPinnipedCLI is the client ID of the statically defined public OIDC client which is used by the CLI. + ClientIDPinnipedCLI = "pinniped-cli" + + // ClientIDRequiredOIDCClientPrefix is the required prefix for the metadata.name of OIDCClient CRs. + ClientIDRequiredOIDCClientPrefix = "client.oauth.pinniped.dev-" ) 
diff --git a/generated/1.20/apis/supervisor/oidc/types_supervisor_oidc.go b/generated/1.20/apis/supervisor/oidc/types_supervisor_oidc.go index b35aafcb..cb6fe627 100644 --- a/generated/1.20/apis/supervisor/oidc/types_supervisor_oidc.go +++ b/generated/1.20/apis/supervisor/oidc/types_supervisor_oidc.go 
@@ -15,11 +15,68 @@ const ( // or an LDAPIdentityProvider. AuthorizePasswordHeaderName = "Pinniped-Password" //nolint:gosec // this is not a credential - // AuthorizeUpstreamIDPNameParamName is the name of the HTTP request parameter which can be used to help select which - // identity provider should be used for authentication by sending the name of the desired identity provider. + // AuthorizeUpstreamIDPNameParamName is the name of the HTTP request parameter which can be used to help select + // which identity provider should be used for authentication by sending the name of the desired identity provider. AuthorizeUpstreamIDPNameParamName = "pinniped_idp_name" - // AuthorizeUpstreamIDPTypeParamName is the name of the HTTP request parameter which can be used to help select which - // identity provider should be used for authentication by sending the type of the desired identity provider. + // AuthorizeUpstreamIDPTypeParamName is the name of the HTTP request parameter which can be used to help select + // which identity provider should be used for authentication by sending the type of the desired identity provider. AuthorizeUpstreamIDPTypeParamName = "pinniped_idp_type" + + // IDTokenClaimIssuer is name of the issuer claim defined by the OIDC spec. + IDTokenClaimIssuer = "iss" + + // IDTokenClaimSubject is name of the subject claim defined by the OIDC spec. + IDTokenClaimSubject = "sub" + + // IDTokenClaimAuthorizedParty is name of the authorized party claim defined by the OIDC spec. + IDTokenClaimAuthorizedParty = "azp" + + // IDTokenClaimUsername is the name of a custom claim in the downstream ID token whose value will contain the user's + // username which was mapped from the upstream identity provider. + IDTokenClaimUsername = "username" + + // IDTokenClaimGroups is the name of a custom claim in the downstream ID token whose value will contain the user's + // group names which were mapped from the upstream identity provider. 
+ IDTokenClaimGroups = "groups" + + // GrantTypeAuthorizationCode is the name of the grant type for authorization code flows defined by the OIDC spec. + GrantTypeAuthorizationCode = "authorization_code" + + // GrantTypeRefreshToken is the name of the grant type for refresh flow defined by the OIDC spec. + GrantTypeRefreshToken = "refresh_token" + + // GrantTypeTokenExchange is the name of a custom grant type for RFC8693 token exchanges. + GrantTypeTokenExchange = "urn:ietf:params:oauth:grant-type:token-exchange" //nolint:gosec // this is not a credential + + // ScopeOpenID is name of the openid scope defined by the OIDC spec. + ScopeOpenID = "openid" + + // ScopeOfflineAccess is name of the offline access scope defined by the OIDC spec, used for requesting refresh + // tokens. + ScopeOfflineAccess = "offline_access" + + // ScopeEmail is name of the email scope defined by the OIDC spec. + ScopeEmail = "email" + + // ScopeProfile is name of the profile scope defined by the OIDC spec. + ScopeProfile = "profile" + + // ScopeUsername is the name of a custom scope that determines whether the username claim will be returned inside + // ID tokens. + ScopeUsername = "username" + + // ScopeGroups is the name of a custom scope that determines whether the groups claim will be returned inside + // ID tokens. + ScopeGroups = "groups" + + // ScopeRequestAudience is the name of a custom scope that determines whether a RFC8693 token exchange is allowed to + // be used to request a different audience. + ScopeRequestAudience = "pinniped:request-audience" + + // ClientIDPinnipedCLI is the client ID of the statically defined public OIDC client which is used by the CLI. + ClientIDPinnipedCLI = "pinniped-cli" + + // ClientIDRequiredOIDCClientPrefix is the required prefix for the metadata.name of OIDCClient CRs. + ClientIDRequiredOIDCClientPrefix = "client.oauth.pinniped.dev-" ) 
diff --git a/generated/1.21/apis/supervisor/oidc/types_supervisor_oidc.go b/generated/1.21/apis/supervisor/oidc/types_supervisor_oidc.go index b35aafcb..cb6fe627 100644 --- a/generated/1.21/apis/supervisor/oidc/types_supervisor_oidc.go +++ b/generated/1.21/apis/supervisor/oidc/types_supervisor_oidc.go 
@@ -15,11 +15,68 @@ const ( // or an LDAPIdentityProvider. AuthorizePasswordHeaderName = "Pinniped-Password" //nolint:gosec // this is not a credential - // AuthorizeUpstreamIDPNameParamName is the name of the HTTP request parameter which can be used to help select which - // identity provider should be used for authentication by sending the name of the desired identity provider. + // AuthorizeUpstreamIDPNameParamName is the name of the HTTP request parameter which can be used to help select + // which identity provider should be used for authentication by sending the name of the desired identity provider. AuthorizeUpstreamIDPNameParamName = "pinniped_idp_name" - // AuthorizeUpstreamIDPTypeParamName is the name of the HTTP request parameter which can be used to help select which - // identity provider should be used for authentication by sending the type of the desired identity provider. + // AuthorizeUpstreamIDPTypeParamName is the name of the HTTP request parameter which can be used to help select + // which identity provider should be used for authentication by sending the type of the desired identity provider. AuthorizeUpstreamIDPTypeParamName = "pinniped_idp_type" + + // IDTokenClaimIssuer is name of the issuer claim defined by the OIDC spec. + IDTokenClaimIssuer = "iss" + + // IDTokenClaimSubject is name of the subject claim defined by the OIDC spec. + IDTokenClaimSubject = "sub" + + // IDTokenClaimAuthorizedParty is name of the authorized party claim defined by the OIDC spec. + IDTokenClaimAuthorizedParty = "azp" + + // IDTokenClaimUsername is the name of a custom claim in the downstream ID token whose value will contain the user's + // username which was mapped from the upstream identity provider. + IDTokenClaimUsername = "username" + + // IDTokenClaimGroups is the name of a custom claim in the downstream ID token whose value will contain the user's + // group names which were mapped from the upstream identity provider. 
+ IDTokenClaimGroups = "groups" + + // GrantTypeAuthorizationCode is the name of the grant type for authorization code flows defined by the OIDC spec. + GrantTypeAuthorizationCode = "authorization_code" + + // GrantTypeRefreshToken is the name of the grant type for refresh flow defined by the OIDC spec. + GrantTypeRefreshToken = "refresh_token" + + // GrantTypeTokenExchange is the name of a custom grant type for RFC8693 token exchanges. + GrantTypeTokenExchange = "urn:ietf:params:oauth:grant-type:token-exchange" //nolint:gosec // this is not a credential + + // ScopeOpenID is name of the openid scope defined by the OIDC spec. + ScopeOpenID = "openid" + + // ScopeOfflineAccess is name of the offline access scope defined by the OIDC spec, used for requesting refresh + // tokens. + ScopeOfflineAccess = "offline_access" + + // ScopeEmail is name of the email scope defined by the OIDC spec. + ScopeEmail = "email" + + // ScopeProfile is name of the profile scope defined by the OIDC spec. + ScopeProfile = "profile" + + // ScopeUsername is the name of a custom scope that determines whether the username claim will be returned inside + // ID tokens. + ScopeUsername = "username" + + // ScopeGroups is the name of a custom scope that determines whether the groups claim will be returned inside + // ID tokens. + ScopeGroups = "groups" + + // ScopeRequestAudience is the name of a custom scope that determines whether a RFC8693 token exchange is allowed to + // be used to request a different audience. + ScopeRequestAudience = "pinniped:request-audience" + + // ClientIDPinnipedCLI is the client ID of the statically defined public OIDC client which is used by the CLI. + ClientIDPinnipedCLI = "pinniped-cli" + + // ClientIDRequiredOIDCClientPrefix is the required prefix for the metadata.name of OIDCClient CRs. + ClientIDRequiredOIDCClientPrefix = "client.oauth.pinniped.dev-" ) 
diff --git a/generated/1.22/apis/supervisor/oidc/types_supervisor_oidc.go b/generated/1.22/apis/supervisor/oidc/types_supervisor_oidc.go index b35aafcb..cb6fe627 100644 --- a/generated/1.22/apis/supervisor/oidc/types_supervisor_oidc.go +++ b/generated/1.22/apis/supervisor/oidc/types_supervisor_oidc.go 
@@ -15,11 +15,68 @@ const ( // or an LDAPIdentityProvider. AuthorizePasswordHeaderName = "Pinniped-Password" //nolint:gosec // this is not a credential - // AuthorizeUpstreamIDPNameParamName is the name of the HTTP request parameter which can be used to help select which - // identity provider should be used for authentication by sending the name of the desired identity provider. + // AuthorizeUpstreamIDPNameParamName is the name of the HTTP request parameter which can be used to help select + // which identity provider should be used for authentication by sending the name of the desired identity provider. AuthorizeUpstreamIDPNameParamName = "pinniped_idp_name" - // AuthorizeUpstreamIDPTypeParamName is the name of the HTTP request parameter which can be used to help select which - // identity provider should be used for authentication by sending the type of the desired identity provider. + // AuthorizeUpstreamIDPTypeParamName is the name of the HTTP request parameter which can be used to help select + // which identity provider should be used for authentication by sending the type of the desired identity provider. AuthorizeUpstreamIDPTypeParamName = "pinniped_idp_type" + + // IDTokenClaimIssuer is name of the issuer claim defined by the OIDC spec. + IDTokenClaimIssuer = "iss" + + // IDTokenClaimSubject is name of the subject claim defined by the OIDC spec. + IDTokenClaimSubject = "sub" + + // IDTokenClaimAuthorizedParty is name of the authorized party claim defined by the OIDC spec. + IDTokenClaimAuthorizedParty = "azp" + + // IDTokenClaimUsername is the name of a custom claim in the downstream ID token whose value will contain the user's + // username which was mapped from the upstream identity provider. + IDTokenClaimUsername = "username" + + // IDTokenClaimGroups is the name of a custom claim in the downstream ID token whose value will contain the user's + // group names which were mapped from the upstream identity provider. 
+ IDTokenClaimGroups = "groups" + + // GrantTypeAuthorizationCode is the name of the grant type for authorization code flows defined by the OIDC spec. + GrantTypeAuthorizationCode = "authorization_code" + + // GrantTypeRefreshToken is the name of the grant type for refresh flow defined by the OIDC spec. + GrantTypeRefreshToken = "refresh_token" + + // GrantTypeTokenExchange is the name of a custom grant type for RFC8693 token exchanges. + GrantTypeTokenExchange = "urn:ietf:params:oauth:grant-type:token-exchange" //nolint:gosec // this is not a credential + + // ScopeOpenID is name of the openid scope defined by the OIDC spec. + ScopeOpenID = "openid" + + // ScopeOfflineAccess is name of the offline access scope defined by the OIDC spec, used for requesting refresh + // tokens. + ScopeOfflineAccess = "offline_access" + + // ScopeEmail is name of the email scope defined by the OIDC spec. + ScopeEmail = "email" + + // ScopeProfile is name of the profile scope defined by the OIDC spec. + ScopeProfile = "profile" + + // ScopeUsername is the name of a custom scope that determines whether the username claim will be returned inside + // ID tokens. + ScopeUsername = "username" + + // ScopeGroups is the name of a custom scope that determines whether the groups claim will be returned inside + // ID tokens. + ScopeGroups = "groups" + + // ScopeRequestAudience is the name of a custom scope that determines whether a RFC8693 token exchange is allowed to + // be used to request a different audience. + ScopeRequestAudience = "pinniped:request-audience" + + // ClientIDPinnipedCLI is the client ID of the statically defined public OIDC client which is used by the CLI. + ClientIDPinnipedCLI = "pinniped-cli" + + // ClientIDRequiredOIDCClientPrefix is the required prefix for the metadata.name of OIDCClient CRs. + ClientIDRequiredOIDCClientPrefix = "client.oauth.pinniped.dev-" ) 
diff --git a/generated/1.23/apis/supervisor/oidc/types_supervisor_oidc.go b/generated/1.23/apis/supervisor/oidc/types_supervisor_oidc.go index b35aafcb..cb6fe627 100644 --- a/generated/1.23/apis/supervisor/oidc/types_supervisor_oidc.go +++ b/generated/1.23/apis/supervisor/oidc/types_supervisor_oidc.go 
@@ -15,11 +15,68 @@ const ( // or an LDAPIdentityProvider. AuthorizePasswordHeaderName = "Pinniped-Password" //nolint:gosec // this is not a credential - // AuthorizeUpstreamIDPNameParamName is the name of the HTTP request parameter which can be used to help select which - // identity provider should be used for authentication by sending the name of the desired identity provider. + // AuthorizeUpstreamIDPNameParamName is the name of the HTTP request parameter which can be used to help select + // which identity provider should be used for authentication by sending the name of the desired identity provider. AuthorizeUpstreamIDPNameParamName = "pinniped_idp_name" - // AuthorizeUpstreamIDPTypeParamName is the name of the HTTP request parameter which can be used to help select which - // identity provider should be used for authentication by sending the type of the desired identity provider. + // AuthorizeUpstreamIDPTypeParamName is the name of the HTTP request parameter which can be used to help select + // which identity provider should be used for authentication by sending the type of the desired identity provider. AuthorizeUpstreamIDPTypeParamName = "pinniped_idp_type" + + // IDTokenClaimIssuer is name of the issuer claim defined by the OIDC spec. + IDTokenClaimIssuer = "iss" + + // IDTokenClaimSubject is name of the subject claim defined by the OIDC spec. + IDTokenClaimSubject = "sub" + + // IDTokenClaimAuthorizedParty is name of the authorized party claim defined by the OIDC spec. + IDTokenClaimAuthorizedParty = "azp" + + // IDTokenClaimUsername is the name of a custom claim in the downstream ID token whose value will contain the user's + // username which was mapped from the upstream identity provider. + IDTokenClaimUsername = "username" + + // IDTokenClaimGroups is the name of a custom claim in the downstream ID token whose value will contain the user's + // group names which were mapped from the upstream identity provider. 
+ IDTokenClaimGroups = "groups" + + // GrantTypeAuthorizationCode is the name of the grant type for authorization code flows defined by the OIDC spec. + GrantTypeAuthorizationCode = "authorization_code" + + // GrantTypeRefreshToken is the name of the grant type for refresh flow defined by the OIDC spec. + GrantTypeRefreshToken = "refresh_token" + + // GrantTypeTokenExchange is the name of a custom grant type for RFC8693 token exchanges. + GrantTypeTokenExchange = "urn:ietf:params:oauth:grant-type:token-exchange" //nolint:gosec // this is not a credential + + // ScopeOpenID is name of the openid scope defined by the OIDC spec. + ScopeOpenID = "openid" + + // ScopeOfflineAccess is name of the offline access scope defined by the OIDC spec, used for requesting refresh + // tokens. + ScopeOfflineAccess = "offline_access" + + // ScopeEmail is name of the email scope defined by the OIDC spec. + ScopeEmail = "email" + + // ScopeProfile is name of the profile scope defined by the OIDC spec. + ScopeProfile = "profile" + + // ScopeUsername is the name of a custom scope that determines whether the username claim will be returned inside + // ID tokens. + ScopeUsername = "username" + + // ScopeGroups is the name of a custom scope that determines whether the groups claim will be returned inside + // ID tokens. + ScopeGroups = "groups" + + // ScopeRequestAudience is the name of a custom scope that determines whether a RFC8693 token exchange is allowed to + // be used to request a different audience. + ScopeRequestAudience = "pinniped:request-audience" + + // ClientIDPinnipedCLI is the client ID of the statically defined public OIDC client which is used by the CLI. + ClientIDPinnipedCLI = "pinniped-cli" + + // ClientIDRequiredOIDCClientPrefix is the required prefix for the metadata.name of OIDCClient CRs. + ClientIDRequiredOIDCClientPrefix = "client.oauth.pinniped.dev-" ) 
diff --git a/generated/1.24/apis/supervisor/oidc/types_supervisor_oidc.go b/generated/1.24/apis/supervisor/oidc/types_supervisor_oidc.go index b35aafcb..cb6fe627 100644 --- a/generated/1.24/apis/supervisor/oidc/types_supervisor_oidc.go +++ b/generated/1.24/apis/supervisor/oidc/types_supervisor_oidc.go 
@@ -15,11 +15,68 @@ const ( // or an LDAPIdentityProvider. AuthorizePasswordHeaderName = "Pinniped-Password" //nolint:gosec // this is not a credential - // AuthorizeUpstreamIDPNameParamName is the name of the HTTP request parameter which can be used to help select which - // identity provider should be used for authentication by sending the name of the desired identity provider. + // AuthorizeUpstreamIDPNameParamName is the name of the HTTP request parameter which can be used to help select + // which identity provider should be used for authentication by sending the name of the desired identity provider. AuthorizeUpstreamIDPNameParamName = "pinniped_idp_name" - // AuthorizeUpstreamIDPTypeParamName is the name of the HTTP request parameter which can be used to help select which - // identity provider should be used for authentication by sending the type of the desired identity provider. + // AuthorizeUpstreamIDPTypeParamName is the name of the HTTP request parameter which can be used to help select + // which identity provider should be used for authentication by sending the type of the desired identity provider. AuthorizeUpstreamIDPTypeParamName = "pinniped_idp_type" + + // IDTokenClaimIssuer is name of the issuer claim defined by the OIDC spec. + IDTokenClaimIssuer = "iss" + + // IDTokenClaimSubject is name of the subject claim defined by the OIDC spec. + IDTokenClaimSubject = "sub" + + // IDTokenClaimAuthorizedParty is name of the authorized party claim defined by the OIDC spec. + IDTokenClaimAuthorizedParty = "azp" + + // IDTokenClaimUsername is the name of a custom claim in the downstream ID token whose value will contain the user's + // username which was mapped from the upstream identity provider. + IDTokenClaimUsername = "username" + + // IDTokenClaimGroups is the name of a custom claim in the downstream ID token whose value will contain the user's + // group names which were mapped from the upstream identity provider. 
+ IDTokenClaimGroups = "groups" + + // GrantTypeAuthorizationCode is the name of the grant type for authorization code flows defined by the OIDC spec. + GrantTypeAuthorizationCode = "authorization_code" + + // GrantTypeRefreshToken is the name of the grant type for refresh flow defined by the OIDC spec. + GrantTypeRefreshToken = "refresh_token" + + // GrantTypeTokenExchange is the name of a custom grant type for RFC8693 token exchanges. + GrantTypeTokenExchange = "urn:ietf:params:oauth:grant-type:token-exchange" //nolint:gosec // this is not a credential + + // ScopeOpenID is name of the openid scope defined by the OIDC spec. + ScopeOpenID = "openid" + + // ScopeOfflineAccess is name of the offline access scope defined by the OIDC spec, used for requesting refresh + // tokens. + ScopeOfflineAccess = "offline_access" + + // ScopeEmail is name of the email scope defined by the OIDC spec. + ScopeEmail = "email" + + // ScopeProfile is name of the profile scope defined by the OIDC spec. + ScopeProfile = "profile" + + // ScopeUsername is the name of a custom scope that determines whether the username claim will be returned inside + // ID tokens. + ScopeUsername = "username" + + // ScopeGroups is the name of a custom scope that determines whether the groups claim will be returned inside + // ID tokens. + ScopeGroups = "groups" + + // ScopeRequestAudience is the name of a custom scope that determines whether a RFC8693 token exchange is allowed to + // be used to request a different audience. + ScopeRequestAudience = "pinniped:request-audience" + + // ClientIDPinnipedCLI is the client ID of the statically defined public OIDC client which is used by the CLI. + ClientIDPinnipedCLI = "pinniped-cli" + + // ClientIDRequiredOIDCClientPrefix is the required prefix for the metadata.name of OIDCClient CRs. + ClientIDRequiredOIDCClientPrefix = "client.oauth.pinniped.dev-" ) 
diff --git a/generated/latest/apis/supervisor/oidc/types_supervisor_oidc.go b/generated/latest/apis/supervisor/oidc/types_supervisor_oidc.go index b35aafcb..cb6fe627 100644 --- a/generated/latest/apis/supervisor/oidc/types_supervisor_oidc.go +++ b/generated/latest/apis/supervisor/oidc/types_supervisor_oidc.go 
@@ -15,11 +15,68 @@ const ( // or an LDAPIdentityProvider. AuthorizePasswordHeaderName = "Pinniped-Password" //nolint:gosec // this is not a credential - // AuthorizeUpstreamIDPNameParamName is the name of the HTTP request parameter which can be used to help select which - // identity provider should be used for authentication by sending the name of the desired identity provider. + // AuthorizeUpstreamIDPNameParamName is the name of the HTTP request parameter which can be used to help select + // which identity provider should be used for authentication by sending the name of the desired identity provider. AuthorizeUpstreamIDPNameParamName = "pinniped_idp_name" - // AuthorizeUpstreamIDPTypeParamName is the name of the HTTP request parameter which can be used to help select which - // identity provider should be used for authentication by sending the type of the desired identity provider. + // AuthorizeUpstreamIDPTypeParamName is the name of the HTTP request parameter which can be used to help select + // which identity provider should be used for authentication by sending the type of the desired identity provider. AuthorizeUpstreamIDPTypeParamName = "pinniped_idp_type" + + // IDTokenClaimIssuer is name of the issuer claim defined by the OIDC spec. + IDTokenClaimIssuer = "iss" + + // IDTokenClaimSubject is name of the subject claim defined by the OIDC spec. + IDTokenClaimSubject = "sub" + + // IDTokenClaimAuthorizedParty is name of the authorized party claim defined by the OIDC spec. + IDTokenClaimAuthorizedParty = "azp" + + // IDTokenClaimUsername is the name of a custom claim in the downstream ID token whose value will contain the user's + // username which was mapped from the upstream identity provider. + IDTokenClaimUsername = "username" + + // IDTokenClaimGroups is the name of a custom claim in the downstream ID token whose value will contain the user's + // group names which were mapped from the upstream identity provider. 
+ IDTokenClaimGroups = "groups" + + // GrantTypeAuthorizationCode is the name of the grant type for authorization code flows defined by the OIDC spec. + GrantTypeAuthorizationCode = "authorization_code" + + // GrantTypeRefreshToken is the name of the grant type for refresh flow defined by the OIDC spec. + GrantTypeRefreshToken = "refresh_token" + + // GrantTypeTokenExchange is the name of a custom grant type for RFC8693 token exchanges. + GrantTypeTokenExchange = "urn:ietf:params:oauth:grant-type:token-exchange" //nolint:gosec // this is not a credential + + // ScopeOpenID is name of the openid scope defined by the OIDC spec. + ScopeOpenID = "openid" + + // ScopeOfflineAccess is name of the offline access scope defined by the OIDC spec, used for requesting refresh + // tokens. + ScopeOfflineAccess = "offline_access" + + // ScopeEmail is name of the email scope defined by the OIDC spec. + ScopeEmail = "email" + + // ScopeProfile is name of the profile scope defined by the OIDC spec. + ScopeProfile = "profile" + + // ScopeUsername is the name of a custom scope that determines whether the username claim will be returned inside + // ID tokens. + ScopeUsername = "username" + + // ScopeGroups is the name of a custom scope that determines whether the groups claim will be returned inside + // ID tokens. + ScopeGroups = "groups" + + // ScopeRequestAudience is the name of a custom scope that determines whether a RFC8693 token exchange is allowed to + // be used to request a different audience. + ScopeRequestAudience = "pinniped:request-audience" + + // ClientIDPinnipedCLI is the client ID of the statically defined public OIDC client which is used by the CLI. + ClientIDPinnipedCLI = "pinniped-cli" + + // ClientIDRequiredOIDCClientPrefix is the required prefix for the metadata.name of OIDCClient CRs. + ClientIDRequiredOIDCClientPrefix = "client.oauth.pinniped.dev-" ) 
diff --git a/internal/controller/authenticator/jwtcachefiller/jwtcachefiller.go b/internal/controller/authenticator/jwtcachefiller/jwtcachefiller.go
index c73a351d..ad71a100 100644
--- a/internal/controller/authenticator/jwtcachefiller/jwtcachefiller.go
+++ b/internal/controller/authenticator/jwtcachefiller/jwtcachefiller.go
@@ -21,6 +21,7 @@ import (
 "k8s.io/klog/v2"
 auth1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1"
+ oidcapi "go.pinniped.dev/generated/latest/apis/supervisor/oidc"
 authinformers "go.pinniped.dev/generated/latest/client/concierge/informers/externalversions/authentication/v1alpha1"
 pinnipedcontroller "go.pinniped.dev/internal/controller"
 pinnipedauthenticator "go.pinniped.dev/internal/controller/authenticator"
@@ -32,8 +33,8 @@ import (
 // These default values come from the way that the Supervisor issues and signs tokens. We make these
 // the defaults for a JWTAuthenticator so that they can easily integrate with the Supervisor.
 const (
- defaultUsernameClaim = "username"
- defaultGroupsClaim = "groups"
+ defaultUsernameClaim = oidcapi.IDTokenClaimUsername
+ defaultGroupsClaim = oidcapi.IDTokenClaimGroups
 )
 // defaultSupportedSigningAlgos returns the default signing algos that this JWTAuthenticator
diff --git a/internal/controller/supervisorconfig/oidcclientwatcher/oidc_client_watcher.go b/internal/controller/supervisorconfig/oidcclientwatcher/oidc_client_watcher.go
index 041e5c94..69e513c6 100644
--- a/internal/controller/supervisorconfig/oidcclientwatcher/oidc_client_watcher.go
+++ b/internal/controller/supervisorconfig/oidcclientwatcher/oidc_client_watcher.go
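Review bot: The second hunk (`@@ -32,8 +33,8`) makes the Concierge's JWTAuthenticator defaults depend on the Supervisor's `oidcapi` package, and the comment above the const block should say so explicitly, because a future edit to `IDTokenClaimUsername` or `IDTokenClaimGroups` now silently changes which claims every JWTAuthenticator that omits the claim fields trusts for identity. I would extend the existing comment with `// They are taken directly from oidcapi so that the Concierge's defaults cannot drift from the claim names the Supervisor writes into its ID tokens.` No code change is needed; the import in the first hunk is the right way to express the coupling.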
@@ -15,6 +15,7 @@ import (
 corev1informers "k8s.io/client-go/informers/core/v1"
 "go.pinniped.dev/generated/latest/apis/supervisor/config/v1alpha1"
+ oidcapi "go.pinniped.dev/generated/latest/apis/supervisor/oidc"
 pinnipedclientset "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned"
 configInformers "go.pinniped.dev/generated/latest/client/supervisor/informers/externalversions/config/v1alpha1"
 pinnipedcontroller "go.pinniped.dev/internal/controller"
@@ -27,7 +28,7 @@ import (
 const (
 secretTypeToObserve = "storage.pinniped.dev/oidc-client-secret" //nolint:gosec // this is not a credential
- oidcClientPrefixToObserve = "client.oauth.pinniped.dev-" //nolint:gosec // this is not a credential
+ oidcClientPrefixToObserve = oidcapi.ClientIDRequiredOIDCClientPrefix
 )
 type oidcClientWatcherController struct {
diff --git a/internal/controller/supervisorconfig/oidcupstreamwatcher/oidc_upstream_watcher.go b/internal/controller/supervisorconfig/oidcupstreamwatcher/oidc_upstream_watcher.go
index 599d7400..c9f22602 100644
--- a/internal/controller/supervisorconfig/oidcupstreamwatcher/oidc_upstream_watcher.go
+++ b/internal/controller/supervisorconfig/oidcupstreamwatcher/oidc_upstream_watcher.go
@@ -14,7 +14,7 @@ import (
 "strings"
 "time"
- "github.com/coreos/go-oidc/v3/oidc"
+ coreosoidc "github.com/coreos/go-oidc/v3/oidc"
 "github.com/go-logr/logr"
 "golang.org/x/oauth2"
 corev1 "k8s.io/api/core/v1"
@@ -26,6 +26,7 @@ import (
 corev1informers "k8s.io/client-go/informers/core/v1"
 "go.pinniped.dev/generated/latest/apis/supervisor/idp/v1alpha1"
+ oidcapi "go.pinniped.dev/generated/latest/apis/supervisor/oidc"
 pinnipedclientset "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned"
 idpinformers "go.pinniped.dev/generated/latest/client/supervisor/informers/externalversions/idp/v1alpha1"
 "go.pinniped.dev/internal/constable"
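Review bot: In the `@@ -27,7 +28,7` hunk of oidc_client_watcher.go, `oidcClientPrefixToObserve` is now an alias for `oidcapi.ClientIDRequiredOIDCClientPrefix` but carries no comment, and a reader of this file can no longer see what value it holds or why the filter exists. Since the prefix decides which OIDCClient objects this controller reconciles, I would document it at the declaration: `// oidcClientPrefixToObserve is the metadata.name prefix an OIDCClient must carry to be reconciled here; it is shared with the Supervisor's oidc API package so the required prefix documented there and the filter applied here cannot drift apart.` Dropping the `//nolint:gosec` directive is correct now that the line no longer contains a string literal.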
@@ -97,11 +98,11 @@ type UpstreamOIDCIdentityProviderICache interface {
 type lruValidatorCache struct{ cache *cache.Expiring }
 type lruValidatorCacheEntry struct {
- provider *oidc.Provider
+ provider *coreosoidc.Provider
 client *http.Client
 }
-func (c *lruValidatorCache) getProvider(spec *v1alpha1.OIDCIdentityProviderSpec) (*oidc.Provider, *http.Client) {
+func (c *lruValidatorCache) getProvider(spec *v1alpha1.OIDCIdentityProviderSpec) (*coreosoidc.Provider, *http.Client) {
 if result, ok := c.cache.Get(c.cacheKey(spec)); ok {
 entry := result.(*lruValidatorCacheEntry)
 return entry.provider, entry.client
@@ -109,7 +110,7 @@ func (c *lruValidatorCache) getProvider(spec *v1alpha1.OIDCIdentityProviderSpec)
 return nil, nil
 }
-func (c *lruValidatorCache) putProvider(spec *v1alpha1.OIDCIdentityProviderSpec, provider *oidc.Provider, client *http.Client) {
+func (c *lruValidatorCache) putProvider(spec *v1alpha1.OIDCIdentityProviderSpec, provider *coreosoidc.Provider, client *http.Client) {
 c.cache.Set(c.cacheKey(spec), &lruValidatorCacheEntry{provider: provider, client: client}, oidcValidatorCacheTTL)
 }
@@ -129,8 +130,8 @@ type oidcWatcherController struct {
 oidcIdentityProviderInformer idpinformers.OIDCIdentityProviderInformer
 secretInformer corev1informers.SecretInformer
 validatorCache interface {
- getProvider(*v1alpha1.OIDCIdentityProviderSpec) (*oidc.Provider, *http.Client)
- putProvider(*v1alpha1.OIDCIdentityProviderSpec, *oidc.Provider, *http.Client)
+ getProvider(*v1alpha1.OIDCIdentityProviderSpec) (*coreosoidc.Provider, *http.Client)
+ putProvider(*v1alpha1.OIDCIdentityProviderSpec, *coreosoidc.Provider, *http.Client)
 }
 }
@@ -329,7 +330,7 @@ func (c *oidcWatcherController) validateIssuer(ctx context.Context, upstream *v1
 return issuerURLCondition
 }
- discoveredProvider, err = oidc.NewProvider(oidc.ClientContext(ctx, httpClient), upstream.Spec.Issuer)
+ discoveredProvider, err = coreosoidc.NewProvider(coreosoidc.ClientContext(ctx, httpClient), upstream.Spec.Issuer)
 if err != nil {
 c.log.V(plog.KlogLevelTrace).WithValues(
 "namespace", upstream.Namespace,
@@ -457,12 +458,12 @@ func defaultClientShortTimeout(rootCAs *x509.CertPool) *http.Client {
 func computeScopes(additionalScopes []string) []string {
 // If none are set then provide a reasonable default which only tries to use scopes defined in the OIDC spec.
 if len(additionalScopes) == 0 {
- return []string{"openid", "offline_access", "email", "profile"}
+ return []string{oidcapi.ScopeOpenID, oidcapi.ScopeOfflineAccess, oidcapi.ScopeEmail, oidcapi.ScopeProfile}
 }
 // Otherwise, first compute the unique set of scopes, including "openid" (de-duplicate).
 set := sets.NewString()
- set.Insert("openid")
+ set.Insert(oidcapi.ScopeOpenID)
 for _, s := range additionalScopes {
 set.Insert(s)
 }
diff --git a/internal/controller/supervisorstorage/garbage_collector.go b/internal/controller/supervisorstorage/garbage_collector.go
index 1c38a1d0..c11aa8c3 100644
--- a/internal/controller/supervisorstorage/garbage_collector.go
+++ b/internal/controller/supervisorstorage/garbage_collector.go
@@ -9,7 +9,6 @@ import (
 "fmt"
 "time"
- coreosoidc "github.com/coreos/go-oidc/v3/oidc"
 v1 "k8s.io/api/core/v1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/labels"
@@ -17,8 +16,8 @@ import (
 "k8s.io/client-go/kubernetes"
 "k8s.io/utils/clock"
 clocktesting "k8s.io/utils/clock/testing"
- "k8s.io/utils/strings/slices"
+ oidcapi "go.pinniped.dev/generated/latest/apis/supervisor/oidc"
 pinnipedcontroller "go.pinniped.dev/internal/controller"
 "go.pinniped.dev/internal/controllerlib"
 "go.pinniped.dev/internal/crud"
@@ -204,7 +203,7 @@ func (c *garbageCollectorController) maybeRevokeUpstreamOIDCToken(ctx context.Co
 return err
 }
 pinnipedSession := accessTokenSession.Request.Session.(*psession.PinnipedSession)
- if slices.Contains(accessTokenSession.Request.GetGrantedScopes(), coreosoidc.ScopeOfflineAccess) {
+ if accessTokenSession.Request.GetGrantedScopes().Has(oidcapi.ScopeOfflineAccess) {
 return nil
 }
 return c.tryRevokeUpstreamOIDCToken(ctx, pinnipedSession.Custom, secret)
diff --git a/internal/controller/supervisorstorage/garbage_collector_test.go b/internal/controller/supervisorstorage/garbage_collector_test.go
index 5ddc6953..e6bbe7b3 100644
--- a/internal/controller/supervisorstorage/garbage_collector_test.go
+++ b/internal/controller/supervisorstorage/garbage_collector_test.go
@@ -263,13 +263,14 @@ func TestGarbageCollectorControllerSync(t *testing.T) {
 when("there are valid, expired authcode secrets which contain upstream refresh tokens", func() {
 it.Before(func() {
 activeOIDCAuthcodeSession := &authorizationcode.Session{
- Version: "2",
+ Version: "3",
 Active: true,
 Request: &fosite.Request{
 ID: "request-id-1",
 Client: &clientregistry.Client{},
 Session: &psession.PinnipedSession{
 Custom: &psession.CustomSessionData{
+ Username: "should be ignored by garbage collector",
 ProviderUID: "upstream-oidc-provider-uid",
 ProviderName: "upstream-oidc-provider-name",
 ProviderType: psession.ProviderTypeOIDC,
@@ -307,13 +308,14 @@ func TestGarbageCollectorControllerSync(t *testing.T) {
 r.NoError(kubeClient.Tracker().Add(activeOIDCAuthcodeSessionSecret))
 inactiveOIDCAuthcodeSession := &authorizationcode.Session{
- Version: "2",
+ Version: "3",
 Active: false,
 Request: &fosite.Request{
 ID: "request-id-2",
 Client: &clientregistry.Client{},
 Session: &psession.PinnipedSession{
 Custom: &psession.CustomSessionData{
+ Username: "should be ignored by garbage collector",
 ProviderUID: "upstream-oidc-provider-uid",
 ProviderName: "upstream-oidc-provider-name",
 ProviderType: psession.ProviderTypeOIDC,
@@ -385,13 +387,14 @@ func TestGarbageCollectorControllerSync(t *testing.T) {
 when("there are valid, expired authcode secrets which contain upstream access tokens", func() {
 it.Before(func() {
 activeOIDCAuthcodeSession := &authorizationcode.Session{
- Version: "2",
+ Version: "3",
 Active: true,
 Request: &fosite.Request{
 ID: "request-id-1",
 Client: &clientregistry.Client{},
 Session: &psession.PinnipedSession{
 Custom: &psession.CustomSessionData{
+ Username: "should be ignored by garbage collector",
 ProviderUID: "upstream-oidc-provider-uid",
 ProviderName: "upstream-oidc-provider-name",
 ProviderType: psession.ProviderTypeOIDC,
@@ -429,13 +432,14 @@ func TestGarbageCollectorControllerSync(t *testing.T) {
 r.NoError(kubeClient.Tracker().Add(activeOIDCAuthcodeSessionSecret))
 inactiveOIDCAuthcodeSession := &authorizationcode.Session{
- Version: "2",
+ Version: "3",
 Active: false,
 Request: &fosite.Request{
 ID: "request-id-2",
 Client: &clientregistry.Client{},
 Session: &psession.PinnipedSession{
 Custom: &psession.CustomSessionData{
+ Username: "should be ignored by garbage collector",
 ProviderUID: "upstream-oidc-provider-uid",
 ProviderName: "upstream-oidc-provider-name",
 ProviderType: psession.ProviderTypeOIDC,
@@ -507,13 +511,14 @@ func TestGarbageCollectorControllerSync(t *testing.T) {
 when("there is an invalid, expired authcode secret", func() {
 it.Before(func() {
 invalidOIDCAuthcodeSession := &authorizationcode.Session{
- Version: "2",
+ Version: "3",
 Active: true,
 Request: &fosite.Request{
 ID: "", // it is invalid for there to be a missing request ID
 Client: &clientregistry.Client{},
 Session: &psession.PinnipedSession{
 Custom: &psession.CustomSessionData{
+ Username: "should be ignored by garbage collector",
 ProviderUID: "upstream-oidc-provider-uid",
 ProviderName: "upstream-oidc-provider-name",
 ProviderType: psession.ProviderTypeOIDC,
@@ -575,13 +580,14 @@ func TestGarbageCollectorControllerSync(t *testing.T) {
 when("there is a valid, expired authcode secret but its upstream name does not match any existing upstream", func() {
 it.Before(func() {
 wrongProviderNameOIDCAuthcodeSession := &authorizationcode.Session{
- Version: "2",
+ Version: "3",
 Active: true,
 Request: &fosite.Request{
 ID: "request-id-1",
 Client: &clientregistry.Client{},
 Session: &psession.PinnipedSession{
 Custom: &psession.CustomSessionData{
+ Username: "should be ignored by garbage collector",
 ProviderUID: "upstream-oidc-provider-uid",
 ProviderName: "upstream-oidc-provider-name-will-not-match",
 ProviderType: psession.ProviderTypeOIDC,
@@ -645,13 +651,14 @@ func TestGarbageCollectorControllerSync(t *testing.T) {
 when("there is a valid, expired authcode secret but its upstream UID does not match any existing upstream", func() {
 it.Before(func() {
 wrongProviderNameOIDCAuthcodeSession := &authorizationcode.Session{
- Version: "2",
+ Version: "3",
 Active: true,
 Request: &fosite.Request{
 ID: "request-id-1",
 Client: &clientregistry.Client{},
 Session: &psession.PinnipedSession{
 Custom: &psession.CustomSessionData{
+ Username: "should be ignored by garbage collector",
 ProviderUID: "upstream-oidc-provider-uid-will-not-match",
 ProviderName: "upstream-oidc-provider-name",
 ProviderType: psession.ProviderTypeOIDC,
@@ -715,13 +722,14 @@ func TestGarbageCollectorControllerSync(t *testing.T) {
 when("there is a valid, recently expired authcode secret but the upstream revocation fails", func() {
 it.Before(func() {
 activeOIDCAuthcodeSession := &authorizationcode.Session{
- Version: "2",
+ Version: "3",
 Active: true,
 Request: &fosite.Request{
 ID: "request-id-1",
 Client: &clientregistry.Client{},
 Session: &psession.PinnipedSession{
 Custom: &psession.CustomSessionData{
+ Username: "should be ignored by garbage collector",
 ProviderUID: "upstream-oidc-provider-uid",
 ProviderName: "upstream-oidc-provider-name",
 ProviderType: psession.ProviderTypeOIDC,
@@ -819,13 +827,14 @@ func TestGarbageCollectorControllerSync(t *testing.T) {
 when("there is a valid, long-since expired authcode secret but the upstream revocation fails", func() {
 it.Before(func() {
 activeOIDCAuthcodeSession := &authorizationcode.Session{
- Version: "2",
+ Version: "3",
 Active: true,
 Request: &fosite.Request{
 ID: "request-id-1",
 Client: &clientregistry.Client{},
 Session: &psession.PinnipedSession{
 Custom: &psession.CustomSessionData{
+ Username: "should be ignored by garbage collector",
 ProviderUID: "upstream-oidc-provider-uid",
 ProviderName: "upstream-oidc-provider-name",
 ProviderType: psession.ProviderTypeOIDC,
@@ -897,13 +906,14 @@ func TestGarbageCollectorControllerSync(t *testing.T) {
 when("there are valid, expired access token secrets which contain upstream refresh tokens", func() {
 it.Before(func() {
 offlineAccessGrantedOIDCAccessTokenSession := &accesstoken.Session{
- Version: "2",
+ Version: "3",
 Request: &fosite.Request{
 GrantedScope: fosite.Arguments{"scope1", "scope2", "offline_access"},
 ID: "request-id-1",
 Client: &clientregistry.Client{},
 Session: &psession.PinnipedSession{
 Custom: &psession.CustomSessionData{
+ Username: "should be ignored by garbage collector",
 ProviderUID: "upstream-oidc-provider-uid",
 ProviderName: "upstream-oidc-provider-name",
 ProviderType: psession.ProviderTypeOIDC,
@@ -941,13 +951,14 @@ func TestGarbageCollectorControllerSync(t *testing.T) {
 r.NoError(kubeClient.Tracker().Add(offlineAccessGrantedOIDCAccessTokenSessionSecret))
 offlineAccessNotGrantedOIDCAccessTokenSession := &accesstoken.Session{
- Version: "2",
+ Version: "3",
 Request: &fosite.Request{
 GrantedScope: fosite.Arguments{"scope1", "scope2"},
 ID: "request-id-2",
 Client: &clientregistry.Client{},
 Session: &psession.PinnipedSession{
 Custom: &psession.CustomSessionData{
+ Username: "should be ignored by garbage collector",
 ProviderUID: "upstream-oidc-provider-uid",
 ProviderName: "upstream-oidc-provider-name",
 ProviderType: psession.ProviderTypeOIDC,
@@ -1019,13 +1030,14 @@ func TestGarbageCollectorControllerSync(t *testing.T) {
 when("there are valid, expired access token secrets which contain upstream access tokens", func() {
 it.Before(func() {
 offlineAccessGrantedOIDCAccessTokenSession := &accesstoken.Session{
- Version: "2",
+ Version: "3",
 Request: &fosite.Request{
 GrantedScope: fosite.Arguments{"scope1", "scope2", "offline_access"},
 ID: "request-id-1",
 Client: &clientregistry.Client{},
 Session: &psession.PinnipedSession{
 Custom: &psession.CustomSessionData{
+ Username: "should be ignored by garbage collector",
 ProviderUID: "upstream-oidc-provider-uid",
 ProviderName: "upstream-oidc-provider-name",
 ProviderType: psession.ProviderTypeOIDC,
@@ -1063,13 +1075,14 @@ func TestGarbageCollectorControllerSync(t *testing.T) {
 r.NoError(kubeClient.Tracker().Add(offlineAccessGrantedOIDCAccessTokenSessionSecret))
 offlineAccessNotGrantedOIDCAccessTokenSession := &accesstoken.Session{
- Version: "2",
+ Version: "3",
 Request: &fosite.Request{
 GrantedScope: fosite.Arguments{"scope1", "scope2"},
 ID: "request-id-2",
 Client: &clientregistry.Client{},
 Session: &psession.PinnipedSession{
 Custom: &psession.CustomSessionData{
+ Username: "should be ignored by garbage collector",
 ProviderUID: "upstream-oidc-provider-uid",
 ProviderName: "upstream-oidc-provider-name",
 ProviderType: psession.ProviderTypeOIDC,
@@ -1141,12 +1154,13 @@ func TestGarbageCollectorControllerSync(t *testing.T) {
 when("there are valid, expired refresh secrets which contain upstream refresh tokens", func() {
 it.Before(func() {
 oidcRefreshSession := &refreshtoken.Session{
- Version: "2",
+ Version: "3",
 Request: &fosite.Request{
 ID: "request-id-1",
 Client: &clientregistry.Client{},
 Session: &psession.PinnipedSession{
 Custom: &psession.CustomSessionData{
+ Username: "should be ignored by garbage collector",
 ProviderUID: "upstream-oidc-provider-uid",
 ProviderName: "upstream-oidc-provider-name",
 ProviderType: psession.ProviderTypeOIDC,
@@ -1217,12 +1231,13 @@ func TestGarbageCollectorControllerSync(t *testing.T) {
 when("there are valid, expired refresh secrets which contain upstream access tokens", func() {
 it.Before(func() {
 oidcRefreshSession := &refreshtoken.Session{
- Version: "2",
+ Version: "3",
 Request: &fosite.Request{
 ID: "request-id-1",
 Client: &clientregistry.Client{},
 Session: &psession.PinnipedSession{
 Custom: &psession.CustomSessionData{
+ Username: "should be ignored by garbage collector",
 ProviderUID: "upstream-oidc-provider-uid",
 ProviderName: "upstream-oidc-provider-name",
 ProviderType: psession.ProviderTypeOIDC,
diff --git a/internal/fositestorage/accesstoken/accesstoken.go b/internal/fositestorage/accesstoken/accesstoken.go
index 792b76e7..606b75d2 100644
--- a/internal/fositestorage/accesstoken/accesstoken.go
+++ b/internal/fositestorage/accesstoken/accesstoken.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 package accesstoken
@@ -29,7 +29,8 @@ const (
 // Version 1 was the initial release of storage.
 // Version 2 is when we switched to storing psession.PinnipedSession inside the fosite request.
- accessTokenStorageVersion = "2"
+ // Version 3 is when we added the Username field to the psession.CustomSessionData.
+ accessTokenStorageVersion = "3"
 )
 type RevocationStorage interface {
diff --git a/internal/fositestorage/accesstoken/accesstoken_test.go b/internal/fositestorage/accesstoken/accesstoken_test.go
index ddf30727..a0f818a0 100644
--- a/internal/fositestorage/accesstoken/accesstoken_test.go
+++ b/internal/fositestorage/accesstoken/accesstoken_test.go
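Review bot: Bumping accessTokenStorageVersion to "3" silently invalidates every session Secret still stored at version "2": the read path rejects them with the wrong-version error asserted in accesstoken_test.go ("... instead of 3"), so after an upgrade existing access token sessions, and the authcode, OIDC and PKCE sessions bumped the same way in authorizationcode.go, openidconnect.go and pkce.go, can no longer be loaded and users are forced to re-authenticate. The new comment explains why the version changed but not this consequence; I would extend it with `// Bumping this version rejects sessions stored under an older version on read (there is no migration),` / `// so users with existing sessions must log in again after upgrade.` It is also worth confirming that the garbage collector, which reads the access token session before deciding whether to revoke its upstream token and returns early on a read error, does not skip upstream revocation for expired version-2 Secrets now that the read fails — if it does, those upstream refresh tokens would outlive the Pinniped session at the identity provider.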
@@ -53,7 +53,7 @@ func TestAccessTokenStorage(t *testing.T) {
 },
 },
 Data: map[string][]byte{
- "pinniped-storage-data": []byte(`{"request":{"id":"abcd-1","requestedAt":"0001-01-01T00:00:00Z","client":{"id":"pinny","redirect_uris":null,"grant_types":null,"response_types":null,"scopes":null,"audience":null,"public":true,"jwks_uri":"where","jwks":null,"token_endpoint_auth_method":"something","request_uris":null,"request_object_signing_alg":"","token_endpoint_auth_signing_alg":""},"scopes":null,"grantedScopes":null,"form":{"key":["val"]},"session":{"fosite":{"Claims":null,"Headers":null,"ExpiresAt":null,"Username":"snorlax","Subject":"panda"},"custom":{"providerUID":"fake-provider-uid","providerName":"fake-provider-name","providerType":"fake-provider-type","warnings":null,"oidc":{"upstreamRefreshToken":"fake-upstream-refresh-token","upstreamAccessToken":"","upstreamSubject":"some-subject","upstreamIssuer":"some-issuer"}}},"requestedAudience":null,"grantedAudience":null},"version":"2"}`),
+ "pinniped-storage-data": []byte(`{"request":{"id":"abcd-1","requestedAt":"0001-01-01T00:00:00Z","client":{"id":"pinny","redirect_uris":null,"grant_types":null,"response_types":null,"scopes":null,"audience":null,"public":true,"jwks_uri":"where","jwks":null,"token_endpoint_auth_method":"something","request_uris":null,"request_object_signing_alg":"","token_endpoint_auth_signing_alg":""},"scopes":null,"grantedScopes":null,"form":{"key":["val"]},"session":{"fosite":{"Claims":null,"Headers":null,"ExpiresAt":null,"Username":"snorlax","Subject":"panda"},"custom":{"username":"fake-username","providerUID":"fake-provider-uid","providerName":"fake-provider-name","providerType":"fake-provider-type","warnings":null,"oidc":{"upstreamRefreshToken":"fake-upstream-refresh-token","upstreamAccessToken":"","upstreamSubject":"some-subject","upstreamIssuer":"some-issuer"}}},"requestedAudience":null,"grantedAudience":null},"version":"3"}`),
 "pinniped-storage-version": []byte("1"),
 },
 Type:
"storage.pinniped.dev/access-token", 
@@ -122,7 +122,7 @@ func TestAccessTokenStorageRevocation(t *testing.T) {
 },
 },
 Data: map[string][]byte{
- "pinniped-storage-data": []byte(`{"request":{"id":"abcd-1","requestedAt":"0001-01-01T00:00:00Z","client":{"id":"pinny","redirect_uris":null,"grant_types":null,"response_types":null,"scopes":null,"audience":null,"public":true,"jwks_uri":"where","jwks":null,"token_endpoint_auth_method":"something","request_uris":null,"request_object_signing_alg":"","token_endpoint_auth_signing_alg":""},"scopes":null,"grantedScopes":null,"form":{"key":["val"]},"session":{"fosite":{"Claims":null,"Headers":null,"ExpiresAt":null,"Username":"snorlax","Subject":"panda"},"custom":{"providerUID":"fake-provider-uid","providerName":"fake-provider-name","providerType":"fake-provider-type","warnings":null,"oidc":{"upstreamRefreshToken":"fake-upstream-refresh-token","upstreamAccessToken":"","upstreamSubject":"some-subject","upstreamIssuer":"some-issuer"}}},"requestedAudience":null,"grantedAudience":null},"version":"2"}`),
+ "pinniped-storage-data": []byte(`{"request":{"id":"abcd-1","requestedAt":"0001-01-01T00:00:00Z","client":{"id":"pinny","redirect_uris":null,"grant_types":null,"response_types":null,"scopes":null,"audience":null,"public":true,"jwks_uri":"where","jwks":null,"token_endpoint_auth_method":"something","request_uris":null,"request_object_signing_alg":"","token_endpoint_auth_signing_alg":""},"scopes":null,"grantedScopes":null,"form":{"key":["val"]},"session":{"fosite":{"Claims":null,"Headers":null,"ExpiresAt":null,"Username":"snorlax","Subject":"panda"},"custom":{"username":"fake-username","providerUID":"fake-provider-uid","providerName":"fake-provider-name","providerType":"fake-provider-type","warnings":null,"oidc":{"upstreamRefreshToken":"fake-upstream-refresh-token","upstreamAccessToken":"","upstreamSubject":"some-subject","upstreamIssuer":"some-issuer"}}},"requestedAudience":null,"grantedAudience":null},"version":"3"}`),
 "pinniped-storage-version": []byte("1"),
 },
 Type:
"storage.pinniped.dev/access-token",
@@ -195,7 +195,7 @@ func TestWrongVersion(t *testing.T) {
 _, err = storage.GetAccessTokenSession(ctx, "fancy-signature", nil)
- require.EqualError(t, err, "access token request data has wrong version: access token session for fancy-signature has version not-the-right-version instead of 2")
+ require.EqualError(t, err, "access token request data has wrong version: access token session for fancy-signature has version not-the-right-version instead of 3")
 }
 func TestNilSessionRequest(t *testing.T) {
@@ -213,7 +213,7 @@ func TestNilSessionRequest(t *testing.T) {
 },
 },
 Data: map[string][]byte{
- "pinniped-storage-data": []byte(`{"nonsense-key": "nonsense-value","version":"2"}`),
+ "pinniped-storage-data": []byte(`{"nonsense-key": "nonsense-value","version":"3"}`),
 "pinniped-storage-version": []byte("1"),
 },
 Type: "storage.pinniped.dev/access-token",
@@ -297,13 +297,13 @@ func TestReadFromSecret(t *testing.T) {
 },
 },
 Data: map[string][]byte{
- "pinniped-storage-data": []byte(`{"request":{"id":"abcd-1","session":{"fosite":{"Claims":null,"Headers":null,"ExpiresAt":null,"Username":"snorlax","Subject":"panda"},"custom":{"providerUID":"fake-provider-uid","providerName":"fake-provider-name","providerType":"fake-provider-type","oidc":{"upstreamRefreshToken":"fake-upstream-refresh-token"}}}},"version":"2","active": true}`),
+ "pinniped-storage-data": []byte(`{"request":{"id":"abcd-1","session":{"fosite":{"Claims":null,"Headers":null,"ExpiresAt":null,"Username":"snorlax","Subject":"panda"},"custom":{"username":"fake-username","providerUID":"fake-provider-uid","providerName":"fake-provider-name","providerType":"fake-provider-type","oidc":{"upstreamRefreshToken":"fake-upstream-refresh-token"}}}},"version":"3","active": true}`),
 "pinniped-storage-version": []byte("1"),
 },
 Type: "storage.pinniped.dev/access-token",
 },
 wantSession: &Session{
- Version: "2",
+ Version: "3",
 Request: &fosite.Request{
 ID: "abcd-1",
 Client: &clientregistry.Client{},
@@ -313,6 +313,7 @@ func TestReadFromSecret(t *testing.T) {
 Subject: "panda",
 },
 Custom: &psession.CustomSessionData{
+ Username: "fake-username",
 ProviderUID: "fake-provider-uid",
 ProviderName: "fake-provider-name",
 ProviderType: "fake-provider-type",
@@ -335,7 +336,7 @@ func TestReadFromSecret(t *testing.T) {
 },
 },
 Data: map[string][]byte{
- "pinniped-storage-data": []byte(`{"request":{"id":"abcd-1"},"version":"2","active": true}`),
+ "pinniped-storage-data": []byte(`{"request":{"id":"abcd-1"},"version":"3","active": true}`),
 "pinniped-storage-version": []byte("1"),
 },
 Type: "storage.pinniped.dev/not-access-token",
@@ -358,7 +359,7 @@ func TestReadFromSecret(t *testing.T) {
 },
 Type: "storage.pinniped.dev/access-token",
 },
- wantErr: "access token request data has wrong version: access token session has version wrong-version-here instead of 2",
+ wantErr: "access token request data has wrong version: access token session has version wrong-version-here instead of 3",
 },
 {
 name: "missing request",
@@ -371,7 +372,7 @@ func TestReadFromSecret(t *testing.T) {
 },
 },
 Data: map[string][]byte{
- "pinniped-storage-data": []byte(`{"version":"2","active": true}`),
+ "pinniped-storage-data": []byte(`{"version":"3","active": true}`),
 "pinniped-storage-version": []byte("1"),
 },
 Type: "storage.pinniped.dev/access-token",
diff --git a/internal/fositestorage/authorizationcode/authorizationcode.go b/internal/fositestorage/authorizationcode/authorizationcode.go
index ecfad7be..e1e3a45a 100644
--- a/internal/fositestorage/authorizationcode/authorizationcode.go
+++ b/internal/fositestorage/authorizationcode/authorizationcode.go
@@ -30,7 +30,8 @@ const (
 // Version 1 was the initial release of storage.
 // Version 2 is when we switched to storing psession.PinnipedSession inside the fosite request.
- authorizeCodeStorageVersion = "2"
+ // Version 3 is when we added the Username field to the psession.CustomSessionData.
+ authorizeCodeStorageVersion = "3"
 )
 var _ oauth2.AuthorizeCodeStorage = &authorizeCodeStorage{}
@@ -366,45 +367,43 @@ const ExpectedAuthorizeCodeSessionJSONFromFuzzing = `{
 "Subject": "\u0026¥潝邎Ȗ莅ŝǔ盕戙鵮碡ʯiŬŽ"
 },
 "custom": {
- "providerUID": "Ĝ眧Ĭ",
- "providerName": "ʼn2ƋŢ觛ǂ焺nŐǛ",
- "providerType": "ɥ闣ʬ橳(ý綃ʃʚƟ覣k眐4",
+ "username": "Ĝ眧Ĭ",
+ "providerUID": "ʼn2ƋŢ觛ǂ焺nŐǛ",
+ "providerName": "ɥ闣ʬ橳(ý綃ʃʚƟ覣k眐4",
+ "providerType": "ȣ掘ʃƸ澺淗a紽ǒ|鰽",
 "warnings": [
- "掘ʃƸ澺淗a紽ǒ|鰽ŋ猊",
- "毇妬\u003e6鉢緋uƴŤȱʀļÂ?"
+ "t毇妬\u003e6鉢緋uƴŤȱʀļÂ",
+ "虝27就伒犘c钡ɏȫ齁š"
 ],
 "oidc": {
- "upstreamRefreshToken": "\u003cƬb",
- "upstreamAccessToken": "犘c钡ɏȫ",
- "upstreamSubject": "鬌",
- "upstreamIssuer": "%OpKȱ藚ɏ¬Ê蒭堜"
+ "upstreamRefreshToken": "OpKȱ藚ɏ¬Ê蒭堜]ȗ韚ʫ繕ȫ碰+ʫ",
+ "upstreamAccessToken": "k9帴",
+ "upstreamSubject": "磊ůď逳鞪?3)藵睋邔\u0026Ű惫蜀Ģ",
+ "upstreamIssuer": "4İ"
 },
 "ldap": {
- "userDN": "ȗ韚ʫ繕ȫ碰+",
+ "userDN": "×",
 "extraRefreshAttributes": {
- "+î艔垎0": "ĝ",
- "4İ": "墀jMʥ",
- "k9帴": "磊ůď逳鞪?3)藵睋邔\u0026Ű惫蜀Ģ"
+ "ʥ笿0D": "s"
 }
 },
 "activedirectory": {
- "userDN": "%Ä摱ìÓȐĨf跞@)¿,ɭS隑i",
+ "userDN": "ĝ",
 "extraRefreshAttributes": {
- " 皦pSǬŝ社Vƅȭǝ*擦28Dž": "vư",
- "艱iYn面@yȝƋ鬯犦獢9c5¤.岵": "浛a齙\\蹼偦歛"
+ "IȽ齤士bEǎ": "跞@)¿,ɭS隑ip偶宾儮猷V麹",
+ "ȝƋ鬯犦獢9c5¤.岵": "浛a齙\\蹼偦歛"
 }
 }
 }
 },
 "requestedAudience": [
- "置b",
- "筫MN\u0026錝D肁Ŷɽ蔒PR}Ųʓl{"
+ " 皦pSǬŝ社Vƅȭǝ*擦28Dž",
+ "vư"
 ],
 "grantedAudience": [
- "jÃ轘屔挝",
- "Œų崓ļ憽-蹐È_¸]fś",
- "ɵʮGɃɫ囤1+,Ȳ"
+ "置b",
+ "筫MN\u0026錝D肁Ŷɽ蔒PR}Ųʓl{"
 ]
 },
- "version": "2"
+ "version": "3"
 }`
diff --git a/internal/fositestorage/authorizationcode/authorizationcode_test.go b/internal/fositestorage/authorizationcode/authorizationcode_test.go
index dd007317..9e2fbe4a 100644
--- a/internal/fositestorage/authorizationcode/authorizationcode_test.go
+++ b/internal/fositestorage/authorizationcode/authorizationcode_test.go
@@ -65,7 +65,7 @@ func TestAuthorizationCodeStorage(t *testing.T) {
 },
 },
 Data: map[string][]byte{
- "pinniped-storage-data": []byte(`{"active":true,"request":{"id":"abcd-1","requestedAt":"0001-01-01T00:00:00Z","client":{"id":"pinny","redirect_uris":null,"grant_types":null,"response_types":null,"scopes":null,"audience":null,"public":true,"jwks_uri":"where","jwks":null,"token_endpoint_auth_method":"something","request_uris":null,"request_object_signing_alg":"","token_endpoint_auth_signing_alg":""},"scopes":null,"grantedScopes":null,"form":{"key":["val"]},"session":{"fosite":{"Claims":null,"Headers":null,"ExpiresAt":null,"Username":"snorlax","Subject":"panda"},"custom":{"providerUID":"fake-provider-uid","providerName":"fake-provider-name","providerType":"fake-provider-type","warnings":null,"oidc":{"upstreamRefreshToken":"fake-upstream-refresh-token","upstreamAccessToken":"","upstreamSubject":"some-subject","upstreamIssuer":"some-issuer"}}},"requestedAudience":null,"grantedAudience":null},"version":"2"}`),
+ "pinniped-storage-data": []byte(`{"active":true,"request":{"id":"abcd-1","requestedAt":"0001-01-01T00:00:00Z","client":{"id":"pinny","redirect_uris":null,"grant_types":null,"response_types":null,"scopes":null,"audience":null,"public":true,"jwks_uri":"where","jwks":null,"token_endpoint_auth_method":"something","request_uris":null,"request_object_signing_alg":"","token_endpoint_auth_signing_alg":""},"scopes":null,"grantedScopes":null,"form":{"key":["val"]},"session":{"fosite":{"Claims":null,"Headers":null,"ExpiresAt":null,"Username":"snorlax","Subject":"panda"},"custom":{"username":"fake-username","providerUID":"fake-provider-uid","providerName":"fake-provider-name","providerType":"fake-provider-type","warnings":null,"oidc":{"upstreamRefreshToken":"fake-upstream-refresh-token","upstreamAccessToken":"","upstreamSubject":"some-subject","upstreamIssuer":"some-issuer"}}},"requestedAudience":null,"grantedAudience":null},"version":"3"}`),
 "pinniped-storage-version":
[]byte("1"),
 },
 Type: "storage.pinniped.dev/authcode",
@@ -84,7 +84,7 @@ func TestAuthorizationCodeStorage(t *testing.T) {
 },
 },
 Data: map[string][]byte{
- "pinniped-storage-data": []byte(`{"active":false,"request":{"id":"abcd-1","requestedAt":"0001-01-01T00:00:00Z","client":{"id":"pinny","redirect_uris":null,"grant_types":null,"response_types":null,"scopes":null,"audience":null,"public":true,"jwks_uri":"where","jwks":null,"token_endpoint_auth_method":"something","request_uris":null,"request_object_signing_alg":"","token_endpoint_auth_signing_alg":""},"scopes":null,"grantedScopes":null,"form":{"key":["val"]},"session":{"fosite":{"Claims":null,"Headers":null,"ExpiresAt":null,"Username":"snorlax","Subject":"panda"},"custom":{"providerUID":"fake-provider-uid","providerName":"fake-provider-name","providerType":"fake-provider-type","warnings":null,"oidc":{"upstreamRefreshToken":"fake-upstream-refresh-token","upstreamAccessToken":"","upstreamSubject":"some-subject","upstreamIssuer":"some-issuer"}}},"requestedAudience":null,"grantedAudience":null},"version":"2"}`),
+ "pinniped-storage-data": []byte(`{"active":false,"request":{"id":"abcd-1","requestedAt":"0001-01-01T00:00:00Z","client":{"id":"pinny","redirect_uris":null,"grant_types":null,"response_types":null,"scopes":null,"audience":null,"public":true,"jwks_uri":"where","jwks":null,"token_endpoint_auth_method":"something","request_uris":null,"request_object_signing_alg":"","token_endpoint_auth_signing_alg":""},"scopes":null,"grantedScopes":null,"form":{"key":["val"]},"session":{"fosite":{"Claims":null,"Headers":null,"ExpiresAt":null,"Username":"snorlax","Subject":"panda"},"custom":{"username":"fake-username","providerUID":"fake-provider-uid","providerName":"fake-provider-name","providerType":"fake-provider-type","warnings":null,"oidc":{"upstreamRefreshToken":"fake-upstream-refresh-token","upstreamAccessToken":"","upstreamSubject":"some-subject","upstreamIssuer":"some-issuer"}}},"requestedAudience":null,"grantedAudience":null},"version":"3"}`),
 "pinniped-storage-version":
[]byte("1"),
 },
 Type: "storage.pinniped.dev/authcode",
@@ -202,7 +202,7 @@ func TestWrongVersion(t *testing.T) {
 _, err = storage.GetAuthorizeCodeSession(ctx, "fancy-signature", nil)
- require.EqualError(t, err, "authorization request data has wrong version: authorization code session for fancy-signature has version not-the-right-version instead of 2")
+ require.EqualError(t, err, "authorization request data has wrong version: authorization code session for fancy-signature has version not-the-right-version instead of 3")
 }
 func TestNilSessionRequest(t *testing.T) {
@@ -217,7 +217,7 @@ func TestNilSessionRequest(t *testing.T) {
 },
 },
 Data: map[string][]byte{
- "pinniped-storage-data": []byte(`{"nonsense-key": "nonsense-value", "version":"2", "active": true}`),
+ "pinniped-storage-data": []byte(`{"nonsense-key": "nonsense-value", "version":"3", "active": true}`),
 "pinniped-storage-version": []byte("1"),
 },
 Type: "storage.pinniped.dev/authcode",
@@ -384,7 +384,7 @@ func TestFuzzAndJSONNewValidEmptyAuthorizeCodeSession(t *testing.T) {
 // set these to match CreateAuthorizeCodeSession so that .JSONEq works
 validSession.Active = true
- validSession.Version = "2"
+ validSession.Version = "3"
 validSessionJSONBytes, err := json.MarshalIndent(validSession, "", "\t")
 require.NoError(t, err)
@@ -419,13 +419,13 @@ func TestReadFromSecret(t *testing.T) {
 },
 },
 Data: map[string][]byte{
- "pinniped-storage-data": []byte(`{"request":{"id":"abcd-1","session":{"fosite":{"Claims":null,"Headers":null,"ExpiresAt":null,"Username":"snorlax","Subject":"panda"},"custom":{"providerUID":"fake-provider-uid","providerName":"fake-provider-name","providerType":"fake-provider-type","oidc":{"upstreamRefreshToken":"fake-upstream-refresh-token"}}}},"version":"2","active": true}`),
+ "pinniped-storage-data": []byte(`{"request":{"id":"abcd-1","session":{"fosite":{"Claims":null,"Headers":null,"ExpiresAt":null,"Username":"snorlax","Subject":"panda"},"custom":{"username":"fake-username","providerUID":"fake-provider-uid","providerName":"fake-provider-name","providerType":"fake-provider-type","oidc":{"upstreamRefreshToken":"fake-upstream-refresh-token"}}}},"version":"3","active": true}`),
 "pinniped-storage-version": []byte("1"),
 },
 Type: "storage.pinniped.dev/authcode",
 },
 wantSession: &Session{
- Version: "2",
+ Version: "3",
 Active: true,
 Request: &fosite.Request{
 ID: "abcd-1",
@@ -436,6 +436,7 @@ func TestReadFromSecret(t *testing.T) {
 Subject: "panda",
 },
 Custom: &psession.CustomSessionData{
+ Username: "fake-username",
 ProviderUID: "fake-provider-uid",
 ProviderName: "fake-provider-name",
 ProviderType: "fake-provider-type",
@@ -458,7 +459,7 @@ func TestReadFromSecret(t *testing.T) {
 },
 },
 Data: map[string][]byte{
- "pinniped-storage-data": []byte(`{"request":{"id":"abcd-1"},"version":"2","active": true}`),
+ "pinniped-storage-data": []byte(`{"request":{"id":"abcd-1"},"version":"3","active": true}`),
 "pinniped-storage-version": []byte("1"),
 },
 Type: "storage.pinniped.dev/not-authcode",
@@ -481,7 +482,7 @@ func TestReadFromSecret(t *testing.T) {
 },
 Type: "storage.pinniped.dev/authcode",
 },
- wantErr: "authorization request data has wrong version: authorization code session has version wrong-version-here instead of 2",
+ wantErr: "authorization request data has wrong version: authorization code session has version wrong-version-here instead of 3",
 },
 {
 name: "missing request",
@@ -494,7 +495,7 @@ func TestReadFromSecret(t *testing.T) {
 },
 },
 Data: map[string][]byte{
- "pinniped-storage-data": []byte(`{"version":"2","active": true}`),
+ "pinniped-storage-data": []byte(`{"version":"3","active": true}`),
 "pinniped-storage-version": []byte("1"),
 },
 Type: "storage.pinniped.dev/authcode",
diff --git a/internal/fositestorage/openidconnect/openidconnect.go b/internal/fositestorage/openidconnect/openidconnect.go
index 81699410..605ac523 100644
--- a/internal/fositestorage/openidconnect/openidconnect.go
+++ b/internal/fositestorage/openidconnect/openidconnect.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 package openidconnect
@@ -30,7 +30,8 @@ const (
 // Version 1 was the initial release of storage.
 // Version 2 is when we switched to storing psession.PinnipedSession inside the fosite request.
- oidcStorageVersion = "2"
+ // Version 3 is when we added the Username field to the psession.CustomSessionData.
+ oidcStorageVersion = "3"
 )
 var _ openid.OpenIDConnectRequestStorage = &openIDConnectRequestStorage{}
diff --git a/internal/fositestorage/openidconnect/openidconnect_test.go b/internal/fositestorage/openidconnect/openidconnect_test.go
index 10979e9c..cbfd16ea 100644
--- a/internal/fositestorage/openidconnect/openidconnect_test.go
+++ b/internal/fositestorage/openidconnect/openidconnect_test.go
@@ -52,7 +52,7 @@ func TestOpenIdConnectStorage(t *testing.T) { }, }, Data: map[string][]byte{ - "pinniped-storage-data": []byte(`{"request":{"id":"abcd-1","requestedAt":"0001-01-01T00:00:00Z","client":{"id":"pinny","redirect_uris":null,"grant_types":null,"response_types":null,"scopes":null,"audience":null,"public":true,"jwks_uri":"where","jwks":null,"token_endpoint_auth_method":"something","request_uris":null,"request_object_signing_alg":"","token_endpoint_auth_signing_alg":""},"scopes":null,"grantedScopes":null,"form":{"key":["val"]},"session":{"fosite":{"Claims":null,"Headers":null,"ExpiresAt":null,"Username":"snorlax","Subject":"panda"},"custom":{"providerUID":"fake-provider-uid","providerName":"fake-provider-name","providerType":"fake-provider-type","warnings":null,"oidc":{"upstreamRefreshToken":"fake-upstream-refresh-token","upstreamAccessToken":"","upstreamSubject":"some-subject","upstreamIssuer":"some-issuer"}}},"requestedAudience":null,"grantedAudience":null},"version":"2"}`), + "pinniped-storage-data": []byte(`{"request":{"id":"abcd-1","requestedAt":"0001-01-01T00:00:00Z","client":{"id":"pinny","redirect_uris":null,"grant_types":null,"response_types":null,"scopes":null,"audience":null,"public":true,"jwks_uri":"where","jwks":null,"token_endpoint_auth_method":"something","request_uris":null,"request_object_signing_alg":"","token_endpoint_auth_signing_alg":""},"scopes":null,"grantedScopes":null,"form":{"key":["val"]},"session":{"fosite":{"Claims":null,"Headers":null,"ExpiresAt":null,"Username":"snorlax","Subject":"panda"},"custom":{"username":"fake-username","providerUID":"fake-provider-uid","providerName":"fake-provider-name","providerType":"fake-provider-type","warnings":null,"oidc":{"upstreamRefreshToken":"fake-upstream-refresh-token","upstreamAccessToken":"","upstreamSubject":"some-subject","upstreamIssuer":"some-issuer"}}},"requestedAudience":null,"grantedAudience":null},"version":"3"}`), "pinniped-storage-version": []byte("1"), }, Type: 
"storage.pinniped.dev/oidc", @@ -137,7 +137,7 @@ func TestWrongVersion(t *testing.T) { _, err = storage.GetOpenIDConnectSession(ctx, "fancy-code.fancy-signature", nil) - require.EqualError(t, err, "oidc request data has wrong version: oidc session for fancy-signature has version not-the-right-version instead of 2") + require.EqualError(t, err, "oidc request data has wrong version: oidc session for fancy-signature has version not-the-right-version instead of 3") } func TestNilSessionRequest(t *testing.T) { @@ -152,7 +152,7 @@ func TestNilSessionRequest(t *testing.T) { }, }, Data: map[string][]byte{ - "pinniped-storage-data": []byte(`{"nonsense-key": "nonsense-value","version":"2"}`), + "pinniped-storage-data": []byte(`{"nonsense-key": "nonsense-value","version":"3"}`), "pinniped-storage-version": []byte("1"), }, Type: "storage.pinniped.dev/oidc", diff --git a/internal/fositestorage/pkce/pkce.go b/internal/fositestorage/pkce/pkce.go index cbe566bd..f84b01da 100644 --- a/internal/fositestorage/pkce/pkce.go +++ b/internal/fositestorage/pkce/pkce.go @@ -1,4 +1,4 @@ -// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved. +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 package pkce @@ -28,7 +28,8 @@ const ( // Version 1 was the initial release of storage. // Version 2 is when we switched to storing psession.PinnipedSession inside the fosite request. - pkceStorageVersion = "2" + // Version 3 is when we added the Username field to the psession.CustomSessionData. + pkceStorageVersion = "3" ) var _ pkce.PKCERequestStorage = &pkceStorage{} diff --git a/internal/fositestorage/pkce/pkce_test.go b/internal/fositestorage/pkce/pkce_test.go index 06e3db6b..47e6cef0 100644 --- a/internal/fositestorage/pkce/pkce_test.go +++ b/internal/fositestorage/pkce/pkce_test.go 
@@ -52,7 +52,7 @@ func TestPKCEStorage(t *testing.T) { }, }, Data: map[string][]byte{ - "pinniped-storage-data": []byte(`{"request":{"id":"abcd-1","requestedAt":"0001-01-01T00:00:00Z","client":{"id":"pinny","redirect_uris":null,"grant_types":null,"response_types":null,"scopes":null,"audience":null,"public":true,"jwks_uri":"where","jwks":null,"token_endpoint_auth_method":"something","request_uris":null,"request_object_signing_alg":"","token_endpoint_auth_signing_alg":""},"scopes":null,"grantedScopes":null,"form":{"key":["val"]},"session":{"fosite":{"Claims":null,"Headers":null,"ExpiresAt":null,"Username":"snorlax","Subject":"panda"},"custom":{"providerUID":"fake-provider-uid","providerName":"fake-provider-name","providerType":"fake-provider-type","warnings":null,"oidc":{"upstreamRefreshToken":"fake-upstream-refresh-token","upstreamAccessToken":"","upstreamSubject":"some-subject","upstreamIssuer":"some-issuer"}}},"requestedAudience":null,"grantedAudience":null},"version":"2"}`), + "pinniped-storage-data": []byte(`{"request":{"id":"abcd-1","requestedAt":"0001-01-01T00:00:00Z","client":{"id":"pinny","redirect_uris":null,"grant_types":null,"response_types":null,"scopes":null,"audience":null,"public":true,"jwks_uri":"where","jwks":null,"token_endpoint_auth_method":"something","request_uris":null,"request_object_signing_alg":"","token_endpoint_auth_signing_alg":""},"scopes":null,"grantedScopes":null,"form":{"key":["val"]},"session":{"fosite":{"Claims":null,"Headers":null,"ExpiresAt":null,"Username":"snorlax","Subject":"panda"},"custom":{"username":"fake-username","providerUID":"fake-provider-uid","providerName":"fake-provider-name","providerType":"fake-provider-type","warnings":null,"oidc":{"upstreamRefreshToken":"fake-upstream-refresh-token","upstreamAccessToken":"","upstreamSubject":"some-subject","upstreamIssuer":"some-issuer"}}},"requestedAudience":null,"grantedAudience":null},"version":"3"}`), "pinniped-storage-version": []byte("1"), }, Type: 
"storage.pinniped.dev/pkce", @@ -140,7 +140,7 @@ func TestWrongVersion(t *testing.T) { _, err = storage.GetPKCERequestSession(ctx, "fancy-signature", nil) - require.EqualError(t, err, "pkce request data has wrong version: pkce session for fancy-signature has version not-the-right-version instead of 2") + require.EqualError(t, err, "pkce request data has wrong version: pkce session for fancy-signature has version not-the-right-version instead of 3") } func TestNilSessionRequest(t *testing.T) { @@ -158,7 +158,7 @@ func TestNilSessionRequest(t *testing.T) { }, }, Data: map[string][]byte{ - "pinniped-storage-data": []byte(`{"nonsense-key": "nonsense-value","version":"2"}`), + "pinniped-storage-data": []byte(`{"nonsense-key": "nonsense-value","version":"3"}`), "pinniped-storage-version": []byte("1"), }, Type: "storage.pinniped.dev/pkce", diff --git a/internal/fositestorage/refreshtoken/refreshtoken.go b/internal/fositestorage/refreshtoken/refreshtoken.go index a2a2fe89..7f1147fb 100644 --- a/internal/fositestorage/refreshtoken/refreshtoken.go +++ b/internal/fositestorage/refreshtoken/refreshtoken.go @@ -29,7 +29,8 @@ const ( // Version 1 was the initial release of storage. // Version 2 is when we switched to storing psession.PinnipedSession inside the fosite request. - refreshTokenStorageVersion = "2" + // Version 3 is when we added the Username field to the psession.CustomSessionData. + refreshTokenStorageVersion = "3" ) type RevocationStorage interface { diff --git a/internal/fositestorage/refreshtoken/refreshtoken_test.go b/internal/fositestorage/refreshtoken/refreshtoken_test.go index 15ad5e78..54fc24a4 100644 --- a/internal/fositestorage/refreshtoken/refreshtoken_test.go +++ b/internal/fositestorage/refreshtoken/refreshtoken_test.go 
@@ -52,7 +52,7 @@ func TestRefreshTokenStorage(t *testing.T) { }, }, Data: map[string][]byte{ - "pinniped-storage-data": []byte(`{"request":{"id":"abcd-1","requestedAt":"0001-01-01T00:00:00Z","client":{"id":"pinny","redirect_uris":null,"grant_types":null,"response_types":null,"scopes":null,"audience":null,"public":true,"jwks_uri":"where","jwks":null,"token_endpoint_auth_method":"something","request_uris":null,"request_object_signing_alg":"","token_endpoint_auth_signing_alg":""},"scopes":null,"grantedScopes":null,"form":{"key":["val"]},"session":{"fosite":{"Claims":null,"Headers":null,"ExpiresAt":null,"Username":"snorlax","Subject":"panda"},"custom":{"providerUID":"fake-provider-uid","providerName":"fake-provider-name","providerType":"fake-provider-type","warnings":null,"oidc":{"upstreamRefreshToken":"fake-upstream-refresh-token","upstreamAccessToken":"","upstreamSubject":"some-subject","upstreamIssuer":"some-issuer"}}},"requestedAudience":null,"grantedAudience":null},"version":"2"}`), + "pinniped-storage-data": []byte(`{"request":{"id":"abcd-1","requestedAt":"0001-01-01T00:00:00Z","client":{"id":"pinny","redirect_uris":null,"grant_types":null,"response_types":null,"scopes":null,"audience":null,"public":true,"jwks_uri":"where","jwks":null,"token_endpoint_auth_method":"something","request_uris":null,"request_object_signing_alg":"","token_endpoint_auth_signing_alg":""},"scopes":null,"grantedScopes":null,"form":{"key":["val"]},"session":{"fosite":{"Claims":null,"Headers":null,"ExpiresAt":null,"Username":"snorlax","Subject":"panda"},"custom":{"username":"fake-username","providerUID":"fake-provider-uid","providerName":"fake-provider-name","providerType":"fake-provider-type","warnings":null,"oidc":{"upstreamRefreshToken":"fake-upstream-refresh-token","upstreamAccessToken":"","upstreamSubject":"some-subject","upstreamIssuer":"some-issuer"}}},"requestedAudience":null,"grantedAudience":null},"version":"3"}`), "pinniped-storage-version": []byte("1"), }, Type: 
"storage.pinniped.dev/refresh-token", 
@@ -122,7 +122,7 @@ func TestRefreshTokenStorageRevocation(t *testing.T) { }, }, Data: map[string][]byte{ - "pinniped-storage-data": []byte(`{"request":{"id":"abcd-1","requestedAt":"0001-01-01T00:00:00Z","client":{"id":"pinny","redirect_uris":null,"grant_types":null,"response_types":null,"scopes":null,"audience":null,"public":true,"jwks_uri":"where","jwks":null,"token_endpoint_auth_method":"something","request_uris":null,"request_object_signing_alg":"","token_endpoint_auth_signing_alg":""},"scopes":null,"grantedScopes":null,"form":{"key":["val"]},"session":{"fosite":{"Claims":null,"Headers":null,"ExpiresAt":null,"Username":"snorlax","Subject":"panda"},"custom":{"providerUID":"fake-provider-uid","providerName":"fake-provider-name","providerType":"fake-provider-type","warnings":null,"oidc":{"upstreamRefreshToken":"fake-upstream-refresh-token","upstreamAccessToken":"","upstreamSubject":"some-subject","upstreamIssuer":"some-issuer"}}},"requestedAudience":null,"grantedAudience":null},"version":"2"}`), + "pinniped-storage-data": []byte(`{"request":{"id":"abcd-1","requestedAt":"0001-01-01T00:00:00Z","client":{"id":"pinny","redirect_uris":null,"grant_types":null,"response_types":null,"scopes":null,"audience":null,"public":true,"jwks_uri":"where","jwks":null,"token_endpoint_auth_method":"something","request_uris":null,"request_object_signing_alg":"","token_endpoint_auth_signing_alg":""},"scopes":null,"grantedScopes":null,"form":{"key":["val"]},"session":{"fosite":{"Claims":null,"Headers":null,"ExpiresAt":null,"Username":"snorlax","Subject":"panda"},"custom":{"username":"fake-username","providerUID":"fake-provider-uid","providerName":"fake-provider-name","providerType":"fake-provider-type","warnings":null,"oidc":{"upstreamRefreshToken":"fake-upstream-refresh-token","upstreamAccessToken":"","upstreamSubject":"some-subject","upstreamIssuer":"some-issuer"}}},"requestedAudience":null,"grantedAudience":null},"version":"3"}`), "pinniped-storage-version": []byte("1"), }, Type: 
"storage.pinniped.dev/refresh-token", 
@@ -177,7 +177,7 @@ func TestRefreshTokenStorageRevokeRefreshTokenMaybeGracePeriod(t *testing.T) { }, }, Data: map[string][]byte{ - "pinniped-storage-data": []byte(`{"request":{"id":"abcd-1","requestedAt":"0001-01-01T00:00:00Z","client":{"id":"pinny","redirect_uris":null,"grant_types":null,"response_types":null,"scopes":null,"audience":null,"public":true,"jwks_uri":"where","jwks":null,"token_endpoint_auth_method":"something","request_uris":null,"request_object_signing_alg":"","token_endpoint_auth_signing_alg":""},"scopes":null,"grantedScopes":null,"form":{"key":["val"]},"session":{"fosite":{"Claims":null,"Headers":null,"ExpiresAt":null,"Username":"snorlax","Subject":"panda"},"custom":{"providerUID":"fake-provider-uid","providerName":"fake-provider-name","providerType":"fake-provider-type","warnings":null,"oidc":{"upstreamRefreshToken":"fake-upstream-refresh-token","upstreamAccessToken":"","upstreamSubject":"some-subject","upstreamIssuer":"some-issuer"}}},"requestedAudience":null,"grantedAudience":null},"version":"2"}`), + "pinniped-storage-data": []byte(`{"request":{"id":"abcd-1","requestedAt":"0001-01-01T00:00:00Z","client":{"id":"pinny","redirect_uris":null,"grant_types":null,"response_types":null,"scopes":null,"audience":null,"public":true,"jwks_uri":"where","jwks":null,"token_endpoint_auth_method":"something","request_uris":null,"request_object_signing_alg":"","token_endpoint_auth_signing_alg":""},"scopes":null,"grantedScopes":null,"form":{"key":["val"]},"session":{"fosite":{"Claims":null,"Headers":null,"ExpiresAt":null,"Username":"snorlax","Subject":"panda"},"custom":{"username":"fake-username","providerUID":"fake-provider-uid","providerName":"fake-provider-name","providerType":"fake-provider-type","warnings":null,"oidc":{"upstreamRefreshToken":"fake-upstream-refresh-token","upstreamAccessToken":"","upstreamSubject":"some-subject","upstreamIssuer":"some-issuer"}}},"requestedAudience":null,"grantedAudience":null},"version":"3"}`), "pinniped-storage-version": 
[]byte("1"), }, Type: "storage.pinniped.dev/refresh-token", @@ -251,7 +251,7 @@ func TestWrongVersion(t *testing.T) { _, err = storage.GetRefreshTokenSession(ctx, "fancy-signature", nil) - require.EqualError(t, err, "refresh token request data has wrong version: refresh token session for fancy-signature has version not-the-right-version instead of 2") + require.EqualError(t, err, "refresh token request data has wrong version: refresh token session for fancy-signature has version not-the-right-version instead of 3") } func TestNilSessionRequest(t *testing.T) { @@ -269,7 +269,7 @@ func TestNilSessionRequest(t *testing.T) { }, }, Data: map[string][]byte{ - "pinniped-storage-data": []byte(`{"nonsense-key": "nonsense-value","version":"2"}`), + "pinniped-storage-data": []byte(`{"nonsense-key": "nonsense-value","version":"3"}`), "pinniped-storage-version": []byte("1"), }, Type: "storage.pinniped.dev/refresh-token", 
@@ -353,13 +353,13 @@ func TestReadFromSecret(t *testing.T) {
 },
 },
 Data: map[string][]byte{
- "pinniped-storage-data": []byte(`{"request":{"id":"abcd-1","session":{"fosite":{"Claims":null,"Headers":null,"ExpiresAt":null,"Username":"snorlax","Subject":"panda"},"custom":{"providerUID":"fake-provider-uid","providerName":"fake-provider-name","providerType":"fake-provider-type","oidc":{"upstreamRefreshToken":"fake-upstream-refresh-token"}}}},"version":"2","active": true}`),
+ "pinniped-storage-data": []byte(`{"request":{"id":"abcd-1","session":{"fosite":{"Claims":null,"Headers":null,"ExpiresAt":null,"Username":"snorlax","Subject":"panda"},"custom":{"username":"fake-username","providerUID":"fake-provider-uid","providerName":"fake-provider-name","providerType":"fake-provider-type","oidc":{"upstreamRefreshToken":"fake-upstream-refresh-token"}}}},"version":"3","active": true}`),
 "pinniped-storage-version": []byte("1"),
 },
 Type: "storage.pinniped.dev/refresh-token",
 },
 wantSession: &Session{
- Version: "2",
+ Version: "3",
 Request: &fosite.Request{
 ID: "abcd-1",
 Client: &clientregistry.Client{},
@@ -369,6 +369,7 @@ func TestReadFromSecret(t *testing.T) {
 Subject: "panda",
 },
 Custom: &psession.CustomSessionData{
+ Username: "fake-username",
 ProviderUID: "fake-provider-uid",
 ProviderName: "fake-provider-name",
 ProviderType: "fake-provider-type",
@@ -391,7 +392,7 @@ func TestReadFromSecret(t *testing.T) {
 },
 },
 Data: map[string][]byte{
- "pinniped-storage-data": []byte(`{"request":{"id":"abcd-1"},"version":"2","active": true}`),
+ "pinniped-storage-data": []byte(`{"request":{"id":"abcd-1"},"version":"3","active": true}`),
 "pinniped-storage-version": []byte("1"),
 },
 Type: "storage.pinniped.dev/not-refresh-token",
@@ -414,7 +415,7 @@ func TestReadFromSecret(t *testing.T) {
 },
 Type: "storage.pinniped.dev/refresh-token",
 },
- wantErr: "refresh token request data has wrong version: refresh token session has version wrong-version-here instead of 2",
+ wantErr: "refresh token request data has wrong version: refresh token session has version wrong-version-here instead of 3",
 },
 {
 name: "missing request",
@@ -427,7 +428,7 @@ func TestReadFromSecret(t *testing.T) {
 },
 },
 Data: map[string][]byte{
- "pinniped-storage-data": []byte(`{"version":"2","active": true}`),
+ "pinniped-storage-data": []byte(`{"version":"3","active": true}`),
 "pinniped-storage-version": []byte("1"),
 },
 Type: "storage.pinniped.dev/refresh-token",
diff --git a/internal/oidc/auth/auth_handler.go b/internal/oidc/auth/auth_handler.go
index 370f8baa..bf7e1764 100644
--- a/internal/oidc/auth/auth_handler.go
+++ b/internal/oidc/auth/auth_handler.go
@@ -10,17 +10,15 @@ import (
 "net/url"
 "time"
 
- coreosoidc "github.com/coreos/go-oidc/v3/oidc"
 "github.com/ory/fosite"
 "github.com/ory/fosite/handler/openid"
 "github.com/ory/fosite/token/jwt"
 "golang.org/x/oauth2"
 
- supervisoroidc "go.pinniped.dev/generated/latest/apis/supervisor/oidc"
+ oidcapi "go.pinniped.dev/generated/latest/apis/supervisor/oidc"
 "go.pinniped.dev/internal/httputil/httperr"
 "go.pinniped.dev/internal/httputil/securityheader"
 "go.pinniped.dev/internal/oidc"
- "go.pinniped.dev/internal/oidc/clientregistry"
 "go.pinniped.dev/internal/oidc/csrftoken"
 "go.pinniped.dev/internal/oidc/downstreamsession"
 "go.pinniped.dev/internal/oidc/login"
@@ -56,12 +54,12 @@ func NewHandler(
 return httperr.Newf(http.StatusMethodNotAllowed, "%s (try GET or POST)", r.Method)
 }
 
- // Note that the client might have used supervisoroidc.AuthorizeUpstreamIDPNameParamName and
- // supervisoroidc.AuthorizeUpstreamIDPTypeParamName query params to request a certain upstream IDP.
+ // Note that the client might have used oidcapi.AuthorizeUpstreamIDPNameParamName and
+ // oidcapi.AuthorizeUpstreamIDPTypeParamName query params to request a certain upstream IDP.
 // The Pinniped CLI has been sending these params since v0.9.0.
 // Currently, these are ignored because the Supervisor does not yet support logins when multiple IDPs
 // are configured. However, these params should be honored in the future when choosing an upstream
- // here, e.g. by calling supervisoroidc.FindUpstreamIDPByNameAndType() when the params are present.
+ // here, e.g. by calling oidcapi.FindUpstreamIDPByNameAndType() when the params are present.
 oidcUpstream, ldapUpstream, idpType, err := chooseUpstreamIDP(idpLister)
 if err != nil {
 plog.WarningErr("authorize upstream config", err)
@@ -69,8 +67,8 @@ func NewHandler(
 }
 
 if idpType == psession.ProviderTypeOIDC {
- if len(r.Header.Values(supervisoroidc.AuthorizeUsernameHeaderName)) > 0 ||
- len(r.Header.Values(supervisoroidc.AuthorizePasswordHeaderName)) > 0 {
+ if len(r.Header.Values(oidcapi.AuthorizeUsernameHeaderName)) > 0 ||
+ len(r.Header.Values(oidcapi.AuthorizePasswordHeaderName)) > 0 {
 // The client set a username header, so they are trying to log in with a username/password.
 return handleAuthRequestForOIDCUpstreamPasswordGrant(r, w, oauthHelperWithStorage, oidcUpstream)
 }
@@ -85,8 +83,8 @@ func NewHandler( } // We know it's an AD/LDAP upstream. - if len(r.Header.Values(supervisoroidc.AuthorizeUsernameHeaderName)) > 0 || - len(r.Header.Values(supervisoroidc.AuthorizePasswordHeaderName)) > 0 { + if len(r.Header.Values(oidcapi.AuthorizeUsernameHeaderName)) > 0 || + len(r.Header.Values(oidcapi.AuthorizePasswordHeaderName)) > 0 { // The client set a username header, so they are trying to log in with a username/password. return handleAuthRequestForLDAPUpstreamCLIFlow(r, w, oauthHelperWithStorage, @@ -150,7 +148,7 @@ func handleAuthRequestForLDAPUpstreamCLIFlow( subject := downstreamsession.DownstreamSubjectFromUpstreamLDAP(ldapUpstream, authenticateResponse) username = authenticateResponse.User.GetName() groups := authenticateResponse.User.GetGroups() - customSessionData := downstreamsession.MakeDownstreamLDAPOrADCustomSessionData(ldapUpstream, idpType, authenticateResponse) + customSessionData := downstreamsession.MakeDownstreamLDAPOrADCustomSessionData(ldapUpstream, idpType, authenticateResponse, username) openIDSession := downstreamsession.MakeDownstreamSession(subject, username, groups, authorizeRequester.GetGrantedScopes(), customSessionData) oidc.PerformAuthcodeRedirect(r, w, oauthHelper, authorizeRequester, openIDSession, true) @@ -244,7 +242,7 @@ func handleAuthRequestForOIDCUpstreamPasswordGrant( return nil } - customSessionData, err := downstreamsession.MakeDownstreamOIDCCustomSessionData(oidcUpstream, token) + customSessionData, err := downstreamsession.MakeDownstreamOIDCCustomSessionData(oidcUpstream, token, username) if err != nil { oidc.WriteAuthorizeError(w, oauthHelper, authorizeRequester, fosite.ErrAccessDenied.WithHintf("Reason: %s.", err.Error()), true, 
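Review bot: In handleAuthRequestForLDAPUpstreamCLIFlow the new `username` argument handed to MakeDownstreamLDAPOrADCustomSessionData is the value of `authenticateResponse.User.GetName()`, which the helper already receives, so the session's stored username and the authenticator's username are now two inputs that can silently diverge if a future caller passes something else; either have the helper read the name from `authenticateResponse` itself or document on the call that the two must agree. The `username` passed to MakeDownstreamOIDCCustomSessionData in the last hunk comes from outside the hunk, so a one-line note at that call site would help, e.g. `// username is the downstream username that will be persisted in the session and reused on later token issuance`, presumably derived from the upstream token claims (not visible here). Both enclosing functions start and end outside the hunk.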
@@ -322,7 +320,7 @@ func handleAuthRequestForOIDCUpstreamBrowserFlow(
 }
 
 func requireStaticClientForUsernameAndPasswordHeaders(w http.ResponseWriter, oauthHelper fosite.OAuth2Provider, authorizeRequester fosite.AuthorizeRequester) bool {
- isStaticClient := authorizeRequester.GetClient().GetID() == clientregistry.PinnipedCLIClientID
+ isStaticClient := authorizeRequester.GetClient().GetID() == oidcapi.ClientIDPinnipedCLI
 if !isStaticClient {
 oidc.WriteAuthorizeError(w, oauthHelper, authorizeRequester,
 fosite.ErrAccessDenied.WithHintf("This client is not allowed to submit username or password headers to this endpoint."), true)
@@ -331,8 +329,8 @@ func requireStaticClientForUsernameAndPasswordHeaders(w http.ResponseWriter, oau
 }
 
 func requireNonEmptyUsernameAndPasswordHeaders(r *http.Request, w http.ResponseWriter, oauthHelper fosite.OAuth2Provider, authorizeRequester fosite.AuthorizeRequester) (string, string, bool) {
- username := r.Header.Get(supervisoroidc.AuthorizeUsernameHeaderName)
- password := r.Header.Get(supervisoroidc.AuthorizePasswordHeaderName)
+ username := r.Header.Get(oidcapi.AuthorizeUsernameHeaderName)
+ password := r.Header.Get(oidcapi.AuthorizePasswordHeaderName)
 if username == "" || password == "" {
 oidc.WriteAuthorizeError(w, oauthHelper, authorizeRequester,
 fosite.ErrAccessDenied.WithHintf("Missing or blank username or password."), true)
@@ -348,13 +346,13 @@ func newAuthorizeRequest(r *http.Request, w http.ResponseWriter, oauthHelper fos return nil, false } - // Automatically grant the openid, offline_access, pinniped:request-audience, and groups scopes, but only if they were requested. + // Automatically grant certain scopes, but only if they were requested. // Grant the openid scope (for now) if they asked for it so that `NewAuthorizeResponse` will perform its OIDC validations. // There don't seem to be any validations inside `NewAuthorizeResponse` related to the offline_access scope // at this time, however we will temporarily grant the scope just in case that changes in a future release of fosite. // This is instead of asking the user to approve these scopes. Note that `NewAuthorizeRequest` would have returned // an error if the client requested a scope that they are not allowed to request, so we don't need to worry about that here. - downstreamsession.GrantScopesIfRequested(authorizeRequester, []string{coreosoidc.ScopeOpenID, coreosoidc.ScopeOfflineAccess, oidc.RequestAudienceScope, oidc.DownstreamGroupsScope}) + downstreamsession.AutoApproveScopes(authorizeRequester) return authorizeRequester, true } @@ -487,7 +485,7 @@ func handleBrowserFlowAuthRequest( } promptParam := r.Form.Get(promptParamName) - if promptParam == promptParamNone && oidc.ScopeWasRequested(authorizeRequester, coreosoidc.ScopeOpenID) { + if promptParam == promptParamNone && oidc.ScopeWasRequested(authorizeRequester, oidcapi.ScopeOpenID) { oidc.WriteAuthorizeError(w, oauthHelper, authorizeRequester, fosite.ErrLoginRequired, false) return nil, nil // already wrote the error response, don't return error } 
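Review bot: The rewritten comment `// Automatically grant certain scopes, but only if they were requested.` above the new `downstreamsession.AutoApproveScopes(authorizeRequester)` call contradicts the test expectations later in this commit, where the `username` and `groups` scopes are granted even when only `email` was requested, "for backwards compatibility"; since the auto-granted scopes decide which identity claims end up in issued tokens, the comment should state the exact rule instead of "certain scopes". Suggest: `// Automatically grant the openid and offline_access scopes only if they were requested, and grant the username and groups scopes even when not requested, for backwards compatibility with older clients. See AutoApproveScopes for the authoritative list.` — with the list adjusted to whatever AutoApproveScopes actually does, since its body (and the fate of the former pinniped:request-audience entry) is not in this diff. newAuthorizeRequest starts outside the hunk.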
@@ -538,8 +536,8 @@ func upstreamStateParam( encoder oidc.Encoder, ) (string, error) { stateParamData := oidc.UpstreamStateParamData{ - // The auth params might have included supervisoroidc.AuthorizeUpstreamIDPNameParamName and - // supervisoroidc.AuthorizeUpstreamIDPTypeParamName, but those can be ignored by other handlers + // The auth params might have included oidcapi.AuthorizeUpstreamIDPNameParamName and + // oidcapi.AuthorizeUpstreamIDPTypeParamName, but those can be ignored by other handlers // that are reading from the encoded upstream state param being built here. // The UpstreamName and UpstreamType struct fields can be used instead. // Remove those params here to avoid potential confusion about which should be used later. @@ -565,8 +563,8 @@ func removeCustomIDPParams(params url.Values) url.Values { p[k] = v } // Remove the unnecessary params. - delete(p, supervisoroidc.AuthorizeUpstreamIDPNameParamName) - delete(p, supervisoroidc.AuthorizeUpstreamIDPTypeParamName) + delete(p, oidcapi.AuthorizeUpstreamIDPNameParamName) + delete(p, oidcapi.AuthorizeUpstreamIDPTypeParamName) return p } diff --git a/internal/oidc/auth/auth_handler_test.go b/internal/oidc/auth/auth_handler_test.go index 6f8e7598..6d19b9c7 100644 --- a/internal/oidc/auth/auth_handler_test.go +++ b/internal/oidc/auth/auth_handler_test.go @@ -34,6 +34,7 @@ import ( "go.pinniped.dev/internal/oidc" "go.pinniped.dev/internal/oidc/csrftoken" "go.pinniped.dev/internal/oidc/jwks" + "go.pinniped.dev/internal/oidc/oidcclientvalidator" "go.pinniped.dev/internal/oidc/provider" "go.pinniped.dev/internal/psession" "go.pinniped.dev/internal/testutil" 
@@ -391,8 +392,8 @@ func TestAuthorizationEndpoint(t *testing.T) { return urlToReturn } - happyDownstreamScopesRequested := []string{"openid", "profile", "email", "groups"} - happyDownstreamScopesGranted := []string{"openid", "groups"} + happyDownstreamScopesRequested := []string{"openid", "profile", "email", "username", "groups"} + happyDownstreamScopesGranted := []string{"openid", "username", "groups"} happyGetRequestQueryMap := map[string]string{ "response_type": "code", @@ -465,6 +466,7 @@ func TestAuthorizationEndpoint(t *testing.T) { } expectedHappyActiveDirectoryUpstreamCustomSession := &psession.CustomSessionData{ + Username: happyLDAPUsernameFromAuthenticator, ProviderUID: activeDirectoryUpstreamResourceUID, ProviderName: activeDirectoryUpstreamName, ProviderType: psession.ProviderTypeActiveDirectory, @@ -477,6 +479,7 @@ func TestAuthorizationEndpoint(t *testing.T) { } expectedHappyLDAPUpstreamCustomSession := &psession.CustomSessionData{ + Username: happyLDAPUsernameFromAuthenticator, ProviderUID: ldapUpstreamResourceUID, ProviderName: ldapUpstreamName, ProviderType: psession.ProviderTypeLDAP, @@ -489,6 +492,7 @@ func TestAuthorizationEndpoint(t *testing.T) { } expectedHappyOIDCPasswordGrantCustomSession := &psession.CustomSessionData{ + Username: oidcUpstreamUsername, ProviderUID: oidcPasswordGrantUpstreamResourceUID, ProviderName: oidcPasswordGrantUpstreamName, ProviderType: psession.ProviderTypeOIDC, 
@@ -499,7 +503,16 @@ func TestAuthorizationEndpoint(t *testing.T) { }, } + expectedHappyOIDCPasswordGrantCustomSessionWithUsername := func(wantUsername string) *psession.CustomSessionData { + copyOfCustomSession := *expectedHappyOIDCPasswordGrantCustomSession + copyOfOIDC := *(expectedHappyOIDCPasswordGrantCustomSession.OIDC) + copyOfCustomSession.OIDC = ©OfOIDC + copyOfCustomSession.Username = wantUsername + return ©OfCustomSession + } + expectedHappyOIDCPasswordGrantCustomSessionWithAccessToken := &psession.CustomSessionData{ + Username: oidcUpstreamUsername, ProviderUID: oidcPasswordGrantUpstreamResourceUID, ProviderName: oidcPasswordGrantUpstreamName, ProviderType: psession.ProviderTypeOIDC, @@ -512,13 +525,14 @@ func TestAuthorizationEndpoint(t *testing.T) { addFullyCapableDynamicClientAndSecretToKubeResources := func(t *testing.T, supervisorClient *supervisorfake.Clientset, kubeClient *fake.Clientset) { oidcClient, secret := testutil.FullyCapableOIDCClientAndStorageSecret(t, - "some-namespace", dynamicClientID, dynamicClientUID, downstreamRedirectURI, []string{testutil.HashedPassword1AtGoMinCost}) + "some-namespace", dynamicClientID, dynamicClientUID, downstreamRedirectURI, + []string{testutil.HashedPassword1AtGoMinCost}, oidcclientvalidator.Validate) require.NoError(t, supervisorClient.Tracker().Add(oidcClient)) require.NoError(t, kubeClient.Tracker().Add(secret)) } // Note that fosite puts the granted scopes as a param in the redirect URI even though the spec doesn't seem to require it - happyAuthcodeDownstreamRedirectLocationRegexp := downstreamRedirectURI + `\?code=([^&]+)&scope=openid\+groups&state=` + happyState + happyAuthcodeDownstreamRedirectLocationRegexp := downstreamRedirectURI + `\?code=([^&]+)&scope=openid\+username\+groups&state=` + happyState incomingCookieCSRFValue := "csrf-value-from-cookie" encodedIncomingCookieCSRFValue, err := happyCookieEncoder.Encode("csrf", incomingCookieCSRFValue) 
@@ -528,6 +542,7 @@ func TestAuthorizationEndpoint(t *testing.T) { name string idps *oidctestutil.UpstreamIDPListerBuilder + kubeResources func(t *testing.T, supervisorClient *supervisorfake.Clientset, kubeClient *fake.Clientset) generateCSRF func() (csrftoken.CSRFToken, error) generatePKCE func() (pkce.Code, error) generateNonce func() (nonce.Nonce, error) @@ -540,7 +555,6 @@ func TestAuthorizationEndpoint(t *testing.T) { csrfCookie string customUsernameHeader *string // nil means do not send header, empty means send header with empty value customPasswordHeader *string // nil means do not send header, empty means send header with empty value - kubeResources func(t *testing.T, supervisorClient *supervisorfake.Clientset, kubeClient *fake.Clientset) wantStatus int wantContentType string @@ -1122,7 +1136,7 @@ func TestAuthorizationEndpoint(t *testing.T) { wantPasswordGrantCall: happyUpstreamPasswordGrantMockExpectation, wantStatus: http.StatusFound, wantContentType: htmlContentType, - wantRedirectLocationRegexp: downstreamRedirectURIWithDifferentPort + `\?code=([^&]+)&scope=openid\+groups&state=` + happyState, + wantRedirectLocationRegexp: downstreamRedirectURIWithDifferentPort + `\?code=([^&]+)&scope=openid\+username\+groups&state=` + happyState, wantDownstreamIDTokenSubject: oidcUpstreamIssuer + "?sub=" + oidcUpstreamSubjectQueryEscaped, wantDownstreamIDTokenUsername: oidcUpstreamUsername, wantDownstreamIDTokenGroups: oidcUpstreamGroupMembership, 
@@ -1145,7 +1159,7 @@ func TestAuthorizationEndpoint(t *testing.T) { customPasswordHeader: pointer.StringPtr(happyLDAPPassword), wantStatus: http.StatusFound, wantContentType: htmlContentType, - wantRedirectLocationRegexp: downstreamRedirectURIWithDifferentPort + `\?code=([^&]+)&scope=openid\+groups&state=` + happyState, + wantRedirectLocationRegexp: downstreamRedirectURIWithDifferentPort + `\?code=([^&]+)&scope=openid\+username\+groups&state=` + happyState, wantDownstreamIDTokenSubject: upstreamLDAPURL + "&sub=" + happyLDAPUID, wantDownstreamIDTokenUsername: happyLDAPUsernameFromAuthenticator, wantDownstreamIDTokenGroups: happyLDAPGroups, @@ -1219,6 +1233,7 @@ func TestAuthorizationEndpoint(t *testing.T) { wantDownstreamPKCEChallenge: downstreamPKCEChallenge, wantDownstreamPKCEChallengeMethod: downstreamPKCEChallengeMethod, wantDownstreamCustomSessionData: &psession.CustomSessionData{ + Username: oidcUpstreamUsername, ProviderUID: oidcPasswordGrantUpstreamResourceUID, ProviderName: oidcPasswordGrantUpstreamName, ProviderType: psession.ProviderTypeOIDC, 
@@ -2373,13 +2388,13 @@ func TestAuthorizationEndpoint(t *testing.T) { wantPasswordGrantCall: happyUpstreamPasswordGrantMockExpectation, wantStatus: http.StatusFound, wantContentType: htmlContentType, - wantRedirectLocationRegexp: downstreamRedirectURI + `\?code=([^&]+)&scope=&state=` + happyState, // no scopes granted + wantRedirectLocationRegexp: downstreamRedirectURI + `\?code=([^&]+)&scope=username\+groups&state=` + happyState, // username and groups scopes were not requested, but are granted anyway for backwards compatibility wantDownstreamIDTokenSubject: oidcUpstreamIssuer + "?sub=" + oidcUpstreamSubjectQueryEscaped, - wantDownstreamIDTokenUsername: oidcUpstreamUsername, - wantDownstreamIDTokenGroups: oidcUpstreamGroupMembership, - wantDownstreamRequestedScopes: []string{"email"}, // only email was requested + wantDownstreamIDTokenUsername: oidcUpstreamUsername, // username scope was not requested, but is granted anyway for backwards compatibility + wantDownstreamIDTokenGroups: oidcUpstreamGroupMembership, // groups scope was not requested, but is granted anyway for backwards compatibility + wantDownstreamRequestedScopes: []string{"email"}, // only email was requested wantDownstreamRedirectURI: downstreamRedirectURI, - wantDownstreamGrantedScopes: []string{}, // no scopes granted + wantDownstreamGrantedScopes: []string{"username", "groups"}, // username and groups scopes were not requested, but are granted anyway for backwards compatibility wantDownstreamNonce: downstreamNonce, wantDownstreamPKCEChallenge: downstreamPKCEChallenge, wantDownstreamPKCEChallengeMethod: downstreamPKCEChallengeMethod, 
@@ -2395,13 +2410,13 @@ func TestAuthorizationEndpoint(t *testing.T) { customPasswordHeader: pointer.StringPtr(happyLDAPPassword), wantStatus: http.StatusFound, wantContentType: htmlContentType, - wantRedirectLocationRegexp: downstreamRedirectURI + `\?code=([^&]+)&scope=&state=` + happyState, // no scopes granted + wantRedirectLocationRegexp: downstreamRedirectURI + `\?code=([^&]+)&scope=username\+groups&state=` + happyState, // username and groups scopes were not requested, but are granted anyway for backwards compatibility wantDownstreamIDTokenSubject: upstreamLDAPURL + "&sub=" + happyLDAPUID, - wantDownstreamIDTokenUsername: happyLDAPUsernameFromAuthenticator, - wantDownstreamIDTokenGroups: happyLDAPGroups, - wantDownstreamRequestedScopes: []string{"email"}, // only email was requested + wantDownstreamIDTokenUsername: happyLDAPUsernameFromAuthenticator, // username scope was not requested, but is granted anyway for backwards compatibility + wantDownstreamIDTokenGroups: happyLDAPGroups, // groups scope was not requested, but is granted anyway for backwards compatibility + wantDownstreamRequestedScopes: []string{"email"}, // only email was requested wantDownstreamRedirectURI: downstreamRedirectURI, - wantDownstreamGrantedScopes: []string{}, // no scopes granted + wantDownstreamGrantedScopes: []string{"username", "groups"}, // username and groups scopes were not requested, but are granted anyway for backwards compatibility wantDownstreamNonce: downstreamNonce, wantDownstreamPKCEChallenge: downstreamPKCEChallenge, wantDownstreamPKCEChallengeMethod: downstreamPKCEChallengeMethod, 
@@ -2429,7 +2444,7 @@ func TestAuthorizationEndpoint(t *testing.T) { wantDownstreamNonce: downstreamNonce, wantDownstreamPKCEChallenge: downstreamPKCEChallenge, wantDownstreamPKCEChallengeMethod: downstreamPKCEChallengeMethod, - wantDownstreamCustomSessionData: expectedHappyOIDCPasswordGrantCustomSession, + wantDownstreamCustomSessionData: expectedHappyOIDCPasswordGrantCustomSessionWithUsername(oidcUpstreamIssuer + "?sub=" + oidcUpstreamSubjectQueryEscaped), }, { name: "OIDC upstream password grant: upstream IDP configures username claim as special claim `email` and `email_verified` upstream claim is missing", @@ -2455,7 +2470,7 @@ func TestAuthorizationEndpoint(t *testing.T) { wantDownstreamNonce: downstreamNonce, wantDownstreamPKCEChallenge: downstreamPKCEChallenge, wantDownstreamPKCEChallengeMethod: downstreamPKCEChallengeMethod, - wantDownstreamCustomSessionData: expectedHappyOIDCPasswordGrantCustomSession, + wantDownstreamCustomSessionData: expectedHappyOIDCPasswordGrantCustomSessionWithUsername("joe@whitehouse.gov"), }, { name: "OIDC upstream password grant: upstream IDP configures username claim as special claim `email` and `email_verified` upstream claim is present with true value", @@ -2482,7 +2497,7 @@ func TestAuthorizationEndpoint(t *testing.T) { wantDownstreamNonce: downstreamNonce, wantDownstreamPKCEChallenge: downstreamPKCEChallenge, wantDownstreamPKCEChallengeMethod: downstreamPKCEChallengeMethod, - wantDownstreamCustomSessionData: expectedHappyOIDCPasswordGrantCustomSession, + wantDownstreamCustomSessionData: expectedHappyOIDCPasswordGrantCustomSessionWithUsername("joe@whitehouse.gov"), }, { name: "OIDC upstream password grant: upstream IDP configures username claim as anything other than special claim `email` and `email_verified` upstream claim is present with false value", 
@@ -2510,7 +2525,7 @@ func TestAuthorizationEndpoint(t *testing.T) {
 wantDownstreamNonce: downstreamNonce,
 wantDownstreamPKCEChallenge: downstreamPKCEChallenge,
 wantDownstreamPKCEChallengeMethod: downstreamPKCEChallengeMethod,
- wantDownstreamCustomSessionData: expectedHappyOIDCPasswordGrantCustomSession,
+ wantDownstreamCustomSessionData: expectedHappyOIDCPasswordGrantCustomSessionWithUsername("joe"),
 },
 {
 name: "OIDC upstream password grant: upstream IDP configures username claim as special claim `email` and `email_verified` upstream claim is present with illegal value",
@@ -2570,7 +2585,7 @@ func TestAuthorizationEndpoint(t *testing.T) {
 wantDownstreamNonce: downstreamNonce,
 wantDownstreamPKCEChallenge: downstreamPKCEChallenge,
 wantDownstreamPKCEChallengeMethod: downstreamPKCEChallengeMethod,
- wantDownstreamCustomSessionData: expectedHappyOIDCPasswordGrantCustomSession,
+ wantDownstreamCustomSessionData: expectedHappyOIDCPasswordGrantCustomSessionWithUsername(oidcUpstreamSubject),
 },
 {
 name: "OIDC upstream password grant: upstream IDP's configured groups claim in the ID token has a non-array value",
diff --git a/internal/oidc/callback/callback_handler.go b/internal/oidc/callback/callback_handler.go
index 88b94392..f3a37b9d 100644
--- a/internal/oidc/callback/callback_handler.go
+++ b/internal/oidc/callback/callback_handler.go
@@ -8,7 +8,6 @@ import (
 "net/http"
 "net/url"
 
- coreosoidc "github.com/coreos/go-oidc/v3/oidc"
 "github.com/ory/fosite"
 
 "go.pinniped.dev/internal/httputil/httperr"
@@ -53,10 +52,10 @@ func NewHandler(
 return httperr.New(http.StatusBadRequest, "error using state downstream auth params")
 }
 
- // Automatically grant the openid, offline_access, pinniped:request-audience, and groups scopes, but only if they were requested.
+ // Automatically grant certain scopes, but only if they were requested.
 // This is instead of asking the user to approve these scopes. Note that `NewAuthorizeRequest` would have returned
 // an error if the client requested a scope that they are not allowed to request, so we don't need to worry about that here.
- downstreamsession.GrantScopesIfRequested(authorizeRequester, []string{coreosoidc.ScopeOpenID, coreosoidc.ScopeOfflineAccess, oidc.RequestAudienceScope, oidc.DownstreamGroupsScope})
+ downstreamsession.AutoApproveScopes(authorizeRequester)
 
 token, err := upstreamIDPConfig.ExchangeAuthcodeAndValidateTokens(
 r.Context(),
@@ -75,7 +74,7 @@ func NewHandler(
 return httperr.Wrap(http.StatusUnprocessableEntity, err.Error(), err)
 }
 
- customSessionData, err := downstreamsession.MakeDownstreamOIDCCustomSessionData(upstreamIDPConfig, token)
+ customSessionData, err := downstreamsession.MakeDownstreamOIDCCustomSessionData(upstreamIDPConfig, token, username)
 if err != nil {
 return httperr.Wrap(http.StatusUnprocessableEntity, err.Error(), err)
 }
diff --git a/internal/oidc/callback/callback_handler_test.go b/internal/oidc/callback/callback_handler_test.go
index 57dcfcd5..44794ea5 100644
--- a/internal/oidc/callback/callback_handler_test.go
+++ b/internal/oidc/callback/callback_handler_test.go
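Review bot: The new comment above `downstreamsession.AutoApproveScopes(authorizeRequester)` still claims scopes are granted "only if they were requested", but the test expectations in this same patch say otherwise for the static client: the callback case "form_post happy path without username or groups scopes requested" and the authorization-endpoint cases that request only `email` expect `username` and `groups` to be granted anyway "for backwards compatibility". With the scope list gone from the call site, nothing here corrects that impression, so spell it out: `// Automatically grant the auto-approvable scopes that the client requested (see downstreamsession.AutoApproveScopes for the list). For the static pinniped-cli client, username and groups are also granted when not requested, for backwards compatibility with older CLIs.` The exact list and the client check live in downstreamsession, outside this diff, so confirm the wording against that function. NewHandler's body starts and ends outside the hunk.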
@@ -19,9 +19,11 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/client-go/kubernetes/fake" + configv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/config/v1alpha1" supervisorfake "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned/fake" "go.pinniped.dev/internal/oidc" "go.pinniped.dev/internal/oidc/jwks" + "go.pinniped.dev/internal/oidc/oidcclientvalidator" "go.pinniped.dev/internal/psession" "go.pinniped.dev/internal/testutil" "go.pinniped.dev/internal/testutil/oidctestutil" @@ -66,8 +68,8 @@ const ( var ( oidcUpstreamGroupMembership = []string{"test-pinniped-group-0", "test-pinniped-group-1"} - happyDownstreamScopesRequested = []string{"openid", "groups"} - happyDownstreamScopesGranted = []string{"openid", "groups"} + happyDownstreamScopesRequested = []string{"openid", "username", "groups"} + happyDownstreamScopesGranted = []string{"openid", "username", "groups"} happyDownstreamRequestParamsQuery = url.Values{ "response_type": []string{"code"}, @@ -81,11 +83,13 @@ var ( } happyDownstreamRequestParams = happyDownstreamRequestParamsQuery.Encode() - happyDownstreamRequestParamsForDynamicClient = shallowCopyAndModifyQuery(happyDownstreamRequestParamsQuery, + happyDownstreamRequestParamsQueryForDynamicClient = shallowCopyAndModifyQuery(happyDownstreamRequestParamsQuery, map[string]string{"client_id": downstreamDynamicClientID}, - ).Encode() + ) + happyDownstreamRequestParamsForDynamicClient = happyDownstreamRequestParamsQueryForDynamicClient.Encode() happyDownstreamCustomSessionData = &psession.CustomSessionData{ + Username: oidcUpstreamUsername, ProviderUID: happyUpstreamIDPResourceUID, ProviderName: happyUpstreamIDPName, ProviderType: psession.ProviderTypeOIDC, 
@@ -95,7 +99,15 @@ var ( UpstreamSubject: oidcUpstreamSubject, }, } + happyDownstreamCustomSessionDataWithUsername = func(wantUsername string) *psession.CustomSessionData { + copyOfCustomSession := *happyDownstreamCustomSessionData + copyOfOIDC := *(happyDownstreamCustomSessionData.OIDC) + copyOfCustomSession.OIDC = ©OfOIDC + copyOfCustomSession.Username = wantUsername + return ©OfCustomSession + } happyDownstreamAccessTokenCustomSessionData = &psession.CustomSessionData{ + Username: oidcUpstreamUsername, ProviderUID: happyUpstreamIDPResourceUID, ProviderName: happyUpstreamIDPName, ProviderType: psession.ProviderTypeOIDC, @@ -143,11 +155,12 @@ func TestCallbackEndpoint(t *testing.T) { } // Note that fosite puts the granted scopes as a param in the redirect URI even though the spec doesn't seem to require it - happyDownstreamRedirectLocationRegexp := downstreamRedirectURI + `\?code=([^&]+)&scope=openid\+groups&state=` + happyDownstreamState + happyDownstreamRedirectLocationRegexp := downstreamRedirectURI + `\?code=([^&]+)&scope=openid\+username\+groups&state=` + happyDownstreamState addFullyCapableDynamicClientAndSecretToKubeResources := func(t *testing.T, supervisorClient *supervisorfake.Clientset, kubeClient *fake.Clientset) { oidcClient, secret := testutil.FullyCapableOIDCClientAndStorageSecret(t, - "some-namespace", downstreamDynamicClientID, downstreamDynamicClientUID, downstreamRedirectURI, []string{testutil.HashedPassword1AtGoMinCost}) + "some-namespace", downstreamDynamicClientID, downstreamDynamicClientUID, downstreamRedirectURI, + []string{testutil.HashedPassword1AtGoMinCost}, oidcclientvalidator.Validate) require.NoError(t, supervisorClient.Tracker().Add(oidcClient)) require.NoError(t, kubeClient.Tracker().Add(secret)) } 
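Review bot: `happyDownstreamCustomSessionDataWithUsername` has no comment saying why it copies the outer struct and re-points `OIDC` at a copy instead of just setting `Username` on the shared fixture; the reason (presumably so no test case mutates `happyDownstreamCustomSessionData`, which other cases compare against directly) should be stated, e.g. `// Returns a copy of happyDownstreamCustomSessionData with Username replaced; the OIDC sub-struct is copied too so callers never alias the shared fixture.` The dereference would panic if `OIDC` were nil, which the fixture above rules out, but a one-line note saves the next reader the check. What appears here as `©OfOIDC` reads like `&copyOfOIDC` mangled by an HTML-entity decode in transit rather than what was committed; worth confirming against the repository. The `var (` block enclosing this helper starts and ends outside the hunk.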
@@ -284,7 +297,7 @@ func TestCallbackEndpoint(t *testing.T) { }, }, { - name: "form_post happy path with no groups scope requested", + name: "form_post happy path without username or groups scopes requested", idps: oidctestutil.NewUpstreamIDPListerBuilder().WithOIDC(happyUpstream().Build()), method: http.MethodGet, path: newRequestPath().WithState( @@ -298,14 +311,16 @@ func TestCallbackEndpoint(t *testing.T) { ).Encode(), ).Build(t, happyStateCodec), ).String(), - csrfCookie: happyCSRFCookie, - wantStatus: http.StatusOK, - wantContentType: "text/html;charset=UTF-8", - wantBodyFormResponseRegexp: `(.+)`, - wantDownstreamIDTokenSubject: oidcUpstreamIssuer + "?sub=" + oidcUpstreamSubjectQueryEscaped, - wantDownstreamIDTokenUsername: oidcUpstreamUsername, - wantDownstreamRequestedScopes: []string{"openid"}, - wantDownstreamGrantedScopes: []string{"openid"}, + csrfCookie: happyCSRFCookie, + wantStatus: http.StatusOK, + wantContentType: "text/html;charset=UTF-8", + wantBodyFormResponseRegexp: `(.+)`, + wantDownstreamIDTokenSubject: oidcUpstreamIssuer + "?sub=" + oidcUpstreamSubjectQueryEscaped, + wantDownstreamIDTokenUsername: oidcUpstreamUsername, + wantDownstreamRequestedScopes: []string{"openid"}, + wantDownstreamIDTokenGroups: oidcUpstreamGroupMembership, + // username and groups scopes were not requested but are granted anyway for the pinniped-cli client for backwards compatibility + wantDownstreamGrantedScopes: []string{"openid", "username", "groups"}, wantDownstreamNonce: downstreamNonce, wantDownstreamClientID: downstreamPinnipedClientID, wantDownstreamPKCEChallenge: downstreamPKCEChallenge, 
@@ -335,6 +350,7 @@ func TestCallbackEndpoint(t *testing.T) { wantDownstreamPKCEChallenge: downstreamPKCEChallenge, wantDownstreamPKCEChallengeMethod: downstreamPKCEChallengeMethod, wantDownstreamCustomSessionData: &psession.CustomSessionData{ + Username: oidcUpstreamUsername, ProviderUID: happyUpstreamIDPResourceUID, ProviderName: happyUpstreamIDPName, ProviderType: psession.ProviderTypeOIDC, @@ -370,7 +386,7 @@ func TestCallbackEndpoint(t *testing.T) { wantDownstreamClientID: downstreamPinnipedClientID, wantDownstreamPKCEChallenge: downstreamPKCEChallenge, wantDownstreamPKCEChallengeMethod: downstreamPKCEChallengeMethod, - wantDownstreamCustomSessionData: happyDownstreamCustomSessionData, + wantDownstreamCustomSessionData: happyDownstreamCustomSessionDataWithUsername(oidcUpstreamIssuer + "?sub=" + oidcUpstreamSubjectQueryEscaped), wantAuthcodeExchangeCall: &expectedAuthcodeExchange{ performedByUpstreamName: happyUpstreamIDPName, args: happyExchangeAndValidateTokensArgs, @@ -396,7 +412,7 @@ func TestCallbackEndpoint(t *testing.T) { wantDownstreamClientID: downstreamPinnipedClientID, wantDownstreamPKCEChallenge: downstreamPKCEChallenge, wantDownstreamPKCEChallengeMethod: downstreamPKCEChallengeMethod, - wantDownstreamCustomSessionData: happyDownstreamCustomSessionData, + wantDownstreamCustomSessionData: happyDownstreamCustomSessionDataWithUsername("joe@whitehouse.gov"), wantAuthcodeExchangeCall: &expectedAuthcodeExchange{ performedByUpstreamName: happyUpstreamIDPName, args: happyExchangeAndValidateTokensArgs, 
@@ -424,7 +440,7 @@ func TestCallbackEndpoint(t *testing.T) { wantDownstreamClientID: downstreamPinnipedClientID, wantDownstreamPKCEChallenge: downstreamPKCEChallenge, wantDownstreamPKCEChallengeMethod: downstreamPKCEChallengeMethod, - wantDownstreamCustomSessionData: happyDownstreamCustomSessionData, + wantDownstreamCustomSessionData: happyDownstreamCustomSessionDataWithUsername("joe@whitehouse.gov"), wantAuthcodeExchangeCall: &expectedAuthcodeExchange{ performedByUpstreamName: happyUpstreamIDPName, args: happyExchangeAndValidateTokensArgs, @@ -453,7 +469,7 @@ func TestCallbackEndpoint(t *testing.T) { wantDownstreamClientID: downstreamPinnipedClientID, wantDownstreamPKCEChallenge: downstreamPKCEChallenge, wantDownstreamPKCEChallengeMethod: downstreamPKCEChallengeMethod, - wantDownstreamCustomSessionData: happyDownstreamCustomSessionData, + wantDownstreamCustomSessionData: happyDownstreamCustomSessionDataWithUsername("joe"), wantAuthcodeExchangeCall: &expectedAuthcodeExchange{ performedByUpstreamName: happyUpstreamIDPName, args: happyExchangeAndValidateTokensArgs, @@ -584,7 +600,7 @@ func TestCallbackEndpoint(t *testing.T) { wantDownstreamClientID: downstreamPinnipedClientID, wantDownstreamPKCEChallenge: downstreamPKCEChallenge, wantDownstreamPKCEChallengeMethod: downstreamPKCEChallengeMethod, - wantDownstreamCustomSessionData: happyDownstreamCustomSessionData, + wantDownstreamCustomSessionData: happyDownstreamCustomSessionDataWithUsername(oidcUpstreamSubject), wantAuthcodeExchangeCall: &expectedAuthcodeExchange{ performedByUpstreamName: happyUpstreamIDPName, args: happyExchangeAndValidateTokensArgs, 
@@ -642,6 +658,152 @@ func TestCallbackEndpoint(t *testing.T) { args: happyExchangeAndValidateTokensArgs, }, }, + { + name: "using dynamic client which is allowed to request username scope, but does not actually request username scope in authorize request, does not get username in ID token", + idps: oidctestutil.NewUpstreamIDPListerBuilder().WithOIDC(happyUpstream().Build()), + kubeResources: addFullyCapableDynamicClientAndSecretToKubeResources, + method: http.MethodGet, + path: newRequestPath().WithState( + happyUpstreamStateParamForDynamicClient(). + WithAuthorizeRequestParams(shallowCopyAndModifyQuery(happyDownstreamRequestParamsQueryForDynamicClient, + map[string]string{"scope": "openid groups offline_access"}).Encode()). + Build(t, happyStateCodec), + ).String(), + csrfCookie: happyCSRFCookie, + wantStatus: http.StatusSeeOther, + wantRedirectLocationRegexp: downstreamRedirectURI + `\?code=([^&]+)&scope=openid\+offline_access\+groups&state=` + happyDownstreamState, + wantBody: "", + wantDownstreamIDTokenSubject: oidcUpstreamIssuer + "?sub=" + oidcUpstreamSubjectQueryEscaped, + wantDownstreamIDTokenUsername: "", // username scope was not requested + wantDownstreamIDTokenGroups: oidcUpstreamGroupMembership, + wantDownstreamRequestedScopes: []string{"openid", "groups", "offline_access"}, + wantDownstreamGrantedScopes: []string{"openid", "groups", "offline_access"}, + wantDownstreamNonce: downstreamNonce, + wantDownstreamClientID: downstreamDynamicClientID, + wantDownstreamPKCEChallenge: downstreamPKCEChallenge, + wantDownstreamPKCEChallengeMethod: downstreamPKCEChallengeMethod, + wantDownstreamCustomSessionData: happyDownstreamCustomSessionData, + wantAuthcodeExchangeCall: &expectedAuthcodeExchange{ + performedByUpstreamName: happyUpstreamIDPName, + args: happyExchangeAndValidateTokensArgs, + }, + }, + { + name: "using dynamic client which is allowed to request groups scope, but does not actually request groups scope in authorize request, does not get groups in ID 
token", + idps: oidctestutil.NewUpstreamIDPListerBuilder().WithOIDC(happyUpstream().Build()), + kubeResources: addFullyCapableDynamicClientAndSecretToKubeResources, + method: http.MethodGet, + path: newRequestPath().WithState( + happyUpstreamStateParamForDynamicClient(). + WithAuthorizeRequestParams(shallowCopyAndModifyQuery(happyDownstreamRequestParamsQueryForDynamicClient, + map[string]string{"scope": "openid username offline_access"}).Encode()). + Build(t, happyStateCodec), + ).String(), + csrfCookie: happyCSRFCookie, + wantStatus: http.StatusSeeOther, + wantRedirectLocationRegexp: downstreamRedirectURI + `\?code=([^&]+)&scope=openid\+offline_access\+username&state=` + happyDownstreamState, + wantBody: "", + wantDownstreamIDTokenSubject: oidcUpstreamIssuer + "?sub=" + oidcUpstreamSubjectQueryEscaped, + wantDownstreamIDTokenUsername: oidcUpstreamUsername, + wantDownstreamIDTokenGroups: nil, // groups scope was not requested + wantDownstreamRequestedScopes: []string{"openid", "username", "offline_access"}, + wantDownstreamGrantedScopes: []string{"openid", "username", "offline_access"}, + wantDownstreamNonce: downstreamNonce, + wantDownstreamClientID: downstreamDynamicClientID, + wantDownstreamPKCEChallenge: downstreamPKCEChallenge, + wantDownstreamPKCEChallengeMethod: downstreamPKCEChallengeMethod, + wantDownstreamCustomSessionData: happyDownstreamCustomSessionData, + wantAuthcodeExchangeCall: &expectedAuthcodeExchange{ + performedByUpstreamName: happyUpstreamIDPName, + args: happyExchangeAndValidateTokensArgs, + }, + }, + { + name: "using dynamic client which is not allowed to request username scope, and does not actually request username scope in authorize request, does not get username in ID token", + idps: oidctestutil.NewUpstreamIDPListerBuilder().WithOIDC(happyUpstream().Build()), + kubeResources: func(t *testing.T, supervisorClient *supervisorfake.Clientset, kubeClient *fake.Clientset) { + oidcClient, secret := testutil.OIDCClientAndStorageSecret(t, + 
"some-namespace", downstreamDynamicClientID, downstreamDynamicClientUID, + []configv1alpha1.GrantType{"authorization_code", "refresh_token"}, // token exchange not allowed (required to exclude username scope) + []configv1alpha1.Scope{"openid", "offline_access", "groups"}, // username not allowed + downstreamRedirectURI, []string{testutil.HashedPassword1AtGoMinCost}, oidcclientvalidator.Validate) + require.NoError(t, supervisorClient.Tracker().Add(oidcClient)) + require.NoError(t, kubeClient.Tracker().Add(secret)) + }, + method: http.MethodGet, + path: newRequestPath().WithState( + happyUpstreamStateParam().WithAuthorizeRequestParams( + shallowCopyAndModifyQuery( + happyDownstreamRequestParamsQuery, + map[string]string{ + "client_id": downstreamDynamicClientID, + "scope": "openid offline_access groups", + }, + ).Encode(), + ).Build(t, happyStateCodec), + ).String(), + csrfCookie: happyCSRFCookie, + wantStatus: http.StatusSeeOther, + wantRedirectLocationRegexp: downstreamRedirectURI + `\?code=([^&]+)&scope=openid\+offline_access\+groups&state=` + happyDownstreamState, + wantBody: "", + wantDownstreamIDTokenSubject: oidcUpstreamIssuer + "?sub=" + oidcUpstreamSubjectQueryEscaped, + wantDownstreamIDTokenUsername: "", // username scope was not requested + wantDownstreamIDTokenGroups: oidcUpstreamGroupMembership, + wantDownstreamRequestedScopes: []string{"openid", "groups", "offline_access"}, + wantDownstreamGrantedScopes: []string{"openid", "groups", "offline_access"}, + wantDownstreamNonce: downstreamNonce, + wantDownstreamClientID: downstreamDynamicClientID, + wantDownstreamPKCEChallenge: downstreamPKCEChallenge, + wantDownstreamPKCEChallengeMethod: downstreamPKCEChallengeMethod, + wantDownstreamCustomSessionData: happyDownstreamCustomSessionData, + wantAuthcodeExchangeCall: &expectedAuthcodeExchange{ + performedByUpstreamName: happyUpstreamIDPName, + args: happyExchangeAndValidateTokensArgs, + }, + }, + { + name: "using dynamic client which is not allowed to request 
groups scope, and does not actually request groups scope in authorize request, does not get groups in ID token", + idps: oidctestutil.NewUpstreamIDPListerBuilder().WithOIDC(happyUpstream().Build()), + kubeResources: func(t *testing.T, supervisorClient *supervisorfake.Clientset, kubeClient *fake.Clientset) { + oidcClient, secret := testutil.OIDCClientAndStorageSecret(t, + "some-namespace", downstreamDynamicClientID, downstreamDynamicClientUID, + []configv1alpha1.GrantType{"authorization_code", "refresh_token"}, // token exchange not allowed (required to exclude groups scope) + []configv1alpha1.Scope{"openid", "offline_access", "username"}, // groups not allowed + downstreamRedirectURI, []string{testutil.HashedPassword1AtGoMinCost}, oidcclientvalidator.Validate) + require.NoError(t, supervisorClient.Tracker().Add(oidcClient)) + require.NoError(t, kubeClient.Tracker().Add(secret)) + }, + method: http.MethodGet, + path: newRequestPath().WithState( + happyUpstreamStateParam().WithAuthorizeRequestParams( + shallowCopyAndModifyQuery( + happyDownstreamRequestParamsQuery, + map[string]string{ + "client_id": downstreamDynamicClientID, + "scope": "openid offline_access username", + }, + ).Encode(), + ).Build(t, happyStateCodec), + ).String(), + csrfCookie: happyCSRFCookie, + wantStatus: http.StatusSeeOther, + wantRedirectLocationRegexp: downstreamRedirectURI + `\?code=([^&]+)&scope=openid\+offline_access\+username&state=` + happyDownstreamState, + wantBody: "", + wantDownstreamIDTokenSubject: oidcUpstreamIssuer + "?sub=" + oidcUpstreamSubjectQueryEscaped, + wantDownstreamIDTokenUsername: oidcUpstreamUsername, + wantDownstreamIDTokenGroups: nil, // groups scope was not requested + wantDownstreamRequestedScopes: []string{"openid", "username", "offline_access"}, + wantDownstreamGrantedScopes: []string{"openid", "username", "offline_access"}, + wantDownstreamNonce: downstreamNonce, + wantDownstreamClientID: downstreamDynamicClientID, + wantDownstreamPKCEChallenge: 
downstreamPKCEChallenge, + wantDownstreamPKCEChallengeMethod: downstreamPKCEChallengeMethod, + wantDownstreamCustomSessionData: happyDownstreamCustomSessionData, + wantAuthcodeExchangeCall: &expectedAuthcodeExchange{ + performedByUpstreamName: happyUpstreamIDPName, + args: happyExchangeAndValidateTokensArgs, + }, + }, // Pre-upstream-exchange verification { @@ -718,7 +880,8 @@ func TestCallbackEndpoint(t *testing.T) { method: http.MethodGet, path: newRequestPath().WithState( happyUpstreamStateParam(). - WithAuthorizeRequestParams(shallowCopyAndModifyQuery(happyDownstreamRequestParamsQuery, map[string]string{"prompt": "none login"}).Encode()). + WithAuthorizeRequestParams(shallowCopyAndModifyQuery(happyDownstreamRequestParamsQuery, + map[string]string{"prompt": "none login"}).Encode()). Build(t, happyStateCodec), ).String(), csrfCookie: happyCSRFCookie, @@ -759,7 +922,8 @@ func TestCallbackEndpoint(t *testing.T) { method: http.MethodGet, path: newRequestPath().WithState( happyUpstreamStateParam(). - WithAuthorizeRequestParams(shallowCopyAndModifyQuery(happyDownstreamRequestParamsQuery, map[string]string{"client_id": ""}).Encode()). + WithAuthorizeRequestParams(shallowCopyAndModifyQuery(happyDownstreamRequestParamsQuery, + map[string]string{"client_id": ""}).Encode()). Build(t, happyStateCodec), ).String(), csrfCookie: happyCSRFCookie, @@ -773,7 +937,8 @@ func TestCallbackEndpoint(t *testing.T) { method: http.MethodGet, path: newRequestPath().WithState( happyUpstreamStateParam(). - WithAuthorizeRequestParams(shallowCopyAndModifyQuery(happyDownstreamRequestParamsQuery, map[string]string{"client_id": "bogus"}).Encode()). + WithAuthorizeRequestParams(shallowCopyAndModifyQuery(happyDownstreamRequestParamsQuery, + map[string]string{"client_id": "bogus"}).Encode()). Build(t, happyStateCodec), ).String(), csrfCookie: happyCSRFCookie, 
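Review bot: The four new dynamic-client cases assert that an un-requested or disallowed `username`/`groups` scope is absent from the ID token, yet every one of them still expects `wantDownstreamCustomSessionData: happyDownstreamCustomSessionData`, whose `Username` is set to `oidcUpstreamUsername` earlier in this patch. So the stored session records the upstream username regardless of the granted scopes and only the token is scope-filtered; that is presumably intentional (the session likely needs it for later refresh), but the case names and comments do not say so and a reader could take the session to be scope-filtered as well. Add a comment on those expectations, e.g. `// the username is always recorded in the session, even when the username scope was not granted; only the ID token omits it`. The two `kubeResources` closures that build a client lacking one scope are verbatim copies of each other apart from the scope name and are repeated again later in the patch; a small helper taking the allowed scopes would remove the duplication. These cases sit inside the test table of TestCallbackEndpoint, which starts and ends outside the hunk.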
@@ -803,6 +968,64 @@ func TestCallbackEndpoint(t *testing.T) { wantContentType: htmlContentType, wantBody: "Bad Request: error using state downstream auth params\n", }, + { + name: "using dynamic client which is not allowed to request username scope in authorize request but requests it anyway", + idps: oidctestutil.NewUpstreamIDPListerBuilder().WithOIDC(happyUpstream().Build()), + kubeResources: func(t *testing.T, supervisorClient *supervisorfake.Clientset, kubeClient *fake.Clientset) { + oidcClient, secret := testutil.OIDCClientAndStorageSecret(t, + "some-namespace", downstreamDynamicClientID, downstreamDynamicClientUID, + []configv1alpha1.GrantType{"authorization_code", "refresh_token"}, // token exchange not allowed (required to exclude username scope) + []configv1alpha1.Scope{"openid", "offline_access", "groups"}, // username not allowed + downstreamRedirectURI, []string{testutil.HashedPassword1AtGoMinCost}, oidcclientvalidator.Validate) + require.NoError(t, supervisorClient.Tracker().Add(oidcClient)) + require.NoError(t, kubeClient.Tracker().Add(secret)) + }, + method: http.MethodGet, + path: newRequestPath().WithState( + happyUpstreamStateParam().WithAuthorizeRequestParams( + shallowCopyAndModifyQuery( + happyDownstreamRequestParamsQuery, + map[string]string{ + "client_id": downstreamDynamicClientID, + "scope": "openid username", + }, + ).Encode(), + ).Build(t, happyStateCodec), + ).String(), + csrfCookie: happyCSRFCookie, + wantStatus: http.StatusBadRequest, + wantContentType: htmlContentType, + wantBody: "Bad Request: error using state downstream auth params\n", + }, + { + name: "using dynamic client which is not allowed to request groups scope in authorize request but requests it anyway", + idps: oidctestutil.NewUpstreamIDPListerBuilder().WithOIDC(happyUpstream().Build()), + kubeResources: func(t *testing.T, supervisorClient *supervisorfake.Clientset, kubeClient *fake.Clientset) { + oidcClient, secret := testutil.OIDCClientAndStorageSecret(t, + 
"some-namespace", downstreamDynamicClientID, downstreamDynamicClientUID, + []configv1alpha1.GrantType{"authorization_code", "refresh_token"}, // token exchange not allowed (required to exclude groups scope) + []configv1alpha1.Scope{"openid", "offline_access", "username"}, // groups not allowed + downstreamRedirectURI, []string{testutil.HashedPassword1AtGoMinCost}, oidcclientvalidator.Validate) + require.NoError(t, supervisorClient.Tracker().Add(oidcClient)) + require.NoError(t, kubeClient.Tracker().Add(secret)) + }, + method: http.MethodGet, + path: newRequestPath().WithState( + happyUpstreamStateParam().WithAuthorizeRequestParams( + shallowCopyAndModifyQuery( + happyDownstreamRequestParamsQuery, + map[string]string{ + "client_id": downstreamDynamicClientID, + "scope": "openid groups", + }, + ).Encode(), + ).Build(t, happyStateCodec), + ).String(), + csrfCookie: happyCSRFCookie, + wantStatus: http.StatusBadRequest, + wantContentType: htmlContentType, + wantBody: "Bad Request: error using state downstream auth params\n", + }, { name: "state's downstream auth params does not contain openid scope", idps: oidctestutil.NewUpstreamIDPListerBuilder().WithOIDC(happyUpstream().Build()), 
@@ -810,16 +1033,17 @@ func TestCallbackEndpoint(t *testing.T) { path: newRequestPath(). WithState( happyUpstreamStateParam(). - WithAuthorizeRequestParams(shallowCopyAndModifyQuery(happyDownstreamRequestParamsQuery, map[string]string{"scope": "profile email groups"}).Encode()). + WithAuthorizeRequestParams(shallowCopyAndModifyQuery(happyDownstreamRequestParamsQuery, + map[string]string{"scope": "profile username email groups"}).Encode()). Build(t, happyStateCodec), ).String(), csrfCookie: happyCSRFCookie, wantStatus: http.StatusSeeOther, - wantRedirectLocationRegexp: downstreamRedirectURI + `\?code=([^&]+)&scope=groups&state=` + happyDownstreamState, + wantRedirectLocationRegexp: downstreamRedirectURI + `\?code=([^&]+)&scope=username\+groups&state=` + happyDownstreamState, wantDownstreamIDTokenUsername: oidcUpstreamUsername, wantDownstreamIDTokenSubject: oidcUpstreamIssuer + "?sub=" + oidcUpstreamSubjectQueryEscaped, - wantDownstreamRequestedScopes: []string{"profile", "email", "groups"}, - wantDownstreamGrantedScopes: []string{"groups"}, + wantDownstreamRequestedScopes: []string{"profile", "email", "username", "groups"}, + wantDownstreamGrantedScopes: []string{"username", "groups"}, wantDownstreamIDTokenGroups: oidcUpstreamGroupMembership, wantDownstreamNonce: downstreamNonce, wantDownstreamClientID: downstreamPinnipedClientID, 
@@ -832,22 +1056,25 @@ func TestCallbackEndpoint(t *testing.T) { }, }, { - name: "state's downstream auth params does not contain openid or groups scope", + name: "state's downstream auth params does not contain openid, username, or groups scope", idps: oidctestutil.NewUpstreamIDPListerBuilder().WithOIDC(happyUpstream().Build()), method: http.MethodGet, path: newRequestPath(). WithState( happyUpstreamStateParam(). - WithAuthorizeRequestParams(shallowCopyAndModifyQuery(happyDownstreamRequestParamsQuery, map[string]string{"scope": "profile email"}).Encode()). + WithAuthorizeRequestParams(shallowCopyAndModifyQuery(happyDownstreamRequestParamsQuery, + map[string]string{"scope": "profile email"}).Encode()). Build(t, happyStateCodec), ).String(), - csrfCookie: happyCSRFCookie, - wantStatus: http.StatusSeeOther, - wantRedirectLocationRegexp: downstreamRedirectURI + `\?code=([^&]+)&scope=&state=` + happyDownstreamState, - wantDownstreamIDTokenUsername: oidcUpstreamUsername, - wantDownstreamIDTokenSubject: oidcUpstreamIssuer + "?sub=" + oidcUpstreamSubjectQueryEscaped, - wantDownstreamRequestedScopes: []string{"profile", "email"}, - wantDownstreamGrantedScopes: []string{}, + csrfCookie: happyCSRFCookie, + wantStatus: http.StatusSeeOther, + wantRedirectLocationRegexp: downstreamRedirectURI + `\?code=([^&]+)&scope=username\+groups&state=` + happyDownstreamState, + wantDownstreamIDTokenUsername: oidcUpstreamUsername, + wantDownstreamIDTokenGroups: oidcUpstreamGroupMembership, + wantDownstreamIDTokenSubject: oidcUpstreamIssuer + "?sub=" + oidcUpstreamSubjectQueryEscaped, + wantDownstreamRequestedScopes: []string{"profile", "email"}, + // username and groups scopes were not requested but are granted anyway for the pinniped-cli client for backwards compatibility + wantDownstreamGrantedScopes: []string{"username", "groups"}, wantDownstreamNonce: downstreamNonce, wantDownstreamClientID: downstreamPinnipedClientID, wantDownstreamPKCEChallenge: downstreamPKCEChallenge, 
@@ -865,16 +1092,17 @@ func TestCallbackEndpoint(t *testing.T) {
 path: newRequestPath().
 WithState(
 happyUpstreamStateParam().
- WithAuthorizeRequestParams(shallowCopyAndModifyQuery(happyDownstreamRequestParamsQuery, map[string]string{"scope": "openid offline_access groups"}).Encode()).
+ WithAuthorizeRequestParams(shallowCopyAndModifyQuery(happyDownstreamRequestParamsQuery,
+ map[string]string{"scope": "openid offline_access username groups"}).Encode()).
 Build(t, happyStateCodec),
 ).String(),
 csrfCookie: happyCSRFCookie,
 wantStatus: http.StatusSeeOther,
- wantRedirectLocationRegexp: downstreamRedirectURI + `\?code=([^&]+)&scope=openid\+offline_access\+groups&state=` + happyDownstreamState,
+ wantRedirectLocationRegexp: downstreamRedirectURI + `\?code=([^&]+)&scope=openid\+offline_access\+username\+groups&state=` + happyDownstreamState,
 wantDownstreamIDTokenUsername: oidcUpstreamUsername,
 wantDownstreamIDTokenSubject: oidcUpstreamIssuer + "?sub=" + oidcUpstreamSubjectQueryEscaped,
- wantDownstreamRequestedScopes: []string{"openid", "offline_access", "groups"},
- wantDownstreamGrantedScopes: []string{"openid", "offline_access", "groups"},
+ wantDownstreamRequestedScopes: []string{"openid", "offline_access", "username", "groups"},
+ wantDownstreamGrantedScopes: []string{"openid", "offline_access", "username", "groups"},
 wantDownstreamIDTokenGroups: oidcUpstreamGroupMembership,
 wantDownstreamNonce: downstreamNonce,
 wantDownstreamClientID: downstreamPinnipedClientID,
diff --git a/internal/oidc/clientregistry/clientregistry.go b/internal/oidc/clientregistry/clientregistry.go
index 90451784..e1d87abb 100644
--- a/internal/oidc/clientregistry/clientregistry.go
+++ b/internal/oidc/clientregistry/clientregistry.go
@@ -10,25 +10,19 @@ import ( "strings" "time" - "github.com/coreos/go-oidc/v3/oidc" + coreosoidc "github.com/coreos/go-oidc/v3/oidc" "github.com/ory/fosite" "k8s.io/apimachinery/pkg/api/errors" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" configv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/config/v1alpha1" + oidcapi "go.pinniped.dev/generated/latest/apis/supervisor/oidc" supervisorclient "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned/typed/config/v1alpha1" "go.pinniped.dev/internal/oidc/oidcclientvalidator" "go.pinniped.dev/internal/oidcclientsecretstorage" "go.pinniped.dev/internal/plog" ) -const ( - // PinnipedCLIClientID is the client ID of the statically defined public OIDC client which is used by the CLI. - PinnipedCLIClientID = "pinniped-cli" - - requiredOIDCClientPrefix = "client.oauth.pinniped.dev-" -) - // Client represents a Pinniped OAuth/OIDC client. It can be the static pinniped-cli client // or a dynamic client defined by an OIDCClient CR. type Client struct { @@ -43,7 +37,7 @@ var ( ) func (c *Client) GetResponseModes() []fosite.ResponseModeType { - if c.ID == PinnipedCLIClientID { + if c.ID == oidcapi.ClientIDPinnipedCLI { // The pinniped-cli client supports "" (unspecified), "query", and "form_post" response modes. return []fosite.ResponseModeType{fosite.ResponseModeDefault, fosite.ResponseModeQuery, fosite.ResponseModeFormPost} } 
@@ -78,12 +72,12 @@ func NewClientManager( // Other errors returned are plain errors, because fosite will wrap them into a new ErrInvalidClient error and // use the plain error's text as that error's debug message (see client_authentication.go in fosite). func (m *ClientManager) GetClient(ctx context.Context, id string) (fosite.Client, error) { - if id == PinnipedCLIClientID { + if id == oidcapi.ClientIDPinnipedCLI { // Return the static client. No lookups needed. return PinnipedCLI(), nil } - if !strings.HasPrefix(id, requiredOIDCClientPrefix) { + if !strings.HasPrefix(id, oidcapi.ClientIDRequiredOIDCClientPrefix) { // It shouldn't really be possible to find this OIDCClient because the OIDCClient CRD validates the name prefix // upon create, but just in case, don't even try to lookup clients which lack the required name prefix. return nil, fosite.ErrNotFound.WithDescription("no such client") @@ -143,22 +137,23 @@ func PinnipedCLI() *Client { return &Client{ DefaultOpenIDConnectClient: fosite.DefaultOpenIDConnectClient{ DefaultClient: &fosite.DefaultClient{ - ID: PinnipedCLIClientID, + ID: oidcapi.ClientIDPinnipedCLI, Secret: nil, RedirectURIs: []string{"http://127.0.0.1/callback"}, GrantTypes: fosite.Arguments{ - "authorization_code", - "refresh_token", - "urn:ietf:params:oauth:grant-type:token-exchange", + oidcapi.GrantTypeAuthorizationCode, + oidcapi.GrantTypeRefreshToken, + oidcapi.GrantTypeTokenExchange, }, ResponseTypes: []string{"code"}, Scopes: fosite.Arguments{ - oidc.ScopeOpenID, - oidc.ScopeOfflineAccess, - "profile", - "email", - "pinniped:request-audience", - "groups", + oidcapi.ScopeOpenID, + oidcapi.ScopeOfflineAccess, + oidcapi.ScopeProfile, + oidcapi.ScopeEmail, + oidcapi.ScopeRequestAudience, + oidcapi.ScopeUsername, + oidcapi.ScopeGroups, }, Audience: nil, Public: true, 
@@ -167,7 +162,7 @@ func PinnipedCLI() *Client { JSONWebKeys: nil, JSONWebKeysURI: "", RequestObjectSigningAlgorithm: "", - TokenEndpointAuthSigningAlgorithm: oidc.RS256, + TokenEndpointAuthSigningAlgorithm: coreosoidc.RS256, TokenEndpointAuthMethod: "none", }, } @@ -194,7 +189,7 @@ func oidcClientCRToFositeClient(oidcClient *configv1alpha1.OIDCClient, clientSec JSONWebKeys: nil, JSONWebKeysURI: "", RequestObjectSigningAlgorithm: "", - TokenEndpointAuthSigningAlgorithm: oidc.RS256, + TokenEndpointAuthSigningAlgorithm: coreosoidc.RS256, TokenEndpointAuthMethod: "client_secret_basic", }, } diff --git a/internal/oidc/clientregistry/clientregistry_test.go b/internal/oidc/clientregistry/clientregistry_test.go index b0b2e01e..5367d511 100644 --- a/internal/oidc/clientregistry/clientregistry_test.go +++ b/internal/oidc/clientregistry/clientregistry_test.go @@ -269,7 +269,7 @@ func requireEqualsPinnipedCLI(t *testing.T, c *Client) { require.Equal(t, []string{"http://127.0.0.1/callback"}, c.GetRedirectURIs()) require.Equal(t, fosite.Arguments{"authorization_code", "refresh_token", "urn:ietf:params:oauth:grant-type:token-exchange"}, c.GetGrantTypes()) require.Equal(t, fosite.Arguments{"code"}, c.GetResponseTypes()) - require.Equal(t, fosite.Arguments{oidc.ScopeOpenID, oidc.ScopeOfflineAccess, "profile", "email", "pinniped:request-audience", "groups"}, c.GetScopes()) + require.Equal(t, fosite.Arguments{oidc.ScopeOpenID, oidc.ScopeOfflineAccess, "profile", "email", "pinniped:request-audience", "username", "groups"}, c.GetScopes()) require.True(t, c.IsPublic()) require.Nil(t, c.GetAudience()) require.Nil(t, c.GetRequestURIs()) @@ -302,6 +302,7 @@ func requireEqualsPinnipedCLI(t *testing.T, c *Client) { "profile", "email", "pinniped:request-audience", + "username", "groups" ], "audience": null, diff --git a/internal/oidc/discovery/discovery_handler.go b/internal/oidc/discovery/discovery_handler.go index f1fb9f82..7c4b9e53 100644 --- a/internal/oidc/discovery/discovery_handler.go 
+++ b/internal/oidc/discovery/discovery_handler.go @@ -10,6 +10,7 @@ import ( "net/http" "go.pinniped.dev/generated/latest/apis/supervisor/idpdiscovery/v1alpha1" + oidcapi "go.pinniped.dev/generated/latest/apis/supervisor/oidc" "go.pinniped.dev/internal/oidc" ) @@ -68,8 +69,8 @@ func NewHandler(issuerURL string) http.Handler { IDTokenSigningAlgValuesSupported: []string{"ES256"}, TokenEndpointAuthMethodsSupported: []string{"client_secret_basic"}, CodeChallengeMethodsSupported: []string{"S256"}, - ScopesSupported: []string{"openid", "offline"}, - ClaimsSupported: []string{"groups"}, + ScopesSupported: []string{oidcapi.ScopeOpenID, oidcapi.ScopeOfflineAccess, oidcapi.ScopeRequestAudience, oidcapi.ScopeUsername, oidcapi.ScopeGroups}, + ClaimsSupported: []string{oidcapi.IDTokenClaimUsername, oidcapi.IDTokenClaimGroups}, } var b bytes.Buffer diff --git a/internal/oidc/discovery/discovery_handler_test.go b/internal/oidc/discovery/discovery_handler_test.go index f8d8303f..94592e7c 100644 --- a/internal/oidc/discovery/discovery_handler_test.go +++ b/internal/oidc/discovery/discovery_handler_test.go @@ -45,9 +45,9 @@ func TestDiscovery(t *testing.T) { "subject_types_supported": ["public"], "id_token_signing_alg_values_supported": ["ES256"], "token_endpoint_auth_methods_supported": ["client_secret_basic"], - "scopes_supported": ["openid", "offline"], + "scopes_supported": ["openid", "offline_access", "pinniped:request-audience", "username", "groups"], "code_challenge_methods_supported": ["S256"], - "claims_supported": ["groups"], + "claims_supported": ["username", "groups"], "discovery.supervisor.pinniped.dev/v1alpha1": { "pinniped_identity_providers_endpoint": "https://some-issuer.com/some/path/v1alpha1/pinniped_identity_providers" } diff --git a/internal/oidc/downstreamsession/downstream_session.go b/internal/oidc/downstreamsession/downstream_session.go index fbb0ca52..cec13d1e 100644 --- a/internal/oidc/downstreamsession/downstream_session.go 
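Review bot: ScopesSupported now hard-codes the same five scopes that AutoApproveScopes in downstream_session.go iterates over, with nothing tying the two lists together, so editing one without the other would make the discovery document and the auto-approval behavior disagree. Defining the list once, e.g. `var AutoApprovedScopes = []string{oidcapi.ScopeOpenID, oidcapi.ScopeOfflineAccess, oidcapi.ScopeRequestAudience, oidcapi.ScopeUsername, oidcapi.ScopeGroups}`, and referencing it from both places would remove the duplication. Separately, the static pinniped-cli client in clientregistry.go also allows `profile` and `email`, which are not advertised here; discovery permits leaving scopes unlisted, but a short comment saying the omission is deliberate would help the next reader.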
+++ b/internal/oidc/downstreamsession/downstream_session.go @@ -16,6 +16,7 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/utils/strings/slices" + oidcapi "go.pinniped.dev/generated/latest/apis/supervisor/oidc" "go.pinniped.dev/internal/authenticators" "go.pinniped.dev/internal/constable" "go.pinniped.dev/internal/oidc" @@ -27,7 +28,7 @@ import ( const ( // The name of the email claim from https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims - emailClaimName = "email" + emailClaimName = oidcapi.ScopeEmail // The name of the email_verified claim from https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims emailVerifiedClaimName = "email_verified" @@ -55,11 +56,12 @@ func MakeDownstreamSession(subject string, username string, groups []string, gra if groups == nil { groups = []string{} } - openIDSession.IDTokenClaims().Extra = map[string]interface{}{ - oidc.DownstreamUsernameClaim: username, + openIDSession.IDTokenClaims().Extra = map[string]interface{}{} + if slices.Contains(grantedScopes, oidcapi.ScopeUsername) { + openIDSession.IDTokenClaims().Extra[oidcapi.IDTokenClaimUsername] = username } - if slices.Contains(grantedScopes, oidc.DownstreamGroupsScope) { - openIDSession.IDTokenClaims().Extra[oidc.DownstreamGroupsClaim] = groups + if slices.Contains(grantedScopes, oidcapi.ScopeGroups) { + openIDSession.IDTokenClaims().Extra[oidcapi.IDTokenClaimGroups] = groups } return openIDSession } @@ -68,8 +70,10 @@ func MakeDownstreamLDAPOrADCustomSessionData( ldapUpstream provider.UpstreamLDAPIdentityProviderI, idpType psession.ProviderType, authenticateResponse *authenticators.Response, + username string, ) *psession.CustomSessionData { customSessionData := &psession.CustomSessionData{ + Username: username, ProviderUID: ldapUpstream.GetResourceUID(), ProviderName: ldapUpstream.GetName(), ProviderType: idpType, 
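Review bot: `emailClaimName = oidcapi.ScopeEmail` makes an ID-token claim name depend on a scope constant; the two are spelled identically today, but the comment directly above cites the StandardClaims section, i.e. this is a claim, not a scope, and `emailVerifiedClaimName` on the next line still uses a plain literal. Keeping `emailClaimName = "email"` (or a claim-name constant, if the oidcapi package provides one) keeps the claim name independent of any future change to the scope constant. In the MakeDownstreamSession hunk further down, `Extra` is now left as an empty map when neither the username nor the groups scope was granted; that looks intended, but the function's doc comment sits outside the hunk and should say that the username claim is only emitted when the username scope is granted.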
@@ -92,17 +96,22 @@ func MakeDownstreamLDAPOrADCustomSessionData( return customSessionData } -func MakeDownstreamOIDCCustomSessionData(oidcUpstream provider.UpstreamOIDCIdentityProviderI, token *oidctypes.Token) (*psession.CustomSessionData, error) { - upstreamSubject, err := ExtractStringClaimValue(oidc.IDTokenSubjectClaim, oidcUpstream.GetName(), token.IDToken.Claims) +func MakeDownstreamOIDCCustomSessionData( + oidcUpstream provider.UpstreamOIDCIdentityProviderI, + token *oidctypes.Token, + username string, +) (*psession.CustomSessionData, error) { + upstreamSubject, err := ExtractStringClaimValue(oidcapi.IDTokenClaimSubject, oidcUpstream.GetName(), token.IDToken.Claims) if err != nil { return nil, err } - upstreamIssuer, err := ExtractStringClaimValue(oidc.IDTokenIssuerClaim, oidcUpstream.GetName(), token.IDToken.Claims) + upstreamIssuer, err := ExtractStringClaimValue(oidcapi.IDTokenClaimIssuer, oidcUpstream.GetName(), token.IDToken.Claims) if err != nil { return nil, err } customSessionData := &psession.CustomSessionData{ + Username: username, ProviderUID: oidcUpstream.GetResourceUID(), ProviderName: oidcUpstream.GetName(), ProviderType: psession.ProviderTypeOIDC, 
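Review bot: MakeDownstreamOIDCCustomSessionData is exported and now takes a `username` parameter, but the new signature has no doc comment (the line preceding the removed `func` line is blank), so nothing tells a caller what value to pass or that it is persisted in `CustomSessionData.Username`. A comment such as `// MakeDownstreamOIDCCustomSessionData builds the custom session data for a login through an OIDC upstream. username is the downstream username already derived for this login; it is stored on the session data.` would cover the visible behavior. The body of the function continues outside the hunk, so how the stored username is consumed later cannot be confirmed from here.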
@@ -148,11 +157,30 @@ func MakeDownstreamOIDCCustomSessionData(oidcUpstream provider.UpstreamOIDCIdent return customSessionData, nil } -// GrantScopesIfRequested auto-grants the scopes for which we do not require end-user approval, if they were requested. -func GrantScopesIfRequested(authorizeRequester fosite.AuthorizeRequester, scopes []string) { - for _, scope := range scopes { +// AutoApproveScopes auto-grants the scopes which we support and for which we do not require end-user approval, +// if they were requested. This should only be called after it has been validated that the client is allowed to request +// the scopes that it requested (which is a check performed by fosite). +func AutoApproveScopes(authorizeRequester fosite.AuthorizeRequester) { + for _, scope := range []string{ + oidcapi.ScopeOpenID, + oidcapi.ScopeOfflineAccess, + oidcapi.ScopeRequestAudience, + oidcapi.ScopeUsername, + oidcapi.ScopeGroups, + } { oidc.GrantScopeIfRequested(authorizeRequester, scope) } + + // For backwards-compatibility with old pinniped CLI binaries which never request the username and groups scopes + // (because those scopes did not exist yet when those CLIs were released), grant/approve the username and groups + // scopes even if the CLI did not request them. Basically, pretend that the CLI requested them and auto-approve + // them. Newer versions of the CLI binaries will request these scopes, so after enough time has passed that + // we can assume the old versions of the CLI are no longer in use in the wild, then we can remove this code and + // just let the above logic handle all clients. + if authorizeRequester.GetClient().GetID() == oidcapi.ClientIDPinnipedCLI { + authorizeRequester.GrantScope(oidcapi.ScopeUsername) + authorizeRequester.GrantScope(oidcapi.ScopeGroups) + } } // GetDownstreamIdentityFromUpstreamIDToken returns the mapped subject, username, and group names, in that order. 
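Review bot: The backward-compatibility branch at the end of AutoApproveScopes calls `GrantScope` for `username` and `groups` without the "if requested" check, so its safety rests on `PinnipedCLI()` in clientregistry.go continuing to list both scopes as allowed for the static client; that invariant is not stated anywhere in the hunk. Add it to the comment, e.g. `// Both scopes are allowed for the static client (see PinnipedCLI() in clientregistry), so this never grants a scope the client could not have requested.`, so that a future edit to the static client's scope list cannot silently turn this into an over-grant. The grant also fires when the CLI did not request `openid` at all (the post_login_handler_test case expecting `scope=username\+groups` relies on it); that appears harmless if no ID token is issued without openid, but the comment should say so explicitly rather than leave it implied.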
@@ -179,11 +207,11 @@ func getSubjectAndUsernameFromUpstreamIDToken( ) (string, string, error) { // The spec says the "sub" claim is only unique per issuer, // so we will prepend the issuer string to make it globally unique. - upstreamIssuer, err := ExtractStringClaimValue(oidc.IDTokenIssuerClaim, upstreamIDPConfig.GetName(), idTokenClaims) + upstreamIssuer, err := ExtractStringClaimValue(oidcapi.IDTokenClaimIssuer, upstreamIDPConfig.GetName(), idTokenClaims) if err != nil { return "", "", err } - upstreamSubject, err := ExtractStringClaimValue(oidc.IDTokenSubjectClaim, upstreamIDPConfig.GetName(), idTokenClaims) + upstreamSubject, err := ExtractStringClaimValue(oidcapi.IDTokenClaimSubject, upstreamIDPConfig.GetName(), idTokenClaims) if err != nil { return "", "", err } @@ -266,13 +294,13 @@ func DownstreamSubjectFromUpstreamLDAP(ldapUpstream provider.UpstreamLDAPIdentit func DownstreamLDAPSubject(uid string, ldapURL url.URL) string { q := ldapURL.Query() - q.Set(oidc.IDTokenSubjectClaim, uid) + q.Set(oidcapi.IDTokenClaimSubject, uid) ldapURL.RawQuery = q.Encode() return ldapURL.String() } func downstreamSubjectFromUpstreamOIDC(upstreamIssuerAsString string, upstreamSubject string) string { - return fmt.Sprintf("%s?%s=%s", upstreamIssuerAsString, oidc.IDTokenSubjectClaim, url.QueryEscape(upstreamSubject)) + return fmt.Sprintf("%s?%s=%s", upstreamIssuerAsString, oidcapi.IDTokenClaimSubject, url.QueryEscape(upstreamSubject)) } // GetGroupsFromUpstreamIDToken returns mapped group names coerced into a slice of strings. diff --git a/internal/oidc/login/post_login_handler.go b/internal/oidc/login/post_login_handler.go index 4c214452..a9fe251a 100644 --- a/internal/oidc/login/post_login_handler.go +++ b/internal/oidc/login/post_login_handler.go @@ -7,7 +7,6 @@ import ( "net/http" "net/url" - coreosoidc "github.com/coreos/go-oidc/v3/oidc" "github.com/ory/fosite" "go.pinniped.dev/internal/httputil/httperr" 
@@ -46,10 +45,10 @@ func NewPostHandler(issuerURL string, upstreamIDPs oidc.UpstreamIdentityProvider return httperr.New(http.StatusBadRequest, "error using state downstream auth params") } - // Automatically grant the openid, offline_access, pinniped:request-audience and groups scopes, but only if they were requested. + // Automatically grant certain scopes, but only if they were requested. // This is instead of asking the user to approve these scopes. Note that `NewAuthorizeRequest` would have returned // an error if the client requested a scope that they are not allowed to request, so we don't need to worry about that here. - downstreamsession.GrantScopesIfRequested(authorizeRequester, []string{coreosoidc.ScopeOpenID, coreosoidc.ScopeOfflineAccess, oidc.RequestAudienceScope, oidc.DownstreamGroupsScope}) + downstreamsession.AutoApproveScopes(authorizeRequester) // Get the username and password form params from the POST body. username := r.PostFormValue(usernameParamName) @@ -83,7 +82,7 @@ func NewPostHandler(issuerURL string, upstreamIDPs oidc.UpstreamIdentityProvider subject := downstreamsession.DownstreamSubjectFromUpstreamLDAP(ldapUpstream, authenticateResponse) username = authenticateResponse.User.GetName() groups := authenticateResponse.User.GetGroups() - customSessionData := downstreamsession.MakeDownstreamLDAPOrADCustomSessionData(ldapUpstream, idpType, authenticateResponse) + customSessionData := downstreamsession.MakeDownstreamLDAPOrADCustomSessionData(ldapUpstream, idpType, authenticateResponse, username) openIDSession := downstreamsession.MakeDownstreamSession(subject, username, groups, authorizeRequester.GetGrantedScopes(), customSessionData) oidc.PerformAuthcodeRedirect(r, w, oauthHelper, authorizeRequester, openIDSession, false) diff --git a/internal/oidc/login/post_login_handler_test.go b/internal/oidc/login/post_login_handler_test.go index 80931ee9..72bce69a 100644 --- a/internal/oidc/login/post_login_handler_test.go 
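Review bot: The rewritten comment `// Automatically grant certain scopes, but only if they were requested.` is vaguer than the one it replaces and is no longer accurate for the pinniped-cli client, for which AutoApproveScopes (see its hunk in downstream_session.go) also grants `username` and `groups` when they were not requested. Suggest `// Automatically grant the scopes listed in downstreamsession.AutoApproveScopes if they were requested (plus username and groups for the pinniped-cli client, for backwards compatibility).` The enclosing handler starts and ends outside the hunk.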
+++ b/internal/oidc/login/post_login_handler_test.go @@ -17,10 +17,12 @@ import ( "k8s.io/apiserver/pkg/authentication/user" "k8s.io/client-go/kubernetes/fake" + configv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/config/v1alpha1" supervisorfake "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned/fake" "go.pinniped.dev/internal/authenticators" "go.pinniped.dev/internal/oidc" "go.pinniped.dev/internal/oidc/jwks" + "go.pinniped.dev/internal/oidc/oidcclientvalidator" "go.pinniped.dev/internal/psession" "go.pinniped.dev/internal/testutil" "go.pinniped.dev/internal/testutil/oidctestutil" @@ -86,8 +88,8 @@ func TestPostLoginEndpoint(t *testing.T) { } ) - happyDownstreamScopesRequested := []string{"openid", "groups"} - happyDownstreamScopesGranted := []string{"openid", "groups"} + happyDownstreamScopesRequested := []string{"openid", "username", "groups"} + happyDownstreamScopesGranted := []string{"openid", "username", "groups"} happyDownstreamRequestParamsQuery := url.Values{ "response_type": []string{"code"}, @@ -192,6 +194,7 @@ func TestPostLoginEndpoint(t *testing.T) { } expectedHappyActiveDirectoryUpstreamCustomSession := &psession.CustomSessionData{ + Username: happyLDAPUsernameFromAuthenticator, ProviderUID: activeDirectoryUpstreamResourceUID, ProviderName: activeDirectoryUpstreamName, ProviderType: psession.ProviderTypeActiveDirectory, @@ -204,6 +207,7 @@ func TestPostLoginEndpoint(t *testing.T) { } expectedHappyLDAPUpstreamCustomSession := &psession.CustomSessionData{ + Username: happyLDAPUsernameFromAuthenticator, ProviderUID: ldapUpstreamResourceUID, ProviderName: ldapUpstreamName, ProviderType: psession.ProviderTypeLDAP, 
@@ -216,7 +220,7 @@ func TestPostLoginEndpoint(t *testing.T) { } // Note that fosite puts the granted scopes as a param in the redirect URI even though the spec doesn't seem to require it - happyAuthcodeDownstreamRedirectLocationRegexp := downstreamRedirectURI + `\?code=([^&]+)&scope=openid\+groups&state=` + happyDownstreamState + happyAuthcodeDownstreamRedirectLocationRegexp := downstreamRedirectURI + `\?code=([^&]+)&scope=openid\+username\+groups&state=` + happyDownstreamState happyUsernamePasswordFormParams := url.Values{userParam: []string{happyLDAPUsername}, passParam: []string{happyLDAPPassword}} @@ -237,7 +241,8 @@ func TestPostLoginEndpoint(t *testing.T) { addFullyCapableDynamicClientAndSecretToKubeResources := func(t *testing.T, supervisorClient *supervisorfake.Clientset, kubeClient *fake.Clientset) { oidcClient, secret := testutil.FullyCapableOIDCClientAndStorageSecret(t, - "some-namespace", downstreamDynamicClientID, downstreamDynamicClientUID, downstreamRedirectURI, []string{testutil.HashedPassword1AtGoMinCost}) + "some-namespace", downstreamDynamicClientID, downstreamDynamicClientUID, downstreamRedirectURI, + []string{testutil.HashedPassword1AtGoMinCost}, oidcclientvalidator.Validate) require.NoError(t, supervisorClient.Tracker().Add(oidcClient)) require.NoError(t, kubeClient.Tracker().Add(secret)) } @@ -413,7 +418,7 @@ func TestPostLoginEndpoint(t *testing.T) { wantStatus: http.StatusSeeOther, wantContentType: htmlContentType, wantBodyString: "", - wantRedirectLocationRegexp: "http://127.0.0.1:4242/callback" + `\?code=([^&]+)&scope=openid\+groups&state=` + happyDownstreamState, + wantRedirectLocationRegexp: "http://127.0.0.1:4242/callback" + `\?code=([^&]+)&scope=openid\+username\+groups&state=` + happyDownstreamState, wantDownstreamIDTokenSubject: upstreamLDAPURL + "&sub=" + happyLDAPUID, wantDownstreamIDTokenUsername: happyLDAPUsernameFromAuthenticator, wantDownstreamIDTokenGroups: happyLDAPGroups, 
@@ -439,7 +444,7 @@ func TestPostLoginEndpoint(t *testing.T) { wantStatus: http.StatusSeeOther, wantContentType: htmlContentType, wantBodyString: "", - wantRedirectLocationRegexp: "http://127.0.0.1:4242/callback" + `\?code=([^&]+)&scope=openid\+groups&state=` + happyDownstreamState, + wantRedirectLocationRegexp: "http://127.0.0.1:4242/callback" + `\?code=([^&]+)&scope=openid\+username\+groups&state=` + happyDownstreamState, wantDownstreamIDTokenSubject: upstreamLDAPURL + "&sub=" + happyLDAPUID, wantDownstreamIDTokenUsername: happyLDAPUsernameFromAuthenticator, wantDownstreamIDTokenGroups: happyLDAPGroups, 
@@ -460,17 +465,18 @@ func TestPostLoginEndpoint(t *testing.T) { map[string]string{"scope": "openid offline_access pinniped:request-audience"}, ).Encode() }), - formParams: happyUsernamePasswordFormParams, - wantStatus: http.StatusSeeOther, - wantContentType: htmlContentType, - wantBodyString: "", - wantRedirectLocationRegexp: downstreamRedirectURI + `\?code=([^&]+)&scope=openid\+offline_access\+pinniped%3Arequest-audience&state=` + happyDownstreamState, + formParams: happyUsernamePasswordFormParams, + wantStatus: http.StatusSeeOther, + wantContentType: htmlContentType, + wantBodyString: "", + // username and groups scopes were not requested but are granted anyway for the pinniped-cli client for backwards compatibility + wantRedirectLocationRegexp: downstreamRedirectURI + `\?code=([^&]+)&scope=openid\+offline_access\+pinniped%3Arequest-audience\+username\+groups&state=` + happyDownstreamState, wantDownstreamIDTokenSubject: upstreamLDAPURL + "&sub=" + happyLDAPUID, wantDownstreamIDTokenUsername: happyLDAPUsernameFromAuthenticator, wantDownstreamIDTokenGroups: happyLDAPGroups, wantDownstreamRequestedScopes: []string{"openid", "offline_access", "pinniped:request-audience"}, wantDownstreamRedirectURI: downstreamRedirectURI, - wantDownstreamGrantedScopes: []string{"openid", "offline_access", "pinniped:request-audience"}, + wantDownstreamGrantedScopes: []string{"openid", "offline_access", "pinniped:request-audience", "username", "groups"}, wantDownstreamNonce: downstreamNonce, wantDownstreamClient: downstreamPinnipedCLIClientID, wantDownstreamPKCEChallenge: downstreamPKCEChallenge, 
@@ -478,7 +484,7 @@ func TestPostLoginEndpoint(t *testing.T) { wantDownstreamCustomSessionData: expectedHappyLDAPUpstreamCustomSession, }, { - name: "happy LDAP login when there are additional allowed downstream requested scopes with dynamic client", + name: "happy LDAP login when there are additional allowed downstream requested scopes with dynamic client, when dynamic client is allowed to request username and groups but does not request them", idps: oidctestutil.NewUpstreamIDPListerBuilder().WithLDAP(&upstreamLDAPIdentityProvider), kubeResources: addFullyCapableDynamicClientAndSecretToKubeResources, decodedState: modifyHappyLDAPDecodedState(func(data *oidc.UpstreamStateParamData) { @@ -492,8 +498,8 @@ func TestPostLoginEndpoint(t *testing.T) { wantBodyString: "", wantRedirectLocationRegexp: downstreamRedirectURI + `\?code=([^&]+)&scope=openid\+offline_access\+pinniped%3Arequest-audience&state=` + happyDownstreamState, wantDownstreamIDTokenSubject: upstreamLDAPURL + "&sub=" + happyLDAPUID, - wantDownstreamIDTokenUsername: happyLDAPUsernameFromAuthenticator, - wantDownstreamIDTokenGroups: happyLDAPGroups, + wantDownstreamIDTokenUsername: "", // username scope was not requested, so there should be no username in the ID token + wantDownstreamIDTokenGroups: []string{}, // groups scope was not requested, so there should be no groups in the ID token wantDownstreamRequestedScopes: []string{"openid", "offline_access", "pinniped:request-audience"}, wantDownstreamRedirectURI: downstreamRedirectURI, wantDownstreamGrantedScopes: []string{"openid", "offline_access", "pinniped:request-audience"}, 
@@ -503,6 +509,74 @@ func TestPostLoginEndpoint(t *testing.T) { wantDownstreamPKCEChallengeMethod: downstreamPKCEChallengeMethod, wantDownstreamCustomSessionData: expectedHappyLDAPUpstreamCustomSession, }, + { + name: "happy LDAP login when there are additional allowed downstream requested scopes with dynamic client, when dynamic client is not allowed to request username and does not request username", + idps: oidctestutil.NewUpstreamIDPListerBuilder().WithLDAP(&upstreamLDAPIdentityProvider), + kubeResources: func(t *testing.T, supervisorClient *supervisorfake.Clientset, kubeClient *fake.Clientset) { + oidcClient, secret := testutil.OIDCClientAndStorageSecret(t, + "some-namespace", downstreamDynamicClientID, downstreamDynamicClientUID, + []configv1alpha1.GrantType{"authorization_code", "refresh_token"}, // token exchange not allowed (required to exclude username scope) + []configv1alpha1.Scope{"openid", "offline_access", "groups"}, // username not allowed + downstreamRedirectURI, []string{testutil.HashedPassword1AtGoMinCost}, oidcclientvalidator.Validate) + require.NoError(t, supervisorClient.Tracker().Add(oidcClient)) + require.NoError(t, kubeClient.Tracker().Add(secret)) + }, + decodedState: modifyHappyLDAPDecodedState(func(data *oidc.UpstreamStateParamData) { + data.AuthParams = shallowCopyAndModifyQuery(happyDownstreamRequestParamsQueryForDynamicClient, + map[string]string{"scope": "openid groups offline_access"}, + ).Encode() + }), + formParams: happyUsernamePasswordFormParams, + wantStatus: http.StatusSeeOther, + wantContentType: htmlContentType, + wantBodyString: "", + wantRedirectLocationRegexp: downstreamRedirectURI + `\?code=([^&]+)&scope=openid\+offline_access\+groups&state=` + happyDownstreamState, + wantDownstreamIDTokenSubject: upstreamLDAPURL + "&sub=" + happyLDAPUID, + wantDownstreamIDTokenUsername: "", // username scope was not requested, so there should be no username in the ID token + wantDownstreamIDTokenGroups: happyLDAPGroups, + 
wantDownstreamRequestedScopes: []string{"openid", "offline_access", "groups"}, + wantDownstreamRedirectURI: downstreamRedirectURI, + wantDownstreamGrantedScopes: []string{"openid", "offline_access", "groups"}, + wantDownstreamNonce: downstreamNonce, + wantDownstreamClient: downstreamDynamicClientID, + wantDownstreamPKCEChallenge: downstreamPKCEChallenge, + wantDownstreamPKCEChallengeMethod: downstreamPKCEChallengeMethod, + wantDownstreamCustomSessionData: expectedHappyLDAPUpstreamCustomSession, + }, + { + name: "happy LDAP login when there are additional allowed downstream requested scopes with dynamic client, when dynamic client is not allowed to request groups and does not request groups", + idps: oidctestutil.NewUpstreamIDPListerBuilder().WithLDAP(&upstreamLDAPIdentityProvider), + kubeResources: func(t *testing.T, supervisorClient *supervisorfake.Clientset, kubeClient *fake.Clientset) { + oidcClient, secret := testutil.OIDCClientAndStorageSecret(t, + "some-namespace", downstreamDynamicClientID, downstreamDynamicClientUID, + []configv1alpha1.GrantType{"authorization_code", "refresh_token"}, // token exchange not allowed (required to exclude groups scope) + []configv1alpha1.Scope{"openid", "offline_access", "username"}, // groups not allowed + downstreamRedirectURI, []string{testutil.HashedPassword1AtGoMinCost}, oidcclientvalidator.Validate) + require.NoError(t, supervisorClient.Tracker().Add(oidcClient)) + require.NoError(t, kubeClient.Tracker().Add(secret)) + }, + decodedState: modifyHappyLDAPDecodedState(func(data *oidc.UpstreamStateParamData) { + data.AuthParams = shallowCopyAndModifyQuery(happyDownstreamRequestParamsQueryForDynamicClient, + map[string]string{"scope": "openid username offline_access"}, + ).Encode() + }), + formParams: happyUsernamePasswordFormParams, + wantStatus: http.StatusSeeOther, + wantContentType: htmlContentType, + wantBodyString: "", + wantRedirectLocationRegexp: downstreamRedirectURI + 
`\?code=([^&]+)&scope=openid\+offline_access\+username&state=` + happyDownstreamState, + wantDownstreamIDTokenSubject: upstreamLDAPURL + "&sub=" + happyLDAPUID, + wantDownstreamIDTokenUsername: happyLDAPUsernameFromAuthenticator, + wantDownstreamIDTokenGroups: []string{}, // groups scope was not requested, so there should be no groups in the ID token + wantDownstreamRequestedScopes: []string{"openid", "offline_access", "username"}, + wantDownstreamRedirectURI: downstreamRedirectURI, + wantDownstreamGrantedScopes: []string{"openid", "offline_access", "username"}, + wantDownstreamNonce: downstreamNonce, + wantDownstreamClient: downstreamDynamicClientID, + wantDownstreamPKCEChallenge: downstreamPKCEChallenge, + wantDownstreamPKCEChallengeMethod: downstreamPKCEChallengeMethod, + wantDownstreamCustomSessionData: expectedHappyLDAPUpstreamCustomSession, + }, { name: "happy LDAP when downstream OIDC validations are skipped because the openid scope was not requested", idps: oidctestutil.NewUpstreamIDPListerBuilder().WithLDAP(&upstreamLDAPIdentityProvider), 
@@ -515,17 +589,18 @@ func TestPostLoginEndpoint(t *testing.T) { }, ).Encode() }), - formParams: happyUsernamePasswordFormParams, - wantStatus: http.StatusSeeOther, - wantContentType: htmlContentType, - wantBodyString: "", - wantRedirectLocationRegexp: downstreamRedirectURI + `\?code=([^&]+)&scope=&state=` + happyDownstreamState, // no scopes granted + formParams: happyUsernamePasswordFormParams, + wantStatus: http.StatusSeeOther, + wantContentType: htmlContentType, + wantBodyString: "", + // username and groups scopes were not requested but are granted anyway for the pinniped-cli client for backwards compatibility + wantRedirectLocationRegexp: downstreamRedirectURI + `\?code=([^&]+)&scope=username\+groups&state=` + happyDownstreamState, wantDownstreamIDTokenSubject: upstreamLDAPURL + "&sub=" + happyLDAPUID, wantDownstreamIDTokenUsername: happyLDAPUsernameFromAuthenticator, wantDownstreamIDTokenGroups: happyLDAPGroups, wantDownstreamRequestedScopes: []string{"email"}, // only email was requested wantDownstreamRedirectURI: downstreamRedirectURI, - wantDownstreamGrantedScopes: []string{}, // no scopes granted + wantDownstreamGrantedScopes: []string{"username", "groups"}, wantDownstreamNonce: downstreamNonce, wantDownstreamClient: downstreamPinnipedCLIClientID, wantDownstreamPKCEChallenge: downstreamPKCEChallenge, @@ -533,7 +608,7 @@ func TestPostLoginEndpoint(t *testing.T) { wantDownstreamCustomSessionData: expectedHappyLDAPUpstreamCustomSession, }, { - name: "happy LDAP login when groups scope is not requested", + name: "happy LDAP login when username and groups scopes are not requested", idps: oidctestutil.NewUpstreamIDPListerBuilder(). WithLDAP(&upstreamLDAPIdentityProvider). // should pick this one WithActiveDirectory(&erroringUpstreamLDAPIdentityProvider), 
@@ -542,16 +617,18 @@ func TestPostLoginEndpoint(t *testing.T) { map[string]string{"scope": "openid"}, ).Encode() }), - formParams: happyUsernamePasswordFormParams, - wantStatus: http.StatusSeeOther, - wantContentType: htmlContentType, - wantBodyString: "", - wantRedirectLocationRegexp: downstreamRedirectURI + `\?code=([^&]+)&scope=openid&state=` + happyDownstreamState, + formParams: happyUsernamePasswordFormParams, + wantStatus: http.StatusSeeOther, + wantContentType: htmlContentType, + wantBodyString: "", + // username and groups scopes were not requested but are granted anyway for the pinniped-cli client for backwards compatibility + wantRedirectLocationRegexp: downstreamRedirectURI + `\?code=([^&]+)&scope=openid\+username\+groups&state=` + happyDownstreamState, wantDownstreamIDTokenSubject: upstreamLDAPURL + "&sub=" + happyLDAPUID, wantDownstreamIDTokenUsername: happyLDAPUsernameFromAuthenticator, + wantDownstreamIDTokenGroups: happyLDAPGroups, wantDownstreamRequestedScopes: []string{"openid"}, wantDownstreamRedirectURI: downstreamRedirectURI, - wantDownstreamGrantedScopes: []string{"openid"}, + wantDownstreamGrantedScopes: []string{"openid", "username", "groups"}, wantDownstreamNonce: downstreamNonce, wantDownstreamClient: downstreamPinnipedCLIClientID, wantDownstreamPKCEChallenge: downstreamPKCEChallenge, 
@@ -810,6 +887,46 @@ func TestPostLoginEndpoint(t *testing.T) { formParams: happyUsernamePasswordFormParams, wantErr: "error using state downstream auth params", }, + { + name: "using dynamic client which is not allowed to request username scope in authorize request but requests it anyway", + idps: oidctestutil.NewUpstreamIDPListerBuilder().WithLDAP(&upstreamLDAPIdentityProvider), + kubeResources: func(t *testing.T, supervisorClient *supervisorfake.Clientset, kubeClient *fake.Clientset) { + oidcClient, secret := testutil.OIDCClientAndStorageSecret(t, + "some-namespace", downstreamDynamicClientID, downstreamDynamicClientUID, + []configv1alpha1.GrantType{"authorization_code", "refresh_token"}, // token exchange not allowed (required to exclude username scope) + []configv1alpha1.Scope{"openid", "offline_access", "groups"}, // username not allowed + downstreamRedirectURI, []string{testutil.HashedPassword1AtGoMinCost}, oidcclientvalidator.Validate) + require.NoError(t, supervisorClient.Tracker().Add(oidcClient)) + require.NoError(t, kubeClient.Tracker().Add(secret)) + }, + decodedState: modifyHappyLDAPDecodedState(func(data *oidc.UpstreamStateParamData) { + data.AuthParams = shallowCopyAndModifyQuery(happyDownstreamRequestParamsQueryForDynamicClient, + map[string]string{"scope": "openid username offline_access"}, + ).Encode() + }), + formParams: happyUsernamePasswordFormParams, + wantErr: "error using state downstream auth params", + }, + { + name: "using dynamic client which is not allowed to request groups scope in authorize request but requests it anyway", + idps: oidctestutil.NewUpstreamIDPListerBuilder().WithLDAP(&upstreamLDAPIdentityProvider), + kubeResources: func(t *testing.T, supervisorClient *supervisorfake.Clientset, kubeClient *fake.Clientset) { + oidcClient, secret := testutil.OIDCClientAndStorageSecret(t, + "some-namespace", downstreamDynamicClientID, downstreamDynamicClientUID, + []configv1alpha1.GrantType{"authorization_code", "refresh_token"}, // token 
exchange not allowed (required to exclude groups scope) + []configv1alpha1.Scope{"openid", "offline_access", "username"}, // groups not allowed + downstreamRedirectURI, []string{testutil.HashedPassword1AtGoMinCost}, oidcclientvalidator.Validate) + require.NoError(t, supervisorClient.Tracker().Add(oidcClient)) + require.NoError(t, kubeClient.Tracker().Add(secret)) + }, + decodedState: modifyHappyLDAPDecodedState(func(data *oidc.UpstreamStateParamData) { + data.AuthParams = shallowCopyAndModifyQuery(happyDownstreamRequestParamsQueryForDynamicClient, + map[string]string{"scope": "openid groups offline_access"}, + ).Encode() + }), + formParams: happyUsernamePasswordFormParams, + wantErr: "error using state downstream auth params", + }, { name: "downstream scopes do not match what is configured for client with dynamic client", idps: oidctestutil.NewUpstreamIDPListerBuilder().WithLDAP(&upstreamLDAPIdentityProvider), diff --git a/internal/oidc/oidc.go b/internal/oidc/oidc.go index 11218e58..ad87a3ec 100644 --- a/internal/oidc/oidc.go +++ b/internal/oidc/oidc.go @@ -11,13 +11,13 @@ import ( "net/http" "time" - coreosoidc "github.com/coreos/go-oidc/v3/oidc" "github.com/felixge/httpsnoop" "github.com/ory/fosite" "github.com/ory/fosite/compose" errorsx "github.com/pkg/errors" "go.pinniped.dev/generated/latest/apis/supervisor/idpdiscovery/v1alpha1" + oidcapi "go.pinniped.dev/generated/latest/apis/supervisor/oidc" "go.pinniped.dev/internal/httputil/httperr" "go.pinniped.dev/internal/oidc/csrftoken" "go.pinniped.dev/internal/oidc/jwks" 
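Review bot: Both new cases assert only the generic `wantErr: "error using state downstream auth params"`, which any failure to decode or validate the state params would also produce, so on their own they do not demonstrate that the request was rejected specifically because `username` (or `groups`) is absent from the client's `allowedScopes`. If the handler records a more specific reason (a log line or error detail), asserting on it would make these cases meaningfully stronger; if only the generic message reaches the test, a one-line comment saying so would stop a later reader from trying to tighten it. The two cases also differ only in which scope is withheld, so a small table over the withheld scope would avoid the duplicated fixture setup. TestPostLoginEndpoint continues outside the hunk.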
@@ -40,16 +40,17 @@ const ( ) const ( - // Just in case we need to make a breaking change to the format of the upstream state param, - // we are including a format version number. This gives the opportunity for a future version of Pinniped - // to have the consumer of this format decide to reject versions that it doesn't understand. + // UpstreamStateParamFormatVersion exists just in case we need to make a breaking change to the format of the + // upstream state param, we are including a format version number. This gives the opportunity for a future version + // of Pinniped to have the consumer of this format decide to reject versions that it doesn't understand. // // Version 1 was the original version. // Version 2 added the UpstreamType field to the UpstreamStateParamData struct. UpstreamStateParamFormatVersion = "2" - // The `name` passed to the encoder for encoding the upstream state param value. This name is short - // because it will be encoded into the upstream state param value and we're trying to keep that small. + // UpstreamStateParamEncodingName is the `name` passed to the encoder for encoding the upstream state param value. + // This name is short because it will be encoded into the upstream state param value, and we're trying to keep that + // small. UpstreamStateParamEncodingName = "s" // CSRFCookieName is the name of the browser cookie which shall hold our CSRF value. 
@@ -61,29 +62,6 @@ const ( // cookie contents. CSRFCookieEncodingName = "csrf" - // The name of the issuer claim specified in the OIDC spec. - IDTokenIssuerClaim = "iss" - - // The name of the subject claim specified in the OIDC spec. - IDTokenSubjectClaim = "sub" - - // DownstreamUsernameClaim is a custom claim in the downstream ID token - // whose value is mapped from a claim in the upstream token. - // By default the value is the same as the downstream subject claim's. - DownstreamUsernameClaim = "username" - - // DownstreamGroupsClaim is what we will use to encode the groups in the downstream OIDC ID token - // information. - DownstreamGroupsClaim = "groups" - - // DownstreamGroupsScope is a custom scope that determines whether the - // groups claim will be returned in ID tokens. - DownstreamGroupsScope = "groups" - - // RequestAudienceScope is a custom scope that determines whether a RFC8693 token - // exchange is allowed to request a different audience. - RequestAudienceScope = "pinniped:request-audience" - // CSRFCookieLifespan is the length of time that the CSRF cookie is valid. After this time, the // Supervisor's authorization endpoint should give the browser a new CSRF cookie. We set it to // a week so that it is unlikely to expire during a login. @@ -229,7 +207,7 @@ func FositeOauth2Helper( EnforcePKCE: true, // "offline_access" as per https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess - RefreshTokenScopes: []string{coreosoidc.ScopeOfflineAccess}, + RefreshTokenScopes: []string{oidcapi.ScopeOfflineAccess}, // The default is to support all prompt values from the spec. // See https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest diff --git a/internal/oidc/oidcclientvalidator/oidcclientvalidator.go b/internal/oidc/oidcclientvalidator/oidcclientvalidator.go index 9a374de8..fd09894c 100644 --- a/internal/oidc/oidcclientvalidator/oidcclientvalidator.go +++ b/internal/oidc/oidcclientvalidator/oidcclientvalidator.go 
@@ -7,11 +7,11 @@ import ( "fmt" "strings" - "github.com/coreos/go-oidc/v3/oidc" "golang.org/x/crypto/bcrypt" v1 "k8s.io/api/core/v1" "go.pinniped.dev/generated/latest/apis/supervisor/config/v1alpha1" + oidcapi "go.pinniped.dev/generated/latest/apis/supervisor/oidc" "go.pinniped.dev/internal/oidcclientsecretstorage" ) @@ -27,16 +27,6 @@ const ( reasonNoClientSecretFound = "NoClientSecretFound" reasonInvalidClientSecretFound = "InvalidClientSecretFound" - authorizationCodeGrantTypeName = "authorization_code" - refreshTokenGrantTypeName = "refresh_token" - tokenExchangeGrantTypeName = "urn:ietf:params:oauth:grant-type:token-exchange" //nolint:gosec // this is not a credential - - openidScopeName = oidc.ScopeOpenID - offlineAccessScopeName = oidc.ScopeOfflineAccess - requestAudienceScopeName = "pinniped:request-audience" - usernameScopeName = "username" - groupsScopeName = "groups" - allowedGrantTypesFieldName = "allowedGrantTypes" allowedScopesFieldName = "allowedScopes" ) 
@@ -67,21 +57,21 @@ func Validate(oidcClient *v1alpha1.OIDCClient, secret *v1.Secret, minBcryptCost func validateAllowedScopes(oidcClient *v1alpha1.OIDCClient, conditions []*v1alpha1.Condition) []*v1alpha1.Condition { m := make([]string, 0, 4) - if !allowedScopesContains(oidcClient, openidScopeName) { - m = append(m, fmt.Sprintf("%q must always be included in %q", openidScopeName, allowedScopesFieldName)) + if !allowedScopesContains(oidcClient, oidcapi.ScopeOpenID) { + m = append(m, fmt.Sprintf("%q must always be included in %q", oidcapi.ScopeOpenID, allowedScopesFieldName)) } - if allowedGrantTypesContains(oidcClient, refreshTokenGrantTypeName) && !allowedScopesContains(oidcClient, offlineAccessScopeName) { + if allowedGrantTypesContains(oidcClient, oidcapi.GrantTypeRefreshToken) && !allowedScopesContains(oidcClient, oidcapi.ScopeOfflineAccess) { m = append(m, fmt.Sprintf("%q must be included in %q when %q is included in %q", - offlineAccessScopeName, allowedScopesFieldName, refreshTokenGrantTypeName, allowedGrantTypesFieldName)) + oidcapi.ScopeOfflineAccess, allowedScopesFieldName, oidcapi.GrantTypeRefreshToken, allowedGrantTypesFieldName)) } - if allowedScopesContains(oidcClient, requestAudienceScopeName) && - (!allowedScopesContains(oidcClient, usernameScopeName) || !allowedScopesContains(oidcClient, groupsScopeName)) { + if allowedScopesContains(oidcClient, oidcapi.ScopeRequestAudience) && + (!allowedScopesContains(oidcClient, oidcapi.ScopeUsername) || !allowedScopesContains(oidcClient, oidcapi.ScopeGroups)) { m = append(m, fmt.Sprintf("%q and %q must be included in %q when %q is included in %q", - usernameScopeName, groupsScopeName, allowedScopesFieldName, requestAudienceScopeName, allowedScopesFieldName)) + oidcapi.ScopeUsername, oidcapi.ScopeGroups, allowedScopesFieldName, oidcapi.ScopeRequestAudience, allowedScopesFieldName)) } - if allowedGrantTypesContains(oidcClient, tokenExchangeGrantTypeName) && !allowedScopesContains(oidcClient, 
requestAudienceScopeName) { + if allowedGrantTypesContains(oidcClient, oidcapi.GrantTypeTokenExchange) && !allowedScopesContains(oidcClient, oidcapi.ScopeRequestAudience) { m = append(m, fmt.Sprintf("%q must be included in %q when %q is included in %q", - requestAudienceScopeName, allowedScopesFieldName, tokenExchangeGrantTypeName, allowedGrantTypesFieldName)) + oidcapi.ScopeRequestAudience, allowedScopesFieldName, oidcapi.GrantTypeTokenExchange, allowedGrantTypesFieldName)) } if len(m) == 0 { 
@@ -107,17 +97,17 @@ func validateAllowedScopes(oidcClient *v1alpha1.OIDCClient, conditions []*v1alph func validateAllowedGrantTypes(oidcClient *v1alpha1.OIDCClient, conditions []*v1alpha1.Condition) []*v1alpha1.Condition { m := make([]string, 0, 3) - if !allowedGrantTypesContains(oidcClient, authorizationCodeGrantTypeName) { + if !allowedGrantTypesContains(oidcClient, oidcapi.GrantTypeAuthorizationCode) { m = append(m, fmt.Sprintf("%q must always be included in %q", - authorizationCodeGrantTypeName, allowedGrantTypesFieldName)) + oidcapi.GrantTypeAuthorizationCode, allowedGrantTypesFieldName)) } - if allowedScopesContains(oidcClient, offlineAccessScopeName) && !allowedGrantTypesContains(oidcClient, refreshTokenGrantTypeName) { + if allowedScopesContains(oidcClient, oidcapi.ScopeOfflineAccess) && !allowedGrantTypesContains(oidcClient, oidcapi.GrantTypeRefreshToken) { m = append(m, fmt.Sprintf("%q must be included in %q when %q is included in %q", - refreshTokenGrantTypeName, allowedGrantTypesFieldName, offlineAccessScopeName, allowedScopesFieldName)) + oidcapi.GrantTypeRefreshToken, allowedGrantTypesFieldName, oidcapi.ScopeOfflineAccess, allowedScopesFieldName)) } - if allowedScopesContains(oidcClient, requestAudienceScopeName) && !allowedGrantTypesContains(oidcClient, tokenExchangeGrantTypeName) { + if allowedScopesContains(oidcClient, oidcapi.ScopeRequestAudience) && !allowedGrantTypesContains(oidcClient, oidcapi.GrantTypeTokenExchange) { m = append(m, fmt.Sprintf("%q must be included in %q when %q is included in %q", - tokenExchangeGrantTypeName, allowedGrantTypesFieldName, requestAudienceScopeName, allowedScopesFieldName)) + oidcapi.GrantTypeTokenExchange, allowedGrantTypesFieldName, oidcapi.ScopeRequestAudience, allowedScopesFieldName)) } if len(m) == 0 { diff --git a/internal/oidc/provider/manager/manager_test.go b/internal/oidc/provider/manager/manager_test.go index 272387e9..919f139c 100644 --- a/internal/oidc/provider/manager/manager_test.go 
+++ b/internal/oidc/provider/manager/manager_test.go @@ -171,7 +171,7 @@ func TestManager(t *testing.T) { r.NoError(err) actualLocationQueryParams := parsedLocation.Query() r.Contains(actualLocationQueryParams, "code") - r.Equal("openid", actualLocationQueryParams.Get("scope")) + r.Equal("openid username groups", actualLocationQueryParams.Get("scope")) r.Equal("some-state-value-with-enough-bytes-to-exceed-min-allowed", actualLocationQueryParams.Get("state")) // Make sure that we wired up the callback endpoint to use kube storage for fosite sessions. @@ -343,7 +343,7 @@ func TestManager(t *testing.T) { authRequestParams := "?" + url.Values{ "response_type": []string{"code"}, - "scope": []string{"openid profile email"}, + "scope": []string{"openid profile email username groups"}, "client_id": []string{downstreamClientID}, "state": []string{"some-state-value-with-enough-bytes-to-exceed-min-allowed"}, "nonce": []string{"some-nonce-value-with-enough-bytes-to-exceed-min-allowed"}, diff --git a/internal/oidc/token/token_handler.go b/internal/oidc/token/token_handler.go index c0044fc5..ebd7307d 100644 --- a/internal/oidc/token/token_handler.go +++ b/internal/oidc/token/token_handler.go @@ -17,6 +17,7 @@ import ( "k8s.io/apiserver/pkg/warning" "k8s.io/utils/strings/slices" + oidcapi "go.pinniped.dev/generated/latest/apis/supervisor/oidc" "go.pinniped.dev/internal/httputil/httperr" "go.pinniped.dev/internal/oidc" "go.pinniped.dev/internal/oidc/downstreamsession" 
@@ -39,7 +40,7 @@ func NewHandler( } // Check if we are performing a refresh grant. - if accessRequest.GetGrantTypes().ExactOne("refresh_token") { + if accessRequest.GetGrantTypes().ExactOne(oidcapi.GrantTypeRefreshToken) { // The above call to NewAccessRequest has loaded the session from storage into the accessRequest variable. // The session, requested scopes, and requested audience from the original authorize request was retrieved // from the Kube storage layer and added to the accessRequest. Additionally, the audience and scopes may @@ -54,7 +55,7 @@ func NewHandler( // When we are in the authorization code flow, check if we have any warnings that previous handlers want us // to send to the client to be printed on the CLI. - if accessRequest.GetGrantTypes().ExactOne("authorization_code") { + if accessRequest.GetGrantTypes().ExactOne(oidcapi.GrantTypeAuthorizationCode) { storedSession := accessRequest.GetSession().(*psession.PinnipedSession) customSessionData := storedSession.Custom if customSessionData != nil { 
@@ -108,20 +109,27 @@ func upstreamRefresh(ctx context.Context, accessRequest fosite.AccessRequester, } grantedScopes := accessRequest.GetGrantedScopes() + clientID := accessRequest.GetClient().GetID() switch customSessionData.ProviderType { case psession.ProviderTypeOIDC: - return upstreamOIDCRefresh(ctx, session, providerCache, grantedScopes) + return upstreamOIDCRefresh(ctx, session, providerCache, grantedScopes, clientID) case psession.ProviderTypeLDAP: - return upstreamLDAPRefresh(ctx, providerCache, session, grantedScopes) + return upstreamLDAPRefresh(ctx, providerCache, session, grantedScopes, clientID) case psession.ProviderTypeActiveDirectory: - return upstreamLDAPRefresh(ctx, providerCache, session, grantedScopes) + return upstreamLDAPRefresh(ctx, providerCache, session, grantedScopes, clientID) default: return errorsx.WithStack(errMissingUpstreamSessionInternalError()) } } -func upstreamOIDCRefresh(ctx context.Context, session *psession.PinnipedSession, providerCache oidc.UpstreamIdentityProvidersLister, grantedScopes []string) error { +func upstreamOIDCRefresh( + ctx context.Context, + session *psession.PinnipedSession, + providerCache oidc.UpstreamIdentityProvidersLister, + grantedScopes []string, + clientID string, +) error { s := session.Custom if s.OIDC == nil { return errorsx.WithStack(errMissingUpstreamSessionInternalError()) @@ -180,7 +188,7 @@ func upstreamOIDCRefresh(ctx context.Context, session *psession.PinnipedSession, return err } - groupsScope := slices.Contains(grantedScopes, oidc.DownstreamGroupsScope) + groupsScope := slices.Contains(grantedScopes, oidcapi.ScopeGroups) if groupsScope { //nolint:nestif // If possible, update the user's group memberships. The configured groups claim name (if there is one) may or // may not be included in the newly fetched and merged claims. It could be missing due to a misconfiguration of the 
@@ -204,8 +212,8 @@ func upstreamOIDCRefresh(ctx context.Context, session *psession.PinnipedSession, if err != nil { return err } - warnIfGroupsChanged(ctx, oldGroups, refreshedGroups, username) - session.Fosite.Claims.Extra[oidc.DownstreamGroupsClaim] = refreshedGroups + warnIfGroupsChanged(ctx, oldGroups, refreshedGroups, username, clientID) + session.Fosite.Claims.Extra[oidcapi.IDTokenClaimGroups] = refreshedGroups } } @@ -240,7 +248,7 @@ func validateIdentityUnchangedSinceInitialLogin(mergedClaims map[string]interfac return nil } - newSub, hasSub := getString(mergedClaims, oidc.IDTokenSubjectClaim) + newSub, hasSub := getString(mergedClaims, oidcapi.IDTokenClaimSubject) if !hasSub { return errUpstreamRefreshError().WithHintf( "Upstream refresh failed.").WithTrace(errors.New("subject in upstream refresh not found")). @@ -253,7 +261,10 @@ func validateIdentityUnchangedSinceInitialLogin(mergedClaims map[string]interfac } newUsername, hasUsername := getString(mergedClaims, usernameClaimName) - oldUsername := session.Fosite.Claims.Extra[oidc.DownstreamUsernameClaim] + oldUsername, err := getDownstreamUsernameFromPinnipedSession(session) + if err != nil { + return err + } // It's possible that a username wasn't returned by the upstream provider during refresh, // but if it is, verify that it hasn't changed. if hasUsername && oldUsername != newUsername { @@ -262,7 +273,7 @@ func validateIdentityUnchangedSinceInitialLogin(mergedClaims map[string]interfac WithDebugf("provider name: %q, provider type: %q", s.ProviderName, s.ProviderType) } - newIssuer, hasIssuer := getString(mergedClaims, oidc.IDTokenIssuerClaim) + newIssuer, hasIssuer := getString(mergedClaims, oidcapi.IDTokenClaimIssuer) // It's possible that an issuer wasn't returned by the upstream provider during refresh, // but if it is, verify that it hasn't changed. if hasIssuer && s.OIDC.UpstreamIssuer != newIssuer { 
@@ -297,14 +308,20 @@ func findOIDCProviderByNameAndValidateUID( WithDebugf("provider name: %q, provider type: %q", s.ProviderName, s.ProviderType)) } -func upstreamLDAPRefresh(ctx context.Context, providerCache oidc.UpstreamIdentityProvidersLister, session *psession.PinnipedSession, grantedScopes []string) error { +func upstreamLDAPRefresh( + ctx context.Context, + providerCache oidc.UpstreamIdentityProvidersLister, + session *psession.PinnipedSession, + grantedScopes []string, + clientID string, +) error { username, err := getDownstreamUsernameFromPinnipedSession(session) if err != nil { return err } subject := session.Fosite.Claims.Subject var oldGroups []string - if slices.Contains(grantedScopes, oidc.DownstreamGroupsScope) { + if slices.Contains(grantedScopes, oidcapi.ScopeGroups) { oldGroups, err = getDownstreamGroupsFromPinnipedSession(session) if err != nil { return err @@ -349,12 +366,11 @@ func upstreamLDAPRefresh(ctx context.Context, providerCache oidc.UpstreamIdentit "Upstream refresh failed.").WithTrace(err). WithDebugf("provider name: %q, provider type: %q", s.ProviderName, s.ProviderType) } - groupsScope := slices.Contains(grantedScopes, oidc.DownstreamGroupsScope) + groupsScope := slices.Contains(grantedScopes, oidcapi.ScopeGroups) if groupsScope { + warnIfGroupsChanged(ctx, oldGroups, groups, username, clientID) // Replace the old value with the new value. - session.Fosite.Claims.Extra[oidc.DownstreamGroupsClaim] = groups - - warnIfGroupsChanged(ctx, oldGroups, groups, username) + session.Fosite.Claims.Extra[oidcapi.IDTokenClaimGroups] = groups } return nil 
@@ -391,16 +407,8 @@ func findLDAPProviderByNameAndValidateUID( } func getDownstreamUsernameFromPinnipedSession(session *psession.PinnipedSession) (string, error) { - extra := session.Fosite.Claims.Extra - if extra == nil { - return "", errorsx.WithStack(errMissingUpstreamSessionInternalError()) - } - downstreamUsernameInterface := extra[oidc.DownstreamUsernameClaim] - if downstreamUsernameInterface == nil { - return "", errorsx.WithStack(errMissingUpstreamSessionInternalError()) - } - downstreamUsername, ok := downstreamUsernameInterface.(string) - if !ok || len(downstreamUsername) == 0 { + downstreamUsername := session.Custom.Username + if len(downstreamUsername) == 0 { return "", errorsx.WithStack(errMissingUpstreamSessionInternalError()) } return downstreamUsername, nil @@ -411,7 +419,7 @@ func getDownstreamGroupsFromPinnipedSession(session *psession.PinnipedSession) ( if extra == nil { return nil, errorsx.WithStack(errMissingUpstreamSessionInternalError()) } - downstreamGroupsInterface := extra[oidc.DownstreamGroupsClaim] + downstreamGroupsInterface := extra[oidcapi.IDTokenClaimGroups] if downstreamGroupsInterface == nil { return nil, errorsx.WithStack(errMissingUpstreamSessionInternalError()) } 
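Review bot: getDownstreamUsernameFromPinnipedSession now dereferences `session.Custom` without a nil check, whereas the code it replaces guarded `Extra` for nil; `Custom` is a pointer that can be nil, as the `if customSessionData != nil` test in NewHandler earlier in this file shows. The callers visible here reach the helper only after other uses of `session.Custom`, so this is probably defensive rather than a live panic, but a one-line guard keeps the helper safe on its own: `if session.Custom == nil || len(session.Custom.Username) == 0 { return "", errorsx.WithStack(errMissingUpstreamSessionInternalError()) }`. Reading the username from the custom session data rather than the `username` ID-token claim is presumably what makes refresh work for a dynamic client that was never granted the username scope; a short comment stating that intent would help the next reader.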
@@ -431,8 +439,17 @@ func getDownstreamGroupsFromPinnipedSession(session *psession.PinnipedSession) ( return downstreamGroups, nil } -func warnIfGroupsChanged(ctx context.Context, oldGroups, newGroups []string, username string) { +func warnIfGroupsChanged(ctx context.Context, oldGroups, newGroups []string, username string, clientID string) { + if clientID != oidcapi.ClientIDPinnipedCLI { + // Only send these warnings to the CLI client. They are intended for kubectl to print to the screen. + // A webapp using a dynamic client wouldn't know to look for these special warning headers, and + // if the dynamic client lacked the username scope, then these warning messages would be leaking + // the user's username to the client within the text of the warning. + return + } + added, removed := diffSortedGroups(oldGroups, newGroups) + if len(added) > 0 { warning.AddWarning(ctx, "", fmt.Sprintf("User %q has been added to the following groups: %q", username, added)) } diff --git a/internal/oidc/token/token_handler_test.go b/internal/oidc/token/token_handler_test.go index b22e8ad4..efecad95 100644 --- a/internal/oidc/token/token_handler_test.go +++ b/internal/oidc/token/token_handler_test.go @@ -36,6 +36,7 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/labels" "k8s.io/apimachinery/pkg/types" + "k8s.io/apiserver/pkg/warning" "k8s.io/client-go/kubernetes/fake" v1 "k8s.io/client-go/kubernetes/typed/core/v1" @@ -52,6 +53,7 @@ import ( "go.pinniped.dev/internal/httputil/httperr" "go.pinniped.dev/internal/oidc" "go.pinniped.dev/internal/oidc/jwks" + "go.pinniped.dev/internal/oidc/oidcclientvalidator" "go.pinniped.dev/internal/oidc/provider" "go.pinniped.dev/internal/oidcclientsecretstorage" "go.pinniped.dev/internal/psession" 
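Review bot: warnIfGroupsChanged has no doc comment, and with the new early return its behaviour now depends on `clientID` in a way the signature does not convey; suggest `// warnIfGroupsChanged adds Warning headers describing group membership changes. It is a no-op for any client other than pinniped-cli, so the username in the message is never sent to a dynamic client.` The guard against `oidcapi.ClientIDPinnipedCLI` sits before any warning text is built, which is the right place, and it needs to stay ahead of the diffSortedGroups call if this function is edited later. The test file in this commit gains a `wantWarnings` field, so presumably the no-warnings case for a dynamic client is covered; that case is not visible in this chunk.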
@@ -236,7 +238,7 @@ var ( happyAuthRequest = &http.Request{ Form: url.Values{ "response_type": {"code"}, - "scope": {"openid profile email groups"}, + "scope": {"openid profile email username groups"}, "client_id": {pinnipedCLIClientID}, "state": {"some-state-value-with-enough-bytes-to-exceed-min-allowed"}, "nonce": {goodNonce}, @@ -277,10 +279,12 @@ type tokenEndpointResponseExpectedValues struct { wantClientID string wantRequestedScopes []string wantGrantedScopes []string + wantUsername string wantGroups []string wantUpstreamRefreshCall *expectedUpstreamRefresh wantUpstreamOIDCValidateTokenCall *expectedUpstreamValidateTokens wantCustomSessionDataStored *psession.CustomSessionData + wantWarnings []RecordedWarning } type authcodeExchangeInputs struct { @@ -303,6 +307,7 @@ func addFullyCapableDynamicClientAndSecretToKubeResources(t *testing.T, supervis dynamicClientUID, goodRedirectURI, []string{testutil.HashedPassword1AtGoMinCost, testutil.HashedPassword2AtGoMinCost}, + oidcclientvalidator.Validate, ) require.NoError(t, supervisorClient.Tracker().Add(oidcClient)) require.NoError(t, kubeClient.Tracker().Add(secret)) 
@@ -327,13 +332,14 @@ func TestTokenEndpointAuthcodeExchange(t *testing.T) { { name: "request is valid and tokens are issued", authcodeExchange: authcodeExchangeInputs{ - modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid profile email groups") }, + modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid profile email username groups") }, want: tokenEndpointResponseExpectedValues{ wantStatus: http.StatusOK, wantClientID: pinnipedCLIClientID, wantSuccessBodyFields: []string{"id_token", "access_token", "token_type", "scope", "expires_in"}, // no refresh token - wantRequestedScopes: []string{"openid", "profile", "email", "groups"}, - wantGrantedScopes: []string{"openid", "groups"}, + wantRequestedScopes: []string{"openid", "profile", "email", "username", "groups"}, + wantGrantedScopes: []string{"openid", "username", "groups"}, + wantUsername: goodUsername, wantGroups: goodGroups, }, }, @@ -344,15 +350,16 @@ func TestTokenEndpointAuthcodeExchange(t *testing.T) { authcodeExchange: authcodeExchangeInputs{ modifyAuthRequest: func(r *http.Request) { addDynamicClientIDToFormPostBody(r) - r.Form.Set("scope", "openid pinniped:request-audience groups") + r.Form.Set("scope", "openid pinniped:request-audience username groups") }, modifyTokenRequest: modifyAuthcodeTokenRequestWithDynamicClientAuth, want: tokenEndpointResponseExpectedValues{ wantStatus: http.StatusOK, wantClientID: dynamicClientID, wantSuccessBodyFields: []string{"id_token", "access_token", "token_type", "scope", "expires_in"}, // no refresh token - wantRequestedScopes: []string{"openid", "pinniped:request-audience", "groups"}, - wantGrantedScopes: []string{"openid", "pinniped:request-audience", "groups"}, + wantRequestedScopes: []string{"openid", "pinniped:request-audience", "username", "groups"}, + wantGrantedScopes: []string{"openid", "pinniped:request-audience", "username", "groups"}, + wantUsername: goodUsername, wantGroups: goodGroups, }, }, 
@@ -366,8 +373,9 @@ func TestTokenEndpointAuthcodeExchange(t *testing.T) { wantClientID: pinnipedCLIClientID, wantSuccessBodyFields: []string{"access_token", "token_type", "scope", "expires_in"}, // no id or refresh tokens wantRequestedScopes: []string{"profile", "email"}, - wantGrantedScopes: []string{}, - wantGroups: nil, + wantGrantedScopes: []string{"username", "groups"}, // username and groups were not requested, but granted anyway for backwards compatibility + wantUsername: goodUsername, + wantGroups: goodGroups, }, }, }, @@ -377,21 +385,22 @@ func TestTokenEndpointAuthcodeExchange(t *testing.T) { authcodeExchange: authcodeExchangeInputs{ modifyAuthRequest: func(r *http.Request) { addDynamicClientIDToFormPostBody(r) - r.Form.Set("scope", "pinniped:request-audience groups") + r.Form.Set("scope", "pinniped:request-audience username groups") }, modifyTokenRequest: modifyAuthcodeTokenRequestWithDynamicClientAuth, want: tokenEndpointResponseExpectedValues{ wantStatus: http.StatusOK, wantClientID: dynamicClientID, wantSuccessBodyFields: []string{"access_token", "token_type", "scope", "expires_in"}, // no id or refresh tokens - wantRequestedScopes: []string{"pinniped:request-audience", "groups"}, - wantGrantedScopes: []string{"pinniped:request-audience", "groups"}, - wantGroups: nil, + wantRequestedScopes: []string{"pinniped:request-audience", "username", "groups"}, + wantGrantedScopes: []string{"pinniped:request-audience", "username", "groups"}, + wantUsername: goodUsername, + wantGroups: goodGroups, }, }, }, { - name: "offline_access and openid scopes were requested and granted from authorize endpoint (no groups)", + name: "offline_access and openid scopes were requested and granted from authorize endpoint (no username or groups requested)", authcodeExchange: authcodeExchangeInputs{ modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access") }, want: tokenEndpointResponseExpectedValues{ 
@@ -399,30 +408,52 @@ func TestTokenEndpointAuthcodeExchange(t *testing.T) { wantClientID: pinnipedCLIClientID, wantSuccessBodyFields: []string{"id_token", "access_token", "token_type", "scope", "expires_in", "refresh_token"}, // all possible tokens wantRequestedScopes: []string{"openid", "offline_access"}, - wantGrantedScopes: []string{"openid", "offline_access"}, - wantGroups: nil, + wantGrantedScopes: []string{"openid", "offline_access", "username", "groups"}, // username and groups were not requested, but granted anyway for backwards compatibility + wantUsername: goodUsername, + wantGroups: goodGroups, }, }, }, { - name: "offline_access and openid scopes were requested and granted from authorize endpoint for dynamic client (no groups)", + name: "openid, offline_access, and username scopes (no groups) were requested and granted from authorize endpoint for dynamic client", kubeResources: addFullyCapableDynamicClientAndSecretToKubeResources, authcodeExchange: authcodeExchangeInputs{ modifyAuthRequest: func(r *http.Request) { addDynamicClientIDToFormPostBody(r) - r.Form.Set("scope", "openid offline_access") + r.Form.Set("scope", "openid offline_access username") }, modifyTokenRequest: modifyAuthcodeTokenRequestWithDynamicClientAuth, want: tokenEndpointResponseExpectedValues{ wantStatus: http.StatusOK, wantClientID: dynamicClientID, wantSuccessBodyFields: []string{"id_token", "access_token", "token_type", "scope", "expires_in", "refresh_token"}, // all possible tokens - wantRequestedScopes: []string{"openid", "offline_access"}, - wantGrantedScopes: []string{"openid", "offline_access"}, + wantRequestedScopes: []string{"openid", "offline_access", "username"}, + wantGrantedScopes: []string{"openid", "offline_access", "username"}, + wantUsername: goodUsername, wantGroups: nil, }, }, }, + { + name: "openid, offline_access, and groups scopes (no username) were requested and granted from authorize endpoint for dynamic client", + kubeResources: 
addFullyCapableDynamicClientAndSecretToKubeResources, + authcodeExchange: authcodeExchangeInputs{ + modifyAuthRequest: func(r *http.Request) { + addDynamicClientIDToFormPostBody(r) + r.Form.Set("scope", "openid offline_access groups") + }, + modifyTokenRequest: modifyAuthcodeTokenRequestWithDynamicClientAuth, + want: tokenEndpointResponseExpectedValues{ + wantStatus: http.StatusOK, + wantClientID: dynamicClientID, + wantSuccessBodyFields: []string{"id_token", "access_token", "token_type", "scope", "expires_in", "refresh_token"}, // all possible tokens + wantRequestedScopes: []string{"openid", "offline_access", "groups"}, + wantGrantedScopes: []string{"openid", "offline_access", "groups"}, + wantUsername: "", + wantGroups: goodGroups, + }, + }, + }, { name: "offline_access (without openid scope) was requested and granted from authorize endpoint", authcodeExchange: authcodeExchangeInputs{ @@ -432,13 +463,14 @@ func TestTokenEndpointAuthcodeExchange(t *testing.T) { wantClientID: pinnipedCLIClientID, wantSuccessBodyFields: []string{"access_token", "token_type", "scope", "expires_in", "refresh_token"}, // no id token wantRequestedScopes: []string{"offline_access"}, - wantGrantedScopes: []string{"offline_access"}, - wantGroups: nil, + wantGrantedScopes: []string{"offline_access", "username", "groups"}, // username and groups were not requested, but granted anyway for backwards compatibility + wantUsername: goodUsername, + wantGroups: goodGroups, }, }, }, { - name: "offline_access (without openid scope) was requested and granted from authorize endpoint for dynamic client", + name: "offline_access (without openid, username, groups scopes) was requested and granted from authorize endpoint for dynamic client", kubeResources: addFullyCapableDynamicClientAndSecretToKubeResources, authcodeExchange: authcodeExchangeInputs{ modifyAuthRequest: func(r *http.Request) { 
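Review bot: The new `wantUsername` field uses the empty string both for "not set" and for "the username claim must be absent", as in `wantUsername: ""` in the groups-only dynamic-client case here; whether the checker asserts absence on an empty value or skips the check is outside this chunk. If it skips, the case intended to show that a client without the username scope does not receive the username is not actually verified. Either assert absence explicitly when the string is empty, or make the intent unambiguous with a separate flag such as `wantUsernameClaimAbsent bool`; the same applies to the `wantUsername: ""` case in the following hunk. TestTokenEndpointAuthcodeExchange continues outside the hunk.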
@@ -452,20 +484,22 @@ func TestTokenEndpointAuthcodeExchange(t *testing.T) { wantSuccessBodyFields: []string{"access_token", "token_type", "scope", "expires_in", "refresh_token"}, // no id token wantRequestedScopes: []string{"offline_access"}, wantGrantedScopes: []string{"offline_access"}, + wantUsername: "", wantGroups: nil, }, }, }, { - name: "groups scope is requested", + name: "username and groups scopes are requested", authcodeExchange: authcodeExchangeInputs{ - modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid profile email groups") }, + modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid profile email username groups") }, want: tokenEndpointResponseExpectedValues{ wantStatus: http.StatusOK, wantClientID: pinnipedCLIClientID, wantSuccessBodyFields: []string{"id_token", "access_token", "token_type", "scope", "expires_in"}, // no refresh token - wantRequestedScopes: []string{"openid", "profile", "email", "groups"}, - wantGrantedScopes: []string{"openid", "groups"}, + wantRequestedScopes: []string{"openid", "profile", "email", "username", "groups"}, + wantGrantedScopes: []string{"openid", "username", "groups"}, + wantUsername: goodUsername, wantGroups: goodGroups, }, }, 
@@ -783,13 +817,14 @@ func TestTokenEndpointWhenAuthcodeIsUsedTwice(t *testing.T) { { name: "authcode exchange succeeds once and then fails when the same authcode is used again", authcodeExchange: authcodeExchangeInputs{ - modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access profile email groups") }, + modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access profile email username groups") }, want: tokenEndpointResponseExpectedValues{ wantStatus: http.StatusOK, wantClientID: pinnipedCLIClientID, wantSuccessBodyFields: []string{"id_token", "refresh_token", "access_token", "token_type", "expires_in", "scope"}, - wantRequestedScopes: []string{"openid", "offline_access", "profile", "email", "groups"}, - wantGrantedScopes: []string{"openid", "offline_access", "groups"}, + wantRequestedScopes: []string{"openid", "offline_access", "profile", "email", "username", "groups"}, + wantGrantedScopes: []string{"openid", "offline_access", "username", "groups"}, + wantUsername: goodUsername, wantGroups: goodGroups, }, }, 
@@ -832,9 +867,10 @@ func TestTokenEndpointWhenAuthcodeIsUsedTwice(t *testing.T) { // Note that customSessionData is only relevant to refresh grant, so we leave it as nil for this // authcode exchange test, even though in practice it would actually be in the session. requireValidOIDCStorage(t, parsedResponseBody, authCode, oauthStore, - test.authcodeExchange.want.wantClientID, test.authcodeExchange.want.wantRequestedScopes, - test.authcodeExchange.want.wantGrantedScopes, test.authcodeExchange.want.wantGroups, nil, - approxRequestTime) + test.authcodeExchange.want.wantClientID, + test.authcodeExchange.want.wantRequestedScopes, test.authcodeExchange.want.wantGrantedScopes, + test.authcodeExchange.want.wantUsername, test.authcodeExchange.want.wantGroups, + nil, approxRequestTime) // Check that the access token and refresh token storage were both deleted, and the number of other storage objects did not change. testutil.RequireNumberOfSecretsMatchingLabelSelector(t, secrets, labels.Set{crud.SecretLabelKey: authorizationcode.TypeLabelValue}, 1) @@ -853,8 +889,9 @@ func TestTokenEndpointTokenExchange(t *testing.T) { // tests for grant_type "urn wantStatus: http.StatusOK, wantClientID: pinnipedCLIClientID, wantSuccessBodyFields: []string{"id_token", "access_token", "token_type", "expires_in", "scope"}, - wantRequestedScopes: []string{"openid", "pinniped:request-audience", "groups"}, - wantGrantedScopes: []string{"openid", "pinniped:request-audience", "groups"}, + wantRequestedScopes: []string{"openid", "pinniped:request-audience", "username", "groups"}, + wantGrantedScopes: []string{"openid", "pinniped:request-audience", "username", "groups"}, + wantUsername: goodUsername, wantGroups: goodGroups, } 
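Review bot: The reworked `requireValidOIDCStorage` call now passes seven positional arguments, and three of them (`wantRequestedScopes`, `wantGrantedScopes`, `wantGroups`) are `[]string` while two (`wantClientID`, `wantUsername`) are `string`, so a swapped pair would still compile and could pass whenever the fixture values happen to coincide. Consider passing `test.authcodeExchange.want` itself (or a small options struct) so the helper reads each expectation by field name; the helper's signature is outside this hunk, so this presumes it is a local test helper that can be changed. The enclosing test function also continues outside the hunk.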
@@ -862,14 +899,15 @@ func TestTokenEndpointTokenExchange(t *testing.T) { // tests for grant_type "urn wantStatus: http.StatusOK, wantClientID: dynamicClientID, wantSuccessBodyFields: []string{"id_token", "access_token", "token_type", "expires_in", "scope"}, - wantRequestedScopes: []string{"openid", "pinniped:request-audience", "groups"}, - wantGrantedScopes: []string{"openid", "pinniped:request-audience", "groups"}, + wantRequestedScopes: []string{"openid", "pinniped:request-audience", "username", "groups"}, + wantGrantedScopes: []string{"openid", "pinniped:request-audience", "username", "groups"}, + wantUsername: goodUsername, wantGroups: goodGroups, } doValidAuthCodeExchange := authcodeExchangeInputs{ modifyAuthRequest: func(authRequest *http.Request) { - authRequest.Form.Set("scope", "openid pinniped:request-audience groups") + authRequest.Form.Set("scope", "openid pinniped:request-audience username groups") }, want: successfulAuthCodeExchange, } @@ -877,7 +915,7 @@ func TestTokenEndpointTokenExchange(t *testing.T) { // tests for grant_type "urn doValidAuthCodeExchangeUsingDynamicClient := authcodeExchangeInputs{ modifyAuthRequest: func(authRequest *http.Request) { addDynamicClientIDToFormPostBody(authRequest) - authRequest.Form.Set("scope", "openid pinniped:request-audience groups") + authRequest.Form.Set("scope", "openid pinniped:request-audience username groups") }, modifyTokenRequest: modifyAuthcodeTokenRequestWithDynamicClientAuth, want: successfulAuthCodeExchangeUsingDynamicClient, 
@@ -902,6 +940,25 @@ func TestTokenEndpointTokenExchange(t *testing.T) { // tests for grant_type "urn requestedAudience: "some-workload-cluster", wantStatus: http.StatusOK, }, + { + name: "happy path without requesting username and groups scopes", + authcodeExchange: authcodeExchangeInputs{ + modifyAuthRequest: func(authRequest *http.Request) { + authRequest.Form.Set("scope", "openid pinniped:request-audience") + }, + want: tokenEndpointResponseExpectedValues{ + wantStatus: http.StatusOK, + wantClientID: pinnipedCLIClientID, + wantSuccessBodyFields: []string{"access_token", "token_type", "expires_in", "scope", "id_token"}, + wantRequestedScopes: []string{"openid", "pinniped:request-audience"}, + wantGrantedScopes: []string{"openid", "pinniped:request-audience", "username", "groups"}, // username and groups were not requested, but granted anyway for backwards compatibility + wantUsername: goodUsername, + wantGroups: goodGroups, + }, + }, + requestedAudience: "some-workload-cluster", + wantStatus: http.StatusOK, + }, { name: "happy path with dynamic client", kubeResources: addFullyCapableDynamicClientAndSecretToKubeResources, 
@@ -915,6 +972,34 @@ func TestTokenEndpointTokenExchange(t *testing.T) { // tests for grant_type "urn requestedAudience: "some-workload-cluster", wantStatus: http.StatusOK, }, + { + name: "happy path with dynamic client without requesting groups, so gets no groups in ID tokens", + kubeResources: addFullyCapableDynamicClientAndSecretToKubeResources, + authcodeExchange: authcodeExchangeInputs{ + modifyAuthRequest: func(authRequest *http.Request) { + addDynamicClientIDToFormPostBody(authRequest) + authRequest.Form.Set("scope", "openid pinniped:request-audience username") // don't request groups scope + }, + modifyTokenRequest: modifyAuthcodeTokenRequestWithDynamicClientAuth, + want: tokenEndpointResponseExpectedValues{ + wantStatus: http.StatusOK, + wantClientID: dynamicClientID, + wantSuccessBodyFields: []string{"id_token", "access_token", "token_type", "expires_in", "scope"}, + wantRequestedScopes: []string{"openid", "pinniped:request-audience", "username"}, // don't want groups scope + wantGrantedScopes: []string{"openid", "pinniped:request-audience", "username"}, // don't want groups scope + wantUsername: goodUsername, + wantGroups: nil, + }, + }, + modifyRequestParams: func(t *testing.T, params url.Values) { + params.Del("client_id") // client auth for dynamic clients must be in basic auth header + }, + modifyRequestHeaders: func(r *http.Request) { + r.SetBasicAuth(dynamicClientID, testutil.PlaintextPassword1) + }, + requestedAudience: "some-workload-cluster", + wantStatus: http.StatusOK, + }, { name: "dynamic client lacks the required urn:ietf:params:oauth:grant-type:token-exchange grant type", kubeResources: func(t *testing.T, supervisorClient *supervisorfake.Clientset, kubeClient *fake.Clientset) { 
@@ -934,15 +1019,16 @@ func TestTokenEndpointTokenExchange(t *testing.T) { // tests for grant_type "urn authcodeExchange: authcodeExchangeInputs{ modifyAuthRequest: func(authRequest *http.Request) { addDynamicClientIDToFormPostBody(authRequest) - authRequest.Form.Set("scope", "openid groups") // don't request pinniped:request-audience scope + authRequest.Form.Set("scope", "openid username groups") // don't request pinniped:request-audience scope }, modifyTokenRequest: modifyAuthcodeTokenRequestWithDynamicClientAuth, want: tokenEndpointResponseExpectedValues{ wantStatus: http.StatusOK, wantClientID: dynamicClientID, wantSuccessBodyFields: []string{"id_token", "access_token", "token_type", "expires_in", "scope"}, - wantRequestedScopes: []string{"openid", "groups"}, // don't want pinniped:request-audience scope - wantGrantedScopes: []string{"openid", "groups"}, // don't want pinniped:request-audience scope + wantRequestedScopes: []string{"openid", "username", "groups"}, // don't want pinniped:request-audience scope + wantGrantedScopes: []string{"openid", "username", "groups"}, // don't want pinniped:request-audience scope + wantUsername: goodUsername, wantGroups: goodGroups, }, }, 
@@ -962,15 +1048,16 @@ func TestTokenEndpointTokenExchange(t *testing.T) { // tests for grant_type "urn authcodeExchange: authcodeExchangeInputs{ modifyAuthRequest: func(authRequest *http.Request) { addDynamicClientIDToFormPostBody(authRequest) - authRequest.Form.Set("scope", "openid groups") // don't request pinniped:request-audience scope + authRequest.Form.Set("scope", "openid username groups") // don't request pinniped:request-audience scope }, modifyTokenRequest: modifyAuthcodeTokenRequestWithDynamicClientAuth, want: tokenEndpointResponseExpectedValues{ wantStatus: http.StatusOK, wantClientID: dynamicClientID, wantSuccessBodyFields: []string{"id_token", "access_token", "token_type", "expires_in", "scope"}, - wantRequestedScopes: []string{"openid", "groups"}, // don't want pinniped:request-audience scope - wantGrantedScopes: []string{"openid", "groups"}, // don't want pinniped:request-audience scope + wantRequestedScopes: []string{"openid", "username", "groups"}, // don't want pinniped:request-audience scope + wantGrantedScopes: []string{"openid", "username", "groups"}, // don't want pinniped:request-audience scope + wantUsername: goodUsername, wantGroups: goodGroups, }, }, 
@@ -990,16 +1077,17 @@ func TestTokenEndpointTokenExchange(t *testing.T) { // tests for grant_type "urn authcodeExchange: authcodeExchangeInputs{ modifyAuthRequest: func(authRequest *http.Request) { addDynamicClientIDToFormPostBody(authRequest) - authRequest.Form.Set("scope", "pinniped:request-audience groups") // don't request openid scope + authRequest.Form.Set("scope", "pinniped:request-audience username groups") // don't request openid scope }, modifyTokenRequest: modifyAuthcodeTokenRequestWithDynamicClientAuth, want: tokenEndpointResponseExpectedValues{ wantStatus: http.StatusOK, wantClientID: dynamicClientID, wantSuccessBodyFields: []string{"access_token", "token_type", "expires_in", "scope"}, // no id token - wantRequestedScopes: []string{"pinniped:request-audience", "groups"}, // don't want openid scope - wantGrantedScopes: []string{"pinniped:request-audience", "groups"}, // don't want openid scope - wantGroups: nil, + wantRequestedScopes: []string{"pinniped:request-audience", "username", "groups"}, // don't want openid scope + wantGrantedScopes: []string{"pinniped:request-audience", "username", "groups"}, // don't want openid scope + wantUsername: goodUsername, + wantGroups: goodGroups, }, }, modifyRequestParams: func(t *testing.T, params url.Values) { 
@@ -1012,6 +1100,35 @@ func TestTokenEndpointTokenExchange(t *testing.T) { // tests for grant_type "urn wantStatus: http.StatusForbidden, wantResponseBodyContains: `The resource owner or authorization server denied the request. missing the 'openid' scope`, }, + { + name: "dynamic client did not ask for the username scope in the original authorization request, so the session during token exchange has no username associated with it", + kubeResources: addFullyCapableDynamicClientAndSecretToKubeResources, + authcodeExchange: authcodeExchangeInputs{ + modifyAuthRequest: func(authRequest *http.Request) { + addDynamicClientIDToFormPostBody(authRequest) + authRequest.Form.Set("scope", "openid pinniped:request-audience groups") // don't request username scope + }, + modifyTokenRequest: modifyAuthcodeTokenRequestWithDynamicClientAuth, + want: tokenEndpointResponseExpectedValues{ + wantStatus: http.StatusOK, + wantClientID: dynamicClientID, + wantSuccessBodyFields: []string{"id_token", "access_token", "token_type", "expires_in", "scope"}, + wantRequestedScopes: []string{"openid", "pinniped:request-audience", "groups"}, // no username scope + wantGrantedScopes: []string{"openid", "pinniped:request-audience", "groups"}, // no username scope + wantUsername: "", + wantGroups: goodGroups, + }, + }, + modifyRequestParams: func(t *testing.T, params url.Values) { + params.Del("client_id") // client auth for dynamic clients must be in basic auth header + }, + modifyRequestHeaders: func(r *http.Request) { + r.SetBasicAuth(dynamicClientID, testutil.PlaintextPassword1) + }, + requestedAudience: "some-workload-cluster", + wantStatus: http.StatusForbidden, + wantResponseBodyContains: `The resource owner or authorization server denied the request. No username found in session. Ensure that the 'username' scope was requested and granted at the authorization endpoint.`, + }, { name: "missing audience", authcodeExchange: doValidAuthCodeExchange, 
@@ -1160,14 +1277,15 @@ func TestTokenEndpointTokenExchange(t *testing.T) { // tests for grant_type "urn name: "access token missing pinniped:request-audience scope", authcodeExchange: authcodeExchangeInputs{ modifyAuthRequest: func(authRequest *http.Request) { - authRequest.Form.Set("scope", "openid groups") + authRequest.Form.Set("scope", "openid username groups") }, want: tokenEndpointResponseExpectedValues{ wantStatus: http.StatusOK, wantClientID: pinnipedCLIClientID, wantSuccessBodyFields: []string{"id_token", "access_token", "token_type", "expires_in", "scope"}, - wantRequestedScopes: []string{"openid", "groups"}, - wantGrantedScopes: []string{"openid", "groups"}, + wantRequestedScopes: []string{"openid", "username", "groups"}, + wantGrantedScopes: []string{"openid", "username", "groups"}, + wantUsername: goodUsername, wantGroups: goodGroups, }, }, 
@@ -1179,44 +1297,27 @@ func TestTokenEndpointTokenExchange(t *testing.T) { // tests for grant_type "urn name: "access token missing openid scope", authcodeExchange: authcodeExchangeInputs{ modifyAuthRequest: func(authRequest *http.Request) { - authRequest.Form.Set("scope", "pinniped:request-audience groups") + authRequest.Form.Set("scope", "pinniped:request-audience username groups") }, want: tokenEndpointResponseExpectedValues{ wantStatus: http.StatusOK, wantClientID: pinnipedCLIClientID, wantSuccessBodyFields: []string{"access_token", "token_type", "expires_in", "scope"}, - wantRequestedScopes: []string{"pinniped:request-audience", "groups"}, - wantGrantedScopes: []string{"pinniped:request-audience", "groups"}, - wantGroups: nil, + wantRequestedScopes: []string{"pinniped:request-audience", "username", "groups"}, + wantGrantedScopes: []string{"pinniped:request-audience", "username", "groups"}, + wantUsername: goodUsername, + wantGroups: goodGroups, }, }, requestedAudience: "some-workload-cluster", wantStatus: http.StatusForbidden, wantResponseBodyContains: `missing the 'openid' scope`, }, - { - name: "access token missing groups scope", - authcodeExchange: authcodeExchangeInputs{ - modifyAuthRequest: func(authRequest *http.Request) { - authRequest.Form.Set("scope", "openid pinniped:request-audience") - }, - want: tokenEndpointResponseExpectedValues{ - wantStatus: http.StatusOK, - wantClientID: pinnipedCLIClientID, - wantSuccessBodyFields: []string{"access_token", "token_type", "expires_in", "scope", "id_token"}, - wantRequestedScopes: []string{"openid", "pinniped:request-audience"}, - wantGrantedScopes: []string{"openid", "pinniped:request-audience"}, - wantGroups: nil, - }, - }, - requestedAudience: "some-workload-cluster", - wantStatus: http.StatusOK, - }, { name: "token minting failure", authcodeExchange: authcodeExchangeInputs{ modifyAuthRequest: func(authRequest *http.Request) { - authRequest.Form.Set("scope", "openid pinniped:request-audience groups") + 
authRequest.Form.Set("scope", "openid pinniped:request-audience username groups") }, // Fail to fetch a JWK signing key after the authcode exchange has happened. makeOathHelper: makeOauthHelperWithJWTKeyThatWorksOnlyOnce, @@ -1313,7 +1414,11 @@ func TestTokenEndpointTokenExchange(t *testing.T) { // tests for grant_type "urn require.Contains(t, tokenClaims["aud"], test.requestedAudience) require.Equal(t, goodSubject, tokenClaims["sub"]) require.Equal(t, goodIssuer, tokenClaims["iss"]) - require.Equal(t, goodUsername, tokenClaims["username"]) + if test.authcodeExchange.want.wantUsername != "" { + require.Equal(t, test.authcodeExchange.want.wantUsername, tokenClaims["username"]) + } else { + require.Nil(t, tokenClaims["username"]) + } if test.authcodeExchange.want.wantGroups != nil { require.Equal(t, toSliceOfInterface(test.authcodeExchange.want.wantGroups), tokenClaims["groups"]) } else { @@ -1381,6 +1486,7 @@ func TestRefreshGrant(t *testing.T) { initialUpstreamOIDCRefreshTokenCustomSessionData := func() *psession.CustomSessionData { return &psession.CustomSessionData{ + Username: goodUsername, ProviderName: oidcUpstreamName, ProviderUID: oidcUpstreamResourceUID, ProviderType: oidcUpstreamType, @@ -1394,6 +1500,7 @@ func TestRefreshGrant(t *testing.T) { initialUpstreamOIDCAccessTokenCustomSessionData := func() *psession.CustomSessionData { return &psession.CustomSessionData{ + Username: goodUsername, ProviderName: oidcUpstreamName, ProviderUID: oidcUpstreamResourceUID, ProviderType: oidcUpstreamType, 
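Review bot: In the new username branch, `require.Nil(t, tokenClaims["username"])` also passes when the minted ID token carries an explicit `"username": null` claim, so the test cannot tell "claim omitted" from "claim present but empty", and a downstream authenticator keyed on that claim may treat those two cases differently. Assert absence instead: `require.NotContains(t, tokenClaims, "username")`; the same consideration applies to the `groups` else-branch that begins at the end of this hunk. The enclosing test body continues outside the hunk.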
@@ -1463,9 +1570,10 @@ func TestRefreshGrant(t *testing.T) { wantStatus: http.StatusOK, wantClientID: pinnipedCLIClientID, wantSuccessBodyFields: []string{"id_token", "refresh_token", "access_token", "token_type", "expires_in", "scope"}, - wantRequestedScopes: []string{"openid", "offline_access", "groups"}, - wantGrantedScopes: []string{"openid", "offline_access", "groups"}, + wantRequestedScopes: []string{"openid", "offline_access", "username", "groups"}, + wantGrantedScopes: []string{"openid", "offline_access", "username", "groups"}, wantCustomSessionDataStored: wantCustomSessionDataStored, + wantUsername: goodUsername, wantGroups: goodGroups, } return want @@ -1526,6 +1634,7 @@ func TestRefreshGrant(t *testing.T) { } happyActiveDirectoryCustomSessionData := &psession.CustomSessionData{ + Username: goodUsername, ProviderUID: activeDirectoryUpstreamResourceUID, ProviderName: activeDirectoryUpstreamName, ProviderType: activeDirectoryUpstreamType, @@ -1533,7 +1642,9 @@ func TestRefreshGrant(t *testing.T) { UserDN: activeDirectoryUpstreamDN, }, } + happyLDAPCustomSessionData := &psession.CustomSessionData{ + Username: goodUsername, ProviderUID: ldapUpstreamResourceUID, ProviderName: ldapUpstreamName, ProviderType: ldapUpstreamType, 
@@ -1541,6 +1652,21 @@ func TestRefreshGrant(t *testing.T) { UserDN: ldapUpstreamDN, }, } + + happyAuthcodeExchangeInputsForOIDCUpstream := authcodeExchangeInputs{ + customSessionData: initialUpstreamOIDCRefreshTokenCustomSessionData(), + modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access username groups") }, + want: happyAuthcodeExchangeTokenResponseForOpenIDAndOfflineAccess(initialUpstreamOIDCRefreshTokenCustomSessionData()), + } + + happyAuthcodeExchangeInputsForLDAPUpstream := authcodeExchangeInputs{ + modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access username groups") }, + customSessionData: happyLDAPCustomSessionData, + want: happyAuthcodeExchangeTokenResponseForOpenIDAndOfflineAccess( + happyLDAPCustomSessionData, + ), + } + tests := []struct { name string idps *oidctestutil.UpstreamIDPListerBuilder @@ -1559,11 +1685,7 @@ func TestRefreshGrant(t *testing.T) { }, }, }).WithRefreshedTokens(refreshedUpstreamTokensWithIDAndRefreshTokens()).Build()), - authcodeExchange: authcodeExchangeInputs{ - customSessionData: initialUpstreamOIDCRefreshTokenCustomSessionData(), - modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access groups") }, - want: happyAuthcodeExchangeTokenResponseForOpenIDAndOfflineAccess(initialUpstreamOIDCRefreshTokenCustomSessionData()), - }, + authcodeExchange: happyAuthcodeExchangeInputsForOIDCUpstream, refreshRequest: refreshRequestInputs{ want: happyRefreshTokenResponseForOpenIDAndOfflineAccess( upstreamOIDCCustomSessionDataWithNewRefreshToken(oidcUpstreamRefreshedRefreshToken), 
@@ -1586,7 +1708,7 @@ func TestRefreshGrant(t *testing.T) { customSessionData: initialUpstreamOIDCRefreshTokenCustomSessionData(), modifyAuthRequest: func(r *http.Request) { addDynamicClientIDToFormPostBody(r) - r.Form.Set("scope", "openid offline_access groups") + r.Form.Set("scope", "openid offline_access username groups") }, modifyTokenRequest: modifyAuthcodeTokenRequestWithDynamicClientAuth, want: withWantDynamicClientID(happyAuthcodeExchangeTokenResponseForOpenIDAndOfflineAccess(initialUpstreamOIDCRefreshTokenCustomSessionData())), 
@@ -1599,6 +1721,53 @@ func TestRefreshGrant(t *testing.T) { )), }, }, + { + name: "happy path refresh grant with upstream username claim but without downstream username scope granted, using dynamic client", + idps: oidctestutil.NewUpstreamIDPListerBuilder().WithOIDC( + upstreamOIDCIdentityProviderBuilder().WithUsernameClaim("username-claim").WithValidatedAndMergedWithUserInfoTokens(&oidctypes.Token{ + IDToken: &oidctypes.IDToken{ + Claims: map[string]interface{}{ + "some-claim": "some-value", + "sub": goodUpstreamSubject, + "username-claim": goodUsername, + }, + }, + }).WithRefreshedTokens(refreshedUpstreamTokensWithIDAndRefreshTokens()).Build()), + kubeResources: addFullyCapableDynamicClientAndSecretToKubeResources, + authcodeExchange: authcodeExchangeInputs{ + customSessionData: initialUpstreamOIDCRefreshTokenCustomSessionData(), + modifyAuthRequest: func(r *http.Request) { + addDynamicClientIDToFormPostBody(r) + r.Form.Set("scope", "openid offline_access groups") + }, + modifyTokenRequest: modifyAuthcodeTokenRequestWithDynamicClientAuth, + want: withWantDynamicClientID(tokenEndpointResponseExpectedValues{ + wantStatus: http.StatusOK, + wantClientID: dynamicClientID, + wantSuccessBodyFields: []string{"id_token", "refresh_token", "access_token", "token_type", "expires_in", "scope"}, + wantRequestedScopes: []string{"openid", "offline_access", "groups"}, + wantGrantedScopes: []string{"openid", "offline_access", "groups"}, + wantCustomSessionDataStored: initialUpstreamOIDCRefreshTokenCustomSessionData(), + wantUsername: "", + wantGroups: goodGroups, + }), + }, + refreshRequest: refreshRequestInputs{ + modifyTokenRequest: modifyRefreshTokenRequestWithDynamicClientAuth, + want: withWantDynamicClientID(tokenEndpointResponseExpectedValues{ + wantStatus: http.StatusOK, + wantClientID: dynamicClientID, + wantSuccessBodyFields: []string{"id_token", "refresh_token", "access_token", "token_type", "expires_in", "scope"}, + wantRequestedScopes: []string{"openid", 
"offline_access", "groups"}, + wantGrantedScopes: []string{"openid", "offline_access", "groups"}, + wantCustomSessionDataStored: upstreamOIDCCustomSessionDataWithNewRefreshToken(oidcUpstreamRefreshedRefreshToken), + wantUsername: "", + wantGroups: goodGroups, + wantUpstreamRefreshCall: happyOIDCUpstreamRefreshCall(), + wantUpstreamOIDCValidateTokenCall: happyUpstreamValidateTokenCall(refreshedUpstreamTokensWithIDAndRefreshTokens(), true), + }), + }, + }, { name: "refresh grant with unchanged username claim", idps: oidctestutil.NewUpstreamIDPListerBuilder().WithOIDC( @@ -1611,11 +1780,7 @@ func TestRefreshGrant(t *testing.T) { }, }, }).WithRefreshedTokens(refreshedUpstreamTokensWithIDAndRefreshTokens()).Build()), - authcodeExchange: authcodeExchangeInputs{ - customSessionData: initialUpstreamOIDCRefreshTokenCustomSessionData(), - modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access groups") }, - want: happyAuthcodeExchangeTokenResponseForOpenIDAndOfflineAccess(initialUpstreamOIDCRefreshTokenCustomSessionData()), - }, + authcodeExchange: happyAuthcodeExchangeInputsForOIDCUpstream, refreshRequest: refreshRequestInputs{ want: happyRefreshTokenResponseForOpenIDAndOfflineAccess( upstreamOIDCCustomSessionDataWithNewRefreshToken(oidcUpstreamRefreshedRefreshToken), @@ -1641,7 +1806,7 @@ func TestRefreshGrant(t *testing.T) { }).WithRefreshedTokens(refreshedUpstreamTokensWithIDAndRefreshTokens()).Build()), authcodeExchange: authcodeExchangeInputs{ customSessionData: initialUpstreamOIDCAccessTokenCustomSessionData(), - modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access groups") }, + modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access username groups") }, want: happyAuthcodeExchangeTokenResponseForOpenIDAndOfflineAccess(initialUpstreamOIDCAccessTokenCustomSessionData()), }, refreshRequest: refreshRequestInputs{ 
@@ -1649,8 +1814,9 @@ func TestRefreshGrant(t *testing.T) { wantStatus: http.StatusOK, wantClientID: pinnipedCLIClientID, wantSuccessBodyFields: []string{"refresh_token", "id_token", "access_token", "token_type", "expires_in", "scope"}, - wantRequestedScopes: []string{"openid", "offline_access", "groups"}, - wantGrantedScopes: []string{"openid", "offline_access", "groups"}, + wantRequestedScopes: []string{"openid", "offline_access", "username", "groups"}, + wantGrantedScopes: []string{"openid", "offline_access", "username", "groups"}, + wantUsername: goodUsername, wantGroups: goodGroups, wantUpstreamOIDCValidateTokenCall: &expectedUpstreamValidateTokens{ oidcUpstreamName, @@ -1682,8 +1848,10 @@ func TestRefreshGrant(t *testing.T) { wantClientID: pinnipedCLIClientID, wantSuccessBodyFields: []string{"refresh_token", "access_token", "token_type", "expires_in", "scope"}, wantRequestedScopes: []string{"offline_access"}, - wantGrantedScopes: []string{"offline_access"}, + wantGrantedScopes: []string{"offline_access", "username", "groups"}, // username and groups were not requested, but granted anyway for backwards compatibility wantCustomSessionDataStored: initialUpstreamOIDCRefreshTokenCustomSessionData(), + wantUsername: goodUsername, + wantGroups: goodGroups, }, }, refreshRequest: refreshRequestInputs{ 
@@ -1692,10 +1860,12 @@ func TestRefreshGrant(t *testing.T) { wantClientID: pinnipedCLIClientID, wantSuccessBodyFields: []string{"refresh_token", "access_token", "token_type", "expires_in", "scope"}, wantRequestedScopes: []string{"offline_access"}, - wantGrantedScopes: []string{"offline_access"}, + wantGrantedScopes: []string{"offline_access", "username", "groups"}, wantUpstreamRefreshCall: happyOIDCUpstreamRefreshCall(), wantUpstreamOIDCValidateTokenCall: happyUpstreamValidateTokenCall(refreshedUpstreamTokensWithRefreshTokenWithoutIDToken(), false), wantCustomSessionDataStored: upstreamOIDCCustomSessionDataWithNewRefreshToken(oidcUpstreamRefreshedRefreshToken), + wantUsername: goodUsername, + wantGroups: goodGroups, }, }, }, 
@@ -1707,18 +1877,15 @@ func TestRefreshGrant(t *testing.T) { Claims: map[string]interface{}{}, }, }).WithRefreshedTokens(refreshedUpstreamTokensWithRefreshTokenWithoutIDToken()).Build()), - authcodeExchange: authcodeExchangeInputs{ - customSessionData: initialUpstreamOIDCRefreshTokenCustomSessionData(), - modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access groups") }, - want: happyAuthcodeExchangeTokenResponseForOpenIDAndOfflineAccess(initialUpstreamOIDCRefreshTokenCustomSessionData()), - }, + authcodeExchange: happyAuthcodeExchangeInputsForOIDCUpstream, refreshRequest: refreshRequestInputs{ want: tokenEndpointResponseExpectedValues{ wantStatus: http.StatusOK, wantClientID: pinnipedCLIClientID, wantSuccessBodyFields: []string{"refresh_token", "access_token", "id_token", "token_type", "expires_in", "scope"}, - wantRequestedScopes: []string{"openid", "offline_access", "groups"}, - wantGrantedScopes: []string{"openid", "offline_access", "groups"}, + wantRequestedScopes: []string{"openid", "offline_access", "username", "groups"}, + wantGrantedScopes: []string{"openid", "offline_access", "username", "groups"}, + wantUsername: goodUsername, wantGroups: goodGroups, wantUpstreamRefreshCall: happyOIDCUpstreamRefreshCall(), wantUpstreamOIDCValidateTokenCall: happyUpstreamValidateTokenCall(refreshedUpstreamTokensWithRefreshTokenWithoutIDToken(), false), 
@@ -1737,22 +1904,61 @@ func TestRefreshGrant(t *testing.T) { }, }, }).WithRefreshedTokens(refreshedUpstreamTokensWithIDAndRefreshTokens()).Build()), - authcodeExchange: authcodeExchangeInputs{ - customSessionData: initialUpstreamOIDCRefreshTokenCustomSessionData(), - modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access groups") }, - want: happyAuthcodeExchangeTokenResponseForOpenIDAndOfflineAccess(initialUpstreamOIDCRefreshTokenCustomSessionData()), - }, + authcodeExchange: happyAuthcodeExchangeInputsForOIDCUpstream, refreshRequest: refreshRequestInputs{ want: tokenEndpointResponseExpectedValues{ wantStatus: http.StatusOK, wantClientID: pinnipedCLIClientID, wantSuccessBodyFields: []string{"refresh_token", "access_token", "id_token", "token_type", "expires_in", "scope"}, - wantRequestedScopes: []string{"openid", "offline_access", "groups"}, - wantGrantedScopes: []string{"openid", "offline_access", "groups"}, + wantRequestedScopes: []string{"openid", "offline_access", "username", "groups"}, + wantGrantedScopes: []string{"openid", "offline_access", "username", "groups"}, + wantUsername: goodUsername, wantGroups: []string{"new-group1", "new-group2", "new-group3"}, wantUpstreamRefreshCall: happyOIDCUpstreamRefreshCall(), wantUpstreamOIDCValidateTokenCall: happyUpstreamValidateTokenCall(refreshedUpstreamTokensWithIDAndRefreshTokens(), true), wantCustomSessionDataStored: upstreamOIDCCustomSessionDataWithNewRefreshToken(oidcUpstreamRefreshedRefreshToken), + wantWarnings: []RecordedWarning{ + {Text: `User "some-username" has been added to the following groups: ["new-group1" "new-group2" "new-group3"]`}, + {Text: `User "some-username" has been removed from the following groups: ["group1" "groups2"]`}, + }, + }, + }, + }, + { + name: "happy path refresh grant when the upstream refresh returns new group memberships (as strings) from the merged ID token and userinfo results, it updates groups, using dynamic client - updates groups without 
outputting warnings", + idps: oidctestutil.NewUpstreamIDPListerBuilder().WithOIDC( + upstreamOIDCIdentityProviderBuilder().WithGroupsClaim("my-groups-claim").WithValidatedAndMergedWithUserInfoTokens(&oidctypes.Token{ + IDToken: &oidctypes.IDToken{ + Claims: map[string]interface{}{ + "sub": goodUpstreamSubject, + "my-groups-claim": []string{"new-group1", "new-group2", "new-group3"}, // refreshed claims includes updated groups + }, + }, + }).WithRefreshedTokens(refreshedUpstreamTokensWithIDAndRefreshTokens()).Build()), + kubeResources: addFullyCapableDynamicClientAndSecretToKubeResources, + authcodeExchange: authcodeExchangeInputs{ + customSessionData: initialUpstreamOIDCRefreshTokenCustomSessionData(), + modifyAuthRequest: func(r *http.Request) { + addDynamicClientIDToFormPostBody(r) + r.Form.Set("scope", "openid offline_access username groups") + }, + modifyTokenRequest: modifyAuthcodeTokenRequestWithDynamicClientAuth, + want: withWantDynamicClientID(happyAuthcodeExchangeTokenResponseForOpenIDAndOfflineAccess(initialUpstreamOIDCRefreshTokenCustomSessionData())), + }, + refreshRequest: refreshRequestInputs{ + modifyTokenRequest: modifyRefreshTokenRequestWithDynamicClientAuth, + want: tokenEndpointResponseExpectedValues{ + wantStatus: http.StatusOK, + wantClientID: dynamicClientID, + wantSuccessBodyFields: []string{"refresh_token", "access_token", "id_token", "token_type", "expires_in", "scope"}, + wantRequestedScopes: []string{"openid", "offline_access", "username", "groups"}, + wantGrantedScopes: []string{"openid", "offline_access", "username", "groups"}, + wantUsername: goodUsername, + wantGroups: []string{"new-group1", "new-group2", "new-group3"}, + wantUpstreamRefreshCall: happyOIDCUpstreamRefreshCall(), + wantUpstreamOIDCValidateTokenCall: happyUpstreamValidateTokenCall(refreshedUpstreamTokensWithIDAndRefreshTokens(), true), + wantCustomSessionDataStored: upstreamOIDCCustomSessionDataWithNewRefreshToken(oidcUpstreamRefreshedRefreshToken), + wantWarnings: nil, 
// dynamic clients should not get these warnings which are intended for the pinniped-cli client }, }, }, @@ -1767,22 +1973,23 @@ func TestRefreshGrant(t *testing.T) { }, }, }).WithRefreshedTokens(refreshedUpstreamTokensWithIDAndRefreshTokens()).Build()), - authcodeExchange: authcodeExchangeInputs{ - customSessionData: initialUpstreamOIDCRefreshTokenCustomSessionData(), - modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access groups") }, - want: happyAuthcodeExchangeTokenResponseForOpenIDAndOfflineAccess(initialUpstreamOIDCRefreshTokenCustomSessionData()), - }, + authcodeExchange: happyAuthcodeExchangeInputsForOIDCUpstream, refreshRequest: refreshRequestInputs{ want: tokenEndpointResponseExpectedValues{ wantStatus: http.StatusOK, wantClientID: pinnipedCLIClientID, wantSuccessBodyFields: []string{"refresh_token", "access_token", "id_token", "token_type", "expires_in", "scope"}, - wantRequestedScopes: []string{"openid", "offline_access", "groups"}, - wantGrantedScopes: []string{"openid", "offline_access", "groups"}, + wantRequestedScopes: []string{"openid", "offline_access", "username", "groups"}, + wantGrantedScopes: []string{"openid", "offline_access", "username", "groups"}, + wantUsername: goodUsername, wantGroups: []string{"new-group1", "new-group2", "new-group3"}, wantUpstreamRefreshCall: happyOIDCUpstreamRefreshCall(), wantUpstreamOIDCValidateTokenCall: happyUpstreamValidateTokenCall(refreshedUpstreamTokensWithIDAndRefreshTokens(), true), wantCustomSessionDataStored: upstreamOIDCCustomSessionDataWithNewRefreshToken(oidcUpstreamRefreshedRefreshToken), + wantWarnings: []RecordedWarning{ + {Text: `User "some-username" has been added to the following groups: ["new-group1" "new-group2" "new-group3"]`}, + {Text: `User "some-username" has been removed from the following groups: ["group1" "groups2"]`}, + }, }, }, }, 
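Review bot: The two-element `wantWarnings` literal naming "some-username" and the three new groups is pasted verbatim into this hunk and again in the -1767, -1797 (removal-only variant), -1854, -1932, -1972 and -2058 hunks, while the same commit extracts the repeated authcodeExchange block into `happyAuthcodeExchangeInputsForOIDCUpstream`; the warning expectations deserve the same treatment so that a change to the warning wording is a one-line edit instead of seven. If `goodUsername` is "some-username" (the adjacent `wantUsername: goodUsername` suggests so), building the text from that constant also keeps the two from drifting apart. A helper next to the other shared fixtures would do, used as `wantWarnings: happyGroupsChangedWarnings(),`; the removal-only cases can take a second helper. The enclosing test-case literal for the first case of this hunk starts before the hunk.
```go
// happyGroupsChangedWarnings returns the warnings the pinniped-cli client is expected to
// see when the refreshed upstream groups differ from the groups stored at initial login.
func happyGroupsChangedWarnings() []RecordedWarning {
	return []RecordedWarning{
		{Text: `User "some-username" has been added to the following groups: ["new-group1" "new-group2" "new-group3"]`},
		{Text: `User "some-username" has been removed from the following groups: ["group1" "groups2"]`},
	}
}
```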
@@ -1797,22 +2004,22 @@ func TestRefreshGrant(t *testing.T) { }, }, }).WithRefreshedTokens(refreshedUpstreamTokensWithIDAndRefreshTokens()).Build()), - authcodeExchange: authcodeExchangeInputs{ - customSessionData: initialUpstreamOIDCRefreshTokenCustomSessionData(), - modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access groups") }, - want: happyAuthcodeExchangeTokenResponseForOpenIDAndOfflineAccess(initialUpstreamOIDCRefreshTokenCustomSessionData()), - }, + authcodeExchange: happyAuthcodeExchangeInputsForOIDCUpstream, refreshRequest: refreshRequestInputs{ want: tokenEndpointResponseExpectedValues{ wantStatus: http.StatusOK, wantClientID: pinnipedCLIClientID, wantSuccessBodyFields: []string{"refresh_token", "access_token", "id_token", "token_type", "expires_in", "scope"}, - wantRequestedScopes: []string{"openid", "offline_access", "groups"}, - wantGrantedScopes: []string{"openid", "offline_access", "groups"}, + wantRequestedScopes: []string{"openid", "offline_access", "username", "groups"}, + wantGrantedScopes: []string{"openid", "offline_access", "username", "groups"}, + wantUsername: goodUsername, wantGroups: []string{}, // the user no longer belongs to any groups wantUpstreamRefreshCall: happyOIDCUpstreamRefreshCall(), wantUpstreamOIDCValidateTokenCall: happyUpstreamValidateTokenCall(refreshedUpstreamTokensWithIDAndRefreshTokens(), true), wantCustomSessionDataStored: upstreamOIDCCustomSessionDataWithNewRefreshToken(oidcUpstreamRefreshedRefreshToken), + wantWarnings: []RecordedWarning{ + {Text: `User "some-username" has been removed from the following groups: ["group1" "groups2"]`}, + }, }, }, }, 
@@ -1827,18 +2034,15 @@ func TestRefreshGrant(t *testing.T) { }, }, }).WithRefreshedTokens(refreshedUpstreamTokensWithIDAndRefreshTokens()).Build()), - authcodeExchange: authcodeExchangeInputs{ - customSessionData: initialUpstreamOIDCRefreshTokenCustomSessionData(), - modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access groups") }, - want: happyAuthcodeExchangeTokenResponseForOpenIDAndOfflineAccess(initialUpstreamOIDCRefreshTokenCustomSessionData()), - }, + authcodeExchange: happyAuthcodeExchangeInputsForOIDCUpstream, refreshRequest: refreshRequestInputs{ want: tokenEndpointResponseExpectedValues{ wantStatus: http.StatusOK, wantClientID: pinnipedCLIClientID, wantSuccessBodyFields: []string{"refresh_token", "access_token", "id_token", "token_type", "expires_in", "scope"}, - wantRequestedScopes: []string{"openid", "offline_access", "groups"}, - wantGrantedScopes: []string{"openid", "offline_access", "groups"}, + wantRequestedScopes: []string{"openid", "offline_access", "username", "groups"}, + wantGrantedScopes: []string{"openid", "offline_access", "username", "groups"}, + wantUsername: goodUsername, wantGroups: goodGroups, // the same groups as from the initial login wantUpstreamRefreshCall: happyOIDCUpstreamRefreshCall(), wantUpstreamOIDCValidateTokenCall: happyUpstreamValidateTokenCall(refreshedUpstreamTokensWithIDAndRefreshTokens(), true), 
@@ -1854,23 +2058,56 @@ func TestRefreshGrant(t *testing.T) { URL: ldapUpstreamURL, PerformRefreshGroups: []string{"new-group1", "new-group2", "new-group3"}, }), - authcodeExchange: authcodeExchangeInputs{ - modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access groups") }, - customSessionData: happyLDAPCustomSessionData, - want: happyAuthcodeExchangeTokenResponseForOpenIDAndOfflineAccess( - happyLDAPCustomSessionData, - ), - }, + authcodeExchange: happyAuthcodeExchangeInputsForLDAPUpstream, refreshRequest: refreshRequestInputs{ want: tokenEndpointResponseExpectedValues{ wantStatus: http.StatusOK, wantClientID: pinnipedCLIClientID, wantSuccessBodyFields: []string{"refresh_token", "access_token", "id_token", "token_type", "expires_in", "scope"}, - wantRequestedScopes: []string{"openid", "offline_access", "groups"}, - wantGrantedScopes: []string{"openid", "offline_access", "groups"}, + wantRequestedScopes: []string{"openid", "offline_access", "username", "groups"}, + wantGrantedScopes: []string{"openid", "offline_access", "username", "groups"}, + wantUsername: goodUsername, wantGroups: []string{"new-group1", "new-group2", "new-group3"}, wantUpstreamRefreshCall: happyLDAPUpstreamRefreshCall(), wantCustomSessionDataStored: happyLDAPCustomSessionData, + wantWarnings: []RecordedWarning{ + {Text: `User "some-username" has been added to the following groups: ["new-group1" "new-group2" "new-group3"]`}, + {Text: `User "some-username" has been removed from the following groups: ["group1" "groups2"]`}, + }, + }, + }, + }, + { + name: "happy path refresh grant when the upstream refresh returns new group memberships from LDAP, it updates groups, using dynamic client - updates groups without outputting warnings", + idps: oidctestutil.NewUpstreamIDPListerBuilder().WithLDAP(&oidctestutil.TestUpstreamLDAPIdentityProvider{ + Name: ldapUpstreamName, + ResourceUID: ldapUpstreamResourceUID, + URL: ldapUpstreamURL, + PerformRefreshGroups: 
[]string{"new-group1", "new-group2", "new-group3"}, + }), + kubeResources: addFullyCapableDynamicClientAndSecretToKubeResources, + authcodeExchange: authcodeExchangeInputs{ + customSessionData: happyLDAPCustomSessionData, + modifyAuthRequest: func(r *http.Request) { + addDynamicClientIDToFormPostBody(r) + r.Form.Set("scope", "openid offline_access username groups") + }, + modifyTokenRequest: modifyAuthcodeTokenRequestWithDynamicClientAuth, + want: withWantDynamicClientID(happyAuthcodeExchangeTokenResponseForOpenIDAndOfflineAccess(happyLDAPCustomSessionData)), + }, + refreshRequest: refreshRequestInputs{ + modifyTokenRequest: modifyRefreshTokenRequestWithDynamicClientAuth, + want: tokenEndpointResponseExpectedValues{ + wantStatus: http.StatusOK, + wantClientID: dynamicClientID, + wantSuccessBodyFields: []string{"refresh_token", "access_token", "id_token", "token_type", "expires_in", "scope"}, + wantRequestedScopes: []string{"openid", "offline_access", "username", "groups"}, + wantGrantedScopes: []string{"openid", "offline_access", "username", "groups"}, + wantUsername: goodUsername, + wantGroups: []string{"new-group1", "new-group2", "new-group3"}, + wantUpstreamRefreshCall: happyLDAPUpstreamRefreshCall(), + wantCustomSessionDataStored: happyLDAPCustomSessionData, + wantWarnings: nil, // dynamic clients should not get these warnings which are intended for the pinniped-cli client }, }, }, 
@@ -1882,33 +2119,31 @@ func TestRefreshGrant(t *testing.T) { URL: ldapUpstreamURL, PerformRefreshGroups: []string{}, }), - authcodeExchange: authcodeExchangeInputs{ - modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access groups") }, - customSessionData: happyLDAPCustomSessionData, - want: happyAuthcodeExchangeTokenResponseForOpenIDAndOfflineAccess( - happyLDAPCustomSessionData, - ), - }, + authcodeExchange: happyAuthcodeExchangeInputsForLDAPUpstream, refreshRequest: refreshRequestInputs{ want: tokenEndpointResponseExpectedValues{ wantStatus: http.StatusOK, wantClientID: pinnipedCLIClientID, wantSuccessBodyFields: []string{"refresh_token", "access_token", "id_token", "token_type", "expires_in", "scope"}, - wantRequestedScopes: []string{"openid", "offline_access", "groups"}, - wantGrantedScopes: []string{"openid", "offline_access", "groups"}, + wantRequestedScopes: []string{"openid", "offline_access", "username", "groups"}, + wantGrantedScopes: []string{"openid", "offline_access", "username", "groups"}, + wantUsername: goodUsername, wantGroups: []string{}, wantUpstreamRefreshCall: happyLDAPUpstreamRefreshCall(), wantCustomSessionDataStored: happyLDAPCustomSessionData, + wantWarnings: []RecordedWarning{ + {Text: `User "some-username" has been removed from the following groups: ["group1" "groups2"]`}, + }, }, }, }, { - name: "ldap refresh grant when the upstream refresh when groups scope not requested on original request or refresh", + name: "ldap refresh grant when the upstream refresh when username and groups scopes are not requested on original request or refresh", idps: oidctestutil.NewUpstreamIDPListerBuilder().WithLDAP(&oidctestutil.TestUpstreamLDAPIdentityProvider{ Name: ldapUpstreamName, ResourceUID: ldapUpstreamResourceUID, URL: ldapUpstreamURL, - PerformRefreshGroups: []string{}, + PerformRefreshGroups: []string{"new-group1", "new-group2", "new-group3"}, }), authcodeExchange: authcodeExchangeInputs{ modifyAuthRequest: func(r 
*http.Request) { r.Form.Set("scope", "openid offline_access") }, @@ -1918,9 +2153,10 @@ func TestRefreshGrant(t *testing.T) { wantClientID: pinnipedCLIClientID, wantSuccessBodyFields: []string{"id_token", "refresh_token", "access_token", "token_type", "expires_in", "scope"}, wantRequestedScopes: []string{"openid", "offline_access"}, - wantGrantedScopes: []string{"openid", "offline_access"}, + wantGrantedScopes: []string{"openid", "offline_access", "username", "groups"}, // username and groups were not requested, but granted anyway for backwards compatibility wantCustomSessionDataStored: happyLDAPCustomSessionData, - wantGroups: nil, + wantUsername: goodUsername, + wantGroups: goodGroups, }, }, refreshRequest: refreshRequestInputs{ 
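Review bot: The renamed case `name: "ldap refresh grant when the upstream refresh when username and groups scopes are not requested on original request or refresh"` carries over the doubled "when the upstream refresh when" from the old name, and the oidc twin in the -1932 hunk does the same. Since the line is being rewritten anyway, `name: "ldap refresh grant when username and groups scopes are not requested on original request or refresh"` reads cleanly; and because `PerformRefreshGroups` is now non-empty, this case also exercises group replacement without the groups scope, which is worth stating in the name or in a short comment on that field. The case's closing lines are in the next hunk.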
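Review bot: The comment `// username and groups were not requested, but granted anyway for backwards compatibility` on the `wantGrantedScopes` line records a grant wider than the request without saying for whom the compatibility is kept. This case uses `wantClientID: pinnipedCLIClientID`, and the dynamic-client cases later in the table (the -2003 hunk) expect only what they asked for, so if the widening is indeed limited to the pinniped-cli client the comment should say so, e.g. `// username and groups were not requested, but are granted anyway to the pinniped-cli client for backwards compatibility`; confirm against the token endpoint code before wording it. The same comment recurs in the -1932, -1958 and -1972 hunks. Returning a scope set that differs from the requested one is fine as long as the response carries the scope parameter, which `wantSuccessBodyFields` does check here.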
@@ -1932,15 +2168,20 @@ func TestRefreshGrant(t *testing.T) { wantClientID: pinnipedCLIClientID, wantSuccessBodyFields: []string{"refresh_token", "access_token", "id_token", "token_type", "expires_in", "scope"}, wantRequestedScopes: []string{"openid", "offline_access"}, - wantGrantedScopes: []string{"openid", "offline_access"}, - wantGroups: nil, + wantGrantedScopes: []string{"openid", "offline_access", "username", "groups"}, // username and groups were not requested, but granted anyway for backwards compatibility + wantUsername: goodUsername, + wantGroups: []string{"new-group1", "new-group2", "new-group3"}, wantUpstreamRefreshCall: happyLDAPUpstreamRefreshCall(), wantCustomSessionDataStored: happyLDAPCustomSessionData, + wantWarnings: []RecordedWarning{ + {Text: `User "some-username" has been added to the following groups: ["new-group1" "new-group2" "new-group3"]`}, + {Text: `User "some-username" has been removed from the following groups: ["group1" "groups2"]`}, + }, }, }, }, { - name: "oidc refresh grant when the upstream refresh when groups scope not requested on original request or refresh", + name: "oidc refresh grant when the upstream refresh when username and groups scopes are not requested on original request or refresh", idps: oidctestutil.NewUpstreamIDPListerBuilder().WithOIDC( upstreamOIDCIdentityProviderBuilder().WithGroupsClaim("my-groups-claim").WithValidatedAndMergedWithUserInfoTokens(&oidctypes.Token{ IDToken: &oidctypes.IDToken{ 
@@ -1958,9 +2199,10 @@ func TestRefreshGrant(t *testing.T) { wantClientID: pinnipedCLIClientID, wantSuccessBodyFields: []string{"id_token", "refresh_token", "access_token", "token_type", "expires_in", "scope"}, wantRequestedScopes: []string{"openid", "offline_access"}, - wantGrantedScopes: []string{"openid", "offline_access"}, + wantGrantedScopes: []string{"openid", "offline_access", "username", "groups"}, // username and groups were not requested, but granted anyway for backwards compatibility wantCustomSessionDataStored: initialUpstreamOIDCRefreshTokenCustomSessionData(), - wantGroups: nil, + wantUsername: goodUsername, + wantGroups: goodGroups, }, }, refreshRequest: refreshRequestInputs{ @@ -1972,11 +2214,16 @@ func TestRefreshGrant(t *testing.T) { wantClientID: pinnipedCLIClientID, wantSuccessBodyFields: []string{"refresh_token", "access_token", "id_token", "token_type", "expires_in", "scope"}, wantRequestedScopes: []string{"openid", "offline_access"}, - wantGrantedScopes: []string{"openid", "offline_access"}, - wantGroups: nil, + wantGrantedScopes: []string{"openid", "offline_access", "username", "groups"}, // username and groups were not requested, but granted anyway for backwards compatibility + wantUsername: goodUsername, + wantGroups: []string{"new-group1", "new-group2", "new-group3"}, wantUpstreamRefreshCall: happyOIDCUpstreamRefreshCall(), wantUpstreamOIDCValidateTokenCall: happyUpstreamValidateTokenCall(refreshedUpstreamTokensWithIDAndRefreshTokens(), true), wantCustomSessionDataStored: upstreamOIDCCustomSessionDataWithNewRefreshToken(oidcUpstreamRefreshedRefreshToken), + wantWarnings: []RecordedWarning{ + {Text: `User "some-username" has been added to the following groups: ["new-group1" "new-group2" "new-group3"]`}, + {Text: `User "some-username" has been removed from the following groups: ["group1" "groups2"]`}, + }, }, }, }, 
@@ -1995,7 +2242,7 @@ func TestRefreshGrant(t *testing.T) { authcodeExchange: authcodeExchangeInputs{ modifyAuthRequest: func(r *http.Request) { addDynamicClientIDToFormPostBody(r) - r.Form.Set("scope", "openid offline_access") + r.Form.Set("scope", "openid offline_access username") }, modifyTokenRequest: modifyAuthcodeTokenRequestWithDynamicClientAuth, customSessionData: initialUpstreamOIDCRefreshTokenCustomSessionData(), 
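Review bot: Changing this dynamic-client case's request to `r.Form.Set("scope", "openid offline_access username")`, with the matching expectations in the -2003 hunk, means the table no longer appears to contain a dynamic client that requests neither username nor groups. Given that the pinniped-cli cases above now document username and groups being granted without being requested, a case pinning that a dynamic client omitting both scopes is granted only `[]string{"openid", "offline_access"}`, with `wantUsername` left at its zero value and `wantGroups: nil`, would lock in the narrower behaviour for dynamic clients; if such a case exists outside this chunk, disregard. The enclosing test-case literal starts before this hunk.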
@@ -2003,23 +2250,25 @@ func TestRefreshGrant(t *testing.T) { wantStatus: http.StatusOK, wantClientID: dynamicClientID, wantSuccessBodyFields: []string{"id_token", "refresh_token", "access_token", "token_type", "expires_in", "scope"}, - wantRequestedScopes: []string{"openid", "offline_access"}, - wantGrantedScopes: []string{"openid", "offline_access"}, + wantRequestedScopes: []string{"openid", "offline_access", "username"}, + wantGrantedScopes: []string{"openid", "offline_access", "username"}, wantCustomSessionDataStored: initialUpstreamOIDCRefreshTokenCustomSessionData(), + wantUsername: goodUsername, wantGroups: nil, }, }, refreshRequest: refreshRequestInputs{ modifyTokenRequest: func(r *http.Request, refreshToken string, accessToken string) { - r.Body = happyRefreshRequestBody(refreshToken).WithClientID("").WithScope("openid offline_access").ReadCloser() + r.Body = happyRefreshRequestBody(refreshToken).WithClientID("").WithScope("openid offline_access username").ReadCloser() r.SetBasicAuth(dynamicClientID, testutil.PlaintextPassword1) // Use basic auth header instead. }, want: tokenEndpointResponseExpectedValues{ wantStatus: http.StatusOK, wantClientID: dynamicClientID, wantSuccessBodyFields: []string{"refresh_token", "access_token", "id_token", "token_type", "expires_in", "scope"}, - wantRequestedScopes: []string{"openid", "offline_access"}, - wantGrantedScopes: []string{"openid", "offline_access"}, + wantRequestedScopes: []string{"openid", "offline_access", "username"}, + wantGrantedScopes: []string{"openid", "offline_access", "username"}, + wantUsername: goodUsername, wantGroups: nil, wantUpstreamRefreshCall: happyOIDCUpstreamRefreshCall(), wantUpstreamOIDCValidateTokenCall: happyUpstreamValidateTokenCall(refreshedUpstreamTokensWithIDAndRefreshTokens(), true), 
@@ -2038,15 +2287,16 @@ func TestRefreshGrant(t *testing.T) { PerformRefreshGroups: []string{"new-group1", "new-group2", "new-group3"}, }), authcodeExchange: authcodeExchangeInputs{ - modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access groups") }, + modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access username groups") }, customSessionData: happyLDAPCustomSessionData, want: tokenEndpointResponseExpectedValues{ wantStatus: http.StatusOK, wantClientID: pinnipedCLIClientID, wantSuccessBodyFields: []string{"id_token", "refresh_token", "access_token", "token_type", "expires_in", "scope"}, - wantRequestedScopes: []string{"openid", "offline_access", "groups"}, - wantGrantedScopes: []string{"openid", "offline_access", "groups"}, + wantRequestedScopes: []string{"openid", "offline_access", "username", "groups"}, + wantGrantedScopes: []string{"openid", "offline_access", "username", "groups"}, wantCustomSessionDataStored: happyLDAPCustomSessionData, + wantUsername: goodUsername, wantGroups: goodGroups, }, }, 
@@ -2058,11 +2308,16 @@ func TestRefreshGrant(t *testing.T) { wantStatus: http.StatusOK, wantClientID: pinnipedCLIClientID, wantSuccessBodyFields: []string{"refresh_token", "access_token", "id_token", "token_type", "expires_in", "scope"}, - wantRequestedScopes: []string{"openid", "offline_access", "groups"}, - wantGrantedScopes: []string{"openid", "offline_access", "groups"}, + wantRequestedScopes: []string{"openid", "offline_access", "username", "groups"}, + wantGrantedScopes: []string{"openid", "offline_access", "username", "groups"}, + wantUsername: goodUsername, wantGroups: []string{"new-group1", "new-group2", "new-group3"}, // groups are updated even though the scope was not included wantUpstreamRefreshCall: happyLDAPUpstreamRefreshCall(), wantCustomSessionDataStored: happyLDAPCustomSessionData, + wantWarnings: []RecordedWarning{ + {Text: `User "some-username" has been added to the following groups: ["new-group1" "new-group2" "new-group3"]`}, + {Text: `User "some-username" has been removed from the following groups: ["group1" "groups2"]`}, + }, }, }, }, @@ -2077,11 +2332,7 @@ func TestRefreshGrant(t *testing.T) { }, }, }).WithRefreshedTokens(refreshedUpstreamTokensWithIDAndRefreshTokens()).Build()), - authcodeExchange: authcodeExchangeInputs{ - customSessionData: initialUpstreamOIDCRefreshTokenCustomSessionData(), - modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access groups") }, - want: happyAuthcodeExchangeTokenResponseForOpenIDAndOfflineAccess(initialUpstreamOIDCRefreshTokenCustomSessionData()), - }, + authcodeExchange: happyAuthcodeExchangeInputsForOIDCUpstream, refreshRequest: refreshRequestInputs{ want: tokenEndpointResponseExpectedValues{ wantStatus: http.StatusUnauthorized, 
@@ -2101,11 +2352,7 @@ func TestRefreshGrant(t *testing.T) { }, }, }).WithRefreshedTokens(refreshedUpstreamTokensWithIDTokenWithoutRefreshToken()).Build()), - authcodeExchange: authcodeExchangeInputs{ - customSessionData: initialUpstreamOIDCRefreshTokenCustomSessionData(), - modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access groups") }, - want: happyAuthcodeExchangeTokenResponseForOpenIDAndOfflineAccess(initialUpstreamOIDCRefreshTokenCustomSessionData()), - }, + authcodeExchange: happyAuthcodeExchangeInputsForOIDCUpstream, refreshRequest: refreshRequestInputs{ want: happyRefreshTokenResponseForOpenIDAndOfflineAccess( initialUpstreamOIDCRefreshTokenCustomSessionData(), // still has the initial refresh token stored @@ -2123,11 +2370,7 @@ func TestRefreshGrant(t *testing.T) { }, }, }).WithRefreshedTokens(refreshedUpstreamTokensWithIDAndRefreshTokens()).Build()), - authcodeExchange: authcodeExchangeInputs{ - customSessionData: initialUpstreamOIDCRefreshTokenCustomSessionData(), - modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access groups") }, - want: happyAuthcodeExchangeTokenResponseForOpenIDAndOfflineAccess(initialUpstreamOIDCRefreshTokenCustomSessionData()), - }, + authcodeExchange: happyAuthcodeExchangeInputsForOIDCUpstream, refreshRequest: refreshRequestInputs{ modifyTokenRequest: func(r *http.Request, refreshToken string, accessToken string) { r.Body = happyRefreshRequestBody(refreshToken).WithScope("openid some-other-scope-not-from-auth-request").ReadCloser() 
@@ -2150,13 +2393,16 @@ func TestRefreshGrant(t *testing.T) { }).WithRefreshedTokens(refreshedUpstreamTokensWithIDAndRefreshTokens()).Build()), authcodeExchange: authcodeExchangeInputs{ customSessionData: initialUpstreamOIDCRefreshTokenCustomSessionData(), - modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access pinniped:request-audience groups") }, + modifyAuthRequest: func(r *http.Request) { + r.Form.Set("scope", "openid offline_access pinniped:request-audience username groups") + }, want: tokenEndpointResponseExpectedValues{ wantStatus: http.StatusOK, wantClientID: pinnipedCLIClientID, wantSuccessBodyFields: []string{"id_token", "refresh_token", "access_token", "token_type", "expires_in", "scope"}, - wantRequestedScopes: []string{"openid", "offline_access", "pinniped:request-audience", "groups"}, - wantGrantedScopes: []string{"openid", "offline_access", "pinniped:request-audience", "groups"}, + wantRequestedScopes: []string{"openid", "offline_access", "pinniped:request-audience", "username", "groups"}, + wantGrantedScopes: []string{"openid", "offline_access", "pinniped:request-audience", "username", "groups"}, + wantUsername: goodUsername, wantGroups: goodGroups, wantCustomSessionDataStored: initialUpstreamOIDCRefreshTokenCustomSessionData(), }, 
@@ -2169,8 +2415,9 @@ func TestRefreshGrant(t *testing.T) { wantStatus: http.StatusOK, wantClientID: pinnipedCLIClientID, wantSuccessBodyFields: []string{"id_token", "refresh_token", "access_token", "token_type", "expires_in", "scope"}, - wantRequestedScopes: []string{"openid", "offline_access", "pinniped:request-audience", "groups"}, - wantGrantedScopes: []string{"openid", "offline_access", "pinniped:request-audience", "groups"}, + wantRequestedScopes: []string{"openid", "offline_access", "pinniped:request-audience", "username", "groups"}, + wantGrantedScopes: []string{"openid", "offline_access", "pinniped:request-audience", "username", "groups"}, + wantUsername: goodUsername, wantGroups: goodGroups, wantUpstreamRefreshCall: happyOIDCUpstreamRefreshCall(), wantUpstreamOIDCValidateTokenCall: happyUpstreamValidateTokenCall(refreshedUpstreamTokensWithIDAndRefreshTokens(), true), @@ -2188,11 +2435,7 @@ func TestRefreshGrant(t *testing.T) { }, }, }).WithRefreshedTokens(refreshedUpstreamTokensWithIDAndRefreshTokens()).Build()), - authcodeExchange: authcodeExchangeInputs{ - customSessionData: initialUpstreamOIDCRefreshTokenCustomSessionData(), - modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access groups") }, - want: happyAuthcodeExchangeTokenResponseForOpenIDAndOfflineAccess(initialUpstreamOIDCRefreshTokenCustomSessionData()), - }, + authcodeExchange: happyAuthcodeExchangeInputsForOIDCUpstream, refreshRequest: refreshRequestInputs{ modifyTokenRequest: func(r *http.Request, refreshToken string, accessToken string) { r.Body = happyRefreshRequestBody(refreshToken).WithScope("").ReadCloser() 
@@ -2208,14 +2451,16 @@ func TestRefreshGrant(t *testing.T) { idps: oidctestutil.NewUpstreamIDPListerBuilder().WithOIDC(upstreamOIDCIdentityProviderBuilder().Build()), authcodeExchange: authcodeExchangeInputs{ customSessionData: initialUpstreamOIDCRefreshTokenCustomSessionData(), - modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "offline_access") }, + modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "offline_access username groups") }, want: tokenEndpointResponseExpectedValues{ wantStatus: http.StatusOK, wantClientID: pinnipedCLIClientID, wantSuccessBodyFields: []string{"refresh_token", "access_token", "token_type", "expires_in", "scope"}, - wantRequestedScopes: []string{"offline_access"}, - wantGrantedScopes: []string{"offline_access"}, + wantRequestedScopes: []string{"offline_access", "username", "groups"}, + wantGrantedScopes: []string{"offline_access", "username", "groups"}, wantCustomSessionDataStored: initialUpstreamOIDCRefreshTokenCustomSessionData(), + wantUsername: goodUsername, + wantGroups: goodGroups, }, }, refreshRequest: refreshRequestInputs{ 
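Review bot: This case requests `offline_access username groups` without `openid`, and `wantSuccessBodyFields` accordingly lists no `id_token`, yet the new `wantUsername: goodUsername` and `wantGroups: goodGroups` expectations are added as if an identity were returned in the response. What these two fields are compared against when there is no ID token (presumably the stored session) is not visible from the hunk, and a one-line comment beside them such as `// no openid scope, so these are checked against the stored session rather than an id_token` would spare the next reader the lookup; confirm against the assertion helper before wording it. The -2233 and -2258 hunks are identical in this respect. The refreshRequest half of the case lies outside the hunk.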
@@ -2233,14 +2478,16 @@ func TestRefreshGrant(t *testing.T) { idps: oidctestutil.NewUpstreamIDPListerBuilder().WithOIDC(upstreamOIDCIdentityProviderBuilder().Build()), authcodeExchange: authcodeExchangeInputs{ customSessionData: initialUpstreamOIDCRefreshTokenCustomSessionData(), - modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "offline_access") }, + modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "offline_access username groups") }, want: tokenEndpointResponseExpectedValues{ wantStatus: http.StatusOK, wantClientID: pinnipedCLIClientID, wantSuccessBodyFields: []string{"refresh_token", "access_token", "token_type", "expires_in", "scope"}, - wantRequestedScopes: []string{"offline_access"}, - wantGrantedScopes: []string{"offline_access"}, + wantRequestedScopes: []string{"offline_access", "username", "groups"}, + wantGrantedScopes: []string{"offline_access", "username", "groups"}, wantCustomSessionDataStored: initialUpstreamOIDCRefreshTokenCustomSessionData(), + wantUsername: goodUsername, + wantGroups: goodGroups, }, }, refreshRequest: refreshRequestInputs{ 
@@ -2258,14 +2505,16 @@ func TestRefreshGrant(t *testing.T) { idps: oidctestutil.NewUpstreamIDPListerBuilder().WithOIDC(upstreamOIDCIdentityProviderBuilder().Build()), authcodeExchange: authcodeExchangeInputs{ customSessionData: initialUpstreamOIDCRefreshTokenCustomSessionData(), - modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "offline_access") }, + modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "offline_access username groups") }, want: tokenEndpointResponseExpectedValues{ wantStatus: http.StatusOK, wantClientID: pinnipedCLIClientID, wantSuccessBodyFields: []string{"refresh_token", "access_token", "token_type", "expires_in", "scope"}, - wantRequestedScopes: []string{"offline_access"}, - wantGrantedScopes: []string{"offline_access"}, + wantRequestedScopes: []string{"offline_access", "username", "groups"}, + wantGrantedScopes: []string{"offline_access", "username", "groups"}, wantCustomSessionDataStored: initialUpstreamOIDCRefreshTokenCustomSessionData(), + wantUsername: goodUsername, + wantGroups: goodGroups, }, }, refreshRequest: refreshRequestInputs{ 
@@ -2288,15 +2537,8 @@ func TestRefreshGrant(t *testing.T) { }, }, }).WithRefreshedTokens(refreshedUpstreamTokensWithIDAndRefreshTokens()).Build()), - kubeResources: addFullyCapableDynamicClientAndSecretToKubeResources, - authcodeExchange: authcodeExchangeInputs{ - // Make the auth request and authcode exchange request using the pinniped-cli client. - customSessionData: initialUpstreamOIDCRefreshTokenCustomSessionData(), - modifyAuthRequest: func(r *http.Request) { - r.Form.Set("scope", "openid offline_access groups") - }, - want: happyAuthcodeExchangeTokenResponseForOpenIDAndOfflineAccess(initialUpstreamOIDCRefreshTokenCustomSessionData()), - }, + kubeResources: addFullyCapableDynamicClientAndSecretToKubeResources, + authcodeExchange: happyAuthcodeExchangeInputsForOIDCUpstream, // Make the auth request and authcode exchange request using the pinniped-cli client. refreshRequest: refreshRequestInputs{ // Make the refresh request with the dynamic client. modifyTokenRequest: modifyRefreshTokenRequestWithDynamicClientAuth, @@ -2321,7 +2563,7 @@ func TestRefreshGrant(t *testing.T) { customSessionData: initialUpstreamOIDCRefreshTokenCustomSessionData(), modifyAuthRequest: func(r *http.Request) { addDynamicClientIDToFormPostBody(r) - r.Form.Set("scope", "openid offline_access groups") + r.Form.Set("scope", "openid offline_access username groups") }, modifyTokenRequest: modifyAuthcodeTokenRequestWithDynamicClientAuth, want: withWantDynamicClientID(happyAuthcodeExchangeTokenResponseForOpenIDAndOfflineAccess(initialUpstreamOIDCRefreshTokenCustomSessionData())), 
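Review bot: The comment that used to sit on its own line inside the struct now trails `authcodeExchange: happyAuthcodeExchangeInputsForOIDCUpstream, // Make the auth request and authcode exchange request using the pinniped-cli client.`, producing one of the longest lines in the table, while the parallel `// Make the refresh request with the dynamic client.` comment appears to keep its own line. Keeping it above the field matches that neighbour: `// Make the auth request and authcode exchange request using the pinniped-cli client.` on its own line, followed by `authcodeExchange: happyAuthcodeExchangeInputsForOIDCUpstream,`. The enclosing test-case literal starts before this hunk.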
@@ -2352,7 +2594,7 @@ func TestRefreshGrant(t *testing.T) { customSessionData: initialUpstreamOIDCRefreshTokenCustomSessionData(), modifyAuthRequest: func(r *http.Request) { addDynamicClientIDToFormPostBody(r) - r.Form.Set("scope", "openid offline_access groups") + r.Form.Set("scope", "openid offline_access username groups") }, modifyTokenRequest: modifyAuthcodeTokenRequestWithDynamicClientAuth, want: withWantDynamicClientID(happyAuthcodeExchangeTokenResponseForOpenIDAndOfflineAccess(initialUpstreamOIDCRefreshTokenCustomSessionData())), @@ -2373,7 +2615,7 @@ func TestRefreshGrant(t *testing.T) { idps: oidctestutil.NewUpstreamIDPListerBuilder().WithOIDC(upstreamOIDCIdentityProviderBuilder().Build()), authcodeExchange: authcodeExchangeInputs{ customSessionData: nil, // this should not happen in practice - modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access groups") }, + modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access username groups") }, want: happyAuthcodeExchangeTokenResponseForOpenIDAndOfflineAccess(nil), }, refreshRequest: refreshRequestInputs{ @@ -2393,7 +2635,7 @@ func TestRefreshGrant(t *testing.T) { ProviderType: oidcUpstreamType, OIDC: &psession.OIDCSessionData{UpstreamRefreshToken: oidcUpstreamInitialRefreshToken}, }, - modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access groups") }, + modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access username groups") }, want: happyAuthcodeExchangeTokenResponseForOpenIDAndOfflineAccess( &psession.CustomSessionData{ // want the initial customSessionData to be unmodified ProviderName: "", // this should not happen in practice 
@@ -2420,7 +2662,7 @@ func TestRefreshGrant(t *testing.T) { ProviderType: oidcUpstreamType, OIDC: &psession.OIDCSessionData{UpstreamRefreshToken: oidcUpstreamInitialRefreshToken}, }, - modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access groups") }, + modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access username groups") }, want: happyAuthcodeExchangeTokenResponseForOpenIDAndOfflineAccess( &psession.CustomSessionData{ // want the initial customSessionData to be unmodified ProviderName: oidcUpstreamName, @@ -2447,7 +2689,7 @@ func TestRefreshGrant(t *testing.T) { ProviderType: "", // this should not happen in practice OIDC: &psession.OIDCSessionData{UpstreamRefreshToken: oidcUpstreamInitialRefreshToken}, }, - modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access groups") }, + modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access username groups") }, want: happyAuthcodeExchangeTokenResponseForOpenIDAndOfflineAccess( &psession.CustomSessionData{ // want the initial customSessionData to be unmodified ProviderName: oidcUpstreamName, @@ -2474,7 +2716,7 @@ func TestRefreshGrant(t *testing.T) { ProviderType: "not-an-allowed-provider-type", // this should not happen in practice OIDC: &psession.OIDCSessionData{UpstreamRefreshToken: oidcUpstreamInitialRefreshToken}, }, - modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access groups") }, + modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access username groups") }, want: happyAuthcodeExchangeTokenResponseForOpenIDAndOfflineAccess( &psession.CustomSessionData{ // want the initial customSessionData to be unmodified ProviderName: oidcUpstreamName, 
@@ -2501,7 +2743,7 @@ func TestRefreshGrant(t *testing.T) { ProviderType: oidcUpstreamType, OIDC: nil, // this should not happen in practice }, - modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access groups") }, + modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access username groups") }, want: happyAuthcodeExchangeTokenResponseForOpenIDAndOfflineAccess( &psession.CustomSessionData{ // want the initial customSessionData to be unmodified ProviderName: oidcUpstreamName, @@ -2531,7 +2773,7 @@ func TestRefreshGrant(t *testing.T) { UpstreamAccessToken: "", }, }, - modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access groups") }, + modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access username groups") }, want: happyAuthcodeExchangeTokenResponseForOpenIDAndOfflineAccess( &psession.CustomSessionData{ // want the initial customSessionData to be unmodified ProviderName: oidcUpstreamName, @@ -2561,7 +2803,7 @@ func TestRefreshGrant(t *testing.T) { ProviderType: oidcUpstreamType, OIDC: &psession.OIDCSessionData{UpstreamRefreshToken: oidcUpstreamInitialRefreshToken}, }, - modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access groups") }, + modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access username groups") }, want: happyAuthcodeExchangeTokenResponseForOpenIDAndOfflineAccess( &psession.CustomSessionData{ // want the initial customSessionData to be unmodified ProviderName: "this-name-will-not-be-found", // this could happen if the OIDCIdentityProvider was deleted since original login 
@@ -2593,7 +2835,7 @@ func TestRefreshGrant(t *testing.T) { ProviderType: oidcUpstreamType, OIDC: &psession.OIDCSessionData{UpstreamRefreshToken: oidcUpstreamInitialRefreshToken}, }, - modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access groups") }, + modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access username groups") }, want: happyAuthcodeExchangeTokenResponseForOpenIDAndOfflineAccess( &psession.CustomSessionData{ // want the initial customSessionData to be unmodified ProviderName: oidcUpstreamName, @@ -2619,11 +2861,7 @@ func TestRefreshGrant(t *testing.T) { name: "when the upstream refresh fails during the refresh request", idps: oidctestutil.NewUpstreamIDPListerBuilder().WithOIDC(upstreamOIDCIdentityProviderBuilder(). WithPerformRefreshError(errors.New("some upstream refresh error")).Build()), - authcodeExchange: authcodeExchangeInputs{ - customSessionData: initialUpstreamOIDCRefreshTokenCustomSessionData(), - modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access groups") }, - want: happyAuthcodeExchangeTokenResponseForOpenIDAndOfflineAccess(initialUpstreamOIDCRefreshTokenCustomSessionData()), - }, + authcodeExchange: happyAuthcodeExchangeInputsForOIDCUpstream, refreshRequest: refreshRequestInputs{ want: tokenEndpointResponseExpectedValues{ wantUpstreamRefreshCall: happyOIDCUpstreamRefreshCall(), 
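Review bot: `authcodeExchange: happyAuthcodeExchangeInputsForOIDCUpstream,` replaces a per-case literal that called `initialUpstreamOIDCRefreshTokenCustomSessionData()` afresh, so all of these cases now share one `authcodeExchangeInputs` value and, if its `customSessionData` field is a pointer, one `*psession.CustomSessionData`; the shared value's definition is outside this hunk, so I cannot confirm it is never written to. Several cases in this table alter session state through `modifyRefreshTokenStorage` and the `want` helpers compare against the stored custom session data, so if anything on the test path wrote through that pointer the change would leak into later cases; the same applies to `happyAuthcodeExchangeInputsForLDAPUpstream` in the `@@ -2794`, `@@ -2988`, `@@ -3037`, `@@ -3087`, `@@ -3250` and `@@ -3424` hunks. A cheap guard is to make the shared value a constructor, `authcodeExchange: happyAuthcodeExchangeInputsForOIDCUpstream(),`, returning a fresh struct per call, or to add a comment at its definition stating it must be treated as read-only.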
@@ -2644,11 +2882,7 @@ func TestRefreshGrant(t *testing.T) { // This is the current format of the errors returned by the production code version of ValidateTokenAndMergeWithUserInfo, see ValidateTokenAndMergeWithUserInfo in upstreamoidc.go WithValidateTokenAndMergeWithUserInfoError(httperr.Wrap(http.StatusBadRequest, "some validate error", errors.New("some validate cause"))). Build()), - authcodeExchange: authcodeExchangeInputs{ - customSessionData: initialUpstreamOIDCRefreshTokenCustomSessionData(), - modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access groups") }, - want: happyAuthcodeExchangeTokenResponseForOpenIDAndOfflineAccess(initialUpstreamOIDCRefreshTokenCustomSessionData()), - }, + authcodeExchange: happyAuthcodeExchangeInputsForOIDCUpstream, refreshRequest: refreshRequestInputs{ want: tokenEndpointResponseExpectedValues{ wantUpstreamRefreshCall: happyOIDCUpstreamRefreshCall(), @@ -2676,11 +2910,7 @@ func TestRefreshGrant(t *testing.T) { }, }). Build()), - authcodeExchange: authcodeExchangeInputs{ - customSessionData: initialUpstreamOIDCRefreshTokenCustomSessionData(), - modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access groups") }, - want: happyAuthcodeExchangeTokenResponseForOpenIDAndOfflineAccess(initialUpstreamOIDCRefreshTokenCustomSessionData()), - }, + authcodeExchange: happyAuthcodeExchangeInputsForOIDCUpstream, refreshRequest: refreshRequestInputs{ want: tokenEndpointResponseExpectedValues{ wantUpstreamRefreshCall: happyOIDCUpstreamRefreshCall(), 
@@ -2705,11 +2935,7 @@ func TestRefreshGrant(t *testing.T) { }, }, }).WithRefreshedTokens(refreshedUpstreamTokensWithIDAndRefreshTokens()).Build()), - authcodeExchange: authcodeExchangeInputs{ - customSessionData: initialUpstreamOIDCRefreshTokenCustomSessionData(), - modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access groups") }, - want: happyAuthcodeExchangeTokenResponseForOpenIDAndOfflineAccess(initialUpstreamOIDCRefreshTokenCustomSessionData()), - }, + authcodeExchange: happyAuthcodeExchangeInputsForOIDCUpstream, refreshRequest: refreshRequestInputs{ want: tokenEndpointResponseExpectedValues{ wantUpstreamRefreshCall: happyOIDCUpstreamRefreshCall(), @@ -2736,11 +2962,7 @@ func TestRefreshGrant(t *testing.T) { }, }, }).WithRefreshedTokens(refreshedUpstreamTokensWithIDAndRefreshTokens()).Build()), - authcodeExchange: authcodeExchangeInputs{ - customSessionData: initialUpstreamOIDCRefreshTokenCustomSessionData(), - modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access groups") }, - want: happyAuthcodeExchangeTokenResponseForOpenIDAndOfflineAccess(initialUpstreamOIDCRefreshTokenCustomSessionData()), - }, + authcodeExchange: happyAuthcodeExchangeInputsForOIDCUpstream, refreshRequest: refreshRequestInputs{ want: tokenEndpointResponseExpectedValues{ wantUpstreamRefreshCall: happyOIDCUpstreamRefreshCall(), 
@@ -2767,11 +2989,7 @@ func TestRefreshGrant(t *testing.T) { }, }, }).WithRefreshedTokens(refreshedUpstreamTokensWithIDAndRefreshTokens()).Build()), - authcodeExchange: authcodeExchangeInputs{ - customSessionData: initialUpstreamOIDCRefreshTokenCustomSessionData(), - modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access groups") }, - want: happyAuthcodeExchangeTokenResponseForOpenIDAndOfflineAccess(initialUpstreamOIDCRefreshTokenCustomSessionData()), - }, + authcodeExchange: happyAuthcodeExchangeInputsForOIDCUpstream, refreshRequest: refreshRequestInputs{ want: tokenEndpointResponseExpectedValues{ wantUpstreamRefreshCall: happyOIDCUpstreamRefreshCall(), 
@@ -2794,19 +3012,78 @@ func TestRefreshGrant(t *testing.T) { URL: ldapUpstreamURL, PerformRefreshGroups: goodGroups, }), - authcodeExchange: authcodeExchangeInputs{ - modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access groups") }, - customSessionData: happyLDAPCustomSessionData, - want: happyAuthcodeExchangeTokenResponseForOpenIDAndOfflineAccess( - happyLDAPCustomSessionData, - ), - }, + authcodeExchange: happyAuthcodeExchangeInputsForLDAPUpstream, refreshRequest: refreshRequestInputs{ want: happyRefreshTokenResponseForLDAP( happyLDAPCustomSessionData, ), }, }, + { + name: "upstream ldap refresh happy path using dynamic client", + idps: oidctestutil.NewUpstreamIDPListerBuilder().WithLDAP(&oidctestutil.TestUpstreamLDAPIdentityProvider{ + Name: ldapUpstreamName, + ResourceUID: ldapUpstreamResourceUID, + URL: ldapUpstreamURL, + PerformRefreshGroups: goodGroups, + }), + kubeResources: addFullyCapableDynamicClientAndSecretToKubeResources, + authcodeExchange: authcodeExchangeInputs{ + modifyAuthRequest: func(r *http.Request) { + addDynamicClientIDToFormPostBody(r) + r.Form.Set("scope", "openid offline_access username groups") + }, + modifyTokenRequest: modifyAuthcodeTokenRequestWithDynamicClientAuth, + customSessionData: happyLDAPCustomSessionData, + want: withWantDynamicClientID(happyAuthcodeExchangeTokenResponseForOpenIDAndOfflineAccess(happyLDAPCustomSessionData)), + }, + refreshRequest: refreshRequestInputs{ + modifyTokenRequest: modifyRefreshTokenRequestWithDynamicClientAuth, + want: withWantDynamicClientID(happyRefreshTokenResponseForLDAP(happyLDAPCustomSessionData)), + }, + }, + { + name: "upstream ldap refresh happy path without downstream username scope granted, using dynamic client", + idps: oidctestutil.NewUpstreamIDPListerBuilder().WithLDAP(&oidctestutil.TestUpstreamLDAPIdentityProvider{ + Name: ldapUpstreamName, + ResourceUID: ldapUpstreamResourceUID, + URL: ldapUpstreamURL, + PerformRefreshGroups: goodGroups, + }), + 
kubeResources: addFullyCapableDynamicClientAndSecretToKubeResources, + authcodeExchange: authcodeExchangeInputs{ + modifyAuthRequest: func(r *http.Request) { + addDynamicClientIDToFormPostBody(r) + r.Form.Set("scope", "openid offline_access groups") + }, + modifyTokenRequest: modifyAuthcodeTokenRequestWithDynamicClientAuth, + customSessionData: happyLDAPCustomSessionData, + want: withWantDynamicClientID(tokenEndpointResponseExpectedValues{ + wantStatus: http.StatusOK, + wantClientID: dynamicClientID, + wantSuccessBodyFields: []string{"id_token", "refresh_token", "access_token", "token_type", "expires_in", "scope"}, + wantRequestedScopes: []string{"openid", "offline_access", "groups"}, + wantGrantedScopes: []string{"openid", "offline_access", "groups"}, + wantCustomSessionDataStored: happyLDAPCustomSessionData, + wantUsername: "", + wantGroups: goodGroups, + }), + }, + refreshRequest: refreshRequestInputs{ + modifyTokenRequest: modifyRefreshTokenRequestWithDynamicClientAuth, + want: withWantDynamicClientID(tokenEndpointResponseExpectedValues{ + wantStatus: http.StatusOK, + wantClientID: dynamicClientID, + wantSuccessBodyFields: []string{"id_token", "refresh_token", "access_token", "token_type", "expires_in", "scope"}, + wantRequestedScopes: []string{"openid", "offline_access", "groups"}, + wantGrantedScopes: []string{"openid", "offline_access", "groups"}, + wantCustomSessionDataStored: happyLDAPCustomSessionData, + wantUsername: "", + wantGroups: goodGroups, + wantUpstreamRefreshCall: happyLDAPUpstreamRefreshCall(), + }), + }, + }, { name: "upstream active directory refresh happy path", idps: oidctestutil.NewUpstreamIDPListerBuilder().WithActiveDirectory(&oidctestutil.TestUpstreamLDAPIdentityProvider{ 
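Review bot: The "without downstream username scope granted" case spells out two eight-field `tokenEndpointResponseExpectedValues` literals that differ only in `wantUpstreamRefreshCall`, repeating the `wantSuccessBodyFields` list and the scope slices, which makes the one intended difference from the preceding happy-path case (`wantUsername: ""`) hard to spot. Building the refresh expectation from the authcode one, e.g. `want := tokenEndpointResponseExpectedValues{...}` once and then `withWantDynamicClientID(withWantUpstreamRefreshCall(want, happyLDAPUpstreamRefreshCall()))` (or a copy with the one field set), would keep the case to its point. Whether `wantUsername: ""` asserts that the `username` claim is absent from the ID token, rather than present with an empty value, depends on `requireValidIDToken`, which is outside this hunk; for a scope that was not granted, absence is the property worth pinning, so a comment on the case stating which of the two is checked would help.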
@@ -2816,7 +3093,7 @@ func TestRefreshGrant(t *testing.T) { PerformRefreshGroups: goodGroups, }), authcodeExchange: authcodeExchangeInputs{ - modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access groups") }, + modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access username groups") }, customSessionData: happyActiveDirectoryCustomSessionData, want: happyAuthcodeExchangeTokenResponseForOpenIDAndOfflineAccess( happyActiveDirectoryCustomSessionData, @@ -2836,7 +3113,7 @@ func TestRefreshGrant(t *testing.T) { URL: ldapUpstreamURL, }), authcodeExchange: authcodeExchangeInputs{ - modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access groups") }, + modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access username groups") }, customSessionData: &psession.CustomSessionData{ ProviderUID: ldapUpstreamResourceUID, ProviderName: ldapUpstreamName, @@ -2872,7 +3149,7 @@ func TestRefreshGrant(t *testing.T) { URL: ldapUpstreamURL, }), authcodeExchange: authcodeExchangeInputs{ - modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access groups") }, + modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access username groups") }, customSessionData: &psession.CustomSessionData{ ProviderUID: activeDirectoryUpstreamResourceUID, ProviderName: activeDirectoryUpstreamName, @@ -2908,7 +3185,7 @@ func TestRefreshGrant(t *testing.T) { URL: ldapUpstreamURL, }), authcodeExchange: authcodeExchangeInputs{ - modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access groups") }, + modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access username groups") }, customSessionData: &psession.CustomSessionData{ ProviderUID: ldapUpstreamResourceUID, ProviderName: ldapUpstreamName, 
@@ -2948,7 +3225,7 @@ func TestRefreshGrant(t *testing.T) { URL: ldapUpstreamURL, }), authcodeExchange: authcodeExchangeInputs{ - modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access groups") }, + modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access username groups") }, customSessionData: &psession.CustomSessionData{ ProviderUID: ldapUpstreamResourceUID, ProviderName: ldapUpstreamName, @@ -2988,13 +3265,7 @@ func TestRefreshGrant(t *testing.T) { URL: ldapUpstreamURL, PerformRefreshErr: errors.New("Some error performing upstream refresh"), }), - authcodeExchange: authcodeExchangeInputs{ - modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access groups") }, - customSessionData: happyLDAPCustomSessionData, - want: happyAuthcodeExchangeTokenResponseForOpenIDAndOfflineAccess( - happyLDAPCustomSessionData, - ), - }, + authcodeExchange: happyAuthcodeExchangeInputsForLDAPUpstream, refreshRequest: refreshRequestInputs{ want: tokenEndpointResponseExpectedValues{ wantUpstreamRefreshCall: happyLDAPUpstreamRefreshCall(), @@ -3017,7 +3288,7 @@ func TestRefreshGrant(t *testing.T) { PerformRefreshErr: errors.New("Some error performing upstream refresh"), }), authcodeExchange: authcodeExchangeInputs{ - modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access groups") }, + modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access username groups") }, customSessionData: happyActiveDirectoryCustomSessionData, want: happyAuthcodeExchangeTokenResponseForOpenIDAndOfflineAccess( happyActiveDirectoryCustomSessionData, 
@@ -3037,15 +3308,9 @@ func TestRefreshGrant(t *testing.T) { }, }, { - name: "upstream ldap idp not found", - idps: oidctestutil.NewUpstreamIDPListerBuilder(), - authcodeExchange: authcodeExchangeInputs{ - modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access groups") }, - customSessionData: happyLDAPCustomSessionData, - want: happyAuthcodeExchangeTokenResponseForOpenIDAndOfflineAccess( - happyLDAPCustomSessionData, - ), - }, + name: "upstream ldap idp not found", + idps: oidctestutil.NewUpstreamIDPListerBuilder(), + authcodeExchange: happyAuthcodeExchangeInputsForLDAPUpstream, refreshRequest: refreshRequestInputs{ want: tokenEndpointResponseExpectedValues{ wantStatus: http.StatusUnauthorized, @@ -3062,7 +3327,7 @@ func TestRefreshGrant(t *testing.T) { name: "upstream active directory idp not found", idps: oidctestutil.NewUpstreamIDPListerBuilder(), authcodeExchange: authcodeExchangeInputs{ - modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access groups") }, + modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access username groups") }, customSessionData: happyActiveDirectoryCustomSessionData, want: happyAuthcodeExchangeTokenResponseForOpenIDAndOfflineAccess( happyActiveDirectoryCustomSessionData, 
@@ -3087,13 +3352,7 @@ func TestRefreshGrant(t *testing.T) { ResourceUID: ldapUpstreamResourceUID, URL: ldapUpstreamURL, }), - authcodeExchange: authcodeExchangeInputs{ - modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access groups") }, - customSessionData: happyLDAPCustomSessionData, - want: happyAuthcodeExchangeTokenResponseForOpenIDAndOfflineAccess( - happyLDAPCustomSessionData, - ), - }, + authcodeExchange: happyAuthcodeExchangeInputsForLDAPUpstream, modifyRefreshTokenStorage: func(t *testing.T, oauthStore *oidc.KubeStorage, refreshToken string) { refreshTokenSignature := getFositeDataSignature(t, refreshToken) firstRequester, err := oauthStore.GetRefreshTokenSession(context.Background(), refreshTokenSignature, nil) @@ -3118,16 +3377,15 @@ func TestRefreshGrant(t *testing.T) { }, }, { - name: "username not found in extra field", + name: "groups not found in extra field when the groups scope was granted", idps: oidctestutil.NewUpstreamIDPListerBuilder().WithLDAP(&oidctestutil.TestUpstreamLDAPIdentityProvider{ Name: ldapUpstreamName, ResourceUID: ldapUpstreamResourceUID, URL: ldapUpstreamURL, }), authcodeExchange: authcodeExchangeInputs{ - modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access groups") }, + modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access username groups") }, customSessionData: happyLDAPCustomSessionData, - //fositeSessionData: &openid.DefaultSession{}, want: happyAuthcodeExchangeTokenResponseForOpenIDAndOfflineAccess( happyLDAPCustomSessionData, ), 
@@ -3137,11 +3395,7 @@ func TestRefreshGrant(t *testing.T) { firstRequester, err := oauthStore.GetRefreshTokenSession(context.Background(), refreshTokenSignature, nil) require.NoError(t, err) session := firstRequester.GetSession().(*psession.PinnipedSession) - session.Fosite = &openid.DefaultSession{ - Claims: &jwt.IDTokenClaims{ - Extra: map[string]interface{}{}, - }, - } + delete(session.Fosite.Claims.Extra, "groups") err = oauthStore.DeleteRefreshTokenSession(context.Background(), refreshTokenSignature) require.NoError(t, err) err = oauthStore.CreateRefreshTokenSession(context.Background(), refreshTokenSignature, firstRequester) @@ -3160,16 +3414,15 @@ func TestRefreshGrant(t *testing.T) { }, }, { - name: "username in extra is not a string", + name: "username in custom session is empty string during refresh", idps: oidctestutil.NewUpstreamIDPListerBuilder().WithLDAP(&oidctestutil.TestUpstreamLDAPIdentityProvider{ Name: ldapUpstreamName, ResourceUID: ldapUpstreamResourceUID, URL: ldapUpstreamURL, }), authcodeExchange: authcodeExchangeInputs{ - modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access groups") }, + modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access username groups") }, customSessionData: happyLDAPCustomSessionData, - //fositeSessionData: &openid.DefaultSession{}, want: happyAuthcodeExchangeTokenResponseForOpenIDAndOfflineAccess( happyLDAPCustomSessionData, ), 
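Review bot: `delete(session.Fosite.Claims.Extra, "groups")` is silent when the key is absent (and a no-op on a nil map), so if the initial login ever stops writing groups into `Extra` this setup still succeeds and the failure only surfaces later as an unexpected success in the refresh assertions rather than at the broken assumption. Guard the precondition first, `require.Contains(t, session.Fosite.Claims.Extra, "groups")`, so the case fails at the point where the stored session shape changed. The `modifyRefreshTokenStorage` closure starts outside the hunk.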
@@ -3179,53 +3432,7 @@ func TestRefreshGrant(t *testing.T) { firstRequester, err := oauthStore.GetRefreshTokenSession(context.Background(), refreshTokenSignature, nil) require.NoError(t, err) session := firstRequester.GetSession().(*psession.PinnipedSession) - session.Fosite = &openid.DefaultSession{ - Claims: &jwt.IDTokenClaims{ - Extra: map[string]interface{}{"username": 123}, - }, - } - err = oauthStore.DeleteRefreshTokenSession(context.Background(), refreshTokenSignature) - require.NoError(t, err) - err = oauthStore.CreateRefreshTokenSession(context.Background(), refreshTokenSignature, firstRequester) - require.NoError(t, err) - }, - refreshRequest: refreshRequestInputs{ - want: tokenEndpointResponseExpectedValues{ - wantStatus: http.StatusInternalServerError, - wantErrorResponseBody: here.Doc(` - { - "error": "error", - "error_description": "There was an internal server error. Required upstream data not found in session." - } - `), - }, - }, - }, - { - name: "username in extra is an empty string", - idps: oidctestutil.NewUpstreamIDPListerBuilder().WithLDAP(&oidctestutil.TestUpstreamLDAPIdentityProvider{ - Name: ldapUpstreamName, - ResourceUID: ldapUpstreamResourceUID, - URL: ldapUpstreamURL, - }), - authcodeExchange: authcodeExchangeInputs{ - modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access groups") }, - customSessionData: happyLDAPCustomSessionData, - //fositeSessionData: &openid.DefaultSession{}, - want: happyAuthcodeExchangeTokenResponseForOpenIDAndOfflineAccess( - happyLDAPCustomSessionData, - ), - }, - modifyRefreshTokenStorage: func(t *testing.T, oauthStore *oidc.KubeStorage, refreshToken string) { - refreshTokenSignature := getFositeDataSignature(t, refreshToken) - firstRequester, err := oauthStore.GetRefreshTokenSession(context.Background(), refreshTokenSignature, nil) - require.NoError(t, err) - session := firstRequester.GetSession().(*psession.PinnipedSession) - session.Fosite = &openid.DefaultSession{ - Claims: 
&jwt.IDTokenClaims{ - Extra: map[string]interface{}{"username": ""}, - }, - } + session.Custom.Username = "" err = oauthStore.DeleteRefreshTokenSession(context.Background(), refreshTokenSignature) require.NoError(t, err) err = oauthStore.CreateRefreshTokenSession(context.Background(), refreshTokenSignature, firstRequester) @@ -3250,13 +3457,7 @@ func TestRefreshGrant(t *testing.T) { ResourceUID: "the-wrong-uid", URL: ldapUpstreamURL, }), - authcodeExchange: authcodeExchangeInputs{ - modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access groups") }, - customSessionData: happyLDAPCustomSessionData, - want: happyAuthcodeExchangeTokenResponseForOpenIDAndOfflineAccess( - happyLDAPCustomSessionData, - ), - }, + authcodeExchange: happyAuthcodeExchangeInputsForLDAPUpstream, refreshRequest: refreshRequestInputs{ want: tokenEndpointResponseExpectedValues{ wantStatus: http.StatusUnauthorized, @@ -3277,7 +3478,7 @@ func TestRefreshGrant(t *testing.T) { URL: ldapUpstreamURL, }), authcodeExchange: authcodeExchangeInputs{ - modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access groups") }, + modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access username groups") }, customSessionData: happyActiveDirectoryCustomSessionData, want: happyAuthcodeExchangeTokenResponseForOpenIDAndOfflineAccess( happyActiveDirectoryCustomSessionData, 
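Review bot: The removed "username in extra is not a string" case has no counterpart after this rewrite, and nothing in the new case explains why; since the username now lives in `session.Custom.Username`, a typed `string`, the type-confusion path no longer exists, which is worth recording on the remaining case, e.g. `// The username is read from Custom.Username (a string), so the old "not a string" case cannot occur; only the empty value is tested.` The expected refresh response for this case lies after the hunk, so I cannot see whether it still asserts the internal-server-error body that the deleted cases did; if it does, the name "username in custom session is empty string during refresh" could say so. The enclosing `modifyRefreshTokenStorage` closure starts outside the hunk.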
@@ -3295,128 +3496,6 @@ func TestRefreshGrant(t *testing.T) { }, }, }, - { - name: "upstream ldap idp not found", - idps: oidctestutil.NewUpstreamIDPListerBuilder(), - authcodeExchange: authcodeExchangeInputs{ - modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access groups") }, - customSessionData: happyLDAPCustomSessionData, - want: happyAuthcodeExchangeTokenResponseForOpenIDAndOfflineAccess( - happyLDAPCustomSessionData, - ), - }, - refreshRequest: refreshRequestInputs{ - want: tokenEndpointResponseExpectedValues{ - wantStatus: http.StatusUnauthorized, - wantErrorResponseBody: here.Doc(` - { - "error": "error", - "error_description": "Error during upstream refresh. Provider from upstream session data was not found." - } - `), - }, - }, - }, - { - name: "upstream active directory idp not found", - idps: oidctestutil.NewUpstreamIDPListerBuilder(), - authcodeExchange: authcodeExchangeInputs{ - modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access groups") }, - customSessionData: happyActiveDirectoryCustomSessionData, - want: happyAuthcodeExchangeTokenResponseForOpenIDAndOfflineAccess( - happyActiveDirectoryCustomSessionData, - ), - }, - refreshRequest: refreshRequestInputs{ - want: tokenEndpointResponseExpectedValues{ - wantStatus: http.StatusUnauthorized, - wantErrorResponseBody: here.Doc(` - { - "error": "error", - "error_description": "Error during upstream refresh. Provider from upstream session data was not found." 
- } - `), - }, - }, - }, - { - name: "fosite session is empty", - idps: oidctestutil.NewUpstreamIDPListerBuilder().WithLDAP(&oidctestutil.TestUpstreamLDAPIdentityProvider{ - Name: ldapUpstreamName, - ResourceUID: ldapUpstreamResourceUID, - URL: ldapUpstreamURL, - }), - authcodeExchange: authcodeExchangeInputs{ - modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access groups") }, - customSessionData: happyLDAPCustomSessionData, - want: happyAuthcodeExchangeTokenResponseForOpenIDAndOfflineAccess( - happyLDAPCustomSessionData, - ), - }, - modifyRefreshTokenStorage: func(t *testing.T, oauthStore *oidc.KubeStorage, refreshToken string) { - refreshTokenSignature := getFositeDataSignature(t, refreshToken) - firstRequester, err := oauthStore.GetRefreshTokenSession(context.Background(), refreshTokenSignature, nil) - require.NoError(t, err) - session := firstRequester.GetSession().(*psession.PinnipedSession) - session.Fosite = &openid.DefaultSession{} - err = oauthStore.DeleteRefreshTokenSession(context.Background(), refreshTokenSignature) - require.NoError(t, err) - err = oauthStore.CreateRefreshTokenSession(context.Background(), refreshTokenSignature, firstRequester) - require.NoError(t, err) - }, - refreshRequest: refreshRequestInputs{ - want: tokenEndpointResponseExpectedValues{ - wantStatus: http.StatusInternalServerError, - wantErrorResponseBody: here.Doc(` - { - "error": "error", - "error_description": "There was an internal server error. Required upstream data not found in session." 
- } - `), - }, - }, - }, - { - name: "username not found in extra field", - idps: oidctestutil.NewUpstreamIDPListerBuilder().WithLDAP(&oidctestutil.TestUpstreamLDAPIdentityProvider{ - Name: ldapUpstreamName, - ResourceUID: ldapUpstreamResourceUID, - URL: ldapUpstreamURL, - }), - authcodeExchange: authcodeExchangeInputs{ - modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access groups") }, - customSessionData: happyLDAPCustomSessionData, - want: happyAuthcodeExchangeTokenResponseForOpenIDAndOfflineAccess( - happyLDAPCustomSessionData, - ), - }, - modifyRefreshTokenStorage: func(t *testing.T, oauthStore *oidc.KubeStorage, refreshToken string) { - refreshTokenSignature := getFositeDataSignature(t, refreshToken) - firstRequester, err := oauthStore.GetRefreshTokenSession(context.Background(), refreshTokenSignature, nil) - require.NoError(t, err) - session := firstRequester.GetSession().(*psession.PinnipedSession) - session.Fosite = &openid.DefaultSession{ - Claims: &jwt.IDTokenClaims{ - Extra: map[string]interface{}{}, - }, - } - err = oauthStore.DeleteRefreshTokenSession(context.Background(), refreshTokenSignature) - require.NoError(t, err) - err = oauthStore.CreateRefreshTokenSession(context.Background(), refreshTokenSignature, firstRequester) - require.NoError(t, err) - }, - refreshRequest: refreshRequestInputs{ - want: tokenEndpointResponseExpectedValues{ - wantStatus: http.StatusInternalServerError, - wantErrorResponseBody: here.Doc(` - { - "error": "error", - "error_description": "There was an internal server error. Required upstream data not found in session." - } - `), - }, - }, - }, { name: "auth time is the zero value", // time.Times can never be nil, but it is possible that it would be the zero value which would mean something's wrong idps: oidctestutil.NewUpstreamIDPListerBuilder().WithLDAP(&oidctestutil.TestUpstreamLDAPIdentityProvider{ 
@@ -3424,13 +3503,7 @@ func TestRefreshGrant(t *testing.T) { ResourceUID: ldapUpstreamResourceUID, URL: ldapUpstreamURL, }), - authcodeExchange: authcodeExchangeInputs{ - modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access groups") }, - customSessionData: happyLDAPCustomSessionData, - want: happyAuthcodeExchangeTokenResponseForOpenIDAndOfflineAccess( - happyLDAPCustomSessionData, - ), - }, + authcodeExchange: happyAuthcodeExchangeInputsForLDAPUpstream, modifyRefreshTokenStorage: func(t *testing.T, oauthStore *oidc.KubeStorage, refreshToken string) { refreshTokenSignature := getFositeDataSignature(t, refreshToken) firstRequester, err := oauthStore.GetRefreshTokenSession(context.Background(), refreshTokenSignature, nil) 
@@ -3456,58 +3529,6 @@ func TestRefreshGrant(t *testing.T) { }, }, }, - { - name: "when the ldap provider in the session storage is found but has the wrong resource UID during the refresh request", - idps: oidctestutil.NewUpstreamIDPListerBuilder().WithLDAP(&oidctestutil.TestUpstreamLDAPIdentityProvider{ - Name: ldapUpstreamName, - ResourceUID: "the-wrong-uid", - URL: ldapUpstreamURL, - }), - authcodeExchange: authcodeExchangeInputs{ - modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access groups") }, - customSessionData: happyLDAPCustomSessionData, - want: happyAuthcodeExchangeTokenResponseForOpenIDAndOfflineAccess( - happyLDAPCustomSessionData, - ), - }, - refreshRequest: refreshRequestInputs{ - want: tokenEndpointResponseExpectedValues{ - wantStatus: http.StatusUnauthorized, - wantErrorResponseBody: here.Doc(` - { - "error": "error", - "error_description": "Error during upstream refresh. Provider from upstream session data has changed its resource UID since authentication." - } - `), - }, - }, - }, - { - name: "when the active directory provider in the session storage is found but has the wrong resource UID during the refresh request", - idps: oidctestutil.NewUpstreamIDPListerBuilder().WithActiveDirectory(&oidctestutil.TestUpstreamLDAPIdentityProvider{ - Name: activeDirectoryUpstreamName, - ResourceUID: "the-wrong-uid", - URL: ldapUpstreamURL, - }), - authcodeExchange: authcodeExchangeInputs{ - modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid offline_access groups") }, - customSessionData: happyActiveDirectoryCustomSessionData, - want: happyAuthcodeExchangeTokenResponseForOpenIDAndOfflineAccess( - happyActiveDirectoryCustomSessionData, - ), - }, - refreshRequest: refreshRequestInputs{ - want: tokenEndpointResponseExpectedValues{ - wantStatus: http.StatusUnauthorized, - wantErrorResponseBody: here.Doc(` - { - "error": "error", - "error_description": "Error during upstream refresh. 
Provider from upstream session data has changed its resource UID since authentication." - } - `), - }, - }, - }, } for _, test := range tests { test := test @@ -3540,7 +3561,9 @@ func TestRefreshGrant(t *testing.T) { if test.modifyRefreshTokenStorage != nil { test.modifyRefreshTokenStorage(t, oauthStore, firstRefreshToken) } - reqContext := context.WithValue(context.Background(), struct{ name string }{name: "test"}, "request-context") + + reqContextWarningRecorder := &TestWarningRecorder{} + reqContext := warning.WithWarningRecorder(context.WithValue(context.Background(), struct{ name string }{name: "test"}, "request-context"), reqContextWarningRecorder) req := httptest.NewRequest("POST", "/path/shouldn't/matter", happyRefreshRequestBody(firstRefreshToken).ReadCloser()).WithContext(reqContext) req.Header.Set("Content-Type", "application/x-www-form-urlencoded") @@ -3577,6 +3600,13 @@ func TestRefreshGrant(t *testing.T) { test.idps.RequireExactlyZeroCallsToValidateToken(t) } + // Test that the expected warnings were set on the request context. + if test.refreshRequest.want.wantWarnings != nil { + require.Equal(t, test.refreshRequest.want.wantWarnings, reqContextWarningRecorder.Warnings) + } else { + require.Len(t, reqContextWarningRecorder.Warnings, 0, "wanted no warnings on the request context, but found some") + } + // The bug in fosite that prevents at_hash from appearing in the initial ID token does not impact the refreshed ID token wantAtHashClaimInIDToken := true // Refreshed ID tokens do not include the nonce from the original auth request @@ -3584,6 +3614,7 @@ func TestRefreshGrant(t *testing.T) { requireTokenEndpointBehavior(t, test.refreshRequest.want, + test.authcodeExchange.want.wantUsername, // the old username from the initial login test.authcodeExchange.want.wantGroups, // the old groups from the initial login test.authcodeExchange.customSessionData, // the old custom session data from the initial login wantAtHashClaimInIDToken, 
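Review bot: The new warning assertion branches on `test.refreshRequest.want.wantWarnings != nil`, so a case that sets an empty non-nil `wantWarnings` takes the `require.Equal` branch and is compared against a recorder slice that may still be nil, which `require.Equal` reports as unequal; branching on length avoids that, `if len(test.refreshRequest.want.wantWarnings) > 0 {`, and the else branch reads more directly as `require.Empty(t, reqContextWarningRecorder.Warnings, "wanted no warnings on the request context, but found some")`. In the `@@ -3540` hunk, `reqContext := warning.WithWarningRecorder(context.WithValue(...), reqContextWarningRecorder)` nests two context constructors on one long line; splitting the inner `context.WithValue` into its own variable would make the recorder attachment visible at a glance. The subtest body continues outside these hunks.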
@@ -3726,6 +3757,7 @@ func exchangeAuthcodeForTokens( requireTokenEndpointBehavior(t, test.want, + test.want.wantUsername, // the old username from the initial login test.want.wantGroups, // the old groups from the initial login test.customSessionData, // the old custom session data from the initial login wantAtHashClaimInIDToken, @@ -3744,6 +3776,7 @@ func exchangeAuthcodeForTokens( func requireTokenEndpointBehavior( t *testing.T, test tokenEndpointResponseExpectedValues, + oldUsername string, oldGroups []string, oldCustomSessionData *psession.CustomSessionData, wantAtHashClaimInIDToken bool, 
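Review bot: `requireTokenEndpointBehavior` now takes `oldUsername` next to `oldGroups` and `oldCustomSessionData`, but what "old" means is explained only by comments at the two call sites (`// the old username from the initial login`); the function itself has no doc comment, and its body continues outside the hunk. A doc comment on the function would say that `test` describes the response of the request under test, while `oldUsername`, `oldGroups` and `oldCustomSessionData` are the values from the initial login that the OIDC storage must still contain because a refresh does not rewrite it. Because `oldUsername`, `test.wantUsername` and `test.wantClientID` are all `string`, a transposed argument at a call site compiles silently, which is a further reason to document the parameter order.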
@@ -3769,10 +3802,10 @@ func requireTokenEndpointBehavior( wantRefreshToken := contains(test.wantSuccessBodyFields, "refresh_token") requireInvalidAuthCodeStorage(t, authCode, oauthStore, secrets, requestTime) - requireValidAccessTokenStorage(t, parsedResponseBody, oauthStore, test.wantClientID, test.wantRequestedScopes, test.wantGrantedScopes, test.wantGroups, test.wantCustomSessionDataStored, secrets, requestTime) + requireValidAccessTokenStorage(t, parsedResponseBody, oauthStore, test.wantClientID, test.wantRequestedScopes, test.wantGrantedScopes, test.wantUsername, test.wantGroups, test.wantCustomSessionDataStored, secrets, requestTime) requireInvalidPKCEStorage(t, authCode, oauthStore) - // Performing a refresh does not update the OIDC storage, so after a refresh it should still have the old custom session data and old groups from the initial login. - requireValidOIDCStorage(t, parsedResponseBody, authCode, oauthStore, test.wantClientID, test.wantRequestedScopes, test.wantGrantedScopes, oldGroups, oldCustomSessionData, requestTime) + // Performing a refresh does not update the OIDC storage, so after a refresh it should still have the old custom session data and old username and groups from the initial login. + requireValidOIDCStorage(t, parsedResponseBody, authCode, oauthStore, test.wantClientID, test.wantRequestedScopes, test.wantGrantedScopes, oldUsername, oldGroups, oldCustomSessionData, requestTime) expectedNumberOfRefreshTokenSessionsStored := 0 if wantRefreshToken { 
@@ -3781,10 +3814,10 @@ func requireTokenEndpointBehavior( expectedNumberOfIDSessionsStored := 0 if wantIDToken { expectedNumberOfIDSessionsStored = 1 - requireValidIDToken(t, parsedResponseBody, jwtSigningKey, test.wantClientID, wantAtHashClaimInIDToken, wantNonceValueInIDToken, test.wantGroups, parsedResponseBody["access_token"].(string), requestTime) + requireValidIDToken(t, parsedResponseBody, jwtSigningKey, test.wantClientID, wantAtHashClaimInIDToken, wantNonceValueInIDToken, test.wantUsername, test.wantGroups, parsedResponseBody["access_token"].(string), requestTime) } if wantRefreshToken { - requireValidRefreshTokenStorage(t, parsedResponseBody, oauthStore, test.wantClientID, test.wantRequestedScopes, test.wantGrantedScopes, test.wantGroups, test.wantCustomSessionDataStored, secrets, requestTime) + requireValidRefreshTokenStorage(t, parsedResponseBody, oauthStore, test.wantClientID, test.wantRequestedScopes, test.wantGrantedScopes, test.wantUsername, test.wantGroups, test.wantCustomSessionDataStored, secrets, requestTime) } testutil.RequireNumberOfSecretsMatchingLabelSelector(t, secrets, labels.Set{crud.SecretLabelKey: authorizationcode.TypeLabelValue}, 1) @@ -3963,12 +3996,10 @@ func simulateAuthEndpointHavingAlreadyRun( Subject: goodSubject, RequestedAt: goodRequestedAtTime, AuthTime: goodAuthTime, - Extra: map[string]interface{}{ - oidc.DownstreamUsernameClaim: goodUsername, - }, + Extra: map[string]interface{}{}, }, - Subject: "", // not used, note that callback_handler.go does not set this - Username: "", // not used, note that callback_handler.go does not set this + Subject: "", // not used, note that the authorization and callback endpoints do not set this + Username: "", // not used, note that the authorization and callback endpoints do not set this }, Custom: initialCustomSessionData, } 
@@ -3983,10 +4014,19 @@ func simulateAuthEndpointHavingAlreadyRun( if strings.Contains(authRequest.Form.Get("scope"), "pinniped:request-audience") { authRequester.GrantScope("pinniped:request-audience") } - if strings.Contains(authRequest.Form.Get("scope"), "groups") { - authRequester.GrantScope("groups") - session.Fosite.Claims.Extra[oidc.DownstreamGroupsClaim] = goodGroups + + // The authorization endpoint makes a special exception for the pinniped-cli client for backwards compatibility + // and grants the username and groups scopes to that client even if it did not ask for them. Simulate that + // behavior here too. + if strings.Contains(authRequest.Form.Get("scope"), "username") || authRequest.Form.Get("client_id") == pinnipedCLIClientID { + authRequester.GrantScope("username") + session.Fosite.Claims.Extra["username"] = goodUsername } + if strings.Contains(authRequest.Form.Get("scope"), "groups") || authRequest.Form.Get("client_id") == pinnipedCLIClientID { + authRequester.GrantScope("groups") + session.Fosite.Claims.Extra["groups"] = goodGroups + } + authResponder, err := oauthHelper.NewAuthorizeResponse(ctx, authRequester, session) require.NoError(t, err) return authResponder @@ -4032,6 +4072,7 @@ func requireValidRefreshTokenStorage( wantClientID string, wantRequestedScopes []string, wantGrantedScopes []string, + wantUsername string, wantGroups []string, wantCustomSessionData *psession.CustomSessionData, secrets v1.SecretInterface, @@ -4060,6 +4101,7 @@ func requireValidRefreshTokenStorage( wantRequestedScopes, wantGrantedScopes, true, + wantUsername, wantGroups, wantCustomSessionData, requestTime, @@ -4075,6 +4117,7 @@ func requireValidAccessTokenStorage( wantClientID string, wantRequestedScopes []string, wantGrantedScopes []string, + wantUsername string, wantGroups []string, wantCustomSessionData *psession.CustomSessionData, secrets v1.SecretInterface, 
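Review bot: The two new grant blocks in simulateAuthEndpointHavingAlreadyRun write the claim keys as the literals `"username"` and `"groups"` and repeat the `authRequest.Form.Get("client_id") == pinnipedCLIClientID` test, while the production code in this same commit reads the stored claim through `oidcapi.IDTokenClaimUsername`. If this test file can import the oidcapi package, using the constants here would make the helper fail loudly if the claim name ever drifts from what the token exchange handler looks up. The repeated client check can be hoisted once, `isPinnipedCLI := authRequest.Form.Get("client_id") == pinnipedCLIClientID`, and each condition becomes `if strings.Contains(authRequest.Form.Get("scope"), "username") || isPinnipedCLI {`. The enclosing function starts before this hunk.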
@@ -4122,6 +4165,7 @@ func requireValidAccessTokenStorage( wantRequestedScopes, wantGrantedScopes, true, + wantUsername, wantGroups, wantCustomSessionData, requestTime, @@ -4167,6 +4211,7 @@ func requireValidOIDCStorage( wantClientID string, wantRequestedScopes []string, wantGrantedScopes []string, + wantUsername string, wantGroups []string, wantCustomSessionData *psession.CustomSessionData, requestTime time.Time, @@ -4193,6 +4238,7 @@ func requireValidOIDCStorage( wantRequestedScopes, wantGrantedScopes, false, + wantUsername, wantGroups, wantCustomSessionData, requestTime, @@ -4211,6 +4257,7 @@ func requireValidStoredRequest( wantRequestedScopes []string, wantGrantedScopes []string, wantAccessTokenExpiresAt bool, + wantUsername string, wantGroups []string, wantCustomSessionData *psession.CustomSessionData, requestTime time.Time, 
@@ -4231,49 +4278,45 @@ func requireValidStoredRequest( session, ok := request.GetSession().(*psession.PinnipedSession) require.Truef(t, ok, "could not cast %T to %T", request.GetSession(), &psession.PinnipedSession{}) - // Assert that the session claims are what we think they should be, but only if we are doing OIDC. - if contains(wantGrantedScopes, "openid") { - claims := session.Fosite.Claims - require.Empty(t, claims.JTI) // When claims.JTI is empty, Fosite will generate a UUID for this field. - require.Equal(t, goodSubject, claims.Subject) + // Assert that the session claims are what we think they should be. + claims := session.Fosite.Claims + require.Empty(t, claims.JTI) // When claims.JTI is empty, Fosite will generate a UUID for this field. + require.Equal(t, goodSubject, claims.Subject) - // Our custom claims from the authorize endpoint should still be set. - expectedExtra := map[string]interface{}{ - "username": goodUsername, - } - if wantGroups != nil { - expectedExtra["groups"] = toSliceOfInterface(wantGroups) - } - require.Equal(t, expectedExtra, claims.Extra) - - // We are in charge of setting these fields. For the purpose of testing, we ensure that the - // sentinel test value is set correctly. - require.Equal(t, goodRequestedAtTime, claims.RequestedAt) - require.Equal(t, goodAuthTime, claims.AuthTime) - - // These fields will all be given good defaults by fosite at runtime and we only need to use them - // if we want to override the default behaviors. We currently don't need to override these defaults, - // so they do not end up being stored. Fosite sets its defaults at runtime in openid.DefaultStrategy's - // GenerateIDToken() method. 
- require.Empty(t, claims.Issuer) - require.Empty(t, claims.Audience) - require.Empty(t, claims.Nonce) - require.Zero(t, claims.ExpiresAt) - require.Zero(t, claims.IssuedAt) - - // Fosite unconditionally overwrites claims.AccessTokenHash at runtime in openid.OpenIDConnectExplicitHandler's - // PopulateTokenEndpointResponse() method, just before it calls the same GenerateIDToken() mentioned above, - // so it does not end up saved in storage. - require.Empty(t, claims.AccessTokenHash) - - // At this time, we don't use any of these optional (per the OIDC spec) fields. - require.Empty(t, claims.AuthenticationContextClassReference) - require.Empty(t, claims.AuthenticationMethodsReferences) - require.Empty(t, claims.CodeHash) - } else if wantGroups != nil { - t.Fatal("test did not want the openid scope to be granted, but also wanted groups, " + - "which is a combination that doesn't make sense since you need an ID token to get groups") + // Our custom claims from the authorize endpoint should still be set. + expectedExtra := map[string]interface{}{} + if wantUsername != "" { + expectedExtra["username"] = wantUsername } + if wantGroups != nil { + expectedExtra["groups"] = toSliceOfInterface(wantGroups) + } + require.Equal(t, expectedExtra, claims.Extra) + + // We are in charge of setting these fields. For the purpose of testing, we ensure that the + // sentinel test value is set correctly. + require.Equal(t, goodRequestedAtTime, claims.RequestedAt) + require.Equal(t, goodAuthTime, claims.AuthTime) + + // These fields will all be given good defaults by fosite at runtime and we only need to use them + // if we want to override the default behaviors. We currently don't need to override these defaults, + // so they do not end up being stored. Fosite sets its defaults at runtime in openid.DefaultStrategy's + // GenerateIDToken() method. 
+ require.Empty(t, claims.Issuer) + require.Empty(t, claims.Audience) + require.Empty(t, claims.Nonce) + require.Zero(t, claims.ExpiresAt) + require.Zero(t, claims.IssuedAt) + + // Fosite unconditionally overwrites claims.AccessTokenHash at runtime in openid.OpenIDConnectExplicitHandler's + // PopulateTokenEndpointResponse() method, just before it calls the same GenerateIDToken() mentioned above, + // so it does not end up saved in storage. + require.Empty(t, claims.AccessTokenHash) + + // At this time, we don't use any of these optional (per the OIDC spec) fields. + require.Empty(t, claims.AuthenticationContextClassReference) + require.Empty(t, claims.AuthenticationMethodsReferences) + require.Empty(t, claims.CodeHash) // Assert that the session headers are what we think they should be. headers := session.Fosite.Headers @@ -4336,6 +4379,7 @@ func requireValidIDToken( wantClientID string, wantAtHashClaimInIDToken bool, wantNonceValueInIDToken bool, + wantUsernameInIDToken string, wantGroupsInIDToken []string, actualAccessToken string, requestTime time.Time, @@ -4368,13 +4412,16 @@ func requireValidIDToken( // Note that there is a bug in fosite which prevents the `at_hash` claim from appearing in this ID token // during the initial authcode exchange, but does not prevent `at_hash` from appearing in the refreshed ID token. // We can add a workaround for this later. - idTokenFields := []string{"sub", "aud", "iss", "jti", "auth_time", "exp", "iat", "rat", "username"} + idTokenFields := []string{"sub", "aud", "iss", "jti", "auth_time", "exp", "iat", "rat"} if wantAtHashClaimInIDToken { idTokenFields = append(idTokenFields, "at_hash") } if wantNonceValueInIDToken { idTokenFields = append(idTokenFields, "nonce") } + if wantUsernameInIDToken != "" { + idTokenFields = append(idTokenFields, "username") + } if wantGroupsInIDToken != nil { idTokenFields = append(idTokenFields, "groups") } 
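Review bot: Dropping the `else if wantGroups != nil { t.Fatal(...) }` branch in requireValidStoredRequest removes the only guard against a test case that expects groups without the openid scope, and the new code now asserts `claims.Extra` unconditionally. The sibling helper validateAuthcodeStorage in this same commit keeps an equivalent sanity check via `require.Emptyf(t, wantDownstreamIDTokenGroups, ...)`. If that combination is still meaningless under the new scope model, consider keeping the check in the same shape so mistakes in test expectations are reported as such, e.g. `if !contains(wantGrantedScopes, "openid") { require.Empty(t, wantGroups, "test wanted groups without the openid scope") }`. requireValidStoredRequest starts before this hunk.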
@@ -4388,7 +4435,7 @@ func requireValidIDToken( err := token.Claims(&claims) require.NoError(t, err) require.Equal(t, goodSubject, claims.Subject) - require.Equal(t, goodUsername, claims.Username) + require.Equal(t, wantUsernameInIDToken, claims.Username) require.Equal(t, wantGroupsInIDToken, claims.Groups) require.Len(t, claims.Audience, 1) require.Equal(t, wantClientID, claims.Audience[0]) @@ -4499,3 +4546,24 @@ func TestDiffSortedGroups(t *testing.T) { }) } } + +type RecordedWarning struct { + Agent string + Text string +} + +type TestWarningRecorder struct { + Warnings []RecordedWarning +} + +var _ warning.Recorder = (*TestWarningRecorder)(nil) + +func (t *TestWarningRecorder) AddWarning(agent, text string) { + if t.Warnings == nil { + t.Warnings = []RecordedWarning{} + } + t.Warnings = append(t.Warnings, RecordedWarning{ + Agent: agent, + Text: text, + }) +} diff --git a/internal/oidc/token_exchange.go b/internal/oidc/token_exchange.go index 9cbf566d..dde15f70 100644 --- a/internal/oidc/token_exchange.go +++ b/internal/oidc/token_exchange.go @@ -8,21 +8,19 @@ import ( "net/url" "strings" - "github.com/coreos/go-oidc/v3/oidc" "github.com/ory/fosite" "github.com/ory/fosite/compose" "github.com/ory/fosite/handler/oauth2" "github.com/ory/fosite/handler/openid" "github.com/pkg/errors" - "go.pinniped.dev/internal/oidc/clientregistry" + oidcapi "go.pinniped.dev/generated/latest/apis/supervisor/oidc" + "go.pinniped.dev/internal/psession" ) const ( - tokenExchangeGrantType = "urn:ietf:params:oauth:grant-type:token-exchange" //nolint: gosec - tokenTypeAccessToken = "urn:ietf:params:oauth:token-type:access_token" //nolint: gosec - tokenTypeJWT = "urn:ietf:params:oauth:token-type:jwt" //nolint: gosec - pinnipedTokenExchangeScope = "pinniped:request-audience" //nolint: gosec + tokenTypeAccessToken = "urn:ietf:params:oauth:token-type:access_token" //nolint: gosec + tokenTypeJWT = "urn:ietf:params:oauth:token-type:jwt" //nolint: gosec ) type stsParams struct { 
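Review bot: The nil check in TestWarningRecorder.AddWarning is redundant, because `append` on a nil slice allocates a new one, and the receiver name `t` in a test file is easily confused with the `t *testing.T` used throughout. The whole body can read `func (r *TestWarningRecorder) AddWarning(agent, text string) { r.Warnings = append(r.Warnings, RecordedWarning{Agent: agent, Text: text}) }`. Both new exported types lack doc comments; a line such as `// TestWarningRecorder is a warning.Recorder that collects warnings in memory so tests can assert on them.` would help readers of the test.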
@@ -78,17 +76,22 @@ func (t *TokenExchangeHandler) PopulateTokenEndpointResponse(ctx context.Context } // Check that the client is allowed to perform this grant type. - if !requester.GetClient().GetGrantTypes().Has(tokenExchangeGrantType) { + if !requester.GetClient().GetGrantTypes().Has(oidcapi.GrantTypeTokenExchange) { // This error message is trying to be similar to the analogous one in fosite's flow_authorize_code_token.go. - return errors.WithStack(fosite.ErrUnauthorizedClient.WithHintf(`The OAuth 2.0 Client is not allowed to use token exchange grant "%s".`, tokenExchangeGrantType)) + return errors.WithStack(fosite.ErrUnauthorizedClient.WithHintf(`The OAuth 2.0 Client is not allowed to use token exchange grant "%s".`, oidcapi.GrantTypeTokenExchange)) } // Require that the incoming access token has the pinniped:request-audience and OpenID scopes. - if !originalRequester.GetGrantedScopes().Has(pinnipedTokenExchangeScope) { - return errors.WithStack(fosite.ErrAccessDenied.WithHintf("missing the %q scope", pinnipedTokenExchangeScope)) + if !originalRequester.GetGrantedScopes().Has(oidcapi.ScopeRequestAudience) { + return errors.WithStack(fosite.ErrAccessDenied.WithHintf("missing the %q scope", oidcapi.ScopeRequestAudience)) } - if !originalRequester.GetGrantedScopes().Has(oidc.ScopeOpenID) { - return errors.WithStack(fosite.ErrAccessDenied.WithHintf("missing the %q scope", oidc.ScopeOpenID)) + if !originalRequester.GetGrantedScopes().Has(oidcapi.ScopeOpenID) { + return errors.WithStack(fosite.ErrAccessDenied.WithHintf("missing the %q scope", oidcapi.ScopeOpenID)) + } + + // Check that the stored session meets the minimum requirements for token exchange. + if err := t.validateSession(originalRequester); err != nil { + return errors.WithStack(err) } // Use the original authorize request information, along with the requested audience, to mint a new JWT. 
@@ -110,6 +113,22 @@ func (t *TokenExchangeHandler) mintJWT(ctx context.Context, requester fosite.Req return t.idTokenStrategy.GenerateIDToken(ctx, downscoped) } +func (t *TokenExchangeHandler) validateSession(requester fosite.Requester) error { + pSession, ok := requester.GetSession().(*psession.PinnipedSession) + if !ok { + // This shouldn't really happen. + return fosite.ErrServerError.WithHint("Invalid session storage.") + } + username, ok := pSession.IDTokenClaims().Extra[oidcapi.IDTokenClaimUsername].(string) + if !ok || username == "" { + // No username was stored in the session's ID token claims (or the stored username was not a string, which + // shouldn't really happen). Usernames will not be stored in the session's ID token claims when the username + // scope was not requested/granted, but otherwise they should be stored. + return fosite.ErrAccessDenied.WithHintf("No username found in session. Ensure that the %q scope was requested and granted at the authorization endpoint.", oidcapi.ScopeUsername) + } + return nil +} + func (t *TokenExchangeHandler) validateParams(params url.Values) (*stsParams, error) { var result stsParams @@ -157,8 +176,8 @@ func (t *TokenExchangeHandler) validateParams(params url.Values) (*stsParams, er if strings.Contains(result.requestedAudience, ".pinniped.dev") { return nil, fosite.ErrInvalidRequest.WithHintf("requested audience cannot contain '.pinniped.dev'") } - if result.requestedAudience == clientregistry.PinnipedCLIClientID { - return nil, fosite.ErrInvalidRequest.WithHintf("requested audience cannot equal '%s'", clientregistry.PinnipedCLIClientID) + if result.requestedAudience == oidcapi.ClientIDPinnipedCLI { + return nil, fosite.ErrInvalidRequest.WithHintf("requested audience cannot equal '%s'", oidcapi.ClientIDPinnipedCLI) } return &result, nil 
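Review bot: validateSession is the new gate that makes token exchange depend on a username having been stored at authorization time, but it carries no doc comment explaining that contract or why a missing username is reported as access denied rather than a server error. Suggest `// validateSession rejects token exchange for sessions whose stored ID token claims lack a non-empty username, which is the case when the username scope was not granted at the authorization endpoint.` The lookup through `pSession.IDTokenClaims().Extra[oidcapi.IDTokenClaimUsername]` silently depends on the authorization endpoint storing the claim under the same key, and the test helper in this commit writes it as the literal `"username"`, so a drift between the two would only surface at runtime. The hint returned to the client names only the required scope and no session contents, which is appropriate.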
@@ -181,5 +200,5 @@ func (t *TokenExchangeHandler) CanSkipClientAuth(_ fosite.AccessRequester) bool } func (t *TokenExchangeHandler) CanHandleTokenEndpointRequest(requester fosite.AccessRequester) bool { - return requester.GetGrantTypes().ExactOne(tokenExchangeGrantType) + return requester.GetGrantTypes().ExactOne(oidcapi.GrantTypeTokenExchange) } diff --git a/internal/psession/pinniped_session.go b/internal/psession/pinniped_session.go index 665d0a90..136b2312 100644 --- a/internal/psession/pinniped_session.go +++ b/internal/psession/pinniped_session.go @@ -27,6 +27,11 @@ var _ openid.Session = &PinnipedSession{} // CustomSessionData is the custom session data needed by Pinniped. It should be treated as a union type, // where the value of ProviderType decides which other fields to use. type CustomSessionData struct { + // Username will contain the downstream username determined during initial authorization. We store this + // so that we can validate that it does not change upon refresh. This should normally never be empty, since + // all users must have a username. + Username string `json:"username"` + // The Kubernetes resource UID of the identity provider CRD for the upstream IDP used to start this session. // This should be validated again upon downstream refresh to make sure that we are not refreshing against // a different identity provider CRD which just happens to have the same name. diff --git a/internal/testutil/oidcclient.go b/internal/testutil/oidcclient.go index 621aea2e..6b8968d0 100644 --- a/internal/testutil/oidcclient.go +++ b/internal/testutil/oidcclient.go @@ -7,6 +7,8 @@ import ( "strings" "testing" + "github.com/stretchr/testify/require" + "golang.org/x/crypto/bcrypt" corev1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/types" 
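Review bot: The new doc comment on CustomSessionData.Username says the value is validated for changes on refresh, but no such check is visible in this commit, so the comment promises behavior a reader cannot confirm here; if the check lives elsewhere a pointer to it would help, and if it does not exist yet the sentence should be softened. Separately, the field is tagged `json:"username"` without omitempty and will decode as the empty string for sessions persisted before the field existed, so any refresh-time comparison needs an explicit decision about pre-upgrade sessions. A sentence such as `// Sessions stored before this field was introduced will have an empty Username.` would document that edge next to the "should normally never be empty" claim.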
@@ -41,19 +43,30 @@ func allDynamicClientScopes() []configv1alpha1.Scope { return scopes } -// fullyCapableOIDCClient returns an OIDC client which is allowed to use all grant types and all scopes that -// are supported by the Supervisor for dynamic clients. -func fullyCapableOIDCClient(namespace string, clientID string, clientUID string, redirectURI string) *configv1alpha1.OIDCClient { +func newOIDCClient( + namespace string, + clientID string, + clientUID string, + redirectURI string, + allowedGrantTypes []configv1alpha1.GrantType, + allowedScopes []configv1alpha1.Scope, +) *configv1alpha1.OIDCClient { return &configv1alpha1.OIDCClient{ ObjectMeta: metav1.ObjectMeta{Namespace: namespace, Name: clientID, Generation: 1, UID: types.UID(clientUID)}, Spec: configv1alpha1.OIDCClientSpec{ - AllowedGrantTypes: []configv1alpha1.GrantType{"authorization_code", "urn:ietf:params:oauth:grant-type:token-exchange", "refresh_token"}, - AllowedScopes: allDynamicClientScopes(), + AllowedGrantTypes: allowedGrantTypes, + AllowedScopes: allowedScopes, AllowedRedirectURIs: []configv1alpha1.RedirectURI{configv1alpha1.RedirectURI(redirectURI)}, }, } } +// OIDCClientValidatorFunc is an interface-like type that allows these test helpers to avoid having a direct dependency +// on the production code, to avoid circular module dependencies. Implemented by oidcclientvalidator.Validate. +type OIDCClientValidatorFunc func(oidcClient *configv1alpha1.OIDCClient, secret *corev1.Secret, minBcryptCost int) (bool, []*configv1alpha1.Condition, []string) + +// FullyCapableOIDCClientAndStorageSecret returns an OIDC client which is allowed to use all grant types and all scopes +// that are supported by the Supervisor for dynamic clients, along with a corresponding client secret storage Secret. func FullyCapableOIDCClientAndStorageSecret( t *testing.T, namespace string, 
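Review bot: newOIDCClient drops the doc comment that fullyCapableOIDCClient had, and its parameter order (`redirectURI, allowedGrantTypes, allowedScopes`) differs from the new OIDCClientAndStorageSecret (`allowedGrantTypes, allowedScopes, redirectURI`), which invites transposition at the call site. Suggest `// newOIDCClient returns an OIDCClient with the given allowed grant types and scopes and a single allowed redirect URI.` and aligning the argument order of the two helpers so they read the same way.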
@@ -61,7 +74,38 @@ func FullyCapableOIDCClientAndStorageSecret( clientUID string, redirectURI string, hashes []string, + validateFunc OIDCClientValidatorFunc, ) (*configv1alpha1.OIDCClient, *corev1.Secret) { - return fullyCapableOIDCClient(namespace, clientID, clientUID, redirectURI), - OIDCClientSecretStorageSecretForUID(t, namespace, clientUID, hashes) + allScopes := allDynamicClientScopes() + + allGrantTypes := []configv1alpha1.GrantType{ + "authorization_code", "urn:ietf:params:oauth:grant-type:token-exchange", "refresh_token", + } + + return OIDCClientAndStorageSecret(t, namespace, clientID, clientUID, allGrantTypes, allScopes, redirectURI, hashes, validateFunc) +} + +// OIDCClientAndStorageSecret returns an OIDC client which is allowed to use the specified grant types and scopes, +// along with a corresponding client secret storage Secret. It also validates the client to make sure that the specified +// combination of grant types and scopes is considered valid before returning the client. +func OIDCClientAndStorageSecret( + t *testing.T, + namespace string, + clientID string, + clientUID string, + allowedGrantTypes []configv1alpha1.GrantType, + allowedScopes []configv1alpha1.Scope, + redirectURI string, + hashes []string, + validateFunc OIDCClientValidatorFunc, +) (*configv1alpha1.OIDCClient, *corev1.Secret) { + oidcClient := newOIDCClient(namespace, clientID, clientUID, redirectURI, allowedGrantTypes, allowedScopes) + secret := OIDCClientSecretStorageSecretForUID(t, namespace, clientUID, hashes) + + // If a test made an invalid OIDCClient then inform the author of the test, so they can fix the test case. + // This is an easy mistake to make when writing tests because there are lots of validations on OIDCClients. + valid, conditions, _ := validateFunc(oidcClient, secret, bcrypt.MinCost) + require.True(t, valid, "Test's OIDCClient should have been valid. See conditions for errors: %s", conditions) + + return oidcClient, secret } 
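Review bot: The failure message in OIDCClientAndStorageSecret formats `conditions`, a `[]*configv1alpha1.Condition`, with `%s`, which prints the pointer addresses of the elements rather than their contents, so a test author will not see why the client was rejected. The call also discards the third `[]string` return of validateFunc; if that is the validator's list of human-readable errors it is the better thing to print: `valid, _, validationErrs := validateFunc(oidcClient, secret, bcrypt.MinCost)` followed by `require.True(t, valid, "Test's OIDCClient should have been valid: %v", validationErrs)`. Otherwise dereference each condition before formatting it.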
diff --git a/internal/testutil/oidctestutil/oidctestutil.go b/internal/testutil/oidctestutil/oidctestutil.go index 23fcc821..2056e2d1 100644 --- a/internal/testutil/oidctestutil/oidctestutil.go +++ b/internal/testutil/oidctestutil/oidctestutil.go @@ -1064,14 +1064,22 @@ func validateAuthcodeStorage( // Check the user's identity, which are put into the downstream ID token's subject, username and groups claims. require.Equal(t, wantDownstreamIDTokenSubject, actualClaims.Subject) - require.Equal(t, wantDownstreamIDTokenUsername, actualClaims.Extra["username"]) + wantDownstreamIDTokenUsernameClaimToExist := 1 + if wantDownstreamIDTokenUsername == "" { + wantDownstreamIDTokenUsernameClaimToExist = 0 + require.NotContains(t, actualClaims.Extra, "username") + } else { + require.Equal(t, wantDownstreamIDTokenUsername, actualClaims.Extra["username"]) + } if slices.Contains(wantDownstreamGrantedScopes, "groups") { - require.Len(t, actualClaims.Extra, 2) + require.Len(t, actualClaims.Extra, wantDownstreamIDTokenUsernameClaimToExist+1) actualDownstreamIDTokenGroups := actualClaims.Extra["groups"] require.NotNil(t, actualDownstreamIDTokenGroups) require.ElementsMatch(t, wantDownstreamIDTokenGroups, actualDownstreamIDTokenGroups) } else { - require.Len(t, actualClaims.Extra, 1) + require.Emptyf(t, wantDownstreamIDTokenGroups, "test case did not want the groups scope to be granted, "+ + "but wanted something in the groups claim, which doesn't make sense. please review the test case's expectations.") + require.Len(t, actualClaims.Extra, wantDownstreamIDTokenUsernameClaimToExist) actualDownstreamIDTokenGroups := actualClaims.Extra["groups"] require.Nil(t, actualDownstreamIDTokenGroups) } diff --git a/internal/testutil/psession.go b/internal/testutil/psession.go index 83aacb13..88eb658b 100644 --- a/internal/testutil/psession.go +++ b/internal/testutil/psession.go 
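Review bot: `wantDownstreamIDTokenUsernameClaimToExist` in validateAuthcodeStorage is an `int` used as a count, but its name reads like a boolean, and `wantDownstreamIDTokenUsernameClaimToExist+1` hides the intent of the length assertion. A name such as `expectedExtraClaimCount`, incremented when the username claim is expected and again in the groups branch, states the same thing directly. The enclosing function starts before this hunk.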
@@ -24,6 +24,7 @@ func NewFakePinnipedSession() *psession.PinnipedSession { Subject: "panda", }, Custom: &psession.CustomSessionData{ + Username: "fake-username", ProviderUID: "fake-provider-uid", ProviderType: "fake-provider-type", ProviderName: "fake-provider-name", diff --git a/internal/upstreamldap/upstreamldap.go b/internal/upstreamldap/upstreamldap.go index cfbd437f..9c8dd1d6 100644 --- a/internal/upstreamldap/upstreamldap.go +++ b/internal/upstreamldap/upstreamldap.go @@ -23,10 +23,10 @@ import ( "k8s.io/utils/strings/slices" "k8s.io/utils/trace" + oidcapi "go.pinniped.dev/generated/latest/apis/supervisor/oidc" "go.pinniped.dev/internal/authenticators" "go.pinniped.dev/internal/crypto/ptls" "go.pinniped.dev/internal/endpointaddr" - "go.pinniped.dev/internal/oidc" "go.pinniped.dev/internal/oidc/downstreamsession" "go.pinniped.dev/internal/oidc/provider" "go.pinniped.dev/internal/plog" @@ -241,7 +241,7 @@ func (p *Provider) PerformRefresh(ctx context.Context, storedRefreshAttributes p return storedRefreshAttributes.Groups, nil } // if we were not granted the groups scope, we should not search for groups or return any. - if !slices.Contains(storedRefreshAttributes.GrantedScopes, oidc.DownstreamGroupsScope) { + if !slices.Contains(storedRefreshAttributes.GrantedScopes, oidcapi.ScopeGroups) { return nil, nil } @@ -593,7 +593,7 @@ func (p *Provider) searchAndBindUser(conn Conn, username string, grantedScopes [ } var mappedGroupNames []string - if slices.Contains(grantedScopes, oidc.DownstreamGroupsScope) { + if slices.Contains(grantedScopes, oidcapi.ScopeGroups) { mappedGroupNames, err = p.searchGroupsForUserDN(conn, userEntry.DN) if err != nil { return nil, err diff --git a/internal/upstreamoidc/upstreamoidc.go b/internal/upstreamoidc/upstreamoidc.go index cb480f8b..dfe31137 100644 --- a/internal/upstreamoidc/upstreamoidc.go +++ b/internal/upstreamoidc/upstreamoidc.go 
@@ -20,8 +20,8 @@ import ( "k8s.io/apimachinery/pkg/types" "k8s.io/apimachinery/pkg/util/sets" + oidcapi "go.pinniped.dev/generated/latest/apis/supervisor/oidc" "go.pinniped.dev/internal/httputil/httperr" - "go.pinniped.dev/internal/oidc" "go.pinniped.dev/internal/oidc/provider" "go.pinniped.dev/internal/plog" "go.pinniped.dev/pkg/oidcclient/nonce" @@ -286,7 +286,7 @@ func (p *ProviderConfig) ValidateTokenAndMergeWithUserInfo(ctx context.Context, return nil, err } - idTokenSubject, _ := validatedClaims[oidc.IDTokenSubjectClaim].(string) + idTokenSubject, _ := validatedClaims[oidcapi.IDTokenClaimSubject].(string) if len(idTokenSubject) > 0 || !requireIDToken { // only fetch userinfo if the ID token has a subject or if we are ignoring the id token completely. @@ -346,7 +346,7 @@ func (p *ProviderConfig) validateIDToken(ctx context.Context, tok *oauth2.Token, } func (p *ProviderConfig) maybeFetchUserInfoAndMergeClaims(ctx context.Context, tok *oauth2.Token, claims map[string]interface{}, requireIDToken bool, requireUserInfo bool) error { - idTokenSubject, _ := claims[oidc.IDTokenSubjectClaim].(string) + idTokenSubject, _ := claims[oidcapi.IDTokenClaimSubject].(string) userInfo, err := p.maybeFetchUserInfo(ctx, tok, requireUserInfo) if err != nil { @@ -371,7 +371,7 @@ func (p *ProviderConfig) maybeFetchUserInfoAndMergeClaims(ctx context.Context, t } // keep track of the issuer from the ID token - idTokenIssuer := claims["iss"] + idTokenIssuer := claims[oidcapi.IDTokenClaimIssuer] // merge existing claims with user info claims if err := userInfo.Claims(&claims); err != nil { 
@@ -381,9 +381,9 @@ func (p *ProviderConfig) maybeFetchUserInfoAndMergeClaims(ctx context.Context, t // "If signed, the UserInfo Response SHOULD contain the Claims iss (issuer) and aud (audience) as members. The iss value SHOULD be the OP's Issuer Identifier URL." // See https://openid.net/specs/openid-connect-core-1_0.html#UserInfoResponse // So we just ignore it and use it the version from the id token, which has stronger guarantees. - delete(claims, "iss") + delete(claims, oidcapi.IDTokenClaimIssuer) if idTokenIssuer != nil { - claims["iss"] = idTokenIssuer + claims[oidcapi.IDTokenClaimIssuer] = idTokenIssuer } maybeLogClaims("claims from ID token and userinfo", p.Name, claims) diff --git a/pkg/oidcclient/login.go b/pkg/oidcclient/login.go index 3ff1b9a4..cfb36784 100644 --- a/pkg/oidcclient/login.go +++ b/pkg/oidcclient/login.go @@ -21,14 +21,14 @@ import ( "sync" "time" - "github.com/coreos/go-oidc/v3/oidc" + coreosoidc "github.com/coreos/go-oidc/v3/oidc" "github.com/go-logr/logr" "github.com/pkg/browser" "golang.org/x/oauth2" "golang.org/x/term" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - supervisoroidc "go.pinniped.dev/generated/latest/apis/supervisor/oidc" + oidcapi "go.pinniped.dev/generated/latest/apis/supervisor/oidc" "go.pinniped.dev/internal/httputil/httperr" "go.pinniped.dev/internal/httputil/securityheader" "go.pinniped.dev/internal/net/phttp" @@ -91,7 +91,7 @@ type handlerState struct { callbackPath string // Generated parameters of a login flow. - provider *oidc.Provider + provider *coreosoidc.Provider oauth2Config *oauth2.Config useFormPost bool state state.State 
@@ -106,8 +106,8 @@ type handlerState struct { getEnv func(key string) string listen func(string, string) (net.Listener, error) isTTY func(int) bool - getProvider func(*oauth2.Config, *oidc.Provider, *http.Client) provider.UpstreamOIDCIdentityProviderI - validateIDToken func(ctx context.Context, provider *oidc.Provider, audience string, token string) (*oidc.IDToken, error) + getProvider func(*oauth2.Config, *coreosoidc.Provider, *http.Client) provider.UpstreamOIDCIdentityProviderI + validateIDToken func(ctx context.Context, provider *coreosoidc.Provider, audience string, token string) (*coreosoidc.IDToken, error) promptForValue func(ctx context.Context, promptLabel string) (string, error) promptForSecret func(promptLabel string) (string, error) @@ -268,7 +268,7 @@ func Login(issuer string, clientID string, opts ...Option) (*oidctypes.Token, er issuer: issuer, clientID: clientID, listenAddr: "localhost:0", - scopes: []string{oidc.ScopeOfflineAccess, oidc.ScopeOpenID, "email", "profile"}, + scopes: []string{oidcapi.ScopeOfflineAccess, oidcapi.ScopeOpenID, oidcapi.ScopeEmail, oidcapi.ScopeProfile}, cache: &nopCache{}, callbackPath: "/callback", ctx: context.Background(), @@ -285,8 +285,8 @@ func Login(issuer string, clientID string, opts ...Option) (*oidctypes.Token, er listen: net.Listen, isTTY: term.IsTerminal, getProvider: upstreamoidc.New, - validateIDToken: func(ctx context.Context, provider *oidc.Provider, audience string, token string) (*oidc.IDToken, error) { - return provider.Verifier(&oidc.Config{ClientID: audience}).Verify(ctx, token) + validateIDToken: func(ctx context.Context, provider *coreosoidc.Provider, audience string, token string) (*coreosoidc.IDToken, error) { + return provider.Verifier(&coreosoidc.Config{ClientID: audience}).Verify(ctx, token) }, promptForValue: promptForValue, promptForSecret: promptForSecret, 
@@ -305,7 +305,7 @@ func Login(issuer string, clientID string, opts ...Option) (*oidctypes.Token, er // Always set a long, but non-infinite timeout for this operation. ctx, cancel := context.WithTimeout(h.ctx, overallTimeout) defer cancel() - ctx = oidc.ClientContext(ctx, h.httpClient) + ctx = coreosoidc.ClientContext(ctx, h.httpClient) h.ctx = ctx // Initialize login parameters. @@ -386,10 +386,10 @@ func (h *handlerState) baseLogin() (*oidctypes.Token, error) { } if h.upstreamIdentityProviderName != "" { authorizeOptions = append(authorizeOptions, - oauth2.SetAuthURLParam(supervisoroidc.AuthorizeUpstreamIDPNameParamName, h.upstreamIdentityProviderName), + oauth2.SetAuthURLParam(oidcapi.AuthorizeUpstreamIDPNameParamName, h.upstreamIdentityProviderName), ) authorizeOptions = append(authorizeOptions, - oauth2.SetAuthURLParam(supervisoroidc.AuthorizeUpstreamIDPTypeParamName, h.upstreamIdentityProviderType), + oauth2.SetAuthURLParam(oidcapi.AuthorizeUpstreamIDPTypeParamName, h.upstreamIdentityProviderType), ) } @@ -447,8 +447,8 @@ func (h *handlerState) cliBasedAuth(authorizeOptions *[]oauth2.AuthCodeOption) ( if err != nil { return nil, fmt.Errorf("could not build authorize request: %w", err) } - authReq.Header.Set(supervisoroidc.AuthorizeUsernameHeaderName, username) - authReq.Header.Set(supervisoroidc.AuthorizePasswordHeaderName, password) + authReq.Header.Set(oidcapi.AuthorizeUsernameHeaderName, username) + authReq.Header.Set(oidcapi.AuthorizePasswordHeaderName, password) authRes, err := h.httpClient.Do(authReq) if err != nil { return nil, fmt.Errorf("authorization response error: %w", err) 
@@ -710,7 +710,7 @@ func (h *handlerState) initOIDCDiscovery() error {
 h.logger.V(plog.KlogLevelDebug).Info("Pinniped: Performing OIDC discovery", "issuer", h.issuer)
 var err error
- h.provider, err = oidc.NewProvider(h.ctx, h.issuer)
+ h.provider, err = coreosoidc.NewProvider(h.ctx, h.issuer)
 if err != nil {
 return fmt.Errorf("could not perform OIDC discovery for %q: %w", h.issuer, err)
 }
@@ -775,7 +775,7 @@ func (h *handlerState) tokenExchangeRFC8693(baseToken *oidctypes.Token) (*oidcty
 // Form the HTTP POST request with the parameters specified by RFC8693.
 reqBody := strings.NewReader(url.Values{
 "client_id": []string{h.clientID},
- "grant_type": []string{"urn:ietf:params:oauth:grant-type:token-exchange"},
+ "grant_type": []string{oidcapi.GrantTypeTokenExchange},
 "audience": []string{h.requestedAudience},
 "subject_token": []string{baseToken.AccessToken.Token},
 "subject_token_type": []string{"urn:ietf:params:oauth:token-type:access_token"},
diff --git a/pkg/oidcclient/nonce/nonce.go b/pkg/oidcclient/nonce/nonce.go
index 6766bec2..28b650dd 100644
--- a/pkg/oidcclient/nonce/nonce.go
+++ b/pkg/oidcclient/nonce/nonce.go
@@ -1,7 +1,7 @@
-// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
-// Package nonce implements
+// Package nonce implements helpers for OIDC nonce parameter handling.
 package nonce
 import (
@@ -11,7 +11,7 @@ import (
 "fmt"
 "io"
- "github.com/coreos/go-oidc/v3/oidc"
+ coreosoidc "github.com/coreos/go-oidc/v3/oidc"
 "golang.org/x/oauth2"
 )
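Review bot: In the tokenExchangeRFC8693 hunk, `grant_type` now comes from `oidcapi.GrantTypeTokenExchange` while `subject_token_type` on the very next line still carries the literal `"urn:ietf:params:oauth:token-type:access_token"`, so the RFC 8693 wire values for this request are now split between a constants package and inline strings. If `oidcapi` already declares the matching token-type constant, use it here too; otherwise consider adding one alongside `GrantTypeTokenExchange` so both values are defined in one place and the server-side handler can share them. The remainder of the request body (including any `requested_token_type` parameter) is outside the hunk, so check it for the same inconsistency.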
@@ -36,11 +36,11 @@ func (n *Nonce) String() string {
 // Param returns the OAuth2 auth code parameter for sending the nonce during the authorization request.
 func (n *Nonce) Param() oauth2.AuthCodeOption {
- return oidc.Nonce(string(*n))
+ return coreosoidc.Nonce(string(*n))
 }
 // Validate the returned ID token). Returns true iff the nonce matches or the returned JWT does not have a nonce.
-func (n *Nonce) Validate(token *oidc.IDToken) error {
+func (n *Nonce) Validate(token *coreosoidc.IDToken) error {
 if subtle.ConstantTimeCompare([]byte(token.Nonce), []byte(*n)) != 1 {
 return InvalidNonceError{Expected: *n, Got: Nonce(token.Nonce)}
 }
diff --git a/site/content/docs/reference/code-walkthrough.md b/site/content/docs/reference/code-walkthrough.md
index 5ce69299..9035ebea 100644
--- a/site/content/docs/reference/code-walkthrough.md
+++ b/site/content/docs/reference/code-walkthrough.md
@@ -188,7 +188,7 @@ The Supervisor's endpoints are:
 - And a number of endpoints for each FederationDomain that is configured by the user. Each FederationDomain's endpoints are mounted under the path of the FederationDomain's `spec.issuer`,
-if the issuer as a path specified in its URL. If the issuer has no path, then they are mounted under `/`.
+if the `spec.issuer` URL has a path component specified. If the issuer has no path, then they are mounted under `/`.
 These per-FederationDomain endpoint are all mounted by the code in [internal/oidc/provider/manager/manager.go](https://github.com/vmware-tanzu/pinniped/blob/main/internal/oidc/provider/manager/manager.go).
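Review bot: The doc comment directly above the changed `Validate` signature no longer describes the function: it says "Returns true iff the nonce matches or the returned JWT does not have a nonce", but the function returns an error, and the visible `subtle.ConstantTimeCompare` branch rejects an empty `token.Nonce` whenever the expected nonce is non-empty, so a missing nonce is not accepted (which is the behaviour you want for replay protection). There is also a stray `)` in "ID token)". Since the signature line is being touched anyway, suggest replacing the comment with `// Validate checks that the ID token's nonce claim matches n using a constant-time comparison. It returns an InvalidNonceError when the claim is missing or differs.` The function body continues past the hunk, so confirm no later branch relaxes the empty-nonce case before committing to that wording.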
@@ -202,6 +202,10 @@ The per-FederationDomain endpoints are: See [internal/oidc/auth/auth_handler.go](https://github.com/vmware-tanzu/pinniped/blob/main/internal/oidc/auth/auth_handler.go). - `/oauth2/token` is the standard OIDC token endpoint. See [internal/oidc/token/token_handler.go](https://github.com/vmware-tanzu/pinniped/blob/main/internal/oidc/token/token_handler.go). + The token endpoint can handle the standard OIDC `authorization_code` and `refresh_token` grant types, and has also been + extended in [internal/oidc/token_exchange.go](https://github.com/vmware-tanzu/pinniped/blob/main/internal/oidc/token_exchange.go) + to handle an additional grant type for [RFC 8693](https://datatracker.ietf.org/doc/html/rfc8693) token exchanges to + reduce the applicable scope (technically, the `aud` claim) of ID tokens. - `/callback` is a special endpoint that is used as the redirect URL when performing an OIDC authcode flow against an upstream OIDC identity provider as configured by an OIDCIdentityProvider custom resource. See [internal/oidc/callback/callback_handler.go](https://github.com/vmware-tanzu/pinniped/blob/main/internal/oidc/callback/callback_handler.go). - `/v1alpha1/pinniped_identity_providers` is a custom discovery endpoint for clients to learn about available upstream identity providers. diff --git a/test/integration/e2e_test.go b/test/integration/e2e_test.go index aaf152f4..b2e95649 100644 --- a/test/integration/e2e_test.go +++ b/test/integration/e2e_test.go @@ -24,7 +24,6 @@ import ( "testing" "time" - coreosoidc "github.com/coreos/go-oidc/v3/oidc" "github.com/creack/pty" "github.com/sclevine/agouti" "github.com/stretchr/testify/require" @@ -40,7 +39,6 @@ import ( "go.pinniped.dev/internal/certauthority" "go.pinniped.dev/internal/crud" "go.pinniped.dev/internal/here" - "go.pinniped.dev/internal/oidc" "go.pinniped.dev/internal/testutil" "go.pinniped.dev/pkg/oidcclient" "go.pinniped.dev/pkg/oidcclient/filesession" 
@@ -53,6 +51,8 @@ import ( func TestE2EFullIntegration_Browser(t *testing.T) { env := testlib.IntegrationEnv(t) + allScopes := []string{"openid", "offline_access", "pinniped:request-audience", "username", "groups"} + // Avoid allowing PINNIPED_UPSTREAM_IDENTITY_PROVIDER_FLOW to interfere with these tests. originalFlowEnvVarValue, flowOverrideEnvVarSet := os.LookupEnv("PINNIPED_UPSTREAM_IDENTITY_PROVIDER_FLOW") if flowOverrideEnvVarSet { @@ -170,7 +170,7 @@ func TestE2EFullIntegration_Browser(t *testing.T) { "--oidc-skip-browser", "--oidc-ca-bundle", testCABundlePath, "--oidc-session-cache", sessionCachePath, - "--oidc-scopes", "offline_access,openid,pinniped:request-audience,groups", + // use default for --oidc-scopes, which is to request all relevant scopes }) // Run "kubectl get namespaces" which should trigger a browser login via the plugin. 
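Review bot: `allScopes` is a hand-maintained copy of whatever the CLI's default for `--oidc-scopes` currently is, and the subtests that drop the flag (`// use default for --oidc-scopes, which is to request all relevant scopes`, repeated in this hunk and at roughly a dozen later sites in this file) rely on the two staying equal; if the default changes, the session cache key the helper derives from this list will silently stop matching. A declaration comment would make that coupling visible, e.g. `// allScopes must match the CLI's default --oidc-scopes list; the helper below uses it to build the session cache key.` If the default is exported as a constant anywhere, building `allScopes` from it would remove the duplication entirely.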
@@ -193,11 +193,12 @@ func TestE2EFullIntegration_Browser(t *testing.T) { requireKubectlGetNamespaceOutput(t, env, waitForKubectlOutput(t, kubectlOutputChan)) - requireUserCanUseKubectlWithoutAuthenticatingAgain(testCtx, t, env, downstream, kubeconfigPath, sessionCachePath, pinnipedExe, expectedUsername, expectedGroups, []string{coreosoidc.ScopeOfflineAccess, coreosoidc.ScopeOpenID, "pinniped:request-audience", "groups"}) + requireUserCanUseKubectlWithoutAuthenticatingAgain(testCtx, t, env, downstream, kubeconfigPath, sessionCachePath, pinnipedExe, expectedUsername, expectedGroups, allScopes) }) - // If scopes aren't specified, we don't request the groups scope, which means we won't get any groups back in our token. - t.Run("with Supervisor OIDC upstream IDP and browser flow, scopes not specified", func(t *testing.T) { + // If the username and groups scope are not requested by the CLI, then the CLI still gets them, to allow for + // backwards compatibility with old CLIs that did not request those scopes because they did not exist yet. + t.Run("with Supervisor OIDC upstream IDP and browser flow, downstream username and groups scopes not requested", func(t *testing.T) { testCtx, cancel := context.WithTimeout(context.Background(), 5*time.Minute) t.Cleanup(cancel) @@ -249,6 +250,7 @@ func TestE2EFullIntegration_Browser(t *testing.T) { "--oidc-skip-browser", "--oidc-ca-bundle", testCABundlePath, "--oidc-session-cache", sessionCachePath, + "--oidc-scopes", "offline_access,openid,pinniped:request-audience", // does not request username or groups }) // Run "kubectl get namespaces" which should trigger a browser login via the plugin. 
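Review bot: The new subtest comment has a number-agreement slip ("If the username and groups scope are not requested") and the same sentence is duplicated verbatim for the LDAP subtest added later in this file; suggest `// If the username and groups scopes are not requested by the CLI, the Supervisor still grants them to pinniped-cli for backwards compatibility with old CLIs that predate those scopes.` Stating that the grant is specific to pinniped-cli matters here, because the behaviour being documented is a scope upgrade that should not apply to other clients.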
@@ -271,7 +273,12 @@ func TestE2EFullIntegration_Browser(t *testing.T) { requireKubectlGetNamespaceOutput(t, env, waitForKubectlOutput(t, kubectlOutputChan)) - requireUserCanUseKubectlWithoutAuthenticatingAgain(testCtx, t, env, downstream, kubeconfigPath, sessionCachePath, pinnipedExe, expectedUsername, []string{}, []string{coreosoidc.ScopeOfflineAccess, coreosoidc.ScopeOpenID, "pinniped:request-audience"}) + // Note that the list of scopes param here is used to form the cache key for looking up local session storage. + // The scopes portion of the cache key is made up of the requested scopes from the CLI flag, not the granted + // scopes returned by the Supervisor, so list the requested scopes from the CLI flag here. This helper will + // assert that the expected username and groups claims/values are in the downstream ID token. + requireUserCanUseKubectlWithoutAuthenticatingAgain(testCtx, t, env, downstream, kubeconfigPath, sessionCachePath, + pinnipedExe, expectedUsername, []string{}, []string{"offline_access", "openid", "pinniped:request-audience"}) }) t.Run("with Supervisor OIDC upstream IDP and manual authcode copy-paste from browser flow", func(t *testing.T) { @@ -328,7 +335,7 @@ func TestE2EFullIntegration_Browser(t *testing.T) { "--oidc-skip-listen", "--oidc-ca-bundle", testCABundlePath, "--oidc-session-cache", sessionCachePath, - "--oidc-scopes", "offline_access,openid,pinniped:request-audience,groups", + // use default for --oidc-scopes, which is to request all relevant scopes }) // Run "kubectl get namespaces" which should trigger a browser login via the plugin. 
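Review bot: The new comment says this helper "will assert that the expected username and groups claims/values are in the downstream ID token", yet the call still passes `[]string{}` for expectedGroups; in the helper's `else` branch (visible further down in this diff) that becomes an `ElementsMatch` against an empty list, which passes whether the `groups` claim is absent, `null`, or empty. Since this subtest now documents that `groups` is granted even when not requested, that expectation probably no longer exercises the behaviour it describes; the analogous case in supervisor_login_test.go switches to `env.SupervisorUpstreamOIDC.ExpectedGroups`, so pass the same `expectedGroups` the sibling subtests pass here, or state in the comment why this upstream yields no groups. The subtest's setup is outside the hunk, so I cannot see what `expectedGroups` holds at this point.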
@@ -382,7 +389,7 @@ func TestE2EFullIntegration_Browser(t *testing.T) { t.Logf("first kubectl command took %s", time.Since(start).String()) - requireUserCanUseKubectlWithoutAuthenticatingAgain(testCtx, t, env, downstream, kubeconfigPath, sessionCachePath, pinnipedExe, expectedUsername, expectedGroups, []string{coreosoidc.ScopeOfflineAccess, coreosoidc.ScopeOpenID, "pinniped:request-audience", "groups"}) + requireUserCanUseKubectlWithoutAuthenticatingAgain(testCtx, t, env, downstream, kubeconfigPath, sessionCachePath, pinnipedExe, expectedUsername, expectedGroups, allScopes) }) t.Run("access token based refresh with Supervisor OIDC upstream IDP and manual authcode copy-paste from browser flow", func(t *testing.T) { @@ -447,7 +454,7 @@ func TestE2EFullIntegration_Browser(t *testing.T) { "--oidc-skip-listen", "--oidc-ca-bundle", testCABundlePath, "--oidc-session-cache", sessionCachePath, - "--oidc-scopes", "offline_access,openid,pinniped:request-audience,groups", + // use default for --oidc-scopes, which is to request all relevant scopes }) // Run "kubectl get namespaces" which should trigger a browser login via the plugin. @@ -518,7 +525,7 @@ func TestE2EFullIntegration_Browser(t *testing.T) { t.Logf("first kubectl command took %s", time.Since(start).String()) - requireUserCanUseKubectlWithoutAuthenticatingAgain(testCtx, t, env, downstream, kubeconfigPath, sessionCachePath, pinnipedExe, expectedUsername, expectedGroups, []string{coreosoidc.ScopeOfflineAccess, coreosoidc.ScopeOpenID, "pinniped:request-audience", "groups"}) + requireUserCanUseKubectlWithoutAuthenticatingAgain(testCtx, t, env, downstream, kubeconfigPath, sessionCachePath, pinnipedExe, expectedUsername, expectedGroups, allScopes) }) t.Run("with Supervisor OIDC upstream IDP and CLI password flow without web browser", func(t *testing.T) { 
@@ -574,7 +581,7 @@ func TestE2EFullIntegration_Browser(t *testing.T) { "--upstream-identity-provider-flow", "cli_password", // create a kubeconfig configured to use the cli_password flow "--oidc-ca-bundle", testCABundlePath, "--oidc-session-cache", sessionCachePath, - "--oidc-scopes", "offline_access,openid,pinniped:request-audience,groups", + // use default for --oidc-scopes, which is to request all relevant scopes }) // Run "kubectl get namespaces" which should trigger a browser-less CLI prompt login via the plugin. @@ -601,7 +608,7 @@ func TestE2EFullIntegration_Browser(t *testing.T) { t.Logf("first kubectl command took %s", time.Since(start).String()) - requireUserCanUseKubectlWithoutAuthenticatingAgain(testCtx, t, env, downstream, kubeconfigPath, sessionCachePath, pinnipedExe, expectedUsername, expectedGroups, []string{coreosoidc.ScopeOfflineAccess, coreosoidc.ScopeOpenID, "pinniped:request-audience", "groups"}) + requireUserCanUseKubectlWithoutAuthenticatingAgain(testCtx, t, env, downstream, kubeconfigPath, sessionCachePath, pinnipedExe, expectedUsername, expectedGroups, allScopes) }) t.Run("with Supervisor OIDC upstream IDP and CLI password flow when OIDCIdentityProvider disallows it", func(t *testing.T) { @@ -648,7 +655,7 @@ func TestE2EFullIntegration_Browser(t *testing.T) { "--upstream-identity-provider-flow", "cli_password", "--oidc-ca-bundle", testCABundlePath, "--oidc-session-cache", sessionCachePath, - "--oidc-scopes", "offline_access,openid,pinniped:request-audience,groups", + // use default for --oidc-scopes, which is to request all relevant scopes }) // Run "kubectl get --raw /healthz" which should trigger a browser-less CLI prompt login via the plugin. 
@@ -710,7 +717,7 @@ func TestE2EFullIntegration_Browser(t *testing.T) { "--concierge-authenticator-type", "jwt", "--concierge-authenticator-name", authenticator.Name, "--oidc-session-cache", sessionCachePath, - "--oidc-scopes", "offline_access,openid,pinniped:request-audience,groups", + // use default for --oidc-scopes, which is to request all relevant scopes }) // Run "kubectl get namespaces" which should trigger an LDAP-style login CLI prompt via the plugin. 
@@ -737,7 +744,66 @@ func TestE2EFullIntegration_Browser(t *testing.T) { t.Logf("first kubectl command took %s", time.Since(start).String()) - requireUserCanUseKubectlWithoutAuthenticatingAgain(testCtx, t, env, downstream, kubeconfigPath, sessionCachePath, pinnipedExe, expectedUsername, expectedGroups, []string{coreosoidc.ScopeOfflineAccess, coreosoidc.ScopeOpenID, "pinniped:request-audience", "groups"}) + requireUserCanUseKubectlWithoutAuthenticatingAgain(testCtx, t, env, downstream, kubeconfigPath, sessionCachePath, pinnipedExe, expectedUsername, expectedGroups, allScopes) + }) + + // If the username and groups scope are not requested by the CLI, then the CLI still gets them, to allow for + // backwards compatibility with old CLIs that did not request those scopes because they did not exist yet. + t.Run("with Supervisor LDAP upstream IDP using username and password prompts, downstream username and groups scopes not requested", func(t *testing.T) { + testlib.SkipTestWhenLDAPIsUnavailable(t, env) + + testCtx, cancel := context.WithTimeout(context.Background(), 5*time.Minute) + t.Cleanup(cancel) + + tempDir := testutil.TempDir(t) // per-test tmp dir to avoid sharing files between tests + + expectedUsername := env.SupervisorUpstreamLDAP.TestUserMailAttributeValue + expectedGroups := env.SupervisorUpstreamLDAP.TestUserDirectGroupsDNs + + setupClusterForEndToEndLDAPTest(t, expectedUsername, env) + + // Use a specific session cache for this test. 
+ sessionCachePath := tempDir + "/test-sessions.yaml"
+
+ kubeconfigPath := runPinnipedGetKubeconfig(t, env, pinnipedExe, tempDir, []string{
+ "get", "kubeconfig",
+ "--concierge-api-group-suffix", env.APIGroupSuffix,
+ "--concierge-authenticator-type", "jwt",
+ "--concierge-authenticator-name", authenticator.Name,
+ "--oidc-session-cache", sessionCachePath,
+ "--oidc-scopes", "offline_access,openid,pinniped:request-audience", // does not request username or groups
+ })
+
+ // Run "kubectl get namespaces" which should trigger an LDAP-style login CLI prompt via the plugin.
+ start := time.Now()
+ kubectlCmd := exec.CommandContext(testCtx, "kubectl", "get", "namespace", "--kubeconfig", kubeconfigPath)
+ kubectlCmd.Env = append(os.Environ(), env.ProxyEnv()...)
+ ptyFile, err := pty.Start(kubectlCmd)
+ require.NoError(t, err)
+
+ // Wait for the subprocess to print the username prompt, then type the user's username.
+ readFromFileUntilStringIsSeen(t, ptyFile, "Username: ")
+ _, err = ptyFile.WriteString(expectedUsername + "\n")
+ require.NoError(t, err)
+
+ // Wait for the subprocess to print the password prompt, then type the user's password.
+ readFromFileUntilStringIsSeen(t, ptyFile, "Password: ")
+ _, err = ptyFile.WriteString(env.SupervisorUpstreamLDAP.TestUserPassword + "\n")
+ require.NoError(t, err)
+
+ // Read all output from the subprocess until EOF.
+ // Ignore any errors returned because there is always an error on linux.
+ kubectlOutputBytes, _ := ioutil.ReadAll(ptyFile)
+ requireKubectlGetNamespaceOutput(t, env, string(kubectlOutputBytes))
+
+ t.Logf("first kubectl command took %s", time.Since(start).String())
+
+ // Note that the list of scopes param here is used to form the cache key for looking up local session storage.
+ // The scopes portion of the cache key is made up of the requested scopes from the CLI flag, not the granted
+ // scopes returned by the Supervisor, so list the requested scopes from the CLI flag here. 
This helper will + // assert that the expected username and groups claims/values are in the downstream ID token. + requireUserCanUseKubectlWithoutAuthenticatingAgain(testCtx, t, env, downstream, kubeconfigPath, sessionCachePath, + pinnipedExe, expectedUsername, expectedGroups, []string{"offline_access", "openid", "pinniped:request-audience"}) }) // Add an LDAP upstream IDP and try using it to authenticate during kubectl commands @@ -764,7 +830,7 @@ func TestE2EFullIntegration_Browser(t *testing.T) { "--concierge-authenticator-type", "jwt", "--concierge-authenticator-name", authenticator.Name, "--oidc-session-cache", sessionCachePath, - "--oidc-scopes", "offline_access,openid,pinniped:request-audience,groups", + // use default for --oidc-scopes, which is to request all relevant scopes }) // Set up the username and password env vars to avoid the interactive prompts. @@ -803,7 +869,7 @@ func TestE2EFullIntegration_Browser(t *testing.T) { require.NoError(t, os.Unsetenv(usernameEnvVar)) require.NoError(t, os.Unsetenv(passwordEnvVar)) - requireUserCanUseKubectlWithoutAuthenticatingAgain(testCtx, t, env, downstream, kubeconfigPath, sessionCachePath, pinnipedExe, expectedUsername, expectedGroups, []string{coreosoidc.ScopeOfflineAccess, coreosoidc.ScopeOpenID, "pinniped:request-audience", "groups"}) + requireUserCanUseKubectlWithoutAuthenticatingAgain(testCtx, t, env, downstream, kubeconfigPath, sessionCachePath, pinnipedExe, expectedUsername, expectedGroups, allScopes) }) // Add an Active Directory upstream IDP and try using it to authenticate during kubectl commands 
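Review bot: The new LDAP subtest reads the pty with `ioutil.ReadAll(ptyFile)`; `io/ioutil` has been deprecated since Go 1.16 and `io.ReadAll` is the drop-in replacement (`kubectlOutputBytes, _ := io.ReadAll(ptyFile)`, assuming `io` is imported — the import block is outside this hunk, and this presumably mirrors the existing subtest it was copied from). Beyond that, the subtest repeats the earlier LDAP prompt-flow subtest almost line for line, differing only in the `--oidc-scopes` flag and the scope list handed to the helper; extracting the prompt-driven login into a helper that takes the requested scopes would keep the "scopes not requested" and "default scopes" variants from drifting apart. The discarded error on the `ReadAll` is explained by the comment above it, which is fine.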
@@ -830,7 +896,7 @@ func TestE2EFullIntegration_Browser(t *testing.T) { "--concierge-authenticator-type", "jwt", "--concierge-authenticator-name", authenticator.Name, "--oidc-session-cache", sessionCachePath, - "--oidc-scopes", "offline_access,openid,pinniped:request-audience,groups", + // use default for --oidc-scopes, which is to request all relevant scopes }) // Run "kubectl get namespaces" which should trigger an LDAP-style login CLI prompt via the plugin. @@ -857,7 +923,7 @@ func TestE2EFullIntegration_Browser(t *testing.T) { t.Logf("first kubectl command took %s", time.Since(start).String()) - requireUserCanUseKubectlWithoutAuthenticatingAgain(testCtx, t, env, downstream, kubeconfigPath, sessionCachePath, pinnipedExe, expectedUsername, expectedGroups, []string{coreosoidc.ScopeOfflineAccess, coreosoidc.ScopeOpenID, "pinniped:request-audience", "groups"}) + requireUserCanUseKubectlWithoutAuthenticatingAgain(testCtx, t, env, downstream, kubeconfigPath, sessionCachePath, pinnipedExe, expectedUsername, expectedGroups, allScopes) }) // Add an ActiveDirectory upstream IDP and try using it to authenticate during kubectl commands @@ -884,7 +950,7 @@ func TestE2EFullIntegration_Browser(t *testing.T) { "--concierge-authenticator-type", "jwt", "--concierge-authenticator-name", authenticator.Name, "--oidc-session-cache", sessionCachePath, - "--oidc-scopes", "offline_access,openid,pinniped:request-audience,groups", + // use default for --oidc-scopes, which is to request all relevant scopes }) // Set up the username and password env vars to avoid the interactive prompts. 
@@ -923,7 +989,7 @@ func TestE2EFullIntegration_Browser(t *testing.T) { require.NoError(t, os.Unsetenv(usernameEnvVar)) require.NoError(t, os.Unsetenv(passwordEnvVar)) - requireUserCanUseKubectlWithoutAuthenticatingAgain(testCtx, t, env, downstream, kubeconfigPath, sessionCachePath, pinnipedExe, expectedUsername, expectedGroups, []string{coreosoidc.ScopeOfflineAccess, coreosoidc.ScopeOpenID, "pinniped:request-audience", "groups"}) + requireUserCanUseKubectlWithoutAuthenticatingAgain(testCtx, t, env, downstream, kubeconfigPath, sessionCachePath, pinnipedExe, expectedUsername, expectedGroups, allScopes) }) // Add an LDAP upstream IDP and try using it to authenticate during kubectl commands, using the browser flow. @@ -955,7 +1021,7 @@ func TestE2EFullIntegration_Browser(t *testing.T) { "--oidc-ca-bundle", testCABundlePath, "--upstream-identity-provider-flow", "browser_authcode", "--oidc-session-cache", sessionCachePath, - "--oidc-scopes", "offline_access,openid,pinniped:request-audience,groups", + // use default for --oidc-scopes, which is to request all relevant scopes }) // Run "kubectl get namespaces" which should trigger a browser login via the plugin. @@ -973,7 +1039,7 @@ func TestE2EFullIntegration_Browser(t *testing.T) { requireKubectlGetNamespaceOutput(t, env, waitForKubectlOutput(t, kubectlOutputChan)) - requireUserCanUseKubectlWithoutAuthenticatingAgain(testCtx, t, env, downstream, kubeconfigPath, sessionCachePath, pinnipedExe, expectedUsername, expectedGroups, []string{coreosoidc.ScopeOfflineAccess, coreosoidc.ScopeOpenID, "pinniped:request-audience", "groups"}) + requireUserCanUseKubectlWithoutAuthenticatingAgain(testCtx, t, env, downstream, kubeconfigPath, sessionCachePath, pinnipedExe, expectedUsername, expectedGroups, allScopes) }) // Add an Active Directory upstream IDP and try using it to authenticate during kubectl commands, using the browser flow. 
@@ -1005,7 +1071,7 @@ func TestE2EFullIntegration_Browser(t *testing.T) { "--oidc-ca-bundle", testCABundlePath, "--upstream-identity-provider-flow", "browser_authcode", "--oidc-session-cache", sessionCachePath, - "--oidc-scopes", "offline_access,openid,pinniped:request-audience,groups", + // use default for --oidc-scopes, which is to request all relevant scopes }) // Run "kubectl get namespaces" which should trigger a browser login via the plugin. @@ -1023,7 +1089,7 @@ func TestE2EFullIntegration_Browser(t *testing.T) { requireKubectlGetNamespaceOutput(t, env, waitForKubectlOutput(t, kubectlOutputChan)) - requireUserCanUseKubectlWithoutAuthenticatingAgain(testCtx, t, env, downstream, kubeconfigPath, sessionCachePath, pinnipedExe, expectedUsername, expectedGroups, []string{coreosoidc.ScopeOfflineAccess, coreosoidc.ScopeOpenID, "pinniped:request-audience", "groups"}) + requireUserCanUseKubectlWithoutAuthenticatingAgain(testCtx, t, env, downstream, kubeconfigPath, sessionCachePath, pinnipedExe, expectedUsername, expectedGroups, allScopes) }) // Add an LDAP upstream IDP and try using it to authenticate during kubectl commands, using the env var to choose the browser flow. @@ -1055,7 +1121,7 @@ func TestE2EFullIntegration_Browser(t *testing.T) { "--oidc-ca-bundle", testCABundlePath, "--upstream-identity-provider-flow", "cli_password", // put cli_password in the kubeconfig, so we can override it with the env var "--oidc-session-cache", sessionCachePath, - "--oidc-scopes", "offline_access,openid,pinniped:request-audience,groups", + // use default for --oidc-scopes, which is to request all relevant scopes }) // Override the --upstream-identity-provider-flow flag from the kubeconfig using the env var. 
@@ -1079,7 +1145,7 @@ func TestE2EFullIntegration_Browser(t *testing.T) { requireKubectlGetNamespaceOutput(t, env, waitForKubectlOutput(t, kubectlOutputChan)) - requireUserCanUseKubectlWithoutAuthenticatingAgain(testCtx, t, env, downstream, kubeconfigPath, sessionCachePath, pinnipedExe, expectedUsername, expectedGroups, []string{coreosoidc.ScopeOfflineAccess, coreosoidc.ScopeOpenID, "pinniped:request-audience", "groups"}) + requireUserCanUseKubectlWithoutAuthenticatingAgain(testCtx, t, env, downstream, kubeconfigPath, sessionCachePath, pinnipedExe, expectedUsername, expectedGroups, allScopes) }) } @@ -1337,17 +1403,17 @@ func requireUserCanUseKubectlWithoutAuthenticatingAgain( requireGCAnnotationsOnSessionStorage(ctx, t, env.SupervisorNamespace, startTime, token) idTokenClaims := token.IDToken.Claims - require.Equal(t, expectedUsername, idTokenClaims[oidc.DownstreamUsernameClaim]) + require.Equal(t, expectedUsername, idTokenClaims["username"]) if expectedGroups == nil { - require.Nil(t, idTokenClaims[oidc.DownstreamGroupsClaim]) + require.Nil(t, idTokenClaims["groups"]) } else { // The groups claim in the file ends up as an []interface{}, so adjust our expectation to match. expectedGroupsAsEmptyInterfaces := make([]interface{}, 0, len(expectedGroups)) for _, g := range expectedGroups { expectedGroupsAsEmptyInterfaces = append(expectedGroupsAsEmptyInterfaces, g) } - require.ElementsMatch(t, expectedGroupsAsEmptyInterfaces, idTokenClaims[oidc.DownstreamGroupsClaim]) + require.ElementsMatch(t, expectedGroupsAsEmptyInterfaces, idTokenClaims["groups"]) } expectedGroupsPlusAuthenticated := append([]string{}, expectedGroups...) diff --git a/test/integration/supervisor_discovery_test.go b/test/integration/supervisor_discovery_test.go index 2d828e4c..30f96d41 100644 --- a/test/integration/supervisor_discovery_test.go +++ b/test/integration/supervisor_discovery_test.go 
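Review bot: In the requireUserCanUseKubectlWithoutAuthenticatingAgain hunk the assertions now use the literals `"username"` and `"groups"` where they previously used the `oidc.DownstreamUsernameClaim`/`oidc.DownstreamGroupsClaim` constants (the `internal/oidc` import was removed earlier in this file). Pinning the public claim names in an integration test is a reasonable choice, but without a comment the next reader is likely to "fix" it back; suggest `// Use literal claim names on purpose: this test pins the ID token contract seen by clients, not the internal constants.` Separately, the `else` branch's `ElementsMatch` passes for an absent claim as well as an empty one when expectedGroups is an empty non-nil slice, so callers cannot use this helper to assert that a `groups` claim is present but empty; the helper's remaining body is outside the hunk.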
@@ -502,11 +502,11 @@ func requireWellKnownEndpointIsWorking(t *testing.T, supervisorScheme, superviso
 "token_endpoint": "%s/oauth2/token",
 "token_endpoint_auth_methods_supported": ["client_secret_basic"],
 "jwks_uri": "%s/jwks.json",
- "scopes_supported": ["openid", "offline"],
+ "scopes_supported": ["openid", "offline_access", "pinniped:request-audience", "username", "groups"],
 "response_types_supported": ["code"],
 "response_modes_supported": ["query", "form_post"],
 "code_challenge_methods_supported": ["S256"],
- "claims_supported": ["groups"],
+ "claims_supported": ["username", "groups"],
 "discovery.supervisor.pinniped.dev/v1alpha1": {"pinniped_identity_providers_endpoint": "%s/v1alpha1/pinniped_identity_providers"},
 "subject_types_supported": ["public"],
 "id_token_signing_alg_values_supported": ["ES256"]
diff --git a/test/integration/supervisor_login_test.go b/test/integration/supervisor_login_test.go
index b465a17d..069923ff 100644
--- a/test/integration/supervisor_login_test.go
+++ b/test/integration/supervisor_login_test.go
@@ -207,6 +207,9 @@ func TestSupervisorLogin_Browser(t *testing.T) {
 // The scopes to request from the authorization endpoint. Defaults will be used when not specified.
 downstreamScopes []string
+ // The scopes to want granted from the authorization endpoint. Defaults to the downstreamScopes value when not,
+ // specified, i.e. by default it expects that all requested scopes were granted.
+ wantDownstreamScopes []string
 // When we want the localhost callback to have never happened, then the flow will stop there. The login was
 // unable to finish so there is nothing to assert about what should have happened with the callback, and there
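Review bot: The comment on the new `wantDownstreamScopes` field reads awkwardly and has a misplaced comma ("The scopes to want granted ... when not, specified"). Suggest `// The scopes expected to be granted by the authorization endpoint. Defaults to downstreamScopes when not specified, i.e. by default all requested scopes are expected to have been granted.` It is worth being precise here because the new test cases below deliberately set this to a superset of downstreamScopes, and a reader needs to know that a granted-set larger than the requested-set is the intended exception rather than a test bug.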
@@ -218,6 +221,7 @@ func TestSupervisorLogin_Browser(t *testing.T) { // The expected ID token subject claim value as a regexp, for the original ID token and the refreshed ID token. wantDownstreamIDTokenSubjectToMatch string // The expected ID token username claim value as a regexp, for the original ID token and the refreshed ID token. + // This function should return an empty string when there should be no username claim in the ID tokens. wantDownstreamIDTokenUsernameToMatch func(username string) string // The expected ID token groups claim value, for the original ID token and the refreshed ID token. wantDownstreamIDTokenGroups []string @@ -240,7 +244,8 @@ func TestSupervisorLogin_Browser(t *testing.T) { wantTokenExchangeResponse func(t *testing.T, status int, body string) // Optionally edit the refresh session data between the initial login and the first refresh, - // which is still expected to succeed after these edits. + // which is still expected to succeed after these edits. Returns the group memberships expected after the + // refresh is performed. editRefreshSessionDataWithoutBreaking func(t *testing.T, sessionData *psession.PinnipedSession, idpName, username string) []string // Optionally either revoke the user's session on the upstream provider, or manipulate the user's session // data in such a way that it should cause the next upstream refresh attempt to fail. 
@@ -278,8 +283,8 @@ func TestSupervisorLogin_Browser(t *testing.T) { }, requestAuthorization: requestAuthorizationUsingBrowserAuthcodeFlowOIDC, breakRefreshSessionData: func(t *testing.T, pinnipedSession *psession.PinnipedSession, _, _ string) { - fositeSessionData := pinnipedSession.Fosite - fositeSessionData.Claims.Extra["username"] = "some-incorrect-username" + customSessionData := pinnipedSession.Custom + customSessionData.Username = "some-incorrect-username" }, wantDownstreamIDTokenSubjectToMatch: "^" + regexp.QuoteMeta(env.SupervisorUpstreamOIDC.Issuer+"?sub=") + ".+", wantDownstreamIDTokenUsernameToMatch: func(_ string) string { return "^" + regexp.QuoteMeta(env.SupervisorUpstreamOIDC.Username) + "$" }, @@ -321,8 +326,8 @@ func TestSupervisorLogin_Browser(t *testing.T) { }, requestAuthorization: requestAuthorizationUsingBrowserAuthcodeFlowOIDC, breakRefreshSessionData: func(t *testing.T, pinnipedSession *psession.PinnipedSession, _, _ string) { - fositeSessionData := pinnipedSession.Fosite - fositeSessionData.Claims.Extra["username"] = "some-incorrect-username" + customSessionData := pinnipedSession.Custom + customSessionData.Username = "some-incorrect-username" }, wantDownstreamIDTokenSubjectToMatch: "^" + regexp.QuoteMeta(env.SupervisorUpstreamOIDC.Issuer+"?sub=") + ".+", wantDownstreamIDTokenUsernameToMatch: func(_ string) string { return "^" + regexp.QuoteMeta(env.SupervisorUpstreamOIDC.Username) + "$" }, 
@@ -400,13 +405,14 @@ func TestSupervisorLogin_Browser(t *testing.T) { wantDownstreamIDTokenGroups: env.SupervisorUpstreamLDAP.TestUserDirectGroupsDNs, }, { - name: "ldap without requesting groups scope", + name: "ldap without requesting username and groups scope gets them anyway for pinniped-cli for backwards compatibility with old CLIs", maybeSkip: skipLDAPTests, createIDP: func(t *testing.T) string { idp, _ := createLDAPIdentityProvider(t, nil) return idp.Name }, - downstreamScopes: []string{"openid", "pinniped:request-audience", "offline_access"}, + downstreamScopes: []string{"openid", "pinniped:request-audience", "offline_access"}, + wantDownstreamScopes: []string{"openid", "pinniped:request-audience", "offline_access", "username", "groups"}, requestAuthorization: func(t *testing.T, _, downstreamAuthorizeURL, _, _, _ string, httpClient *http.Client) { requestAuthorizationUsingCLIPasswordFlow(t, downstreamAuthorizeURL, @@ -426,10 +432,10 @@ func TestSupervisorLogin_Browser(t *testing.T) { wantDownstreamIDTokenUsernameToMatch: func(_ string) string { return "^" + regexp.QuoteMeta(env.SupervisorUpstreamLDAP.TestUserMailAttributeValue) + "$" }, - wantDownstreamIDTokenGroups: []string{}, + wantDownstreamIDTokenGroups: env.SupervisorUpstreamLDAP.TestUserDirectGroupsDNs, }, { - name: "oidc without requesting groups scope", + name: "oidc without requesting username and groups scope gets them anyway for pinniped-cli for backwards compatibility with old CLIs", maybeSkip: skipNever, createIDP: func(t *testing.T) string { spec := basicOIDCIdentityProviderSpec() 
@@ -443,10 +449,11 @@ func TestSupervisorLogin_Browser(t *testing.T) { return testlib.CreateTestOIDCIdentityProvider(t, spec, idpv1alpha1.PhaseReady).Name }, downstreamScopes: []string{"openid", "pinniped:request-audience", "offline_access"}, + wantDownstreamScopes: []string{"openid", "pinniped:request-audience", "offline_access", "username", "groups"}, requestAuthorization: requestAuthorizationUsingBrowserAuthcodeFlowOIDC, wantDownstreamIDTokenSubjectToMatch: "^" + regexp.QuoteMeta(env.SupervisorUpstreamOIDC.Issuer+"?sub=") + ".+", wantDownstreamIDTokenUsernameToMatch: func(_ string) string { return "^" + regexp.QuoteMeta(env.SupervisorUpstreamOIDC.Username) + "$" }, - wantDownstreamIDTokenGroups: nil, + wantDownstreamIDTokenGroups: env.SupervisorUpstreamOIDC.ExpectedGroups, }, { name: "ldap with browser flow", @@ -649,8 +656,7 @@ func TestSupervisorLogin_Browser(t *testing.T) { customSessionData := pinnipedSession.Custom require.Equal(t, psession.ProviderTypeLDAP, customSessionData.ProviderType) require.NotEmpty(t, customSessionData.LDAP.UserDN) - fositeSessionData := pinnipedSession.Fosite - fositeSessionData.Claims.Extra["username"] = "not-the-same" + customSessionData.Username = "not-the-same" }, // the ID token Subject should be the Host URL plus the value pulled from the requested UserSearch.Attributes.UID attribute wantDownstreamIDTokenSubjectToMatch: "^" + regexp.QuoteMeta( 
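Review bot: The "without requesting username and groups scope" cases (this hunk and the LDAP one just above) now expect `wantDownstreamScopes` to include `username` and `groups` that the client never asked for, codifying a scope upgrade granted to pinniped-cli for backwards compatibility. Since that is an exception for one client ID, the table should also pin its boundary: a case where a dynamic client requests only `openid` and `offline_access` and is expected to receive exactly those scopes with no `username`/`groups` claims, so a regression that extends the exception to every client would fail this suite. The large dynamic-client hunk at the end of this chunk is cut off, so such a case may already be among its additions.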
@@ -829,8 +835,7 @@ func TestSupervisorLogin_Browser(t *testing.T) { customSessionData := pinnipedSession.Custom require.Equal(t, psession.ProviderTypeActiveDirectory, customSessionData.ProviderType) require.NotEmpty(t, customSessionData.ActiveDirectory.UserDN) - fositeSessionData := pinnipedSession.Fosite - fositeSessionData.Claims.Extra["username"] = "not-the-same" + customSessionData.Username = "not-the-same" }, // the ID token Subject should be the Host URL plus the value pulled from the requested UserSearch.Attributes.UID attribute wantDownstreamIDTokenSubjectToMatch: "^" + regexp.QuoteMeta( @@ -1284,7 +1289,7 @@ func TestSupervisorLogin_Browser(t *testing.T) { }, }, { - name: "oidc upstream with downstream dynamic client happy path", + name: "oidc upstream with downstream dynamic client happy path, requesting all scopes", maybeSkip: skipNever, createIDP: func(t *testing.T) string { return testlib.CreateTestOIDCIdentityProvider(t, basicOIDCIdentityProviderSpec(), idpv1alpha1.PhaseReady).Name @@ -1301,9 +1306,10 @@ func TestSupervisorLogin_Browser(t *testing.T) { wantDownstreamIDTokenSubjectToMatch: "^" + regexp.QuoteMeta(env.SupervisorUpstreamOIDC.Issuer+"?sub=") + ".+", // the ID token Username should include the upstream user ID after the upstream issuer name wantDownstreamIDTokenUsernameToMatch: func(_ string) string { return "^" + regexp.QuoteMeta(env.SupervisorUpstreamOIDC.Issuer+"?sub=") + ".+" }, + wantDownstreamIDTokenGroups: env.SupervisorUpstreamOIDC.ExpectedGroups, }, { - name: "ldap upstream with downstream dynamic client happy path", + name: "ldap upstream with downstream dynamic client happy path, requesting all scopes", maybeSkip: skipLDAPTests, createIDP: func(t *testing.T) string { idp, _ := createLDAPIdentityProvider(t, nil) 
@@ -1334,6 +1340,237 @@ func TestSupervisorLogin_Browser(t *testing.T) { }, wantDownstreamIDTokenGroups: env.SupervisorUpstreamLDAP.TestUserDirectGroupsDNs, }, + { + name: "ldap upstream with downstream dynamic client when dynamic client is not allowed to use the token exchange grant type, causes token exchange error", + maybeSkip: skipLDAPTests, + createIDP: func(t *testing.T) string { + idp, _ := createLDAPIdentityProvider(t, nil) + return idp.Name + }, + createOIDCClient: func(t *testing.T, callbackURL string) (string, string) { + return testlib.CreateOIDCClient(t, configv1alpha1.OIDCClientSpec{ + AllowedRedirectURIs: []configv1alpha1.RedirectURI{configv1alpha1.RedirectURI(callbackURL)}, + AllowedGrantTypes: []configv1alpha1.GrantType{"authorization_code", "refresh_token"}, // token exchange grant type not allowed + AllowedScopes: []configv1alpha1.Scope{"openid", "offline_access", "username", "groups"}, // a validation requires that we also disallow the pinniped:request-audience scope + }, configv1alpha1.PhaseReady) + }, + testUser: func(t *testing.T) (string, string) { + // return the username and password of the existing user that we want to use for this test + return env.SupervisorUpstreamLDAP.TestUserMailAttributeValue, // username to present to server during login + env.SupervisorUpstreamLDAP.TestUserPassword // password to present to server during login + }, + downstreamScopes: []string{"openid", "offline_access", "username", "groups"}, // does not request (or expect) pinniped:request-audience token exchange scope + requestAuthorization: requestAuthorizationUsingBrowserAuthcodeFlowLDAP, + // the ID token Username should have been pulled from the requested UserSearch.Attributes.Username attribute + wantDownstreamIDTokenUsernameToMatch: func(_ string) string { + return "^" + regexp.QuoteMeta(env.SupervisorUpstreamLDAP.TestUserMailAttributeValue) + "$" + }, + wantDownstreamIDTokenGroups: env.SupervisorUpstreamLDAP.TestUserDirectGroupsDNs, + 
wantTokenExchangeResponse: func(t *testing.T, status int, body string) { // can't do token exchanges without the token exchange grant type + require.Equal(t, http.StatusBadRequest, status) + require.Equal(t, + `{"error":"unauthorized_client","error_description":"The client is not authorized to request a token using this method. `+ + `The OAuth 2.0 Client is not allowed to use token exchange grant 'urn:ietf:params:oauth:grant-type:token-exchange'."}`, + body) + }, + }, + { + name: "ldap upstream with downstream dynamic client when dynamic client that does not request the pinniped:request-audience scope, causes token exchange error", + maybeSkip: skipLDAPTests, + createIDP: func(t *testing.T) string { + idp, _ := createLDAPIdentityProvider(t, nil) + return idp.Name + }, + createOIDCClient: func(t *testing.T, callbackURL string) (string, string) { + return testlib.CreateOIDCClient(t, configv1alpha1.OIDCClientSpec{ + AllowedRedirectURIs: []configv1alpha1.RedirectURI{configv1alpha1.RedirectURI(callbackURL)}, + AllowedGrantTypes: []configv1alpha1.GrantType{"authorization_code", "urn:ietf:params:oauth:grant-type:token-exchange", "refresh_token"}, + AllowedScopes: []configv1alpha1.Scope{"openid", "offline_access", "pinniped:request-audience", "username", "groups"}, + }, configv1alpha1.PhaseReady) + }, + testUser: func(t *testing.T) (string, string) { + // return the username and password of the existing user that we want to use for this test + return env.SupervisorUpstreamLDAP.TestUserMailAttributeValue, // username to present to server during login + env.SupervisorUpstreamLDAP.TestUserPassword // password to present to server during login + }, + downstreamScopes: []string{"openid", "offline_access", "username", "groups"}, // does not request (or expect) pinniped:request-audience token exchange scope + requestAuthorization: requestAuthorizationUsingBrowserAuthcodeFlowLDAP, + // the ID token Username should have been pulled from the requested UserSearch.Attributes.Username 
attribute + wantDownstreamIDTokenUsernameToMatch: func(_ string) string { + return "^" + regexp.QuoteMeta(env.SupervisorUpstreamLDAP.TestUserMailAttributeValue) + "$" + }, + wantDownstreamIDTokenGroups: env.SupervisorUpstreamLDAP.TestUserDirectGroupsDNs, + wantTokenExchangeResponse: func(t *testing.T, status int, body string) { // can't do token exchanges without the pinniped:request-audience token exchange scope + require.Equal(t, http.StatusForbidden, status) + require.Equal(t, + `{"error":"access_denied","error_description":"The resource owner or authorization server denied the request. `+ + `missing the 'pinniped:request-audience' scope"}`, + body) + }, + }, + { + name: "ldap upstream with downstream dynamic client when dynamic client is not allowed to request username but requests username anyway, causes authorization error", + maybeSkip: skipLDAPTests, + createIDP: func(t *testing.T) string { + idp, _ := createLDAPIdentityProvider(t, nil) + return idp.Name + }, + createOIDCClient: func(t *testing.T, callbackURL string) (string, string) { + return testlib.CreateOIDCClient(t, configv1alpha1.OIDCClientSpec{ + AllowedRedirectURIs: []configv1alpha1.RedirectURI{configv1alpha1.RedirectURI(callbackURL)}, + AllowedGrantTypes: []configv1alpha1.GrantType{"authorization_code", "refresh_token"}, // token exchange not allowed (required to exclude groups scope) + AllowedScopes: []configv1alpha1.Scope{"openid", "offline_access", "groups"}, // username not allowed + }, configv1alpha1.PhaseReady) + }, + testUser: func(t *testing.T) (string, string) { + // return the username and password of the existing user that we want to use for this test + return env.SupervisorUpstreamLDAP.TestUserMailAttributeValue, // username to present to server during login + env.SupervisorUpstreamLDAP.TestUserPassword // password to present to server during login + }, + downstreamScopes: []string{"openid", "offline_access", "username"}, // request username, even though the client is not allowed to 
request it + // Should have been immediately redirected back to the local callback server with an error in this case, + // since we requested a scope that the client is not allowed to request. The login UI page is never shown. + requestAuthorization: requestAuthorizationAndExpectImmediateRedirectToCallback, + wantAuthorizationErrorDescription: "The requested scope is invalid, unknown, or malformed. The OAuth 2.0 Client is not allowed to request scope 'username'.", + wantAuthorizationErrorType: "invalid_scope", + }, + { + name: "ldap upstream with downstream dynamic client when dynamic client is not allowed to request groups but requests groups anyway, causes authorization error", + maybeSkip: skipLDAPTests, + createIDP: func(t *testing.T) string { + idp, _ := createLDAPIdentityProvider(t, nil) + return idp.Name + }, + createOIDCClient: func(t *testing.T, callbackURL string) (string, string) { + return testlib.CreateOIDCClient(t, configv1alpha1.OIDCClientSpec{ + AllowedRedirectURIs: []configv1alpha1.RedirectURI{configv1alpha1.RedirectURI(callbackURL)}, + AllowedGrantTypes: []configv1alpha1.GrantType{"authorization_code", "refresh_token"}, // token exchange not allowed (required to exclude groups scope) + AllowedScopes: []configv1alpha1.Scope{"openid", "offline_access", "username"}, // groups not allowed + }, configv1alpha1.PhaseReady) + }, + testUser: func(t *testing.T) (string, string) { + // return the username and password of the existing user that we want to use for this test + return env.SupervisorUpstreamLDAP.TestUserMailAttributeValue, // username to present to server during login + env.SupervisorUpstreamLDAP.TestUserPassword // password to present to server during login + }, + downstreamScopes: []string{"openid", "offline_access", "groups"}, // request groups, even though the client is not allowed to request it + // Should have been immediately redirected back to the local callback server with an error in this case, + // since we requested a scope that the 
client is not allowed to request. The login UI page is never shown. + requestAuthorization: requestAuthorizationAndExpectImmediateRedirectToCallback, + wantAuthorizationErrorDescription: "The requested scope is invalid, unknown, or malformed. The OAuth 2.0 Client is not allowed to request scope 'groups'.", + wantAuthorizationErrorType: "invalid_scope", + }, + { + name: "ldap upstream with downstream dynamic client when dynamic client does not request groups happy path", + maybeSkip: skipLDAPTests, + createIDP: func(t *testing.T) string { + idp, _ := createLDAPIdentityProvider(t, nil) + return idp.Name + }, + createOIDCClient: func(t *testing.T, callbackURL string) (string, string) { + return testlib.CreateOIDCClient(t, configv1alpha1.OIDCClientSpec{ + AllowedRedirectURIs: []configv1alpha1.RedirectURI{configv1alpha1.RedirectURI(callbackURL)}, + AllowedGrantTypes: []configv1alpha1.GrantType{"authorization_code", "urn:ietf:params:oauth:grant-type:token-exchange", "refresh_token"}, + AllowedScopes: []configv1alpha1.Scope{"openid", "offline_access", "pinniped:request-audience", "username", "groups"}, + }, configv1alpha1.PhaseReady) + }, + testUser: func(t *testing.T) (string, string) { + // return the username and password of the existing user that we want to use for this test + return env.SupervisorUpstreamLDAP.TestUserMailAttributeValue, // username to present to server during login + env.SupervisorUpstreamLDAP.TestUserPassword // password to present to server during login + }, + downstreamScopes: []string{"openid", "pinniped:request-audience", "offline_access", "username"}, // do not request (or expect) groups + requestAuthorization: requestAuthorizationUsingBrowserAuthcodeFlowLDAP, + // the ID token Subject should be the Host URL plus the value pulled from the requested UserSearch.Attributes.UID attribute + wantDownstreamIDTokenSubjectToMatch: "^" + regexp.QuoteMeta( + "ldaps://"+env.SupervisorUpstreamLDAP.Host+ + 
"?base="+url.QueryEscape(env.SupervisorUpstreamLDAP.UserSearchBase)+ + "&sub="+base64.RawURLEncoding.EncodeToString([]byte(env.SupervisorUpstreamLDAP.TestUserUniqueIDAttributeValue)), + ) + "$", + // the ID token Username should have been pulled from the requested UserSearch.Attributes.Username attribute + wantDownstreamIDTokenUsernameToMatch: func(_ string) string { + return "^" + regexp.QuoteMeta(env.SupervisorUpstreamLDAP.TestUserMailAttributeValue) + "$" + }, + wantDownstreamIDTokenGroups: nil, // did not request groups, so should not have got any groups + }, + { + name: "ldap upstream with downstream dynamic client when dynamic client does not request username, is allowed to auth but cannot do token exchange", + maybeSkip: skipLDAPTests, + createIDP: func(t *testing.T) string { + idp, _ := createLDAPIdentityProvider(t, nil) + return idp.Name + }, + createOIDCClient: func(t *testing.T, callbackURL string) (string, string) { + return testlib.CreateOIDCClient(t, configv1alpha1.OIDCClientSpec{ + AllowedRedirectURIs: []configv1alpha1.RedirectURI{configv1alpha1.RedirectURI(callbackURL)}, + AllowedGrantTypes: []configv1alpha1.GrantType{"authorization_code", "urn:ietf:params:oauth:grant-type:token-exchange", "refresh_token"}, + AllowedScopes: []configv1alpha1.Scope{"openid", "offline_access", "pinniped:request-audience", "username", "groups"}, + }, configv1alpha1.PhaseReady) + }, + testUser: func(t *testing.T) (string, string) { + // return the username and password of the existing user that we want to use for this test + return env.SupervisorUpstreamLDAP.TestUserMailAttributeValue, // username to present to server during login + env.SupervisorUpstreamLDAP.TestUserPassword // password to present to server during login + }, + downstreamScopes: []string{"openid", "pinniped:request-audience", "offline_access", "groups"}, // do not request (or expect) username + requestAuthorization: requestAuthorizationUsingBrowserAuthcodeFlowLDAP, + // the ID token Subject should be the 
Host URL plus the value pulled from the requested UserSearch.Attributes.UID attribute + wantDownstreamIDTokenSubjectToMatch: "^" + regexp.QuoteMeta( + "ldaps://"+env.SupervisorUpstreamLDAP.Host+ + "?base="+url.QueryEscape(env.SupervisorUpstreamLDAP.UserSearchBase)+ + "&sub="+base64.RawURLEncoding.EncodeToString([]byte(env.SupervisorUpstreamLDAP.TestUserUniqueIDAttributeValue)), + ) + "$", + wantDownstreamIDTokenUsernameToMatch: func(_ string) string { + return "" // username should not exist as a claim since we did not request it + }, + wantDownstreamIDTokenGroups: env.SupervisorUpstreamLDAP.TestUserDirectGroupsDNs, + wantTokenExchangeResponse: func(t *testing.T, status int, body string) { // can't do token exchanges without a username + require.Equal(t, http.StatusForbidden, status) + require.Equal(t, + `{"error":"access_denied","error_description":"The resource owner or authorization server denied the request. `+ + `No username found in session. Ensure that the 'username' scope was requested and granted at the authorization endpoint."}`, + body) + }, + }, + { + name: "ldap upstream with downstream dynamic client when dynamic client is not allowed to request username or groups and does not request them, is allowed to auth but cannot do token exchange", + maybeSkip: skipLDAPTests, + createIDP: func(t *testing.T) string { + idp, _ := createLDAPIdentityProvider(t, nil) + return idp.Name + }, + createOIDCClient: func(t *testing.T, callbackURL string) (string, string) { + return testlib.CreateOIDCClient(t, configv1alpha1.OIDCClientSpec{ + AllowedRedirectURIs: []configv1alpha1.RedirectURI{configv1alpha1.RedirectURI(callbackURL)}, + AllowedGrantTypes: []configv1alpha1.GrantType{"authorization_code", "refresh_token"}, + AllowedScopes: []configv1alpha1.Scope{"openid", "offline_access"}, // validations require that when username/groups are excluded, then token exchange must also not be allowed + }, configv1alpha1.PhaseReady) + }, + testUser: func(t *testing.T) (string, 
string) { + // return the username and password of the existing user that we want to use for this test + return env.SupervisorUpstreamLDAP.TestUserMailAttributeValue, // username to present to server during login + env.SupervisorUpstreamLDAP.TestUserPassword // password to present to server during login + }, + downstreamScopes: []string{"openid", "offline_access"}, // do not request (or expect) pinniped:request-audience or username or groups + requestAuthorization: requestAuthorizationUsingBrowserAuthcodeFlowLDAP, + // the ID token Subject should be the Host URL plus the value pulled from the requested UserSearch.Attributes.UID attribute + wantDownstreamIDTokenSubjectToMatch: "^" + regexp.QuoteMeta( + "ldaps://"+env.SupervisorUpstreamLDAP.Host+ + "?base="+url.QueryEscape(env.SupervisorUpstreamLDAP.UserSearchBase)+ + "&sub="+base64.RawURLEncoding.EncodeToString([]byte(env.SupervisorUpstreamLDAP.TestUserUniqueIDAttributeValue)), + ) + "$", + wantDownstreamIDTokenUsernameToMatch: func(_ string) string { + return "" // username should not exist as a claim since we did not request it + }, + wantDownstreamIDTokenGroups: nil, // did not request groups, so should not have got any groups + wantTokenExchangeResponse: func(t *testing.T, status int, body string) { // can't do token exchanges without the token exchange grant type + require.Equal(t, http.StatusBadRequest, status) + require.Equal(t, + `{"error":"unauthorized_client","error_description":"The client is not authorized to request a token using this method. `+ + `The OAuth 2.0 Client is not allowed to use token exchange grant 'urn:ietf:params:oauth:grant-type:token-exchange'."}`, + body) + }, + }, { name: "active directory with all default options with downstream dynamic client happy path", maybeSkip: skipActiveDirectoryTests, 
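Review bot: Two of the new test cases carry copy-pasted text that no longer matches what they exercise: the case that disallows the username scope keeps the comment `// token exchange not allowed (required to exclude groups scope)` on its AllowedGrantTypes line even though it is the username scope being excluded there, and the name `"...when dynamic client that does not request the pinniped:request-audience scope, causes token exchange error"` reads as a fragment. Suggest `// token exchange not allowed (required to exclude username scope)` for the first and dropping the stray `that` in the second (`...when dynamic client does not request the pinniped:request-audience scope, causes token exchange error`). These names are what surface in CI output when a scope-enforcement regression fires, so keeping them precise is worth the edit. The test table these cases belong to starts before this hunk.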
@@ -1411,6 +1648,7 @@ func TestSupervisorLogin_Browser(t *testing.T) { tt.createOIDCClient, tt.downstreamScopes, tt.requestTokenExchangeAud, + tt.wantDownstreamScopes, tt.wantLocalhostCallbackToNeverHappen, tt.wantDownstreamIDTokenSubjectToMatch, tt.wantDownstreamIDTokenUsernameToMatch, @@ -1552,6 +1790,7 @@ func testSupervisorLogin( createOIDCClient func(t *testing.T, callbackURL string) (string, string), downstreamScopes []string, requestTokenExchangeAud string, + wantDownstreamScopes []string, wantLocalhostCallbackToNeverHappen bool, wantDownstreamIDTokenSubjectToMatch string, wantDownstreamIDTokenUsernameToMatch func(username string) string, @@ -1672,7 +1911,13 @@ func testSupervisorLogin( }, 30*time.Second, 200*time.Millisecond) if downstreamScopes == nil { - downstreamScopes = []string{"openid", "pinniped:request-audience", "offline_access", "groups"} + // By default, tests will request all the relevant groups. + downstreamScopes = []string{"openid", "pinniped:request-audience", "offline_access", "username", "groups"} + } + if wantDownstreamScopes == nil { + // By default, tests will want that all requested scopes were granted. + wantDownstreamScopes = make([]string, len(downstreamScopes)) + copy(wantDownstreamScopes, downstreamScopes) } // Create the OAuth2 configuration. 
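Review bot: The new default comment in testSupervisorLogin says `// By default, tests will request all the relevant groups.` while the line under it sets the default scope list, so it should read `// By default, tests will request all the relevant scopes.`. The `make`+`copy` pair that follows can be the one-liner `wantDownstreamScopes = slices.Clone(downstreamScopes)`, since this file already uses the `slices` package (assuming the version in go.mod provides Clone). testSupervisorLogin begins and ends outside this hunk.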
@@ -1728,14 +1973,14 @@ func testSupervisorLogin( if wantAuthorizationErrorType != "" { errorDescription := callback.URL.Query().Get("error_description") errorType := callback.URL.Query().Get("error") - require.Equal(t, errorDescription, wantAuthorizationErrorDescription) - require.Equal(t, errorType, wantAuthorizationErrorType) + require.Equal(t, wantAuthorizationErrorDescription, errorDescription) + require.Equal(t, wantAuthorizationErrorType, errorType) // The authorization has failed, so can't continue the login flow, making this the end of the test case. return } require.Equal(t, stateParam.String(), callback.URL.Query().Get("state")) - require.ElementsMatch(t, downstreamScopes, strings.Split(callback.URL.Query().Get("scope"), " ")) + require.ElementsMatch(t, wantDownstreamScopes, strings.Split(callback.URL.Query().Get("scope"), " ")) authcode := callback.URL.Query().Get("code") require.NotEmpty(t, authcode) @@ -1750,8 +1995,14 @@ func testSupervisorLogin( return } require.NoError(t, err) - expectedIDTokenClaims := []string{"iss", "exp", "sub", "aud", "auth_time", "iat", "jti", "nonce", "rat", "username"} - if slices.Contains(downstreamScopes, "groups") { + + expectedIDTokenClaims := []string{"iss", "exp", "sub", "aud", "auth_time", "iat", "jti", "nonce", "rat"} + if slices.Contains(wantDownstreamScopes, "username") { + // If the test wants the username scope to have been granted, then also expect the claim in the ID token. + expectedIDTokenClaims = append(expectedIDTokenClaims, "username") + } + if slices.Contains(wantDownstreamScopes, "groups") { + // If the test wants the groups scope to have been granted, then also expect the claim in the ID token. expectedIDTokenClaims = append(expectedIDTokenClaims, "groups") } verifyTokenResponse(t, 
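Review bot: The block that appends "username" and "groups" to expectedIDTokenClaims based on wantDownstreamScopes is duplicated verbatim for the refreshed-token claims in the later hunk `@@ -1793,13 +2044,18 @@`, with only the base list differing; the next person who adds a scope-gated claim has to remember to update both. A small helper taking the base list and wantDownstreamScopes removes the duplication and gives the rule one home. testSupervisorLogin starts and ends outside this hunk.

```go
// … unchanged: require.NoError(t, err) …
expectedIDTokenClaims := expectedClaimsForScopes(wantDownstreamScopes,
	[]string{"iss", "exp", "sub", "aud", "auth_time", "iat", "jti", "nonce", "rat"})
// … unchanged: verifyTokenResponse call …

// expectedClaimsForScopes returns base plus the "username" and "groups" claims when the
// corresponding scope is in wantScopes; both ID token claim lists in testSupervisorLogin
// are built this way.
func expectedClaimsForScopes(wantScopes []string, base []string) []string {
	claims := append([]string{}, base...)
	if slices.Contains(wantScopes, "username") {
		claims = append(claims, "username")
	}
	if slices.Contains(wantScopes, "groups") {
		claims = append(claims, "groups")
	}
	return claims
}
```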
@@ -1764,7 +2015,7 @@ func testSupervisorLogin( } doTokenExchange(t, requestTokenExchangeAud, &downstreamOAuth2Config, tokenResponse, httpClient, discovery, wantTokenExchangeResponse) - refreshedGroups := wantDownstreamIDTokenGroups + wantRefreshedGroups := wantDownstreamIDTokenGroups if editRefreshSessionDataWithoutBreaking != nil { latestRefreshToken := tokenResponse.RefreshToken signatureOfLatestRefreshToken := getFositeDataSignature(t, latestRefreshToken) @@ -1780,7 +2031,7 @@ func testSupervisorLogin( pinnipedSession, ok := storedRefreshSession.GetSession().(*psession.PinnipedSession) require.True(t, ok, "should have been able to cast session data to PinnipedSession") - refreshedGroups = editRefreshSessionDataWithoutBreaking(t, pinnipedSession, idpName, username) + wantRefreshedGroups = editRefreshSessionDataWithoutBreaking(t, pinnipedSession, idpName, username) // Then save the mutated Secret back to Kubernetes. // There is no update function, so delete and create again at the same name. 
@@ -1793,13 +2044,18 @@ func testSupervisorLogin( require.NoError(t, err) // When refreshing, expect to get an "at_hash" claim, but no "nonce" claim. - expectRefreshedIDTokenClaims := []string{"iss", "exp", "sub", "aud", "auth_time", "iat", "jti", "rat", "username", "at_hash"} - if slices.Contains(downstreamScopes, "groups") { + expectRefreshedIDTokenClaims := []string{"iss", "exp", "sub", "aud", "auth_time", "iat", "jti", "rat", "at_hash"} + if slices.Contains(wantDownstreamScopes, "username") { + // If the test wants the username scope to have been granted, then also expect the claim in the refreshed ID token. + expectRefreshedIDTokenClaims = append(expectRefreshedIDTokenClaims, "username") + } + if slices.Contains(wantDownstreamScopes, "groups") { + // If the test wants the groups scope to have been granted, then also expect the claim in the refreshed ID token. expectRefreshedIDTokenClaims = append(expectRefreshedIDTokenClaims, "groups") } verifyTokenResponse(t, refreshedTokenResponse, discovery, downstreamOAuth2Config, "", - expectRefreshedIDTokenClaims, wantDownstreamIDTokenSubjectToMatch, wantDownstreamIDTokenUsernameToMatch(username), refreshedGroups) + expectRefreshedIDTokenClaims, wantDownstreamIDTokenSubjectToMatch, wantDownstreamIDTokenUsernameToMatch(username), wantRefreshedGroups) require.NotEqual(t, tokenResponse.AccessToken, refreshedTokenResponse.AccessToken) require.NotEqual(t, tokenResponse.RefreshToken, refreshedTokenResponse.RefreshToken) 
@@ -1892,8 +2148,11 @@ func verifyTokenResponse( } require.ElementsMatch(t, expectedIDTokenClaims, idTokenClaimNames) - // Check username claim of the ID token. - require.Regexp(t, wantDownstreamIDTokenUsernameToMatch, idTokenClaims["username"].(string)) + // Check username claim of the ID token, if one is expected. Asserting on the lack of a username claim is + // handled above where the full list of claims are asserted. + if wantDownstreamIDTokenUsernameToMatch != "" { + require.Regexp(t, wantDownstreamIDTokenUsernameToMatch, idTokenClaims["username"].(string)) + } // Check the groups claim. require.ElementsMatch(t, wantDownstreamIDTokenGroups, idTokenClaims["groups"]) @@ -1912,6 +2171,21 @@ func verifyTokenResponse( require.True(t, strings.HasPrefix(tokenResponse.RefreshToken, "pin_rt_"), "token %q did not have expected prefix 'pin_rt_'", tokenResponse.RefreshToken) } +func requestAuthorizationAndExpectImmediateRedirectToCallback(t *testing.T, _, downstreamAuthorizeURL, downstreamCallbackURL, _, _ string, _ *http.Client) { + t.Helper() + + // Open the web browser and navigate to the downstream authorize URL. + page := browsertest.Open(t) + t.Logf("opening browser to downstream authorize URL %s", testlib.MaskTokens(downstreamAuthorizeURL)) + require.NoError(t, page.Navigate(downstreamAuthorizeURL)) + + // Expect that it immediately redirects back to the callback, which is what happens for certain types of errors + // where it is not worth redirecting to the login UI page. + t.Logf("waiting for redirect to callback") + callbackURLPattern := regexp.MustCompile(`\A` + regexp.QuoteMeta(downstreamCallbackURL) + `\?.+\z`) + browsertest.WaitForURL(t, page, callbackURLPattern) +} + func requestAuthorizationUsingBrowserAuthcodeFlowOIDC(t *testing.T, _, downstreamAuthorizeURL, downstreamCallbackURL, _, _ string, httpClient *http.Client) { t.Helper() env := testlib.IntegrationEnv(t) 
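Review bot: In verifyTokenResponse the new guard makes an empty wantDownstreamIDTokenUsernameToMatch mean "no username claim expected", but that negative expectation is only enforced indirectly through the ElementsMatch on claim names above; an explicit `else { require.NotContains(t, idTokenClaims, "username") }` makes the negative case fail with a message that names the claim. The `.(string)` assertion kept inside the guard still panics rather than failing the test if the claim has an unexpected type; `require.IsType(t, "", idTokenClaims["username"])` before it keeps the failure inside testify. verifyTokenResponse starts outside this hunk.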
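Review bot: requestAuthorizationAndExpectImmediateRedirectToCallback has no doc comment, and its contract (it only waits for the redirect and does not inspect the error parameters) is not obvious from the name alone. Suggest `// requestAuthorizationAndExpectImmediateRedirectToCallback drives the browser to the authorize URL and waits for the Supervisor to redirect straight back to the callback without showing the login UI; the caller asserts whatever error parameters the callback carries.` above the function. The regex `\?.+\z` accepts any non-empty query, which is what allows the caller to own that assertion, so the comment should say so explicitly.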
diff --git a/test/integration/supervisor_warnings_test.go b/test/integration/supervisor_warnings_test.go index 55cbf7dd..dcc05a4c 100644 --- a/test/integration/supervisor_warnings_test.go +++ b/test/integration/supervisor_warnings_test.go @@ -19,7 +19,6 @@ import ( "testing" "time" - coreosoidc "github.com/coreos/go-oidc/v3/oidc" "github.com/creack/pty" "github.com/stretchr/testify/require" authorizationv1 "k8s.io/api/authorization/v1" @@ -173,7 +172,7 @@ func TestSupervisorWarnings_Browser(t *testing.T) { })) // construct the cache key - downstreamScopes := []string{coreosoidc.ScopeOfflineAccess, coreosoidc.ScopeOpenID, "pinniped:request-audience", "groups"} + downstreamScopes := []string{"offline_access", "openid", "pinniped:request-audience", "groups"} sort.Strings(downstreamScopes) sessionCacheKey := oidcclient.SessionCacheKey{ Issuer: downstream.Spec.Issuer, @@ -481,7 +480,7 @@ func TestSupervisorWarnings_Browser(t *testing.T) { })) // construct the cache key - downstreamScopes := []string{coreosoidc.ScopeOfflineAccess, coreosoidc.ScopeOpenID, "pinniped:request-audience", "groups"} + downstreamScopes := []string{"offline_access", "openid", "pinniped:request-audience", "groups"} sort.Strings(downstreamScopes) sessionCacheKey := oidcclient.SessionCacheKey{ Issuer: downstream.Spec.Issuer, From 8a5db99abfb9e691f4cc78be3fcacbd490175b68 Mon Sep 17 00:00:00 2001 From: Ryan Richard Date: Tue, 9 Aug 2022 09:12:25 -0700 Subject: [PATCH 40/61] `get kubeconfig` cmd errors on audience values with reserved substring --- cmd/pinniped/cmd/kubeconfig.go | 3 ++ cmd/pinniped/cmd/kubeconfig_test.go | 71 +++++++++++++++++++++++++++++ 2 files changed, 74 insertions(+) diff --git a/cmd/pinniped/cmd/kubeconfig.go b/cmd/pinniped/cmd/kubeconfig.go index e03834d3..32468abf 100644 --- a/cmd/pinniped/cmd/kubeconfig.go +++ b/cmd/pinniped/cmd/kubeconfig.go 
@@ -331,6 +331,9 @@ func newExecConfig(deps kubeconfigDeps, flags getKubeconfigParams) (*clientcmdap
 execConfig.Args = append(execConfig.Args, "--debug-session-cache")
 }
 if flags.oidc.requestAudience != "" {
+ if strings.Contains(flags.oidc.requestAudience, ".pinniped.dev") {
+ return nil, fmt.Errorf("request audience is not allowed to include the substring '.pinniped.dev': %s", flags.oidc.requestAudience)
+ }
 execConfig.Args = append(execConfig.Args, "--request-audience="+flags.oidc.requestAudience)
 }
 if flags.oidc.upstreamIDPName != "" {
diff --git a/cmd/pinniped/cmd/kubeconfig_test.go b/cmd/pinniped/cmd/kubeconfig_test.go
index b6c6428f..127cd550 100644
--- a/cmd/pinniped/cmd/kubeconfig_test.go
+++ b/cmd/pinniped/cmd/kubeconfig_test.go
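Review bot: The new reserved-substring check in newExecConfig is case-sensitive, so an audience such as `my-cluster.Pinniped.Dev` passes it; whether that is intended depends on how the Supervisor validates the reserved `.pinniped.dev` string server-side, which this patch does not show — if that check folds case, `strings.Contains(strings.ToLower(flags.oidc.requestAudience), ".pinniped.dev")` keeps the CLI in step. Either way the check runs on the client while generating a kubeconfig, so it is a fail-early convenience rather than the enforcement point; a comment such as `// Fail early here for a clearer CLI error; the Supervisor is expected to reject reserved audiences itself — confirm that check exists before relying on this one.` would stop a later reader from treating it as the boundary. Consider `%q` instead of `%s` for the echoed audience so whitespace or an otherwise odd value is visible in the error, bearing in mind the exact message is asserted in kubeconfig_test.go in the next hunk. newExecConfig starts and ends outside this hunk.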
@@ -639,6 +639,77 @@ func TestGetKubeconfig(t *testing.T) { return `Error: tried to autodiscover --oidc-ca-bundle, but JWTAuthenticator test-authenticator has invalid spec.tls.certificateAuthorityData: illegal base64 data at input byte 7` + "\n" }, }, + { + name: "autodetect JWT authenticator, invalid substring in audience", + args: func(issuerCABundle string, issuerURL string) []string { + return []string{ + "--kubeconfig", "./testdata/kubeconfig.yaml", + } + }, + conciergeObjects: func(issuerCABundle string, issuerURL string) []runtime.Object { + return []runtime.Object{ + credentialIssuer(), + &conciergev1alpha1.JWTAuthenticator{ + ObjectMeta: metav1.ObjectMeta{Name: "test-authenticator"}, + Spec: conciergev1alpha1.JWTAuthenticatorSpec{ + Issuer: issuerURL, + Audience: "some-test-audience.pinniped.dev-invalid-substring", + TLS: &conciergev1alpha1.TLSSpec{ + CertificateAuthorityData: base64.StdEncoding.EncodeToString([]byte(issuerCABundle)), + }, + }, + }, + } + }, + oidcDiscoveryResponse: happyOIDCDiscoveryResponse, + wantLogs: func(issuerCABundle string, issuerURL string) []string { + return []string{ + `"level"=0 "msg"="discovered CredentialIssuer" "name"="test-credential-issuer"`, + `"level"=0 "msg"="discovered Concierge operating in TokenCredentialRequest API mode"`, + `"level"=0 "msg"="discovered Concierge endpoint" "endpoint"="https://fake-server-url-value"`, + `"level"=0 "msg"="discovered Concierge certificate authority bundle" "roots"=0`, + `"level"=0 "msg"="discovered JWTAuthenticator" "name"="test-authenticator"`, + fmt.Sprintf(`"level"=0 "msg"="discovered OIDC issuer" "issuer"="%s"`, issuerURL), + `"level"=0 "msg"="discovered OIDC audience" "audience"="some-test-audience.pinniped.dev-invalid-substring"`, + `"level"=0 "msg"="discovered OIDC CA bundle" "roots"=1`, + } + }, + wantError: true, + wantStderr: func(issuerCABundle string, issuerURL string) string { + return `Error: request audience is not allowed to include the substring '.pinniped.dev': 
some-test-audience.pinniped.dev-invalid-substring` + "\n" + }, + }, + { + name: "autodetect JWT authenticator, override audience value, invalid substring in audience override value", + args: func(issuerCABundle string, issuerURL string) []string { + return []string{ + "--kubeconfig", "./testdata/kubeconfig.yaml", + "--oidc-request-audience", "some-test-audience.pinniped.dev-invalid-substring", + } + }, + conciergeObjects: func(issuerCABundle string, issuerURL string) []runtime.Object { + return []runtime.Object{ + credentialIssuer(), + jwtAuthenticator(issuerCABundle, issuerURL), + } + }, + oidcDiscoveryResponse: happyOIDCDiscoveryResponse, + wantLogs: func(issuerCABundle string, issuerURL string) []string { + return []string{ + `"level"=0 "msg"="discovered CredentialIssuer" "name"="test-credential-issuer"`, + `"level"=0 "msg"="discovered Concierge operating in TokenCredentialRequest API mode"`, + `"level"=0 "msg"="discovered Concierge endpoint" "endpoint"="https://fake-server-url-value"`, + `"level"=0 "msg"="discovered Concierge certificate authority bundle" "roots"=0`, + `"level"=0 "msg"="discovered JWTAuthenticator" "name"="test-authenticator"`, + fmt.Sprintf(`"level"=0 "msg"="discovered OIDC issuer" "issuer"="%s"`, issuerURL), + `"level"=0 "msg"="discovered OIDC CA bundle" "roots"=1`, + } + }, + wantError: true, + wantStderr: func(issuerCABundle string, issuerURL string) string { + return `Error: request audience is not allowed to include the substring '.pinniped.dev': some-test-audience.pinniped.dev-invalid-substring` + "\n" + }, + }, { name: "fail to get self-path", args: func(issuerCABundle string, issuerURL string) []string { From 0bb2c7beb759247ea78e8299574bdd8cded48ba9 Mon Sep 17 00:00:00 2001 
From: Ryan Richard Date: Tue, 9 Aug 2022 16:07:23 -0700 Subject: [PATCH 41/61] Always add the `azp` claim to ID tokens to show the original client ID When the token exchange grant type is used to get a cluster-scoped ID token, the returned token has a new audience value. The client ID of the client which performed the authorization was lost. This didn't matter before, since the only client was `pinniped-cli`, but now that dynamic clients can be registered, the information would be lost in the cluster-scoped ID token. It could be useful for logging, tracing, or auditing, so preserve the information by putting the client ID into the `azp` claim in every ID token (authcode exchange, cluster-scoped, and refreshed ID tokens). --- internal/oidc/auth/auth_handler.go | 6 ++++-- internal/oidc/callback/callback_handler.go | 3 ++- .../downstreamsession/downstream_session.go | 19 +++++++++++++++---- internal/oidc/login/post_login_handler.go | 3 ++- internal/oidc/token/token_handler_test.go | 10 ++++++++-- .../testutil/oidctestutil/oidctestutil.go | 12 ++++++++---- test/integration/supervisor_login_test.go | 13 +++++++++++-- 7 files changed, 50 insertions(+), 16 deletions(-) diff --git a/internal/oidc/auth/auth_handler.go b/internal/oidc/auth/auth_handler.go index bf7e1764..a0245fba 100644 --- a/internal/oidc/auth/auth_handler.go +++ b/internal/oidc/auth/auth_handler.go 
@@ -149,7 +149,8 @@ func handleAuthRequestForLDAPUpstreamCLIFlow( username = authenticateResponse.User.GetName() groups := authenticateResponse.User.GetGroups() customSessionData := downstreamsession.MakeDownstreamLDAPOrADCustomSessionData(ldapUpstream, idpType, authenticateResponse, username) - openIDSession := downstreamsession.MakeDownstreamSession(subject, username, groups, authorizeRequester.GetGrantedScopes(), customSessionData) + openIDSession := downstreamsession.MakeDownstreamSession(subject, username, groups, + authorizeRequester.GetGrantedScopes(), authorizeRequester.GetClient().GetID(), customSessionData) oidc.PerformAuthcodeRedirect(r, w, oauthHelper, authorizeRequester, openIDSession, true) return nil @@ -250,7 +251,8 @@ func handleAuthRequestForOIDCUpstreamPasswordGrant( return nil } - openIDSession := downstreamsession.MakeDownstreamSession(subject, username, groups, authorizeRequester.GetGrantedScopes(), customSessionData) + openIDSession := downstreamsession.MakeDownstreamSession(subject, username, groups, + authorizeRequester.GetGrantedScopes(), authorizeRequester.GetClient().GetID(), customSessionData) oidc.PerformAuthcodeRedirect(r, w, oauthHelper, authorizeRequester, openIDSession, true) diff --git a/internal/oidc/callback/callback_handler.go b/internal/oidc/callback/callback_handler.go index f3a37b9d..0409c252 100644 --- a/internal/oidc/callback/callback_handler.go +++ b/internal/oidc/callback/callback_handler.go 
@@ -79,7 +79,8 @@ func NewHandler( return httperr.Wrap(http.StatusUnprocessableEntity, err.Error(), err) } - openIDSession := downstreamsession.MakeDownstreamSession(subject, username, groups, authorizeRequester.GetGrantedScopes(), customSessionData) + openIDSession := downstreamsession.MakeDownstreamSession(subject, username, groups, + authorizeRequester.GetGrantedScopes(), authorizeRequester.GetClient().GetID(), customSessionData) authorizeResponder, err := oauthHelper.NewAuthorizeResponse(r.Context(), authorizeRequester, openIDSession) if err != nil { diff --git a/internal/oidc/downstreamsession/downstream_session.go b/internal/oidc/downstreamsession/downstream_session.go index cec13d1e..809a48f4 100644 --- a/internal/oidc/downstreamsession/downstream_session.go +++ b/internal/oidc/downstreamsession/downstream_session.go @@ -41,7 +41,14 @@ const ( ) // MakeDownstreamSession creates a downstream OIDC session. -func MakeDownstreamSession(subject string, username string, groups []string, grantedScopes []string, custom *psession.CustomSessionData) *psession.PinnipedSession { +func MakeDownstreamSession( + subject string, + username string, + groups []string, + grantedScopes []string, + clientID string, + custom *psession.CustomSessionData, +) *psession.PinnipedSession { now := time.Now().UTC() openIDSession := &psession.PinnipedSession{ Fosite: &openid.DefaultSession{ 
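Review bot: The doc comment `// MakeDownstreamSession creates a downstream OIDC session.` is kept unchanged above the new seven-line signature and says nothing about the added `clientID` parameter, whose value becomes an ID token claim rather than just session state. Suggested: `// MakeDownstreamSession creates a downstream OIDC session. clientID is the ID of the client that made the authorization request; it is recorded as the azp (authorized party) claim of every ID token minted from this session, including refreshed and cluster-scoped ones.` The body of MakeDownstreamSession continues in the next hunk.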
@@ -56,13 +63,17 @@ func MakeDownstreamSession(subject string, username string, groups []string, gra if groups == nil { groups = []string{} } - openIDSession.IDTokenClaims().Extra = map[string]interface{}{} + + extras := map[string]interface{}{} + extras[oidcapi.IDTokenClaimAuthorizedParty] = clientID if slices.Contains(grantedScopes, oidcapi.ScopeUsername) { - openIDSession.IDTokenClaims().Extra[oidcapi.IDTokenClaimUsername] = username + extras[oidcapi.IDTokenClaimUsername] = username } if slices.Contains(grantedScopes, oidcapi.ScopeGroups) { - openIDSession.IDTokenClaims().Extra[oidcapi.IDTokenClaimGroups] = groups + extras[oidcapi.IDTokenClaimGroups] = groups } + openIDSession.IDTokenClaims().Extra = extras + return openIDSession } diff --git a/internal/oidc/login/post_login_handler.go b/internal/oidc/login/post_login_handler.go index a9fe251a..a5a2d04e 100644 --- a/internal/oidc/login/post_login_handler.go +++ b/internal/oidc/login/post_login_handler.go @@ -83,7 +83,8 @@ func NewPostHandler(issuerURL string, upstreamIDPs oidc.UpstreamIdentityProvider username = authenticateResponse.User.GetName() groups := authenticateResponse.User.GetGroups() customSessionData := downstreamsession.MakeDownstreamLDAPOrADCustomSessionData(ldapUpstream, idpType, authenticateResponse, username) - openIDSession := downstreamsession.MakeDownstreamSession(subject, username, groups, authorizeRequester.GetGrantedScopes(), customSessionData) + openIDSession := downstreamsession.MakeDownstreamSession(subject, username, groups, + authorizeRequester.GetGrantedScopes(), authorizeRequester.GetClient().GetID(), customSessionData) oidc.PerformAuthcodeRedirect(r, w, oauthHelper, authorizeRequester, openIDSession, false) return nil diff --git a/internal/oidc/token/token_handler_test.go b/internal/oidc/token/token_handler_test.go index efecad95..5e9ce5c4 100644 --- a/internal/oidc/token/token_handler_test.go +++ b/internal/oidc/token/token_handler_test.go 
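Review bot: The new `extras[oidcapi.IDTokenClaimAuthorizedParty] = clientID` line carries no comment explaining why azp is emitted on every token, including ones whose `aud` already equals the client ID, where OIDC Core says the claim is not needed and where a client that follows the spec's advice to check azp against its own client_id will compare it on every token it receives. A why-comment tied to the commit's rationale would help, e.g. `// Always record the authorizing client as azp: a token-exchanged (cluster-scoped) ID token gets a new aud, so this is the only claim that still names the client that performed the authorization, which matters for auditing.` Note also that clientID is copied as-is, so an empty value would be minted as an empty azp claim rather than rejected here; whether that can occur depends on the client validation done before the callers reach this function, which is outside this hunk. The function's signature and doc comment are in the previous hunk.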
@@ -1398,7 +1398,7 @@ func TestTokenEndpointTokenExchange(t *testing.T) { // tests for grant_type "urn require.NoError(t, json.Unmarshal(parsedJWT.UnsafePayloadWithoutVerification(), &tokenClaims)) // Make sure that these are the only fields in the token. - idTokenFields := []string{"sub", "aud", "iss", "jti", "auth_time", "exp", "iat", "rat", "username"} + idTokenFields := []string{"sub", "aud", "iss", "jti", "auth_time", "exp", "iat", "rat", "username", "azp"} if test.authcodeExchange.want.wantGroups != nil { idTokenFields = append(idTokenFields, "groups") } @@ -1412,6 +1412,7 @@ func TestTokenEndpointTokenExchange(t *testing.T) { // tests for grant_type "urn require.NotEmpty(t, tokenClaims["rat"]) require.Len(t, tokenClaims["aud"], 1) require.Contains(t, tokenClaims["aud"], test.requestedAudience) + require.Equal(t, test.authcodeExchange.want.wantClientID, tokenClaims["azp"]) require.Equal(t, goodSubject, tokenClaims["sub"]) require.Equal(t, goodIssuer, tokenClaims["iss"]) if test.authcodeExchange.want.wantUsername != "" { @@ -4027,6 +4028,9 @@ func simulateAuthEndpointHavingAlreadyRun( session.Fosite.Claims.Extra["groups"] = goodGroups } + // The authorization endpoint sets the authorized party to the client ID of the original requester. + session.Fosite.Claims.Extra["azp"] = authRequester.GetClient().GetID() + authResponder, err := oauthHelper.NewAuthorizeResponse(ctx, authRequester, session) require.NoError(t, err) return authResponder @@ -4291,6 +4295,7 @@ func requireValidStoredRequest( if wantGroups != nil { expectedExtra["groups"] = toSliceOfInterface(wantGroups) } + expectedExtra["azp"] = wantClientID require.Equal(t, expectedExtra, claims.Extra) // We are in charge of setting these fields. For the purpose of testing, we ensure that the 
@@ -4412,7 +4417,7 @@ func requireValidIDToken( // Note that there is a bug in fosite which prevents the `at_hash` claim from appearing in this ID token // during the initial authcode exchange, but does not prevent `at_hash` from appearing in the refreshed ID token. // We can add a workaround for this later. - idTokenFields := []string{"sub", "aud", "iss", "jti", "auth_time", "exp", "iat", "rat"} + idTokenFields := []string{"sub", "aud", "iss", "jti", "auth_time", "exp", "iat", "rat", "azp"} if wantAtHashClaimInIDToken { idTokenFields = append(idTokenFields, "at_hash") } @@ -4439,6 +4444,7 @@ func requireValidIDToken( require.Equal(t, wantGroupsInIDToken, claims.Groups) require.Len(t, claims.Audience, 1) require.Equal(t, wantClientID, claims.Audience[0]) + require.Equal(t, wantClientID, m["azp"]) require.Equal(t, goodIssuer, claims.Issuer) require.NotEmpty(t, claims.JTI) diff --git a/internal/testutil/oidctestutil/oidctestutil.go b/internal/testutil/oidctestutil/oidctestutil.go index 2056e2d1..f5de96e7 100644 --- a/internal/testutil/oidctestutil/oidctestutil.go +++ b/internal/testutil/oidctestutil/oidctestutil.go 
@@ -1062,27 +1062,31 @@ func validateAuthcodeStorage( // Now confirm the ID token claims. actualClaims := storedSessionFromAuthcode.Fosite.Claims + // Should always have an azp claim. + require.Equal(t, wantDownstreamClientID, actualClaims.Extra["azp"]) + wantDownstreamIDTokenExtraClaimsCount := 1 // should always have azp claim + // Check the user's identity, which are put into the downstream ID token's subject, username and groups claims. require.Equal(t, wantDownstreamIDTokenSubject, actualClaims.Subject) - wantDownstreamIDTokenUsernameClaimToExist := 1 if wantDownstreamIDTokenUsername == "" { - wantDownstreamIDTokenUsernameClaimToExist = 0 require.NotContains(t, actualClaims.Extra, "username") } else { + wantDownstreamIDTokenExtraClaimsCount++ // should also have username claim require.Equal(t, wantDownstreamIDTokenUsername, actualClaims.Extra["username"]) } if slices.Contains(wantDownstreamGrantedScopes, "groups") { - require.Len(t, actualClaims.Extra, wantDownstreamIDTokenUsernameClaimToExist+1) + wantDownstreamIDTokenExtraClaimsCount++ // should also have groups claim actualDownstreamIDTokenGroups := actualClaims.Extra["groups"] require.NotNil(t, actualDownstreamIDTokenGroups) require.ElementsMatch(t, wantDownstreamIDTokenGroups, actualDownstreamIDTokenGroups) } else { require.Emptyf(t, wantDownstreamIDTokenGroups, "test case did not want the groups scope to be granted, "+ "but wanted something in the groups claim, which doesn't make sense. please review the test case's expectations.") - require.Len(t, actualClaims.Extra, wantDownstreamIDTokenUsernameClaimToExist) actualDownstreamIDTokenGroups := actualClaims.Extra["groups"] require.Nil(t, actualDownstreamIDTokenGroups) } + // Make sure that we asserted on every extra claim. + require.Len(t, actualClaims.Extra, wantDownstreamIDTokenExtraClaimsCount) // Check the rest of the downstream ID token's claims. Fosite wants us to set these (in UTC time). 
testutil.RequireTimeInDelta(t, time.Now().UTC(), actualClaims.RequestedAt, timeComparisonFudgeFactor) diff --git a/test/integration/supervisor_login_test.go b/test/integration/supervisor_login_test.go index 069923ff..1aee71c1 100644 --- a/test/integration/supervisor_login_test.go +++ b/test/integration/supervisor_login_test.go @@ -1996,7 +1996,7 @@ func testSupervisorLogin( } require.NoError(t, err) - expectedIDTokenClaims := []string{"iss", "exp", "sub", "aud", "auth_time", "iat", "jti", "nonce", "rat"} + expectedIDTokenClaims := []string{"iss", "exp", "sub", "aud", "auth_time", "iat", "jti", "nonce", "rat", "azp"} if slices.Contains(wantDownstreamScopes, "username") { // If the test wants the username scope to have been granted, then also expect the claim in the ID token. expectedIDTokenClaims = append(expectedIDTokenClaims, "username") @@ -2044,7 +2044,7 @@ func testSupervisorLogin( require.NoError(t, err) // When refreshing, expect to get an "at_hash" claim, but no "nonce" claim. - expectRefreshedIDTokenClaims := []string{"iss", "exp", "sub", "aud", "auth_time", "iat", "jti", "rat", "at_hash"} + expectRefreshedIDTokenClaims := []string{"iss", "exp", "sub", "aud", "auth_time", "iat", "jti", "rat", "azp", "at_hash"} if slices.Contains(wantDownstreamScopes, "username") { // If the test wants the username scope to have been granted, then also expect the claim in the refreshed ID token. expectRefreshedIDTokenClaims = append(expectRefreshedIDTokenClaims, "username") 
@@ -2148,6 +2148,10 @@ func verifyTokenResponse( } require.ElementsMatch(t, expectedIDTokenClaims, idTokenClaimNames) + // There should always be an "azp" claim, and the value should be the client ID of the client which made + // the authorization request. + require.Equal(t, downstreamOAuth2Config.ClientID, idTokenClaims["azp"]) + // Check username claim of the ID token, if one is expected. Asserting on the lack of a username claim is // handled above where the full list of claims are asserted. if wantDownstreamIDTokenUsernameToMatch != "" { @@ -2423,6 +2427,11 @@ func doTokenExchange( indentedClaims, err := json.MarshalIndent(claims, " ", " ") require.NoError(t, err) t.Logf("exchanged token claims:\n%s", string(indentedClaims)) + + // The original client ID should be preserved in the azp claim, therefore preserving this information + // about the original source of the authorization for tracing/auditing purposes, since the "aud" claim + // has been updated to have a new value. + require.Equal(t, config.ClientID, claims["azp"]) } func expectSecurityHeaders(t *testing.T, response *http.Response, expectFositeToOverrideSome bool) { From 02a27e0186a6fe076acf22a033ad726fdc39c7ac Mon Sep 17 00:00:00 2001 From: Ryan Richard Date: Thu, 11 Aug 2022 14:35:18 -0700 Subject: [PATCH 42/61] Add docs for dynamic clients --- .../docs/howto/configure-auth-for-webapps.md | 347 ++++++++++++++++++ 1 file changed, 347 insertions(+) create mode 100644 site/content/docs/howto/configure-auth-for-webapps.md diff --git a/site/content/docs/howto/configure-auth-for-webapps.md b/site/content/docs/howto/configure-auth-for-webapps.md new file mode 100644 index 00000000..1eaa13f0 --- /dev/null +++ b/site/content/docs/howto/configure-auth-for-webapps.md 
@@ -0,0 +1,347 @@ +--- +title: Using the Pinniped Supervisor to provide authentication for web applications +description: Allow your Kubernetes cluster users to authenticate into web apps using the same identities. +cascade: + layout: docs +menu: + docs: + name: Web Application Authentication + weight: 800 + parent: howtos +--- +The Pinniped Supervisor is an [OpenID Connect (OIDC)](https://openid.net/connect/) issuer that can be used to bring +your user identities from an external identity provider into your Kubernetes clusters for all your `kubectl` users. +It can also be used to bring those same identities to web applications that are intended for use by the same users. +For example, a Kubernetes dashboard web application for cluster developers could use the Supervisor as its OIDC +identity provider. + +This guide explains how to use the Supervisor to provide authentication services for a web application. + +## Prerequisites + +This guide assumes that you have installed and configured the Pinniped Supervisor, and configured it with an +external identity provider, as described in the other guides. + +This guide also assumes that you have a web application which supports configuring an OIDC provider for user +authentication, or that you are developing such a web application. From the point of view of the Supervisor, +your webapp is called a "client" ([as defined in the OAuth 2.0 spec](https://www.rfc-editor.org/rfc/rfc6749#section-1.1)). + +Typically, the web application should use the OIDC client support from its web application development +framework (e.g. Spring, Rails, Django, etc.) to implement authentication. The Supervisor requires that: +- Clients must use the [OIDC authorization code flow](https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth). + Clients must + use `code` as the [response_type](https://openid.net/specs/openid-connect-core-1_0.html#AuthorizationExamples) + at the authorization endpoint. 
+- Clients must use [PKCE](https://oauth.net/2/pkce/) during the authorization code flow. +- Clients must be confidential clients, meaning that they have a client ID and client secret. + Clients must use [client secret basic auth](https://datatracker.ietf.org/doc/html/rfc6749#section-2.3.1) + for authentication at the token endpoint. +- Clients must use `query` as the + [response_mode](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest) at the authorization endpoint, + or not specify the `response_mode` param, which defaults to `query`. + +Most web application frameworks offer all these capabilities in their OAuth2/OIDC libraries. + +## Create an OIDCClient + +For each web application, the administrator of the Pinniped Supervisor will create an OIDCClient describing what +that web application is allowed to do: + +```yaml +apiVersion: config.supervisor.pinniped.dev/v1alpha1 +kind: OIDCClient +metadata: + # name must have client.oauth.pinniped.dev- prefix + name: client.oauth.pinniped.dev-my-webapp-client + namespace: supervisor # must be in the same namespace as the Supervisor +spec: + allowedRedirectURIs: + - https://my-webapp.example.com/callback + allowedGrantTypes: + - authorization_code + - refresh_token + - urn:ietf:params:oauth:grant-type:token-exchange + allowedScopes: + - openid + - offline_access + - pinniped:request-audience + - username + - groups +``` + +If you've saved this into a file `my-oidc-client.yaml`, then install it into your cluster using: + +```sh +kubectl apply -f my-oidc-client.yaml +``` + +Do not share OIDCClients between multiple web applications. Each web application should have its own OIDCClient. + +The `name` of the OIDCClient will be the client ID used by the web application in the OIDC flows. + +The `allowedGrantTypes` and `allowedScopes` decides what the web application is allowed to do with respect to +authentication. There are several typical combinations of these settings: + +1. 
A web application which is allowed to use the Supervisor for authentication, and furthermore is allowed to + authenticate into Kubernetes clusters and perform actions on behalf of the users (using the user's identity): + + ```yaml + allowedGrantTypes: + - authorization_code + - refresh_token + - urn:ietf:params:oauth:grant-type:token-exchange + allowedScopes: + - openid + - offline_access + - pinniped:request-audience + - username + - groups + ``` + +2. A web application which is allowed to use the Supervisor for authentication, but cannot perform actions on + Kubernetes clusters. + + ```yaml + allowedGrantTypes: + - authorization_code + - refresh_token + allowedScopes: + - openid + - offline_access + - username + # "groups" can be excluded from this list when the webapp does + # not need to see the group memberships of the users. + - groups + ``` + +3. A web application which is allowed to use the Supervisor for authentication, but cannot see the username or + group memberships of the authenticated users, and cannot perform actions on Kubernetes clusters. + + ```yaml + allowedGrantTypes: + - authorization_code + - refresh_token + allowedScopes: + - openid + - offline_access + ``` + +## Create a client secret for the OIDCClient + +For each OIDCClient created by the Supervisor administrator, the administrator will also need to generate a client +secret for the client. The client secrets are random strings auto-generated by the Supervisor upon request. +The plaintext secret will only be returned once upon creation. + +```sh +cat <}}) +tutorial, then the next sections will apply. + +### Cluster-scoped ID tokens + +The ID token issued at the end of the authorization code flow contains the user's Kubernetes identity. However, +this ID token is typically not used directly to provide authentication to the Kubernetes clusters' API servers. 
+ +In a typical configuration, the Pinniped Concierge is installed on each workload cluster and is configured with a +JWTAuthenticator resource to validate ID tokens issued by the Pinniped Supervisor. However, typically each workload +cluster's JWTAuthenticator is configured to validate a unique audience value (`aud` claim) of the ID tokens. +This ensures that an ID token which is used to access one workload cluster cannot also be used to access other workload +clusters, to limit the impact of a leaked token. + +In this typical configuration, the client must make an extra API call to the Supervisor after the authorization code +flow before it can access a particular workload cluster, in order to get a cluster-scoped ID token for a specific +workload cluster (technically, for the audience value of that workload cluster).This request is made to the token +endpoint, using parameters described in [RFC 8693](https://datatracker.ietf.org/doc/html/rfc8693). This request +requires that the access token was granted the `username` and `pinniped:request-audience` scopes in the authorization +code flow, and preferably was also granted the `groups` scope. It also requires that the client's OIDCClient +configuration allows it to use the `urn:ietf:params:oauth:grant-type:token-exchange` grant type. + +The client has already called the Supervisor FederationDomain's `/.well-known/openid-configuration` discovery endpoint +at the beginning of the authorization code flow, so the client is already aware of the location of the +FederationDomain's token endpoint. The client makes an HTTPS request to the token endpoint to request a +cluster-scoped ID token. The client sends its client ID and client secret as a basic auth header. It sends the +Supervisor-issued access token as the `subject_token` param to identify the user's active session, along with the +other required parameters. 
+ +``` +POST /federation-domain-path/oauth2/token HTTP/1.1 +Host: my-supervisor.example.com +Content-Type: application/x-www-form-urlencoded +Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW + +grant_type=urn:ietf:params:oauth:grant-type:token-exchange + &subject_token= + &subject_token_type=urn:ietf:params:oauth:token-type:access_token + &requested_token_type=urn:ietf:params:oauth:token-type:jwt + &audience= +``` + +A successful request will result in a `200 OK` response with a JSON body. One of the top-level keys in the returned JSON object +will be `id_token`, and the value at that key will be the cluster-scoped ID token. + +This exchange is typically repeated for each workload cluster, right before the client needs to access the Kubernetes +API of that workload cluster. + +### mTLS client certificates + +Once the client has a cluster-scoped ID token for a particular workload cluster, the next step towards accessing the +Kubernetes API of that workload cluster, in a typical configuration, is to request an mTLS client certificate from +that workload cluster. The client certificate will act as the credential for the Kubernetes API server. + +This is done by making a request to the `/apis/login.concierge.pinniped.dev/v1alpha1/tokencredentialrequests` API of +the Kubernetes API of that cluster. This API is an aggregated API hosted on the Kubernetes API server, but behind the +scenes is actually served by the Pinniped Concierge. It can be accessed just like any other Kubernetes API. It does +not require any authentication on the request. + +The details of the request and response formats are documented in the +[API docs](https://github.com/vmware-tanzu/pinniped/blob/main/generated/{{< latestcodegenversion >}}/README.adoc#tokencredentialrequest). 
+ +Here is a sample YAML representation of a request: + +```yaml +apiVersion: login.concierge.pinniped.dev/v1alpha1 +kind: TokenCredentialRequest +spec: + token: + authenticator: + apiGroup: authentication.concierge.pinniped.dev/v1alpha1 + kind: JWTAuthenticator + name: +``` + +And here is a sample YAML representation of a successful response: + +```yaml +apiVersion: login.concierge.pinniped.dev/v1alpha1 +kind: TokenCredentialRequest +status: + credential: + expirationTimestamp: + clientCertificateData: + clientKeyData: +``` + +The returned mTLS client certificate will contain the user's identity (username and groups) copied from the cluster-scoped +ID token. It may be used to make calls to the Kubernetes API as that user, until it expires. + +These mTLS client certificates are short-lived, typically good for about 5-15 minutes. After it expires, a client which +wishes to make more Kubernetes API calls will need to perform an OIDC refresh request to the Supervisor to get +a new access token, and then repeat the steps described above to get new cluster-scoped ID tokens and mTLS client +certificates. Requiring these steps to be repeated often ensures that the user's session with the external identity +provider is validated often, to ensure any changes to the user's level of access will quickly be reflected in the +Kubernetes clusters. From dc3916259700a6cc9be8563f9f81124a02fe76c1 Mon Sep 17 00:00:00 2001 
From: Ryan Richard Date: Fri, 26 Aug 2022 12:13:53 -0700 Subject: [PATCH 43/61] Rerun codegen after merging main into dynamic_clients Needed to update the new v1.25 generated code to include the new APIs that were added in the dynamic_clients branch. --- generated/1.25/README.adoc | 218 +++++++++++++++++ .../1.25/apis/supervisor/clientsecret/doc.go | 8 + .../apis/supervisor/clientsecret/register.go | 38 +++ .../types_oidcclientsecretrequest.go | 46 ++++ .../clientsecret/v1alpha1/conversion.go | 4 + .../clientsecret/v1alpha1/defaults.go | 12 + .../supervisor/clientsecret/v1alpha1/doc.go | 11 + .../clientsecret/v1alpha1/register.go | 43 ++++ .../v1alpha1/types_oidcclientsecretrequest.go | 36 +++ .../v1alpha1/zz_generated.conversion.go | 165 +++++++++++++ .../v1alpha1/zz_generated.deepcopy.go | 106 +++++++++ .../v1alpha1/zz_generated.defaults.go | 20 ++ .../clientsecret/zz_generated.deepcopy.go | 106 +++++++++ .../supervisor/config/v1alpha1/register.go | 2 + .../supervisor/config/v1alpha1/types_meta.go | 75 ++++++ .../config/v1alpha1/types_oidcclient.go | 122 ++++++++++ .../config/v1alpha1/zz_generated.deepcopy.go | 132 +++++++++++ .../supervisor/oidc/types_supervisor_oidc.go | 65 +++++- .../clientset/versioned/clientset.go | 17 +- .../versioned/fake/clientset_generated.go | 7 + .../clientset/versioned/fake/register.go | 2 + .../clientset/versioned/scheme/register.go | 2 + .../v1alpha1/clientsecret_client.go | 94 ++++++++ .../typed/clientsecret/v1alpha1/doc.go | 7 + .../typed/clientsecret/v1alpha1/fake/doc.go | 7 + .../v1alpha1/fake/fake_clientsecret_client.go | 27 +++ .../fake/fake_oidcclientsecretrequest.go | 36 +++ .../v1alpha1/generated_expansion.go | 8 + .../v1alpha1/oidcclientsecretrequest.go | 54 +++++ .../typed/config/v1alpha1/config_client.go | 5 + .../v1alpha1/fake/fake_config_client.go | 4 + .../config/v1alpha1/fake/fake_oidcclient.go | 129 ++++++++++ .../config/v1alpha1/generated_expansion.go | 2 + .../typed/config/v1alpha1/oidcclient.go | 182 
+++++++++++++++ .../config/v1alpha1/interface.go | 7 + .../config/v1alpha1/oidcclient.go | 77 ++++++ .../informers/externalversions/generic.go | 2 + .../config/v1alpha1/expansion_generated.go | 8 + .../listers/config/v1alpha1/oidcclient.go | 86 +++++++ ...g.supervisor.pinniped.dev_oidcclients.yaml | 221 ++++++++++++++++++ 40 files changed, 2187 insertions(+), 6 deletions(-) create mode 100644 generated/1.25/apis/supervisor/clientsecret/doc.go create mode 100644 generated/1.25/apis/supervisor/clientsecret/register.go create mode 100644 generated/1.25/apis/supervisor/clientsecret/types_oidcclientsecretrequest.go create mode 100644 generated/1.25/apis/supervisor/clientsecret/v1alpha1/conversion.go create mode 100644 generated/1.25/apis/supervisor/clientsecret/v1alpha1/defaults.go create mode 100644 generated/1.25/apis/supervisor/clientsecret/v1alpha1/doc.go create mode 100644 generated/1.25/apis/supervisor/clientsecret/v1alpha1/register.go create mode 100644 generated/1.25/apis/supervisor/clientsecret/v1alpha1/types_oidcclientsecretrequest.go create mode 100644 generated/1.25/apis/supervisor/clientsecret/v1alpha1/zz_generated.conversion.go create mode 100644 generated/1.25/apis/supervisor/clientsecret/v1alpha1/zz_generated.deepcopy.go create mode 100644 generated/1.25/apis/supervisor/clientsecret/v1alpha1/zz_generated.defaults.go create mode 100644 generated/1.25/apis/supervisor/clientsecret/zz_generated.deepcopy.go create mode 100644 generated/1.25/apis/supervisor/config/v1alpha1/types_meta.go create mode 100644 generated/1.25/apis/supervisor/config/v1alpha1/types_oidcclient.go create mode 100644 generated/1.25/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/clientsecret_client.go create mode 100644 generated/1.25/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/doc.go create mode 100644 generated/1.25/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/fake/doc.go create mode 100644 
generated/1.25/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/fake/fake_clientsecret_client.go create mode 100644 generated/1.25/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/fake/fake_oidcclientsecretrequest.go create mode 100644 generated/1.25/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/generated_expansion.go create mode 100644 generated/1.25/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/oidcclientsecretrequest.go create mode 100644 generated/1.25/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake/fake_oidcclient.go create mode 100644 generated/1.25/client/supervisor/clientset/versioned/typed/config/v1alpha1/oidcclient.go create mode 100644 generated/1.25/client/supervisor/informers/externalversions/config/v1alpha1/oidcclient.go create mode 100644 generated/1.25/client/supervisor/listers/config/v1alpha1/oidcclient.go create mode 100644 generated/1.25/crds/config.supervisor.pinniped.dev_oidcclients.yaml diff --git a/generated/1.25/README.adoc b/generated/1.25/README.adoc index 6ef73deb..d5345857 100644 --- a/generated/1.25/README.adoc +++ b/generated/1.25/README.adoc @@ -6,6 +6,8 @@ .Packages - xref:{anchor_prefix}-authentication-concierge-pinniped-dev-v1alpha1[$$authentication.concierge.pinniped.dev/v1alpha1$$] +- xref:{anchor_prefix}-clientsecret-supervisor-pinniped-dev-clientsecret[$$clientsecret.supervisor.pinniped.dev/clientsecret$$] +- xref:{anchor_prefix}-clientsecret-supervisor-pinniped-dev-v1alpha1[$$clientsecret.supervisor.pinniped.dev/v1alpha1$$] - xref:{anchor_prefix}-config-concierge-pinniped-dev-v1alpha1[$$config.concierge.pinniped.dev/v1alpha1$$] - xref:{anchor_prefix}-config-supervisor-pinniped-dev-v1alpha1[$$config.supervisor.pinniped.dev/v1alpha1$$] - xref:{anchor_prefix}-identity-concierge-pinniped-dev-identity[$$identity.concierge.pinniped.dev/identity$$] 
@@ -210,6 +212,138 @@ Status of a webhook authenticator. +[id="{anchor_prefix}-clientsecret-supervisor-pinniped-dev-clientsecret"] +=== clientsecret.supervisor.pinniped.dev/clientsecret + +Package clientsecret is the internal version of the Pinniped client secret API. + + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-clientsecret-oidcclientsecretrequest"] +==== OIDCClientSecretRequest + +OIDCClientSecretRequest can be used to update the client secrets associated with an OIDCClient. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-clientsecret-oidcclientsecretrequestlist[$$OIDCClientSecretRequestList$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`. + +| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-clientsecret-oidcclientsecretrequestspec[$$OIDCClientSecretRequestSpec$$]__ | +| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-clientsecret-oidcclientsecretrequeststatus[$$OIDCClientSecretRequestStatus$$]__ | +|=== + + + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-clientsecret-oidcclientsecretrequestspec"] +==== OIDCClientSecretRequestSpec + + + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-clientsecret-oidcclientsecretrequest[$$OIDCClientSecretRequest$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`generateNewSecret`* __boolean__ | Request a new client secret to for the OIDCClient referenced by the metadata.name field. +| *`revokeOldSecrets`* __boolean__ | Revoke the old client secrets associated with the OIDCClient referenced by the metadata.name field. 
+|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-clientsecret-oidcclientsecretrequeststatus"] +==== OIDCClientSecretRequestStatus + + + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-clientsecret-oidcclientsecretrequest[$$OIDCClientSecretRequest$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`generatedSecret`* __string__ | The unencrypted OIDC Client Secret. This will only be shared upon creation and cannot be recovered if you lose it. +| *`totalClientSecrets`* __integer__ | The total number of client secrets associated with the OIDCClient referenced by the metadata.name field. +|=== + + + +[id="{anchor_prefix}-clientsecret-supervisor-pinniped-dev-v1alpha1"] +=== clientsecret.supervisor.pinniped.dev/v1alpha1 + +Package v1alpha1 is the v1alpha1 version of the Pinniped client secret API. + + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-clientsecret-v1alpha1-oidcclientsecretrequest"] +==== OIDCClientSecretRequest + + + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-clientsecret-v1alpha1-oidcclientsecretrequestlist[$$OIDCClientSecretRequestList$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`. 
+ +| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-clientsecret-v1alpha1-oidcclientsecretrequestspec[$$OIDCClientSecretRequestSpec$$]__ | +| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-clientsecret-v1alpha1-oidcclientsecretrequeststatus[$$OIDCClientSecretRequestStatus$$]__ | +|=== + + + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-clientsecret-v1alpha1-oidcclientsecretrequestspec"] +==== OIDCClientSecretRequestSpec + + + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-clientsecret-v1alpha1-oidcclientsecretrequest[$$OIDCClientSecretRequest$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`generateNewSecret`* __boolean__ | +| *`revokeOldSecrets`* __boolean__ | +|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-clientsecret-v1alpha1-oidcclientsecretrequeststatus"] +==== OIDCClientSecretRequestStatus + + + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-clientsecret-v1alpha1-oidcclientsecretrequest[$$OIDCClientSecretRequest$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`generatedSecret`* __string__ | +| *`totalClientSecrets`* __integer__ | +|=== + + + [id="{anchor_prefix}-config-concierge-pinniped-dev-v1alpha1"] === config.concierge.pinniped.dev/v1alpha1 
@@ -441,6 +575,28 @@ Package v1alpha1 is the v1alpha1 version of the Pinniped supervisor configuratio +[id="{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-config-v1alpha1-condition"] +==== Condition + +Condition status of a resource (mirrored from the metav1.Condition type added in Kubernetes 1.19). In a future API version we can switch to using the upstream type. See https://github.com/kubernetes/apimachinery/blob/v0.19.0/pkg/apis/meta/v1/types.go#L1353-L1413. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-config-v1alpha1-oidcclientstatus[$$OIDCClientStatus$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`type`* __string__ | type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) +| *`status`* __ConditionStatus__ | status of the condition, one of True, False, Unknown. +| *`observedGeneration`* __integer__ | observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. +| *`lastTransitionTime`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#time-v1-meta[$$Time$$]__ | lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. +| *`reason`* __string__ | reason contains a programmatic identifier indicating the reason for the condition's last transition. 
Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. +| *`message`* __string__ | message is a human readable message indicating details about the transition. This may be an empty string. +|=== + + [id="{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-config-v1alpha1-federationdomain"] ==== FederationDomain 
@@ -543,6 +699,68 @@ FederationDomainTLSSpec is a struct that describes the TLS configuration for an |=== +[id="{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-config-v1alpha1-oidcclient"] +==== OIDCClient + +OIDCClient describes the configuration of an OIDC client. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-config-v1alpha1-oidcclientlist[$$OIDCClientList$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`. + +| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-config-v1alpha1-oidcclientspec[$$OIDCClientSpec$$]__ | Spec of the OIDC client. +| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-config-v1alpha1-oidcclientstatus[$$OIDCClientStatus$$]__ | Status of the OIDC client. +|=== + + + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-config-v1alpha1-oidcclientspec"] +==== OIDCClientSpec + +OIDCClientSpec is a struct that describes an OIDCClient. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-config-v1alpha1-oidcclient[$$OIDCClient$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`allowedRedirectURIs`* __RedirectURI array__ | allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this client. Any other uris will be rejected. Must be a URI with the https scheme, unless the hostname is 127.0.0.1 or ::1 which may use the http scheme. Port numbers are not required for 127.0.0.1 or ::1 and are ignored when checking for a matching redirect_uri. 
+| *`allowedGrantTypes`* __GrantType array__ | allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this client. + Must only contain the following values: - authorization_code: allows the client to perform the authorization code grant flow, i.e. allows the webapp to authenticate users. This grant must always be listed. - refresh_token: allows the client to perform refresh grants for the user to extend the user's session. This grant must be listed if allowedScopes lists offline_access. - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. This grant must be listed if allowedScopes lists pinniped:request-audience. +| *`allowedScopes`* __Scope array__ | allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. + Must only contain the following values: - openid: The client is allowed to request ID tokens. ID tokens only include the required claims by default (iss, sub, aud, exp, iat). This scope must always be listed. - offline_access: The client is allowed to request an initial refresh token during the authorization code grant flow. This scope must be listed if allowedGrantTypes lists refresh_token. - pinniped:request-audience: The client is allowed to request a new audience value during a RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. openid, username and groups scopes must be listed when this scope is present. This scope must be listed if allowedGrantTypes lists urn:ietf:params:oauth:grant-type:token-exchange. - username: The client is allowed to request that ID tokens contain the user's username. Without the username scope being requested and allowed, the ID token will not contain the user's username. 
- groups: The client is allowed to request that ID tokens contain the user's group membership, if their group membership is discoverable by the Supervisor. Without the groups scope being requested and allowed, the ID token will not contain groups. +|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-config-v1alpha1-oidcclientstatus"] +==== OIDCClientStatus + +OIDCClientStatus is a struct that describes the actual state of an OIDCClient. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-config-v1alpha1-oidcclient[$$OIDCClient$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`phase`* __OIDCClientPhase__ | phase summarizes the overall status of the OIDCClient. +| *`conditions`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-config-v1alpha1-condition[$$Condition$$] array__ | conditions represent the observations of an OIDCClient's current state. +| *`totalClientSecrets`* __integer__ | totalClientSecrets is the current number of client secrets that are detected for this OIDCClient. +|=== + + [id="{anchor_prefix}-identity-concierge-pinniped-dev-identity"] === identity.concierge.pinniped.dev/identity diff --git a/generated/1.25/apis/supervisor/clientsecret/doc.go b/generated/1.25/apis/supervisor/clientsecret/doc.go new file mode 100644 index 00000000..c536bc75 --- /dev/null +++ b/generated/1.25/apis/supervisor/clientsecret/doc.go @@ -0,0 +1,8 @@ +// Copyright 2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// +k8s:deepcopy-gen=package +// +groupName=clientsecret.supervisor.pinniped.dev + +// Package clientsecret is the internal version of the Pinniped client secret API. +package clientsecret diff --git a/generated/1.25/apis/supervisor/clientsecret/register.go b/generated/1.25/apis/supervisor/clientsecret/register.go new file mode 100644 index 00000000..8a76f0fe --- /dev/null 
+++ b/generated/1.25/apis/supervisor/clientsecret/register.go
@@ -0,0 +1,38 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package clientsecret
+
+import (
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+const GroupName = "clientsecret.supervisor.pinniped.dev"
+
+// SchemeGroupVersion is group version used to register these objects.
+var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: runtime.APIVersionInternal}
+
+// Kind takes an unqualified kind and returns back a Group qualified GroupKind.
+func Kind(kind string) schema.GroupKind {
+	return SchemeGroupVersion.WithKind(kind).GroupKind()
+}
+
+// Resource takes an unqualified resource and returns back a Group qualified GroupResource.
+func Resource(resource string) schema.GroupResource {
+	return SchemeGroupVersion.WithResource(resource).GroupResource()
+}
+
+var (
+	SchemeBuilder = runtime.NewSchemeBuilder(addKnownTypes)
+	AddToScheme   = SchemeBuilder.AddToScheme
+)
+
+// Adds the list of known types to the given scheme.
+func addKnownTypes(scheme *runtime.Scheme) error {
+	scheme.AddKnownTypes(SchemeGroupVersion,
+		&OIDCClientSecretRequest{},
+		&OIDCClientSecretRequestList{},
+	)
+	return nil
+}
diff --git a/generated/1.25/apis/supervisor/clientsecret/types_oidcclientsecretrequest.go b/generated/1.25/apis/supervisor/clientsecret/types_oidcclientsecretrequest.go
new file mode 100644
index 00000000..c7ef37b2
--- /dev/null
+++ b/generated/1.25/apis/supervisor/clientsecret/types_oidcclientsecretrequest.go
@@ -0,0 +1,46 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package clientsecret
+
+import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+type OIDCClientSecretRequestSpec struct {
+	// Request a new client secret to for the OIDCClient referenced by the metadata.name field.
+	GenerateNewSecret bool `json:"generateNewSecret"`
+
+	// Revoke the old client secrets associated with the OIDCClient referenced by the metadata.name
+	// field.
+	RevokeOldSecrets bool `json:"revokeOldSecrets"`
+}
+
+type OIDCClientSecretRequestStatus struct {
+	// The unencrypted OIDC Client Secret. This will only be shared upon creation and cannot
+	// be recovered if you lose it.
+	GeneratedSecret string `json:"generatedSecret,omitempty"`
+
+	// The total number of client secrets associated with the OIDCClient referenced by the
+	// metadata.name field.
+	TotalClientSecrets int `json:"totalClientSecrets"`
+}
+
+// OIDCClientSecretRequest can be used to update the client secrets associated with an
+// OIDCClient.
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+type OIDCClientSecretRequest struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"` // metadata.name must be set to the client ID
+
+	Spec   OIDCClientSecretRequestSpec   `json:"spec"`
+	Status OIDCClientSecretRequestStatus `json:"status"`
+}
+
+// OIDCClientSecretList is a list of OIDCClientSecretRequest objects.
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+type OIDCClientSecretRequestList struct {
+	metav1.TypeMeta
+	metav1.ListMeta
+
+	// Items is a list of OIDCClientSecretRequest
+	Items []OIDCClientSecretRequest
+}
diff --git a/generated/1.25/apis/supervisor/clientsecret/v1alpha1/conversion.go b/generated/1.25/apis/supervisor/clientsecret/v1alpha1/conversion.go
new file mode 100644
index 00000000..fcf4e82f
--- /dev/null
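Review bot: The field comments on OIDCClientSecretRequestSpec leave the interaction of the two flags undefined: when both generateNewSecret and revokeOldSecrets are true it is unclear whether "old" excludes the secret minted by the same request, and when both are false the request appears to be a no-op that only reports totalClientSecrets. Since these comments are the contract callers rotate credentials against, state it on the field, e.g. `// RevokeOldSecrets revokes every client secret that existed before this request; a secret generated by the same request (generateNewSecret: true) is kept.` — adjusted to whatever the handler actually does, which is not visible in this patch. The comment `// Request a new client secret to for the OIDCClient` also has a stray "to". TotalClientSecrets is an unsized `int`; Kubernetes API types conventionally use `int32`/`int64`, and keeping the internal and versioned widths equal lets conversion-gen emit the assignment without a hand-written converter.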
+++ b/generated/1.25/apis/supervisor/clientsecret/v1alpha1/conversion.go
@@ -0,0 +1,4 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
diff --git a/generated/1.25/apis/supervisor/clientsecret/v1alpha1/defaults.go b/generated/1.25/apis/supervisor/clientsecret/v1alpha1/defaults.go
new file mode 100644
index 00000000..d4f5a9e8
--- /dev/null
+++ b/generated/1.25/apis/supervisor/clientsecret/v1alpha1/defaults.go
@@ -0,0 +1,12 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import (
+	"k8s.io/apimachinery/pkg/runtime"
+)
+
+func addDefaultingFuncs(scheme *runtime.Scheme) error {
+	return RegisterDefaults(scheme)
+}
diff --git a/generated/1.25/apis/supervisor/clientsecret/v1alpha1/doc.go b/generated/1.25/apis/supervisor/clientsecret/v1alpha1/doc.go
new file mode 100644
index 00000000..64bc61fd
--- /dev/null
+++ b/generated/1.25/apis/supervisor/clientsecret/v1alpha1/doc.go
@@ -0,0 +1,11 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// +k8s:openapi-gen=true
+// +k8s:deepcopy-gen=package
+// +k8s:conversion-gen=go.pinniped.dev/generated/1.25/apis/supervisor/clientsecret
+// +k8s:defaulter-gen=TypeMeta
+// +groupName=clientsecret.supervisor.pinniped.dev
+
+// Package v1alpha1 is the v1alpha1 version of the Pinniped client secret API.
+package v1alpha1
diff --git a/generated/1.25/apis/supervisor/clientsecret/v1alpha1/register.go b/generated/1.25/apis/supervisor/clientsecret/v1alpha1/register.go
new file mode 100644
index 00000000..4660e407
--- /dev/null
+++ b/generated/1.25/apis/supervisor/clientsecret/v1alpha1/register.go
@@ -0,0 +1,43 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+const GroupName = "clientsecret.supervisor.pinniped.dev"
+
+// SchemeGroupVersion is group version used to register these objects.
+var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha1"}
+
+var (
+	SchemeBuilder      runtime.SchemeBuilder
+	localSchemeBuilder = &SchemeBuilder
+	AddToScheme        = SchemeBuilder.AddToScheme
+)
+
+func init() {
+	// We only register manually written functions here. The registration of the
+	// generated functions takes place in the generated files. The separation
+	// makes the code compile even when the generated files are missing.
+	localSchemeBuilder.Register(addKnownTypes, addDefaultingFuncs)
+}
+
+// Adds the list of known types to the given scheme.
+func addKnownTypes(scheme *runtime.Scheme) error {
+	scheme.AddKnownTypes(SchemeGroupVersion,
+		&OIDCClientSecretRequest{},
+		&OIDCClientSecretRequestList{},
+	)
+	metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
+	return nil
+}
+
+// Resource takes an unqualified resource and returns back a Group qualified GroupResource.
+func Resource(resource string) schema.GroupResource {
+	return SchemeGroupVersion.WithResource(resource).GroupResource()
+}
diff --git a/generated/1.25/apis/supervisor/clientsecret/v1alpha1/types_oidcclientsecretrequest.go b/generated/1.25/apis/supervisor/clientsecret/v1alpha1/types_oidcclientsecretrequest.go
new file mode 100644
index 00000000..ef48e6c0
--- /dev/null
+++ b/generated/1.25/apis/supervisor/clientsecret/v1alpha1/types_oidcclientsecretrequest.go
@@ -0,0 +1,36 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+type OIDCClientSecretRequestSpec struct {
+	GenerateNewSecret bool `json:"generateNewSecret"`
+	RevokeOldSecrets  bool `json:"revokeOldSecrets"`
+}
+
+type OIDCClientSecretRequestStatus struct {
+	GeneratedSecret    string `json:"generatedSecret,omitempty"`
+	TotalClientSecrets int    `json:"totalClientSecrets"`
+}
+
+// +genclient
+// +genclient:onlyVerbs=create
+// +kubebuilder:subresource:status
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+type OIDCClientSecretRequest struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"` // metadata.name must be set to the client ID
+
+	Spec   OIDCClientSecretRequestSpec   `json:"spec"`
+	Status OIDCClientSecretRequestStatus `json:"status"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+type OIDCClientSecretRequestList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+
+	Items []OIDCClientSecretRequest `json:"items"`
+}
diff --git a/generated/1.25/apis/supervisor/clientsecret/v1alpha1/zz_generated.conversion.go b/generated/1.25/apis/supervisor/clientsecret/v1alpha1/zz_generated.conversion.go
new file mode 100644
index 00000000..b4dca243
--- /dev/null
+++ b/generated/1.25/apis/supervisor/clientsecret/v1alpha1/zz_generated.conversion.go
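Review bot: The versioned OIDCClientSecretRequestSpec and OIDCClientSecretRequestStatus carry no field comments at all, yet this v1alpha1 type is what openapi-gen and the doc generator read, which is why the generated README's v1alpha1 tables for these types show empty descriptions; the comments that were written on the internal type in the sibling hunk belong here instead. For GeneratedSecret in particular, the comment should say that the plaintext secret is returned only in the create response of this create-only resource (`+genclient:onlyVerbs=create`) and cannot be read back, and presumably warn operators that a Kubernetes audit policy capturing response bodies at the RequestResponse level for this resource would record it. `TotalClientSecrets int` should be `TotalClientSecrets int32 `json:"totalClientSecrets"`` (or int64), since Kubernetes API conventions disallow unsized int in versioned types, with the same width used in the internal type so conversion-gen keeps generating the assignment. `+kubebuilder:subresource:status` is a CRD marker and appears to have no effect on an aggregated-API type like this one; if it is intentional a short comment would help, otherwise drop it.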
@@ -0,0 +1,165 @@ +//go:build !ignore_autogenerated +// +build !ignore_autogenerated + +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by conversion-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + unsafe "unsafe" + + clientsecret "go.pinniped.dev/generated/1.25/apis/supervisor/clientsecret" + conversion "k8s.io/apimachinery/pkg/conversion" + runtime "k8s.io/apimachinery/pkg/runtime" +) + +func init() { + localSchemeBuilder.Register(RegisterConversions) +} + +// RegisterConversions adds conversion functions to the given scheme. +// Public to allow building arbitrary schemes. +func RegisterConversions(s *runtime.Scheme) error { + if err := s.AddGeneratedConversionFunc((*OIDCClientSecretRequest)(nil), (*clientsecret.OIDCClientSecretRequest)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_v1alpha1_OIDCClientSecretRequest_To_clientsecret_OIDCClientSecretRequest(a.(*OIDCClientSecretRequest), b.(*clientsecret.OIDCClientSecretRequest), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*clientsecret.OIDCClientSecretRequest)(nil), (*OIDCClientSecretRequest)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_clientsecret_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest(a.(*clientsecret.OIDCClientSecretRequest), b.(*OIDCClientSecretRequest), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*OIDCClientSecretRequestList)(nil), (*clientsecret.OIDCClientSecretRequestList)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_v1alpha1_OIDCClientSecretRequestList_To_clientsecret_OIDCClientSecretRequestList(a.(*OIDCClientSecretRequestList), b.(*clientsecret.OIDCClientSecretRequestList), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*clientsecret.OIDCClientSecretRequestList)(nil), 
(*OIDCClientSecretRequestList)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_clientsecret_OIDCClientSecretRequestList_To_v1alpha1_OIDCClientSecretRequestList(a.(*clientsecret.OIDCClientSecretRequestList), b.(*OIDCClientSecretRequestList), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*OIDCClientSecretRequestSpec)(nil), (*clientsecret.OIDCClientSecretRequestSpec)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_v1alpha1_OIDCClientSecretRequestSpec_To_clientsecret_OIDCClientSecretRequestSpec(a.(*OIDCClientSecretRequestSpec), b.(*clientsecret.OIDCClientSecretRequestSpec), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*clientsecret.OIDCClientSecretRequestSpec)(nil), (*OIDCClientSecretRequestSpec)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_clientsecret_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec(a.(*clientsecret.OIDCClientSecretRequestSpec), b.(*OIDCClientSecretRequestSpec), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*OIDCClientSecretRequestStatus)(nil), (*clientsecret.OIDCClientSecretRequestStatus)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_v1alpha1_OIDCClientSecretRequestStatus_To_clientsecret_OIDCClientSecretRequestStatus(a.(*OIDCClientSecretRequestStatus), b.(*clientsecret.OIDCClientSecretRequestStatus), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*clientsecret.OIDCClientSecretRequestStatus)(nil), (*OIDCClientSecretRequestStatus)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_clientsecret_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus(a.(*clientsecret.OIDCClientSecretRequestStatus), b.(*OIDCClientSecretRequestStatus), scope) + }); err != nil { + return err + } + return nil +} + +func 
autoConvert_v1alpha1_OIDCClientSecretRequest_To_clientsecret_OIDCClientSecretRequest(in *OIDCClientSecretRequest, out *clientsecret.OIDCClientSecretRequest, s conversion.Scope) error { + out.ObjectMeta = in.ObjectMeta + if err := Convert_v1alpha1_OIDCClientSecretRequestSpec_To_clientsecret_OIDCClientSecretRequestSpec(&in.Spec, &out.Spec, s); err != nil { + return err + } + if err := Convert_v1alpha1_OIDCClientSecretRequestStatus_To_clientsecret_OIDCClientSecretRequestStatus(&in.Status, &out.Status, s); err != nil { + return err + } + return nil +} + +// Convert_v1alpha1_OIDCClientSecretRequest_To_clientsecret_OIDCClientSecretRequest is an autogenerated conversion function. +func Convert_v1alpha1_OIDCClientSecretRequest_To_clientsecret_OIDCClientSecretRequest(in *OIDCClientSecretRequest, out *clientsecret.OIDCClientSecretRequest, s conversion.Scope) error { + return autoConvert_v1alpha1_OIDCClientSecretRequest_To_clientsecret_OIDCClientSecretRequest(in, out, s) +} + +func autoConvert_clientsecret_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest(in *clientsecret.OIDCClientSecretRequest, out *OIDCClientSecretRequest, s conversion.Scope) error { + out.ObjectMeta = in.ObjectMeta + if err := Convert_clientsecret_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec(&in.Spec, &out.Spec, s); err != nil { + return err + } + if err := Convert_clientsecret_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus(&in.Status, &out.Status, s); err != nil { + return err + } + return nil +} + +// Convert_clientsecret_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest is an autogenerated conversion function. 
+func Convert_clientsecret_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest(in *clientsecret.OIDCClientSecretRequest, out *OIDCClientSecretRequest, s conversion.Scope) error { + return autoConvert_clientsecret_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest(in, out, s) +} + +func autoConvert_v1alpha1_OIDCClientSecretRequestList_To_clientsecret_OIDCClientSecretRequestList(in *OIDCClientSecretRequestList, out *clientsecret.OIDCClientSecretRequestList, s conversion.Scope) error { + out.ListMeta = in.ListMeta + out.Items = *(*[]clientsecret.OIDCClientSecretRequest)(unsafe.Pointer(&in.Items)) + return nil +} + +// Convert_v1alpha1_OIDCClientSecretRequestList_To_clientsecret_OIDCClientSecretRequestList is an autogenerated conversion function. +func Convert_v1alpha1_OIDCClientSecretRequestList_To_clientsecret_OIDCClientSecretRequestList(in *OIDCClientSecretRequestList, out *clientsecret.OIDCClientSecretRequestList, s conversion.Scope) error { + return autoConvert_v1alpha1_OIDCClientSecretRequestList_To_clientsecret_OIDCClientSecretRequestList(in, out, s) +} + +func autoConvert_clientsecret_OIDCClientSecretRequestList_To_v1alpha1_OIDCClientSecretRequestList(in *clientsecret.OIDCClientSecretRequestList, out *OIDCClientSecretRequestList, s conversion.Scope) error { + out.ListMeta = in.ListMeta + out.Items = *(*[]OIDCClientSecretRequest)(unsafe.Pointer(&in.Items)) + return nil +} + +// Convert_clientsecret_OIDCClientSecretRequestList_To_v1alpha1_OIDCClientSecretRequestList is an autogenerated conversion function. 
+func Convert_clientsecret_OIDCClientSecretRequestList_To_v1alpha1_OIDCClientSecretRequestList(in *clientsecret.OIDCClientSecretRequestList, out *OIDCClientSecretRequestList, s conversion.Scope) error { + return autoConvert_clientsecret_OIDCClientSecretRequestList_To_v1alpha1_OIDCClientSecretRequestList(in, out, s) +} + +func autoConvert_v1alpha1_OIDCClientSecretRequestSpec_To_clientsecret_OIDCClientSecretRequestSpec(in *OIDCClientSecretRequestSpec, out *clientsecret.OIDCClientSecretRequestSpec, s conversion.Scope) error { + out.GenerateNewSecret = in.GenerateNewSecret + out.RevokeOldSecrets = in.RevokeOldSecrets + return nil +} + +// Convert_v1alpha1_OIDCClientSecretRequestSpec_To_clientsecret_OIDCClientSecretRequestSpec is an autogenerated conversion function. +func Convert_v1alpha1_OIDCClientSecretRequestSpec_To_clientsecret_OIDCClientSecretRequestSpec(in *OIDCClientSecretRequestSpec, out *clientsecret.OIDCClientSecretRequestSpec, s conversion.Scope) error { + return autoConvert_v1alpha1_OIDCClientSecretRequestSpec_To_clientsecret_OIDCClientSecretRequestSpec(in, out, s) +} + +func autoConvert_clientsecret_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec(in *clientsecret.OIDCClientSecretRequestSpec, out *OIDCClientSecretRequestSpec, s conversion.Scope) error { + out.GenerateNewSecret = in.GenerateNewSecret + out.RevokeOldSecrets = in.RevokeOldSecrets + return nil +} + +// Convert_clientsecret_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec is an autogenerated conversion function. 
+func Convert_clientsecret_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec(in *clientsecret.OIDCClientSecretRequestSpec, out *OIDCClientSecretRequestSpec, s conversion.Scope) error { + return autoConvert_clientsecret_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec(in, out, s) +} + +func autoConvert_v1alpha1_OIDCClientSecretRequestStatus_To_clientsecret_OIDCClientSecretRequestStatus(in *OIDCClientSecretRequestStatus, out *clientsecret.OIDCClientSecretRequestStatus, s conversion.Scope) error { + out.GeneratedSecret = in.GeneratedSecret + out.TotalClientSecrets = in.TotalClientSecrets + return nil +} + +// Convert_v1alpha1_OIDCClientSecretRequestStatus_To_clientsecret_OIDCClientSecretRequestStatus is an autogenerated conversion function. +func Convert_v1alpha1_OIDCClientSecretRequestStatus_To_clientsecret_OIDCClientSecretRequestStatus(in *OIDCClientSecretRequestStatus, out *clientsecret.OIDCClientSecretRequestStatus, s conversion.Scope) error { + return autoConvert_v1alpha1_OIDCClientSecretRequestStatus_To_clientsecret_OIDCClientSecretRequestStatus(in, out, s) +} + +func autoConvert_clientsecret_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus(in *clientsecret.OIDCClientSecretRequestStatus, out *OIDCClientSecretRequestStatus, s conversion.Scope) error { + out.GeneratedSecret = in.GeneratedSecret + out.TotalClientSecrets = in.TotalClientSecrets + return nil +} + +// Convert_clientsecret_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus is an autogenerated conversion function. +func Convert_clientsecret_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus(in *clientsecret.OIDCClientSecretRequestStatus, out *OIDCClientSecretRequestStatus, s conversion.Scope) error { + return autoConvert_clientsecret_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus(in, out, s) +} 
diff --git a/generated/1.25/apis/supervisor/clientsecret/v1alpha1/zz_generated.deepcopy.go b/generated/1.25/apis/supervisor/clientsecret/v1alpha1/zz_generated.deepcopy.go new file mode 100644 index 00000000..781e9831 --- /dev/null +++ b/generated/1.25/apis/supervisor/clientsecret/v1alpha1/zz_generated.deepcopy.go 
@@ -0,0 +1,106 @@ +//go:build !ignore_autogenerated +// +build !ignore_autogenerated + +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by deepcopy-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + runtime "k8s.io/apimachinery/pkg/runtime" +) + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCClientSecretRequest) DeepCopyInto(out *OIDCClientSecretRequest) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + out.Spec = in.Spec + out.Status = in.Status + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSecretRequest. +func (in *OIDCClientSecretRequest) DeepCopy() *OIDCClientSecretRequest { + if in == nil { + return nil + } + out := new(OIDCClientSecretRequest) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *OIDCClientSecretRequest) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCClientSecretRequestList) DeepCopyInto(out *OIDCClientSecretRequestList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]OIDCClientSecretRequest, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSecretRequestList. 
+func (in *OIDCClientSecretRequestList) DeepCopy() *OIDCClientSecretRequestList { + if in == nil { + return nil + } + out := new(OIDCClientSecretRequestList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *OIDCClientSecretRequestList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCClientSecretRequestSpec) DeepCopyInto(out *OIDCClientSecretRequestSpec) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSecretRequestSpec. +func (in *OIDCClientSecretRequestSpec) DeepCopy() *OIDCClientSecretRequestSpec { + if in == nil { + return nil + } + out := new(OIDCClientSecretRequestSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCClientSecretRequestStatus) DeepCopyInto(out *OIDCClientSecretRequestStatus) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSecretRequestStatus. +func (in *OIDCClientSecretRequestStatus) DeepCopy() *OIDCClientSecretRequestStatus { + if in == nil { + return nil + } + out := new(OIDCClientSecretRequestStatus) + in.DeepCopyInto(out) + return out +} diff --git a/generated/1.25/apis/supervisor/clientsecret/v1alpha1/zz_generated.defaults.go b/generated/1.25/apis/supervisor/clientsecret/v1alpha1/zz_generated.defaults.go new file mode 100644 index 00000000..9097a935 --- /dev/null +++ b/generated/1.25/apis/supervisor/clientsecret/v1alpha1/zz_generated.defaults.go 
@@ -0,0 +1,20 @@ +//go:build !ignore_autogenerated +// +build !ignore_autogenerated + +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by defaulter-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + runtime "k8s.io/apimachinery/pkg/runtime" +) + +// RegisterDefaults adds defaulters functions to the given scheme. +// Public to allow building arbitrary schemes. +// All generated defaulters are covering - they call all nested defaulters. +func RegisterDefaults(scheme *runtime.Scheme) error { + return nil +} diff --git a/generated/1.25/apis/supervisor/clientsecret/zz_generated.deepcopy.go b/generated/1.25/apis/supervisor/clientsecret/zz_generated.deepcopy.go new file mode 100644 index 00000000..ffd5e96e --- /dev/null +++ b/generated/1.25/apis/supervisor/clientsecret/zz_generated.deepcopy.go 
@@ -0,0 +1,106 @@ +//go:build !ignore_autogenerated +// +build !ignore_autogenerated + +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by deepcopy-gen. DO NOT EDIT. + +package clientsecret + +import ( + runtime "k8s.io/apimachinery/pkg/runtime" +) + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCClientSecretRequest) DeepCopyInto(out *OIDCClientSecretRequest) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + out.Spec = in.Spec + out.Status = in.Status + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSecretRequest. +func (in *OIDCClientSecretRequest) DeepCopy() *OIDCClientSecretRequest { + if in == nil { + return nil + } + out := new(OIDCClientSecretRequest) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *OIDCClientSecretRequest) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCClientSecretRequestList) DeepCopyInto(out *OIDCClientSecretRequestList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]OIDCClientSecretRequest, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSecretRequestList. 
+func (in *OIDCClientSecretRequestList) DeepCopy() *OIDCClientSecretRequestList { + if in == nil { + return nil + } + out := new(OIDCClientSecretRequestList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *OIDCClientSecretRequestList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCClientSecretRequestSpec) DeepCopyInto(out *OIDCClientSecretRequestSpec) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSecretRequestSpec. +func (in *OIDCClientSecretRequestSpec) DeepCopy() *OIDCClientSecretRequestSpec { + if in == nil { + return nil + } + out := new(OIDCClientSecretRequestSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCClientSecretRequestStatus) DeepCopyInto(out *OIDCClientSecretRequestStatus) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSecretRequestStatus. +func (in *OIDCClientSecretRequestStatus) DeepCopy() *OIDCClientSecretRequestStatus { + if in == nil { + return nil + } + out := new(OIDCClientSecretRequestStatus) + in.DeepCopyInto(out) + return out +} diff --git a/generated/1.25/apis/supervisor/config/v1alpha1/register.go b/generated/1.25/apis/supervisor/config/v1alpha1/register.go index 69045298..54c51699 100644 --- a/generated/1.25/apis/supervisor/config/v1alpha1/register.go +++ b/generated/1.25/apis/supervisor/config/v1alpha1/register.go 
@@ -32,6 +32,8 @@ func addKnownTypes(scheme *runtime.Scheme) error { scheme.AddKnownTypes(SchemeGroupVersion, &FederationDomain{}, &FederationDomainList{}, + &OIDCClient{}, + &OIDCClientList{}, ) metav1.AddToGroupVersion(scheme, SchemeGroupVersion) return nil diff --git a/generated/1.25/apis/supervisor/config/v1alpha1/types_meta.go b/generated/1.25/apis/supervisor/config/v1alpha1/types_meta.go new file mode 100644 index 00000000..cd46a471 --- /dev/null +++ b/generated/1.25/apis/supervisor/config/v1alpha1/types_meta.go 
@@ -0,0 +1,75 @@ +// Copyright 2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +package v1alpha1 + +import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + +// ConditionStatus is effectively an enum type for Condition.Status. +type ConditionStatus string + +// These are valid condition statuses. "ConditionTrue" means a resource is in the condition. +// "ConditionFalse" means a resource is not in the condition. "ConditionUnknown" means kubernetes +// can't decide if a resource is in the condition or not. In the future, we could add other +// intermediate conditions, e.g. ConditionDegraded. +const ( + ConditionTrue ConditionStatus = "True" + ConditionFalse ConditionStatus = "False" + ConditionUnknown ConditionStatus = "Unknown" +) + +// Condition status of a resource (mirrored from the metav1.Condition type added in Kubernetes 1.19). In a future API +// version we can switch to using the upstream type. +// See https://github.com/kubernetes/apimachinery/blob/v0.19.0/pkg/apis/meta/v1/types.go#L1353-L1413. +type Condition struct { + // type of condition in CamelCase or in foo.example.com/CamelCase. + // --- + // Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + // useful (see .node.status.conditions), the ability to deconflict is important. + // The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + // +required + // +kubebuilder:validation:Required + // +kubebuilder:validation:Pattern=`^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$` + // +kubebuilder:validation:MaxLength=316 + Type string `json:"type"` + + // status of the condition, one of True, False, Unknown. 
+ // +required + // +kubebuilder:validation:Required + // +kubebuilder:validation:Enum=True;False;Unknown + Status ConditionStatus `json:"status"` + + // observedGeneration represents the .metadata.generation that the condition was set based upon. + // For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + // with respect to the current state of the instance. + // +optional + // +kubebuilder:validation:Minimum=0 + ObservedGeneration int64 `json:"observedGeneration,omitempty"` + + // lastTransitionTime is the last time the condition transitioned from one status to another. + // This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + // +required + // +kubebuilder:validation:Required + // +kubebuilder:validation:Type=string + // +kubebuilder:validation:Format=date-time + LastTransitionTime metav1.Time `json:"lastTransitionTime"` + + // reason contains a programmatic identifier indicating the reason for the condition's last transition. + // Producers of specific condition types may define expected values and meanings for this field, + // and whether the values are considered a guaranteed API. + // The value should be a CamelCase string. + // This field may not be empty. + // +required + // +kubebuilder:validation:Required + // +kubebuilder:validation:MaxLength=1024 + // +kubebuilder:validation:MinLength=1 + // +kubebuilder:validation:Pattern=`^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$` + Reason string `json:"reason"` + + // message is a human readable message indicating details about the transition. + // This may be an empty string. + // +required + // +kubebuilder:validation:Required + // +kubebuilder:validation:MaxLength=32768 + Message string `json:"message"` +} 
diff --git a/generated/1.25/apis/supervisor/config/v1alpha1/types_oidcclient.go b/generated/1.25/apis/supervisor/config/v1alpha1/types_oidcclient.go new file mode 100644 index 00000000..719a597f --- /dev/null +++ b/generated/1.25/apis/supervisor/config/v1alpha1/types_oidcclient.go 
@@ -0,0 +1,122 @@ +// Copyright 2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +package v1alpha1 + +import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + +type OIDCClientPhase string + +const ( + // PhasePending is the default phase for newly-created OIDCClient resources. + PhasePending OIDCClientPhase = "Pending" + + // PhaseReady is the phase for an OIDCClient resource in a healthy state. + PhaseReady OIDCClientPhase = "Ready" + + // PhaseError is the phase for an OIDCClient in an unhealthy state. + PhaseError OIDCClientPhase = "Error" +) + +// +kubebuilder:validation:Pattern=`^https://.+|^http://(127\.0\.0\.1|\[::1\])(:\d+)?/` +type RedirectURI string + +// +kubebuilder:validation:Enum="authorization_code";"refresh_token";"urn:ietf:params:oauth:grant-type:token-exchange" +type GrantType string + +// +kubebuilder:validation:Enum="openid";"offline_access";"username";"groups";"pinniped:request-audience" +type Scope string + +// OIDCClientSpec is a struct that describes an OIDCClient. +type OIDCClientSpec struct { + // allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this + // client. Any other uris will be rejected. + // Must be a URI with the https scheme, unless the hostname is 127.0.0.1 or ::1 which may use the http scheme. + // Port numbers are not required for 127.0.0.1 or ::1 and are ignored when checking for a matching redirect_uri. + // +listType=set + // +kubebuilder:validation:MinItems=1 + AllowedRedirectURIs []RedirectURI `json:"allowedRedirectURIs"` + + // allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this + // client. + // + // Must only contain the following values: + // - authorization_code: allows the client to perform the authorization code grant flow, i.e. allows the webapp to + // authenticate users. This grant must always be listed. 
+ // - refresh_token: allows the client to perform refresh grants for the user to extend the user's session. + // This grant must be listed if allowedScopes lists offline_access. + // - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange, + // which is a step in the process to be able to get a cluster credential for the user. + // This grant must be listed if allowedScopes lists pinniped:request-audience. + // +listType=set + // +kubebuilder:validation:MinItems=1 + AllowedGrantTypes []GrantType `json:"allowedGrantTypes"` + + // allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. + // + // Must only contain the following values: + // - openid: The client is allowed to request ID tokens. ID tokens only include the required claims by default (iss, sub, aud, exp, iat). + // This scope must always be listed. + // - offline_access: The client is allowed to request an initial refresh token during the authorization code grant flow. + // This scope must be listed if allowedGrantTypes lists refresh_token. + // - pinniped:request-audience: The client is allowed to request a new audience value during a RFC8693 token exchange, + // which is a step in the process to be able to get a cluster credential for the user. + // openid, username and groups scopes must be listed when this scope is present. + // This scope must be listed if allowedGrantTypes lists urn:ietf:params:oauth:grant-type:token-exchange. + // - username: The client is allowed to request that ID tokens contain the user's username. + // Without the username scope being requested and allowed, the ID token will not contain the user's username. + // - groups: The client is allowed to request that ID tokens contain the user's group membership, + // if their group membership is discoverable by the Supervisor. + // Without the groups scope being requested and allowed, the ID token will not contain groups. 
+ // +listType=set + // +kubebuilder:validation:MinItems=1 + AllowedScopes []Scope `json:"allowedScopes"` +} + +// OIDCClientStatus is a struct that describes the actual state of an OIDCClient. +type OIDCClientStatus struct { + // phase summarizes the overall status of the OIDCClient. + // +kubebuilder:default=Pending + // +kubebuilder:validation:Enum=Pending;Ready;Error + Phase OIDCClientPhase `json:"phase,omitempty"` + + // conditions represent the observations of an OIDCClient's current state. + // +patchMergeKey=type + // +patchStrategy=merge + // +listType=map + // +listMapKey=type + Conditions []Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"` + + // totalClientSecrets is the current number of client secrets that are detected for this OIDCClient. + // +optional + TotalClientSecrets int32 `json:"totalClientSecrets"` // do not omitempty to allow it to show in the printer column even when it is 0 +} + +// OIDCClient describes the configuration of an OIDC client. +// +genclient +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +// +kubebuilder:resource:categories=pinniped +// +kubebuilder:printcolumn:name="Privileged Scopes",type=string,JSONPath=`.spec.allowedScopes[?(@ == "pinniped:request-audience")]` +// +kubebuilder:printcolumn:name="Client Secrets",type=integer,JSONPath=`.status.totalClientSecrets` +// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.phase` +// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp` +// +kubebuilder:subresource:status +type OIDCClient struct { + metav1.TypeMeta `json:",inline"` + metav1.ObjectMeta `json:"metadata,omitempty"` + + // Spec of the OIDC client. + Spec OIDCClientSpec `json:"spec"` + + // Status of the OIDC client. + Status OIDCClientStatus `json:"status,omitempty"` +} + +// List of OIDCClient objects. 
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +type OIDCClientList struct { + metav1.TypeMeta `json:",inline"` + metav1.ListMeta `json:"metadata,omitempty"` + + Items []OIDCClient `json:"items"` +} diff --git a/generated/1.25/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go b/generated/1.25/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go index 856b8988..3e7f07d0 100644 --- a/generated/1.25/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go +++ b/generated/1.25/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go @@ -12,6 +12,23 @@ import ( runtime "k8s.io/apimachinery/pkg/runtime" ) +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *Condition) DeepCopyInto(out *Condition) { + *out = *in + in.LastTransitionTime.DeepCopyInto(&out.LastTransitionTime) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Condition. +func (in *Condition) DeepCopy() *Condition { + if in == nil { + return nil + } + out := new(Condition) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *FederationDomain) DeepCopyInto(out *FederationDomain) { *out = *in 
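Review bot: The coupling rules given in the `allowedGrantTypes` and `allowedScopes` doc comments (authorization_code and openid always listed, refresh_token paired with offline_access, token-exchange paired with pinniped:request-audience) are not expressed in the schema, which only enforces `Enum`, `MinItems=1` and `listType=set`, so an OIDCClient that violates them is admitted by the API server. The spec comment should say where those rules are enforced and how a violation surfaces — presumably by the Supervisor controller through `status.phase=Error` and a `status.conditions` entry — e.g. on OIDCClientSpec: `// The API server does not enforce the relationships between allowedGrantTypes and allowedScopes described below; the Supervisor validates them and reports violations in status.conditions.` The `RedirectURI` pattern additionally requires a `/` after the loopback host and optional port, which the `allowedRedirectURIs` comment does not mention; either document that or relax the pattern so it matches the described behaviour. The `OIDCClient` type comment should also state the required `metadata.name` prefix `client.oauth.pinniped.dev-` introduced in types_supervisor_oidc.go in this commit, since nothing in this schema validates the name.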
@@ -150,3 +167,118 @@ func (in *FederationDomainTLSSpec) DeepCopy() *FederationDomainTLSSpec { in.DeepCopyInto(out) return out } + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCClient) DeepCopyInto(out *OIDCClient) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + in.Spec.DeepCopyInto(&out.Spec) + in.Status.DeepCopyInto(&out.Status) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClient. +func (in *OIDCClient) DeepCopy() *OIDCClient { + if in == nil { + return nil + } + out := new(OIDCClient) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *OIDCClient) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCClientList) DeepCopyInto(out *OIDCClientList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]OIDCClient, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientList. +func (in *OIDCClientList) DeepCopy() *OIDCClientList { + if in == nil { + return nil + } + out := new(OIDCClientList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. 
+func (in *OIDCClientList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCClientSpec) DeepCopyInto(out *OIDCClientSpec) { + *out = *in + if in.AllowedRedirectURIs != nil { + in, out := &in.AllowedRedirectURIs, &out.AllowedRedirectURIs + *out = make([]RedirectURI, len(*in)) + copy(*out, *in) + } + if in.AllowedGrantTypes != nil { + in, out := &in.AllowedGrantTypes, &out.AllowedGrantTypes + *out = make([]GrantType, len(*in)) + copy(*out, *in) + } + if in.AllowedScopes != nil { + in, out := &in.AllowedScopes, &out.AllowedScopes + *out = make([]Scope, len(*in)) + copy(*out, *in) + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSpec. +func (in *OIDCClientSpec) DeepCopy() *OIDCClientSpec { + if in == nil { + return nil + } + out := new(OIDCClientSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCClientStatus) DeepCopyInto(out *OIDCClientStatus) { + *out = *in + if in.Conditions != nil { + in, out := &in.Conditions, &out.Conditions + *out = make([]Condition, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientStatus. +func (in *OIDCClientStatus) DeepCopy() *OIDCClientStatus { + if in == nil { + return nil + } + out := new(OIDCClientStatus) + in.DeepCopyInto(out) + return out +} diff --git a/generated/1.25/apis/supervisor/oidc/types_supervisor_oidc.go b/generated/1.25/apis/supervisor/oidc/types_supervisor_oidc.go index b35aafcb..cb6fe627 100644 --- a/generated/1.25/apis/supervisor/oidc/types_supervisor_oidc.go 
+++ b/generated/1.25/apis/supervisor/oidc/types_supervisor_oidc.go 
@@ -15,11 +15,68 @@ const ( // or an LDAPIdentityProvider. AuthorizePasswordHeaderName = "Pinniped-Password" //nolint:gosec // this is not a credential - // AuthorizeUpstreamIDPNameParamName is the name of the HTTP request parameter which can be used to help select which - // identity provider should be used for authentication by sending the name of the desired identity provider. + // AuthorizeUpstreamIDPNameParamName is the name of the HTTP request parameter which can be used to help select + // which identity provider should be used for authentication by sending the name of the desired identity provider. AuthorizeUpstreamIDPNameParamName = "pinniped_idp_name" - // AuthorizeUpstreamIDPTypeParamName is the name of the HTTP request parameter which can be used to help select which - // identity provider should be used for authentication by sending the type of the desired identity provider. + // AuthorizeUpstreamIDPTypeParamName is the name of the HTTP request parameter which can be used to help select + // which identity provider should be used for authentication by sending the type of the desired identity provider. AuthorizeUpstreamIDPTypeParamName = "pinniped_idp_type" + + // IDTokenClaimIssuer is name of the issuer claim defined by the OIDC spec. + IDTokenClaimIssuer = "iss" + + // IDTokenClaimSubject is name of the subject claim defined by the OIDC spec. + IDTokenClaimSubject = "sub" + + // IDTokenClaimAuthorizedParty is name of the authorized party claim defined by the OIDC spec. + IDTokenClaimAuthorizedParty = "azp" + + // IDTokenClaimUsername is the name of a custom claim in the downstream ID token whose value will contain the user's + // username which was mapped from the upstream identity provider. + IDTokenClaimUsername = "username" + + // IDTokenClaimGroups is the name of a custom claim in the downstream ID token whose value will contain the user's + // group names which were mapped from the upstream identity provider. 
+ IDTokenClaimGroups = "groups" + + // GrantTypeAuthorizationCode is the name of the grant type for authorization code flows defined by the OIDC spec. + GrantTypeAuthorizationCode = "authorization_code" + + // GrantTypeRefreshToken is the name of the grant type for refresh flow defined by the OIDC spec. + GrantTypeRefreshToken = "refresh_token" + + // GrantTypeTokenExchange is the name of a custom grant type for RFC8693 token exchanges. + GrantTypeTokenExchange = "urn:ietf:params:oauth:grant-type:token-exchange" //nolint:gosec // this is not a credential + + // ScopeOpenID is name of the openid scope defined by the OIDC spec. + ScopeOpenID = "openid" + + // ScopeOfflineAccess is name of the offline access scope defined by the OIDC spec, used for requesting refresh + // tokens. + ScopeOfflineAccess = "offline_access" + + // ScopeEmail is name of the email scope defined by the OIDC spec. + ScopeEmail = "email" + + // ScopeProfile is name of the profile scope defined by the OIDC spec. + ScopeProfile = "profile" + + // ScopeUsername is the name of a custom scope that determines whether the username claim will be returned inside + // ID tokens. + ScopeUsername = "username" + + // ScopeGroups is the name of a custom scope that determines whether the groups claim will be returned inside + // ID tokens. + ScopeGroups = "groups" + + // ScopeRequestAudience is the name of a custom scope that determines whether a RFC8693 token exchange is allowed to + // be used to request a different audience. + ScopeRequestAudience = "pinniped:request-audience" + + // ClientIDPinnipedCLI is the client ID of the statically defined public OIDC client which is used by the CLI. + ClientIDPinnipedCLI = "pinniped-cli" + + // ClientIDRequiredOIDCClientPrefix is the required prefix for the metadata.name of OIDCClient CRs. + ClientIDRequiredOIDCClientPrefix = "client.oauth.pinniped.dev-" ) 
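Review bot: `ScopeEmail` and `ScopeProfile` are introduced here next to the scopes the OIDCClient `Scope` enum (types_oidcclient.go in this commit) accepts, but that enum lists only openid, offline_access, username, groups and pinniped:request-audience, so a reader cannot tell whether email and profile are deliberately unavailable to OIDCClient resources or were missed. A short comment on each would settle it, e.g. `// ScopeEmail is the name of the email scope defined by the OIDC spec; it is not currently an allowed value for OIDCClient.spec.allowedScopes.`, adjusted to the actual intent. Likewise `ClientIDRequiredOIDCClientPrefix` should say why the prefix is required; presumably it keeps dynamically registered client IDs from ever colliding with the static `pinniped-cli` client ID, and client ID uniqueness is a property of the issuer worth writing down.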
diff --git a/generated/1.25/client/supervisor/clientset/versioned/clientset.go b/generated/1.25/client/supervisor/clientset/versioned/clientset.go index 42bfc489..21112979 100644 --- a/generated/1.25/client/supervisor/clientset/versioned/clientset.go +++ b/generated/1.25/client/supervisor/clientset/versioned/clientset.go @@ -9,6 +9,7 @@ import ( "fmt" "net/http" + clientsecretv1alpha1 "go.pinniped.dev/generated/1.25/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1" configv1alpha1 "go.pinniped.dev/generated/1.25/client/supervisor/clientset/versioned/typed/config/v1alpha1" idpv1alpha1 "go.pinniped.dev/generated/1.25/client/supervisor/clientset/versioned/typed/idp/v1alpha1" discovery "k8s.io/client-go/discovery" @@ -18,6 +19,7 @@ import ( type Interface interface { Discovery() discovery.DiscoveryInterface + ClientsecretV1alpha1() clientsecretv1alpha1.ClientsecretV1alpha1Interface ConfigV1alpha1() configv1alpha1.ConfigV1alpha1Interface IDPV1alpha1() idpv1alpha1.IDPV1alpha1Interface } @@ -26,8 +28,14 @@ type Interface interface { // version included in a Clientset. type Clientset struct { *discovery.DiscoveryClient - configV1alpha1 *configv1alpha1.ConfigV1alpha1Client - iDPV1alpha1 *idpv1alpha1.IDPV1alpha1Client + clientsecretV1alpha1 *clientsecretv1alpha1.ClientsecretV1alpha1Client + configV1alpha1 *configv1alpha1.ConfigV1alpha1Client + iDPV1alpha1 *idpv1alpha1.IDPV1alpha1Client +} + +// ClientsecretV1alpha1 retrieves the ClientsecretV1alpha1Client +func (c *Clientset) ClientsecretV1alpha1() clientsecretv1alpha1.ClientsecretV1alpha1Interface { + return c.clientsecretV1alpha1 } // ConfigV1alpha1 retrieves the ConfigV1alpha1Client 
@@ -84,6 +92,10 @@ func NewForConfigAndClient(c *rest.Config, httpClient *http.Client) (*Clientset, var cs Clientset var err error + cs.clientsecretV1alpha1, err = clientsecretv1alpha1.NewForConfigAndClient(&configShallowCopy, httpClient) + if err != nil { + return nil, err + } cs.configV1alpha1, err = configv1alpha1.NewForConfigAndClient(&configShallowCopy, httpClient) if err != nil { return nil, err @@ -113,6 +125,7 @@ func NewForConfigOrDie(c *rest.Config) *Clientset { // New creates a new Clientset for the given RESTClient. func New(c rest.Interface) *Clientset { var cs Clientset + cs.clientsecretV1alpha1 = clientsecretv1alpha1.New(c) cs.configV1alpha1 = configv1alpha1.New(c) cs.iDPV1alpha1 = idpv1alpha1.New(c) diff --git a/generated/1.25/client/supervisor/clientset/versioned/fake/clientset_generated.go b/generated/1.25/client/supervisor/clientset/versioned/fake/clientset_generated.go index 193384be..eb8b4b55 100644 --- a/generated/1.25/client/supervisor/clientset/versioned/fake/clientset_generated.go +++ b/generated/1.25/client/supervisor/clientset/versioned/fake/clientset_generated.go @@ -7,6 +7,8 @@ package fake import ( clientset "go.pinniped.dev/generated/1.25/client/supervisor/clientset/versioned" + clientsecretv1alpha1 "go.pinniped.dev/generated/1.25/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1" + fakeclientsecretv1alpha1 "go.pinniped.dev/generated/1.25/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/fake" configv1alpha1 "go.pinniped.dev/generated/1.25/client/supervisor/clientset/versioned/typed/config/v1alpha1" fakeconfigv1alpha1 "go.pinniped.dev/generated/1.25/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake" idpv1alpha1 "go.pinniped.dev/generated/1.25/client/supervisor/clientset/versioned/typed/idp/v1alpha1" 
@@ -68,6 +70,11 @@ var ( _ testing.FakeClient = &Clientset{} ) +// ClientsecretV1alpha1 retrieves the ClientsecretV1alpha1Client +func (c *Clientset) ClientsecretV1alpha1() clientsecretv1alpha1.ClientsecretV1alpha1Interface { + return &fakeclientsecretv1alpha1.FakeClientsecretV1alpha1{Fake: &c.Fake} +} + // ConfigV1alpha1 retrieves the ConfigV1alpha1Client func (c *Clientset) ConfigV1alpha1() configv1alpha1.ConfigV1alpha1Interface { return &fakeconfigv1alpha1.FakeConfigV1alpha1{Fake: &c.Fake} diff --git a/generated/1.25/client/supervisor/clientset/versioned/fake/register.go b/generated/1.25/client/supervisor/clientset/versioned/fake/register.go index 10129a72..23ecb90b 100644 --- a/generated/1.25/client/supervisor/clientset/versioned/fake/register.go +++ b/generated/1.25/client/supervisor/clientset/versioned/fake/register.go @@ -6,6 +6,7 @@ package fake import ( + clientsecretv1alpha1 "go.pinniped.dev/generated/1.25/apis/supervisor/clientsecret/v1alpha1" configv1alpha1 "go.pinniped.dev/generated/1.25/apis/supervisor/config/v1alpha1" idpv1alpha1 "go.pinniped.dev/generated/1.25/apis/supervisor/idp/v1alpha1" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" @@ -19,6 +20,7 @@ var scheme = runtime.NewScheme() var codecs = serializer.NewCodecFactory(scheme) var localSchemeBuilder = runtime.SchemeBuilder{ + clientsecretv1alpha1.AddToScheme, configv1alpha1.AddToScheme, idpv1alpha1.AddToScheme, } diff --git a/generated/1.25/client/supervisor/clientset/versioned/scheme/register.go b/generated/1.25/client/supervisor/clientset/versioned/scheme/register.go index 9d564f5d..05cb6ac5 100644 --- a/generated/1.25/client/supervisor/clientset/versioned/scheme/register.go +++ b/generated/1.25/client/supervisor/clientset/versioned/scheme/register.go 
@@ -6,6 +6,7 @@ package scheme import ( + clientsecretv1alpha1 "go.pinniped.dev/generated/1.25/apis/supervisor/clientsecret/v1alpha1" configv1alpha1 "go.pinniped.dev/generated/1.25/apis/supervisor/config/v1alpha1" idpv1alpha1 "go.pinniped.dev/generated/1.25/apis/supervisor/idp/v1alpha1" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" @@ -19,6 +20,7 @@ var Scheme = runtime.NewScheme() var Codecs = serializer.NewCodecFactory(Scheme) var ParameterCodec = runtime.NewParameterCodec(Scheme) var localSchemeBuilder = runtime.SchemeBuilder{ + clientsecretv1alpha1.AddToScheme, configv1alpha1.AddToScheme, idpv1alpha1.AddToScheme, } diff --git a/generated/1.25/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/clientsecret_client.go b/generated/1.25/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/clientsecret_client.go new file mode 100644 index 00000000..412bb0db --- /dev/null +++ b/generated/1.25/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/clientsecret_client.go 
@@ -0,0 +1,94 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + "net/http" + + v1alpha1 "go.pinniped.dev/generated/1.25/apis/supervisor/clientsecret/v1alpha1" + "go.pinniped.dev/generated/1.25/client/supervisor/clientset/versioned/scheme" + rest "k8s.io/client-go/rest" +) + +type ClientsecretV1alpha1Interface interface { + RESTClient() rest.Interface + OIDCClientSecretRequestsGetter +} + +// ClientsecretV1alpha1Client is used to interact with features provided by the clientsecret.supervisor.pinniped.dev group. +type ClientsecretV1alpha1Client struct { + restClient rest.Interface +} + +func (c *ClientsecretV1alpha1Client) OIDCClientSecretRequests(namespace string) OIDCClientSecretRequestInterface { + return newOIDCClientSecretRequests(c, namespace) +} + +// NewForConfig creates a new ClientsecretV1alpha1Client for the given config. +// NewForConfig is equivalent to NewForConfigAndClient(c, httpClient), +// where httpClient was generated with rest.HTTPClientFor(c). +func NewForConfig(c *rest.Config) (*ClientsecretV1alpha1Client, error) { + config := *c + if err := setConfigDefaults(&config); err != nil { + return nil, err + } + httpClient, err := rest.HTTPClientFor(&config) + if err != nil { + return nil, err + } + return NewForConfigAndClient(&config, httpClient) +} + +// NewForConfigAndClient creates a new ClientsecretV1alpha1Client for the given config and http client. +// Note the http client provided takes precedence over the configured transport values. 
+func NewForConfigAndClient(c *rest.Config, h *http.Client) (*ClientsecretV1alpha1Client, error) { + config := *c + if err := setConfigDefaults(&config); err != nil { + return nil, err + } + client, err := rest.RESTClientForConfigAndClient(&config, h) + if err != nil { + return nil, err + } + return &ClientsecretV1alpha1Client{client}, nil +} + +// NewForConfigOrDie creates a new ClientsecretV1alpha1Client for the given config and +// panics if there is an error in the config. +func NewForConfigOrDie(c *rest.Config) *ClientsecretV1alpha1Client { + client, err := NewForConfig(c) + if err != nil { + panic(err) + } + return client +} + +// New creates a new ClientsecretV1alpha1Client for the given RESTClient. +func New(c rest.Interface) *ClientsecretV1alpha1Client { + return &ClientsecretV1alpha1Client{c} +} + +func setConfigDefaults(config *rest.Config) error { + gv := v1alpha1.SchemeGroupVersion + config.GroupVersion = &gv + config.APIPath = "/apis" + config.NegotiatedSerializer = scheme.Codecs.WithoutConversion() + + if config.UserAgent == "" { + config.UserAgent = rest.DefaultKubernetesUserAgent() + } + + return nil +} + +// RESTClient returns a RESTClient that is used to communicate +// with API server by this client implementation. +func (c *ClientsecretV1alpha1Client) RESTClient() rest.Interface { + if c == nil { + return nil + } + return c.restClient +} diff --git a/generated/1.25/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/doc.go b/generated/1.25/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/doc.go new file mode 100644 index 00000000..e7a470b6 --- /dev/null +++ b/generated/1.25/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/doc.go @@ -0,0 +1,7 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +// This package has the automatically generated typed clients. +package v1alpha1 
diff --git a/generated/1.25/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/fake/doc.go b/generated/1.25/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/fake/doc.go new file mode 100644 index 00000000..7906901b --- /dev/null +++ b/generated/1.25/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/fake/doc.go @@ -0,0 +1,7 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +// Package fake has the automatically generated clients. +package fake diff --git a/generated/1.25/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/fake/fake_clientsecret_client.go b/generated/1.25/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/fake/fake_clientsecret_client.go new file mode 100644 index 00000000..86951d2b --- /dev/null +++ b/generated/1.25/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/fake/fake_clientsecret_client.go @@ -0,0 +1,27 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package fake + +import ( + v1alpha1 "go.pinniped.dev/generated/1.25/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1" + rest "k8s.io/client-go/rest" + testing "k8s.io/client-go/testing" +) + +type FakeClientsecretV1alpha1 struct { + *testing.Fake +} + +func (c *FakeClientsecretV1alpha1) OIDCClientSecretRequests(namespace string) v1alpha1.OIDCClientSecretRequestInterface { + return &FakeOIDCClientSecretRequests{c, namespace} +} + +// RESTClient returns a RESTClient that is used to communicate +// with API server by this client implementation. +func (c *FakeClientsecretV1alpha1) RESTClient() rest.Interface { + var ret *rest.RESTClient + return ret +} 
diff --git a/generated/1.25/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/fake/fake_oidcclientsecretrequest.go b/generated/1.25/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/fake/fake_oidcclientsecretrequest.go new file mode 100644 index 00000000..0139e6b3 --- /dev/null +++ b/generated/1.25/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/fake/fake_oidcclientsecretrequest.go 
@@ -0,0 +1,36 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package fake + +import ( + "context" + + v1alpha1 "go.pinniped.dev/generated/1.25/apis/supervisor/clientsecret/v1alpha1" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + schema "k8s.io/apimachinery/pkg/runtime/schema" + testing "k8s.io/client-go/testing" +) + +// FakeOIDCClientSecretRequests implements OIDCClientSecretRequestInterface +type FakeOIDCClientSecretRequests struct { + Fake *FakeClientsecretV1alpha1 + ns string +} + +var oidcclientsecretrequestsResource = schema.GroupVersionResource{Group: "clientsecret.supervisor.pinniped.dev", Version: "v1alpha1", Resource: "oidcclientsecretrequests"} + +var oidcclientsecretrequestsKind = schema.GroupVersionKind{Group: "clientsecret.supervisor.pinniped.dev", Version: "v1alpha1", Kind: "OIDCClientSecretRequest"} + +// Create takes the representation of a oIDCClientSecretRequest and creates it. Returns the server's representation of the oIDCClientSecretRequest, and an error, if there is any. +func (c *FakeOIDCClientSecretRequests) Create(ctx context.Context, oIDCClientSecretRequest *v1alpha1.OIDCClientSecretRequest, opts v1.CreateOptions) (result *v1alpha1.OIDCClientSecretRequest, err error) { + obj, err := c.Fake. + Invokes(testing.NewCreateAction(oidcclientsecretrequestsResource, c.ns, oIDCClientSecretRequest), &v1alpha1.OIDCClientSecretRequest{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.OIDCClientSecretRequest), err +} diff --git a/generated/1.25/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/generated_expansion.go b/generated/1.25/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/generated_expansion.go new file mode 100644 index 00000000..427a2ad8 --- /dev/null +++ b/generated/1.25/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/generated_expansion.go 
@@ -0,0 +1,8 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package v1alpha1 + +type OIDCClientSecretRequestExpansion interface{} diff --git a/generated/1.25/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/oidcclientsecretrequest.go b/generated/1.25/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/oidcclientsecretrequest.go new file mode 100644 index 00000000..a80d4f55 --- /dev/null +++ b/generated/1.25/client/supervisor/clientset/versioned/typed/clientsecret/v1alpha1/oidcclientsecretrequest.go 
@@ -0,0 +1,54 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + "context" + + v1alpha1 "go.pinniped.dev/generated/1.25/apis/supervisor/clientsecret/v1alpha1" + scheme "go.pinniped.dev/generated/1.25/client/supervisor/clientset/versioned/scheme" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + rest "k8s.io/client-go/rest" +) + +// OIDCClientSecretRequestsGetter has a method to return a OIDCClientSecretRequestInterface. +// A group's client should implement this interface. +type OIDCClientSecretRequestsGetter interface { + OIDCClientSecretRequests(namespace string) OIDCClientSecretRequestInterface +} + +// OIDCClientSecretRequestInterface has methods to work with OIDCClientSecretRequest resources. +type OIDCClientSecretRequestInterface interface { + Create(ctx context.Context, oIDCClientSecretRequest *v1alpha1.OIDCClientSecretRequest, opts v1.CreateOptions) (*v1alpha1.OIDCClientSecretRequest, error) + OIDCClientSecretRequestExpansion +} + +// oIDCClientSecretRequests implements OIDCClientSecretRequestInterface +type oIDCClientSecretRequests struct { + client rest.Interface + ns string +} + +// newOIDCClientSecretRequests returns a OIDCClientSecretRequests +func newOIDCClientSecretRequests(c *ClientsecretV1alpha1Client, namespace string) *oIDCClientSecretRequests { + return &oIDCClientSecretRequests{ + client: c.RESTClient(), + ns: namespace, + } +} + +// Create takes the representation of a oIDCClientSecretRequest and creates it. Returns the server's representation of the oIDCClientSecretRequest, and an error, if there is any. +func (c *oIDCClientSecretRequests) Create(ctx context.Context, oIDCClientSecretRequest *v1alpha1.OIDCClientSecretRequest, opts v1.CreateOptions) (result *v1alpha1.OIDCClientSecretRequest, err error) { + result = &v1alpha1.OIDCClientSecretRequest{} + err = c.client.Post(). + Namespace(c.ns). 
+ Resource("oidcclientsecretrequests"). + VersionedParams(&opts, scheme.ParameterCodec). + Body(oIDCClientSecretRequest). + Do(ctx). + Into(result) + return +} diff --git a/generated/1.25/client/supervisor/clientset/versioned/typed/config/v1alpha1/config_client.go b/generated/1.25/client/supervisor/clientset/versioned/typed/config/v1alpha1/config_client.go index 834bf2e1..42bf6948 100644 --- a/generated/1.25/client/supervisor/clientset/versioned/typed/config/v1alpha1/config_client.go +++ b/generated/1.25/client/supervisor/clientset/versioned/typed/config/v1alpha1/config_client.go @@ -16,6 +16,7 @@ import ( type ConfigV1alpha1Interface interface { RESTClient() rest.Interface FederationDomainsGetter + OIDCClientsGetter } // ConfigV1alpha1Client is used to interact with features provided by the config.supervisor.pinniped.dev group. @@ -27,6 +28,10 @@ func (c *ConfigV1alpha1Client) FederationDomains(namespace string) FederationDom return newFederationDomains(c, namespace) } +func (c *ConfigV1alpha1Client) OIDCClients(namespace string) OIDCClientInterface { + return newOIDCClients(c, namespace) +} + // NewForConfig creates a new ConfigV1alpha1Client for the given config. // NewForConfig is equivalent to NewForConfigAndClient(c, httpClient), // where httpClient was generated with rest.HTTPClientFor(c). diff --git a/generated/1.25/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake/fake_config_client.go b/generated/1.25/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake/fake_config_client.go index c0d49545..d41614ee 100644 --- a/generated/1.25/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake/fake_config_client.go +++ b/generated/1.25/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake/fake_config_client.go 
@@ -19,6 +19,10 @@ func (c *FakeConfigV1alpha1) FederationDomains(namespace string) v1alpha1.Federa return &FakeFederationDomains{c, namespace} } +func (c *FakeConfigV1alpha1) OIDCClients(namespace string) v1alpha1.OIDCClientInterface { + return &FakeOIDCClients{c, namespace} +} + // RESTClient returns a RESTClient that is used to communicate // with API server by this client implementation. func (c *FakeConfigV1alpha1) RESTClient() rest.Interface { diff --git a/generated/1.25/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake/fake_oidcclient.go b/generated/1.25/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake/fake_oidcclient.go new file mode 100644 index 00000000..f2b99a9b --- /dev/null +++ b/generated/1.25/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake/fake_oidcclient.go 
@@ -0,0 +1,129 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package fake + +import ( + "context" + + v1alpha1 "go.pinniped.dev/generated/1.25/apis/supervisor/config/v1alpha1" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + labels "k8s.io/apimachinery/pkg/labels" + schema "k8s.io/apimachinery/pkg/runtime/schema" + types "k8s.io/apimachinery/pkg/types" + watch "k8s.io/apimachinery/pkg/watch" + testing "k8s.io/client-go/testing" +) + +// FakeOIDCClients implements OIDCClientInterface +type FakeOIDCClients struct { + Fake *FakeConfigV1alpha1 + ns string +} + +var oidcclientsResource = schema.GroupVersionResource{Group: "config.supervisor.pinniped.dev", Version: "v1alpha1", Resource: "oidcclients"} + +var oidcclientsKind = schema.GroupVersionKind{Group: "config.supervisor.pinniped.dev", Version: "v1alpha1", Kind: "OIDCClient"} + +// Get takes name of the oIDCClient, and returns the corresponding oIDCClient object, and an error if there is any. +func (c *FakeOIDCClients) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.OIDCClient, err error) { + obj, err := c.Fake. + Invokes(testing.NewGetAction(oidcclientsResource, c.ns, name), &v1alpha1.OIDCClient{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.OIDCClient), err +} + +// List takes label and field selectors, and returns the list of OIDCClients that match those selectors. +func (c *FakeOIDCClients) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.OIDCClientList, err error) { + obj, err := c.Fake. 
+ Invokes(testing.NewListAction(oidcclientsResource, oidcclientsKind, c.ns, opts), &v1alpha1.OIDCClientList{}) + + if obj == nil { + return nil, err + } + + label, _, _ := testing.ExtractFromListOptions(opts) + if label == nil { + label = labels.Everything() + } + list := &v1alpha1.OIDCClientList{ListMeta: obj.(*v1alpha1.OIDCClientList).ListMeta} + for _, item := range obj.(*v1alpha1.OIDCClientList).Items { + if label.Matches(labels.Set(item.Labels)) { + list.Items = append(list.Items, item) + } + } + return list, err +} + +// Watch returns a watch.Interface that watches the requested oIDCClients. +func (c *FakeOIDCClients) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) { + return c.Fake. + InvokesWatch(testing.NewWatchAction(oidcclientsResource, c.ns, opts)) + +} + +// Create takes the representation of a oIDCClient and creates it. Returns the server's representation of the oIDCClient, and an error, if there is any. +func (c *FakeOIDCClients) Create(ctx context.Context, oIDCClient *v1alpha1.OIDCClient, opts v1.CreateOptions) (result *v1alpha1.OIDCClient, err error) { + obj, err := c.Fake. + Invokes(testing.NewCreateAction(oidcclientsResource, c.ns, oIDCClient), &v1alpha1.OIDCClient{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.OIDCClient), err +} + +// Update takes the representation of a oIDCClient and updates it. Returns the server's representation of the oIDCClient, and an error, if there is any. +func (c *FakeOIDCClients) Update(ctx context.Context, oIDCClient *v1alpha1.OIDCClient, opts v1.UpdateOptions) (result *v1alpha1.OIDCClient, err error) { + obj, err := c.Fake. + Invokes(testing.NewUpdateAction(oidcclientsResource, c.ns, oIDCClient), &v1alpha1.OIDCClient{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.OIDCClient), err +} + +// UpdateStatus was generated because the type contains a Status member. +// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus(). 
+func (c *FakeOIDCClients) UpdateStatus(ctx context.Context, oIDCClient *v1alpha1.OIDCClient, opts v1.UpdateOptions) (*v1alpha1.OIDCClient, error) { + obj, err := c.Fake. + Invokes(testing.NewUpdateSubresourceAction(oidcclientsResource, "status", c.ns, oIDCClient), &v1alpha1.OIDCClient{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.OIDCClient), err +} + +// Delete takes name of the oIDCClient and deletes it. Returns an error if one occurs. +func (c *FakeOIDCClients) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error { + _, err := c.Fake. + Invokes(testing.NewDeleteActionWithOptions(oidcclientsResource, c.ns, name, opts), &v1alpha1.OIDCClient{}) + + return err +} + +// DeleteCollection deletes a collection of objects. +func (c *FakeOIDCClients) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error { + action := testing.NewDeleteCollectionAction(oidcclientsResource, c.ns, listOpts) + + _, err := c.Fake.Invokes(action, &v1alpha1.OIDCClientList{}) + return err +} + +// Patch applies the patch and returns the patched oIDCClient. +func (c *FakeOIDCClients) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.OIDCClient, err error) { + obj, err := c.Fake. + Invokes(testing.NewPatchSubresourceAction(oidcclientsResource, c.ns, name, pt, data, subresources...), &v1alpha1.OIDCClient{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.OIDCClient), err +} diff --git a/generated/1.25/client/supervisor/clientset/versioned/typed/config/v1alpha1/generated_expansion.go b/generated/1.25/client/supervisor/clientset/versioned/typed/config/v1alpha1/generated_expansion.go index ba9c9173..35b9ee3d 100644 --- a/generated/1.25/client/supervisor/clientset/versioned/typed/config/v1alpha1/generated_expansion.go +++ b/generated/1.25/client/supervisor/clientset/versioned/typed/config/v1alpha1/generated_expansion.go 
@@ -6,3 +6,5 @@ package v1alpha1 type FederationDomainExpansion interface{} + +type OIDCClientExpansion interface{} diff --git a/generated/1.25/client/supervisor/clientset/versioned/typed/config/v1alpha1/oidcclient.go b/generated/1.25/client/supervisor/clientset/versioned/typed/config/v1alpha1/oidcclient.go new file mode 100644 index 00000000..ebf0ee36 --- /dev/null +++ b/generated/1.25/client/supervisor/clientset/versioned/typed/config/v1alpha1/oidcclient.go 
@@ -0,0 +1,182 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + "context" + "time" + + v1alpha1 "go.pinniped.dev/generated/1.25/apis/supervisor/config/v1alpha1" + scheme "go.pinniped.dev/generated/1.25/client/supervisor/clientset/versioned/scheme" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + types "k8s.io/apimachinery/pkg/types" + watch "k8s.io/apimachinery/pkg/watch" + rest "k8s.io/client-go/rest" +) + +// OIDCClientsGetter has a method to return a OIDCClientInterface. +// A group's client should implement this interface. +type OIDCClientsGetter interface { + OIDCClients(namespace string) OIDCClientInterface +} + +// OIDCClientInterface has methods to work with OIDCClient resources. +type OIDCClientInterface interface { + Create(ctx context.Context, oIDCClient *v1alpha1.OIDCClient, opts v1.CreateOptions) (*v1alpha1.OIDCClient, error) + Update(ctx context.Context, oIDCClient *v1alpha1.OIDCClient, opts v1.UpdateOptions) (*v1alpha1.OIDCClient, error) + UpdateStatus(ctx context.Context, oIDCClient *v1alpha1.OIDCClient, opts v1.UpdateOptions) (*v1alpha1.OIDCClient, error) + Delete(ctx context.Context, name string, opts v1.DeleteOptions) error + DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error + Get(ctx context.Context, name string, opts v1.GetOptions) (*v1alpha1.OIDCClient, error) + List(ctx context.Context, opts v1.ListOptions) (*v1alpha1.OIDCClientList, error) + Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) + Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.OIDCClient, err error) + OIDCClientExpansion +} + +// oIDCClients implements OIDCClientInterface +type oIDCClients struct { + client rest.Interface + ns string +} + +// newOIDCClients returns a OIDCClients +func 
newOIDCClients(c *ConfigV1alpha1Client, namespace string) *oIDCClients { + return &oIDCClients{ + client: c.RESTClient(), + ns: namespace, + } +} + +// Get takes name of the oIDCClient, and returns the corresponding oIDCClient object, and an error if there is any. +func (c *oIDCClients) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.OIDCClient, err error) { + result = &v1alpha1.OIDCClient{} + err = c.client.Get(). + Namespace(c.ns). + Resource("oidcclients"). + Name(name). + VersionedParams(&options, scheme.ParameterCodec). + Do(ctx). + Into(result) + return +} + +// List takes label and field selectors, and returns the list of OIDCClients that match those selectors. +func (c *oIDCClients) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.OIDCClientList, err error) { + var timeout time.Duration + if opts.TimeoutSeconds != nil { + timeout = time.Duration(*opts.TimeoutSeconds) * time.Second + } + result = &v1alpha1.OIDCClientList{} + err = c.client.Get(). + Namespace(c.ns). + Resource("oidcclients"). + VersionedParams(&opts, scheme.ParameterCodec). + Timeout(timeout). + Do(ctx). + Into(result) + return +} + +// Watch returns a watch.Interface that watches the requested oIDCClients. +func (c *oIDCClients) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) { + var timeout time.Duration + if opts.TimeoutSeconds != nil { + timeout = time.Duration(*opts.TimeoutSeconds) * time.Second + } + opts.Watch = true + return c.client.Get(). + Namespace(c.ns). + Resource("oidcclients"). + VersionedParams(&opts, scheme.ParameterCodec). + Timeout(timeout). + Watch(ctx) +} + +// Create takes the representation of a oIDCClient and creates it. Returns the server's representation of the oIDCClient, and an error, if there is any. 
+func (c *oIDCClients) Create(ctx context.Context, oIDCClient *v1alpha1.OIDCClient, opts v1.CreateOptions) (result *v1alpha1.OIDCClient, err error) { + result = &v1alpha1.OIDCClient{} + err = c.client.Post(). + Namespace(c.ns). + Resource("oidcclients"). + VersionedParams(&opts, scheme.ParameterCodec). + Body(oIDCClient). + Do(ctx). + Into(result) + return +} + +// Update takes the representation of a oIDCClient and updates it. Returns the server's representation of the oIDCClient, and an error, if there is any. +func (c *oIDCClients) Update(ctx context.Context, oIDCClient *v1alpha1.OIDCClient, opts v1.UpdateOptions) (result *v1alpha1.OIDCClient, err error) { + result = &v1alpha1.OIDCClient{} + err = c.client.Put(). + Namespace(c.ns). + Resource("oidcclients"). + Name(oIDCClient.Name). + VersionedParams(&opts, scheme.ParameterCodec). + Body(oIDCClient). + Do(ctx). + Into(result) + return +} + +// UpdateStatus was generated because the type contains a Status member. +// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus(). +func (c *oIDCClients) UpdateStatus(ctx context.Context, oIDCClient *v1alpha1.OIDCClient, opts v1.UpdateOptions) (result *v1alpha1.OIDCClient, err error) { + result = &v1alpha1.OIDCClient{} + err = c.client.Put(). + Namespace(c.ns). + Resource("oidcclients"). + Name(oIDCClient.Name). + SubResource("status"). + VersionedParams(&opts, scheme.ParameterCodec). + Body(oIDCClient). + Do(ctx). + Into(result) + return +} + +// Delete takes name of the oIDCClient and deletes it. Returns an error if one occurs. +func (c *oIDCClients) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error { + return c.client.Delete(). + Namespace(c.ns). + Resource("oidcclients"). + Name(name). + Body(&opts). + Do(ctx). + Error() +} + +// DeleteCollection deletes a collection of objects. 
+func (c *oIDCClients) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error { + var timeout time.Duration + if listOpts.TimeoutSeconds != nil { + timeout = time.Duration(*listOpts.TimeoutSeconds) * time.Second + } + return c.client.Delete(). + Namespace(c.ns). + Resource("oidcclients"). + VersionedParams(&listOpts, scheme.ParameterCodec). + Timeout(timeout). + Body(&opts). + Do(ctx). + Error() +} + +// Patch applies the patch and returns the patched oIDCClient. +func (c *oIDCClients) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.OIDCClient, err error) { + result = &v1alpha1.OIDCClient{} + err = c.client.Patch(pt). + Namespace(c.ns). + Resource("oidcclients"). + Name(name). + SubResource(subresources...). + VersionedParams(&opts, scheme.ParameterCodec). + Body(data). + Do(ctx). + Into(result) + return +} diff --git a/generated/1.25/client/supervisor/informers/externalversions/config/v1alpha1/interface.go b/generated/1.25/client/supervisor/informers/externalversions/config/v1alpha1/interface.go index 39d99948..ea266f5c 100644 --- a/generated/1.25/client/supervisor/informers/externalversions/config/v1alpha1/interface.go +++ b/generated/1.25/client/supervisor/informers/externalversions/config/v1alpha1/interface.go @@ -13,6 +13,8 @@ import ( type Interface interface { // FederationDomains returns a FederationDomainInformer. FederationDomains() FederationDomainInformer + // OIDCClients returns a OIDCClientInformer. + OIDCClients() OIDCClientInformer } type version struct { 
@@ -30,3 +32,8 @@ func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakList func (v *version) FederationDomains() FederationDomainInformer { return &federationDomainInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions} } + +// OIDCClients returns a OIDCClientInformer. +func (v *version) OIDCClients() OIDCClientInformer { + return &oIDCClientInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions} +} diff --git a/generated/1.25/client/supervisor/informers/externalversions/config/v1alpha1/oidcclient.go b/generated/1.25/client/supervisor/informers/externalversions/config/v1alpha1/oidcclient.go new file mode 100644 index 00000000..abe911f2 --- /dev/null +++ b/generated/1.25/client/supervisor/informers/externalversions/config/v1alpha1/oidcclient.go 
@@ -0,0 +1,77 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by informer-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + "context" + time "time" + + configv1alpha1 "go.pinniped.dev/generated/1.25/apis/supervisor/config/v1alpha1" + versioned "go.pinniped.dev/generated/1.25/client/supervisor/clientset/versioned" + internalinterfaces "go.pinniped.dev/generated/1.25/client/supervisor/informers/externalversions/internalinterfaces" + v1alpha1 "go.pinniped.dev/generated/1.25/client/supervisor/listers/config/v1alpha1" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + runtime "k8s.io/apimachinery/pkg/runtime" + watch "k8s.io/apimachinery/pkg/watch" + cache "k8s.io/client-go/tools/cache" +) + +// OIDCClientInformer provides access to a shared informer and lister for +// OIDCClients. +type OIDCClientInformer interface { + Informer() cache.SharedIndexInformer + Lister() v1alpha1.OIDCClientLister +} + +type oIDCClientInformer struct { + factory internalinterfaces.SharedInformerFactory + tweakListOptions internalinterfaces.TweakListOptionsFunc + namespace string +} + +// NewOIDCClientInformer constructs a new informer for OIDCClient type. +// Always prefer using an informer factory to get a shared informer instead of getting an independent +// one. This reduces memory footprint and number of connections to the server. +func NewOIDCClientInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer { + return NewFilteredOIDCClientInformer(client, namespace, resyncPeriod, indexers, nil) +} + +// NewFilteredOIDCClientInformer constructs a new informer for OIDCClient type. +// Always prefer using an informer factory to get a shared informer instead of getting an independent +// one. This reduces memory footprint and number of connections to the server. 
+func NewFilteredOIDCClientInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer { + return cache.NewSharedIndexInformer( + &cache.ListWatch{ + ListFunc: func(options v1.ListOptions) (runtime.Object, error) { + if tweakListOptions != nil { + tweakListOptions(&options) + } + return client.ConfigV1alpha1().OIDCClients(namespace).List(context.TODO(), options) + }, + WatchFunc: func(options v1.ListOptions) (watch.Interface, error) { + if tweakListOptions != nil { + tweakListOptions(&options) + } + return client.ConfigV1alpha1().OIDCClients(namespace).Watch(context.TODO(), options) + }, + }, + &configv1alpha1.OIDCClient{}, + resyncPeriod, + indexers, + ) +} + +func (f *oIDCClientInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer { + return NewFilteredOIDCClientInformer(client, f.namespace, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions) +} + +func (f *oIDCClientInformer) Informer() cache.SharedIndexInformer { + return f.factory.InformerFor(&configv1alpha1.OIDCClient{}, f.defaultInformer) +} + +func (f *oIDCClientInformer) Lister() v1alpha1.OIDCClientLister { + return v1alpha1.NewOIDCClientLister(f.Informer().GetIndexer()) +} diff --git a/generated/1.25/client/supervisor/informers/externalversions/generic.go b/generated/1.25/client/supervisor/informers/externalversions/generic.go index 03ed19f7..781bca37 100644 --- a/generated/1.25/client/supervisor/informers/externalversions/generic.go +++ b/generated/1.25/client/supervisor/informers/externalversions/generic.go 
@@ -43,6 +43,8 @@ func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource // Group=config.supervisor.pinniped.dev, Version=v1alpha1 case v1alpha1.SchemeGroupVersion.WithResource("federationdomains"): return &genericInformer{resource: resource.GroupResource(), informer: f.Config().V1alpha1().FederationDomains().Informer()}, nil + case v1alpha1.SchemeGroupVersion.WithResource("oidcclients"): + return &genericInformer{resource: resource.GroupResource(), informer: f.Config().V1alpha1().OIDCClients().Informer()}, nil // Group=idp.supervisor.pinniped.dev, Version=v1alpha1 case idpv1alpha1.SchemeGroupVersion.WithResource("activedirectoryidentityproviders"): diff --git a/generated/1.25/client/supervisor/listers/config/v1alpha1/expansion_generated.go b/generated/1.25/client/supervisor/listers/config/v1alpha1/expansion_generated.go index d59892c4..bda2f20e 100644 --- a/generated/1.25/client/supervisor/listers/config/v1alpha1/expansion_generated.go +++ b/generated/1.25/client/supervisor/listers/config/v1alpha1/expansion_generated.go @@ -12,3 +12,11 @@ type FederationDomainListerExpansion interface{} // FederationDomainNamespaceListerExpansion allows custom methods to be added to // FederationDomainNamespaceLister. type FederationDomainNamespaceListerExpansion interface{} + +// OIDCClientListerExpansion allows custom methods to be added to +// OIDCClientLister. +type OIDCClientListerExpansion interface{} + +// OIDCClientNamespaceListerExpansion allows custom methods to be added to +// OIDCClientNamespaceLister. +type OIDCClientNamespaceListerExpansion interface{} diff --git a/generated/1.25/client/supervisor/listers/config/v1alpha1/oidcclient.go b/generated/1.25/client/supervisor/listers/config/v1alpha1/oidcclient.go new file mode 100644 index 00000000..8f8e8e10 --- /dev/null +++ b/generated/1.25/client/supervisor/listers/config/v1alpha1/oidcclient.go 
@@ -0,0 +1,86 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by lister-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + v1alpha1 "go.pinniped.dev/generated/1.25/apis/supervisor/config/v1alpha1" + "k8s.io/apimachinery/pkg/api/errors" + "k8s.io/apimachinery/pkg/labels" + "k8s.io/client-go/tools/cache" +) + +// OIDCClientLister helps list OIDCClients. +// All objects returned here must be treated as read-only. +type OIDCClientLister interface { + // List lists all OIDCClients in the indexer. + // Objects returned here must be treated as read-only. + List(selector labels.Selector) (ret []*v1alpha1.OIDCClient, err error) + // OIDCClients returns an object that can list and get OIDCClients. + OIDCClients(namespace string) OIDCClientNamespaceLister + OIDCClientListerExpansion +} + +// oIDCClientLister implements the OIDCClientLister interface. +type oIDCClientLister struct { + indexer cache.Indexer +} + +// NewOIDCClientLister returns a new OIDCClientLister. +func NewOIDCClientLister(indexer cache.Indexer) OIDCClientLister { + return &oIDCClientLister{indexer: indexer} +} + +// List lists all OIDCClients in the indexer. +func (s *oIDCClientLister) List(selector labels.Selector) (ret []*v1alpha1.OIDCClient, err error) { + err = cache.ListAll(s.indexer, selector, func(m interface{}) { + ret = append(ret, m.(*v1alpha1.OIDCClient)) + }) + return ret, err +} + +// OIDCClients returns an object that can list and get OIDCClients. +func (s *oIDCClientLister) OIDCClients(namespace string) OIDCClientNamespaceLister { + return oIDCClientNamespaceLister{indexer: s.indexer, namespace: namespace} +} + +// OIDCClientNamespaceLister helps list and get OIDCClients. +// All objects returned here must be treated as read-only. +type OIDCClientNamespaceLister interface { + // List lists all OIDCClients in the indexer for a given namespace. + // Objects returned here must be treated as read-only. 
+ List(selector labels.Selector) (ret []*v1alpha1.OIDCClient, err error) + // Get retrieves the OIDCClient from the indexer for a given namespace and name. + // Objects returned here must be treated as read-only. + Get(name string) (*v1alpha1.OIDCClient, error) + OIDCClientNamespaceListerExpansion +} + +// oIDCClientNamespaceLister implements the OIDCClientNamespaceLister +// interface. +type oIDCClientNamespaceLister struct { + indexer cache.Indexer + namespace string +} + +// List lists all OIDCClients in the indexer for a given namespace. +func (s oIDCClientNamespaceLister) List(selector labels.Selector) (ret []*v1alpha1.OIDCClient, err error) { + err = cache.ListAllByNamespace(s.indexer, s.namespace, selector, func(m interface{}) { + ret = append(ret, m.(*v1alpha1.OIDCClient)) + }) + return ret, err +} + +// Get retrieves the OIDCClient from the indexer for a given namespace and name. +func (s oIDCClientNamespaceLister) Get(name string) (*v1alpha1.OIDCClient, error) { + obj, exists, err := s.indexer.GetByKey(s.namespace + "/" + name) + if err != nil { + return nil, err + } + if !exists { + return nil, errors.NewNotFound(v1alpha1.Resource("oidcclient"), name) + } + return obj.(*v1alpha1.OIDCClient), nil +} diff --git a/generated/1.25/crds/config.supervisor.pinniped.dev_oidcclients.yaml b/generated/1.25/crds/config.supervisor.pinniped.dev_oidcclients.yaml new file mode 100644 index 00000000..e4978627 --- /dev/null +++ b/generated/1.25/crds/config.supervisor.pinniped.dev_oidcclients.yaml 
@@ -0,0 +1,221 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.8.0 + creationTimestamp: null + name: oidcclients.config.supervisor.pinniped.dev +spec: + group: config.supervisor.pinniped.dev + names: + categories: + - pinniped + kind: OIDCClient + listKind: OIDCClientList + plural: oidcclients + singular: oidcclient + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.allowedScopes[?(@ == "pinniped:request-audience")] + name: Privileged Scopes + type: string + - jsonPath: .status.totalClientSecrets + name: Client Secrets + type: integer + - jsonPath: .status.phase + name: Status + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: OIDCClient describes the configuration of an OIDC client. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec of the OIDC client. + properties: + allowedGrantTypes: + description: "allowedGrantTypes is a list of the allowed grant_type + param values that should be accepted during OIDC flows with this + client. \n Must only contain the following values: - authorization_code: + allows the client to perform the authorization code grant flow, + i.e. 
allows the webapp to authenticate users. This grant must always + be listed. - refresh_token: allows the client to perform refresh + grants for the user to extend the user's session. This grant must + be listed if allowedScopes lists offline_access. - urn:ietf:params:oauth:grant-type:token-exchange: + allows the client to perform RFC8693 token exchange, which is a + step in the process to be able to get a cluster credential for the + user. This grant must be listed if allowedScopes lists pinniped:request-audience." + items: + enum: + - authorization_code + - refresh_token + - urn:ietf:params:oauth:grant-type:token-exchange + type: string + minItems: 1 + type: array + x-kubernetes-list-type: set + allowedRedirectURIs: + description: allowedRedirectURIs is a list of the allowed redirect_uri + param values that should be accepted during OIDC flows with this + client. Any other uris will be rejected. Must be a URI with the + https scheme, unless the hostname is 127.0.0.1 or ::1 which may + use the http scheme. Port numbers are not required for 127.0.0.1 + or ::1 and are ignored when checking for a matching redirect_uri. + items: + pattern: ^https://.+|^http://(127\.0\.0\.1|\[::1\])(:\d+)?/ + type: string + minItems: 1 + type: array + x-kubernetes-list-type: set + allowedScopes: + description: "allowedScopes is a list of the allowed scopes param + values that should be accepted during OIDC flows with this client. + \n Must only contain the following values: - openid: The client + is allowed to request ID tokens. ID tokens only include the required + claims by default (iss, sub, aud, exp, iat). This scope must always + be listed. - offline_access: The client is allowed to request an + initial refresh token during the authorization code grant flow. + This scope must be listed if allowedGrantTypes lists refresh_token. 
+ - pinniped:request-audience: The client is allowed to request a + new audience value during a RFC8693 token exchange, which is a step + in the process to be able to get a cluster credential for the user. + openid, username and groups scopes must be listed when this scope + is present. This scope must be listed if allowedGrantTypes lists + urn:ietf:params:oauth:grant-type:token-exchange. - username: The + client is allowed to request that ID tokens contain the user's username. + Without the username scope being requested and allowed, the ID token + will not contain the user's username. - groups: The client is allowed + to request that ID tokens contain the user's group membership, if + their group membership is discoverable by the Supervisor. Without + the groups scope being requested and allowed, the ID token will + not contain groups." + items: + enum: + - openid + - offline_access + - username + - groups + - pinniped:request-audience + type: string + minItems: 1 + type: array + x-kubernetes-list-type: set + required: + - allowedGrantTypes + - allowedRedirectURIs + - allowedScopes + type: object + status: + description: Status of the OIDC client. + properties: + conditions: + description: conditions represent the observations of an OIDCClient's + current state. + items: + description: Condition status of a resource (mirrored from the metav1.Condition + type added in Kubernetes 1.19). In a future API version we can + switch to using the upstream type. See https://github.com/kubernetes/apimachinery/blob/v0.19.0/pkg/apis/meta/v1/types.go#L1353-L1413. + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. 
+ format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + phase: + default: Pending + description: phase summarizes the overall status of the OIDCClient. 
+ enum: + - Pending + - Ready + - Error + type: string + totalClientSecrets: + description: totalClientSecrets is the current number of client secrets + that are detected for this OIDCClient. + format: int32 + type: integer + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] From 1c296e5c4ccecccb241caf2b3a3bb920099b216d Mon Sep 17 00:00:00 2001 
From: Ryan Richard Date: Fri, 26 Aug 2022 10:57:45 -0700 Subject: [PATCH 44/61] Implement the OIDCClientSecretRequest API This commit is a WIP commit because it doesn't include many tests for the new feature. Co-authored-by: Ryan Richard Co-authored-by: Benjamin A. Petersen --- deploy/supervisor/deployment.yaml | 20 +- .../oidcclientwatcher/oidc_client_watcher.go | 2 +- internal/crud/crud.go | 39 ++- internal/crud/crud_test.go | 11 +- .../fositestorage/accesstoken/accesstoken.go | 1 + .../authorizationcode/authorizationcode.go | 2 +- .../authorizationcode_test.go | 3 +- .../openidconnect/openidconnect.go | 2 +- internal/fositestorage/pkce/pkce.go | 2 +- .../refreshtoken/refreshtoken.go | 1 + .../clientregistry/clientregistry_test.go | 2 +- internal/oidc/kube_storage.go | 2 +- internal/oidc/nullstorage.go | 3 +- .../oidcclientvalidator.go | 8 +- .../oidc/provider/manager/manager_test.go | 2 +- .../oidcclientsecretstorage.go | 76 ++++-- .../oidcclientsecretstorage_test.go | 25 +- internal/registry/clientsecretrequest/rest.go | 244 +++++++++++++++++- internal/supervisor/apiserver/apiserver.go | 7 +- internal/supervisor/server/server.go | 12 +- .../ACCEPTANCE-NOTES.md | 200 ++++++++++++++ .../README.md | 4 +- test/integration/supervisor_login_test.go | 2 +- .../supervisor_oidc_client_test.go | 49 +++- .../supervisor_oidcclientsecret_test.go | 46 +++- test/testlib/client.go | 2 +- 26 files changed, 676 insertions(+), 91 deletions(-) create mode 100644 proposals/1125_dynamic-supervisor-oidc-clients/ACCEPTANCE-NOTES.md diff --git a/deploy/supervisor/deployment.yaml b/deploy/supervisor/deployment.yaml index e693dd62..293f1894 100644 --- a/deploy/supervisor/deployment.yaml +++ b/deploy/supervisor/deployment.yaml 
@@ -98,10 +98,26 @@ spec:
 readOnlyRootFilesystem: true
 resources:
 requests:
- cpu: "100m"
+ #! If OIDCClient CRs are being used, then the Supervisor needs enough CPU to run expensive bcrypt
+ #! operations inside the implementation of the token endpoint for any authcode flows performed by those
+ #! clients, so for that use case administrators may wish to increase the requests.cpu value to more
+ #! closely align with their anticipated needs. Increasing this value will cause Kubernetes to give more
+ #! available CPU to this process during times of high CPU contention. By default, don't ask for too much
+ #! because that would make it impossible to install the Pinniped Supervisor on small clusters.
+ #! Aside from performing bcrypts at the token endpoint for those clients, the Supervisor is not a
+ #! particularly CPU-intensive process.
+ cpu: "100m" #! by default, request one-tenth of a CPU
 memory: "128Mi"
 limits:
- cpu: "100m"
+ #! By declaring a CPU limit that is not equal to the CPU request value, the Supervisor will be classified
+ #! by Kubernetes to have "burstable" quality of service.
+ #! See https://kubernetes.io/docs/tasks/configure-pod-container/quality-service-pod/#create-a-pod-that-gets-assigned-a-qos-class-of-burstable
+ #! If OIDCClient CRs are being used, and lots of simultaneous users have active sessions, then it is hard
+ #! pre-determine what the CPU limit should be for that use case. Guessing too low would cause the
+ #! pod's CPU usage to be throttled, resulting in poor performance. Guessing too high would allow clients
+ #! to cause the usage of lots of CPU resources. Administrators who have a good sense of anticipated usage
+ #! patterns may choose to set the requests.cpu and limits.cpu differently from these defaults.
+ cpu: "1000m" #! by default, throttle each pod's usage at 1 CPU
 memory: "128Mi"
 volumeMounts:
 - name: config-volume
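Review bot: The new comment above `limits.cpu` has a typo — `#! pre-determine what the CPU limit should be` should read `#! to pre-determine what the CPU limit should be`. The same comment already warns that guessing the limit too high "would allow clients to cause the usage of lots of CPU resources"; it would help operators to spell out that the bcrypt check at the token endpoint presumably runs for every request that presents a client secret, valid or not (confirm against the token endpoint code), so this limit is also what bounds CPU spent on unauthenticated callers, e.g. `#! The bcrypt comparison runs before the client is authenticated, so this limit also caps CPU burned by requests with a wrong client secret.` The memory request and limit are left untouched, which is consistent with the comment's claim that only CPU is affected by these flows.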
diff --git a/internal/controller/supervisorconfig/oidcclientwatcher/oidc_client_watcher.go b/internal/controller/supervisorconfig/oidcclientwatcher/oidc_client_watcher.go index 69e513c6..44377fa3 100644 --- a/internal/controller/supervisorconfig/oidcclientwatcher/oidc_client_watcher.go +++ b/internal/controller/supervisorconfig/oidcclientwatcher/oidc_client_watcher.go @@ -82,7 +82,7 @@ func (c *oidcClientWatcherController) Sync(ctx controllerlib.Context) error { // We're only going to use storage to call GetName(), which happens to not need the constructor params. // This is because we can read the Secrets from the informer cache here, instead of doing live reads. - storage := oidcclientsecretstorage.New(nil, nil) + storage := oidcclientsecretstorage.New(nil) for _, oidcClient := range oidcClients { // Skip the OIDCClients that we are not trying to observe. diff --git a/internal/crud/crud.go b/internal/crud/crud.go index 12b3782f..e59b4652 100644 --- a/internal/crud/crud.go +++ b/internal/crud/crud.go @@ -14,8 +14,10 @@ import ( "time" corev1 "k8s.io/api/core/v1" + "k8s.io/apimachinery/pkg/api/errors" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/labels" + "k8s.io/apimachinery/pkg/runtime/schema" corev1client "k8s.io/client-go/kubernetes/typed/core/v1" "go.pinniped.dev/internal/constable" @@ -40,7 +42,7 @@ const ( ) type Storage interface { - Create(ctx context.Context, signature string, data JSON, additionalLabels map[string]string) (resourceVersion string, err error) + Create(ctx context.Context, signature string, data JSON, additionalLabels map[string]string, ownerReferences []metav1.OwnerReference) (resourceVersion string, err error) Get(ctx context.Context, signature string, data JSON) (resourceVersion string, err error) Update(ctx context.Context, signature, resourceVersion string, data JSON) (newResourceVersion string, err error) Delete(ctx context.Context, signature string) error 
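Review bot: The new `ownerReferences` parameter on `Storage.Create` is undocumented, and nothing on the interface says why `Update` does not take the same parameter. Since the `secretsStorage.Update` change in this patch deliberately copies labels, annotations and owner references from the existing Secret, a comment above `Create` should state the contract, e.g. `// Create stores data under signature. additionalLabels and ownerReferences are applied only at creation time; Update preserves the labels, annotations and owner references already present on the stored object.` Without it, a future caller could reasonably expect owner references to be replaceable through `Update`, and the garbage-collection behaviour that the owner reference drives would silently differ from what they intended.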
@@ -68,8 +70,8 @@ type secretsStorage struct { lifetime time.Duration } -func (s *secretsStorage) Create(ctx context.Context, signature string, data JSON, additionalLabels map[string]string) (string, error) { - secret, err := s.toSecret(signature, "", data, additionalLabels) +func (s *secretsStorage) Create(ctx context.Context, signature string, data JSON, additionalLabels map[string]string, ownerReferences []metav1.OwnerReference) (string, error) { + secret, err := s.toSecret(signature, "", data, additionalLabels, ownerReferences) if err != nil { return "", err } 
@@ -94,14 +96,26 @@ func (s *secretsStorage) Get(ctx context.Context, signature string, data JSON) ( } func (s *secretsStorage) Update(ctx context.Context, signature, resourceVersion string, data JSON) (string, error) { - // Note: There may be a small bug here in that toSecret will move the SecretLifetimeAnnotationKey date forward - // instead of keeping the storage resource's original SecretLifetimeAnnotationKey value. However, we only use - // this Update method in one place, and it doesn't matter in that place. Be aware that it might need improvement - // if we start using this Update method in more places. - secret, err := s.toSecret(signature, resourceVersion, data, nil) + secret, err := s.toSecret(signature, resourceVersion, data, nil, nil) if err != nil { return "", err } + + oldSecret, err := s.secrets.Get(ctx, secret.Name, metav1.GetOptions{}) + if err != nil { + return "", fmt.Errorf("failed to get %s for signature %s: %w", s.resource, signature, err) + } + // do not assume that our secret client does live reads + if oldSecret.ResourceVersion != resourceVersion { + return "", errors.NewConflict(schema.GroupResource{Resource: "Secret"}, secret.Name, + fmt.Errorf("resource version %s does not match expected value: %s", oldSecret.ResourceVersion, resourceVersion)) + } + + // preserve these fields - they are effectively immutable on update + secret.Labels = oldSecret.Labels + secret.Annotations = oldSecret.Annotations + secret.OwnerReferences = oldSecret.OwnerReferences + secret, err = s.secrets.Update(ctx, secret, metav1.UpdateOptions{}) if err != nil { return "", fmt.Errorf("failed to update %s for signature %s at resource version %s: %w", s.resource, signature, resourceVersion, err) 
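Review bot: The conflict error in `Update` is built from `schema.GroupResource{Resource: "Secret"}`, which is not how the core API names this resource (lowercase plural `secrets` in the core group); the file already imports `corev1`, so `errors.NewConflict(corev1.Resource("secrets"), secret.Name, ...)` gives the conventional GroupResource and lets the newly added `schema` import be dropped. Separately, the `Get`-then-compare is only a pre-check for a stale or cache-backed client — what actually makes the write conditional is the `resourceVersion` carried on the Secret handed to `s.secrets.Update` — so the comment `// do not assume that our secret client does live reads` would be clearer as `// pre-check for a stale/cached client; the resourceVersion on the object is what makes the Update itself conditional`, so nobody later removes the resourceVersion thinking this check replaces it. The body of `Update` continues beyond the end of this hunk.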
@@ -180,18 +194,17 @@ func (s *secretsStorage) GetName(signature string) string { return fmt.Sprintf(secretNameFormat, s.resource, signatureAsValidName) } -func (s *secretsStorage) toSecret(signature, resourceVersion string, data JSON, additionalLabels map[string]string) (*corev1.Secret, error) { +func (s *secretsStorage) toSecret(signature, resourceVersion string, data JSON, additionalLabels map[string]string, ownerReferences []metav1.OwnerReference) (*corev1.Secret, error) { buf, err := json.Marshal(data) if err != nil { return nil, fmt.Errorf("failed to encode secret data for %s: %w", s.GetName(signature), err) } - labelsToAdd := map[string]string{ - SecretLabelKey: s.resource, // make it easier to find this stuff via kubectl - } + labelsToAdd := make(map[string]string, len(additionalLabels)+1) for labelName, labelValue := range additionalLabels { labelsToAdd[labelName] = labelValue } + labelsToAdd[SecretLabelKey] = s.resource // make it easier to find this stuff via kubectl var annotations map[string]string if s.lifetime > 0 { @@ -206,7 +219,7 @@ func (s *secretsStorage) toSecret(signature, resourceVersion string, data JSON, ResourceVersion: resourceVersion, Labels: labelsToAdd, Annotations: annotations, - OwnerReferences: nil, + OwnerReferences: ownerReferences, }, Data: map[string][]byte{ secretDataKey: buf, diff --git a/internal/crud/crud_test.go b/internal/crud/crud_test.go index 25ffdfad..33817c44 100644 --- a/internal/crud/crud_test.go +++ b/internal/crud/crud_test.go @@ -120,7 +120,7 @@ func TestStorage(t *testing.T) { require.NotEmpty(t, validateSecretName(signature, false)) // signature is not valid secret name as-is data := &testJSON{Data: "create-and-get"} - rv1, err := storage.Create(ctx, signature, data, nil) + rv1, err := storage.Create(ctx, signature, data, nil, nil) require.Empty(t, rv1) // fake client does not set this require.NoError(t, err) 
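Review bot: The reordering in `toSecret` now assigns `labelsToAdd[SecretLabelKey] = s.resource` after the `additionalLabels` loop, so a caller can no longer overwrite the storage-type label, but the code does not say this is intentional and a later tidy-up could fold the two back into one map literal. Suggest extending the trailing comment: `labelsToAdd[SecretLabelKey] = s.resource // set last so additionalLabels cannot override the storage type label; also makes it easier to find this stuff via kubectl`. The second hunk on this line passes `ownerReferences` straight into `ObjectMeta`, which is consistent with `Update` passing nil and then restoring the existing references from the stored Secret. `toSecret`'s body continues past the end of the first hunk.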
@@ -180,14 +180,14 @@ func TestStorage(t *testing.T) { mocks: nil, run: func(t *testing.T, storage Storage, fakeClock *clocktesting.FakeClock) error { data := &testJSON{Data: "create1"} - rv1, err := storage.Create(ctx, "sig1", data, nil) + rv1, err := storage.Create(ctx, "sig1", data, nil, nil) require.Empty(t, rv1) // fake client does not set this require.NoError(t, err) fakeClock.Step(42 * time.Minute) // simulate that a known amount of time has passed data = &testJSON{Data: "create2"} - rv1, err = storage.Create(ctx, "sig2", data, nil) + rv1, err = storage.Create(ctx, "sig2", data, nil, nil) require.Empty(t, rv1) // fake client does not set this require.NoError(t, err) @@ -279,7 +279,7 @@ func TestStorage(t *testing.T) { require.NotEmpty(t, validateSecretName(signature, false)) // signature is not valid secret name as-is data := &testJSON{Data: "create-and-get"} - rv1, err := storage.Create(ctx, signature, data, map[string]string{"label1": "value1", "label2": "value2"}) + rv1, err := storage.Create(ctx, signature, data, map[string]string{"label1": "value1", "label2": "value2"}, nil) require.Empty(t, rv1) // fake client does not set this require.NoError(t, err) @@ -456,6 +456,7 @@ func TestStorage(t *testing.T) { return nil }, wantActions: []coretesting.Action{ + coretesting.NewGetAction(secretsGVR, namespace, "pinniped-storage-stores-4wssc5gzt5mlln6iux6gl7hzz3klsirisydaxn7indnpvdnrs5ba"), coretesting.NewGetAction(secretsGVR, namespace, "pinniped-storage-stores-4wssc5gzt5mlln6iux6gl7hzz3klsirisydaxn7indnpvdnrs5ba"), coretesting.NewUpdateAction(secretsGVR, namespace, &corev1.Secret{ ObjectMeta: metav1.ObjectMeta{ 
@@ -1026,7 +1027,7 @@ func TestStorage(t *testing.T) { require.NotEmpty(t, validateSecretName(signature, false)) // signature is not valid secret name as-is data := &testJSON{Data: "create-and-get"} - rv1, err := storage.Create(ctx, signature, data, nil) + rv1, err := storage.Create(ctx, signature, data, nil, nil) require.Empty(t, rv1) // fake client does not set this require.NoError(t, err) diff --git a/internal/fositestorage/accesstoken/accesstoken.go b/internal/fositestorage/accesstoken/accesstoken.go index 606b75d2..d897da4c 100644 --- a/internal/fositestorage/accesstoken/accesstoken.go +++ b/internal/fositestorage/accesstoken/accesstoken.go @@ -85,6 +85,7 @@ func (a *accessTokenStorage) CreateAccessTokenSession(ctx context.Context, signa signature, &Session{Request: request, Version: accessTokenStorageVersion}, map[string]string{fositestorage.StorageRequestIDLabelName: requester.GetID()}, + nil, ) return err } diff --git a/internal/fositestorage/authorizationcode/authorizationcode.go b/internal/fositestorage/authorizationcode/authorizationcode.go index 562980f4..0185baf1 100644 --- a/internal/fositestorage/authorizationcode/authorizationcode.go +++ b/internal/fositestorage/authorizationcode/authorizationcode.go @@ -89,7 +89,7 @@ func (a *authorizeCodeStorage) CreateAuthorizeCodeSession(ctx context.Context, s // of the consent authorization request. It is used to identify the session. // signature for lookup in the DB - _, err = a.storage.Create(ctx, signature, &Session{Active: true, Request: request, Version: authorizeCodeStorageVersion}, nil) + _, err = a.storage.Create(ctx, signature, &Session{Active: true, Request: request, Version: authorizeCodeStorageVersion}, nil, nil) return err } diff --git a/internal/fositestorage/authorizationcode/authorizationcode_test.go b/internal/fositestorage/authorizationcode/authorizationcode_test.go index 9e2fbe4a..68d4c01e 100644 --- a/internal/fositestorage/authorizationcode/authorizationcode_test.go 
+++ b/internal/fositestorage/authorizationcode/authorizationcode_test.go @@ -72,6 +72,7 @@ func TestAuthorizationCodeStorage(t *testing.T) { }), kubetesting.NewGetAction(secretsGVR, namespace, "pinniped-storage-authcode-pwu5zs7lekbhnln2w4"), kubetesting.NewGetAction(secretsGVR, namespace, "pinniped-storage-authcode-pwu5zs7lekbhnln2w4"), + kubetesting.NewGetAction(secretsGVR, namespace, "pinniped-storage-authcode-pwu5zs7lekbhnln2w4"), kubetesting.NewUpdateAction(secretsGVR, namespace, &corev1.Secret{ ObjectMeta: metav1.ObjectMeta{ Name: "pinniped-storage-authcode-pwu5zs7lekbhnln2w4", @@ -134,7 +135,7 @@ func TestAuthorizationCodeStorage(t *testing.T) { require.NoError(t, err) testutil.LogActualJSONFromCreateAction(t, client, 0) // makes it easier to update expected values when needed - testutil.LogActualJSONFromUpdateAction(t, client, 3) // makes it easier to update expected values when needed + testutil.LogActualJSONFromUpdateAction(t, client, 4) // makes it easier to update expected values when needed require.Equal(t, wantActions, client.Actions()) // Doing a Get on an invalidated session should still return the session, but also return an error. diff --git a/internal/fositestorage/openidconnect/openidconnect.go b/internal/fositestorage/openidconnect/openidconnect.go index 605ac523..6be3c862 100644 --- a/internal/fositestorage/openidconnect/openidconnect.go +++ b/internal/fositestorage/openidconnect/openidconnect.go @@ -60,7 +60,7 @@ func (a *openIDConnectRequestStorage) CreateOpenIDConnectSession(ctx context.Con return err } - _, err = a.storage.Create(ctx, signature, &session{Request: request, Version: oidcStorageVersion}, nil) + _, err = a.storage.Create(ctx, signature, &session{Request: request, Version: oidcStorageVersion}, nil, nil) return err } diff --git a/internal/fositestorage/pkce/pkce.go b/internal/fositestorage/pkce/pkce.go index f84b01da..e150cae1 100644 --- a/internal/fositestorage/pkce/pkce.go +++ b/internal/fositestorage/pkce/pkce.go 
@@ -53,7 +53,7 @@ func (a *pkceStorage) CreatePKCERequestSession(ctx context.Context, signature st return err } - _, err = a.storage.Create(ctx, signature, &session{Request: request, Version: pkceStorageVersion}, nil) + _, err = a.storage.Create(ctx, signature, &session{Request: request, Version: pkceStorageVersion}, nil, nil) return err } diff --git a/internal/fositestorage/refreshtoken/refreshtoken.go b/internal/fositestorage/refreshtoken/refreshtoken.go index 7f1147fb..d36d23c1 100644 --- a/internal/fositestorage/refreshtoken/refreshtoken.go +++ b/internal/fositestorage/refreshtoken/refreshtoken.go @@ -91,6 +91,7 @@ func (a *refreshTokenStorage) CreateRefreshTokenSession(ctx context.Context, sig signature, &Session{Request: request, Version: refreshTokenStorageVersion}, map[string]string{fositestorage.StorageRequestIDLabelName: requester.GetID()}, + nil, ) return err } diff --git a/internal/oidc/clientregistry/clientregistry_test.go b/internal/oidc/clientregistry/clientregistry_test.go index 5367d511..03651421 100644 --- a/internal/oidc/clientregistry/clientregistry_test.go +++ b/internal/oidc/clientregistry/clientregistry_test.go @@ -237,7 +237,7 @@ func TestClientManager(t *testing.T) { oidcClientsClient := supervisorClient.ConfigV1alpha1().OIDCClients(testNamespace) subject := NewClientManager( oidcClientsClient, - oidcclientsecretstorage.New(secrets, time.Now), + oidcclientsecretstorage.New(secrets), oidcclientvalidator.DefaultMinBcryptCost, ) diff --git a/internal/oidc/kube_storage.go b/internal/oidc/kube_storage.go index 529a5f6e..a197335e 100644 --- a/internal/oidc/kube_storage.go +++ b/internal/oidc/kube_storage.go 
@@ -43,7 +43,7 @@ func NewKubeStorage( ) *KubeStorage { nowFunc := time.Now return &KubeStorage{ - clientManager: clientregistry.NewClientManager(oidcClientsClient, oidcclientsecretstorage.New(secrets, nowFunc), minBcryptCost), + clientManager: clientregistry.NewClientManager(oidcClientsClient, oidcclientsecretstorage.New(secrets), minBcryptCost), authorizationCodeStorage: authorizationcode.New(secrets, nowFunc, timeoutsConfiguration.AuthorizationCodeSessionStorageLifetime), pkceStorage: pkce.New(secrets, nowFunc, timeoutsConfiguration.PKCESessionStorageLifetime), oidcStorage: openidconnect.New(secrets, nowFunc, timeoutsConfiguration.OIDCSessionStorageLifetime), diff --git a/internal/oidc/nullstorage.go b/internal/oidc/nullstorage.go index c6025a0c..61476f81 100644 --- a/internal/oidc/nullstorage.go +++ b/internal/oidc/nullstorage.go @@ -5,7 +5,6 @@ package oidc import ( "context" - "time" "github.com/ory/fosite" corev1client "k8s.io/client-go/kubernetes/typed/core/v1" @@ -32,7 +31,7 @@ func NewNullStorage( minBcryptCost int, ) *NullStorage { return &NullStorage{ - ClientManager: clientregistry.NewClientManager(oidcClientsClient, oidcclientsecretstorage.New(secrets, time.Now), minBcryptCost), + ClientManager: clientregistry.NewClientManager(oidcClientsClient, oidcclientsecretstorage.New(secrets), minBcryptCost), } } diff --git a/internal/oidc/oidcclientvalidator/oidcclientvalidator.go b/internal/oidc/oidcclientvalidator/oidcclientvalidator.go index fd09894c..ab16fef3 100644 --- a/internal/oidc/oidcclientvalidator/oidcclientvalidator.go +++ b/internal/oidc/oidcclientvalidator/oidcclientvalidator.go 
@@ -145,7 +145,7 @@ func validateSecret(secret *v1.Secret, conditions []*v1alpha1.Condition, minBcry return conditions, emptyList } - storedClientSecret, err := oidcclientsecretstorage.ReadFromSecret(secret) + storedClientSecrets, err := oidcclientsecretstorage.ReadFromSecret(secret) if err != nil { // Invalid: storage Secret exists but its data could not be parsed. conditions = append(conditions, &v1alpha1.Condition{ @@ -158,7 +158,7 @@ func validateSecret(secret *v1.Secret, conditions []*v1alpha1.Condition, minBcry } // Successfully read the stored client secrets, so check if there are any stored in the list. - storedClientSecretsCount := len(storedClientSecret.SecretHashes) + storedClientSecretsCount := len(storedClientSecrets) if storedClientSecretsCount == 0 { // Invalid: no client secrets stored. conditions = append(conditions, &v1alpha1.Condition{ @@ -172,7 +172,7 @@ func validateSecret(secret *v1.Secret, conditions []*v1alpha1.Condition, minBcry // Check each hashed password's format and bcrypt cost. bcryptErrs := make([]string, 0, storedClientSecretsCount) - for i, p := range storedClientSecret.SecretHashes { + for i, p := range storedClientSecrets { cost, err := bcrypt.Cost([]byte(p)) if err != nil { bcryptErrs = append(bcryptErrs, fmt.Sprintf( @@ -203,7 +203,7 @@ func validateSecret(secret *v1.Secret, conditions []*v1alpha1.Condition, minBcry Reason: reasonSuccess, Message: fmt.Sprintf("%d client secret(s) found", storedClientSecretsCount), }) - return conditions, storedClientSecret.SecretHashes + return conditions, storedClientSecrets } func allowedGrantTypesContains(haystack *v1alpha1.OIDCClient, needle string) bool { diff --git a/internal/oidc/provider/manager/manager_test.go b/internal/oidc/provider/manager/manager_test.go index 46039731..9f407b25 100644 --- a/internal/oidc/provider/manager/manager_test.go +++ b/internal/oidc/provider/manager/manager_test.go 
@@ -217,7 +217,7 @@ func TestManager(t *testing.T) { oidctestutil.VerifyECDSAIDToken(t, jwkIssuer, downstreamClientID, privateKey, idToken) // Make sure that we wired up the callback endpoint to use kube storage for fosite sessions. - r.Equal(len(kubeClient.Actions()), numberOfKubeActionsBeforeThisRequest+8, + r.Equal(len(kubeClient.Actions()), numberOfKubeActionsBeforeThisRequest+9, "did not perform any kube actions during the callback request, but should have") } diff --git a/internal/oidcclientsecretstorage/oidcclientsecretstorage.go b/internal/oidcclientsecretstorage/oidcclientsecretstorage.go index 7bec307e..b8eeaf78 100644 --- a/internal/oidcclientsecretstorage/oidcclientsecretstorage.go +++ b/internal/oidcclientsecretstorage/oidcclientsecretstorage.go @@ -7,7 +7,6 @@ import ( "context" "encoding/base64" "fmt" - "time" corev1 "k8s.io/api/core/v1" "k8s.io/apimachinery/pkg/api/errors" @@ -15,6 +14,7 @@ import ( "k8s.io/apimachinery/pkg/types" corev1client "k8s.io/client-go/kubernetes/typed/core/v1" + configv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/config/v1alpha1" "go.pinniped.dev/internal/constable" "go.pinniped.dev/internal/crud" ) @@ -32,9 +32,9 @@ type OIDCClientSecretStorage struct { secrets corev1client.SecretInterface } -// StoredClientSecret defines the format of the content of a client's secrets when stored in a Secret +// storedClientSecret defines the format of the content of a client's secrets when stored in a Secret // as a JSON string value. -type StoredClientSecret struct { +type storedClientSecret struct { // List of bcrypt hashes. SecretHashes []string `json:"hashes"` // The format version. Take care when updating. We cannot simply bump the storage version and drop/ignore old data. 
@@ -42,14 +42,55 @@ type StoredClientSecret struct { Version string `json:"version"` } -func New(secrets corev1client.SecretInterface, clock func() time.Time) *OIDCClientSecretStorage { +func New(secrets corev1client.SecretInterface) *OIDCClientSecretStorage { return &OIDCClientSecretStorage{ - storage: crud.New(TypeLabelValue, secrets, clock, 0), + storage: crud.New(TypeLabelValue, secrets, nil, 0), // can use nil clock because we are using infinite lifetime secrets: secrets, } } -// TODO expose other methods as needed for get, create, update, etc. +func (s *OIDCClientSecretStorage) Get(ctx context.Context, oidcClientUID types.UID) (string, []string, error) { + secret := &storedClientSecret{} + rv, err := s.storage.Get(ctx, uidToName(oidcClientUID), secret) + if errors.IsNotFound(err) { + return "", nil, nil + } + if err != nil { + return "", nil, fmt.Errorf("failed to get client secret for uid %s: %w", oidcClientUID, err) + } + + return rv, secret.SecretHashes, nil +} + +func (s *OIDCClientSecretStorage) Set(ctx context.Context, resourceVersion, oidcClientName string, oidcClientUID types.UID, secretHashes []string) error { + secret := &storedClientSecret{ + SecretHashes: secretHashes, + Version: oidcClientSecretStorageVersion, + } + name := uidToName(oidcClientUID) + + if mustBeCreate := len(resourceVersion) == 0; mustBeCreate { + ownerReferences := []metav1.OwnerReference{ + { + APIVersion: configv1alpha1.SchemeGroupVersion.String(), + Kind: "OIDCClient", + Name: oidcClientName, + UID: oidcClientUID, + Controller: nil, // TODO should this be true? 
+ BlockOwnerDeletion: nil, + }, + } + if _, err := s.storage.Create(ctx, name, secret, nil, ownerReferences); err != nil { + return fmt.Errorf("failed to create client secret for uid %s: %w", oidcClientUID, err) + } + return nil + } + + if _, err := s.storage.Update(ctx, name, resourceVersion, secret); err != nil { + return fmt.Errorf("failed to update client secret for uid %s: %w", oidcClientUID, err) + } + return nil +} // GetStorageSecret gets the corev1.Secret which is used to store the client secrets for the given client. // Returns nil,nil when the corev1.Secret was not found, as this is not an error for a client to not have any secrets yet. 
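Review bot: Get and Set are exported but carry no doc comment, and Get's not-found contract (empty resourceVersion, nil hashes, nil error) is described only at its caller in rest.go; add `// Get returns the storage Secret's resourceVersion and the stored bcrypt hashes for the given OIDCClient UID. A missing Secret is not an error and yields "", nil, nil.` above Get, and a comment on Set stating that an empty resourceVersion means create and a non-empty one means an optimistic-concurrency update whose conflict the caller must handle. The `Controller: nil // TODO should this be true?` can be resolved now: garbage collection of the Secret when its OIDCClient is deleted depends only on the ownerReference being present, not on the controller flag, so nil is adequate unless another controller must be able to claim the Secret. The `crud.New(TypeLabelValue, secrets, nil, 0)` call assumes the clock is consulted only for lifetime handling; if crud stamps a timestamp on create or update, the nil func would be called at the first Set, so that assumption is worth confirming or covering with a test.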
@@ -66,21 +107,24 @@ func (s *OIDCClientSecretStorage) GetStorageSecret(ctx context.Context, oidcClie // GetName returns the name of the Secret which would be used to store data for the given signature. func (s *OIDCClientSecretStorage) GetName(oidcClientUID types.UID) string { - // Avoid having s.storage.GetName() base64 decode something that wasn't ever encoded by encoding it here. - b64encodedUID := base64.RawURLEncoding.EncodeToString([]byte(oidcClientUID)) - return s.storage.GetName(b64encodedUID) + return s.storage.GetName(uidToName(oidcClientUID)) } -// ReadFromSecret reads the contents of a Secret as a StoredClientSecret. -func ReadFromSecret(secret *corev1.Secret) (*StoredClientSecret, error) { - storedClientSecret := &StoredClientSecret{} - err := crud.FromSecret(TypeLabelValue, secret, storedClientSecret) +func uidToName(oidcClientUID types.UID) string { + // Avoid having s.storage.GetName() base64 decode something that wasn't ever encoded by encoding it here. + return base64.RawURLEncoding.EncodeToString([]byte(oidcClientUID)) +} + +// ReadFromSecret reads the contents of a Secret as a storedClientSecret and returns the associated hashes. +func ReadFromSecret(secret *corev1.Secret) ([]string, error) { + clientSecret := &storedClientSecret{} + err := crud.FromSecret(TypeLabelValue, secret, clientSecret) if err != nil { return nil, err } - if storedClientSecret.Version != oidcClientSecretStorageVersion { + if clientSecret.Version != oidcClientSecretStorageVersion { return nil, fmt.Errorf("%w: OIDC client secret storage has version %s instead of %s", - ErrOIDCClientSecretStorageVersion, storedClientSecret.Version, oidcClientSecretStorageVersion) + ErrOIDCClientSecretStorageVersion, clientSecret.Version, oidcClientSecretStorageVersion) } - return storedClientSecret, nil + return clientSecret.SecretHashes, nil } 
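Review bot: The comment inside the new package-level uidToName still reads "Avoid having s.storage.GetName() base64 decode ...", but there is no `s` in scope of a free function; reword it to `// Base64-encode the UID so that storage.GetName(), which decodes its input, never receives a value that was not encoded.` so it reads correctly from both GetName and Set. ReadFromSecret's doc comment could also state that it validates the storage version and returns ErrOIDCClientSecretStorageVersion on a mismatch, since that is the only error callers are expected to distinguish.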
diff --git a/internal/oidcclientsecretstorage/oidcclientsecretstorage_test.go b/internal/oidcclientsecretstorage/oidcclientsecretstorage_test.go index 09ff908c..3092e53e 100644 --- a/internal/oidcclientsecretstorage/oidcclientsecretstorage_test.go +++ b/internal/oidcclientsecretstorage/oidcclientsecretstorage_test.go @@ -15,7 +15,7 @@ import ( func TestGetName(t *testing.T) { // Note that GetName() should not depend on the constructor params, to make it easier to use in various contexts. - subject := New(nil, nil) + subject := New(nil) require.Equal(t, "pinniped-storage-oidc-client-secret-onxw2zjnmv4gc3lqnrss25ljmqyq", @@ -30,7 +30,7 @@ func TestReadFromSecret(t *testing.T) { tests := []struct { name string secret *corev1.Secret - wantStored *StoredClientSecret + wantHashes []string wantErr string }{ { @@ -49,10 +49,7 @@ func TestReadFromSecret(t *testing.T) { }, Type: "storage.pinniped.dev/oidc-client-secret", }, - wantStored: &StoredClientSecret{ - Version: "1", - SecretHashes: []string{"first-hash", "second-hash"}, - }, + wantHashes: []string{"first-hash", "second-hash"}, }, { name: "wrong secret type", 
@@ -113,20 +110,14 @@ func TestReadFromSecret(t *testing.T) { secret: testutil.OIDCClientSecretStorageSecretForUID(t, "some-namespace", "some-uid", []string{"first-hash", "second-hash"}, ), - wantStored: &StoredClientSecret{ - Version: "1", - SecretHashes: []string{"first-hash", "second-hash"}, - }, + wantHashes: []string{"first-hash", "second-hash"}, }, { name: "OIDCClientSecretStorageSecretWithoutName() test helper generates readable format, to ensure that test helpers are kept up to date", secret: testutil.OIDCClientSecretStorageSecretWithoutName(t, "some-namespace", []string{"first-hash", "second-hash"}, ), - wantStored: &StoredClientSecret{ - Version: "1", - SecretHashes: []string{"first-hash", "second-hash"}, - }, + wantHashes: []string{"first-hash", "second-hash"}, }, { name: "OIDCClientSecretStorageSecretForUIDWithWrongVersion() test helper generates readable format, to ensure that test helpers are kept up to date", @@ -139,13 +130,13 @@ func TestReadFromSecret(t *testing.T) { tt := tt t.Run(tt.name, func(t *testing.T) { t.Parallel() - session, err := ReadFromSecret(tt.secret) + hashes, err := ReadFromSecret(tt.secret) if tt.wantErr == "" { require.NoError(t, err) - require.Equal(t, tt.wantStored, session) + require.Equal(t, tt.wantHashes, hashes) } else { require.EqualError(t, err, tt.wantErr) - require.Nil(t, session) + require.Nil(t, hashes) } }) } diff --git a/internal/registry/clientsecretrequest/rest.go b/internal/registry/clientsecretrequest/rest.go index 03b245e1..b049aaa7 100644 --- a/internal/registry/clientsecretrequest/rest.go +++ b/internal/registry/clientsecretrequest/rest.go 
@@ -6,27 +6,76 @@ package clientsecretrequest import ( "context" + "crypto/rand" + "encoding/hex" "fmt" + "io" + "strings" + "golang.org/x/crypto/bcrypt" + apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1" + "k8s.io/apiextensions-apiserver/pkg/registry/customresource/tableconvertor" apierrors "k8s.io/apimachinery/pkg/api/errors" + "k8s.io/apimachinery/pkg/api/meta" + genericvalidation "k8s.io/apimachinery/pkg/api/validation" + "k8s.io/apimachinery/pkg/api/validation/path" metainternalversion "k8s.io/apimachinery/pkg/apis/meta/internalversion" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/runtime/schema" + "k8s.io/apimachinery/pkg/util/validation/field" + genericapirequest "k8s.io/apiserver/pkg/endpoints/request" "k8s.io/apiserver/pkg/registry/rest" + corev1client "k8s.io/client-go/kubernetes/typed/core/v1" "k8s.io/utils/trace" clientsecretapi "go.pinniped.dev/generated/latest/apis/supervisor/clientsecret" + configv1alpha1clientset "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned/typed/config/v1alpha1" + "go.pinniped.dev/internal/oidcclientsecretstorage" ) -func NewREST(resource schema.GroupResource) *REST { +// cost is a good bcrypt cost for 2022, should take about 250 ms to validate. +// This value is expected to be increased over time to match CPU improvements. 
+const cost = 12 + +// nolint: gochecknoglobals +var tableConvertor = func() rest.TableConvertor { + // sadly this is not useful at the moment because `kubectl create` does not support table output + columns := []apiextensionsv1.CustomResourceColumnDefinition{ + { + Name: "Secret", + Type: "string", + Description: "", // TODO generate SwaggerDoc() method to fill this field + JSONPath: ".status.generatedSecret", + }, + { + Name: "Total", + Type: "integer", + Description: "", // TODO generate SwaggerDoc() method to fill this field + JSONPath: ".status.totalClientSecrets", + }, + } + tc, err := tableconvertor.New(columns) // just re-use the CRD table code so we do not have to implement the interface ourselves + if err != nil { + panic(err) // inputs are static so this should never happen + } + return tc +}() + +func NewREST(secrets corev1client.SecretInterface, clients configv1alpha1clientset.OIDCClientInterface, namespace string) *REST { return &REST{ - tableConvertor: rest.NewDefaultTableConvertor(resource), + secretStorage: oidcclientsecretstorage.New(secrets), + clients: clients, + namespace: namespace, + rand: rand.Reader, } } type REST struct { - tableConvertor rest.TableConvertor + secretStorage *oidcclientsecretstorage.OIDCClientSecretStorage + clients configv1alpha1clientset.OIDCClientInterface + namespace string + rand io.Reader } // Assert that our *REST implements all the optional interfaces that we expect it to implement. @@ -50,6 +99,8 @@ func (*REST) NewList() runtime.Object { return &clientsecretapi.OIDCClientSecretRequestList{} } +// List implements the list verb. Support the list verb to support `kubectl get pinniped`, to make sure all resources +// are in the pinniped category, and avoid kubectl errors when kubectl lists. func (*REST) List(_ context.Context, _ *metainternalversion.ListOptions) (runtime.Object, error) { return &clientsecretapi.OIDCClientSecretRequestList{ ListMeta: metav1.ListMeta{ 
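Review bot: `const cost = 12` is a second, independent source of truth for bcrypt cost: the validator in oidcclientvalidator.go checks stored hashes against a `minBcryptCost` that is threaded through NewKubeStorage and NewNullStorage, and nothing ties the two together. If the minimum is ever raised above 12, secrets generated here would immediately be reported invalid, so either derive both from one shared constant or extend the comment to `// cost must stay >= the minBcryptCost enforced by oidcclientvalidator, otherwise freshly generated secrets fail validation.` The `rand io.Reader` field initialised to `crypto/rand.Reader` is the right default and makes the generator testable; a one-line field comment saying it must be a cryptographically secure source would prevent a test double from leaking into production wiring.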
@@ -60,7 +111,7 @@ func (*REST) List(_ context.Context, _ *metainternalversion.ListOptions) (runtim } func (r *REST) ConvertToTable(ctx context.Context, obj runtime.Object, tableOptions runtime.Object) (*metav1.Table, error) { - return r.tableConvertor.ConvertToTable(ctx, obj, tableOptions) + return tableConvertor.ConvertToTable(ctx, obj, tableOptions) } func (*REST) NamespaceScoped() bool { 
@@ -72,32 +123,162 @@ func (*REST) Categories() []string { } func (r *REST) Create(ctx context.Context, obj runtime.Object, createValidation rest.ValidateObjectFunc, options *metav1.CreateOptions) (runtime.Object, error) { - t := trace.FromContext(ctx).Nest("create", trace.Field{ - Key: "kind", - Value: "OIDCClientSecretRequest", - }) + t := trace.FromContext(ctx).Nest("create", + trace.Field{Key: "kind", Value: "OIDCClientSecretRequest"}, + trace.Field{Key: "metadata.name", Value: name(obj)}, + ) defer t.Log() - _, err := validateRequest(obj, t) + // Validate the create request before honoring it. + req, err := r.validateRequest(ctx, obj, createValidation, options, t) if err != nil { return nil, err } + t.Step("validateRequest") + // Find the specified OIDCClient. + oidcClient, err := r.clients.Get(ctx, req.Name, metav1.GetOptions{}) + if err != nil { + if apierrors.IsNotFound(err) { + traceValidationFailure(t, fmt.Sprintf("client %q does not exist", req.Name)) + errs := field.ErrorList{field.NotFound(field.NewPath("metadata", "name"), req.Name)} + return nil, apierrors.NewInvalid(kindFromContext(ctx), req.Name, errs) + } + traceFailureWithError(t, "clients.Get", err) + return nil, apierrors.NewInternalError(fmt.Errorf("getting client %q failed", req.Name)) + } + t.Step("clients.Get") + + // Using the OIDCClient's UID, check to see if the storage Secret for its client secrets already exists. + // Note that when it does not exist, this Get() function will not return an error, and will return nil rv and hashes. + rv, hashes, err := r.secretStorage.Get(ctx, oidcClient.UID) + if err != nil { + traceFailureWithError(t, "secretStorage.Get", err) + return nil, apierrors.NewInternalError(fmt.Errorf("getting secret for client %q failed", req.Name)) + } + t.Step("secretStorage.Get") + + // If requested, generate a new client secret and add it to the list. 
+ var secret string + if req.Spec.GenerateNewSecret { + secret, err = generateSecret(r.rand) + if err != nil { + traceFailureWithError(t, "generateSecret", err) + return nil, apierrors.NewInternalError(fmt.Errorf("client secret generation failed")) + } + t.Step("generateSecret") + + hash, err := bcrypt.GenerateFromPassword([]byte(secret), cost) + if err != nil { + traceFailureWithError(t, "bcrypt.GenerateFromPassword", err) + return nil, apierrors.NewInternalError(fmt.Errorf("hash generation failed")) + } + t.Step("bcrypt.GenerateFromPassword") + + hashes = append([]string{string(hash)}, hashes...) + } + + // If requested, remove all client secrets except for the most recent one. + needsRevoke := req.Spec.RevokeOldSecrets && len(hashes) > 0 + if needsRevoke { + hashes = []string{hashes[0]} + } + + // If anything was requested to change... + if req.Spec.GenerateNewSecret || needsRevoke { + // Each bcrypt comparison is expensive, and we do not want a large list to cause wasted CPU. + if len(hashes) > 5 { + return nil, apierrors.NewRequestEntityTooLargeError( + fmt.Sprintf("OIDCClient %s has too many secrets, spec.revokeOldSecrets must be true", oidcClient.Name)) + } + + // Create or update the storage Secret for client secrets. + if err := r.secretStorage.Set(ctx, rv, oidcClient.Name, oidcClient.UID, hashes); err != nil { + if apierrors.IsAlreadyExists(err) || apierrors.IsConflict(err) { + return nil, apierrors.NewConflict(qualifiedResourceFromContext(ctx), req.Name, + fmt.Errorf("multiple concurrent secret generation requests for same client")) + } + + traceFailureWithError(t, "secretStorage.Set", err) + return nil, apierrors.NewInternalError(fmt.Errorf("setting client secret failed")) + } + t.Step("secretStorage.Set") + } + + // Return the new secret in plaintext, if one was generated, along with the total number of secrets. 
return &clientsecretapi.OIDCClientSecretRequest{ Status: clientsecretapi.OIDCClientSecretRequestStatus{ - GeneratedSecret: "not-a-real-secret", - TotalClientSecrets: 20, + GeneratedSecret: secret, + TotalClientSecrets: len(hashes), }, }, nil } -func validateRequest(obj runtime.Object, t *trace.Trace) (*clientsecretapi.OIDCClientSecretRequest, error) { +func (r *REST) validateRequest( + ctx context.Context, + obj runtime.Object, + createValidation rest.ValidateObjectFunc, + options *metav1.CreateOptions, + t *trace.Trace, +) (*clientsecretapi.OIDCClientSecretRequest, error) { clientSecretRequest, ok := obj.(*clientsecretapi.OIDCClientSecretRequest) if !ok { traceValidationFailure(t, "not an OIDCClientSecretRequest") return nil, apierrors.NewBadRequest(fmt.Sprintf("not an OIDCClientSecretRequest: %#v", obj)) } + // Ensure namespace on the object is correct, or error if a conflicting namespace was set in the object. + requestNamespace, ok := genericapirequest.NamespaceFrom(ctx) + if !ok { + return nil, apierrors.NewInternalError(fmt.Errorf("no namespace information found in request context")) + } + if err := rest.EnsureObjectNamespaceMatchesRequestNamespace(requestNamespace, clientSecretRequest); err != nil { + return nil, err + } + // Making client secrets outside the supervisor's namespace does not make sense. 
+ if requestNamespace != r.namespace { + msg := fmt.Sprintf("namespace must be %s on OIDCClientSecretRequest, was %s", r.namespace, requestNamespace) + traceValidationFailure(t, msg) + return nil, apierrors.NewBadRequest(msg) + } + + if errs := genericvalidation.ValidateObjectMetaAccessor( + clientSecretRequest, + true, + func(name string, prefix bool) []string { + if prefix { + return []string{"generateName is not supported"} + } + var errs []string + if name == "client.oauth.pinniped.dev-" { + errs = append(errs, `must not equal 'client.oauth.pinniped.dev-'`) + } + if !strings.HasPrefix(name, "client.oauth.pinniped.dev-") { + errs = append(errs, `must start with 'client.oauth.pinniped.dev-'`) + } + return append(errs, path.IsValidPathSegmentName(name)...) + }, + field.NewPath("metadata"), + ); len(errs) > 0 { + return nil, apierrors.NewInvalid(kindFromContext(ctx), clientSecretRequest.Name, errs) + } + + // just a sanity check, not sure how to honor a dry run on a virtual API + if options != nil { + if len(options.DryRun) != 0 { + traceValidationFailure(t, "dryRun not supported") + errs := field.ErrorList{field.NotSupported(field.NewPath("dryRun"), options.DryRun, nil)} + return nil, apierrors.NewInvalid(kindFromContext(ctx), clientSecretRequest.Name, errs) + } + } + + if createValidation != nil { + if err := createValidation(ctx, obj.DeepCopyObject()); err != nil { + traceFailureWithError(t, "validation webhook", err) + return nil, err + } + } + return clientSecretRequest, nil } 
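Review bot: The `len(hashes) > 5` bound in Create is evaluated after `bcrypt.GenerateFromPassword` has already run, so a request that is going to be rejected with 413 still pays a full cost-12 hash, which the constant's own comment estimates at about 250 ms; checking the bound before generating, `if req.Spec.GenerateNewSecret && !req.Spec.RevokeOldSecrets && len(hashes) >= 5 { return nil, apierrors.NewRequestEntityTooLargeError(...) }`, is equivalent (revoking always leaves at most one hash) and keeps the rejection path cheap, and the literal 5 deserves a named constant such as `maxClientSecrets`. The response intentionally returns the plaintext secret exactly once, so a comment on the `GeneratedSecret: secret` line noting that only the bcrypt hash is persisted would make that contract explicit. The hash is computed over the 64-character hex string from generateSecret, which stays under bcrypt's 72-byte input limit; stating that next to the hashing call means a future change to the secret length is checked against it. Create's enclosing function starts on this hunk but validateRequest's closing brace is the hunk's last line, so the helper functions it calls are reviewed in the following hunk.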
@@ -107,3 +288,42 @@ func traceValidationFailure(t *trace.Trace, msg string) { trace.Field{Key: "msg", Value: msg}, ) } + +func traceFailureWithError(t *trace.Trace, failureType string, err error) { + t.Step("failure", + trace.Field{Key: "failureType", Value: failureType}, + trace.Field{Key: "msg", Value: err.Error()}, + ) +} + +func generateSecret(rand io.Reader) (string, error) { + var buf [32]byte + if _, err := io.ReadFull(rand, buf[:]); err != nil { + return "", fmt.Errorf("could not generate client secret: %w", err) + } + return hex.EncodeToString(buf[:]), nil +} + +func name(obj runtime.Object) string { + accessor, err := meta.Accessor(obj) + if err != nil { + return "" + } + return accessor.GetName() +} + +func qualifiedResourceFromContext(ctx context.Context) schema.GroupResource { + if info, ok := genericapirequest.RequestInfoFrom(ctx); ok { + return schema.GroupResource{Group: info.APIGroup, Resource: info.Resource} + } + // this should never happen in practice + return clientsecretapi.Resource("oidcclientsecretrequests") +} + +func kindFromContext(ctx context.Context) schema.GroupKind { + if info, ok := genericapirequest.RequestInfoFrom(ctx); ok { + return schema.GroupKind{Group: info.APIGroup, Kind: "OIDCClientSecretRequest"} + } + // this should never happen in practice + return clientsecretapi.Kind("OIDCClientSecretRequest") +} diff --git a/internal/supervisor/apiserver/apiserver.go b/internal/supervisor/apiserver/apiserver.go index 2da90422..9f0cbc52 100644 --- a/internal/supervisor/apiserver/apiserver.go +++ b/internal/supervisor/apiserver/apiserver.go 
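Review bot: generateSecret's parameter is named `rand`, which shadows the `crypto/rand` package imported at the top of this file inside the function body; renaming it, `func generateSecret(r io.Reader) (string, error)`, avoids the shadowing and the reader's natural question of whether the package or the parameter is meant. The new helpers have no doc comments; a one-liner on generateSecret such as `// generateSecret reads 32 bytes (256 bits) from r and returns them hex-encoded, i.e. a 64-character secret.` documents the entropy the secret carries, and qualifiedResourceFromContext and kindFromContext should each say that the fallback value is used only when no RequestInfo is attached to the context.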
@@ -14,8 +14,10 @@ import ( "k8s.io/apimachinery/pkg/util/errors" "k8s.io/apiserver/pkg/registry/rest" genericapiserver "k8s.io/apiserver/pkg/server" + corev1client "k8s.io/client-go/kubernetes/typed/core/v1" "k8s.io/client-go/pkg/version" + configv1alpha1clientset "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned/typed/config/v1alpha1" "go.pinniped.dev/internal/controllerinit" "go.pinniped.dev/internal/plog" "go.pinniped.dev/internal/registry/clientsecretrequest" @@ -31,6 +33,9 @@ type ExtraConfig struct { Scheme *runtime.Scheme NegotiatedSerializer runtime.NegotiatedSerializer ClientSecretSupervisorGroupVersion schema.GroupVersion + Secrets corev1client.SecretInterface + OIDCClients configv1alpha1clientset.OIDCClientInterface + Namespace string } type PinnipedServer struct { @@ -75,7 +80,7 @@ func (c completedConfig) New() (*PinnipedServer, error) { for _, f := range []func() (schema.GroupVersionResource, rest.Storage){ func() (schema.GroupVersionResource, rest.Storage) { clientSecretReqGVR := c.ExtraConfig.ClientSecretSupervisorGroupVersion.WithResource("oidcclientsecretrequests") - clientSecretReqStorage := clientsecretrequest.NewREST(clientSecretReqGVR.GroupResource()) + clientSecretReqStorage := clientsecretrequest.NewREST(c.ExtraConfig.Secrets, c.ExtraConfig.OIDCClients, c.ExtraConfig.Namespace) return clientSecretReqGVR, clientSecretReqStorage }, } { diff --git a/internal/supervisor/server/server.go b/internal/supervisor/server/server.go index 02574854..31d691e2 100644 --- a/internal/supervisor/server/server.go +++ b/internal/supervisor/server/server.go @@ -31,6 +31,7 @@ import ( genericoptions "k8s.io/apiserver/pkg/server/options" kubeinformers "k8s.io/client-go/informers" "k8s.io/client-go/kubernetes" + corev1client "k8s.io/client-go/kubernetes/typed/core/v1" "k8s.io/client-go/pkg/version" "k8s.io/client-go/rest" aggregatorclient "k8s.io/kube-aggregator/pkg/client/clientset_generated/clientset" 
@@ -38,6 +39,7 @@ import ( configv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/config/v1alpha1" pinnipedclientset "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned" + "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned/typed/config/v1alpha1" pinnipedinformers "go.pinniped.dev/generated/latest/client/supervisor/informers/externalversions" "go.pinniped.dev/internal/apiserviceref" "go.pinniped.dev/internal/config/supervisor" @@ -475,6 +477,9 @@ func runSupervisor(ctx context.Context, podInfo *downward.PodInfo, cfg *supervis *cfg.AggregatedAPIServerPort, scheme, clientSecretGV, + clientWithoutLeaderElection.Kubernetes.CoreV1().Secrets(serverInstallationNamespace), + client.PinnipedSupervisor.ConfigV1alpha1().OIDCClients(serverInstallationNamespace), + serverInstallationNamespace, ) if err != nil { return fmt.Errorf("could not configure aggregated API server: %w", err) @@ -568,7 +573,6 @@ func runSupervisor(ctx context.Context, podInfo *downward.PodInfo, cfg *supervis return nil } -// Create a configuration for the aggregated API server. func getAggregatedAPIServerConfig( dynamicCertProvider dynamiccert.Private, buildControllers controllerinit.RunnerBuilder, @@ -576,6 +580,9 @@ func getAggregatedAPIServerConfig( aggregatedAPIServerPort int64, scheme *runtime.Scheme, clientSecretSupervisorGroupVersion schema.GroupVersion, + secrets corev1client.SecretInterface, + oidcClients v1alpha1.OIDCClientInterface, + serverInstallationNamespace string, ) (*apiserver.Config, error) { codecs := serializer.NewCodecFactory(scheme) @@ -620,6 +627,9 @@ func getAggregatedAPIServerConfig( Scheme: scheme, NegotiatedSerializer: codecs, ClientSecretSupervisorGroupVersion: clientSecretSupervisorGroupVersion, + Secrets: secrets, + OIDCClients: oidcClients, + Namespace: serverInstallationNamespace, }, } return apiServerConfig, nil 
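Review bot: In the @@ -38 import hunk the typed clientset package is imported without an alias and used as `v1alpha1.OIDCClientInterface` in getAggregatedAPIServerConfig, while apiserver.go in this same commit aliases the identical package as `configv1alpha1clientset`; importing it here as `configv1alpha1clientset "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned/typed/config/v1alpha1"` keeps the two files consistent and avoids confusion with the `configv1alpha1` API-types alias two lines above. In the @@ -475 hunk the Secrets client is taken from `clientWithoutLeaderElection` while the OIDCClients client is taken from `client`; if that split is deliberate because the REST handler writes Secrets on every request regardless of leadership and only reads OIDCClients, a one-line comment at the call site would save the next reader from asking, and if it is not deliberate both should come from the same client.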
diff --git a/proposals/1125_dynamic-supervisor-oidc-clients/ACCEPTANCE-NOTES.md b/proposals/1125_dynamic-supervisor-oidc-clients/ACCEPTANCE-NOTES.md new file mode 100644 index 00000000..1155d3a1 --- /dev/null +++ b/proposals/1125_dynamic-supervisor-oidc-clients/ACCEPTANCE-NOTES.md @@ -0,0 +1,200 @@ +# Notes for story acceptance for the dynamic clients feature + +Rather than writing a webapp to manually test the dynamic client features during user story acceptance, +we can simulate the requests that a webapp would make to the Supervisor using the commands shown below. +The commands below the happy path for a fully-capable OIDCClient which is allowed to use all supported +grant types and scopes. These commands can be adjusted to test other scenarios of interest. + +## Deploy and configure a basic Supervisor locally + +We can use the developer hack scripts to deploy a working Supervisor on a local Kind cluster. +These clusters have no ingress, so we use Kind's port mapping feature to expose a web proxy outside +the cluster. The proxy can then be used to access the Supervisor. In this setup, the Supervisor's CA +is not trusted by the web browser, however, the curl commands can trust the CA cert by using the `--cacert` flag. + +```shell +./hack/prepare-for-integration-tests.sh -c +source /tmp/integration-test-env +# We'll use LDAP so we can login in via curl commands through the Supervisor. +./hack/prepare-supervisor-on-kind.sh --ldap --flow browser_authcode +``` + +Alternatively, the Supervisor could be installed into a cluster in a more production-like way, with ingress, +a DNS entry, and TLS certs. In this case, the proxy env vars used below would not be needed, and the issuer string +would be adjusted to match the Supervisor's ingress DNS hostname. + +## Create an OIDCClient + +```shell +cat <