ContainerImage.Pinniped

Author	SHA1	Message	Date
Ryan Richard	0e60c93cef	Add UsernameClaim and GroupsClaim to JWTAuthenticator CRD spec Signed-off-by: Margo Crawford <margaretc@vmware.com>	2020-12-15 10:36:19 -08:00
Andrew Keesler	946b0539d2	Add JWTAuthenticator API type Signed-off-by: Andrew Keesler <akeesler@vmware.com>	2020-12-08 15:41:48 -05:00
Matt Moyer	7520dadbdd	Use `omitempty` on UpstreamOIDCProvider `spec.authorizationConfig` field. This allows you to omit the field in creation requests, which was annoying. Signed-off-by: Matt Moyer <moyerm@vmware.com>	2020-11-18 17:14:35 -06:00
Matt Moyer	e867fb82b9	Add `spec.tls` field to UpstreamOIDCProvider API. This allows for a custom CA bundle to be used when connecting to the upstream issuer. Signed-off-by: Matt Moyer <moyerm@vmware.com>	2020-11-16 20:23:20 -06:00
Matt Moyer	d3d8ef44a0	Make more fields in UpstreamOIDCProvider optional. Signed-off-by: Matt Moyer <moyerm@vmware.com>	2020-11-13 15:28:37 -06:00
Matt Moyer	bac3c19bec	Add UpstreamOIDCProvider API type definition. This is essentially just a copy of Andrew's work from https://github.com/vmware-tanzu/pinniped/pull/135. Signed-off-by: Matt Moyer <moyerm@vmware.com>	2020-11-13 11:38:49 -06:00
Matt Moyer	7f2c43cd62	Put all of our APIs into a "pinniped" category, and never use "all". We want to have our APIs respond to `kubectl get pinniped`, and we shouldn't use `all` because we don't think most average users should have permission to see our API types, which means if we put our types there, they would get an error from `kubectl get all`. I also added some tests to assert these properties on all `*.pinniped.dev` API resources. Signed-off-by: Matt Moyer <moyerm@vmware.com>	2020-11-12 16:26:34 -06:00
Matt Moyer	821190004c	Remove extraneous internal packages for CRD APIs. These only really make sense for aggregated API types where we need `conversion-gen` to do version conversion. Signed-off-by: Matt Moyer <moyerm@vmware.com>	2020-11-12 14:04:53 -06:00
Matt Moyer	2bf5c8b48b	Replace the OIDCProvider field SNICertificateSecretName with a TLS.SecretName field. Signed-off-by: Matt Moyer <moyerm@vmware.com>	2020-11-02 18:15:03 -06:00
Matt Moyer	2b8773aa54	Rename OIDCProviderConfig to OIDCProvider. Signed-off-by: Matt Moyer <moyerm@vmware.com>	2020-11-02 17:40:39 -06:00
Matt Moyer	59263ea733	Rename CredentialIssuerConfig to CredentialIssuer. Signed-off-by: Matt Moyer <moyerm@vmware.com>	2020-11-02 17:39:42 -06:00
Matt Moyer	9e1922f1ed	Split the config CRDs into two API groups. Signed-off-by: Matt Moyer <moyerm@vmware.com>	2020-10-30 19:22:46 -05:00
Matt Moyer	f3a83882a4	Rename the IdentityProvider field to Authenticator in TokenCredentialRequest. Signed-off-by: Matt Moyer <moyerm@vmware.com>	2020-10-30 15:11:53 -05:00
Matt Moyer	0f25657a35	Rename WebhookIdentityProvider to WebhookAuthenticator. Signed-off-by: Matt Moyer <moyerm@vmware.com>	2020-10-30 15:11:53 -05:00
Matt Moyer	e69183aa8a	Rename `idp.concierge.pinniped.dev` to `authentication.concierge.pinniped.dev`. Signed-off-by: Matt Moyer <moyerm@vmware.com>	2020-10-30 14:07:40 -05:00
Matt Moyer	81390bba89	Rename `idp.pinniped.dev` to `idp.concierge.pinniped.dev`. Signed-off-by: Matt Moyer <moyerm@vmware.com>	2020-10-30 14:07:39 -05:00
Matt Moyer	f0320dfbd8	Rename login API to `login.concierge.pinniped.dev`. This is the first of a few related changes that re-organize our API after the big recent changes that introduced the supervisor component. Signed-off-by: Matt Moyer <moyerm@vmware.com>	2020-10-30 09:58:28 -05:00
Ryan Richard	eeb110761e	Rename `secretName` to `SNICertificateSecretName` in OIDCProviderConfig	2020-10-26 17:25:45 -07:00
Ryan Richard	25a91019c2	Add `spec.secretName` to OPC and handle case-insensitive hostnames - When two different Issuers have the same host (i.e. they differ only by path) then they must have the same secretName. This is because it wouldn't make sense for there to be two different TLS certificates for one host. Find any that do not have the same secret name to put an error status on them and to avoid serving OIDC endpoints for them. The host comparison is case-insensitive. - Issuer hostnames should be treated as case-insensitive, because DNS hostnames are case-insensitive. So https://me.com and https://mE.cOm are duplicate issuers. However, paths are case-sensitive, so https://me.com/A and https://me.com/a are different issuers. Fixed this in the issuer validations and in the OIDC Manager's request router logic.	2020-10-23 16:25:44 -07:00
Andrew Keesler	1b99983441	apis: fix indentation in Go type Signed-off-by: Andrew Keesler <akeesler@vmware.com>	2020-10-15 09:19:00 -04:00
Andrew Keesler	6aed025c79	supervisor-generate-key: initial spike Signed-off-by: Andrew Keesler <akeesler@vmware.com>	2020-10-14 09:47:34 -04:00
Andrew Keesler	c555c14ccb	supervisor-oidc: add OIDCProviderConfig.Status.LastUpdateTime Signed-off-by: Andrew Keesler <akeesler@vmware.com>	2020-10-09 11:54:50 -04:00
Andrew Keesler	da00fc708f	supervisor-oidc: checkpoint: add status to provider CRD Signed-off-by: Ryan Richard <richardry@vmware.com>	2020-10-08 13:27:45 -04:00
Andrew Keesler	ead1ade24b	supervisor-oidc: forgot OIDCProviderConfig type registration in `14f1d86` Signed-off-by: Andrew Keesler <akeesler@vmware.com>	2020-10-07 10:50:55 -04:00
Ryan Richard	14f1d86833	supervisor-oidc: add OIDCProviderConfig CRD This will hopefully come in handy later if we ever decide to add support for multiple OIDC providers as a part of one supervisor. Signed-off-by: Andrew Keesler <akeesler@vmware.com>	2020-10-06 15:20:29 -04:00
Matt Moyer	164f64a370	Add IdentityProvider field to TokenCredentialRequestSpec. Signed-off-by: Matt Moyer <moyerm@vmware.com>	2020-09-22 10:03:31 -05:00
Matt Moyer	78ac27c262	Remove deprecated "pinniped.dev" API group. This has been replaced by the "login.pinniped.dev" group with a slightly different API. Signed-off-by: Matt Moyer <moyerm@vmware.com>	2020-09-18 17:32:15 -05:00
Matt Moyer	907ccb68f5	Move CredentialIssuerConfig into new "config.pinniped.dev" API group. Signed-off-by: Matt Moyer <moyerm@vmware.com>	2020-09-18 16:38:45 -05:00
Matt Moyer	2d4d7e588a	Add Go vanity import paths. Signed-off-by: Matt Moyer <moyerm@vmware.com>	2020-09-18 14:56:24 -05:00
Matt Moyer	8c9c1e206d	Update module/package names to match GitHub org switch. Signed-off-by: Matt Moyer <moyerm@vmware.com>	2020-09-17 12:56:54 -05:00
Matt Moyer	58bf93b10c	Add a new login.pinniped.dev API group with TokenCredentialRequest. This is essentially meant to be be "v1alpha2" of the existing CredentialRequest API, but since we want to move API groups we can just start over at v1alpha1. Signed-off-by: Matt Moyer <moyerm@vmware.com>	2020-09-17 09:52:22 -05:00
Andrew Keesler	eab5c2b86b	Save 2 lines by using inline-style comments for Copyright Signed-off-by: Andrew Keesler <akeesler@vmware.com>	2020-09-16 10:35:19 -04:00
Andrew Keesler	e7b389ae6c	Update copyright to reference Pinniped contributors Signed-off-by: Andrew Keesler <akeesler@vmware.com>	2020-09-16 10:05:51 -04:00
Matt Moyer	8df910361c	Clean up CredentialRequest `types.go`. Mostly cleaned up and added doc strings, but also removed unneeded protobuf tags. Signed-off-by: Matt Moyer <moyerm@vmware.com>	2020-09-15 14:30:12 -05:00
Matt Moyer	557fd0df26	Define the WebhookIdentityProvider CRD. Signed-off-by: Matt Moyer <moyerm@vmware.com>	2020-09-15 11:44:23 -05:00
Matt Moyer	2959b54e7b	Generate CRD YAML using controller-tools, update doc strings. Signed-off-by: Matt Moyer <moyerm@vmware.com>	2020-08-31 16:38:48 -05:00
Matt Moyer	f49317d7e4	Add some generated API documentation. (#81 ) Add some generated API documentation using https://github.com/elastic/crd-ref-docs which is now packaged in the codegen image.	2020-08-31 11:27:39 -05:00
Ryan Richard	5ed97f7f9e	Merge branch 'main' into self_test	2020-08-25 19:02:27 -07:00
Matt Moyer	1aef2f07d3	Add new `./apis` directory and codegen scripts. Signed-off-by: Matt Moyer <moyerm@vmware.com>	2020-08-24 14:32:07 -05:00

39 Commits