Rename secretName to SNICertificateSecretName in OIDCProviderConfig

This commit is contained in:
Ryan Richard 2020-10-26 17:25:45 -07:00
parent 8b7c30cfbd
commit eeb110761e
18 changed files with 200 additions and 88 deletions

View File

@ -31,14 +31,27 @@ type OIDCProviderConfigSpec struct {
// +kubebuilder:validation:MinLength=1
Issuer string `json:"issuer"`
// SecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`,
// SNICertificateSecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`,
// which contains the TLS serving certificate for the HTTPS endpoints served by this OIDC Provider.
// SecretName is required if you would like to use the HTTPS endpoints (e.g. when exposing them outside
// the cluster using a LoadBalancer Service), and is not required when you would like to use only the
// HTTP endpoints (e.g. when terminating TLS at an Ingress). The TLS secret must contain keys named
// `tls.crt` and `tls.key` that contain the certificate and private key to use for TLS.
// When provided, the TLS Secret named here must contain keys named `tls.crt` and `tls.key` that
// contain the certificate and private key to use for TLS.
//
// Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers.
//
// SNICertificateSecretName is required if you would like to use different TLS certificates for
// issuers of different hostnames. SNI requests do not include port numbers, so all issuers with the same
// DNS hostname must use the same SNICertificateSecretName value even if they have different port numbers.
//
// SNICertificateSecretName is not required when you would like to use only the
// HTTP endpoints (e.g. when terminating TLS at an Ingress). It is also not required when you
// would like all requests to this OIDC Provider's HTTPS endpoints to use the default TLS certificate,
// which is configured elsewhere.
//
// When your Issuer URL's host is an IP address, then this field is ignored. SNI does not work
// for IP addresses.
//
// +optional
SecretName string `json:"secretName,omitempty"`
SNICertificateSecretName string `json:"sniCertificateSecretName,omitempty"`
}
// OIDCProviderConfigStatus is a struct that describes the actual state of an OIDC Provider.

View File

@ -49,16 +49,25 @@ spec:
for more information."
minLength: 1
type: string
secretName:
description: SecretName is an optional name of a Secret in the same
namespace, of type `kubernetes.io/tls`, which contains the TLS serving
certificate for the HTTPS endpoints served by this OIDC Provider.
SecretName is required if you would like to use the HTTPS endpoints
(e.g. when exposing them outside the cluster using a LoadBalancer
Service), and is not required when you would like to use only the
HTTP endpoints (e.g. when terminating TLS at an Ingress). The TLS
secret must contain keys named `tls.crt` and `tls.key` that contain
the certificate and private key to use for TLS.
sniCertificateSecretName:
description: "SNICertificateSecretName is an optional name of a Secret
in the same namespace, of type `kubernetes.io/tls`, which contains
the TLS serving certificate for the HTTPS endpoints served by this
OIDC Provider. When provided, the TLS Secret named here must contain
keys named `tls.crt` and `tls.key` that contain the certificate
and private key to use for TLS. \n Server Name Indication (SNI)
is an extension to the Transport Layer Security (TLS) supported
by all major browsers. \n SNICertificateSecretName is required if
you would like to use different TLS certificates for issuers of
different hostnames. SNI requests do not include port numbers, so
all issuers with the same DNS hostname must use the same SNICertificateSecretName
value even if they have different port numbers. \n SNICertificateSecretName
is not required when you would like to use only the HTTP endpoints
(e.g. when terminating TLS at an Ingress). It is also not required
when you would like all requests to this OIDC Provider's HTTPS endpoints
to use the default TLS certificate, which is configured elsewhere.
\n When your Issuer URL's host is an IP address, then this field
is ignored. SNI does not work for IP addresses."
type: string
required:
- issuer

View File

@ -132,7 +132,11 @@ OIDCProviderConfigSpec is a struct that describes an OIDC Provider.
| Field | Description
| *`issuer`* __string__ | Issuer is the OIDC Provider's issuer, per the OIDC Discovery Metadata document, as well as the identifier that it will use for the iss claim in issued JWTs. This field will also be used as the base URL for any endpoints used by the OIDC Provider (e.g., if your issuer is https://example.com/foo, then your authorization endpoint will look like https://example.com/foo/some/path/to/auth/endpoint).
See https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3 for more information.
| *`secretName`* __string__ | SecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains the TLS serving certificate for the HTTPS endpoints served by this OIDC Provider. SecretName is required if you would like to use the HTTPS endpoints (e.g. when exposing them outside the cluster using a LoadBalancer Service), and is not required when you would like to use only the HTTP endpoints (e.g. when terminating TLS at an Ingress). The TLS secret must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use for TLS.
| *`sniCertificateSecretName`* __string__ | SNICertificateSecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains the TLS serving certificate for the HTTPS endpoints served by this OIDC Provider. When provided, the TLS Secret named here must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use for TLS.
Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers.
SNICertificateSecretName is required if you would like to use different TLS certificates for issuers of different hostnames. SNI requests do not include port numbers, so all issuers with the same DNS hostname must use the same SNICertificateSecretName value even if they have different port numbers.
SNICertificateSecretName is not required when you would like to use only the HTTP endpoints (e.g. when terminating TLS at an Ingress). It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to use the default TLS certificate, which is configured elsewhere.
When your Issuer URL's host is an IP address, then this field is ignored. SNI does not work for IP addresses.
|===

View File

@ -31,14 +31,27 @@ type OIDCProviderConfigSpec struct {
// +kubebuilder:validation:MinLength=1
Issuer string `json:"issuer"`
// SecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`,
// SNICertificateSecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`,
// which contains the TLS serving certificate for the HTTPS endpoints served by this OIDC Provider.
// SecretName is required if you would like to use the HTTPS endpoints (e.g. when exposing them outside
// the cluster using a LoadBalancer Service), and is not required when you would like to use only the
// HTTP endpoints (e.g. when terminating TLS at an Ingress). The TLS secret must contain keys named
// `tls.crt` and `tls.key` that contain the certificate and private key to use for TLS.
// When provided, the TLS Secret named here must contain keys named `tls.crt` and `tls.key` that
// contain the certificate and private key to use for TLS.
//
// Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers.
//
// SNICertificateSecretName is required if you would like to use different TLS certificates for
// issuers of different hostnames. SNI requests do not include port numbers, so all issuers with the same
// DNS hostname must use the same SNICertificateSecretName value even if they have different port numbers.
//
// SNICertificateSecretName is not required when you would like to use only the
// HTTP endpoints (e.g. when terminating TLS at an Ingress). It is also not required when you
// would like all requests to this OIDC Provider's HTTPS endpoints to use the default TLS certificate,
// which is configured elsewhere.
//
// When your Issuer URL's host is an IP address, then this field is ignored. SNI does not work
// for IP addresses.
//
// +optional
SecretName string `json:"secretName,omitempty"`
SNICertificateSecretName string `json:"sniCertificateSecretName,omitempty"`
}
// OIDCProviderConfigStatus is a struct that describes the actual state of an OIDC Provider.

View File

@ -397,9 +397,9 @@ func schema_117_apis_config_v1alpha1_OIDCProviderConfigSpec(ref common.Reference
Format: "",
},
},
"secretName": {
"sniCertificateSecretName": {
SchemaProps: spec.SchemaProps{
Description: "SecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains the TLS serving certificate for the HTTPS endpoints served by this OIDC Provider. SecretName is required if you would like to use the HTTPS endpoints (e.g. when exposing them outside the cluster using a LoadBalancer Service), and is not required when you would like to use only the HTTP endpoints (e.g. when terminating TLS at an Ingress). The TLS secret must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use for TLS.",
Description: "SNICertificateSecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains the TLS serving certificate for the HTTPS endpoints served by this OIDC Provider. When provided, the TLS Secret named here must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use for TLS.\n\nServer Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers.\n\nSNICertificateSecretName is required if you would like to use different TLS certificates for issuers of different hostnames. SNI requests do not include port numbers, so all issuers with the same DNS hostname must use the same SNICertificateSecretName value even if they have different port numbers.\n\nSNICertificateSecretName is not required when you would like to use only the HTTP endpoints (e.g. when terminating TLS at an Ingress). It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to use the default TLS certificate, which is configured elsewhere.\n\nWhen your Issuer URL's host is an IP address, then this field is ignored. SNI does not work for IP addresses.",
Type: []string{"string"},
Format: "",
},

View File

@ -49,16 +49,25 @@ spec:
for more information."
minLength: 1
type: string
secretName:
description: SecretName is an optional name of a Secret in the same
namespace, of type `kubernetes.io/tls`, which contains the TLS serving
certificate for the HTTPS endpoints served by this OIDC Provider.
SecretName is required if you would like to use the HTTPS endpoints
(e.g. when exposing them outside the cluster using a LoadBalancer
Service), and is not required when you would like to use only the
HTTP endpoints (e.g. when terminating TLS at an Ingress). The TLS
secret must contain keys named `tls.crt` and `tls.key` that contain
the certificate and private key to use for TLS.
sniCertificateSecretName:
description: "SNICertificateSecretName is an optional name of a Secret
in the same namespace, of type `kubernetes.io/tls`, which contains
the TLS serving certificate for the HTTPS endpoints served by this
OIDC Provider. When provided, the TLS Secret named here must contain
keys named `tls.crt` and `tls.key` that contain the certificate
and private key to use for TLS. \n Server Name Indication (SNI)
is an extension to the Transport Layer Security (TLS) supported
by all major browsers. \n SNICertificateSecretName is required if
you would like to use different TLS certificates for issuers of
different hostnames. SNI requests do not include port numbers, so
all issuers with the same DNS hostname must use the same SNICertificateSecretName
value even if they have different port numbers. \n SNICertificateSecretName
is not required when you would like to use only the HTTP endpoints
(e.g. when terminating TLS at an Ingress). It is also not required
when you would like all requests to this OIDC Provider's HTTPS endpoints
to use the default TLS certificate, which is configured elsewhere.
\n When your Issuer URL's host is an IP address, then this field
is ignored. SNI does not work for IP addresses."
type: string
required:
- issuer

View File

@ -132,7 +132,11 @@ OIDCProviderConfigSpec is a struct that describes an OIDC Provider.
| Field | Description
| *`issuer`* __string__ | Issuer is the OIDC Provider's issuer, per the OIDC Discovery Metadata document, as well as the identifier that it will use for the iss claim in issued JWTs. This field will also be used as the base URL for any endpoints used by the OIDC Provider (e.g., if your issuer is https://example.com/foo, then your authorization endpoint will look like https://example.com/foo/some/path/to/auth/endpoint).
See https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3 for more information.
| *`secretName`* __string__ | SecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains the TLS serving certificate for the HTTPS endpoints served by this OIDC Provider. SecretName is required if you would like to use the HTTPS endpoints (e.g. when exposing them outside the cluster using a LoadBalancer Service), and is not required when you would like to use only the HTTP endpoints (e.g. when terminating TLS at an Ingress). The TLS secret must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use for TLS.
| *`sniCertificateSecretName`* __string__ | SNICertificateSecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains the TLS serving certificate for the HTTPS endpoints served by this OIDC Provider. When provided, the TLS Secret named here must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use for TLS.
Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers.
SNICertificateSecretName is required if you would like to use different TLS certificates for issuers of different hostnames. SNI requests do not include port numbers, so all issuers with the same DNS hostname must use the same SNICertificateSecretName value even if they have different port numbers.
SNICertificateSecretName is not required when you would like to use only the HTTP endpoints (e.g. when terminating TLS at an Ingress). It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to use the default TLS certificate, which is configured elsewhere.
When your Issuer URL's host is an IP address, then this field is ignored. SNI does not work for IP addresses.
|===

View File

@ -31,14 +31,27 @@ type OIDCProviderConfigSpec struct {
// +kubebuilder:validation:MinLength=1
Issuer string `json:"issuer"`
// SecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`,
// SNICertificateSecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`,
// which contains the TLS serving certificate for the HTTPS endpoints served by this OIDC Provider.
// SecretName is required if you would like to use the HTTPS endpoints (e.g. when exposing them outside
// the cluster using a LoadBalancer Service), and is not required when you would like to use only the
// HTTP endpoints (e.g. when terminating TLS at an Ingress). The TLS secret must contain keys named
// `tls.crt` and `tls.key` that contain the certificate and private key to use for TLS.
// When provided, the TLS Secret named here must contain keys named `tls.crt` and `tls.key` that
// contain the certificate and private key to use for TLS.
//
// Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers.
//
// SNICertificateSecretName is required if you would like to use different TLS certificates for
// issuers of different hostnames. SNI requests do not include port numbers, so all issuers with the same
// DNS hostname must use the same SNICertificateSecretName value even if they have different port numbers.
//
// SNICertificateSecretName is not required when you would like to use only the
// HTTP endpoints (e.g. when terminating TLS at an Ingress). It is also not required when you
// would like all requests to this OIDC Provider's HTTPS endpoints to use the default TLS certificate,
// which is configured elsewhere.
//
// When your Issuer URL's host is an IP address, then this field is ignored. SNI does not work
// for IP addresses.
//
// +optional
SecretName string `json:"secretName,omitempty"`
SNICertificateSecretName string `json:"sniCertificateSecretName,omitempty"`
}
// OIDCProviderConfigStatus is a struct that describes the actual state of an OIDC Provider.

View File

@ -397,9 +397,9 @@ func schema_118_apis_config_v1alpha1_OIDCProviderConfigSpec(ref common.Reference
Format: "",
},
},
"secretName": {
"sniCertificateSecretName": {
SchemaProps: spec.SchemaProps{
Description: "SecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains the TLS serving certificate for the HTTPS endpoints served by this OIDC Provider. SecretName is required if you would like to use the HTTPS endpoints (e.g. when exposing them outside the cluster using a LoadBalancer Service), and is not required when you would like to use only the HTTP endpoints (e.g. when terminating TLS at an Ingress). The TLS secret must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use for TLS.",
Description: "SNICertificateSecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains the TLS serving certificate for the HTTPS endpoints served by this OIDC Provider. When provided, the TLS Secret named here must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use for TLS.\n\nServer Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers.\n\nSNICertificateSecretName is required if you would like to use different TLS certificates for issuers of different hostnames. SNI requests do not include port numbers, so all issuers with the same DNS hostname must use the same SNICertificateSecretName value even if they have different port numbers.\n\nSNICertificateSecretName is not required when you would like to use only the HTTP endpoints (e.g. when terminating TLS at an Ingress). It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to use the default TLS certificate, which is configured elsewhere.\n\nWhen your Issuer URL's host is an IP address, then this field is ignored. SNI does not work for IP addresses.",
Type: []string{"string"},
Format: "",
},

View File

@ -49,16 +49,25 @@ spec:
for more information."
minLength: 1
type: string
secretName:
description: SecretName is an optional name of a Secret in the same
namespace, of type `kubernetes.io/tls`, which contains the TLS serving
certificate for the HTTPS endpoints served by this OIDC Provider.
SecretName is required if you would like to use the HTTPS endpoints
(e.g. when exposing them outside the cluster using a LoadBalancer
Service), and is not required when you would like to use only the
HTTP endpoints (e.g. when terminating TLS at an Ingress). The TLS
secret must contain keys named `tls.crt` and `tls.key` that contain
the certificate and private key to use for TLS.
sniCertificateSecretName:
description: "SNICertificateSecretName is an optional name of a Secret
in the same namespace, of type `kubernetes.io/tls`, which contains
the TLS serving certificate for the HTTPS endpoints served by this
OIDC Provider. When provided, the TLS Secret named here must contain
keys named `tls.crt` and `tls.key` that contain the certificate
and private key to use for TLS. \n Server Name Indication (SNI)
is an extension to the Transport Layer Security (TLS) supported
by all major browsers. \n SNICertificateSecretName is required if
you would like to use different TLS certificates for issuers of
different hostnames. SNI requests do not include port numbers, so
all issuers with the same DNS hostname must use the same SNICertificateSecretName
value even if they have different port numbers. \n SNICertificateSecretName
is not required when you would like to use only the HTTP endpoints
(e.g. when terminating TLS at an Ingress). It is also not required
when you would like all requests to this OIDC Provider's HTTPS endpoints
to use the default TLS certificate, which is configured elsewhere.
\n When your Issuer URL's host is an IP address, then this field
is ignored. SNI does not work for IP addresses."
type: string
required:
- issuer

View File

@ -132,7 +132,11 @@ OIDCProviderConfigSpec is a struct that describes an OIDC Provider.
| Field | Description
| *`issuer`* __string__ | Issuer is the OIDC Provider's issuer, per the OIDC Discovery Metadata document, as well as the identifier that it will use for the iss claim in issued JWTs. This field will also be used as the base URL for any endpoints used by the OIDC Provider (e.g., if your issuer is https://example.com/foo, then your authorization endpoint will look like https://example.com/foo/some/path/to/auth/endpoint).
See https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3 for more information.
| *`secretName`* __string__ | SecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains the TLS serving certificate for the HTTPS endpoints served by this OIDC Provider. SecretName is required if you would like to use the HTTPS endpoints (e.g. when exposing them outside the cluster using a LoadBalancer Service), and is not required when you would like to use only the HTTP endpoints (e.g. when terminating TLS at an Ingress). The TLS secret must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use for TLS.
| *`sniCertificateSecretName`* __string__ | SNICertificateSecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains the TLS serving certificate for the HTTPS endpoints served by this OIDC Provider. When provided, the TLS Secret named here must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use for TLS.
Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers.
SNICertificateSecretName is required if you would like to use different TLS certificates for issuers of different hostnames. SNI requests do not include port numbers, so all issuers with the same DNS hostname must use the same SNICertificateSecretName value even if they have different port numbers.
SNICertificateSecretName is not required when you would like to use only the HTTP endpoints (e.g. when terminating TLS at an Ingress). It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to use the default TLS certificate, which is configured elsewhere.
When your Issuer URL's host is an IP address, then this field is ignored. SNI does not work for IP addresses.
|===

View File

@ -31,14 +31,27 @@ type OIDCProviderConfigSpec struct {
// +kubebuilder:validation:MinLength=1
Issuer string `json:"issuer"`
// SecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`,
// SNICertificateSecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`,
// which contains the TLS serving certificate for the HTTPS endpoints served by this OIDC Provider.
// SecretName is required if you would like to use the HTTPS endpoints (e.g. when exposing them outside
// the cluster using a LoadBalancer Service), and is not required when you would like to use only the
// HTTP endpoints (e.g. when terminating TLS at an Ingress). The TLS secret must contain keys named
// `tls.crt` and `tls.key` that contain the certificate and private key to use for TLS.
// When provided, the TLS Secret named here must contain keys named `tls.crt` and `tls.key` that
// contain the certificate and private key to use for TLS.
//
// Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers.
//
// SNICertificateSecretName is required if you would like to use different TLS certificates for
// issuers of different hostnames. SNI requests do not include port numbers, so all issuers with the same
// DNS hostname must use the same SNICertificateSecretName value even if they have different port numbers.
//
// SNICertificateSecretName is not required when you would like to use only the
// HTTP endpoints (e.g. when terminating TLS at an Ingress). It is also not required when you
// would like all requests to this OIDC Provider's HTTPS endpoints to use the default TLS certificate,
// which is configured elsewhere.
//
// When your Issuer URL's host is an IP address, then this field is ignored. SNI does not work
// for IP addresses.
//
// +optional
SecretName string `json:"secretName,omitempty"`
SNICertificateSecretName string `json:"sniCertificateSecretName,omitempty"`
}
// OIDCProviderConfigStatus is a struct that describes the actual state of an OIDC Provider.

View File

@ -398,9 +398,9 @@ func schema_119_apis_config_v1alpha1_OIDCProviderConfigSpec(ref common.Reference
Format: "",
},
},
"secretName": {
"sniCertificateSecretName": {
SchemaProps: spec.SchemaProps{
Description: "SecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains the TLS serving certificate for the HTTPS endpoints served by this OIDC Provider. SecretName is required if you would like to use the HTTPS endpoints (e.g. when exposing them outside the cluster using a LoadBalancer Service), and is not required when you would like to use only the HTTP endpoints (e.g. when terminating TLS at an Ingress). The TLS secret must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use for TLS.",
Description: "SNICertificateSecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains the TLS serving certificate for the HTTPS endpoints served by this OIDC Provider. When provided, the TLS Secret named here must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use for TLS.\n\nServer Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers.\n\nSNICertificateSecretName is required if you would like to use different TLS certificates for issuers of different hostnames. SNI requests do not include port numbers, so all issuers with the same DNS hostname must use the same SNICertificateSecretName value even if they have different port numbers.\n\nSNICertificateSecretName is not required when you would like to use only the HTTP endpoints (e.g. when terminating TLS at an Ingress). It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to use the default TLS certificate, which is configured elsewhere.\n\nWhen your Issuer URL's host is an IP address, then this field is ignored. SNI does not work for IP addresses.",
Type: []string{"string"},
Format: "",
},

View File

@ -49,16 +49,25 @@ spec:
for more information."
minLength: 1
type: string
secretName:
description: SecretName is an optional name of a Secret in the same
namespace, of type `kubernetes.io/tls`, which contains the TLS serving
certificate for the HTTPS endpoints served by this OIDC Provider.
SecretName is required if you would like to use the HTTPS endpoints
(e.g. when exposing them outside the cluster using a LoadBalancer
Service), and is not required when you would like to use only the
HTTP endpoints (e.g. when terminating TLS at an Ingress). The TLS
secret must contain keys named `tls.crt` and `tls.key` that contain
the certificate and private key to use for TLS.
sniCertificateSecretName:
description: "SNICertificateSecretName is an optional name of a Secret
in the same namespace, of type `kubernetes.io/tls`, which contains
the TLS serving certificate for the HTTPS endpoints served by this
OIDC Provider. When provided, the TLS Secret named here must contain
keys named `tls.crt` and `tls.key` that contain the certificate
and private key to use for TLS. \n Server Name Indication (SNI)
is an extension to the Transport Layer Security (TLS) supported
by all major browsers. \n SNICertificateSecretName is required if
you would like to use different TLS certificates for issuers of
different hostnames. SNI requests do not include port numbers, so
all issuers with the same DNS hostname must use the same SNICertificateSecretName
value even if they have different port numbers. \n SNICertificateSecretName
is not required when you would like to use only the HTTP endpoints
(e.g. when terminating TLS at an Ingress). It is also not required
when you would like all requests to this OIDC Provider's HTTPS endpoints
to use the default TLS certificate, which is configured elsewhere.
\n When your Issuer URL's host is an IP address, then this field
is ignored. SNI does not work for IP addresses."
type: string
required:
- issuer

View File

@ -102,7 +102,7 @@ func (c *oidcProviderConfigWatcherController) Sync(ctx controllerlib.Context) er
setOfSecretNames = make(map[string]bool)
uniqueSecretNamesPerIssuerAddress[issuerURLToHostnameKey(issuerURL)] = setOfSecretNames
}
setOfSecretNames[opc.Spec.SecretName] = true
setOfSecretNames[opc.Spec.SNICertificateSecretName] = true
}
errs := multierror.New()

View File

@ -819,8 +819,8 @@ func TestSync(t *testing.T) {
oidcProviderConfigSameIssuerAddress1 = &v1alpha1.OIDCProviderConfig{
ObjectMeta: metav1.ObjectMeta{Name: "provider1", Namespace: namespace},
Spec: v1alpha1.OIDCProviderConfigSpec{
Issuer: "https://iSSueR-duPlicAte-adDress.cOm/path1",
SecretName: "secret1",
Issuer: "https://iSSueR-duPlicAte-adDress.cOm/path1",
SNICertificateSecretName: "secret1",
},
}
r.NoError(pinnipedAPIClient.Tracker().Add(oidcProviderConfigSameIssuerAddress1))
@ -830,8 +830,8 @@ func TestSync(t *testing.T) {
Spec: v1alpha1.OIDCProviderConfigSpec{
// Validation treats these as the same DNS hostname even though they have different port numbers,
// because SNI information on the incoming requests is not going to include port numbers.
Issuer: "https://issuer-duplicate-address.com:1234/path2",
SecretName: "secret2",
Issuer: "https://issuer-duplicate-address.com:1234/path2",
SNICertificateSecretName: "secret2",
},
}
r.NoError(pinnipedAPIClient.Tracker().Add(oidcProviderConfigSameIssuerAddress2))
@ -840,8 +840,8 @@ func TestSync(t *testing.T) {
oidcProviderConfigDifferentIssuerAddress = &v1alpha1.OIDCProviderConfig{
ObjectMeta: metav1.ObjectMeta{Name: "differentIssuerAddressProvider", Namespace: namespace},
Spec: v1alpha1.OIDCProviderConfigSpec{
Issuer: "https://issuer-not-duplicate.com",
SecretName: "secret1",
Issuer: "https://issuer-not-duplicate.com",
SNICertificateSecretName: "secret1",
},
}
r.NoError(pinnipedAPIClient.Tracker().Add(oidcProviderConfigDifferentIssuerAddress))
@ -855,8 +855,8 @@ func TestSync(t *testing.T) {
oidcProviderConfigWithInvalidIssuerURL = &v1alpha1.OIDCProviderConfig{
ObjectMeta: metav1.ObjectMeta{Name: "invalidIssuerURLProvider", Namespace: namespace},
Spec: v1alpha1.OIDCProviderConfigSpec{
Issuer: invalidIssuerURL,
SecretName: "secret1",
Issuer: invalidIssuerURL,
SNICertificateSecretName: "secret1",
},
}
r.NoError(pinnipedAPIClient.Tracker().Add(oidcProviderConfigWithInvalidIssuerURL))

View File

@ -68,7 +68,7 @@ func (c *tlsCertObserverController) Sync(ctx controllerlib.Context) error {
issuerHostToTLSCertMap := map[string]*tls.Certificate{}
for _, provider := range allProviders {
secretName := provider.Spec.SecretName
secretName := provider.Spec.SNICertificateSecretName
issuerURL, err := url.Parse(provider.Spec.Issuer)
if err != nil {
klog.InfoS("tlsCertObserverController Sync found an invalid issuer URL", "namespace", ns, "issuer", provider.Spec.Issuer)

View File

@ -203,21 +203,27 @@ func TestTLSCertObserverControllerSync(t *testing.T) {
Name: "no-secret-oidcproviderconfig1",
Namespace: installedInNamespace,
},
Spec: v1alpha1.OIDCProviderConfigSpec{Issuer: "https://no-secret-issuer1.com"}, // no SecretName field
Spec: v1alpha1.OIDCProviderConfigSpec{Issuer: "https://no-secret-issuer1.com"}, // no SNICertificateSecretName field
}
oidcProviderConfigWithoutSecret2 := &v1alpha1.OIDCProviderConfig{
ObjectMeta: metav1.ObjectMeta{
Name: "no-secret-oidcproviderconfig2",
Namespace: installedInNamespace,
},
Spec: v1alpha1.OIDCProviderConfigSpec{Issuer: "https://no-secret-issuer2.com", SecretName: ""},
Spec: v1alpha1.OIDCProviderConfigSpec{
Issuer: "https://no-secret-issuer2.com",
SNICertificateSecretName: "",
},
}
oidcProviderConfigWithBadSecret := &v1alpha1.OIDCProviderConfig{
ObjectMeta: metav1.ObjectMeta{
Name: "bad-secret-oidcproviderconfig",
Namespace: installedInNamespace,
},
Spec: v1alpha1.OIDCProviderConfigSpec{Issuer: "https://bad-secret-issuer.com", SecretName: "bad-tls-secret-name"},
Spec: v1alpha1.OIDCProviderConfigSpec{
Issuer: "https://bad-secret-issuer.com",
SNICertificateSecretName: "bad-tls-secret-name",
},
}
// Also add one with a URL that cannot be parsed to make sure that the controller is not confused by invalid URLs.
invalidIssuerURL := ":/host//path"
@ -236,7 +242,10 @@ func TestTLSCertObserverControllerSync(t *testing.T) {
Namespace: installedInNamespace,
},
// Issuer hostname should be treated in a case-insensitive way and SNI ignores port numbers. Test without a port number.
Spec: v1alpha1.OIDCProviderConfigSpec{Issuer: "https://www.iSSuer-wiTh-goOd-secRet1.cOm/path", SecretName: "good-tls-secret-name1"},
Spec: v1alpha1.OIDCProviderConfigSpec{
Issuer: "https://www.iSSuer-wiTh-goOd-secRet1.cOm/path",
SNICertificateSecretName: "good-tls-secret-name1",
},
}
oidcProviderConfigWithGoodSecret2 := &v1alpha1.OIDCProviderConfig{
ObjectMeta: metav1.ObjectMeta{
@ -244,7 +253,10 @@ func TestTLSCertObserverControllerSync(t *testing.T) {
Namespace: installedInNamespace,
},
// Issuer hostname should be treated in a case-insensitive way and SNI ignores port numbers. Test with a port number.
Spec: v1alpha1.OIDCProviderConfigSpec{Issuer: "https://www.issUEr-WIth-gOOd-seCret2.com:1234/path", SecretName: "good-tls-secret-name2"},
Spec: v1alpha1.OIDCProviderConfigSpec{
Issuer: "https://www.issUEr-WIth-gOOd-seCret2.com:1234/path",
SNICertificateSecretName: "good-tls-secret-name2",
},
}
testCrt1 := readTestFile("testdata/test.crt")
r.NotEmpty(testCrt1)