Rename secretName to SNICertificateSecretName in OIDCProviderConfig

Ryan Richard 2020-10-26 17:25:45 -07:00
parent 8b7c30cfbd
commit eeb110761e
18 changed files with 200 additions and 88 deletions


@ -31,14 +31,27 @@ type OIDCProviderConfigSpec struct {
// +kubebuilder:validation:MinLength=1 // +kubebuilder:validation:MinLength=1
Issuer string `json:"issuer"` Issuer string `json:"issuer"`
// SecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, // SNICertificateSecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`,
// which contains the TLS serving certificate for the HTTPS endpoints served by this OIDC Provider. // which contains the TLS serving certificate for the HTTPS endpoints served by this OIDC Provider.
// SecretName is required if you would like to use the HTTPS endpoints (e.g. when exposing them outside // When provided, the TLS Secret named here must contain keys named `tls.crt` and `tls.key` that
// the cluster using a LoadBalancer Service), and is not required when you would like to use only the // contain the certificate and private key to use for TLS.
// HTTP endpoints (e.g. when terminating TLS at an Ingress). The TLS secret must contain keys named //
// `tls.crt` and `tls.key` that contain the certificate and private key to use for TLS. // Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers.
//
// SNICertificateSecretName is required if you would like to use different TLS certificates for
// issuers of different hostnames. SNI requests do not include port numbers, so all issuers with the same
// DNS hostname must use the same SNICertificateSecretName value even if they have different port numbers.
//
// SNICertificateSecretName is not required when you would like to use only the
// HTTP endpoints (e.g. when terminating TLS at an Ingress). It is also not required when you
// would like all requests to this OIDC Provider's HTTPS endpoints to use the default TLS certificate,
// which is configured elsewhere.
//
// When your Issuer URL's host is an IP address, then this field is ignored. SNI does not work
// for IP addresses.
//
// +optional // +optional
SecretName string `json:"secretName,omitempty"` SNICertificateSecretName string `json:"sniCertificateSecretName,omitempty"`
} }
// OIDCProviderConfigStatus is a struct that describes the actual state of an OIDC Provider. // OIDCProviderConfigStatus is a struct that describes the actual state of an OIDC Provider.
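Review bot: The rewritten comment on SNICertificateSecretName says the field is silently ignored when the Issuer host is an IP address and that every issuer sharing a DNS hostname "must" name the same Secret, but it never says how either situation is surfaced — an operator can configure a certificate and have the default one served (or another OIDCProviderConfig's certificate, in the same-hostname conflict case) with no visible signal, which for a TLS serving cert is the kind of quiet fallback that deserves a sentence pointing at the status condition or error that reports it (the controller is not in this diff, so hedge accordingly). The SNI sentence also reads awkwardly and omits what actually gets matched; I would replace it with `// Server Name Indication (SNI) is a TLS extension (RFC 6066) by which a client names the host it is connecting to; all major browsers and TLS client libraries support it, and it cannot carry a literal IP address.` and add `// The certificate in this Secret is served to clients whose SNI hostname matches the host of the Issuer URL, so its SAN list should include that hostname.` if that is indeed the matching rule used by the serving code. The enclosing OIDCProviderConfigSpec struct begins before the hunk.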


@ -49,16 +49,25 @@ spec:
for more information." for more information."
minLength: 1 minLength: 1
type: string type: string
secretName: sniCertificateSecretName:
description: SecretName is an optional name of a Secret in the same description: "SNICertificateSecretName is an optional name of a Secret
namespace, of type `kubernetes.io/tls`, which contains the TLS serving in the same namespace, of type `kubernetes.io/tls`, which contains
certificate for the HTTPS endpoints served by this OIDC Provider. the TLS serving certificate for the HTTPS endpoints served by this
SecretName is required if you would like to use the HTTPS endpoints OIDC Provider. When provided, the TLS Secret named here must contain
(e.g. when exposing them outside the cluster using a LoadBalancer keys named `tls.crt` and `tls.key` that contain the certificate
Service), and is not required when you would like to use only the and private key to use for TLS. \n Server Name Indication (SNI)
HTTP endpoints (e.g. when terminating TLS at an Ingress). The TLS is an extension to the Transport Layer Security (TLS) supported
secret must contain keys named `tls.crt` and `tls.key` that contain by all major browsers. \n SNICertificateSecretName is required if
the certificate and private key to use for TLS. you would like to use different TLS certificates for issuers of
different hostnames. SNI requests do not include port numbers, so
all issuers with the same DNS hostname must use the same SNICertificateSecretName
value even if they have different port numbers. \n SNICertificateSecretName
is not required when you would like to use only the HTTP endpoints
(e.g. when terminating TLS at an Ingress). It is also not required
when you would like all requests to this OIDC Provider's HTTPS endpoints
to use the default TLS certificate, which is configured elsewhere.
\n When your Issuer URL's host is an IP address, then this field
is ignored. SNI does not work for IP addresses."
type: string type: string
required: required:
- issuer - issuer


@ -132,7 +132,11 @@ OIDCProviderConfigSpec is a struct that describes an OIDC Provider.
| Field | Description | Field | Description
| *`issuer`* __string__ | Issuer is the OIDC Provider's issuer, per the OIDC Discovery Metadata document, as well as the identifier that it will use for the iss claim in issued JWTs. This field will also be used as the base URL for any endpoints used by the OIDC Provider (e.g., if your issuer is https://example.com/foo, then your authorization endpoint will look like https://example.com/foo/some/path/to/auth/endpoint). | *`issuer`* __string__ | Issuer is the OIDC Provider's issuer, per the OIDC Discovery Metadata document, as well as the identifier that it will use for the iss claim in issued JWTs. This field will also be used as the base URL for any endpoints used by the OIDC Provider (e.g., if your issuer is https://example.com/foo, then your authorization endpoint will look like https://example.com/foo/some/path/to/auth/endpoint).
See https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3 for more information. See https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3 for more information.
| *`secretName`* __string__ | SecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains the TLS serving certificate for the HTTPS endpoints served by this OIDC Provider. SecretName is required if you would like to use the HTTPS endpoints (e.g. when exposing them outside the cluster using a LoadBalancer Service), and is not required when you would like to use only the HTTP endpoints (e.g. when terminating TLS at an Ingress). The TLS secret must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use for TLS. | *`sniCertificateSecretName`* __string__ | SNICertificateSecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains the TLS serving certificate for the HTTPS endpoints served by this OIDC Provider. When provided, the TLS Secret named here must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use for TLS.
Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers.
SNICertificateSecretName is required if you would like to use different TLS certificates for issuers of different hostnames. SNI requests do not include port numbers, so all issuers with the same DNS hostname must use the same SNICertificateSecretName value even if they have different port numbers.
SNICertificateSecretName is not required when you would like to use only the HTTP endpoints (e.g. when terminating TLS at an Ingress). It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to use the default TLS certificate, which is configured elsewhere.
When your Issuer URL's host is an IP address, then this field is ignored. SNI does not work for IP addresses.
|=== |===


@ -31,14 +31,27 @@ type OIDCProviderConfigSpec struct {
// +kubebuilder:validation:MinLength=1 // +kubebuilder:validation:MinLength=1
Issuer string `json:"issuer"` Issuer string `json:"issuer"`
// SecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, // SNICertificateSecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`,
// which contains the TLS serving certificate for the HTTPS endpoints served by this OIDC Provider. // which contains the TLS serving certificate for the HTTPS endpoints served by this OIDC Provider.
// SecretName is required if you would like to use the HTTPS endpoints (e.g. when exposing them outside // When provided, the TLS Secret named here must contain keys named `tls.crt` and `tls.key` that
// the cluster using a LoadBalancer Service), and is not required when you would like to use only the // contain the certificate and private key to use for TLS.
// HTTP endpoints (e.g. when terminating TLS at an Ingress). The TLS secret must contain keys named //
// `tls.crt` and `tls.key` that contain the certificate and private key to use for TLS. // Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers.
//
// SNICertificateSecretName is required if you would like to use different TLS certificates for
// issuers of different hostnames. SNI requests do not include port numbers, so all issuers with the same
// DNS hostname must use the same SNICertificateSecretName value even if they have different port numbers.
//
// SNICertificateSecretName is not required when you would like to use only the
// HTTP endpoints (e.g. when terminating TLS at an Ingress). It is also not required when you
// would like all requests to this OIDC Provider's HTTPS endpoints to use the default TLS certificate,
// which is configured elsewhere.
//
// When your Issuer URL's host is an IP address, then this field is ignored. SNI does not work
// for IP addresses.
//
// +optional // +optional
SecretName string `json:"secretName,omitempty"` SNICertificateSecretName string `json:"sniCertificateSecretName,omitempty"`
} }
// OIDCProviderConfigStatus is a struct that describes the actual state of an OIDC Provider. // OIDCProviderConfigStatus is a struct that describes the actual state of an OIDC Provider.


@ -397,9 +397,9 @@ func schema_117_apis_config_v1alpha1_OIDCProviderConfigSpec(ref common.Reference
Format: "", Format: "",
}, },
}, },
"secretName": { "sniCertificateSecretName": {
SchemaProps: spec.SchemaProps{ SchemaProps: spec.SchemaProps{
Description: "SecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains the TLS serving certificate for the HTTPS endpoints served by this OIDC Provider. SecretName is required if you would like to use the HTTPS endpoints (e.g. when exposing them outside the cluster using a LoadBalancer Service), and is not required when you would like to use only the HTTP endpoints (e.g. when terminating TLS at an Ingress). The TLS secret must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use for TLS.", Description: "SNICertificateSecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains the TLS serving certificate for the HTTPS endpoints served by this OIDC Provider. When provided, the TLS Secret named here must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use for TLS.\n\nServer Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers.\n\nSNICertificateSecretName is required if you would like to use different TLS certificates for issuers of different hostnames. SNI requests do not include port numbers, so all issuers with the same DNS hostname must use the same SNICertificateSecretName value even if they have different port numbers.\n\nSNICertificateSecretName is not required when you would like to use only the HTTP endpoints (e.g. when terminating TLS at an Ingress). It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to use the default TLS certificate, which is configured elsewhere.\n\nWhen your Issuer URL's host is an IP address, then this field is ignored. SNI does not work for IP addresses.",
Type: []string{"string"}, Type: []string{"string"},
Format: "", Format: "",
}, },


@ -49,16 +49,25 @@ spec:
for more information." for more information."
minLength: 1 minLength: 1
type: string type: string
secretName: sniCertificateSecretName:
description: SecretName is an optional name of a Secret in the same description: "SNICertificateSecretName is an optional name of a Secret
namespace, of type `kubernetes.io/tls`, which contains the TLS serving in the same namespace, of type `kubernetes.io/tls`, which contains
certificate for the HTTPS endpoints served by this OIDC Provider. the TLS serving certificate for the HTTPS endpoints served by this
SecretName is required if you would like to use the HTTPS endpoints OIDC Provider. When provided, the TLS Secret named here must contain
(e.g. when exposing them outside the cluster using a LoadBalancer keys named `tls.crt` and `tls.key` that contain the certificate
Service), and is not required when you would like to use only the and private key to use for TLS. \n Server Name Indication (SNI)
HTTP endpoints (e.g. when terminating TLS at an Ingress). The TLS is an extension to the Transport Layer Security (TLS) supported
secret must contain keys named `tls.crt` and `tls.key` that contain by all major browsers. \n SNICertificateSecretName is required if
the certificate and private key to use for TLS. you would like to use different TLS certificates for issuers of
different hostnames. SNI requests do not include port numbers, so
all issuers with the same DNS hostname must use the same SNICertificateSecretName
value even if they have different port numbers. \n SNICertificateSecretName
is not required when you would like to use only the HTTP endpoints
(e.g. when terminating TLS at an Ingress). It is also not required
when you would like all requests to this OIDC Provider's HTTPS endpoints
to use the default TLS certificate, which is configured elsewhere.
\n When your Issuer URL's host is an IP address, then this field
is ignored. SNI does not work for IP addresses."
type: string type: string
required: required:
- issuer - issuer


@ -132,7 +132,11 @@ OIDCProviderConfigSpec is a struct that describes an OIDC Provider.
| Field | Description | Field | Description
| *`issuer`* __string__ | Issuer is the OIDC Provider's issuer, per the OIDC Discovery Metadata document, as well as the identifier that it will use for the iss claim in issued JWTs. This field will also be used as the base URL for any endpoints used by the OIDC Provider (e.g., if your issuer is https://example.com/foo, then your authorization endpoint will look like https://example.com/foo/some/path/to/auth/endpoint). | *`issuer`* __string__ | Issuer is the OIDC Provider's issuer, per the OIDC Discovery Metadata document, as well as the identifier that it will use for the iss claim in issued JWTs. This field will also be used as the base URL for any endpoints used by the OIDC Provider (e.g., if your issuer is https://example.com/foo, then your authorization endpoint will look like https://example.com/foo/some/path/to/auth/endpoint).
See https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3 for more information. See https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3 for more information.
| *`secretName`* __string__ | SecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains the TLS serving certificate for the HTTPS endpoints served by this OIDC Provider. SecretName is required if you would like to use the HTTPS endpoints (e.g. when exposing them outside the cluster using a LoadBalancer Service), and is not required when you would like to use only the HTTP endpoints (e.g. when terminating TLS at an Ingress). The TLS secret must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use for TLS. | *`sniCertificateSecretName`* __string__ | SNICertificateSecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains the TLS serving certificate for the HTTPS endpoints served by this OIDC Provider. When provided, the TLS Secret named here must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use for TLS.
Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers.
SNICertificateSecretName is required if you would like to use different TLS certificates for issuers of different hostnames. SNI requests do not include port numbers, so all issuers with the same DNS hostname must use the same SNICertificateSecretName value even if they have different port numbers.
SNICertificateSecretName is not required when you would like to use only the HTTP endpoints (e.g. when terminating TLS at an Ingress). It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to use the default TLS certificate, which is configured elsewhere.
When your Issuer URL's host is an IP address, then this field is ignored. SNI does not work for IP addresses.
|=== |===


@ -31,14 +31,27 @@ type OIDCProviderConfigSpec struct {
// +kubebuilder:validation:MinLength=1 // +kubebuilder:validation:MinLength=1
Issuer string `json:"issuer"` Issuer string `json:"issuer"`
// SecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, // SNICertificateSecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`,
// which contains the TLS serving certificate for the HTTPS endpoints served by this OIDC Provider. // which contains the TLS serving certificate for the HTTPS endpoints served by this OIDC Provider.
// SecretName is required if you would like to use the HTTPS endpoints (e.g. when exposing them outside // When provided, the TLS Secret named here must contain keys named `tls.crt` and `tls.key` that
// the cluster using a LoadBalancer Service), and is not required when you would like to use only the // contain the certificate and private key to use for TLS.
// HTTP endpoints (e.g. when terminating TLS at an Ingress). The TLS secret must contain keys named //
// `tls.crt` and `tls.key` that contain the certificate and private key to use for TLS. // Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers.
//
// SNICertificateSecretName is required if you would like to use different TLS certificates for
// issuers of different hostnames. SNI requests do not include port numbers, so all issuers with the same
// DNS hostname must use the same SNICertificateSecretName value even if they have different port numbers.
//
// SNICertificateSecretName is not required when you would like to use only the
// HTTP endpoints (e.g. when terminating TLS at an Ingress). It is also not required when you
// would like all requests to this OIDC Provider's HTTPS endpoints to use the default TLS certificate,
// which is configured elsewhere.
//
// When your Issuer URL's host is an IP address, then this field is ignored. SNI does not work
// for IP addresses.
//
// +optional // +optional
SecretName string `json:"secretName,omitempty"` SNICertificateSecretName string `json:"sniCertificateSecretName,omitempty"`
} }
// OIDCProviderConfigStatus is a struct that describes the actual state of an OIDC Provider. // OIDCProviderConfigStatus is a struct that describes the actual state of an OIDC Provider.


@ -397,9 +397,9 @@ func schema_118_apis_config_v1alpha1_OIDCProviderConfigSpec(ref common.Reference
Format: "", Format: "",
}, },
}, },
"secretName": { "sniCertificateSecretName": {
SchemaProps: spec.SchemaProps{ SchemaProps: spec.SchemaProps{
Description: "SecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains the TLS serving certificate for the HTTPS endpoints served by this OIDC Provider. SecretName is required if you would like to use the HTTPS endpoints (e.g. when exposing them outside the cluster using a LoadBalancer Service), and is not required when you would like to use only the HTTP endpoints (e.g. when terminating TLS at an Ingress). The TLS secret must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use for TLS.", Description: "SNICertificateSecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains the TLS serving certificate for the HTTPS endpoints served by this OIDC Provider. When provided, the TLS Secret named here must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use for TLS.\n\nServer Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers.\n\nSNICertificateSecretName is required if you would like to use different TLS certificates for issuers of different hostnames. SNI requests do not include port numbers, so all issuers with the same DNS hostname must use the same SNICertificateSecretName value even if they have different port numbers.\n\nSNICertificateSecretName is not required when you would like to use only the HTTP endpoints (e.g. when terminating TLS at an Ingress). It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to use the default TLS certificate, which is configured elsewhere.\n\nWhen your Issuer URL's host is an IP address, then this field is ignored. SNI does not work for IP addresses.",
Type: []string{"string"}, Type: []string{"string"},
Format: "", Format: "",
}, },


@ -49,16 +49,25 @@ spec:
for more information." for more information."
minLength: 1 minLength: 1
type: string type: string
secretName: sniCertificateSecretName:
description: SecretName is an optional name of a Secret in the same description: "SNICertificateSecretName is an optional name of a Secret
namespace, of type `kubernetes.io/tls`, which contains the TLS serving in the same namespace, of type `kubernetes.io/tls`, which contains
certificate for the HTTPS endpoints served by this OIDC Provider. the TLS serving certificate for the HTTPS endpoints served by this
SecretName is required if you would like to use the HTTPS endpoints OIDC Provider. When provided, the TLS Secret named here must contain
(e.g. when exposing them outside the cluster using a LoadBalancer keys named `tls.crt` and `tls.key` that contain the certificate
Service), and is not required when you would like to use only the and private key to use for TLS. \n Server Name Indication (SNI)
HTTP endpoints (e.g. when terminating TLS at an Ingress). The TLS is an extension to the Transport Layer Security (TLS) supported
secret must contain keys named `tls.crt` and `tls.key` that contain by all major browsers. \n SNICertificateSecretName is required if
the certificate and private key to use for TLS. you would like to use different TLS certificates for issuers of
different hostnames. SNI requests do not include port numbers, so
all issuers with the same DNS hostname must use the same SNICertificateSecretName
value even if they have different port numbers. \n SNICertificateSecretName
is not required when you would like to use only the HTTP endpoints
(e.g. when terminating TLS at an Ingress). It is also not required
when you would like all requests to this OIDC Provider's HTTPS endpoints
to use the default TLS certificate, which is configured elsewhere.
\n When your Issuer URL's host is an IP address, then this field
is ignored. SNI does not work for IP addresses."
type: string type: string
required: required:
- issuer - issuer


@ -132,7 +132,11 @@ OIDCProviderConfigSpec is a struct that describes an OIDC Provider.
| Field | Description | Field | Description
| *`issuer`* __string__ | Issuer is the OIDC Provider's issuer, per the OIDC Discovery Metadata document, as well as the identifier that it will use for the iss claim in issued JWTs. This field will also be used as the base URL for any endpoints used by the OIDC Provider (e.g., if your issuer is https://example.com/foo, then your authorization endpoint will look like https://example.com/foo/some/path/to/auth/endpoint). | *`issuer`* __string__ | Issuer is the OIDC Provider's issuer, per the OIDC Discovery Metadata document, as well as the identifier that it will use for the iss claim in issued JWTs. This field will also be used as the base URL for any endpoints used by the OIDC Provider (e.g., if your issuer is https://example.com/foo, then your authorization endpoint will look like https://example.com/foo/some/path/to/auth/endpoint).
See https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3 for more information. See https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3 for more information.
| *`secretName`* __string__ | SecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains the TLS serving certificate for the HTTPS endpoints served by this OIDC Provider. SecretName is required if you would like to use the HTTPS endpoints (e.g. when exposing them outside the cluster using a LoadBalancer Service), and is not required when you would like to use only the HTTP endpoints (e.g. when terminating TLS at an Ingress). The TLS secret must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use for TLS. | *`sniCertificateSecretName`* __string__ | SNICertificateSecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains the TLS serving certificate for the HTTPS endpoints served by this OIDC Provider. When provided, the TLS Secret named here must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use for TLS.
Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers.
SNICertificateSecretName is required if you would like to use different TLS certificates for issuers of different hostnames. SNI requests do not include port numbers, so all issuers with the same DNS hostname must use the same SNICertificateSecretName value even if they have different port numbers.
SNICertificateSecretName is not required when you would like to use only the HTTP endpoints (e.g. when terminating TLS at an Ingress). It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to use the default TLS certificate, which is configured elsewhere.
When your Issuer URL's host is an IP address, then this field is ignored. SNI does not work for IP addresses.
|=== |===


@ -31,14 +31,27 @@ type OIDCProviderConfigSpec struct {
// +kubebuilder:validation:MinLength=1 // +kubebuilder:validation:MinLength=1
Issuer string `json:"issuer"` Issuer string `json:"issuer"`
// SecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, // SNICertificateSecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`,
// which contains the TLS serving certificate for the HTTPS endpoints served by this OIDC Provider. // which contains the TLS serving certificate for the HTTPS endpoints served by this OIDC Provider.
// SecretName is required if you would like to use the HTTPS endpoints (e.g. when exposing them outside // When provided, the TLS Secret named here must contain keys named `tls.crt` and `tls.key` that
// the cluster using a LoadBalancer Service), and is not required when you would like to use only the // contain the certificate and private key to use for TLS.
// HTTP endpoints (e.g. when terminating TLS at an Ingress). The TLS secret must contain keys named //
// `tls.crt` and `tls.key` that contain the certificate and private key to use for TLS. // Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers.
//
// SNICertificateSecretName is required if you would like to use different TLS certificates for
// issuers of different hostnames. SNI requests do not include port numbers, so all issuers with the same
// DNS hostname must use the same SNICertificateSecretName value even if they have different port numbers.
//
// SNICertificateSecretName is not required when you would like to use only the
// HTTP endpoints (e.g. when terminating TLS at an Ingress). It is also not required when you
// would like all requests to this OIDC Provider's HTTPS endpoints to use the default TLS certificate,
// which is configured elsewhere.
//
// When your Issuer URL's host is an IP address, then this field is ignored. SNI does not work
// for IP addresses.
//
// +optional // +optional
SecretName string `json:"secretName,omitempty"` SNICertificateSecretName string `json:"sniCertificateSecretName,omitempty"`
} }
// OIDCProviderConfigStatus is a struct that describes the actual state of an OIDC Provider. // OIDCProviderConfigStatus is a struct that describes the actual state of an OIDC Provider.


@ -398,9 +398,9 @@ func schema_119_apis_config_v1alpha1_OIDCProviderConfigSpec(ref common.Reference
Format: "", Format: "",
}, },
}, },
"secretName": { "sniCertificateSecretName": {
SchemaProps: spec.SchemaProps{ SchemaProps: spec.SchemaProps{
Description: "SecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains the TLS serving certificate for the HTTPS endpoints served by this OIDC Provider. SecretName is required if you would like to use the HTTPS endpoints (e.g. when exposing them outside the cluster using a LoadBalancer Service), and is not required when you would like to use only the HTTP endpoints (e.g. when terminating TLS at an Ingress). The TLS secret must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use for TLS.", Description: "SNICertificateSecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains the TLS serving certificate for the HTTPS endpoints served by this OIDC Provider. When provided, the TLS Secret named here must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use for TLS.\n\nServer Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers.\n\nSNICertificateSecretName is required if you would like to use different TLS certificates for issuers of different hostnames. SNI requests do not include port numbers, so all issuers with the same DNS hostname must use the same SNICertificateSecretName value even if they have different port numbers.\n\nSNICertificateSecretName is not required when you would like to use only the HTTP endpoints (e.g. when terminating TLS at an Ingress). It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to use the default TLS certificate, which is configured elsewhere.\n\nWhen your Issuer URL's host is an IP address, then this field is ignored. SNI does not work for IP addresses.",
Type: []string{"string"}, Type: []string{"string"},
Format: "", Format: "",
}, },


@ -49,16 +49,25 @@ spec:
for more information." for more information."
minLength: 1 minLength: 1
type: string type: string
secretName: sniCertificateSecretName:
description: SecretName is an optional name of a Secret in the same description: "SNICertificateSecretName is an optional name of a Secret
namespace, of type `kubernetes.io/tls`, which contains the TLS serving in the same namespace, of type `kubernetes.io/tls`, which contains
certificate for the HTTPS endpoints served by this OIDC Provider. the TLS serving certificate for the HTTPS endpoints served by this
SecretName is required if you would like to use the HTTPS endpoints OIDC Provider. When provided, the TLS Secret named here must contain
(e.g. when exposing them outside the cluster using a LoadBalancer keys named `tls.crt` and `tls.key` that contain the certificate
Service), and is not required when you would like to use only the and private key to use for TLS. \n Server Name Indication (SNI)
HTTP endpoints (e.g. when terminating TLS at an Ingress). The TLS is an extension to the Transport Layer Security (TLS) supported
secret must contain keys named `tls.crt` and `tls.key` that contain by all major browsers. \n SNICertificateSecretName is required if
the certificate and private key to use for TLS. you would like to use different TLS certificates for issuers of
different hostnames. SNI requests do not include port numbers, so
all issuers with the same DNS hostname must use the same SNICertificateSecretName
value even if they have different port numbers. \n SNICertificateSecretName
is not required when you would like to use only the HTTP endpoints
(e.g. when terminating TLS at an Ingress). It is also not required
when you would like all requests to this OIDC Provider's HTTPS endpoints
to use the default TLS certificate, which is configured elsewhere.
\n When your Issuer URL's host is an IP address, then this field
is ignored. SNI does not work for IP addresses."
type: string type: string
required: required:
- issuer - issuer


@ -102,7 +102,7 @@ func (c *oidcProviderConfigWatcherController) Sync(ctx controllerlib.Context) er
setOfSecretNames = make(map[string]bool) setOfSecretNames = make(map[string]bool)
uniqueSecretNamesPerIssuerAddress[issuerURLToHostnameKey(issuerURL)] = setOfSecretNames uniqueSecretNamesPerIssuerAddress[issuerURLToHostnameKey(issuerURL)] = setOfSecretNames
} }
setOfSecretNames[opc.Spec.SecretName] = true setOfSecretNames[opc.Spec.SNICertificateSecretName] = true
} }
errs := multierror.New() errs := multierror.New()


@ -820,7 +820,7 @@ func TestSync(t *testing.T) {
ObjectMeta: metav1.ObjectMeta{Name: "provider1", Namespace: namespace}, ObjectMeta: metav1.ObjectMeta{Name: "provider1", Namespace: namespace},
Spec: v1alpha1.OIDCProviderConfigSpec{ Spec: v1alpha1.OIDCProviderConfigSpec{
Issuer: "https://iSSueR-duPlicAte-adDress.cOm/path1", Issuer: "https://iSSueR-duPlicAte-adDress.cOm/path1",
SecretName: "secret1", SNICertificateSecretName: "secret1",
}, },
} }
r.NoError(pinnipedAPIClient.Tracker().Add(oidcProviderConfigSameIssuerAddress1)) r.NoError(pinnipedAPIClient.Tracker().Add(oidcProviderConfigSameIssuerAddress1))
@ -831,7 +831,7 @@ func TestSync(t *testing.T) {
// Validation treats these as the same DNS hostname even though they have different port numbers, // Validation treats these as the same DNS hostname even though they have different port numbers,
// because SNI information on the incoming requests is not going to include port numbers. // because SNI information on the incoming requests is not going to include port numbers.
Issuer: "https://issuer-duplicate-address.com:1234/path2", Issuer: "https://issuer-duplicate-address.com:1234/path2",
SecretName: "secret2", SNICertificateSecretName: "secret2",
}, },
} }
r.NoError(pinnipedAPIClient.Tracker().Add(oidcProviderConfigSameIssuerAddress2)) r.NoError(pinnipedAPIClient.Tracker().Add(oidcProviderConfigSameIssuerAddress2))
@ -841,7 +841,7 @@ func TestSync(t *testing.T) {
ObjectMeta: metav1.ObjectMeta{Name: "differentIssuerAddressProvider", Namespace: namespace}, ObjectMeta: metav1.ObjectMeta{Name: "differentIssuerAddressProvider", Namespace: namespace},
Spec: v1alpha1.OIDCProviderConfigSpec{ Spec: v1alpha1.OIDCProviderConfigSpec{
Issuer: "https://issuer-not-duplicate.com", Issuer: "https://issuer-not-duplicate.com",
SecretName: "secret1", SNICertificateSecretName: "secret1",
}, },
} }
r.NoError(pinnipedAPIClient.Tracker().Add(oidcProviderConfigDifferentIssuerAddress)) r.NoError(pinnipedAPIClient.Tracker().Add(oidcProviderConfigDifferentIssuerAddress))
@ -856,7 +856,7 @@ func TestSync(t *testing.T) {
ObjectMeta: metav1.ObjectMeta{Name: "invalidIssuerURLProvider", Namespace: namespace}, ObjectMeta: metav1.ObjectMeta{Name: "invalidIssuerURLProvider", Namespace: namespace},
Spec: v1alpha1.OIDCProviderConfigSpec{ Spec: v1alpha1.OIDCProviderConfigSpec{
Issuer: invalidIssuerURL, Issuer: invalidIssuerURL,
SecretName: "secret1", SNICertificateSecretName: "secret1",
}, },
} }
r.NoError(pinnipedAPIClient.Tracker().Add(oidcProviderConfigWithInvalidIssuerURL)) r.NoError(pinnipedAPIClient.Tracker().Add(oidcProviderConfigWithInvalidIssuerURL))


@ -68,7 +68,7 @@ func (c *tlsCertObserverController) Sync(ctx controllerlib.Context) error {
issuerHostToTLSCertMap := map[string]*tls.Certificate{} issuerHostToTLSCertMap := map[string]*tls.Certificate{}
for _, provider := range allProviders { for _, provider := range allProviders {
secretName := provider.Spec.SecretName secretName := provider.Spec.SNICertificateSecretName
issuerURL, err := url.Parse(provider.Spec.Issuer) issuerURL, err := url.Parse(provider.Spec.Issuer)
if err != nil { if err != nil {
klog.InfoS("tlsCertObserverController Sync found an invalid issuer URL", "namespace", ns, "issuer", provider.Spec.Issuer) klog.InfoS("tlsCertObserverController Sync found an invalid issuer URL", "namespace", ns, "issuer", provider.Spec.Issuer)


@ -203,21 +203,27 @@ func TestTLSCertObserverControllerSync(t *testing.T) {
Name: "no-secret-oidcproviderconfig1", Name: "no-secret-oidcproviderconfig1",
Namespace: installedInNamespace, Namespace: installedInNamespace,
}, },
Spec: v1alpha1.OIDCProviderConfigSpec{Issuer: "https://no-secret-issuer1.com"}, // no SecretName field Spec: v1alpha1.OIDCProviderConfigSpec{Issuer: "https://no-secret-issuer1.com"}, // no SNICertificateSecretName field
} }
oidcProviderConfigWithoutSecret2 := &v1alpha1.OIDCProviderConfig{ oidcProviderConfigWithoutSecret2 := &v1alpha1.OIDCProviderConfig{
ObjectMeta: metav1.ObjectMeta{ ObjectMeta: metav1.ObjectMeta{
Name: "no-secret-oidcproviderconfig2", Name: "no-secret-oidcproviderconfig2",
Namespace: installedInNamespace, Namespace: installedInNamespace,
}, },
Spec: v1alpha1.OIDCProviderConfigSpec{Issuer: "https://no-secret-issuer2.com", SecretName: ""}, Spec: v1alpha1.OIDCProviderConfigSpec{
Issuer: "https://no-secret-issuer2.com",
SNICertificateSecretName: "",
},
} }
oidcProviderConfigWithBadSecret := &v1alpha1.OIDCProviderConfig{ oidcProviderConfigWithBadSecret := &v1alpha1.OIDCProviderConfig{
ObjectMeta: metav1.ObjectMeta{ ObjectMeta: metav1.ObjectMeta{
Name: "bad-secret-oidcproviderconfig", Name: "bad-secret-oidcproviderconfig",
Namespace: installedInNamespace, Namespace: installedInNamespace,
}, },
Spec: v1alpha1.OIDCProviderConfigSpec{Issuer: "https://bad-secret-issuer.com", SecretName: "bad-tls-secret-name"}, Spec: v1alpha1.OIDCProviderConfigSpec{
Issuer: "https://bad-secret-issuer.com",
SNICertificateSecretName: "bad-tls-secret-name",
},
} }
// Also add one with a URL that cannot be parsed to make sure that the controller is not confused by invalid URLs. // Also add one with a URL that cannot be parsed to make sure that the controller is not confused by invalid URLs.
invalidIssuerURL := ":/host//path" invalidIssuerURL := ":/host//path"
@ -236,7 +242,10 @@ func TestTLSCertObserverControllerSync(t *testing.T) {
Namespace: installedInNamespace, Namespace: installedInNamespace,
}, },
// Issuer hostname should be treated in a case-insensitive way and SNI ignores port numbers. Test without a port number. // Issuer hostname should be treated in a case-insensitive way and SNI ignores port numbers. Test without a port number.
Spec: v1alpha1.OIDCProviderConfigSpec{Issuer: "https://www.iSSuer-wiTh-goOd-secRet1.cOm/path", SecretName: "good-tls-secret-name1"}, Spec: v1alpha1.OIDCProviderConfigSpec{
Issuer: "https://www.iSSuer-wiTh-goOd-secRet1.cOm/path",
SNICertificateSecretName: "good-tls-secret-name1",
},
} }
oidcProviderConfigWithGoodSecret2 := &v1alpha1.OIDCProviderConfig{ oidcProviderConfigWithGoodSecret2 := &v1alpha1.OIDCProviderConfig{
ObjectMeta: metav1.ObjectMeta{ ObjectMeta: metav1.ObjectMeta{
@ -244,7 +253,10 @@ func TestTLSCertObserverControllerSync(t *testing.T) {
Namespace: installedInNamespace, Namespace: installedInNamespace,
}, },
// Issuer hostname should be treated in a case-insensitive way and SNI ignores port numbers. Test with a port number. // Issuer hostname should be treated in a case-insensitive way and SNI ignores port numbers. Test with a port number.
Spec: v1alpha1.OIDCProviderConfigSpec{Issuer: "https://www.issUEr-WIth-gOOd-seCret2.com:1234/path", SecretName: "good-tls-secret-name2"}, Spec: v1alpha1.OIDCProviderConfigSpec{
Issuer: "https://www.issUEr-WIth-gOOd-seCret2.com:1234/path",
SNICertificateSecretName: "good-tls-secret-name2",
},
} }
testCrt1 := readTestFile("testdata/test.crt") testCrt1 := readTestFile("testdata/test.crt")
r.NotEmpty(testCrt1) r.NotEmpty(testCrt1)