From eeb110761ee34595712167727a62c7bb7884e0b5 Mon Sep 17 00:00:00 2001
From: Ryan Richard
Date: Mon, 26 Oct 2020 17:25:45 -0700
Subject: [PATCH] Rename `secretName` to `SNICertificateSecretName` in OIDCProviderConfig

---
 .../v1alpha1/types_oidcproviderconfig.go.tmpl | 25 ++++++++++++----
 ...nfig.pinniped.dev_oidcproviderconfigs.yaml | 29 ++++++++++++-------
 generated/1.17/README.adoc | 6 +++-
 .../v1alpha1/types_oidcproviderconfig.go | 25 ++++++++++++----
 .../client/openapi/zz_generated.openapi.go | 4 +--
 ...nfig.pinniped.dev_oidcproviderconfigs.yaml | 29 ++++++++++++-------
 generated/1.18/README.adoc | 6 +++-
 .../v1alpha1/types_oidcproviderconfig.go | 25 ++++++++++++----
 .../client/openapi/zz_generated.openapi.go | 4 +--
 ...nfig.pinniped.dev_oidcproviderconfigs.yaml | 29 ++++++++++++-------
 generated/1.19/README.adoc | 6 +++-
 .../v1alpha1/types_oidcproviderconfig.go | 25 ++++++++++++----
 .../client/openapi/zz_generated.openapi.go | 4 +--
 ...nfig.pinniped.dev_oidcproviderconfigs.yaml | 29 ++++++++++++-------
 .../oidcproviderconfig_watcher.go | 2 +-
 .../oidcproviderconfig_watcher_test.go | 16 +++++-----
 .../supervisorconfig/tls_cert_observer.go | 2 +-
 .../tls_cert_observer_test.go | 22 ++++++++++----
 18 files changed, 200 insertions(+), 88 deletions(-)

diff --git a/apis/config/v1alpha1/types_oidcproviderconfig.go.tmpl b/apis/config/v1alpha1/types_oidcproviderconfig.go.tmpl
index 38c2f0b2..a2dc9cbc 100644
--- a/apis/config/v1alpha1/types_oidcproviderconfig.go.tmpl
+++ b/apis/config/v1alpha1/types_oidcproviderconfig.go.tmpl
@@ -31,14 +31,27 @@ type OIDCProviderConfigSpec struct {
 // +kubebuilder:validation:MinLength=1
 Issuer string `json:"issuer"`
 
- // SecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`,
+ // SNICertificateSecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`,
 // which contains the TLS serving certificate for the HTTPS endpoints served by this OIDC Provider.
- // SecretName is required if you would like to use the HTTPS endpoints (e.g. when exposing them outside
- // the cluster using a LoadBalancer Service), and is not required when you would like to use only the
- // HTTP endpoints (e.g. when terminating TLS at an Ingress). The TLS secret must contain keys named
- // `tls.crt` and `tls.key` that contain the certificate and private key to use for TLS.
+ // When provided, the TLS Secret named here must contain keys named `tls.crt` and `tls.key` that
+ // contain the certificate and private key to use for TLS.
+ //
+ // Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers.
+ //
+ // SNICertificateSecretName is required if you would like to use different TLS certificates for
+ // issuers of different hostnames. SNI requests do not include port numbers, so all issuers with the same
+ // DNS hostname must use the same SNICertificateSecretName value even if they have different port numbers.
+ //
+ // SNICertificateSecretName is not required when you would like to use only the
+ // HTTP endpoints (e.g. when terminating TLS at an Ingress). It is also not required when you
+ // would like all requests to this OIDC Provider's HTTPS endpoints to use the default TLS certificate,
+ // which is configured elsewhere.
+ //
+ // When your Issuer URL's host is an IP address, then this field is ignored. SNI does not work
+ // for IP addresses.
+ //
 // +optional
- SecretName string `json:"secretName,omitempty"`
+ SNICertificateSecretName string `json:"sniCertificateSecretName,omitempty"`
 }
 
 // OIDCProviderConfigStatus is a struct that describes the actual state of an OIDC Provider.
diff --git a/deploy/supervisor/config.pinniped.dev_oidcproviderconfigs.yaml b/deploy/supervisor/config.pinniped.dev_oidcproviderconfigs.yaml
index 528f6727..e8330ab3 100644
--- a/deploy/supervisor/config.pinniped.dev_oidcproviderconfigs.yaml
+++ b/deploy/supervisor/config.pinniped.dev_oidcproviderconfigs.yaml
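Review bot: Renaming the wire field from `secretName` to `sniCertificateSecretName` leaves no compatibility path for OIDCProviderConfig objects already stored with `secretName`; with a structural CRD schema the old key is most likely pruned on the next write, so a provider that had a serving certificate configured would silently fall back to the default certificate or HTTP-only serving that the new comment describes. If that is acceptable for a v1alpha1 API, a sentence in the commit description or the field comment saying so would save operators a surprise; otherwise keep `SecretName` as a deprecated alias for one release and have the watcher honour either. The new comment also says nothing about what the certificate must be valid for; assuming the observer selects it by the Issuer URL's hostname, adding `// The certificate in this Secret should be valid for the Issuer URL's hostname, which is what clients send as the SNI server name.` would help avoid mismatched certificates and the resulting client-side TLS failures. This template is replicated under generated/1.17, 1.18 and 1.19, so any comment change here needs the generated copies regenerated as well.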
@@ -49,16 +49,25 @@ spec: for more information." minLength: 1 type: string - secretName: - description: SecretName is an optional name of a Secret in the same - namespace, of type `kubernetes.io/tls`, which contains the TLS serving - certificate for the HTTPS endpoints served by this OIDC Provider. - SecretName is required if you would like to use the HTTPS endpoints - (e.g. when exposing them outside the cluster using a LoadBalancer - Service), and is not required when you would like to use only the - HTTP endpoints (e.g. when terminating TLS at an Ingress). The TLS - secret must contain keys named `tls.crt` and `tls.key` that contain - the certificate and private key to use for TLS. + sniCertificateSecretName: + description: "SNICertificateSecretName is an optional name of a Secret + in the same namespace, of type `kubernetes.io/tls`, which contains + the TLS serving certificate for the HTTPS endpoints served by this + OIDC Provider. When provided, the TLS Secret named here must contain + keys named `tls.crt` and `tls.key` that contain the certificate + and private key to use for TLS. \n Server Name Indication (SNI) + is an extension to the Transport Layer Security (TLS) supported + by all major browsers. \n SNICertificateSecretName is required if + you would like to use different TLS certificates for issuers of + different hostnames. SNI requests do not include port numbers, so + all issuers with the same DNS hostname must use the same SNICertificateSecretName + value even if they have different port numbers. \n SNICertificateSecretName + is not required when you would like to use only the HTTP endpoints + (e.g. when terminating TLS at an Ingress). It is also not required + when you would like all requests to this OIDC Provider's HTTPS endpoints + to use the default TLS certificate, which is configured elsewhere. + \n When your Issuer URL's host is an IP address, then this field + is ignored. SNI does not work for IP addresses." type: string required: - issuer 
diff --git a/generated/1.17/README.adoc b/generated/1.17/README.adoc
index a43ac459..b6da2c0c 100644
--- a/generated/1.17/README.adoc
+++ b/generated/1.17/README.adoc
@@ -132,7 +132,11 @@ OIDCProviderConfigSpec is a struct that describes an OIDC Provider. | Field | Description | *`issuer`* __string__ | Issuer is the OIDC Provider's issuer, per the OIDC Discovery Metadata document, as well as the identifier that it will use for the iss claim in issued JWTs. This field will also be used as the base URL for any endpoints used by the OIDC Provider (e.g., if your issuer is https://example.com/foo, then your authorization endpoint will look like https://example.com/foo/some/path/to/auth/endpoint). See https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3 for more information. -| *`secretName`* __string__ | SecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains the TLS serving certificate for the HTTPS endpoints served by this OIDC Provider. SecretName is required if you would like to use the HTTPS endpoints (e.g. when exposing them outside the cluster using a LoadBalancer Service), and is not required when you would like to use only the HTTP endpoints (e.g. when terminating TLS at an Ingress). The TLS secret must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use for TLS. +| *`sniCertificateSecretName`* __string__ | SNICertificateSecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains the TLS serving certificate for the HTTPS endpoints served by this OIDC Provider. When provided, the TLS Secret named here must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use for TLS. + Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers. + SNICertificateSecretName is required if you would like to use different TLS certificates for issuers of different hostnames. 
SNI requests do not include port numbers, so all issuers with the same DNS hostname must use the same SNICertificateSecretName value even if they have different port numbers. + SNICertificateSecretName is not required when you would like to use only the HTTP endpoints (e.g. when terminating TLS at an Ingress). It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to use the default TLS certificate, which is configured elsewhere. + When your Issuer URL's host is an IP address, then this field is ignored. SNI does not work for IP addresses. |===
diff --git a/generated/1.17/apis/config/v1alpha1/types_oidcproviderconfig.go b/generated/1.17/apis/config/v1alpha1/types_oidcproviderconfig.go
index 38c2f0b2..a2dc9cbc 100644
--- a/generated/1.17/apis/config/v1alpha1/types_oidcproviderconfig.go
+++ b/generated/1.17/apis/config/v1alpha1/types_oidcproviderconfig.go
@@ -31,14 +31,27 @@ type OIDCProviderConfigSpec struct { // +kubebuilder:validation:MinLength=1 Issuer string `json:"issuer"` - // SecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, + // SNICertificateSecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, // which contains the TLS serving certificate for the HTTPS endpoints served by this OIDC Provider. - // SecretName is required if you would like to use the HTTPS endpoints (e.g. when exposing them outside - // the cluster using a LoadBalancer Service), and is not required when you would like to use only the - // HTTP endpoints (e.g. when terminating TLS at an Ingress). The TLS secret must contain keys named - // `tls.crt` and `tls.key` that contain the certificate and private key to use for TLS. + // When provided, the TLS Secret named here must contain keys named `tls.crt` and `tls.key` that + // contain the certificate and private key to use for TLS. + // + // Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers. + // + // SNICertificateSecretName is required if you would like to use different TLS certificates for + // issuers of different hostnames. SNI requests do not include port numbers, so all issuers with the same + // DNS hostname must use the same SNICertificateSecretName value even if they have different port numbers. + // + // SNICertificateSecretName is not required when you would like to use only the + // HTTP endpoints (e.g. when terminating TLS at an Ingress). It is also not required when you + // would like all requests to this OIDC Provider's HTTPS endpoints to use the default TLS certificate, + // which is configured elsewhere. + // + // When your Issuer URL's host is an IP address, then this field is ignored. SNI does not work + // for IP addresses. 
+ // // +optional - SecretName string `json:"secretName,omitempty"` + SNICertificateSecretName string `json:"sniCertificateSecretName,omitempty"` } // OIDCProviderConfigStatus is a struct that describes the actual state of an OIDC Provider.
diff --git a/generated/1.17/client/openapi/zz_generated.openapi.go b/generated/1.17/client/openapi/zz_generated.openapi.go
index 8ae4db21..e8028d0f 100644
--- a/generated/1.17/client/openapi/zz_generated.openapi.go
+++ b/generated/1.17/client/openapi/zz_generated.openapi.go
@@ -397,9 +397,9 @@ func schema_117_apis_config_v1alpha1_OIDCProviderConfigSpec(ref common.Reference Format: "", }, }, - "secretName": { + "sniCertificateSecretName": { SchemaProps: spec.SchemaProps{ - Description: "SecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains the TLS serving certificate for the HTTPS endpoints served by this OIDC Provider. SecretName is required if you would like to use the HTTPS endpoints (e.g. when exposing them outside the cluster using a LoadBalancer Service), and is not required when you would like to use only the HTTP endpoints (e.g. when terminating TLS at an Ingress). The TLS secret must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use for TLS.", + Description: "SNICertificateSecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains the TLS serving certificate for the HTTPS endpoints served by this OIDC Provider. When provided, the TLS Secret named here must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use for TLS.\n\nServer Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers.\n\nSNICertificateSecretName is required if you would like to use different TLS certificates for issuers of different hostnames. SNI requests do not include port numbers, so all issuers with the same DNS hostname must use the same SNICertificateSecretName value even if they have different port numbers.\n\nSNICertificateSecretName is not required when you would like to use only the HTTP endpoints (e.g. when terminating TLS at an Ingress). It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to use the default TLS certificate, which is configured elsewhere.\n\nWhen your Issuer URL's host is an IP address, then this field is ignored. 
SNI does not work for IP addresses.", Type: []string{"string"}, Format: "", },
diff --git a/generated/1.17/crds/config.pinniped.dev_oidcproviderconfigs.yaml b/generated/1.17/crds/config.pinniped.dev_oidcproviderconfigs.yaml
index 528f6727..e8330ab3 100644
--- a/generated/1.17/crds/config.pinniped.dev_oidcproviderconfigs.yaml
+++ b/generated/1.17/crds/config.pinniped.dev_oidcproviderconfigs.yaml
@@ -49,16 +49,25 @@ spec: for more information." minLength: 1 type: string - secretName: - description: SecretName is an optional name of a Secret in the same - namespace, of type `kubernetes.io/tls`, which contains the TLS serving - certificate for the HTTPS endpoints served by this OIDC Provider. - SecretName is required if you would like to use the HTTPS endpoints - (e.g. when exposing them outside the cluster using a LoadBalancer - Service), and is not required when you would like to use only the - HTTP endpoints (e.g. when terminating TLS at an Ingress). The TLS - secret must contain keys named `tls.crt` and `tls.key` that contain - the certificate and private key to use for TLS. + sniCertificateSecretName: + description: "SNICertificateSecretName is an optional name of a Secret + in the same namespace, of type `kubernetes.io/tls`, which contains + the TLS serving certificate for the HTTPS endpoints served by this + OIDC Provider. When provided, the TLS Secret named here must contain + keys named `tls.crt` and `tls.key` that contain the certificate + and private key to use for TLS. \n Server Name Indication (SNI) + is an extension to the Transport Layer Security (TLS) supported + by all major browsers. \n SNICertificateSecretName is required if + you would like to use different TLS certificates for issuers of + different hostnames. SNI requests do not include port numbers, so + all issuers with the same DNS hostname must use the same SNICertificateSecretName + value even if they have different port numbers. \n SNICertificateSecretName + is not required when you would like to use only the HTTP endpoints + (e.g. when terminating TLS at an Ingress). It is also not required + when you would like all requests to this OIDC Provider's HTTPS endpoints + to use the default TLS certificate, which is configured elsewhere. + \n When your Issuer URL's host is an IP address, then this field + is ignored. SNI does not work for IP addresses." type: string required: - issuer 
diff --git a/generated/1.18/README.adoc b/generated/1.18/README.adoc
index 0a6f30fe..5b3892d1 100644
--- a/generated/1.18/README.adoc
+++ b/generated/1.18/README.adoc
@@ -132,7 +132,11 @@ OIDCProviderConfigSpec is a struct that describes an OIDC Provider. | Field | Description | *`issuer`* __string__ | Issuer is the OIDC Provider's issuer, per the OIDC Discovery Metadata document, as well as the identifier that it will use for the iss claim in issued JWTs. This field will also be used as the base URL for any endpoints used by the OIDC Provider (e.g., if your issuer is https://example.com/foo, then your authorization endpoint will look like https://example.com/foo/some/path/to/auth/endpoint). See https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3 for more information. -| *`secretName`* __string__ | SecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains the TLS serving certificate for the HTTPS endpoints served by this OIDC Provider. SecretName is required if you would like to use the HTTPS endpoints (e.g. when exposing them outside the cluster using a LoadBalancer Service), and is not required when you would like to use only the HTTP endpoints (e.g. when terminating TLS at an Ingress). The TLS secret must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use for TLS. +| *`sniCertificateSecretName`* __string__ | SNICertificateSecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains the TLS serving certificate for the HTTPS endpoints served by this OIDC Provider. When provided, the TLS Secret named here must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use for TLS. + Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers. + SNICertificateSecretName is required if you would like to use different TLS certificates for issuers of different hostnames. 
SNI requests do not include port numbers, so all issuers with the same DNS hostname must use the same SNICertificateSecretName value even if they have different port numbers. + SNICertificateSecretName is not required when you would like to use only the HTTP endpoints (e.g. when terminating TLS at an Ingress). It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to use the default TLS certificate, which is configured elsewhere. + When your Issuer URL's host is an IP address, then this field is ignored. SNI does not work for IP addresses. |===
diff --git a/generated/1.18/apis/config/v1alpha1/types_oidcproviderconfig.go b/generated/1.18/apis/config/v1alpha1/types_oidcproviderconfig.go
index 38c2f0b2..a2dc9cbc 100644
--- a/generated/1.18/apis/config/v1alpha1/types_oidcproviderconfig.go
+++ b/generated/1.18/apis/config/v1alpha1/types_oidcproviderconfig.go
@@ -31,14 +31,27 @@ type OIDCProviderConfigSpec struct { // +kubebuilder:validation:MinLength=1 Issuer string `json:"issuer"` - // SecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, + // SNICertificateSecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, // which contains the TLS serving certificate for the HTTPS endpoints served by this OIDC Provider. - // SecretName is required if you would like to use the HTTPS endpoints (e.g. when exposing them outside - // the cluster using a LoadBalancer Service), and is not required when you would like to use only the - // HTTP endpoints (e.g. when terminating TLS at an Ingress). The TLS secret must contain keys named - // `tls.crt` and `tls.key` that contain the certificate and private key to use for TLS. + // When provided, the TLS Secret named here must contain keys named `tls.crt` and `tls.key` that + // contain the certificate and private key to use for TLS. + // + // Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers. + // + // SNICertificateSecretName is required if you would like to use different TLS certificates for + // issuers of different hostnames. SNI requests do not include port numbers, so all issuers with the same + // DNS hostname must use the same SNICertificateSecretName value even if they have different port numbers. + // + // SNICertificateSecretName is not required when you would like to use only the + // HTTP endpoints (e.g. when terminating TLS at an Ingress). It is also not required when you + // would like all requests to this OIDC Provider's HTTPS endpoints to use the default TLS certificate, + // which is configured elsewhere. + // + // When your Issuer URL's host is an IP address, then this field is ignored. SNI does not work + // for IP addresses. 
+ // // +optional - SecretName string `json:"secretName,omitempty"` + SNICertificateSecretName string `json:"sniCertificateSecretName,omitempty"` } // OIDCProviderConfigStatus is a struct that describes the actual state of an OIDC Provider.
diff --git a/generated/1.18/client/openapi/zz_generated.openapi.go b/generated/1.18/client/openapi/zz_generated.openapi.go
index 85a105ef..737854c0 100644
--- a/generated/1.18/client/openapi/zz_generated.openapi.go
+++ b/generated/1.18/client/openapi/zz_generated.openapi.go
@@ -397,9 +397,9 @@ func schema_118_apis_config_v1alpha1_OIDCProviderConfigSpec(ref common.Reference Format: "", }, }, - "secretName": { + "sniCertificateSecretName": { SchemaProps: spec.SchemaProps{ - Description: "SecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains the TLS serving certificate for the HTTPS endpoints served by this OIDC Provider. SecretName is required if you would like to use the HTTPS endpoints (e.g. when exposing them outside the cluster using a LoadBalancer Service), and is not required when you would like to use only the HTTP endpoints (e.g. when terminating TLS at an Ingress). The TLS secret must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use for TLS.", + Description: "SNICertificateSecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains the TLS serving certificate for the HTTPS endpoints served by this OIDC Provider. When provided, the TLS Secret named here must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use for TLS.\n\nServer Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers.\n\nSNICertificateSecretName is required if you would like to use different TLS certificates for issuers of different hostnames. SNI requests do not include port numbers, so all issuers with the same DNS hostname must use the same SNICertificateSecretName value even if they have different port numbers.\n\nSNICertificateSecretName is not required when you would like to use only the HTTP endpoints (e.g. when terminating TLS at an Ingress). It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to use the default TLS certificate, which is configured elsewhere.\n\nWhen your Issuer URL's host is an IP address, then this field is ignored. 
SNI does not work for IP addresses.", Type: []string{"string"}, Format: "", },
diff --git a/generated/1.18/crds/config.pinniped.dev_oidcproviderconfigs.yaml b/generated/1.18/crds/config.pinniped.dev_oidcproviderconfigs.yaml
index 528f6727..e8330ab3 100644
--- a/generated/1.18/crds/config.pinniped.dev_oidcproviderconfigs.yaml
+++ b/generated/1.18/crds/config.pinniped.dev_oidcproviderconfigs.yaml
@@ -49,16 +49,25 @@ spec: for more information." minLength: 1 type: string - secretName: - description: SecretName is an optional name of a Secret in the same - namespace, of type `kubernetes.io/tls`, which contains the TLS serving - certificate for the HTTPS endpoints served by this OIDC Provider. - SecretName is required if you would like to use the HTTPS endpoints - (e.g. when exposing them outside the cluster using a LoadBalancer - Service), and is not required when you would like to use only the - HTTP endpoints (e.g. when terminating TLS at an Ingress). The TLS - secret must contain keys named `tls.crt` and `tls.key` that contain - the certificate and private key to use for TLS. + sniCertificateSecretName: + description: "SNICertificateSecretName is an optional name of a Secret + in the same namespace, of type `kubernetes.io/tls`, which contains + the TLS serving certificate for the HTTPS endpoints served by this + OIDC Provider. When provided, the TLS Secret named here must contain + keys named `tls.crt` and `tls.key` that contain the certificate + and private key to use for TLS. \n Server Name Indication (SNI) + is an extension to the Transport Layer Security (TLS) supported + by all major browsers. \n SNICertificateSecretName is required if + you would like to use different TLS certificates for issuers of + different hostnames. SNI requests do not include port numbers, so + all issuers with the same DNS hostname must use the same SNICertificateSecretName + value even if they have different port numbers. \n SNICertificateSecretName + is not required when you would like to use only the HTTP endpoints + (e.g. when terminating TLS at an Ingress). It is also not required + when you would like all requests to this OIDC Provider's HTTPS endpoints + to use the default TLS certificate, which is configured elsewhere. + \n When your Issuer URL's host is an IP address, then this field + is ignored. SNI does not work for IP addresses." type: string required: - issuer 
diff --git a/generated/1.19/README.adoc b/generated/1.19/README.adoc
index fa454528..49ed2bcf 100644
--- a/generated/1.19/README.adoc
+++ b/generated/1.19/README.adoc
@@ -132,7 +132,11 @@ OIDCProviderConfigSpec is a struct that describes an OIDC Provider. | Field | Description | *`issuer`* __string__ | Issuer is the OIDC Provider's issuer, per the OIDC Discovery Metadata document, as well as the identifier that it will use for the iss claim in issued JWTs. This field will also be used as the base URL for any endpoints used by the OIDC Provider (e.g., if your issuer is https://example.com/foo, then your authorization endpoint will look like https://example.com/foo/some/path/to/auth/endpoint). See https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3 for more information. -| *`secretName`* __string__ | SecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains the TLS serving certificate for the HTTPS endpoints served by this OIDC Provider. SecretName is required if you would like to use the HTTPS endpoints (e.g. when exposing them outside the cluster using a LoadBalancer Service), and is not required when you would like to use only the HTTP endpoints (e.g. when terminating TLS at an Ingress). The TLS secret must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use for TLS. +| *`sniCertificateSecretName`* __string__ | SNICertificateSecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains the TLS serving certificate for the HTTPS endpoints served by this OIDC Provider. When provided, the TLS Secret named here must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use for TLS. + Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers. + SNICertificateSecretName is required if you would like to use different TLS certificates for issuers of different hostnames. 
SNI requests do not include port numbers, so all issuers with the same DNS hostname must use the same SNICertificateSecretName value even if they have different port numbers. + SNICertificateSecretName is not required when you would like to use only the HTTP endpoints (e.g. when terminating TLS at an Ingress). It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to use the default TLS certificate, which is configured elsewhere. + When your Issuer URL's host is an IP address, then this field is ignored. SNI does not work for IP addresses. |===
diff --git a/generated/1.19/apis/config/v1alpha1/types_oidcproviderconfig.go b/generated/1.19/apis/config/v1alpha1/types_oidcproviderconfig.go
index 38c2f0b2..a2dc9cbc 100644
--- a/generated/1.19/apis/config/v1alpha1/types_oidcproviderconfig.go
+++ b/generated/1.19/apis/config/v1alpha1/types_oidcproviderconfig.go
@@ -31,14 +31,27 @@ type OIDCProviderConfigSpec struct { // +kubebuilder:validation:MinLength=1 Issuer string `json:"issuer"` - // SecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, + // SNICertificateSecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, // which contains the TLS serving certificate for the HTTPS endpoints served by this OIDC Provider. - // SecretName is required if you would like to use the HTTPS endpoints (e.g. when exposing them outside - // the cluster using a LoadBalancer Service), and is not required when you would like to use only the - // HTTP endpoints (e.g. when terminating TLS at an Ingress). The TLS secret must contain keys named - // `tls.crt` and `tls.key` that contain the certificate and private key to use for TLS. + // When provided, the TLS Secret named here must contain keys named `tls.crt` and `tls.key` that + // contain the certificate and private key to use for TLS. + // + // Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers. + // + // SNICertificateSecretName is required if you would like to use different TLS certificates for + // issuers of different hostnames. SNI requests do not include port numbers, so all issuers with the same + // DNS hostname must use the same SNICertificateSecretName value even if they have different port numbers. + // + // SNICertificateSecretName is not required when you would like to use only the + // HTTP endpoints (e.g. when terminating TLS at an Ingress). It is also not required when you + // would like all requests to this OIDC Provider's HTTPS endpoints to use the default TLS certificate, + // which is configured elsewhere. + // + // When your Issuer URL's host is an IP address, then this field is ignored. SNI does not work + // for IP addresses. 
+ // // +optional - SecretName string `json:"secretName,omitempty"` + SNICertificateSecretName string `json:"sniCertificateSecretName,omitempty"` } // OIDCProviderConfigStatus is a struct that describes the actual state of an OIDC Provider.
diff --git a/generated/1.19/client/openapi/zz_generated.openapi.go b/generated/1.19/client/openapi/zz_generated.openapi.go
index 015721f8..66e21e84 100644
--- a/generated/1.19/client/openapi/zz_generated.openapi.go
+++ b/generated/1.19/client/openapi/zz_generated.openapi.go
@@ -398,9 +398,9 @@ func schema_119_apis_config_v1alpha1_OIDCProviderConfigSpec(ref common.Reference
 Format: "",
 },
 },
- "secretName": {
+ "sniCertificateSecretName": {
 SchemaProps: spec.SchemaProps{
- Description: "SecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains the TLS serving certificate for the HTTPS endpoints served by this OIDC Provider. SecretName is required if you would like to use the HTTPS endpoints (e.g. when exposing them outside the cluster using a LoadBalancer Service), and is not required when you would like to use only the HTTP endpoints (e.g. when terminating TLS at an Ingress). The TLS secret must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use for TLS.",
+ Description: "SNICertificateSecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains the TLS serving certificate for the HTTPS endpoints served by this OIDC Provider. When provided, the TLS Secret named here must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use for TLS.\n\nServer Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers.\n\nSNICertificateSecretName is required if you would like to use different TLS certificates for issuers of different hostnames. SNI requests do not include port numbers, so all issuers with the same DNS hostname must use the same SNICertificateSecretName value even if they have different port numbers.\n\nSNICertificateSecretName is not required when you would like to use only the HTTP endpoints (e.g. when terminating TLS at an Ingress). It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to use the default TLS certificate, which is configured elsewhere.\n\nWhen your Issuer URL's host is an IP address, then this field is ignored. 
SNI does not work for IP addresses.",
 Type: []string{"string"},
 Format: "",
 },
diff --git a/generated/1.19/crds/config.pinniped.dev_oidcproviderconfigs.yaml b/generated/1.19/crds/config.pinniped.dev_oidcproviderconfigs.yaml
index 528f6727..e8330ab3 100644
--- a/generated/1.19/crds/config.pinniped.dev_oidcproviderconfigs.yaml
+++ b/generated/1.19/crds/config.pinniped.dev_oidcproviderconfigs.yaml
@@ -49,16 +49,25 @@ spec:
 for more information."
 minLength: 1
 type: string
- secretName:
- description: SecretName is an optional name of a Secret in the same
- namespace, of type `kubernetes.io/tls`, which contains the TLS serving
- certificate for the HTTPS endpoints served by this OIDC Provider.
- SecretName is required if you would like to use the HTTPS endpoints
- (e.g. when exposing them outside the cluster using a LoadBalancer
- Service), and is not required when you would like to use only the
- HTTP endpoints (e.g. when terminating TLS at an Ingress). The TLS
- secret must contain keys named `tls.crt` and `tls.key` that contain
- the certificate and private key to use for TLS.
+ sniCertificateSecretName:
+ description: "SNICertificateSecretName is an optional name of a Secret
+ in the same namespace, of type `kubernetes.io/tls`, which contains
+ the TLS serving certificate for the HTTPS endpoints served by this
+ OIDC Provider. When provided, the TLS Secret named here must contain
+ keys named `tls.crt` and `tls.key` that contain the certificate
+ and private key to use for TLS. \n Server Name Indication (SNI)
+ is an extension to the Transport Layer Security (TLS) supported
+ by all major browsers. \n SNICertificateSecretName is required if
+ you would like to use different TLS certificates for issuers of
+ different hostnames. SNI requests do not include port numbers, so
+ all issuers with the same DNS hostname must use the same SNICertificateSecretName
+ value even if they have different port numbers. \n SNICertificateSecretName
+ is not required when you would like to use only the HTTP endpoints
+ (e.g. when terminating TLS at an Ingress). It is also not required
+ when you would like all requests to this OIDC Provider's HTTPS endpoints
+ to use the default TLS certificate, which is configured elsewhere.
+ \n When your Issuer URL's host is an IP address, then this field
+ is ignored. SNI does not work for IP addresses."
 type: string
 required:
 - issuer
diff --git a/internal/controller/supervisorconfig/oidcproviderconfig_watcher.go b/internal/controller/supervisorconfig/oidcproviderconfig_watcher.go
index cb17bb46..87e9d227 100644
--- a/internal/controller/supervisorconfig/oidcproviderconfig_watcher.go
+++ b/internal/controller/supervisorconfig/oidcproviderconfig_watcher.go
@@ -102,7 +102,7 @@ func (c *oidcProviderConfigWatcherController) Sync(ctx controllerlib.Context) er
 setOfSecretNames = make(map[string]bool)
 uniqueSecretNamesPerIssuerAddress[issuerURLToHostnameKey(issuerURL)] = setOfSecretNames
 }
- setOfSecretNames[opc.Spec.SecretName] = true
+ setOfSecretNames[opc.Spec.SNICertificateSecretName] = true
 }
 
 errs := multierror.New()
diff --git a/internal/controller/supervisorconfig/oidcproviderconfig_watcher_test.go b/internal/controller/supervisorconfig/oidcproviderconfig_watcher_test.go
index 7efeffe4..f486da94 100644
--- a/internal/controller/supervisorconfig/oidcproviderconfig_watcher_test.go
+++ b/internal/controller/supervisorconfig/oidcproviderconfig_watcher_test.go
@@ -819,8 +819,8 @@ func TestSync(t *testing.T) {
 oidcProviderConfigSameIssuerAddress1 = &v1alpha1.OIDCProviderConfig{
 ObjectMeta: metav1.ObjectMeta{Name: "provider1", Namespace: namespace},
 Spec: v1alpha1.OIDCProviderConfigSpec{
- Issuer: "https://iSSueR-duPlicAte-adDress.cOm/path1",
- SecretName: "secret1",
+ Issuer: "https://iSSueR-duPlicAte-adDress.cOm/path1",
+ SNICertificateSecretName: "secret1",
 },
 }
 r.NoError(pinnipedAPIClient.Tracker().Add(oidcProviderConfigSameIssuerAddress1))
@@ -830,8 +830,8 @@ func TestSync(t *testing.T) {
 Spec: v1alpha1.OIDCProviderConfigSpec{
 // Validation treats these as the same DNS hostname even though they have different port numbers,
 // because SNI information on the incoming requests is not going to include port numbers.
- Issuer: "https://issuer-duplicate-address.com:1234/path2",
- SecretName: "secret2",
+ Issuer: "https://issuer-duplicate-address.com:1234/path2",
+ SNICertificateSecretName: "secret2",
 },
 }
 r.NoError(pinnipedAPIClient.Tracker().Add(oidcProviderConfigSameIssuerAddress2))
@@ -840,8 +840,8 @@ func TestSync(t *testing.T) {
 oidcProviderConfigDifferentIssuerAddress = &v1alpha1.OIDCProviderConfig{
 ObjectMeta: metav1.ObjectMeta{Name: "differentIssuerAddressProvider", Namespace: namespace},
 Spec: v1alpha1.OIDCProviderConfigSpec{
- Issuer: "https://issuer-not-duplicate.com",
- SecretName: "secret1",
+ Issuer: "https://issuer-not-duplicate.com",
+ SNICertificateSecretName: "secret1",
 },
 }
 r.NoError(pinnipedAPIClient.Tracker().Add(oidcProviderConfigDifferentIssuerAddress))
@@ -855,8 +855,8 @@ func TestSync(t *testing.T) {
 oidcProviderConfigWithInvalidIssuerURL = &v1alpha1.OIDCProviderConfig{
 ObjectMeta: metav1.ObjectMeta{Name: "invalidIssuerURLProvider", Namespace: namespace},
 Spec: v1alpha1.OIDCProviderConfigSpec{
- Issuer: invalidIssuerURL,
- SecretName: "secret1",
+ Issuer: invalidIssuerURL,
+ SNICertificateSecretName: "secret1",
 },
 }
 r.NoError(pinnipedAPIClient.Tracker().Add(oidcProviderConfigWithInvalidIssuerURL))
diff --git a/internal/controller/supervisorconfig/tls_cert_observer.go b/internal/controller/supervisorconfig/tls_cert_observer.go
index 5d382bbf..6a4ce599 100644
--- a/internal/controller/supervisorconfig/tls_cert_observer.go
+++ b/internal/controller/supervisorconfig/tls_cert_observer.go
@@ -68,7 +68,7 @@ func (c *tlsCertObserverController) Sync(ctx controllerlib.Context) error {
 issuerHostToTLSCertMap := map[string]*tls.Certificate{}
 for _, provider := range allProviders {
- secretName := provider.Spec.SecretName
+ secretName := provider.Spec.SNICertificateSecretName
 issuerURL, err := url.Parse(provider.Spec.Issuer)
 if err != nil {
 klog.InfoS("tlsCertObserverController Sync found an invalid issuer URL", "namespace", ns, "issuer", provider.Spec.Issuer)
diff --git a/internal/controller/supervisorconfig/tls_cert_observer_test.go b/internal/controller/supervisorconfig/tls_cert_observer_test.go
index 6510b732..c82449e7 100644
--- a/internal/controller/supervisorconfig/tls_cert_observer_test.go
+++ b/internal/controller/supervisorconfig/tls_cert_observer_test.go
@@ -203,21 +203,27 @@ func TestTLSCertObserverControllerSync(t *testing.T) {
 Name: "no-secret-oidcproviderconfig1",
 Namespace: installedInNamespace,
 },
- Spec: v1alpha1.OIDCProviderConfigSpec{Issuer: "https://no-secret-issuer1.com"}, // no SecretName field
+ Spec: v1alpha1.OIDCProviderConfigSpec{Issuer: "https://no-secret-issuer1.com"}, // no SNICertificateSecretName field
 }
 oidcProviderConfigWithoutSecret2 := &v1alpha1.OIDCProviderConfig{
 ObjectMeta: metav1.ObjectMeta{
 Name: "no-secret-oidcproviderconfig2",
 Namespace: installedInNamespace,
 },
- Spec: v1alpha1.OIDCProviderConfigSpec{Issuer: "https://no-secret-issuer2.com", SecretName: ""},
+ Spec: v1alpha1.OIDCProviderConfigSpec{
+ Issuer: "https://no-secret-issuer2.com",
+ SNICertificateSecretName: "",
+ },
 }
 oidcProviderConfigWithBadSecret := &v1alpha1.OIDCProviderConfig{
 ObjectMeta: metav1.ObjectMeta{
 Name: "bad-secret-oidcproviderconfig",
 Namespace: installedInNamespace,
 },
- Spec: v1alpha1.OIDCProviderConfigSpec{Issuer: "https://bad-secret-issuer.com", SecretName: "bad-tls-secret-name"},
+ Spec: v1alpha1.OIDCProviderConfigSpec{
+ Issuer: "https://bad-secret-issuer.com",
+ SNICertificateSecretName: "bad-tls-secret-name",
+ },
 }
 // Also add one with a URL that cannot be parsed to make sure that the controller is not confused by invalid URLs.
 invalidIssuerURL := ":/host//path"
@@ -236,7 +242,10 @@ func TestTLSCertObserverControllerSync(t *testing.T) {
 Namespace: installedInNamespace,
 },
 // Issuer hostname should be treated in a case-insensitive way and SNI ignores port numbers. Test without a port number.
- Spec: v1alpha1.OIDCProviderConfigSpec{Issuer: "https://www.iSSuer-wiTh-goOd-secRet1.cOm/path", SecretName: "good-tls-secret-name1"},
+ Spec: v1alpha1.OIDCProviderConfigSpec{
+ Issuer: "https://www.iSSuer-wiTh-goOd-secRet1.cOm/path",
+ SNICertificateSecretName: "good-tls-secret-name1",
+ },
 }
 oidcProviderConfigWithGoodSecret2 := &v1alpha1.OIDCProviderConfig{
 ObjectMeta: metav1.ObjectMeta{
@@ -244,7 +253,10 @@ func TestTLSCertObserverControllerSync(t *testing.T) {
 Namespace: installedInNamespace,
 },
 // Issuer hostname should be treated in a case-insensitive way and SNI ignores port numbers. Test with a port number.
- Spec: v1alpha1.OIDCProviderConfigSpec{Issuer: "https://www.issUEr-WIth-gOOd-seCret2.com:1234/path", SecretName: "good-tls-secret-name2"},
+ Spec: v1alpha1.OIDCProviderConfigSpec{
+ Issuer: "https://www.issUEr-WIth-gOOd-seCret2.com:1234/path",
+ SNICertificateSecretName: "good-tls-secret-name2",
+ },
 }
 testCrt1 := readTestFile("testdata/test.crt")
 r.NotEmpty(testCrt1)