Rename `secretName` to `SNICertificateSecretName` in OIDCProviderConfig

apis/config/v1alpha1/types_oidcproviderconfig.go.tmpl

@@ -31,14 +31,27 @@ type OIDCProviderConfigSpec struct {
 	// +kubebuilder:validation:MinLength=1
 	Issuer string `json:"issuer"`
 
-	// SecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`,
+	// SNICertificateSecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`,
 	// which contains the TLS serving certificate for the HTTPS endpoints served by this OIDC Provider.
-	// SecretName is required if you would like to use the HTTPS endpoints (e.g. when exposing them outside
+	// When provided, the TLS Secret named here must contain keys named `tls.crt` and `tls.key` that
-	// the cluster using a LoadBalancer Service), and is not required when you would like to use only the
+	// contain the certificate and private key to use for TLS.
-	// HTTP endpoints (e.g. when terminating TLS at an Ingress). The TLS secret must contain keys named
+	//
-	// `tls.crt` and `tls.key` that contain the certificate and private key to use for TLS.
+	// Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers.
+	//
+	// SNICertificateSecretName is required if you would like to use different TLS certificates for
+	// issuers of different hostnames. SNI requests do not include port numbers, so all issuers with the same
+	// DNS hostname must use the same SNICertificateSecretName value even if they have different port numbers.
+	//
+	// SNICertificateSecretName is not required when you would like to use only the
+	// HTTP endpoints (e.g. when terminating TLS at an Ingress). It is also not required when you
+	// would like all requests to this OIDC Provider's HTTPS endpoints to use the default TLS certificate,
+	// which is configured elsewhere.
+	//
+	// When your Issuer URL's host is an IP address, then this field is ignored. SNI does not work
+	// for IP addresses.
+	//
 	// +optional
-	SecretName string `json:"secretName,omitempty"`
+	SNICertificateSecretName string `json:"sniCertificateSecretName,omitempty"`
 }
 
 // OIDCProviderConfigStatus is a struct that describes the actual state of an OIDC Provider.

deploy/supervisor/config.pinniped.dev_oidcproviderconfigs.yaml

@@ -49,16 +49,25 @@ spec:
                   for more information."
                 minLength: 1
                 type: string
-              secretName:
+              sniCertificateSecretName:
-                description: SecretName is an optional name of a Secret in the same
+                description: "SNICertificateSecretName is an optional name of a Secret
-                  namespace, of type `kubernetes.io/tls`, which contains the TLS serving
+                  in the same namespace, of type `kubernetes.io/tls`, which contains
-                  certificate for the HTTPS endpoints served by this OIDC Provider.
+                  the TLS serving certificate for the HTTPS endpoints served by this
-                  SecretName is required if you would like to use the HTTPS endpoints
+                  OIDC Provider. When provided, the TLS Secret named here must contain
-                  (e.g. when exposing them outside the cluster using a LoadBalancer
+                  keys named `tls.crt` and `tls.key` that contain the certificate
-                  Service), and is not required when you would like to use only the
+                  and private key to use for TLS. \n Server Name Indication (SNI)
-                  HTTP endpoints (e.g. when terminating TLS at an Ingress). The TLS
+                  is an extension to the Transport Layer Security (TLS) supported
-                  secret must contain keys named `tls.crt` and `tls.key` that contain
+                  by all major browsers. \n SNICertificateSecretName is required if
-                  the certificate and private key to use for TLS.
+                  you would like to use different TLS certificates for issuers of
+                  different hostnames. SNI requests do not include port numbers, so
+                  all issuers with the same DNS hostname must use the same SNICertificateSecretName
+                  value even if they have different port numbers. \n SNICertificateSecretName
+                  is not required when you would like to use only the HTTP endpoints
+                  (e.g. when terminating TLS at an Ingress). It is also not required
+                  when you would like all requests to this OIDC Provider's HTTPS endpoints
+                  to use the default TLS certificate, which is configured elsewhere.
+                  \n When your Issuer URL's host is an IP address, then this field
+                  is ignored. SNI does not work for IP addresses."
                 type: string
             required:
             - issuer

generated/1.17/README.adoc

@@ -132,7 +132,11 @@ OIDCProviderConfigSpec is a struct that describes an OIDC Provider.
 | Field | Description
 | *`issuer`* __string__ | Issuer is the OIDC Provider's issuer, per the OIDC Discovery Metadata document, as well as the identifier that it will use for the iss claim in issued JWTs. This field will also be used as the base URL for any endpoints used by the OIDC Provider (e.g., if your issuer is https://example.com/foo, then your authorization endpoint will look like https://example.com/foo/some/path/to/auth/endpoint). 
  See https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3 for more information.
-| *`secretName`* __string__ | SecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains the TLS serving certificate for the HTTPS endpoints served by this OIDC Provider. SecretName is required if you would like to use the HTTPS endpoints (e.g. when exposing them outside the cluster using a LoadBalancer Service), and is not required when you would like to use only the HTTP endpoints (e.g. when terminating TLS at an Ingress). The TLS secret must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use for TLS.
+| *`sniCertificateSecretName`* __string__ | SNICertificateSecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains the TLS serving certificate for the HTTPS endpoints served by this OIDC Provider. When provided, the TLS Secret named here must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use for TLS. 
+ Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers. 
+ SNICertificateSecretName is required if you would like to use different TLS certificates for issuers of different hostnames. SNI requests do not include port numbers, so all issuers with the same DNS hostname must use the same SNICertificateSecretName value even if they have different port numbers. 
+ SNICertificateSecretName is not required when you would like to use only the HTTP endpoints (e.g. when terminating TLS at an Ingress). It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to use the default TLS certificate, which is configured elsewhere. 
+ When your Issuer URL's host is an IP address, then this field is ignored. SNI does not work for IP addresses.
 |===
 
 

generated/1.17/apis/config/v1alpha1/types_oidcproviderconfig.go

@@ -31,14 +31,27 @@ type OIDCProviderConfigSpec struct {
 	// +kubebuilder:validation:MinLength=1
 	Issuer string `json:"issuer"`
 
-	// SecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`,
+	// SNICertificateSecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`,
 	// which contains the TLS serving certificate for the HTTPS endpoints served by this OIDC Provider.
-	// SecretName is required if you would like to use the HTTPS endpoints (e.g. when exposing them outside
+	// When provided, the TLS Secret named here must contain keys named `tls.crt` and `tls.key` that
-	// the cluster using a LoadBalancer Service), and is not required when you would like to use only the
+	// contain the certificate and private key to use for TLS.
-	// HTTP endpoints (e.g. when terminating TLS at an Ingress). The TLS secret must contain keys named
+	//
-	// `tls.crt` and `tls.key` that contain the certificate and private key to use for TLS.
+	// Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers.
+	//
+	// SNICertificateSecretName is required if you would like to use different TLS certificates for
+	// issuers of different hostnames. SNI requests do not include port numbers, so all issuers with the same
+	// DNS hostname must use the same SNICertificateSecretName value even if they have different port numbers.
+	//
+	// SNICertificateSecretName is not required when you would like to use only the
+	// HTTP endpoints (e.g. when terminating TLS at an Ingress). It is also not required when you
+	// would like all requests to this OIDC Provider's HTTPS endpoints to use the default TLS certificate,
+	// which is configured elsewhere.
+	//
+	// When your Issuer URL's host is an IP address, then this field is ignored. SNI does not work
+	// for IP addresses.
+	//
 	// +optional
-	SecretName string `json:"secretName,omitempty"`
+	SNICertificateSecretName string `json:"sniCertificateSecretName,omitempty"`
 }
 
 // OIDCProviderConfigStatus is a struct that describes the actual state of an OIDC Provider.

generated/1.17/client/openapi/zz_generated.openapi.go

@@ -397,9 +397,9 @@ func schema_117_apis_config_v1alpha1_OIDCProviderConfigSpec(ref common.Reference
 							Format:      "",
 						},
 					},
-					"secretName": {
+					"sniCertificateSecretName": {
 						SchemaProps: spec.SchemaProps{
-							Description: "SecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains the TLS serving certificate for the HTTPS endpoints served by this OIDC Provider. SecretName is required if you would like to use the HTTPS endpoints (e.g. when exposing them outside the cluster using a LoadBalancer Service), and is not required when you would like to use only the HTTP endpoints (e.g. when terminating TLS at an Ingress). The TLS secret must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use for TLS.",
+							Description: "SNICertificateSecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains the TLS serving certificate for the HTTPS endpoints served by this OIDC Provider. When provided, the TLS Secret named here must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use for TLS.\n\nServer Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers.\n\nSNICertificateSecretName is required if you would like to use different TLS certificates for issuers of different hostnames. SNI requests do not include port numbers, so all issuers with the same DNS hostname must use the same SNICertificateSecretName value even if they have different port numbers.\n\nSNICertificateSecretName is not required when you would like to use only the HTTP endpoints (e.g. when terminating TLS at an Ingress). It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to use the default TLS certificate, which is configured elsewhere.\n\nWhen your Issuer URL's host is an IP address, then this field is ignored. SNI does not work for IP addresses.",
 							Type:        []string{"string"},
 							Format:      "",
 						},

generated/1.17/crds/config.pinniped.dev_oidcproviderconfigs.yaml

@@ -49,16 +49,25 @@ spec:
                   for more information."
                 minLength: 1
                 type: string
-              secretName:
+              sniCertificateSecretName:
-                description: SecretName is an optional name of a Secret in the same
+                description: "SNICertificateSecretName is an optional name of a Secret
-                  namespace, of type `kubernetes.io/tls`, which contains the TLS serving
+                  in the same namespace, of type `kubernetes.io/tls`, which contains
-                  certificate for the HTTPS endpoints served by this OIDC Provider.
+                  the TLS serving certificate for the HTTPS endpoints served by this
-                  SecretName is required if you would like to use the HTTPS endpoints
+                  OIDC Provider. When provided, the TLS Secret named here must contain
-                  (e.g. when exposing them outside the cluster using a LoadBalancer
+                  keys named `tls.crt` and `tls.key` that contain the certificate
-                  Service), and is not required when you would like to use only the
+                  and private key to use for TLS. \n Server Name Indication (SNI)
-                  HTTP endpoints (e.g. when terminating TLS at an Ingress). The TLS
+                  is an extension to the Transport Layer Security (TLS) supported
-                  secret must contain keys named `tls.crt` and `tls.key` that contain
+                  by all major browsers. \n SNICertificateSecretName is required if
-                  the certificate and private key to use for TLS.
+                  you would like to use different TLS certificates for issuers of
+                  different hostnames. SNI requests do not include port numbers, so
+                  all issuers with the same DNS hostname must use the same SNICertificateSecretName
+                  value even if they have different port numbers. \n SNICertificateSecretName
+                  is not required when you would like to use only the HTTP endpoints
+                  (e.g. when terminating TLS at an Ingress). It is also not required
+                  when you would like all requests to this OIDC Provider's HTTPS endpoints
+                  to use the default TLS certificate, which is configured elsewhere.
+                  \n When your Issuer URL's host is an IP address, then this field
+                  is ignored. SNI does not work for IP addresses."
                 type: string
             required:
             - issuer

generated/1.18/README.adoc

@@ -132,7 +132,11 @@ OIDCProviderConfigSpec is a struct that describes an OIDC Provider.
 | Field | Description
 | *`issuer`* __string__ | Issuer is the OIDC Provider's issuer, per the OIDC Discovery Metadata document, as well as the identifier that it will use for the iss claim in issued JWTs. This field will also be used as the base URL for any endpoints used by the OIDC Provider (e.g., if your issuer is https://example.com/foo, then your authorization endpoint will look like https://example.com/foo/some/path/to/auth/endpoint). 
  See https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3 for more information.
-| *`secretName`* __string__ | SecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains the TLS serving certificate for the HTTPS endpoints served by this OIDC Provider. SecretName is required if you would like to use the HTTPS endpoints (e.g. when exposing them outside the cluster using a LoadBalancer Service), and is not required when you would like to use only the HTTP endpoints (e.g. when terminating TLS at an Ingress). The TLS secret must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use for TLS.
+| *`sniCertificateSecretName`* __string__ | SNICertificateSecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains the TLS serving certificate for the HTTPS endpoints served by this OIDC Provider. When provided, the TLS Secret named here must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use for TLS. 
+ Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers. 
+ SNICertificateSecretName is required if you would like to use different TLS certificates for issuers of different hostnames. SNI requests do not include port numbers, so all issuers with the same DNS hostname must use the same SNICertificateSecretName value even if they have different port numbers. 
+ SNICertificateSecretName is not required when you would like to use only the HTTP endpoints (e.g. when terminating TLS at an Ingress). It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to use the default TLS certificate, which is configured elsewhere. 
+ When your Issuer URL's host is an IP address, then this field is ignored. SNI does not work for IP addresses.
 |===
 
 

generated/1.18/apis/config/v1alpha1/types_oidcproviderconfig.go

@@ -31,14 +31,27 @@ type OIDCProviderConfigSpec struct {
 	// +kubebuilder:validation:MinLength=1
 	Issuer string `json:"issuer"`
 
-	// SecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`,
+	// SNICertificateSecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`,
 	// which contains the TLS serving certificate for the HTTPS endpoints served by this OIDC Provider.
-	// SecretName is required if you would like to use the HTTPS endpoints (e.g. when exposing them outside
+	// When provided, the TLS Secret named here must contain keys named `tls.crt` and `tls.key` that
-	// the cluster using a LoadBalancer Service), and is not required when you would like to use only the
+	// contain the certificate and private key to use for TLS.
-	// HTTP endpoints (e.g. when terminating TLS at an Ingress). The TLS secret must contain keys named
+	//
-	// `tls.crt` and `tls.key` that contain the certificate and private key to use for TLS.
+	// Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers.
+	//
+	// SNICertificateSecretName is required if you would like to use different TLS certificates for
+	// issuers of different hostnames. SNI requests do not include port numbers, so all issuers with the same
+	// DNS hostname must use the same SNICertificateSecretName value even if they have different port numbers.
+	//
+	// SNICertificateSecretName is not required when you would like to use only the
+	// HTTP endpoints (e.g. when terminating TLS at an Ingress). It is also not required when you
+	// would like all requests to this OIDC Provider's HTTPS endpoints to use the default TLS certificate,
+	// which is configured elsewhere.
+	//
+	// When your Issuer URL's host is an IP address, then this field is ignored. SNI does not work
+	// for IP addresses.
+	//
 	// +optional
-	SecretName string `json:"secretName,omitempty"`
+	SNICertificateSecretName string `json:"sniCertificateSecretName,omitempty"`
 }
 
 // OIDCProviderConfigStatus is a struct that describes the actual state of an OIDC Provider.

generated/1.18/client/openapi/zz_generated.openapi.go

@@ -397,9 +397,9 @@ func schema_118_apis_config_v1alpha1_OIDCProviderConfigSpec(ref common.Reference
 							Format:      "",
 						},
 					},
-					"secretName": {
+					"sniCertificateSecretName": {
 						SchemaProps: spec.SchemaProps{
-							Description: "SecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains the TLS serving certificate for the HTTPS endpoints served by this OIDC Provider. SecretName is required if you would like to use the HTTPS endpoints (e.g. when exposing them outside the cluster using a LoadBalancer Service), and is not required when you would like to use only the HTTP endpoints (e.g. when terminating TLS at an Ingress). The TLS secret must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use for TLS.",
+							Description: "SNICertificateSecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains the TLS serving certificate for the HTTPS endpoints served by this OIDC Provider. When provided, the TLS Secret named here must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use for TLS.\n\nServer Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers.\n\nSNICertificateSecretName is required if you would like to use different TLS certificates for issuers of different hostnames. SNI requests do not include port numbers, so all issuers with the same DNS hostname must use the same SNICertificateSecretName value even if they have different port numbers.\n\nSNICertificateSecretName is not required when you would like to use only the HTTP endpoints (e.g. when terminating TLS at an Ingress). It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to use the default TLS certificate, which is configured elsewhere.\n\nWhen your Issuer URL's host is an IP address, then this field is ignored. SNI does not work for IP addresses.",
 							Type:        []string{"string"},
 							Format:      "",
 						},

generated/1.18/crds/config.pinniped.dev_oidcproviderconfigs.yaml

@@ -49,16 +49,25 @@ spec:
                   for more information."
                 minLength: 1
                 type: string
-              secretName:
+              sniCertificateSecretName:
-                description: SecretName is an optional name of a Secret in the same
+                description: "SNICertificateSecretName is an optional name of a Secret
-                  namespace, of type `kubernetes.io/tls`, which contains the TLS serving
+                  in the same namespace, of type `kubernetes.io/tls`, which contains
-                  certificate for the HTTPS endpoints served by this OIDC Provider.
+                  the TLS serving certificate for the HTTPS endpoints served by this
-                  SecretName is required if you would like to use the HTTPS endpoints
+                  OIDC Provider. When provided, the TLS Secret named here must contain
-                  (e.g. when exposing them outside the cluster using a LoadBalancer
+                  keys named `tls.crt` and `tls.key` that contain the certificate
-                  Service), and is not required when you would like to use only the
+                  and private key to use for TLS. \n Server Name Indication (SNI)
-                  HTTP endpoints (e.g. when terminating TLS at an Ingress). The TLS
+                  is an extension to the Transport Layer Security (TLS) supported
-                  secret must contain keys named `tls.crt` and `tls.key` that contain
+                  by all major browsers. \n SNICertificateSecretName is required if
-                  the certificate and private key to use for TLS.
+                  you would like to use different TLS certificates for issuers of
+                  different hostnames. SNI requests do not include port numbers, so
+                  all issuers with the same DNS hostname must use the same SNICertificateSecretName
+                  value even if they have different port numbers. \n SNICertificateSecretName
+                  is not required when you would like to use only the HTTP endpoints
+                  (e.g. when terminating TLS at an Ingress). It is also not required
+                  when you would like all requests to this OIDC Provider's HTTPS endpoints
+                  to use the default TLS certificate, which is configured elsewhere.
+                  \n When your Issuer URL's host is an IP address, then this field
+                  is ignored. SNI does not work for IP addresses."
                 type: string
             required:
             - issuer

generated/1.19/README.adoc

@@ -132,7 +132,11 @@ OIDCProviderConfigSpec is a struct that describes an OIDC Provider.
 | Field | Description
 | *`issuer`* __string__ | Issuer is the OIDC Provider's issuer, per the OIDC Discovery Metadata document, as well as the identifier that it will use for the iss claim in issued JWTs. This field will also be used as the base URL for any endpoints used by the OIDC Provider (e.g., if your issuer is https://example.com/foo, then your authorization endpoint will look like https://example.com/foo/some/path/to/auth/endpoint). 
  See https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3 for more information.
-| *`secretName`* __string__ | SecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains the TLS serving certificate for the HTTPS endpoints served by this OIDC Provider. SecretName is required if you would like to use the HTTPS endpoints (e.g. when exposing them outside the cluster using a LoadBalancer Service), and is not required when you would like to use only the HTTP endpoints (e.g. when terminating TLS at an Ingress). The TLS secret must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use for TLS.
+| *`sniCertificateSecretName`* __string__ | SNICertificateSecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains the TLS serving certificate for the HTTPS endpoints served by this OIDC Provider. When provided, the TLS Secret named here must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use for TLS. 
+ Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers. 
+ SNICertificateSecretName is required if you would like to use different TLS certificates for issuers of different hostnames. SNI requests do not include port numbers, so all issuers with the same DNS hostname must use the same SNICertificateSecretName value even if they have different port numbers. 
+ SNICertificateSecretName is not required when you would like to use only the HTTP endpoints (e.g. when terminating TLS at an Ingress). It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to use the default TLS certificate, which is configured elsewhere. 
+ When your Issuer URL's host is an IP address, then this field is ignored. SNI does not work for IP addresses.
 |===
 
 

generated/1.19/apis/config/v1alpha1/types_oidcproviderconfig.go

@@ -31,14 +31,27 @@ type OIDCProviderConfigSpec struct {
 	// +kubebuilder:validation:MinLength=1
 	Issuer string `json:"issuer"`
 
-	// SecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`,
+	// SNICertificateSecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`,
 	// which contains the TLS serving certificate for the HTTPS endpoints served by this OIDC Provider.
-	// SecretName is required if you would like to use the HTTPS endpoints (e.g. when exposing them outside
+	// When provided, the TLS Secret named here must contain keys named `tls.crt` and `tls.key` that
-	// the cluster using a LoadBalancer Service), and is not required when you would like to use only the
+	// contain the certificate and private key to use for TLS.
-	// HTTP endpoints (e.g. when terminating TLS at an Ingress). The TLS secret must contain keys named
+	//
-	// `tls.crt` and `tls.key` that contain the certificate and private key to use for TLS.
+	// Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers.
+	//
+	// SNICertificateSecretName is required if you would like to use different TLS certificates for
+	// issuers of different hostnames. SNI requests do not include port numbers, so all issuers with the same
+	// DNS hostname must use the same SNICertificateSecretName value even if they have different port numbers.
+	//
+	// SNICertificateSecretName is not required when you would like to use only the
+	// HTTP endpoints (e.g. when terminating TLS at an Ingress). It is also not required when you
+	// would like all requests to this OIDC Provider's HTTPS endpoints to use the default TLS certificate,
+	// which is configured elsewhere.
+	//
+	// When your Issuer URL's host is an IP address, then this field is ignored. SNI does not work
+	// for IP addresses.
+	//
 	// +optional
-	SecretName string `json:"secretName,omitempty"`
+	SNICertificateSecretName string `json:"sniCertificateSecretName,omitempty"`
 }
 
 // OIDCProviderConfigStatus is a struct that describes the actual state of an OIDC Provider.

generated/1.19/client/openapi/zz_generated.openapi.go

@@ -398,9 +398,9 @@ func schema_119_apis_config_v1alpha1_OIDCProviderConfigSpec(ref common.Reference
 							Format:      "",
 						},
 					},
-					"secretName": {
+					"sniCertificateSecretName": {
 						SchemaProps: spec.SchemaProps{
-							Description: "SecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains the TLS serving certificate for the HTTPS endpoints served by this OIDC Provider. SecretName is required if you would like to use the HTTPS endpoints (e.g. when exposing them outside the cluster using a LoadBalancer Service), and is not required when you would like to use only the HTTP endpoints (e.g. when terminating TLS at an Ingress). The TLS secret must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use for TLS.",
+							Description: "SNICertificateSecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains the TLS serving certificate for the HTTPS endpoints served by this OIDC Provider. When provided, the TLS Secret named here must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use for TLS.\n\nServer Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers.\n\nSNICertificateSecretName is required if you would like to use different TLS certificates for issuers of different hostnames. SNI requests do not include port numbers, so all issuers with the same DNS hostname must use the same SNICertificateSecretName value even if they have different port numbers.\n\nSNICertificateSecretName is not required when you would like to use only the HTTP endpoints (e.g. when terminating TLS at an Ingress). It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to use the default TLS certificate, which is configured elsewhere.\n\nWhen your Issuer URL's host is an IP address, then this field is ignored. SNI does not work for IP addresses.",
 							Type:        []string{"string"},
 							Format:      "",
 						},

generated/1.19/crds/config.pinniped.dev_oidcproviderconfigs.yaml

@@ -49,16 +49,25 @@ spec:
                   for more information."
                 minLength: 1
                 type: string
-              secretName:
+              sniCertificateSecretName:
-                description: SecretName is an optional name of a Secret in the same
+                description: "SNICertificateSecretName is an optional name of a Secret
-                  namespace, of type `kubernetes.io/tls`, which contains the TLS serving
+                  in the same namespace, of type `kubernetes.io/tls`, which contains
-                  certificate for the HTTPS endpoints served by this OIDC Provider.
+                  the TLS serving certificate for the HTTPS endpoints served by this
-                  SecretName is required if you would like to use the HTTPS endpoints
+                  OIDC Provider. When provided, the TLS Secret named here must contain
-                  (e.g. when exposing them outside the cluster using a LoadBalancer
+                  keys named `tls.crt` and `tls.key` that contain the certificate
-                  Service), and is not required when you would like to use only the
+                  and private key to use for TLS. \n Server Name Indication (SNI)
-                  HTTP endpoints (e.g. when terminating TLS at an Ingress). The TLS
+                  is an extension to the Transport Layer Security (TLS) supported
-                  secret must contain keys named `tls.crt` and `tls.key` that contain
+                  by all major browsers. \n SNICertificateSecretName is required if
-                  the certificate and private key to use for TLS.
+                  you would like to use different TLS certificates for issuers of
+                  different hostnames. SNI requests do not include port numbers, so
+                  all issuers with the same DNS hostname must use the same SNICertificateSecretName
+                  value even if they have different port numbers. \n SNICertificateSecretName
+                  is not required when you would like to use only the HTTP endpoints
+                  (e.g. when terminating TLS at an Ingress). It is also not required
+                  when you would like all requests to this OIDC Provider's HTTPS endpoints
+                  to use the default TLS certificate, which is configured elsewhere.
+                  \n When your Issuer URL's host is an IP address, then this field
+                  is ignored. SNI does not work for IP addresses."
                 type: string
             required:
             - issuer

internal/controller/supervisorconfig/oidcproviderconfig_watcher.go

@@ -102,7 +102,7 @@ func (c *oidcProviderConfigWatcherController) Sync(ctx controllerlib.Context) er
 			setOfSecretNames = make(map[string]bool)
 			uniqueSecretNamesPerIssuerAddress[issuerURLToHostnameKey(issuerURL)] = setOfSecretNames
 		}
-		setOfSecretNames[opc.Spec.SecretName] = true
+		setOfSecretNames[opc.Spec.SNICertificateSecretName] = true
 	}
 
 	errs := multierror.New()

internal/controller/supervisorconfig/oidcproviderconfig_watcher_test.go

@@ -819,8 +819,8 @@ func TestSync(t *testing.T) {
 				oidcProviderConfigSameIssuerAddress1 = &v1alpha1.OIDCProviderConfig{
 					ObjectMeta: metav1.ObjectMeta{Name: "provider1", Namespace: namespace},
 					Spec: v1alpha1.OIDCProviderConfigSpec{
-						Issuer:     "https://iSSueR-duPlicAte-adDress.cOm/path1",
+						Issuer:                   "https://iSSueR-duPlicAte-adDress.cOm/path1",
-						SecretName: "secret1",
+						SNICertificateSecretName: "secret1",
 					},
 				}
 				r.NoError(pinnipedAPIClient.Tracker().Add(oidcProviderConfigSameIssuerAddress1))
@@ -830,8 +830,8 @@ func TestSync(t *testing.T) {
 					Spec: v1alpha1.OIDCProviderConfigSpec{
 						// Validation treats these as the same DNS hostname even though they have different port numbers,
 						// because SNI information on the incoming requests is not going to include port numbers.
-						Issuer:     "https://issuer-duplicate-address.com:1234/path2",
+						Issuer:                   "https://issuer-duplicate-address.com:1234/path2",
-						SecretName: "secret2",
+						SNICertificateSecretName: "secret2",
 					},
 				}
 				r.NoError(pinnipedAPIClient.Tracker().Add(oidcProviderConfigSameIssuerAddress2))
@@ -840,8 +840,8 @@ func TestSync(t *testing.T) {
 				oidcProviderConfigDifferentIssuerAddress = &v1alpha1.OIDCProviderConfig{
 					ObjectMeta: metav1.ObjectMeta{Name: "differentIssuerAddressProvider", Namespace: namespace},
 					Spec: v1alpha1.OIDCProviderConfigSpec{
-						Issuer:     "https://issuer-not-duplicate.com",
+						Issuer:                   "https://issuer-not-duplicate.com",
-						SecretName: "secret1",
+						SNICertificateSecretName: "secret1",
 					},
 				}
 				r.NoError(pinnipedAPIClient.Tracker().Add(oidcProviderConfigDifferentIssuerAddress))
@@ -855,8 +855,8 @@ func TestSync(t *testing.T) {
 				oidcProviderConfigWithInvalidIssuerURL = &v1alpha1.OIDCProviderConfig{
 					ObjectMeta: metav1.ObjectMeta{Name: "invalidIssuerURLProvider", Namespace: namespace},
 					Spec: v1alpha1.OIDCProviderConfigSpec{
-						Issuer:     invalidIssuerURL,
+						Issuer:                   invalidIssuerURL,
-						SecretName: "secret1",
+						SNICertificateSecretName: "secret1",
 					},
 				}
 				r.NoError(pinnipedAPIClient.Tracker().Add(oidcProviderConfigWithInvalidIssuerURL))

internal/controller/supervisorconfig/tls_cert_observer.go

@@ -68,7 +68,7 @@ func (c *tlsCertObserverController) Sync(ctx controllerlib.Context) error {
 	issuerHostToTLSCertMap := map[string]*tls.Certificate{}
 
 	for _, provider := range allProviders {
-		secretName := provider.Spec.SecretName
+		secretName := provider.Spec.SNICertificateSecretName
 		issuerURL, err := url.Parse(provider.Spec.Issuer)
 		if err != nil {
 			klog.InfoS("tlsCertObserverController Sync found an invalid issuer URL", "namespace", ns, "issuer", provider.Spec.Issuer)

internal/controller/supervisorconfig/tls_cert_observer_test.go

@@ -203,21 +203,27 @@ func TestTLSCertObserverControllerSync(t *testing.T) {
 						Name:      "no-secret-oidcproviderconfig1",
 						Namespace: installedInNamespace,
 					},
-					Spec: v1alpha1.OIDCProviderConfigSpec{Issuer: "https://no-secret-issuer1.com"}, // no SecretName field
+					Spec: v1alpha1.OIDCProviderConfigSpec{Issuer: "https://no-secret-issuer1.com"}, // no SNICertificateSecretName field
 				}
 				oidcProviderConfigWithoutSecret2 := &v1alpha1.OIDCProviderConfig{
 					ObjectMeta: metav1.ObjectMeta{
 						Name:      "no-secret-oidcproviderconfig2",
 						Namespace: installedInNamespace,
 					},
-					Spec: v1alpha1.OIDCProviderConfigSpec{Issuer: "https://no-secret-issuer2.com", SecretName: ""},
+					Spec: v1alpha1.OIDCProviderConfigSpec{
+						Issuer:                   "https://no-secret-issuer2.com",
+						SNICertificateSecretName: "",
+					},
 				}
 				oidcProviderConfigWithBadSecret := &v1alpha1.OIDCProviderConfig{
 					ObjectMeta: metav1.ObjectMeta{
 						Name:      "bad-secret-oidcproviderconfig",
 						Namespace: installedInNamespace,
 					},
-					Spec: v1alpha1.OIDCProviderConfigSpec{Issuer: "https://bad-secret-issuer.com", SecretName: "bad-tls-secret-name"},
+					Spec: v1alpha1.OIDCProviderConfigSpec{
+						Issuer:                   "https://bad-secret-issuer.com",
+						SNICertificateSecretName: "bad-tls-secret-name",
+					},
 				}
 				// Also add one with a URL that cannot be parsed to make sure that the controller is not confused by invalid URLs.
 				invalidIssuerURL := ":/host//path"
@@ -236,7 +242,10 @@ func TestTLSCertObserverControllerSync(t *testing.T) {
 						Namespace: installedInNamespace,
 					},
 					// Issuer hostname should be treated in a case-insensitive way and SNI ignores port numbers. Test without a port number.
-					Spec: v1alpha1.OIDCProviderConfigSpec{Issuer: "https://www.iSSuer-wiTh-goOd-secRet1.cOm/path", SecretName: "good-tls-secret-name1"},
+					Spec: v1alpha1.OIDCProviderConfigSpec{
+						Issuer:                   "https://www.iSSuer-wiTh-goOd-secRet1.cOm/path",
+						SNICertificateSecretName: "good-tls-secret-name1",
+					},
 				}
 				oidcProviderConfigWithGoodSecret2 := &v1alpha1.OIDCProviderConfig{
 					ObjectMeta: metav1.ObjectMeta{
@@ -244,7 +253,10 @@ func TestTLSCertObserverControllerSync(t *testing.T) {
 						Namespace: installedInNamespace,
 					},
 					// Issuer hostname should be treated in a case-insensitive way and SNI ignores port numbers. Test with a port number.
-					Spec: v1alpha1.OIDCProviderConfigSpec{Issuer: "https://www.issUEr-WIth-gOOd-seCret2.com:1234/path", SecretName: "good-tls-secret-name2"},
+					Spec: v1alpha1.OIDCProviderConfigSpec{
+						Issuer:                   "https://www.issUEr-WIth-gOOd-seCret2.com:1234/path",
+						SNICertificateSecretName: "good-tls-secret-name2",
+					},
 				}
 				testCrt1 := readTestFile("testdata/test.crt")
 				r.NotEmpty(testCrt1)