diff --git a/apis/supervisor/idp/v1alpha1/register.go.tmpl b/apis/supervisor/idp/v1alpha1/register.go.tmpl index 8829a86385..705be8076c 100644 --- a/apis/supervisor/idp/v1alpha1/register.go.tmpl +++ b/apis/supervisor/idp/v1alpha1/register.go.tmpl @@ -1,4 +1,4 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 package v1alpha1 @@ -36,6 +36,8 @@ func addKnownTypes(scheme *runtime.Scheme) error { &LDAPIdentityProviderList{}, &ActiveDirectoryIdentityProvider{}, &ActiveDirectoryIdentityProviderList{}, + &GitHubIdentityProvider{}, + &GitHubIdentityProviderList{}, ) metav1.AddToGroupVersion(scheme, SchemeGroupVersion) return nil diff --git a/apis/supervisor/idp/v1alpha1/types_githubidentityprovider.go.tmpl b/apis/supervisor/idp/v1alpha1/types_githubidentityprovider.go.tmpl new file mode 100644 index 0000000000..92bd19724b --- /dev/null +++ b/apis/supervisor/idp/v1alpha1/types_githubidentityprovider.go.tmpl @@ -0,0 +1,231 @@ +// Copyright 2024 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +package v1alpha1 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" +) + +type GitHubIdentityProviderPhase string + +const ( + // GitHubPhasePending is the default phase for newly-created GitHubIdentityProvider resources. + GitHubPhasePending GitHubIdentityProviderPhase = "Pending" + + // GitHubPhaseReady is the phase for an GitHubIdentityProvider resource in a healthy state. + GitHubPhaseReady GitHubIdentityProviderPhase = "Ready" + + // GitHubPhaseError is the phase for an GitHubIdentityProvider in an unhealthy state. + GitHubPhaseError GitHubIdentityProviderPhase = "Error" +) + +type GitHubOrganizationLoginPolicy string + +const ( + // GitHubOrganizationLoginPolicyAllOrgsAllowed means any GitHub user is allowed to log in using this identity + // provider, regardless of their organization membership or lack thereof. + GitHubOrganizationLoginPolicyAllOrgsAllowed GitHubOrganizationLoginPolicy = "AllOrganizationsAllowed" + + // GitHubOrganizationLoginPolicyAllowedOrgsOnly means only those users with membership in the listed GitHub + // organizations are allowed to log in. + GitHubOrganizationLoginPolicyAllowedOrgsOnly GitHubOrganizationLoginPolicy = "AllowedOrganizationsOnly" +) + +// GitHubIdentityProviderStatus is the status of an GitHub identity provider. +type GitHubIdentityProviderStatus struct { + // Phase summarizes the overall status of the GitHubIdentityProvider. + // + // +kubebuilder:default=Pending + // +kubebuilder:validation:Enum=Pending;Ready;Error + Phase GitHubIdentityProviderPhase `json:"phase,omitempty"` + + // Conditions represents the observations of an identity provider's current state. + // + // +patchMergeKey=type + // +patchStrategy=merge + // +listType=map + // +listMapKey=type + Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"` +} + +// GitHubAPIConfig allows configuration for GitHub Enterprise Server +type GitHubAPIConfig struct { + // Host is required only for GitHub Enterprise Server. + // Defaults to using GitHub's public API (github.com). + // + // +kubebuilder:default="github.com" + // +optional + Host string `json:"host"` + + // TLS configuration for GitHub Enterprise Server. + // + // +optional + TLS *TLSSpec `json:"tls,omitempty"` +} + +// GitHubUsernameAttribute allows the user to specify which attribute(s) from GitHub to use for the downstream username. +// See the response schema for +// [Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user). +type GitHubUsernameAttribute string + +const ( + // GitHubUsernameID specifies using the `id` attribute from the GitHub user as the downstream username. + GitHubUsernameID GitHubUsernameAttribute = "id" + + // GitHubUsernameLogin specifies using the `login` attribute from the GitHub user as the downstream username. + GitHubUsernameLogin GitHubUsernameAttribute = "login" + + // GitHubUsernameLoginAndID specifies combining the `login` and `id` attributes from the GitHub user as the + // downstream username, separated by a colon. Example: "my-login:1234" + GitHubUsernameLoginAndID GitHubUsernameAttribute = "login:id" +) + +// GitHubGroupNameAttribute allows the user to specify which attribute from GitHub to use for the downstream group +// names. See the response schema for +// [List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user). +type GitHubGroupNameAttribute string + +const ( + // GitHubUseTeamNameForGrouypName specifies using the GitHub team's `name` attribute as the downstream group name. + GitHubUseTeamNameForGrouypName GitHubGroupNameAttribute = "name" + + // GitHubUseTeamSlugForGroupName specifies using the GitHub team's `slug` attribute as the downstream group name. + GitHubUseTeamSlugForGroupName GitHubGroupNameAttribute = "slug" +) + +// GitHubClaims allows customization of the username and groups claims +type GitHubClaims struct { + // Username configures which property of the GitHub user record shall determine the username in Kubernetes. + // + // Can be either "id", "login", or "login:id". Defaults to "login:id". + // + // GitHub's user login attributes can only contain alphanumeric characters and non-repeating hyphens, + // and may not start or end with hyphens. GitHub users are allowed to change their login name, + // although it is inconvenient. If a GitHub user changed their login name from "foo" to "bar", + // then a second user might change their name from "baz" to "foo" in order to take the old + // username of the first user. For this reason, it is not as safe to make authorization decisions + // based only on the user's login attribute. + // + // If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's + // FederationDomain to further customize how these usernames are presented to Kubernetes. + // + // Defaults to "login:id", which is the user login attribute, followed by a colon, followed by the unique and + // unchanging integer ID number attribute. This blends human-readable login names with the unchanging ID value + // from GitHub. Note that colons are not allowed in GitHub login attributes or ID numbers, so the colon in the + // "login:id" name will always be the login:id separator colon. + // + // See the response schema for + // [Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user). + // + // +kubebuilder:default="login:id" + // +kubebuilder:validation:Enum={"id","login","login:id"} + Username GitHubUsernameAttribute `json:"username"` + + // Groups configures which property of the GitHub team record shall determine the group names in Kubernetes. + // + // Can be either "name" or "slug". Defaults to "slug". + // + // GitHub team names can contain upper and lower case characters, whitespace, and punctuation (e.g. "Kube admins!"). + // + // GitHub team slugs are lower case alphanumeric characters and may contain dashes and underscores (e.g. "kube-admins"). + // + // Group names as presented to Kubernetes will always be prefixed by the GitHub organization name followed by a + // forward slash (e.g. "my-org/my-team"). GitHub organization login names can only contain alphanumeric characters + // or single hyphens, so the first forward slash `/` will be the separator between the organization login name and + // the team name or slug. + // + // If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's + // FederationDomain to further customize how these group names are presented to Kubernetes. + // + // See the response schema for + // [List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user). + // + // +kubebuilder:default=slug + // +kubebuilder:validation:Enum=name;slug + Groups GitHubGroupNameAttribute `json:"groups"` +} + +// GitHubClientSpec contains information about the GitHub client that this identity provider will use +// for web-based login flows. +type GitHubClientSpec struct { + // SecretName contains the name of a namespace-local Secret object that provides the clientID and + // clientSecret for an GitHub App or GitHub OAuth2 client. + // + // This secret must be of type "secrets.pinniped.dev/github-client" with keys "clientID" and "clientSecret". + SecretName string `json:"secretName"` +} + +// GitHubIdentityProviderSpec is the spec for configuring an GitHub identity provider. +type GitHubIdentityProviderSpec struct { + // GitHubApi allows configuration for GitHub Enterprise Server + // + // +kubebuilder:default={} + GitHubApi GitHubAPIConfig `json:"gitHubAPI,omitempty"` + + // Claims allows customization of the username and groups claims + // + // +optional + Claims GitHubClaims `json:"claims,omitempty"` + + // AllowedOrganizations, when specified, indicates that only users with membership in at least one of the listed + // GitHub organizations may log in. In addition, the group membership presented to Kubernetes will only include + // teams within the listed GitHub organizations. Additional login rules or group filtering can optionally be + // provided as policy expression on any Pinniped Supervisor FederationDomain that includes this IDP. + // + // The configured GitHub App or GitHub OAuth App must be allowed to see membership in the listed organizations, + // otherwise Pinniped will not be aware that the user belongs to the listed organization or any teams + // within that organization. + // + // If no organizations are listed, you must set gitHubOrganizationLoginPolicy: AllOrganizationsAllowed + // + // +optional + AllowedOrganizations []string `json:"allowedOrganizations,omitempty"` + + // GitHubOrganizationLoginPolicy must be set to "AllOrganizationsAllowed" if allowedOrganizations is empty. + // + // This field only exists to ensure that Pinniped administrators are aware that an empty list of + // allowedOrganizations means all GitHub users are allowed to log in. + // + // +kubebuilder:default=AllowedOrganizationsOnly + // +kubebuilder:validation:Enum=AllowedOrganizationsOnly;AllOrganizationsAllowed + // +optional + GitHubOrganizationLoginPolicy GitHubOrganizationLoginPolicy `json:"gitHubOrganizationLoginPolicy"` + + // Client identifies the secret with credentials for a GitHub App or GitHub OAuth2 App (a GitHub client). + Client GitHubClientSpec `json:"client"` +} + +// GitHubIdentityProvider describes the configuration of an upstream GitHub identity provider. +// This upstream provider can be configured with either a GitHub App or a GitHub OAuth2 App. +// +// Right now, only web-based logins are supported, for both the pinniped-cli client and clients configured +// as OIDCClients. +// +// +genclient +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +// +kubebuilder:resource:categories=pinniped;pinniped-idp;pinniped-idps +// +kubebuilder:printcolumn:name="Host",type=string,JSONPath=`.spec.gitHubAPI.host` +// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.phase` +// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp` +// +kubebuilder:subresource:status +type GitHubIdentityProvider struct { + metav1.TypeMeta `json:",inline"` + metav1.ObjectMeta `json:"metadata,omitempty"` + + // Spec for configuring the identity provider. + Spec GitHubIdentityProviderSpec `json:"spec"` + + // Status of the identity provider. + Status GitHubIdentityProviderStatus `json:"status,omitempty"` +} + +// GitHubIdentityProviderList lists GitHubIdentityProvider objects. +// +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +type GitHubIdentityProviderList struct { + metav1.TypeMeta `json:",inline"` + metav1.ListMeta `json:"metadata,omitempty"` + + Items []GitHubIdentityProvider `json:"items"` +} diff --git a/apis/supervisor/idp/v1alpha1/types_tls.go.tmpl b/apis/supervisor/idp/v1alpha1/types_tls.go.tmpl index 1413a262cc..49b49373cd 100644 --- a/apis/supervisor/idp/v1alpha1/types_tls.go.tmpl +++ b/apis/supervisor/idp/v1alpha1/types_tls.go.tmpl @@ -1,9 +1,9 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 package v1alpha1 -// Configuration for TLS parameters related to identity provider integration. +// TLSSpec provides TLS configuration for identity provider integration. type TLSSpec struct { // X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted. // +optional diff --git a/deploy/supervisor/idp.supervisor.pinniped.dev_githubidentityproviders.yaml b/deploy/supervisor/idp.supervisor.pinniped.dev_githubidentityproviders.yaml new file mode 100644 index 0000000000..d10a330731 --- /dev/null +++ b/deploy/supervisor/idp.supervisor.pinniped.dev_githubidentityproviders.yaml @@ -0,0 +1,295 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.14.0 + name: githubidentityproviders.idp.supervisor.pinniped.dev +spec: + group: idp.supervisor.pinniped.dev + names: + categories: + - pinniped + - pinniped-idp + - pinniped-idps + kind: GitHubIdentityProvider + listKind: GitHubIdentityProviderList + plural: githubidentityproviders + singular: githubidentityprovider + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.gitHubAPI.host + name: Host + type: string + - jsonPath: .status.phase + name: Status + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: |- + GitHubIdentityProvider describes the configuration of an upstream GitHub identity provider. + This upstream provider can be configured with either a GitHub App or a GitHub OAuth2 App. + + + Right now, only web-based logins are supported, for both the pinniped-cli client and clients configured + as OIDCClients. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec for configuring the identity provider. + properties: + allowedOrganizations: + description: |- + AllowedOrganizations, when specified, indicates that only users with membership in at least one of the listed + GitHub organizations may log in. In addition, the group membership presented to Kubernetes will only include + teams within the listed GitHub organizations. Additional login rules or group filtering can optionally be + provided as policy expression on any Pinniped Supervisor FederationDomain that includes this IDP. + + + The configured GitHub App or GitHub OAuth App must be allowed to see membership in the listed organizations, + otherwise Pinniped will not be aware that the user belongs to the listed organization or any teams + within that organization. + + + If no organizations are listed, you must set gitHubOrganizationLoginPolicy: AllOrganizationsAllowed + items: + type: string + type: array + claims: + description: Claims allows customization of the username and groups + claims + properties: + groups: + default: slug + description: |- + Groups configures which property of the GitHub team record shall determine the group names in Kubernetes. + + + Can be either "name" or "slug". Defaults to "slug". + + + GitHub team names can contain upper and lower case characters, whitespace, and punctuation (e.g. "Kube admins!"). + + + GitHub team slugs are lower case alphanumeric characters and may contain dashes and underscores (e.g. "kube-admins"). + + + Group names as presented to Kubernetes will always be prefixed by the GitHub organization name followed by a + forward slash (e.g. "my-org/my-team"). GitHub organization login names can only contain alphanumeric characters + or single hyphens, so the first forward slash `/` will be the separator between the organization login name and + the team name or slug. + + + If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's + FederationDomain to further customize how these group names are presented to Kubernetes. + + + See the response schema for + [List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user). + enum: + - name + - slug + type: string + username: + default: login:id + description: |- + Username configures which property of the GitHub user record shall determine the username in Kubernetes. + + + Can be either "id", "login", or "login:id". Defaults to "login:id". + + + GitHub's user login attributes can only contain alphanumeric characters and non-repeating hyphens, + and may not start or end with hyphens. GitHub users are allowed to change their login name, + although it is inconvenient. If a GitHub user changed their login name from "foo" to "bar", + then a second user might change their name from "baz" to "foo" in order to take the old + username of the first user. For this reason, it is not as safe to make authorization decisions + based only on the user's login attribute. + + + If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's + FederationDomain to further customize how these usernames are presented to Kubernetes. + + + Defaults to "login:id", which is the user login attribute, followed by a colon, followed by the unique and + unchanging integer ID number attribute. This blends human-readable login names with the unchanging ID value + from GitHub. Note that colons are not allowed in GitHub login attributes or ID numbers, so the colon in the + "login:id" name will always be the login:id separator colon. + + + See the response schema for + [Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user). + enum: + - id + - login + - login:id + type: string + required: + - groups + - username + type: object + client: + description: Client identifies the secret with credentials for a GitHub + App or GitHub OAuth2 App (a GitHub client). + properties: + secretName: + description: |- + SecretName contains the name of a namespace-local Secret object that provides the clientID and + clientSecret for an GitHub App or GitHub OAuth2 client. + + + This secret must be of type "secrets.pinniped.dev/github-client" with keys "clientID" and "clientSecret". + type: string + required: + - secretName + type: object + gitHubAPI: + default: {} + description: GitHubApi allows configuration for GitHub Enterprise + Server + properties: + host: + default: github.com + description: |- + Host is required only for GitHub Enterprise Server. + Defaults to using GitHub's public API (github.com). + type: string + tls: + description: TLS configuration for GitHub Enterprise Server. + properties: + certificateAuthorityData: + description: X.509 Certificate Authority (base64-encoded PEM + bundle). If omitted, a default set of system roots will + be trusted. + type: string + type: object + type: object + gitHubOrganizationLoginPolicy: + default: AllowedOrganizationsOnly + description: |- + GitHubOrganizationLoginPolicy must be set to "AllOrganizationsAllowed" if allowedOrganizations is empty. + + + This field only exists to ensure that Pinniped administrators are aware that an empty list of + allowedOrganizations means all GitHub users are allowed to log in. + enum: + - AllowedOrganizationsOnly + - AllOrganizationsAllowed + type: string + required: + - client + type: object + status: + description: Status of the identity provider. + properties: + conditions: + description: Conditions represents the observations of an identity + provider's current state. + items: + description: "Condition contains details for one aspect of the current + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + phase: + default: Pending + description: Phase summarizes the overall status of the GitHubIdentityProvider. + enum: + - Pending + - Ready + - Error + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/deploy/supervisor/rbac.yaml b/deploy/supervisor/rbac.yaml index 97b542fe2f..86c322e9ac 100644 --- a/deploy/supervisor/rbac.yaml +++ b/deploy/supervisor/rbac.yaml @@ -1,4 +1,4 @@ -#! Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +#! Copyright 2020-2024 the Pinniped contributors. All Rights Reserved. #! SPDX-License-Identifier: Apache-2.0 #@ load("@ytt:data", "data") @@ -56,6 +56,14 @@ rules: - #@ pinnipedDevAPIGroupWithPrefix("idp.supervisor") resources: [activedirectoryidentityproviders/status] verbs: [get, patch, update] + - apiGroups: + - #@ pinnipedDevAPIGroupWithPrefix("idp.supervisor") + resources: [githubidentityproviders] + verbs: [get, list, watch] + - apiGroups: + - #@ pinnipedDevAPIGroupWithPrefix("idp.supervisor") + resources: [githubidentityproviders/status] + verbs: [get, patch, update] #! We want to be able to read pods/replicasets/deployment so we can learn who our deployment is to set #! as an owner reference. - apiGroups: [""] diff --git a/deploy/supervisor/z0_crd_overlay.yaml b/deploy/supervisor/z0_crd_overlay.yaml index f7a50a88dc..889c0166b5 100644 --- a/deploy/supervisor/z0_crd_overlay.yaml +++ b/deploy/supervisor/z0_crd_overlay.yaml @@ -1,4 +1,4 @@ -#! Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +#! Copyright 2020-2024 the Pinniped contributors. All Rights Reserved. #! SPDX-License-Identifier: Apache-2.0 #@ load("@ytt:overlay", "overlay") @@ -41,6 +41,15 @@ metadata: spec: group: #@ pinnipedDevAPIGroupWithPrefix("idp.supervisor") +#@overlay/match by=overlay.subset({"kind": "CustomResourceDefinition", "metadata":{"name":"githubidentityproviders.idp.supervisor.pinniped.dev"}}), expects=1 +--- +metadata: + #@overlay/match missing_ok=True + labels: #@ labels() + name: #@ pinnipedDevAPIGroupWithPrefix("githubidentityproviders.idp.supervisor") +spec: + group: #@ pinnipedDevAPIGroupWithPrefix("idp.supervisor") + #@overlay/match by=overlay.subset({"kind": "CustomResourceDefinition", "metadata":{"name":"oidcclients.config.supervisor.pinniped.dev"}}), expects=1 --- metadata: diff --git a/generated/1.21/README.adoc b/generated/1.21/README.adoc index 34dca9ce21..da393f004c 100644 --- a/generated/1.21/README.adoc +++ b/generated/1.21/README.adoc @@ -1366,6 +1366,199 @@ Status of an Active Directory identity provider. |=== +[id="{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-idp-v1alpha1-githubapiconfig"] +==== GitHubAPIConfig + +GitHubAPIConfig allows configuration for GitHub Enterprise Server + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-idp-v1alpha1-githubidentityproviderspec[$$GitHubIdentityProviderSpec$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`host`* __string__ | Host is required only for GitHub Enterprise Server. Defaults to using GitHub's public API (github.com). +| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-idp-v1alpha1-tlsspec[$$TLSSpec$$]__ | TLS configuration for GitHub Enterprise Server. +|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-idp-v1alpha1-githubclaims"] +==== GitHubClaims + +GitHubClaims allows customization of the username and groups claims + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-idp-v1alpha1-githubidentityproviderspec[$$GitHubIdentityProviderSpec$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`username`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-idp-v1alpha1-githubusernameattribute[$$GitHubUsernameAttribute$$]__ | Username configures which property of the GitHub user record shall determine the username in Kubernetes. + + +Can be either "id", "login", or "login:id". Defaults to "login:id". + + +GitHub's user login attributes can only contain alphanumeric characters and non-repeating hyphens, and may not start or end with hyphens. GitHub users are allowed to change their login name, although it is inconvenient. If a GitHub user changed their login name from "foo" to "bar", then a second user might change their name from "baz" to "foo" in order to take the old username of the first user. For this reason, it is not as safe to make authorization decisions based only on the user's login attribute. + + +If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's FederationDomain to further customize how these usernames are presented to Kubernetes. + + +Defaults to "login:id", which is the user login attribute, followed by a colon, followed by the unique and unchanging integer ID number attribute. This blends human-readable login names with the unchanging ID value from GitHub. Note that colons are not allowed in GitHub login attributes or ID numbers, so the colon in the "login:id" name will always be the login:id separator colon. + + +See the response schema for [Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user). +| *`groups`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-idp-v1alpha1-githubgroupnameattribute[$$GitHubGroupNameAttribute$$]__ | Groups configures which property of the GitHub team record shall determine the group names in Kubernetes. + + +Can be either "name" or "slug". Defaults to "slug". + + +GitHub team names can contain upper and lower case characters, whitespace, and punctuation (e.g. "Kube admins!"). + + +GitHub team slugs are lower case alphanumeric characters and may contain dashes and underscores (e.g. "kube-admins"). + + +Group names as presented to Kubernetes will always be prefixed by the GitHub organization name followed by a forward slash (e.g. "my-org/my-team"). GitHub organization login names can only contain alphanumeric characters or single hyphens, so the first forward slash `/` will be the separator between the organization login name and the team name or slug. + + +If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's FederationDomain to further customize how these group names are presented to Kubernetes. + + +See the response schema for [List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user). +|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-idp-v1alpha1-githubclientspec"] +==== GitHubClientSpec + +GitHubClientSpec contains information about the GitHub client that this identity provider will use for web-based login flows. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-idp-v1alpha1-githubidentityproviderspec[$$GitHubIdentityProviderSpec$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`secretName`* __string__ | SecretName contains the name of a namespace-local Secret object that provides the clientID and clientSecret for an GitHub App or GitHub OAuth2 client. + + +This secret must be of type "secrets.pinniped.dev/github-client" with keys "clientID" and "clientSecret". +|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-idp-v1alpha1-githubgroupnameattribute"] +==== GitHubGroupNameAttribute (string) + +GitHubGroupNameAttribute allows the user to specify which attribute from GitHub to use for the downstream group names. See the response schema for [List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user). + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-idp-v1alpha1-githubclaims[$$GitHubClaims$$] +**** + + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-idp-v1alpha1-githubidentityprovider"] +==== GitHubIdentityProvider + +GitHubIdentityProvider describes the configuration of an upstream GitHub identity provider. This upstream provider can be configured with either a GitHub App or a GitHub OAuth2 App. + Right now, only web-based logins are supported, for both the pinniped-cli client and clients configured as OIDCClients. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-idp-v1alpha1-githubidentityproviderlist[$$GitHubIdentityProviderList$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.21/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`. + +| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-idp-v1alpha1-githubidentityproviderspec[$$GitHubIdentityProviderSpec$$]__ | Spec for configuring the identity provider. +| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-idp-v1alpha1-githubidentityproviderstatus[$$GitHubIdentityProviderStatus$$]__ | Status of the identity provider. +|=== + + + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-idp-v1alpha1-githubidentityproviderphase"] +==== GitHubIdentityProviderPhase (string) + + + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-idp-v1alpha1-githubidentityproviderstatus[$$GitHubIdentityProviderStatus$$] +**** + + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-idp-v1alpha1-githubidentityproviderspec"] +==== GitHubIdentityProviderSpec + +GitHubIdentityProviderSpec is the spec for configuring an GitHub identity provider. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-idp-v1alpha1-githubidentityprovider[$$GitHubIdentityProvider$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`gitHubAPI`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-idp-v1alpha1-githubapiconfig[$$GitHubAPIConfig$$]__ | GitHubApi allows configuration for GitHub Enterprise Server +| *`claims`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-idp-v1alpha1-githubclaims[$$GitHubClaims$$]__ | Claims allows customization of the username and groups claims +| *`allowedOrganizations`* __string array__ | AllowedOrganizations, when specified, indicates that only users with membership in at least one of the listed GitHub organizations may log in. In addition, the group membership presented to Kubernetes will only include teams within the listed GitHub organizations. Additional login rules or group filtering can optionally be provided as policy expression on any Pinniped Supervisor FederationDomain that includes this IDP. + + +The configured GitHub App or GitHub OAuth App must be allowed to see membership in the listed organizations, otherwise Pinniped will not be aware that the user belongs to the listed organization or any teams within that organization. + + +If no organizations are listed, you must set gitHubOrganizationLoginPolicy: AllOrganizationsAllowed +| *`gitHubOrganizationLoginPolicy`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-idp-v1alpha1-githuborganizationloginpolicy[$$GitHubOrganizationLoginPolicy$$]__ | GitHubOrganizationLoginPolicy must be set to "AllOrganizationsAllowed" if allowedOrganizations is empty. + + +This field only exists to ensure that Pinniped administrators are aware that an empty list of allowedOrganizations means all GitHub users are allowed to log in. +| *`client`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-idp-v1alpha1-githubclientspec[$$GitHubClientSpec$$]__ | Client identifies the secret with credentials for a GitHub App or GitHub OAuth2 App (a GitHub client). +|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-idp-v1alpha1-githubidentityproviderstatus"] +==== GitHubIdentityProviderStatus + +GitHubIdentityProviderStatus is the status of an GitHub identity provider. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-idp-v1alpha1-githubidentityprovider[$$GitHubIdentityProvider$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`phase`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-idp-v1alpha1-githubidentityproviderphase[$$GitHubIdentityProviderPhase$$]__ | Phase summarizes the overall status of the GitHubIdentityProvider. +| *`conditions`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.21/#condition-v1-meta[$$Condition$$] array__ | Conditions represents the observations of an identity provider's current state. +|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-idp-v1alpha1-githuborganizationloginpolicy"] +==== GitHubOrganizationLoginPolicy (string) + + + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-idp-v1alpha1-githubidentityproviderspec[$$GitHubIdentityProviderSpec$$] +**** + + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-idp-v1alpha1-githubusernameattribute"] +==== GitHubUsernameAttribute (string) + +GitHubUsernameAttribute allows the user to specify which attribute(s) from GitHub to use for the downstream username. See the response schema for [Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user). + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-idp-v1alpha1-githubclaims[$$GitHubClaims$$] +**** + + + [id="{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-idp-v1alpha1-ldapidentityprovider"] ==== LDAPIdentityProvider @@ -1686,11 +1879,12 @@ Parameter is a key/value pair which represents a parameter in an HTTP request. [id="{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-idp-v1alpha1-tlsspec"] ==== TLSSpec -Configuration for TLS parameters related to identity provider integration. +TLSSpec provides TLS configuration for identity provider integration. .Appears In: **** - xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-idp-v1alpha1-activedirectoryidentityproviderspec[$$ActiveDirectoryIdentityProviderSpec$$] +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-idp-v1alpha1-githubapiconfig[$$GitHubAPIConfig$$] - xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-idp-v1alpha1-ldapidentityproviderspec[$$LDAPIdentityProviderSpec$$] - xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-idp-v1alpha1-oidcidentityproviderspec[$$OIDCIdentityProviderSpec$$] **** diff --git a/generated/1.21/apis/supervisor/idp/v1alpha1/register.go b/generated/1.21/apis/supervisor/idp/v1alpha1/register.go index 8829a86385..705be8076c 100644 --- a/generated/1.21/apis/supervisor/idp/v1alpha1/register.go +++ b/generated/1.21/apis/supervisor/idp/v1alpha1/register.go @@ -1,4 +1,4 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 package v1alpha1 @@ -36,6 +36,8 @@ func addKnownTypes(scheme *runtime.Scheme) error { &LDAPIdentityProviderList{}, &ActiveDirectoryIdentityProvider{}, &ActiveDirectoryIdentityProviderList{}, + &GitHubIdentityProvider{}, + &GitHubIdentityProviderList{}, ) metav1.AddToGroupVersion(scheme, SchemeGroupVersion) return nil diff --git a/generated/1.21/apis/supervisor/idp/v1alpha1/types_githubidentityprovider.go b/generated/1.21/apis/supervisor/idp/v1alpha1/types_githubidentityprovider.go new file mode 100644 index 0000000000..92bd19724b --- /dev/null +++ b/generated/1.21/apis/supervisor/idp/v1alpha1/types_githubidentityprovider.go @@ -0,0 +1,231 @@ +// Copyright 2024 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +package v1alpha1 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" +) + +type GitHubIdentityProviderPhase string + +const ( + // GitHubPhasePending is the default phase for newly-created GitHubIdentityProvider resources. + GitHubPhasePending GitHubIdentityProviderPhase = "Pending" + + // GitHubPhaseReady is the phase for an GitHubIdentityProvider resource in a healthy state. + GitHubPhaseReady GitHubIdentityProviderPhase = "Ready" + + // GitHubPhaseError is the phase for an GitHubIdentityProvider in an unhealthy state. + GitHubPhaseError GitHubIdentityProviderPhase = "Error" +) + +type GitHubOrganizationLoginPolicy string + +const ( + // GitHubOrganizationLoginPolicyAllOrgsAllowed means any GitHub user is allowed to log in using this identity + // provider, regardless of their organization membership or lack thereof. + GitHubOrganizationLoginPolicyAllOrgsAllowed GitHubOrganizationLoginPolicy = "AllOrganizationsAllowed" + + // GitHubOrganizationLoginPolicyAllowedOrgsOnly means only those users with membership in the listed GitHub + // organizations are allowed to log in. + GitHubOrganizationLoginPolicyAllowedOrgsOnly GitHubOrganizationLoginPolicy = "AllowedOrganizationsOnly" +) + +// GitHubIdentityProviderStatus is the status of an GitHub identity provider. +type GitHubIdentityProviderStatus struct { + // Phase summarizes the overall status of the GitHubIdentityProvider. + // + // +kubebuilder:default=Pending + // +kubebuilder:validation:Enum=Pending;Ready;Error + Phase GitHubIdentityProviderPhase `json:"phase,omitempty"` + + // Conditions represents the observations of an identity provider's current state. + // + // +patchMergeKey=type + // +patchStrategy=merge + // +listType=map + // +listMapKey=type + Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"` +} + +// GitHubAPIConfig allows configuration for GitHub Enterprise Server +type GitHubAPIConfig struct { + // Host is required only for GitHub Enterprise Server. + // Defaults to using GitHub's public API (github.com). + // + // +kubebuilder:default="github.com" + // +optional + Host string `json:"host"` + + // TLS configuration for GitHub Enterprise Server. + // + // +optional + TLS *TLSSpec `json:"tls,omitempty"` +} + +// GitHubUsernameAttribute allows the user to specify which attribute(s) from GitHub to use for the downstream username. +// See the response schema for +// [Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user). +type GitHubUsernameAttribute string + +const ( + // GitHubUsernameID specifies using the `id` attribute from the GitHub user as the downstream username. + GitHubUsernameID GitHubUsernameAttribute = "id" + + // GitHubUsernameLogin specifies using the `login` attribute from the GitHub user as the downstream username. + GitHubUsernameLogin GitHubUsernameAttribute = "login" + + // GitHubUsernameLoginAndID specifies combining the `login` and `id` attributes from the GitHub user as the + // downstream username, separated by a colon. Example: "my-login:1234" + GitHubUsernameLoginAndID GitHubUsernameAttribute = "login:id" +) + +// GitHubGroupNameAttribute allows the user to specify which attribute from GitHub to use for the downstream group +// names. See the response schema for +// [List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user). +type GitHubGroupNameAttribute string + +const ( + // GitHubUseTeamNameForGrouypName specifies using the GitHub team's `name` attribute as the downstream group name. + GitHubUseTeamNameForGrouypName GitHubGroupNameAttribute = "name" + + // GitHubUseTeamSlugForGroupName specifies using the GitHub team's `slug` attribute as the downstream group name. + GitHubUseTeamSlugForGroupName GitHubGroupNameAttribute = "slug" +) + +// GitHubClaims allows customization of the username and groups claims +type GitHubClaims struct { + // Username configures which property of the GitHub user record shall determine the username in Kubernetes. + // + // Can be either "id", "login", or "login:id". Defaults to "login:id". + // + // GitHub's user login attributes can only contain alphanumeric characters and non-repeating hyphens, + // and may not start or end with hyphens. GitHub users are allowed to change their login name, + // although it is inconvenient. If a GitHub user changed their login name from "foo" to "bar", + // then a second user might change their name from "baz" to "foo" in order to take the old + // username of the first user. For this reason, it is not as safe to make authorization decisions + // based only on the user's login attribute. + // + // If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's + // FederationDomain to further customize how these usernames are presented to Kubernetes. + // + // Defaults to "login:id", which is the user login attribute, followed by a colon, followed by the unique and + // unchanging integer ID number attribute. This blends human-readable login names with the unchanging ID value + // from GitHub. Note that colons are not allowed in GitHub login attributes or ID numbers, so the colon in the + // "login:id" name will always be the login:id separator colon. + // + // See the response schema for + // [Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user). + // + // +kubebuilder:default="login:id" + // +kubebuilder:validation:Enum={"id","login","login:id"} + Username GitHubUsernameAttribute `json:"username"` + + // Groups configures which property of the GitHub team record shall determine the group names in Kubernetes. + // + // Can be either "name" or "slug". Defaults to "slug". + // + // GitHub team names can contain upper and lower case characters, whitespace, and punctuation (e.g. "Kube admins!"). + // + // GitHub team slugs are lower case alphanumeric characters and may contain dashes and underscores (e.g. "kube-admins"). + // + // Group names as presented to Kubernetes will always be prefixed by the GitHub organization name followed by a + // forward slash (e.g. "my-org/my-team"). GitHub organization login names can only contain alphanumeric characters + // or single hyphens, so the first forward slash `/` will be the separator between the organization login name and + // the team name or slug. + // + // If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's + // FederationDomain to further customize how these group names are presented to Kubernetes. + // + // See the response schema for + // [List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user). + // + // +kubebuilder:default=slug + // +kubebuilder:validation:Enum=name;slug + Groups GitHubGroupNameAttribute `json:"groups"` +} + +// GitHubClientSpec contains information about the GitHub client that this identity provider will use +// for web-based login flows. +type GitHubClientSpec struct { + // SecretName contains the name of a namespace-local Secret object that provides the clientID and + // clientSecret for an GitHub App or GitHub OAuth2 client. + // + // This secret must be of type "secrets.pinniped.dev/github-client" with keys "clientID" and "clientSecret". + SecretName string `json:"secretName"` +} + +// GitHubIdentityProviderSpec is the spec for configuring an GitHub identity provider. +type GitHubIdentityProviderSpec struct { + // GitHubApi allows configuration for GitHub Enterprise Server + // + // +kubebuilder:default={} + GitHubApi GitHubAPIConfig `json:"gitHubAPI,omitempty"` + + // Claims allows customization of the username and groups claims + // + // +optional + Claims GitHubClaims `json:"claims,omitempty"` + + // AllowedOrganizations, when specified, indicates that only users with membership in at least one of the listed + // GitHub organizations may log in. In addition, the group membership presented to Kubernetes will only include + // teams within the listed GitHub organizations. Additional login rules or group filtering can optionally be + // provided as policy expression on any Pinniped Supervisor FederationDomain that includes this IDP. + // + // The configured GitHub App or GitHub OAuth App must be allowed to see membership in the listed organizations, + // otherwise Pinniped will not be aware that the user belongs to the listed organization or any teams + // within that organization. + // + // If no organizations are listed, you must set gitHubOrganizationLoginPolicy: AllOrganizationsAllowed + // + // +optional + AllowedOrganizations []string `json:"allowedOrganizations,omitempty"` + + // GitHubOrganizationLoginPolicy must be set to "AllOrganizationsAllowed" if allowedOrganizations is empty. + // + // This field only exists to ensure that Pinniped administrators are aware that an empty list of + // allowedOrganizations means all GitHub users are allowed to log in. + // + // +kubebuilder:default=AllowedOrganizationsOnly + // +kubebuilder:validation:Enum=AllowedOrganizationsOnly;AllOrganizationsAllowed + // +optional + GitHubOrganizationLoginPolicy GitHubOrganizationLoginPolicy `json:"gitHubOrganizationLoginPolicy"` + + // Client identifies the secret with credentials for a GitHub App or GitHub OAuth2 App (a GitHub client). + Client GitHubClientSpec `json:"client"` +} + +// GitHubIdentityProvider describes the configuration of an upstream GitHub identity provider. +// This upstream provider can be configured with either a GitHub App or a GitHub OAuth2 App. +// +// Right now, only web-based logins are supported, for both the pinniped-cli client and clients configured +// as OIDCClients. +// +// +genclient +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +// +kubebuilder:resource:categories=pinniped;pinniped-idp;pinniped-idps +// +kubebuilder:printcolumn:name="Host",type=string,JSONPath=`.spec.gitHubAPI.host` +// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.phase` +// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp` +// +kubebuilder:subresource:status +type GitHubIdentityProvider struct { + metav1.TypeMeta `json:",inline"` + metav1.ObjectMeta `json:"metadata,omitempty"` + + // Spec for configuring the identity provider. + Spec GitHubIdentityProviderSpec `json:"spec"` + + // Status of the identity provider. + Status GitHubIdentityProviderStatus `json:"status,omitempty"` +} + +// GitHubIdentityProviderList lists GitHubIdentityProvider objects. +// +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +type GitHubIdentityProviderList struct { + metav1.TypeMeta `json:",inline"` + metav1.ListMeta `json:"metadata,omitempty"` + + Items []GitHubIdentityProvider `json:"items"` +} diff --git a/generated/1.21/apis/supervisor/idp/v1alpha1/types_tls.go b/generated/1.21/apis/supervisor/idp/v1alpha1/types_tls.go index 1413a262cc..49b49373cd 100644 --- a/generated/1.21/apis/supervisor/idp/v1alpha1/types_tls.go +++ b/generated/1.21/apis/supervisor/idp/v1alpha1/types_tls.go @@ -1,9 +1,9 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 package v1alpha1 -// Configuration for TLS parameters related to identity provider integration. +// TLSSpec provides TLS configuration for identity provider integration. type TLSSpec struct { // X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted. // +optional diff --git a/generated/1.21/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go b/generated/1.21/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go index b0cb168b54..724643e7c2 100644 --- a/generated/1.21/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go +++ b/generated/1.21/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go @@ -203,6 +203,167 @@ func (in *ActiveDirectoryIdentityProviderUserSearchAttributes) DeepCopy() *Activ return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *GitHubAPIConfig) DeepCopyInto(out *GitHubAPIConfig) { + *out = *in + if in.TLS != nil { + in, out := &in.TLS, &out.TLS + *out = new(TLSSpec) + **out = **in + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubAPIConfig. +func (in *GitHubAPIConfig) DeepCopy() *GitHubAPIConfig { + if in == nil { + return nil + } + out := new(GitHubAPIConfig) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *GitHubClaims) DeepCopyInto(out *GitHubClaims) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubClaims. +func (in *GitHubClaims) DeepCopy() *GitHubClaims { + if in == nil { + return nil + } + out := new(GitHubClaims) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *GitHubClientSpec) DeepCopyInto(out *GitHubClientSpec) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubClientSpec. +func (in *GitHubClientSpec) DeepCopy() *GitHubClientSpec { + if in == nil { + return nil + } + out := new(GitHubClientSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *GitHubIdentityProvider) DeepCopyInto(out *GitHubIdentityProvider) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + in.Spec.DeepCopyInto(&out.Spec) + in.Status.DeepCopyInto(&out.Status) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubIdentityProvider. +func (in *GitHubIdentityProvider) DeepCopy() *GitHubIdentityProvider { + if in == nil { + return nil + } + out := new(GitHubIdentityProvider) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *GitHubIdentityProvider) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *GitHubIdentityProviderList) DeepCopyInto(out *GitHubIdentityProviderList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]GitHubIdentityProvider, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubIdentityProviderList. +func (in *GitHubIdentityProviderList) DeepCopy() *GitHubIdentityProviderList { + if in == nil { + return nil + } + out := new(GitHubIdentityProviderList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *GitHubIdentityProviderList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *GitHubIdentityProviderSpec) DeepCopyInto(out *GitHubIdentityProviderSpec) { + *out = *in + in.GitHubApi.DeepCopyInto(&out.GitHubApi) + out.Claims = in.Claims + if in.AllowedOrganizations != nil { + in, out := &in.AllowedOrganizations, &out.AllowedOrganizations + *out = make([]string, len(*in)) + copy(*out, *in) + } + out.Client = in.Client + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubIdentityProviderSpec. +func (in *GitHubIdentityProviderSpec) DeepCopy() *GitHubIdentityProviderSpec { + if in == nil { + return nil + } + out := new(GitHubIdentityProviderSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *GitHubIdentityProviderStatus) DeepCopyInto(out *GitHubIdentityProviderStatus) { + *out = *in + if in.Conditions != nil { + in, out := &in.Conditions, &out.Conditions + *out = make([]v1.Condition, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubIdentityProviderStatus. +func (in *GitHubIdentityProviderStatus) DeepCopy() *GitHubIdentityProviderStatus { + if in == nil { + return nil + } + out := new(GitHubIdentityProviderStatus) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *LDAPIdentityProvider) DeepCopyInto(out *LDAPIdentityProvider) { *out = *in diff --git a/generated/1.21/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_githubidentityprovider.go b/generated/1.21/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_githubidentityprovider.go new file mode 100644 index 0000000000..3d9c46a5fb --- /dev/null +++ b/generated/1.21/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_githubidentityprovider.go @@ -0,0 +1,129 @@ +// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package fake + +import ( + "context" + + v1alpha1 "go.pinniped.dev/generated/1.21/apis/supervisor/idp/v1alpha1" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + labels "k8s.io/apimachinery/pkg/labels" + schema "k8s.io/apimachinery/pkg/runtime/schema" + types "k8s.io/apimachinery/pkg/types" + watch "k8s.io/apimachinery/pkg/watch" + testing "k8s.io/client-go/testing" +) + +// FakeGitHubIdentityProviders implements GitHubIdentityProviderInterface +type FakeGitHubIdentityProviders struct { + Fake *FakeIDPV1alpha1 + ns string +} + +var githubidentityprovidersResource = schema.GroupVersionResource{Group: "idp.supervisor.pinniped.dev", Version: "v1alpha1", Resource: "githubidentityproviders"} + +var githubidentityprovidersKind = schema.GroupVersionKind{Group: "idp.supervisor.pinniped.dev", Version: "v1alpha1", Kind: "GitHubIdentityProvider"} + +// Get takes name of the gitHubIdentityProvider, and returns the corresponding gitHubIdentityProvider object, and an error if there is any. +func (c *FakeGitHubIdentityProviders) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.GitHubIdentityProvider, err error) { + obj, err := c.Fake. + Invokes(testing.NewGetAction(githubidentityprovidersResource, c.ns, name), &v1alpha1.GitHubIdentityProvider{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.GitHubIdentityProvider), err +} + +// List takes label and field selectors, and returns the list of GitHubIdentityProviders that match those selectors. +func (c *FakeGitHubIdentityProviders) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.GitHubIdentityProviderList, err error) { + obj, err := c.Fake. + Invokes(testing.NewListAction(githubidentityprovidersResource, githubidentityprovidersKind, c.ns, opts), &v1alpha1.GitHubIdentityProviderList{}) + + if obj == nil { + return nil, err + } + + label, _, _ := testing.ExtractFromListOptions(opts) + if label == nil { + label = labels.Everything() + } + list := &v1alpha1.GitHubIdentityProviderList{ListMeta: obj.(*v1alpha1.GitHubIdentityProviderList).ListMeta} + for _, item := range obj.(*v1alpha1.GitHubIdentityProviderList).Items { + if label.Matches(labels.Set(item.Labels)) { + list.Items = append(list.Items, item) + } + } + return list, err +} + +// Watch returns a watch.Interface that watches the requested gitHubIdentityProviders. +func (c *FakeGitHubIdentityProviders) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) { + return c.Fake. + InvokesWatch(testing.NewWatchAction(githubidentityprovidersResource, c.ns, opts)) + +} + +// Create takes the representation of a gitHubIdentityProvider and creates it. Returns the server's representation of the gitHubIdentityProvider, and an error, if there is any. +func (c *FakeGitHubIdentityProviders) Create(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.CreateOptions) (result *v1alpha1.GitHubIdentityProvider, err error) { + obj, err := c.Fake. + Invokes(testing.NewCreateAction(githubidentityprovidersResource, c.ns, gitHubIdentityProvider), &v1alpha1.GitHubIdentityProvider{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.GitHubIdentityProvider), err +} + +// Update takes the representation of a gitHubIdentityProvider and updates it. Returns the server's representation of the gitHubIdentityProvider, and an error, if there is any. +func (c *FakeGitHubIdentityProviders) Update(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.UpdateOptions) (result *v1alpha1.GitHubIdentityProvider, err error) { + obj, err := c.Fake. + Invokes(testing.NewUpdateAction(githubidentityprovidersResource, c.ns, gitHubIdentityProvider), &v1alpha1.GitHubIdentityProvider{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.GitHubIdentityProvider), err +} + +// UpdateStatus was generated because the type contains a Status member. +// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus(). +func (c *FakeGitHubIdentityProviders) UpdateStatus(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.UpdateOptions) (*v1alpha1.GitHubIdentityProvider, error) { + obj, err := c.Fake. + Invokes(testing.NewUpdateSubresourceAction(githubidentityprovidersResource, "status", c.ns, gitHubIdentityProvider), &v1alpha1.GitHubIdentityProvider{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.GitHubIdentityProvider), err +} + +// Delete takes name of the gitHubIdentityProvider and deletes it. Returns an error if one occurs. +func (c *FakeGitHubIdentityProviders) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error { + _, err := c.Fake. + Invokes(testing.NewDeleteAction(githubidentityprovidersResource, c.ns, name), &v1alpha1.GitHubIdentityProvider{}) + + return err +} + +// DeleteCollection deletes a collection of objects. +func (c *FakeGitHubIdentityProviders) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error { + action := testing.NewDeleteCollectionAction(githubidentityprovidersResource, c.ns, listOpts) + + _, err := c.Fake.Invokes(action, &v1alpha1.GitHubIdentityProviderList{}) + return err +} + +// Patch applies the patch and returns the patched gitHubIdentityProvider. +func (c *FakeGitHubIdentityProviders) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.GitHubIdentityProvider, err error) { + obj, err := c.Fake. + Invokes(testing.NewPatchSubresourceAction(githubidentityprovidersResource, c.ns, name, pt, data, subresources...), &v1alpha1.GitHubIdentityProvider{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.GitHubIdentityProvider), err +} diff --git a/generated/1.21/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_idp_client.go b/generated/1.21/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_idp_client.go index 0d38fc7b92..9943848568 100644 --- a/generated/1.21/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_idp_client.go +++ b/generated/1.21/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_idp_client.go @@ -19,6 +19,10 @@ func (c *FakeIDPV1alpha1) ActiveDirectoryIdentityProviders(namespace string) v1a return &FakeActiveDirectoryIdentityProviders{c, namespace} } +func (c *FakeIDPV1alpha1) GitHubIdentityProviders(namespace string) v1alpha1.GitHubIdentityProviderInterface { + return &FakeGitHubIdentityProviders{c, namespace} +} + func (c *FakeIDPV1alpha1) LDAPIdentityProviders(namespace string) v1alpha1.LDAPIdentityProviderInterface { return &FakeLDAPIdentityProviders{c, namespace} } diff --git a/generated/1.21/client/supervisor/clientset/versioned/typed/idp/v1alpha1/generated_expansion.go b/generated/1.21/client/supervisor/clientset/versioned/typed/idp/v1alpha1/generated_expansion.go index 79be098d6c..a7acc8120f 100644 --- a/generated/1.21/client/supervisor/clientset/versioned/typed/idp/v1alpha1/generated_expansion.go +++ b/generated/1.21/client/supervisor/clientset/versioned/typed/idp/v1alpha1/generated_expansion.go @@ -7,6 +7,8 @@ package v1alpha1 type ActiveDirectoryIdentityProviderExpansion interface{} +type GitHubIdentityProviderExpansion interface{} + type LDAPIdentityProviderExpansion interface{} type OIDCIdentityProviderExpansion interface{} diff --git a/generated/1.21/client/supervisor/clientset/versioned/typed/idp/v1alpha1/githubidentityprovider.go b/generated/1.21/client/supervisor/clientset/versioned/typed/idp/v1alpha1/githubidentityprovider.go new file mode 100644 index 0000000000..c75a77de37 --- /dev/null +++ b/generated/1.21/client/supervisor/clientset/versioned/typed/idp/v1alpha1/githubidentityprovider.go @@ -0,0 +1,182 @@ +// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + "context" + "time" + + v1alpha1 "go.pinniped.dev/generated/1.21/apis/supervisor/idp/v1alpha1" + scheme "go.pinniped.dev/generated/1.21/client/supervisor/clientset/versioned/scheme" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + types "k8s.io/apimachinery/pkg/types" + watch "k8s.io/apimachinery/pkg/watch" + rest "k8s.io/client-go/rest" +) + +// GitHubIdentityProvidersGetter has a method to return a GitHubIdentityProviderInterface. +// A group's client should implement this interface. +type GitHubIdentityProvidersGetter interface { + GitHubIdentityProviders(namespace string) GitHubIdentityProviderInterface +} + +// GitHubIdentityProviderInterface has methods to work with GitHubIdentityProvider resources. +type GitHubIdentityProviderInterface interface { + Create(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.CreateOptions) (*v1alpha1.GitHubIdentityProvider, error) + Update(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.UpdateOptions) (*v1alpha1.GitHubIdentityProvider, error) + UpdateStatus(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.UpdateOptions) (*v1alpha1.GitHubIdentityProvider, error) + Delete(ctx context.Context, name string, opts v1.DeleteOptions) error + DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error + Get(ctx context.Context, name string, opts v1.GetOptions) (*v1alpha1.GitHubIdentityProvider, error) + List(ctx context.Context, opts v1.ListOptions) (*v1alpha1.GitHubIdentityProviderList, error) + Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) + Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.GitHubIdentityProvider, err error) + GitHubIdentityProviderExpansion +} + +// gitHubIdentityProviders implements GitHubIdentityProviderInterface +type gitHubIdentityProviders struct { + client rest.Interface + ns string +} + +// newGitHubIdentityProviders returns a GitHubIdentityProviders +func newGitHubIdentityProviders(c *IDPV1alpha1Client, namespace string) *gitHubIdentityProviders { + return &gitHubIdentityProviders{ + client: c.RESTClient(), + ns: namespace, + } +} + +// Get takes name of the gitHubIdentityProvider, and returns the corresponding gitHubIdentityProvider object, and an error if there is any. +func (c *gitHubIdentityProviders) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.GitHubIdentityProvider, err error) { + result = &v1alpha1.GitHubIdentityProvider{} + err = c.client.Get(). + Namespace(c.ns). + Resource("githubidentityproviders"). + Name(name). + VersionedParams(&options, scheme.ParameterCodec). + Do(ctx). + Into(result) + return +} + +// List takes label and field selectors, and returns the list of GitHubIdentityProviders that match those selectors. +func (c *gitHubIdentityProviders) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.GitHubIdentityProviderList, err error) { + var timeout time.Duration + if opts.TimeoutSeconds != nil { + timeout = time.Duration(*opts.TimeoutSeconds) * time.Second + } + result = &v1alpha1.GitHubIdentityProviderList{} + err = c.client.Get(). + Namespace(c.ns). + Resource("githubidentityproviders"). + VersionedParams(&opts, scheme.ParameterCodec). + Timeout(timeout). + Do(ctx). + Into(result) + return +} + +// Watch returns a watch.Interface that watches the requested gitHubIdentityProviders. +func (c *gitHubIdentityProviders) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) { + var timeout time.Duration + if opts.TimeoutSeconds != nil { + timeout = time.Duration(*opts.TimeoutSeconds) * time.Second + } + opts.Watch = true + return c.client.Get(). + Namespace(c.ns). + Resource("githubidentityproviders"). + VersionedParams(&opts, scheme.ParameterCodec). + Timeout(timeout). + Watch(ctx) +} + +// Create takes the representation of a gitHubIdentityProvider and creates it. Returns the server's representation of the gitHubIdentityProvider, and an error, if there is any. +func (c *gitHubIdentityProviders) Create(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.CreateOptions) (result *v1alpha1.GitHubIdentityProvider, err error) { + result = &v1alpha1.GitHubIdentityProvider{} + err = c.client.Post(). + Namespace(c.ns). + Resource("githubidentityproviders"). + VersionedParams(&opts, scheme.ParameterCodec). + Body(gitHubIdentityProvider). + Do(ctx). + Into(result) + return +} + +// Update takes the representation of a gitHubIdentityProvider and updates it. Returns the server's representation of the gitHubIdentityProvider, and an error, if there is any. +func (c *gitHubIdentityProviders) Update(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.UpdateOptions) (result *v1alpha1.GitHubIdentityProvider, err error) { + result = &v1alpha1.GitHubIdentityProvider{} + err = c.client.Put(). + Namespace(c.ns). + Resource("githubidentityproviders"). + Name(gitHubIdentityProvider.Name). + VersionedParams(&opts, scheme.ParameterCodec). + Body(gitHubIdentityProvider). + Do(ctx). + Into(result) + return +} + +// UpdateStatus was generated because the type contains a Status member. +// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus(). +func (c *gitHubIdentityProviders) UpdateStatus(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.UpdateOptions) (result *v1alpha1.GitHubIdentityProvider, err error) { + result = &v1alpha1.GitHubIdentityProvider{} + err = c.client.Put(). + Namespace(c.ns). + Resource("githubidentityproviders"). + Name(gitHubIdentityProvider.Name). + SubResource("status"). + VersionedParams(&opts, scheme.ParameterCodec). + Body(gitHubIdentityProvider). + Do(ctx). + Into(result) + return +} + +// Delete takes name of the gitHubIdentityProvider and deletes it. Returns an error if one occurs. +func (c *gitHubIdentityProviders) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error { + return c.client.Delete(). + Namespace(c.ns). + Resource("githubidentityproviders"). + Name(name). + Body(&opts). + Do(ctx). + Error() +} + +// DeleteCollection deletes a collection of objects. +func (c *gitHubIdentityProviders) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error { + var timeout time.Duration + if listOpts.TimeoutSeconds != nil { + timeout = time.Duration(*listOpts.TimeoutSeconds) * time.Second + } + return c.client.Delete(). + Namespace(c.ns). + Resource("githubidentityproviders"). + VersionedParams(&listOpts, scheme.ParameterCodec). + Timeout(timeout). + Body(&opts). + Do(ctx). + Error() +} + +// Patch applies the patch and returns the patched gitHubIdentityProvider. +func (c *gitHubIdentityProviders) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.GitHubIdentityProvider, err error) { + result = &v1alpha1.GitHubIdentityProvider{} + err = c.client.Patch(pt). + Namespace(c.ns). + Resource("githubidentityproviders"). + Name(name). + SubResource(subresources...). + VersionedParams(&opts, scheme.ParameterCodec). + Body(data). + Do(ctx). + Into(result) + return +} diff --git a/generated/1.21/client/supervisor/clientset/versioned/typed/idp/v1alpha1/idp_client.go b/generated/1.21/client/supervisor/clientset/versioned/typed/idp/v1alpha1/idp_client.go index d4492fdcf0..284b93f25d 100644 --- a/generated/1.21/client/supervisor/clientset/versioned/typed/idp/v1alpha1/idp_client.go +++ b/generated/1.21/client/supervisor/clientset/versioned/typed/idp/v1alpha1/idp_client.go @@ -14,6 +14,7 @@ import ( type IDPV1alpha1Interface interface { RESTClient() rest.Interface ActiveDirectoryIdentityProvidersGetter + GitHubIdentityProvidersGetter LDAPIdentityProvidersGetter OIDCIdentityProvidersGetter } @@ -27,6 +28,10 @@ func (c *IDPV1alpha1Client) ActiveDirectoryIdentityProviders(namespace string) A return newActiveDirectoryIdentityProviders(c, namespace) } +func (c *IDPV1alpha1Client) GitHubIdentityProviders(namespace string) GitHubIdentityProviderInterface { + return newGitHubIdentityProviders(c, namespace) +} + func (c *IDPV1alpha1Client) LDAPIdentityProviders(namespace string) LDAPIdentityProviderInterface { return newLDAPIdentityProviders(c, namespace) } diff --git a/generated/1.21/client/supervisor/informers/externalversions/generic.go b/generated/1.21/client/supervisor/informers/externalversions/generic.go index 64054d64b8..72a954959f 100644 --- a/generated/1.21/client/supervisor/informers/externalversions/generic.go +++ b/generated/1.21/client/supervisor/informers/externalversions/generic.go @@ -49,6 +49,8 @@ func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource // Group=idp.supervisor.pinniped.dev, Version=v1alpha1 case idpv1alpha1.SchemeGroupVersion.WithResource("activedirectoryidentityproviders"): return &genericInformer{resource: resource.GroupResource(), informer: f.IDP().V1alpha1().ActiveDirectoryIdentityProviders().Informer()}, nil + case idpv1alpha1.SchemeGroupVersion.WithResource("githubidentityproviders"): + return &genericInformer{resource: resource.GroupResource(), informer: f.IDP().V1alpha1().GitHubIdentityProviders().Informer()}, nil case idpv1alpha1.SchemeGroupVersion.WithResource("ldapidentityproviders"): return &genericInformer{resource: resource.GroupResource(), informer: f.IDP().V1alpha1().LDAPIdentityProviders().Informer()}, nil case idpv1alpha1.SchemeGroupVersion.WithResource("oidcidentityproviders"): diff --git a/generated/1.21/client/supervisor/informers/externalversions/idp/v1alpha1/githubidentityprovider.go b/generated/1.21/client/supervisor/informers/externalversions/idp/v1alpha1/githubidentityprovider.go new file mode 100644 index 0000000000..aaf4559eb6 --- /dev/null +++ b/generated/1.21/client/supervisor/informers/externalversions/idp/v1alpha1/githubidentityprovider.go @@ -0,0 +1,77 @@ +// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by informer-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + "context" + time "time" + + idpv1alpha1 "go.pinniped.dev/generated/1.21/apis/supervisor/idp/v1alpha1" + versioned "go.pinniped.dev/generated/1.21/client/supervisor/clientset/versioned" + internalinterfaces "go.pinniped.dev/generated/1.21/client/supervisor/informers/externalversions/internalinterfaces" + v1alpha1 "go.pinniped.dev/generated/1.21/client/supervisor/listers/idp/v1alpha1" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + runtime "k8s.io/apimachinery/pkg/runtime" + watch "k8s.io/apimachinery/pkg/watch" + cache "k8s.io/client-go/tools/cache" +) + +// GitHubIdentityProviderInformer provides access to a shared informer and lister for +// GitHubIdentityProviders. +type GitHubIdentityProviderInformer interface { + Informer() cache.SharedIndexInformer + Lister() v1alpha1.GitHubIdentityProviderLister +} + +type gitHubIdentityProviderInformer struct { + factory internalinterfaces.SharedInformerFactory + tweakListOptions internalinterfaces.TweakListOptionsFunc + namespace string +} + +// NewGitHubIdentityProviderInformer constructs a new informer for GitHubIdentityProvider type. +// Always prefer using an informer factory to get a shared informer instead of getting an independent +// one. This reduces memory footprint and number of connections to the server. +func NewGitHubIdentityProviderInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer { + return NewFilteredGitHubIdentityProviderInformer(client, namespace, resyncPeriod, indexers, nil) +} + +// NewFilteredGitHubIdentityProviderInformer constructs a new informer for GitHubIdentityProvider type. +// Always prefer using an informer factory to get a shared informer instead of getting an independent +// one. This reduces memory footprint and number of connections to the server. +func NewFilteredGitHubIdentityProviderInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer { + return cache.NewSharedIndexInformer( + &cache.ListWatch{ + ListFunc: func(options v1.ListOptions) (runtime.Object, error) { + if tweakListOptions != nil { + tweakListOptions(&options) + } + return client.IDPV1alpha1().GitHubIdentityProviders(namespace).List(context.TODO(), options) + }, + WatchFunc: func(options v1.ListOptions) (watch.Interface, error) { + if tweakListOptions != nil { + tweakListOptions(&options) + } + return client.IDPV1alpha1().GitHubIdentityProviders(namespace).Watch(context.TODO(), options) + }, + }, + &idpv1alpha1.GitHubIdentityProvider{}, + resyncPeriod, + indexers, + ) +} + +func (f *gitHubIdentityProviderInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer { + return NewFilteredGitHubIdentityProviderInformer(client, f.namespace, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions) +} + +func (f *gitHubIdentityProviderInformer) Informer() cache.SharedIndexInformer { + return f.factory.InformerFor(&idpv1alpha1.GitHubIdentityProvider{}, f.defaultInformer) +} + +func (f *gitHubIdentityProviderInformer) Lister() v1alpha1.GitHubIdentityProviderLister { + return v1alpha1.NewGitHubIdentityProviderLister(f.Informer().GetIndexer()) +} diff --git a/generated/1.21/client/supervisor/informers/externalversions/idp/v1alpha1/interface.go b/generated/1.21/client/supervisor/informers/externalversions/idp/v1alpha1/interface.go index 4bebcc71ae..8c9ebb1758 100644 --- a/generated/1.21/client/supervisor/informers/externalversions/idp/v1alpha1/interface.go +++ b/generated/1.21/client/supervisor/informers/externalversions/idp/v1alpha1/interface.go @@ -13,6 +13,8 @@ import ( type Interface interface { // ActiveDirectoryIdentityProviders returns a ActiveDirectoryIdentityProviderInformer. ActiveDirectoryIdentityProviders() ActiveDirectoryIdentityProviderInformer + // GitHubIdentityProviders returns a GitHubIdentityProviderInformer. + GitHubIdentityProviders() GitHubIdentityProviderInformer // LDAPIdentityProviders returns a LDAPIdentityProviderInformer. LDAPIdentityProviders() LDAPIdentityProviderInformer // OIDCIdentityProviders returns a OIDCIdentityProviderInformer. @@ -35,6 +37,11 @@ func (v *version) ActiveDirectoryIdentityProviders() ActiveDirectoryIdentityProv return &activeDirectoryIdentityProviderInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions} } +// GitHubIdentityProviders returns a GitHubIdentityProviderInformer. +func (v *version) GitHubIdentityProviders() GitHubIdentityProviderInformer { + return &gitHubIdentityProviderInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions} +} + // LDAPIdentityProviders returns a LDAPIdentityProviderInformer. func (v *version) LDAPIdentityProviders() LDAPIdentityProviderInformer { return &lDAPIdentityProviderInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions} diff --git a/generated/1.21/client/supervisor/listers/idp/v1alpha1/expansion_generated.go b/generated/1.21/client/supervisor/listers/idp/v1alpha1/expansion_generated.go index b491a9e8d4..470c06abb0 100644 --- a/generated/1.21/client/supervisor/listers/idp/v1alpha1/expansion_generated.go +++ b/generated/1.21/client/supervisor/listers/idp/v1alpha1/expansion_generated.go @@ -13,6 +13,14 @@ type ActiveDirectoryIdentityProviderListerExpansion interface{} // ActiveDirectoryIdentityProviderNamespaceLister. type ActiveDirectoryIdentityProviderNamespaceListerExpansion interface{} +// GitHubIdentityProviderListerExpansion allows custom methods to be added to +// GitHubIdentityProviderLister. +type GitHubIdentityProviderListerExpansion interface{} + +// GitHubIdentityProviderNamespaceListerExpansion allows custom methods to be added to +// GitHubIdentityProviderNamespaceLister. +type GitHubIdentityProviderNamespaceListerExpansion interface{} + // LDAPIdentityProviderListerExpansion allows custom methods to be added to // LDAPIdentityProviderLister. type LDAPIdentityProviderListerExpansion interface{} diff --git a/generated/1.21/client/supervisor/listers/idp/v1alpha1/githubidentityprovider.go b/generated/1.21/client/supervisor/listers/idp/v1alpha1/githubidentityprovider.go new file mode 100644 index 0000000000..fc0eb051b2 --- /dev/null +++ b/generated/1.21/client/supervisor/listers/idp/v1alpha1/githubidentityprovider.go @@ -0,0 +1,86 @@ +// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by lister-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + v1alpha1 "go.pinniped.dev/generated/1.21/apis/supervisor/idp/v1alpha1" + "k8s.io/apimachinery/pkg/api/errors" + "k8s.io/apimachinery/pkg/labels" + "k8s.io/client-go/tools/cache" +) + +// GitHubIdentityProviderLister helps list GitHubIdentityProviders. +// All objects returned here must be treated as read-only. +type GitHubIdentityProviderLister interface { + // List lists all GitHubIdentityProviders in the indexer. + // Objects returned here must be treated as read-only. + List(selector labels.Selector) (ret []*v1alpha1.GitHubIdentityProvider, err error) + // GitHubIdentityProviders returns an object that can list and get GitHubIdentityProviders. + GitHubIdentityProviders(namespace string) GitHubIdentityProviderNamespaceLister + GitHubIdentityProviderListerExpansion +} + +// gitHubIdentityProviderLister implements the GitHubIdentityProviderLister interface. +type gitHubIdentityProviderLister struct { + indexer cache.Indexer +} + +// NewGitHubIdentityProviderLister returns a new GitHubIdentityProviderLister. +func NewGitHubIdentityProviderLister(indexer cache.Indexer) GitHubIdentityProviderLister { + return &gitHubIdentityProviderLister{indexer: indexer} +} + +// List lists all GitHubIdentityProviders in the indexer. +func (s *gitHubIdentityProviderLister) List(selector labels.Selector) (ret []*v1alpha1.GitHubIdentityProvider, err error) { + err = cache.ListAll(s.indexer, selector, func(m interface{}) { + ret = append(ret, m.(*v1alpha1.GitHubIdentityProvider)) + }) + return ret, err +} + +// GitHubIdentityProviders returns an object that can list and get GitHubIdentityProviders. +func (s *gitHubIdentityProviderLister) GitHubIdentityProviders(namespace string) GitHubIdentityProviderNamespaceLister { + return gitHubIdentityProviderNamespaceLister{indexer: s.indexer, namespace: namespace} +} + +// GitHubIdentityProviderNamespaceLister helps list and get GitHubIdentityProviders. +// All objects returned here must be treated as read-only. +type GitHubIdentityProviderNamespaceLister interface { + // List lists all GitHubIdentityProviders in the indexer for a given namespace. + // Objects returned here must be treated as read-only. + List(selector labels.Selector) (ret []*v1alpha1.GitHubIdentityProvider, err error) + // Get retrieves the GitHubIdentityProvider from the indexer for a given namespace and name. + // Objects returned here must be treated as read-only. + Get(name string) (*v1alpha1.GitHubIdentityProvider, error) + GitHubIdentityProviderNamespaceListerExpansion +} + +// gitHubIdentityProviderNamespaceLister implements the GitHubIdentityProviderNamespaceLister +// interface. +type gitHubIdentityProviderNamespaceLister struct { + indexer cache.Indexer + namespace string +} + +// List lists all GitHubIdentityProviders in the indexer for a given namespace. +func (s gitHubIdentityProviderNamespaceLister) List(selector labels.Selector) (ret []*v1alpha1.GitHubIdentityProvider, err error) { + err = cache.ListAllByNamespace(s.indexer, s.namespace, selector, func(m interface{}) { + ret = append(ret, m.(*v1alpha1.GitHubIdentityProvider)) + }) + return ret, err +} + +// Get retrieves the GitHubIdentityProvider from the indexer for a given namespace and name. +func (s gitHubIdentityProviderNamespaceLister) Get(name string) (*v1alpha1.GitHubIdentityProvider, error) { + obj, exists, err := s.indexer.GetByKey(s.namespace + "/" + name) + if err != nil { + return nil, err + } + if !exists { + return nil, errors.NewNotFound(v1alpha1.Resource("githubidentityprovider"), name) + } + return obj.(*v1alpha1.GitHubIdentityProvider), nil +} diff --git a/generated/1.21/crds/idp.supervisor.pinniped.dev_githubidentityproviders.yaml b/generated/1.21/crds/idp.supervisor.pinniped.dev_githubidentityproviders.yaml new file mode 100644 index 0000000000..8cc51b06f4 --- /dev/null +++ b/generated/1.21/crds/idp.supervisor.pinniped.dev_githubidentityproviders.yaml @@ -0,0 +1,301 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.14.0 + name: githubidentityproviders.idp.supervisor.pinniped.dev +spec: + group: idp.supervisor.pinniped.dev + names: + categories: + - pinniped + - pinniped-idp + - pinniped-idps + kind: GitHubIdentityProvider + listKind: GitHubIdentityProviderList + plural: githubidentityproviders + singular: githubidentityprovider + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.gitHubAPI.host + name: Host + type: string + - jsonPath: .status.phase + name: Status + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: |- + GitHubIdentityProvider describes the configuration of an upstream GitHub identity provider. + This upstream provider can be configured with either a GitHub App or a GitHub OAuth2 App. + + + Right now, only web-based logins are supported, for both the pinniped-cli client and clients configured + as OIDCClients. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec for configuring the identity provider. + properties: + allowedOrganizations: + description: |- + AllowedOrganizations, when specified, indicates that only users with membership in at least one of the listed + GitHub organizations may log in. In addition, the group membership presented to Kubernetes will only include + teams within the listed GitHub organizations. Additional login rules or group filtering can optionally be + provided as policy expression on any Pinniped Supervisor FederationDomain that includes this IDP. + + + The configured GitHub App or GitHub OAuth App must be allowed to see membership in the listed organizations, + otherwise Pinniped will not be aware that the user belongs to the listed organization or any teams + within that organization. + + + If no organizations are listed, you must set gitHubOrganizationLoginPolicy: AllOrganizationsAllowed + items: + type: string + type: array + claims: + description: Claims allows customization of the username and groups + claims + properties: + groups: + default: slug + description: |- + Groups configures which property of the GitHub team record shall determine the group names in Kubernetes. + + + Can be either "name" or "slug". Defaults to "slug". + + + GitHub team names can contain upper and lower case characters, whitespace, and punctuation (e.g. "Kube admins!"). + + + GitHub team slugs are lower case alphanumeric characters and may contain dashes and underscores (e.g. "kube-admins"). + + + Group names as presented to Kubernetes will always be prefixed by the GitHub organization name followed by a + forward slash (e.g. "my-org/my-team"). GitHub organization login names can only contain alphanumeric characters + or single hyphens, so the first forward slash `/` will be the separator between the organization login name and + the team name or slug. + + + If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's + FederationDomain to further customize how these group names are presented to Kubernetes. + + + See the response schema for + [List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user). + enum: + - name + - slug + type: string + username: + default: login:id + description: |- + Username configures which property of the GitHub user record shall determine the username in Kubernetes. + + + Can be either "id", "login", or "login:id". Defaults to "login:id". + + + GitHub's user login attributes can only contain alphanumeric characters and non-repeating hyphens, + and may not start or end with hyphens. GitHub users are allowed to change their login name, + although it is inconvenient. If a GitHub user changed their login name from "foo" to "bar", + then a second user might change their name from "baz" to "foo" in order to take the old + username of the first user. For this reason, it is not as safe to make authorization decisions + based only on the user's login attribute. + + + If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's + FederationDomain to further customize how these usernames are presented to Kubernetes. + + + Defaults to "login:id", which is the user login attribute, followed by a colon, followed by the unique and + unchanging integer ID number attribute. This blends human-readable login names with the unchanging ID value + from GitHub. Note that colons are not allowed in GitHub login attributes or ID numbers, so the colon in the + "login:id" name will always be the login:id separator colon. + + + See the response schema for + [Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user). + enum: + - id + - login + - login:id + type: string + required: + - groups + - username + type: object + client: + description: Client identifies the secret with credentials for a GitHub + App or GitHub OAuth2 App (a GitHub client). + properties: + secretName: + description: |- + SecretName contains the name of a namespace-local Secret object that provides the clientID and + clientSecret for an GitHub App or GitHub OAuth2 client. + + + This secret must be of type "secrets.pinniped.dev/github-client" with keys "clientID" and "clientSecret". + type: string + required: + - secretName + type: object + gitHubAPI: + default: {} + description: GitHubApi allows configuration for GitHub Enterprise + Server + properties: + host: + default: github.com + description: |- + Host is required only for GitHub Enterprise Server. + Defaults to using GitHub's public API (github.com). + type: string + tls: + description: TLS configuration for GitHub Enterprise Server. + properties: + certificateAuthorityData: + description: X.509 Certificate Authority (base64-encoded PEM + bundle). If omitted, a default set of system roots will + be trusted. + type: string + type: object + type: object + gitHubOrganizationLoginPolicy: + default: AllowedOrganizationsOnly + description: |- + GitHubOrganizationLoginPolicy must be set to "AllOrganizationsAllowed" if allowedOrganizations is empty. + + + This field only exists to ensure that Pinniped administrators are aware that an empty list of + allowedOrganizations means all GitHub users are allowed to log in. + enum: + - AllowedOrganizationsOnly + - AllOrganizationsAllowed + type: string + required: + - client + type: object + status: + description: Status of the identity provider. + properties: + conditions: + description: Conditions represents the observations of an identity + provider's current state. + items: + description: |- + Condition contains details for one aspect of the current state of this API Resource. + --- + This struct is intended for direct use as an array at the field path .status.conditions. For example, + type FooStatus struct{ + // Represents the observations of a foo's current state. + // Known .status.conditions.type are: "Available", "Progressing", and "Degraded" + // +patchMergeKey=type + // +patchStrategy=merge + // +listType=map + // +listMapKey=type + Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"` + + + // other fields + } + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + phase: + default: Pending + description: Phase summarizes the overall status of the GitHubIdentityProvider. + enum: + - Pending + - Ready + - Error + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/generated/1.22/README.adoc b/generated/1.22/README.adoc index f8943df409..fd375c5299 100644 --- a/generated/1.22/README.adoc +++ b/generated/1.22/README.adoc @@ -1366,6 +1366,199 @@ Status of an Active Directory identity provider. |=== +[id="{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-idp-v1alpha1-githubapiconfig"] +==== GitHubAPIConfig + +GitHubAPIConfig allows configuration for GitHub Enterprise Server + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-idp-v1alpha1-githubidentityproviderspec[$$GitHubIdentityProviderSpec$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`host`* __string__ | Host is required only for GitHub Enterprise Server. Defaults to using GitHub's public API (github.com). +| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-idp-v1alpha1-tlsspec[$$TLSSpec$$]__ | TLS configuration for GitHub Enterprise Server. +|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-idp-v1alpha1-githubclaims"] +==== GitHubClaims + +GitHubClaims allows customization of the username and groups claims + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-idp-v1alpha1-githubidentityproviderspec[$$GitHubIdentityProviderSpec$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`username`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-idp-v1alpha1-githubusernameattribute[$$GitHubUsernameAttribute$$]__ | Username configures which property of the GitHub user record shall determine the username in Kubernetes. + + +Can be either "id", "login", or "login:id". Defaults to "login:id". + + +GitHub's user login attributes can only contain alphanumeric characters and non-repeating hyphens, and may not start or end with hyphens. GitHub users are allowed to change their login name, although it is inconvenient. If a GitHub user changed their login name from "foo" to "bar", then a second user might change their name from "baz" to "foo" in order to take the old username of the first user. For this reason, it is not as safe to make authorization decisions based only on the user's login attribute. + + +If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's FederationDomain to further customize how these usernames are presented to Kubernetes. + + +Defaults to "login:id", which is the user login attribute, followed by a colon, followed by the unique and unchanging integer ID number attribute. This blends human-readable login names with the unchanging ID value from GitHub. Note that colons are not allowed in GitHub login attributes or ID numbers, so the colon in the "login:id" name will always be the login:id separator colon. + + +See the response schema for [Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user). +| *`groups`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-idp-v1alpha1-githubgroupnameattribute[$$GitHubGroupNameAttribute$$]__ | Groups configures which property of the GitHub team record shall determine the group names in Kubernetes. + + +Can be either "name" or "slug". Defaults to "slug". + + +GitHub team names can contain upper and lower case characters, whitespace, and punctuation (e.g. "Kube admins!"). + + +GitHub team slugs are lower case alphanumeric characters and may contain dashes and underscores (e.g. "kube-admins"). + + +Group names as presented to Kubernetes will always be prefixed by the GitHub organization name followed by a forward slash (e.g. "my-org/my-team"). GitHub organization login names can only contain alphanumeric characters or single hyphens, so the first forward slash `/` will be the separator between the organization login name and the team name or slug. + + +If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's FederationDomain to further customize how these group names are presented to Kubernetes. + + +See the response schema for [List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user). +|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-idp-v1alpha1-githubclientspec"] +==== GitHubClientSpec + +GitHubClientSpec contains information about the GitHub client that this identity provider will use for web-based login flows. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-idp-v1alpha1-githubidentityproviderspec[$$GitHubIdentityProviderSpec$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`secretName`* __string__ | SecretName contains the name of a namespace-local Secret object that provides the clientID and clientSecret for an GitHub App or GitHub OAuth2 client. + + +This secret must be of type "secrets.pinniped.dev/github-client" with keys "clientID" and "clientSecret". +|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-idp-v1alpha1-githubgroupnameattribute"] +==== GitHubGroupNameAttribute (string) + +GitHubGroupNameAttribute allows the user to specify which attribute from GitHub to use for the downstream group names. See the response schema for [List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user). + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-idp-v1alpha1-githubclaims[$$GitHubClaims$$] +**** + + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-idp-v1alpha1-githubidentityprovider"] +==== GitHubIdentityProvider + +GitHubIdentityProvider describes the configuration of an upstream GitHub identity provider. This upstream provider can be configured with either a GitHub App or a GitHub OAuth2 App. + Right now, only web-based logins are supported, for both the pinniped-cli client and clients configured as OIDCClients. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-idp-v1alpha1-githubidentityproviderlist[$$GitHubIdentityProviderList$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.22/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`. + +| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-idp-v1alpha1-githubidentityproviderspec[$$GitHubIdentityProviderSpec$$]__ | Spec for configuring the identity provider. +| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-idp-v1alpha1-githubidentityproviderstatus[$$GitHubIdentityProviderStatus$$]__ | Status of the identity provider. +|=== + + + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-idp-v1alpha1-githubidentityproviderphase"] +==== GitHubIdentityProviderPhase (string) + + + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-idp-v1alpha1-githubidentityproviderstatus[$$GitHubIdentityProviderStatus$$] +**** + + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-idp-v1alpha1-githubidentityproviderspec"] +==== GitHubIdentityProviderSpec + +GitHubIdentityProviderSpec is the spec for configuring an GitHub identity provider. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-idp-v1alpha1-githubidentityprovider[$$GitHubIdentityProvider$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`gitHubAPI`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-idp-v1alpha1-githubapiconfig[$$GitHubAPIConfig$$]__ | GitHubApi allows configuration for GitHub Enterprise Server +| *`claims`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-idp-v1alpha1-githubclaims[$$GitHubClaims$$]__ | Claims allows customization of the username and groups claims +| *`allowedOrganizations`* __string array__ | AllowedOrganizations, when specified, indicates that only users with membership in at least one of the listed GitHub organizations may log in. In addition, the group membership presented to Kubernetes will only include teams within the listed GitHub organizations. Additional login rules or group filtering can optionally be provided as policy expression on any Pinniped Supervisor FederationDomain that includes this IDP. + + +The configured GitHub App or GitHub OAuth App must be allowed to see membership in the listed organizations, otherwise Pinniped will not be aware that the user belongs to the listed organization or any teams within that organization. + + +If no organizations are listed, you must set gitHubOrganizationLoginPolicy: AllOrganizationsAllowed +| *`gitHubOrganizationLoginPolicy`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-idp-v1alpha1-githuborganizationloginpolicy[$$GitHubOrganizationLoginPolicy$$]__ | GitHubOrganizationLoginPolicy must be set to "AllOrganizationsAllowed" if allowedOrganizations is empty. + + +This field only exists to ensure that Pinniped administrators are aware that an empty list of allowedOrganizations means all GitHub users are allowed to log in. +| *`client`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-idp-v1alpha1-githubclientspec[$$GitHubClientSpec$$]__ | Client identifies the secret with credentials for a GitHub App or GitHub OAuth2 App (a GitHub client). +|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-idp-v1alpha1-githubidentityproviderstatus"] +==== GitHubIdentityProviderStatus + +GitHubIdentityProviderStatus is the status of an GitHub identity provider. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-idp-v1alpha1-githubidentityprovider[$$GitHubIdentityProvider$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`phase`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-idp-v1alpha1-githubidentityproviderphase[$$GitHubIdentityProviderPhase$$]__ | Phase summarizes the overall status of the GitHubIdentityProvider. +| *`conditions`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.22/#condition-v1-meta[$$Condition$$] array__ | Conditions represents the observations of an identity provider's current state. +|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-idp-v1alpha1-githuborganizationloginpolicy"] +==== GitHubOrganizationLoginPolicy (string) + + + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-idp-v1alpha1-githubidentityproviderspec[$$GitHubIdentityProviderSpec$$] +**** + + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-idp-v1alpha1-githubusernameattribute"] +==== GitHubUsernameAttribute (string) + +GitHubUsernameAttribute allows the user to specify which attribute(s) from GitHub to use for the downstream username. See the response schema for [Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user). + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-idp-v1alpha1-githubclaims[$$GitHubClaims$$] +**** + + + [id="{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-idp-v1alpha1-ldapidentityprovider"] ==== LDAPIdentityProvider @@ -1686,11 +1879,12 @@ Parameter is a key/value pair which represents a parameter in an HTTP request. [id="{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-idp-v1alpha1-tlsspec"] ==== TLSSpec -Configuration for TLS parameters related to identity provider integration. +TLSSpec provides TLS configuration for identity provider integration. .Appears In: **** - xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-idp-v1alpha1-activedirectoryidentityproviderspec[$$ActiveDirectoryIdentityProviderSpec$$] +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-idp-v1alpha1-githubapiconfig[$$GitHubAPIConfig$$] - xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-idp-v1alpha1-ldapidentityproviderspec[$$LDAPIdentityProviderSpec$$] - xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-idp-v1alpha1-oidcidentityproviderspec[$$OIDCIdentityProviderSpec$$] **** diff --git a/generated/1.22/apis/supervisor/idp/v1alpha1/register.go b/generated/1.22/apis/supervisor/idp/v1alpha1/register.go index 8829a86385..705be8076c 100644 --- a/generated/1.22/apis/supervisor/idp/v1alpha1/register.go +++ b/generated/1.22/apis/supervisor/idp/v1alpha1/register.go @@ -1,4 +1,4 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 package v1alpha1 @@ -36,6 +36,8 @@ func addKnownTypes(scheme *runtime.Scheme) error { &LDAPIdentityProviderList{}, &ActiveDirectoryIdentityProvider{}, &ActiveDirectoryIdentityProviderList{}, + &GitHubIdentityProvider{}, + &GitHubIdentityProviderList{}, ) metav1.AddToGroupVersion(scheme, SchemeGroupVersion) return nil diff --git a/generated/1.22/apis/supervisor/idp/v1alpha1/types_githubidentityprovider.go b/generated/1.22/apis/supervisor/idp/v1alpha1/types_githubidentityprovider.go new file mode 100644 index 0000000000..92bd19724b --- /dev/null +++ b/generated/1.22/apis/supervisor/idp/v1alpha1/types_githubidentityprovider.go @@ -0,0 +1,231 @@ +// Copyright 2024 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +package v1alpha1 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" +) + +type GitHubIdentityProviderPhase string + +const ( + // GitHubPhasePending is the default phase for newly-created GitHubIdentityProvider resources. + GitHubPhasePending GitHubIdentityProviderPhase = "Pending" + + // GitHubPhaseReady is the phase for an GitHubIdentityProvider resource in a healthy state. + GitHubPhaseReady GitHubIdentityProviderPhase = "Ready" + + // GitHubPhaseError is the phase for an GitHubIdentityProvider in an unhealthy state. + GitHubPhaseError GitHubIdentityProviderPhase = "Error" +) + +type GitHubOrganizationLoginPolicy string + +const ( + // GitHubOrganizationLoginPolicyAllOrgsAllowed means any GitHub user is allowed to log in using this identity + // provider, regardless of their organization membership or lack thereof. + GitHubOrganizationLoginPolicyAllOrgsAllowed GitHubOrganizationLoginPolicy = "AllOrganizationsAllowed" + + // GitHubOrganizationLoginPolicyAllowedOrgsOnly means only those users with membership in the listed GitHub + // organizations are allowed to log in. + GitHubOrganizationLoginPolicyAllowedOrgsOnly GitHubOrganizationLoginPolicy = "AllowedOrganizationsOnly" +) + +// GitHubIdentityProviderStatus is the status of an GitHub identity provider. +type GitHubIdentityProviderStatus struct { + // Phase summarizes the overall status of the GitHubIdentityProvider. + // + // +kubebuilder:default=Pending + // +kubebuilder:validation:Enum=Pending;Ready;Error + Phase GitHubIdentityProviderPhase `json:"phase,omitempty"` + + // Conditions represents the observations of an identity provider's current state. + // + // +patchMergeKey=type + // +patchStrategy=merge + // +listType=map + // +listMapKey=type + Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"` +} + +// GitHubAPIConfig allows configuration for GitHub Enterprise Server +type GitHubAPIConfig struct { + // Host is required only for GitHub Enterprise Server. + // Defaults to using GitHub's public API (github.com). + // + // +kubebuilder:default="github.com" + // +optional + Host string `json:"host"` + + // TLS configuration for GitHub Enterprise Server. + // + // +optional + TLS *TLSSpec `json:"tls,omitempty"` +} + +// GitHubUsernameAttribute allows the user to specify which attribute(s) from GitHub to use for the downstream username. +// See the response schema for +// [Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user). +type GitHubUsernameAttribute string + +const ( + // GitHubUsernameID specifies using the `id` attribute from the GitHub user as the downstream username. + GitHubUsernameID GitHubUsernameAttribute = "id" + + // GitHubUsernameLogin specifies using the `login` attribute from the GitHub user as the downstream username. + GitHubUsernameLogin GitHubUsernameAttribute = "login" + + // GitHubUsernameLoginAndID specifies combining the `login` and `id` attributes from the GitHub user as the + // downstream username, separated by a colon. Example: "my-login:1234" + GitHubUsernameLoginAndID GitHubUsernameAttribute = "login:id" +) + +// GitHubGroupNameAttribute allows the user to specify which attribute from GitHub to use for the downstream group +// names. See the response schema for +// [List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user). +type GitHubGroupNameAttribute string + +const ( + // GitHubUseTeamNameForGrouypName specifies using the GitHub team's `name` attribute as the downstream group name. + GitHubUseTeamNameForGrouypName GitHubGroupNameAttribute = "name" + + // GitHubUseTeamSlugForGroupName specifies using the GitHub team's `slug` attribute as the downstream group name. + GitHubUseTeamSlugForGroupName GitHubGroupNameAttribute = "slug" +) + +// GitHubClaims allows customization of the username and groups claims +type GitHubClaims struct { + // Username configures which property of the GitHub user record shall determine the username in Kubernetes. + // + // Can be either "id", "login", or "login:id". Defaults to "login:id". + // + // GitHub's user login attributes can only contain alphanumeric characters and non-repeating hyphens, + // and may not start or end with hyphens. GitHub users are allowed to change their login name, + // although it is inconvenient. If a GitHub user changed their login name from "foo" to "bar", + // then a second user might change their name from "baz" to "foo" in order to take the old + // username of the first user. For this reason, it is not as safe to make authorization decisions + // based only on the user's login attribute. + // + // If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's + // FederationDomain to further customize how these usernames are presented to Kubernetes. + // + // Defaults to "login:id", which is the user login attribute, followed by a colon, followed by the unique and + // unchanging integer ID number attribute. This blends human-readable login names with the unchanging ID value + // from GitHub. Note that colons are not allowed in GitHub login attributes or ID numbers, so the colon in the + // "login:id" name will always be the login:id separator colon. + // + // See the response schema for + // [Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user). + // + // +kubebuilder:default="login:id" + // +kubebuilder:validation:Enum={"id","login","login:id"} + Username GitHubUsernameAttribute `json:"username"` + + // Groups configures which property of the GitHub team record shall determine the group names in Kubernetes. + // + // Can be either "name" or "slug". Defaults to "slug". + // + // GitHub team names can contain upper and lower case characters, whitespace, and punctuation (e.g. "Kube admins!"). + // + // GitHub team slugs are lower case alphanumeric characters and may contain dashes and underscores (e.g. "kube-admins"). + // + // Group names as presented to Kubernetes will always be prefixed by the GitHub organization name followed by a + // forward slash (e.g. "my-org/my-team"). GitHub organization login names can only contain alphanumeric characters + // or single hyphens, so the first forward slash `/` will be the separator between the organization login name and + // the team name or slug. + // + // If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's + // FederationDomain to further customize how these group names are presented to Kubernetes. + // + // See the response schema for + // [List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user). + // + // +kubebuilder:default=slug + // +kubebuilder:validation:Enum=name;slug + Groups GitHubGroupNameAttribute `json:"groups"` +} + +// GitHubClientSpec contains information about the GitHub client that this identity provider will use +// for web-based login flows. +type GitHubClientSpec struct { + // SecretName contains the name of a namespace-local Secret object that provides the clientID and + // clientSecret for an GitHub App or GitHub OAuth2 client. + // + // This secret must be of type "secrets.pinniped.dev/github-client" with keys "clientID" and "clientSecret". + SecretName string `json:"secretName"` +} + +// GitHubIdentityProviderSpec is the spec for configuring an GitHub identity provider. +type GitHubIdentityProviderSpec struct { + // GitHubApi allows configuration for GitHub Enterprise Server + // + // +kubebuilder:default={} + GitHubApi GitHubAPIConfig `json:"gitHubAPI,omitempty"` + + // Claims allows customization of the username and groups claims + // + // +optional + Claims GitHubClaims `json:"claims,omitempty"` + + // AllowedOrganizations, when specified, indicates that only users with membership in at least one of the listed + // GitHub organizations may log in. In addition, the group membership presented to Kubernetes will only include + // teams within the listed GitHub organizations. Additional login rules or group filtering can optionally be + // provided as policy expression on any Pinniped Supervisor FederationDomain that includes this IDP. + // + // The configured GitHub App or GitHub OAuth App must be allowed to see membership in the listed organizations, + // otherwise Pinniped will not be aware that the user belongs to the listed organization or any teams + // within that organization. + // + // If no organizations are listed, you must set gitHubOrganizationLoginPolicy: AllOrganizationsAllowed + // + // +optional + AllowedOrganizations []string `json:"allowedOrganizations,omitempty"` + + // GitHubOrganizationLoginPolicy must be set to "AllOrganizationsAllowed" if allowedOrganizations is empty. + // + // This field only exists to ensure that Pinniped administrators are aware that an empty list of + // allowedOrganizations means all GitHub users are allowed to log in. + // + // +kubebuilder:default=AllowedOrganizationsOnly + // +kubebuilder:validation:Enum=AllowedOrganizationsOnly;AllOrganizationsAllowed + // +optional + GitHubOrganizationLoginPolicy GitHubOrganizationLoginPolicy `json:"gitHubOrganizationLoginPolicy"` + + // Client identifies the secret with credentials for a GitHub App or GitHub OAuth2 App (a GitHub client). + Client GitHubClientSpec `json:"client"` +} + +// GitHubIdentityProvider describes the configuration of an upstream GitHub identity provider. +// This upstream provider can be configured with either a GitHub App or a GitHub OAuth2 App. +// +// Right now, only web-based logins are supported, for both the pinniped-cli client and clients configured +// as OIDCClients. +// +// +genclient +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +// +kubebuilder:resource:categories=pinniped;pinniped-idp;pinniped-idps +// +kubebuilder:printcolumn:name="Host",type=string,JSONPath=`.spec.gitHubAPI.host` +// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.phase` +// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp` +// +kubebuilder:subresource:status +type GitHubIdentityProvider struct { + metav1.TypeMeta `json:",inline"` + metav1.ObjectMeta `json:"metadata,omitempty"` + + // Spec for configuring the identity provider. + Spec GitHubIdentityProviderSpec `json:"spec"` + + // Status of the identity provider. + Status GitHubIdentityProviderStatus `json:"status,omitempty"` +} + +// GitHubIdentityProviderList lists GitHubIdentityProvider objects. +// +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +type GitHubIdentityProviderList struct { + metav1.TypeMeta `json:",inline"` + metav1.ListMeta `json:"metadata,omitempty"` + + Items []GitHubIdentityProvider `json:"items"` +} diff --git a/generated/1.22/apis/supervisor/idp/v1alpha1/types_tls.go b/generated/1.22/apis/supervisor/idp/v1alpha1/types_tls.go index 1413a262cc..49b49373cd 100644 --- a/generated/1.22/apis/supervisor/idp/v1alpha1/types_tls.go +++ b/generated/1.22/apis/supervisor/idp/v1alpha1/types_tls.go @@ -1,9 +1,9 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 package v1alpha1 -// Configuration for TLS parameters related to identity provider integration. +// TLSSpec provides TLS configuration for identity provider integration. type TLSSpec struct { // X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted. // +optional diff --git a/generated/1.22/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go b/generated/1.22/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go index b0cb168b54..724643e7c2 100644 --- a/generated/1.22/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go +++ b/generated/1.22/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go @@ -203,6 +203,167 @@ func (in *ActiveDirectoryIdentityProviderUserSearchAttributes) DeepCopy() *Activ return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *GitHubAPIConfig) DeepCopyInto(out *GitHubAPIConfig) { + *out = *in + if in.TLS != nil { + in, out := &in.TLS, &out.TLS + *out = new(TLSSpec) + **out = **in + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubAPIConfig. +func (in *GitHubAPIConfig) DeepCopy() *GitHubAPIConfig { + if in == nil { + return nil + } + out := new(GitHubAPIConfig) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *GitHubClaims) DeepCopyInto(out *GitHubClaims) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubClaims. +func (in *GitHubClaims) DeepCopy() *GitHubClaims { + if in == nil { + return nil + } + out := new(GitHubClaims) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *GitHubClientSpec) DeepCopyInto(out *GitHubClientSpec) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubClientSpec. +func (in *GitHubClientSpec) DeepCopy() *GitHubClientSpec { + if in == nil { + return nil + } + out := new(GitHubClientSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *GitHubIdentityProvider) DeepCopyInto(out *GitHubIdentityProvider) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + in.Spec.DeepCopyInto(&out.Spec) + in.Status.DeepCopyInto(&out.Status) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubIdentityProvider. +func (in *GitHubIdentityProvider) DeepCopy() *GitHubIdentityProvider { + if in == nil { + return nil + } + out := new(GitHubIdentityProvider) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *GitHubIdentityProvider) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *GitHubIdentityProviderList) DeepCopyInto(out *GitHubIdentityProviderList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]GitHubIdentityProvider, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubIdentityProviderList. +func (in *GitHubIdentityProviderList) DeepCopy() *GitHubIdentityProviderList { + if in == nil { + return nil + } + out := new(GitHubIdentityProviderList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *GitHubIdentityProviderList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *GitHubIdentityProviderSpec) DeepCopyInto(out *GitHubIdentityProviderSpec) { + *out = *in + in.GitHubApi.DeepCopyInto(&out.GitHubApi) + out.Claims = in.Claims + if in.AllowedOrganizations != nil { + in, out := &in.AllowedOrganizations, &out.AllowedOrganizations + *out = make([]string, len(*in)) + copy(*out, *in) + } + out.Client = in.Client + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubIdentityProviderSpec. +func (in *GitHubIdentityProviderSpec) DeepCopy() *GitHubIdentityProviderSpec { + if in == nil { + return nil + } + out := new(GitHubIdentityProviderSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *GitHubIdentityProviderStatus) DeepCopyInto(out *GitHubIdentityProviderStatus) { + *out = *in + if in.Conditions != nil { + in, out := &in.Conditions, &out.Conditions + *out = make([]v1.Condition, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubIdentityProviderStatus. +func (in *GitHubIdentityProviderStatus) DeepCopy() *GitHubIdentityProviderStatus { + if in == nil { + return nil + } + out := new(GitHubIdentityProviderStatus) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *LDAPIdentityProvider) DeepCopyInto(out *LDAPIdentityProvider) { *out = *in diff --git a/generated/1.22/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_githubidentityprovider.go b/generated/1.22/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_githubidentityprovider.go new file mode 100644 index 0000000000..15b3395ceb --- /dev/null +++ b/generated/1.22/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_githubidentityprovider.go @@ -0,0 +1,129 @@ +// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package fake + +import ( + "context" + + v1alpha1 "go.pinniped.dev/generated/1.22/apis/supervisor/idp/v1alpha1" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + labels "k8s.io/apimachinery/pkg/labels" + schema "k8s.io/apimachinery/pkg/runtime/schema" + types "k8s.io/apimachinery/pkg/types" + watch "k8s.io/apimachinery/pkg/watch" + testing "k8s.io/client-go/testing" +) + +// FakeGitHubIdentityProviders implements GitHubIdentityProviderInterface +type FakeGitHubIdentityProviders struct { + Fake *FakeIDPV1alpha1 + ns string +} + +var githubidentityprovidersResource = schema.GroupVersionResource{Group: "idp.supervisor.pinniped.dev", Version: "v1alpha1", Resource: "githubidentityproviders"} + +var githubidentityprovidersKind = schema.GroupVersionKind{Group: "idp.supervisor.pinniped.dev", Version: "v1alpha1", Kind: "GitHubIdentityProvider"} + +// Get takes name of the gitHubIdentityProvider, and returns the corresponding gitHubIdentityProvider object, and an error if there is any. +func (c *FakeGitHubIdentityProviders) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.GitHubIdentityProvider, err error) { + obj, err := c.Fake. + Invokes(testing.NewGetAction(githubidentityprovidersResource, c.ns, name), &v1alpha1.GitHubIdentityProvider{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.GitHubIdentityProvider), err +} + +// List takes label and field selectors, and returns the list of GitHubIdentityProviders that match those selectors. +func (c *FakeGitHubIdentityProviders) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.GitHubIdentityProviderList, err error) { + obj, err := c.Fake. + Invokes(testing.NewListAction(githubidentityprovidersResource, githubidentityprovidersKind, c.ns, opts), &v1alpha1.GitHubIdentityProviderList{}) + + if obj == nil { + return nil, err + } + + label, _, _ := testing.ExtractFromListOptions(opts) + if label == nil { + label = labels.Everything() + } + list := &v1alpha1.GitHubIdentityProviderList{ListMeta: obj.(*v1alpha1.GitHubIdentityProviderList).ListMeta} + for _, item := range obj.(*v1alpha1.GitHubIdentityProviderList).Items { + if label.Matches(labels.Set(item.Labels)) { + list.Items = append(list.Items, item) + } + } + return list, err +} + +// Watch returns a watch.Interface that watches the requested gitHubIdentityProviders. +func (c *FakeGitHubIdentityProviders) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) { + return c.Fake. + InvokesWatch(testing.NewWatchAction(githubidentityprovidersResource, c.ns, opts)) + +} + +// Create takes the representation of a gitHubIdentityProvider and creates it. Returns the server's representation of the gitHubIdentityProvider, and an error, if there is any. +func (c *FakeGitHubIdentityProviders) Create(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.CreateOptions) (result *v1alpha1.GitHubIdentityProvider, err error) { + obj, err := c.Fake. + Invokes(testing.NewCreateAction(githubidentityprovidersResource, c.ns, gitHubIdentityProvider), &v1alpha1.GitHubIdentityProvider{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.GitHubIdentityProvider), err +} + +// Update takes the representation of a gitHubIdentityProvider and updates it. Returns the server's representation of the gitHubIdentityProvider, and an error, if there is any. +func (c *FakeGitHubIdentityProviders) Update(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.UpdateOptions) (result *v1alpha1.GitHubIdentityProvider, err error) { + obj, err := c.Fake. + Invokes(testing.NewUpdateAction(githubidentityprovidersResource, c.ns, gitHubIdentityProvider), &v1alpha1.GitHubIdentityProvider{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.GitHubIdentityProvider), err +} + +// UpdateStatus was generated because the type contains a Status member. +// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus(). +func (c *FakeGitHubIdentityProviders) UpdateStatus(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.UpdateOptions) (*v1alpha1.GitHubIdentityProvider, error) { + obj, err := c.Fake. + Invokes(testing.NewUpdateSubresourceAction(githubidentityprovidersResource, "status", c.ns, gitHubIdentityProvider), &v1alpha1.GitHubIdentityProvider{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.GitHubIdentityProvider), err +} + +// Delete takes name of the gitHubIdentityProvider and deletes it. Returns an error if one occurs. +func (c *FakeGitHubIdentityProviders) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error { + _, err := c.Fake. + Invokes(testing.NewDeleteAction(githubidentityprovidersResource, c.ns, name), &v1alpha1.GitHubIdentityProvider{}) + + return err +} + +// DeleteCollection deletes a collection of objects. +func (c *FakeGitHubIdentityProviders) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error { + action := testing.NewDeleteCollectionAction(githubidentityprovidersResource, c.ns, listOpts) + + _, err := c.Fake.Invokes(action, &v1alpha1.GitHubIdentityProviderList{}) + return err +} + +// Patch applies the patch and returns the patched gitHubIdentityProvider. +func (c *FakeGitHubIdentityProviders) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.GitHubIdentityProvider, err error) { + obj, err := c.Fake. + Invokes(testing.NewPatchSubresourceAction(githubidentityprovidersResource, c.ns, name, pt, data, subresources...), &v1alpha1.GitHubIdentityProvider{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.GitHubIdentityProvider), err +} diff --git a/generated/1.22/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_idp_client.go b/generated/1.22/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_idp_client.go index 510424f40d..e237120198 100644 --- a/generated/1.22/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_idp_client.go +++ b/generated/1.22/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_idp_client.go @@ -19,6 +19,10 @@ func (c *FakeIDPV1alpha1) ActiveDirectoryIdentityProviders(namespace string) v1a return &FakeActiveDirectoryIdentityProviders{c, namespace} } +func (c *FakeIDPV1alpha1) GitHubIdentityProviders(namespace string) v1alpha1.GitHubIdentityProviderInterface { + return &FakeGitHubIdentityProviders{c, namespace} +} + func (c *FakeIDPV1alpha1) LDAPIdentityProviders(namespace string) v1alpha1.LDAPIdentityProviderInterface { return &FakeLDAPIdentityProviders{c, namespace} } diff --git a/generated/1.22/client/supervisor/clientset/versioned/typed/idp/v1alpha1/generated_expansion.go b/generated/1.22/client/supervisor/clientset/versioned/typed/idp/v1alpha1/generated_expansion.go index 79be098d6c..a7acc8120f 100644 --- a/generated/1.22/client/supervisor/clientset/versioned/typed/idp/v1alpha1/generated_expansion.go +++ b/generated/1.22/client/supervisor/clientset/versioned/typed/idp/v1alpha1/generated_expansion.go @@ -7,6 +7,8 @@ package v1alpha1 type ActiveDirectoryIdentityProviderExpansion interface{} +type GitHubIdentityProviderExpansion interface{} + type LDAPIdentityProviderExpansion interface{} type OIDCIdentityProviderExpansion interface{} diff --git a/generated/1.22/client/supervisor/clientset/versioned/typed/idp/v1alpha1/githubidentityprovider.go b/generated/1.22/client/supervisor/clientset/versioned/typed/idp/v1alpha1/githubidentityprovider.go new file mode 100644 index 0000000000..30b6147791 --- /dev/null +++ b/generated/1.22/client/supervisor/clientset/versioned/typed/idp/v1alpha1/githubidentityprovider.go @@ -0,0 +1,182 @@ +// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + "context" + "time" + + v1alpha1 "go.pinniped.dev/generated/1.22/apis/supervisor/idp/v1alpha1" + scheme "go.pinniped.dev/generated/1.22/client/supervisor/clientset/versioned/scheme" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + types "k8s.io/apimachinery/pkg/types" + watch "k8s.io/apimachinery/pkg/watch" + rest "k8s.io/client-go/rest" +) + +// GitHubIdentityProvidersGetter has a method to return a GitHubIdentityProviderInterface. +// A group's client should implement this interface. +type GitHubIdentityProvidersGetter interface { + GitHubIdentityProviders(namespace string) GitHubIdentityProviderInterface +} + +// GitHubIdentityProviderInterface has methods to work with GitHubIdentityProvider resources. +type GitHubIdentityProviderInterface interface { + Create(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.CreateOptions) (*v1alpha1.GitHubIdentityProvider, error) + Update(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.UpdateOptions) (*v1alpha1.GitHubIdentityProvider, error) + UpdateStatus(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.UpdateOptions) (*v1alpha1.GitHubIdentityProvider, error) + Delete(ctx context.Context, name string, opts v1.DeleteOptions) error + DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error + Get(ctx context.Context, name string, opts v1.GetOptions) (*v1alpha1.GitHubIdentityProvider, error) + List(ctx context.Context, opts v1.ListOptions) (*v1alpha1.GitHubIdentityProviderList, error) + Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) + Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.GitHubIdentityProvider, err error) + GitHubIdentityProviderExpansion +} + +// gitHubIdentityProviders implements GitHubIdentityProviderInterface +type gitHubIdentityProviders struct { + client rest.Interface + ns string +} + +// newGitHubIdentityProviders returns a GitHubIdentityProviders +func newGitHubIdentityProviders(c *IDPV1alpha1Client, namespace string) *gitHubIdentityProviders { + return &gitHubIdentityProviders{ + client: c.RESTClient(), + ns: namespace, + } +} + +// Get takes name of the gitHubIdentityProvider, and returns the corresponding gitHubIdentityProvider object, and an error if there is any. +func (c *gitHubIdentityProviders) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.GitHubIdentityProvider, err error) { + result = &v1alpha1.GitHubIdentityProvider{} + err = c.client.Get(). + Namespace(c.ns). + Resource("githubidentityproviders"). + Name(name). + VersionedParams(&options, scheme.ParameterCodec). + Do(ctx). + Into(result) + return +} + +// List takes label and field selectors, and returns the list of GitHubIdentityProviders that match those selectors. +func (c *gitHubIdentityProviders) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.GitHubIdentityProviderList, err error) { + var timeout time.Duration + if opts.TimeoutSeconds != nil { + timeout = time.Duration(*opts.TimeoutSeconds) * time.Second + } + result = &v1alpha1.GitHubIdentityProviderList{} + err = c.client.Get(). + Namespace(c.ns). + Resource("githubidentityproviders"). + VersionedParams(&opts, scheme.ParameterCodec). + Timeout(timeout). + Do(ctx). + Into(result) + return +} + +// Watch returns a watch.Interface that watches the requested gitHubIdentityProviders. +func (c *gitHubIdentityProviders) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) { + var timeout time.Duration + if opts.TimeoutSeconds != nil { + timeout = time.Duration(*opts.TimeoutSeconds) * time.Second + } + opts.Watch = true + return c.client.Get(). + Namespace(c.ns). + Resource("githubidentityproviders"). + VersionedParams(&opts, scheme.ParameterCodec). + Timeout(timeout). + Watch(ctx) +} + +// Create takes the representation of a gitHubIdentityProvider and creates it. Returns the server's representation of the gitHubIdentityProvider, and an error, if there is any. +func (c *gitHubIdentityProviders) Create(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.CreateOptions) (result *v1alpha1.GitHubIdentityProvider, err error) { + result = &v1alpha1.GitHubIdentityProvider{} + err = c.client.Post(). + Namespace(c.ns). + Resource("githubidentityproviders"). + VersionedParams(&opts, scheme.ParameterCodec). + Body(gitHubIdentityProvider). + Do(ctx). + Into(result) + return +} + +// Update takes the representation of a gitHubIdentityProvider and updates it. Returns the server's representation of the gitHubIdentityProvider, and an error, if there is any. +func (c *gitHubIdentityProviders) Update(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.UpdateOptions) (result *v1alpha1.GitHubIdentityProvider, err error) { + result = &v1alpha1.GitHubIdentityProvider{} + err = c.client.Put(). + Namespace(c.ns). + Resource("githubidentityproviders"). + Name(gitHubIdentityProvider.Name). + VersionedParams(&opts, scheme.ParameterCodec). + Body(gitHubIdentityProvider). + Do(ctx). + Into(result) + return +} + +// UpdateStatus was generated because the type contains a Status member. +// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus(). +func (c *gitHubIdentityProviders) UpdateStatus(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.UpdateOptions) (result *v1alpha1.GitHubIdentityProvider, err error) { + result = &v1alpha1.GitHubIdentityProvider{} + err = c.client.Put(). + Namespace(c.ns). + Resource("githubidentityproviders"). + Name(gitHubIdentityProvider.Name). + SubResource("status"). + VersionedParams(&opts, scheme.ParameterCodec). + Body(gitHubIdentityProvider). + Do(ctx). + Into(result) + return +} + +// Delete takes name of the gitHubIdentityProvider and deletes it. Returns an error if one occurs. +func (c *gitHubIdentityProviders) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error { + return c.client.Delete(). + Namespace(c.ns). + Resource("githubidentityproviders"). + Name(name). + Body(&opts). + Do(ctx). + Error() +} + +// DeleteCollection deletes a collection of objects. +func (c *gitHubIdentityProviders) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error { + var timeout time.Duration + if listOpts.TimeoutSeconds != nil { + timeout = time.Duration(*listOpts.TimeoutSeconds) * time.Second + } + return c.client.Delete(). + Namespace(c.ns). + Resource("githubidentityproviders"). + VersionedParams(&listOpts, scheme.ParameterCodec). + Timeout(timeout). + Body(&opts). + Do(ctx). + Error() +} + +// Patch applies the patch and returns the patched gitHubIdentityProvider. +func (c *gitHubIdentityProviders) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.GitHubIdentityProvider, err error) { + result = &v1alpha1.GitHubIdentityProvider{} + err = c.client.Patch(pt). + Namespace(c.ns). + Resource("githubidentityproviders"). + Name(name). + SubResource(subresources...). + VersionedParams(&opts, scheme.ParameterCodec). + Body(data). + Do(ctx). + Into(result) + return +} diff --git a/generated/1.22/client/supervisor/clientset/versioned/typed/idp/v1alpha1/idp_client.go b/generated/1.22/client/supervisor/clientset/versioned/typed/idp/v1alpha1/idp_client.go index 297d8dd8e1..c28811807c 100644 --- a/generated/1.22/client/supervisor/clientset/versioned/typed/idp/v1alpha1/idp_client.go +++ b/generated/1.22/client/supervisor/clientset/versioned/typed/idp/v1alpha1/idp_client.go @@ -14,6 +14,7 @@ import ( type IDPV1alpha1Interface interface { RESTClient() rest.Interface ActiveDirectoryIdentityProvidersGetter + GitHubIdentityProvidersGetter LDAPIdentityProvidersGetter OIDCIdentityProvidersGetter } @@ -27,6 +28,10 @@ func (c *IDPV1alpha1Client) ActiveDirectoryIdentityProviders(namespace string) A return newActiveDirectoryIdentityProviders(c, namespace) } +func (c *IDPV1alpha1Client) GitHubIdentityProviders(namespace string) GitHubIdentityProviderInterface { + return newGitHubIdentityProviders(c, namespace) +} + func (c *IDPV1alpha1Client) LDAPIdentityProviders(namespace string) LDAPIdentityProviderInterface { return newLDAPIdentityProviders(c, namespace) } diff --git a/generated/1.22/client/supervisor/informers/externalversions/generic.go b/generated/1.22/client/supervisor/informers/externalversions/generic.go index 476951729d..d1c5950307 100644 --- a/generated/1.22/client/supervisor/informers/externalversions/generic.go +++ b/generated/1.22/client/supervisor/informers/externalversions/generic.go @@ -49,6 +49,8 @@ func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource // Group=idp.supervisor.pinniped.dev, Version=v1alpha1 case idpv1alpha1.SchemeGroupVersion.WithResource("activedirectoryidentityproviders"): return &genericInformer{resource: resource.GroupResource(), informer: f.IDP().V1alpha1().ActiveDirectoryIdentityProviders().Informer()}, nil + case idpv1alpha1.SchemeGroupVersion.WithResource("githubidentityproviders"): + return &genericInformer{resource: resource.GroupResource(), informer: f.IDP().V1alpha1().GitHubIdentityProviders().Informer()}, nil case idpv1alpha1.SchemeGroupVersion.WithResource("ldapidentityproviders"): return &genericInformer{resource: resource.GroupResource(), informer: f.IDP().V1alpha1().LDAPIdentityProviders().Informer()}, nil case idpv1alpha1.SchemeGroupVersion.WithResource("oidcidentityproviders"): diff --git a/generated/1.22/client/supervisor/informers/externalversions/idp/v1alpha1/githubidentityprovider.go b/generated/1.22/client/supervisor/informers/externalversions/idp/v1alpha1/githubidentityprovider.go new file mode 100644 index 0000000000..a480860fbc --- /dev/null +++ b/generated/1.22/client/supervisor/informers/externalversions/idp/v1alpha1/githubidentityprovider.go @@ -0,0 +1,77 @@ +// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by informer-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + "context" + time "time" + + idpv1alpha1 "go.pinniped.dev/generated/1.22/apis/supervisor/idp/v1alpha1" + versioned "go.pinniped.dev/generated/1.22/client/supervisor/clientset/versioned" + internalinterfaces "go.pinniped.dev/generated/1.22/client/supervisor/informers/externalversions/internalinterfaces" + v1alpha1 "go.pinniped.dev/generated/1.22/client/supervisor/listers/idp/v1alpha1" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + runtime "k8s.io/apimachinery/pkg/runtime" + watch "k8s.io/apimachinery/pkg/watch" + cache "k8s.io/client-go/tools/cache" +) + +// GitHubIdentityProviderInformer provides access to a shared informer and lister for +// GitHubIdentityProviders. +type GitHubIdentityProviderInformer interface { + Informer() cache.SharedIndexInformer + Lister() v1alpha1.GitHubIdentityProviderLister +} + +type gitHubIdentityProviderInformer struct { + factory internalinterfaces.SharedInformerFactory + tweakListOptions internalinterfaces.TweakListOptionsFunc + namespace string +} + +// NewGitHubIdentityProviderInformer constructs a new informer for GitHubIdentityProvider type. +// Always prefer using an informer factory to get a shared informer instead of getting an independent +// one. This reduces memory footprint and number of connections to the server. +func NewGitHubIdentityProviderInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer { + return NewFilteredGitHubIdentityProviderInformer(client, namespace, resyncPeriod, indexers, nil) +} + +// NewFilteredGitHubIdentityProviderInformer constructs a new informer for GitHubIdentityProvider type. +// Always prefer using an informer factory to get a shared informer instead of getting an independent +// one. This reduces memory footprint and number of connections to the server. +func NewFilteredGitHubIdentityProviderInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer { + return cache.NewSharedIndexInformer( + &cache.ListWatch{ + ListFunc: func(options v1.ListOptions) (runtime.Object, error) { + if tweakListOptions != nil { + tweakListOptions(&options) + } + return client.IDPV1alpha1().GitHubIdentityProviders(namespace).List(context.TODO(), options) + }, + WatchFunc: func(options v1.ListOptions) (watch.Interface, error) { + if tweakListOptions != nil { + tweakListOptions(&options) + } + return client.IDPV1alpha1().GitHubIdentityProviders(namespace).Watch(context.TODO(), options) + }, + }, + &idpv1alpha1.GitHubIdentityProvider{}, + resyncPeriod, + indexers, + ) +} + +func (f *gitHubIdentityProviderInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer { + return NewFilteredGitHubIdentityProviderInformer(client, f.namespace, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions) +} + +func (f *gitHubIdentityProviderInformer) Informer() cache.SharedIndexInformer { + return f.factory.InformerFor(&idpv1alpha1.GitHubIdentityProvider{}, f.defaultInformer) +} + +func (f *gitHubIdentityProviderInformer) Lister() v1alpha1.GitHubIdentityProviderLister { + return v1alpha1.NewGitHubIdentityProviderLister(f.Informer().GetIndexer()) +} diff --git a/generated/1.22/client/supervisor/informers/externalversions/idp/v1alpha1/interface.go b/generated/1.22/client/supervisor/informers/externalversions/idp/v1alpha1/interface.go index 2ad60604b6..c71d10967d 100644 --- a/generated/1.22/client/supervisor/informers/externalversions/idp/v1alpha1/interface.go +++ b/generated/1.22/client/supervisor/informers/externalversions/idp/v1alpha1/interface.go @@ -13,6 +13,8 @@ import ( type Interface interface { // ActiveDirectoryIdentityProviders returns a ActiveDirectoryIdentityProviderInformer. ActiveDirectoryIdentityProviders() ActiveDirectoryIdentityProviderInformer + // GitHubIdentityProviders returns a GitHubIdentityProviderInformer. + GitHubIdentityProviders() GitHubIdentityProviderInformer // LDAPIdentityProviders returns a LDAPIdentityProviderInformer. LDAPIdentityProviders() LDAPIdentityProviderInformer // OIDCIdentityProviders returns a OIDCIdentityProviderInformer. @@ -35,6 +37,11 @@ func (v *version) ActiveDirectoryIdentityProviders() ActiveDirectoryIdentityProv return &activeDirectoryIdentityProviderInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions} } +// GitHubIdentityProviders returns a GitHubIdentityProviderInformer. +func (v *version) GitHubIdentityProviders() GitHubIdentityProviderInformer { + return &gitHubIdentityProviderInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions} +} + // LDAPIdentityProviders returns a LDAPIdentityProviderInformer. func (v *version) LDAPIdentityProviders() LDAPIdentityProviderInformer { return &lDAPIdentityProviderInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions} diff --git a/generated/1.22/client/supervisor/listers/idp/v1alpha1/expansion_generated.go b/generated/1.22/client/supervisor/listers/idp/v1alpha1/expansion_generated.go index b491a9e8d4..470c06abb0 100644 --- a/generated/1.22/client/supervisor/listers/idp/v1alpha1/expansion_generated.go +++ b/generated/1.22/client/supervisor/listers/idp/v1alpha1/expansion_generated.go @@ -13,6 +13,14 @@ type ActiveDirectoryIdentityProviderListerExpansion interface{} // ActiveDirectoryIdentityProviderNamespaceLister. type ActiveDirectoryIdentityProviderNamespaceListerExpansion interface{} +// GitHubIdentityProviderListerExpansion allows custom methods to be added to +// GitHubIdentityProviderLister. +type GitHubIdentityProviderListerExpansion interface{} + +// GitHubIdentityProviderNamespaceListerExpansion allows custom methods to be added to +// GitHubIdentityProviderNamespaceLister. +type GitHubIdentityProviderNamespaceListerExpansion interface{} + // LDAPIdentityProviderListerExpansion allows custom methods to be added to // LDAPIdentityProviderLister. type LDAPIdentityProviderListerExpansion interface{} diff --git a/generated/1.22/client/supervisor/listers/idp/v1alpha1/githubidentityprovider.go b/generated/1.22/client/supervisor/listers/idp/v1alpha1/githubidentityprovider.go new file mode 100644 index 0000000000..54bf48ac54 --- /dev/null +++ b/generated/1.22/client/supervisor/listers/idp/v1alpha1/githubidentityprovider.go @@ -0,0 +1,86 @@ +// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by lister-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + v1alpha1 "go.pinniped.dev/generated/1.22/apis/supervisor/idp/v1alpha1" + "k8s.io/apimachinery/pkg/api/errors" + "k8s.io/apimachinery/pkg/labels" + "k8s.io/client-go/tools/cache" +) + +// GitHubIdentityProviderLister helps list GitHubIdentityProviders. +// All objects returned here must be treated as read-only. +type GitHubIdentityProviderLister interface { + // List lists all GitHubIdentityProviders in the indexer. + // Objects returned here must be treated as read-only. + List(selector labels.Selector) (ret []*v1alpha1.GitHubIdentityProvider, err error) + // GitHubIdentityProviders returns an object that can list and get GitHubIdentityProviders. + GitHubIdentityProviders(namespace string) GitHubIdentityProviderNamespaceLister + GitHubIdentityProviderListerExpansion +} + +// gitHubIdentityProviderLister implements the GitHubIdentityProviderLister interface. +type gitHubIdentityProviderLister struct { + indexer cache.Indexer +} + +// NewGitHubIdentityProviderLister returns a new GitHubIdentityProviderLister. +func NewGitHubIdentityProviderLister(indexer cache.Indexer) GitHubIdentityProviderLister { + return &gitHubIdentityProviderLister{indexer: indexer} +} + +// List lists all GitHubIdentityProviders in the indexer. +func (s *gitHubIdentityProviderLister) List(selector labels.Selector) (ret []*v1alpha1.GitHubIdentityProvider, err error) { + err = cache.ListAll(s.indexer, selector, func(m interface{}) { + ret = append(ret, m.(*v1alpha1.GitHubIdentityProvider)) + }) + return ret, err +} + +// GitHubIdentityProviders returns an object that can list and get GitHubIdentityProviders. +func (s *gitHubIdentityProviderLister) GitHubIdentityProviders(namespace string) GitHubIdentityProviderNamespaceLister { + return gitHubIdentityProviderNamespaceLister{indexer: s.indexer, namespace: namespace} +} + +// GitHubIdentityProviderNamespaceLister helps list and get GitHubIdentityProviders. +// All objects returned here must be treated as read-only. +type GitHubIdentityProviderNamespaceLister interface { + // List lists all GitHubIdentityProviders in the indexer for a given namespace. + // Objects returned here must be treated as read-only. + List(selector labels.Selector) (ret []*v1alpha1.GitHubIdentityProvider, err error) + // Get retrieves the GitHubIdentityProvider from the indexer for a given namespace and name. + // Objects returned here must be treated as read-only. + Get(name string) (*v1alpha1.GitHubIdentityProvider, error) + GitHubIdentityProviderNamespaceListerExpansion +} + +// gitHubIdentityProviderNamespaceLister implements the GitHubIdentityProviderNamespaceLister +// interface. +type gitHubIdentityProviderNamespaceLister struct { + indexer cache.Indexer + namespace string +} + +// List lists all GitHubIdentityProviders in the indexer for a given namespace. +func (s gitHubIdentityProviderNamespaceLister) List(selector labels.Selector) (ret []*v1alpha1.GitHubIdentityProvider, err error) { + err = cache.ListAllByNamespace(s.indexer, s.namespace, selector, func(m interface{}) { + ret = append(ret, m.(*v1alpha1.GitHubIdentityProvider)) + }) + return ret, err +} + +// Get retrieves the GitHubIdentityProvider from the indexer for a given namespace and name. +func (s gitHubIdentityProviderNamespaceLister) Get(name string) (*v1alpha1.GitHubIdentityProvider, error) { + obj, exists, err := s.indexer.GetByKey(s.namespace + "/" + name) + if err != nil { + return nil, err + } + if !exists { + return nil, errors.NewNotFound(v1alpha1.Resource("githubidentityprovider"), name) + } + return obj.(*v1alpha1.GitHubIdentityProvider), nil +} diff --git a/generated/1.22/crds/idp.supervisor.pinniped.dev_githubidentityproviders.yaml b/generated/1.22/crds/idp.supervisor.pinniped.dev_githubidentityproviders.yaml new file mode 100644 index 0000000000..8cc51b06f4 --- /dev/null +++ b/generated/1.22/crds/idp.supervisor.pinniped.dev_githubidentityproviders.yaml @@ -0,0 +1,301 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.14.0 + name: githubidentityproviders.idp.supervisor.pinniped.dev +spec: + group: idp.supervisor.pinniped.dev + names: + categories: + - pinniped + - pinniped-idp + - pinniped-idps + kind: GitHubIdentityProvider + listKind: GitHubIdentityProviderList + plural: githubidentityproviders + singular: githubidentityprovider + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.gitHubAPI.host + name: Host + type: string + - jsonPath: .status.phase + name: Status + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: |- + GitHubIdentityProvider describes the configuration of an upstream GitHub identity provider. + This upstream provider can be configured with either a GitHub App or a GitHub OAuth2 App. + + + Right now, only web-based logins are supported, for both the pinniped-cli client and clients configured + as OIDCClients. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec for configuring the identity provider. + properties: + allowedOrganizations: + description: |- + AllowedOrganizations, when specified, indicates that only users with membership in at least one of the listed + GitHub organizations may log in. In addition, the group membership presented to Kubernetes will only include + teams within the listed GitHub organizations. Additional login rules or group filtering can optionally be + provided as policy expression on any Pinniped Supervisor FederationDomain that includes this IDP. + + + The configured GitHub App or GitHub OAuth App must be allowed to see membership in the listed organizations, + otherwise Pinniped will not be aware that the user belongs to the listed organization or any teams + within that organization. + + + If no organizations are listed, you must set gitHubOrganizationLoginPolicy: AllOrganizationsAllowed + items: + type: string + type: array + claims: + description: Claims allows customization of the username and groups + claims + properties: + groups: + default: slug + description: |- + Groups configures which property of the GitHub team record shall determine the group names in Kubernetes. + + + Can be either "name" or "slug". Defaults to "slug". + + + GitHub team names can contain upper and lower case characters, whitespace, and punctuation (e.g. "Kube admins!"). + + + GitHub team slugs are lower case alphanumeric characters and may contain dashes and underscores (e.g. "kube-admins"). + + + Group names as presented to Kubernetes will always be prefixed by the GitHub organization name followed by a + forward slash (e.g. "my-org/my-team"). GitHub organization login names can only contain alphanumeric characters + or single hyphens, so the first forward slash `/` will be the separator between the organization login name and + the team name or slug. + + + If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's + FederationDomain to further customize how these group names are presented to Kubernetes. + + + See the response schema for + [List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user). + enum: + - name + - slug + type: string + username: + default: login:id + description: |- + Username configures which property of the GitHub user record shall determine the username in Kubernetes. + + + Can be either "id", "login", or "login:id". Defaults to "login:id". + + + GitHub's user login attributes can only contain alphanumeric characters and non-repeating hyphens, + and may not start or end with hyphens. GitHub users are allowed to change their login name, + although it is inconvenient. If a GitHub user changed their login name from "foo" to "bar", + then a second user might change their name from "baz" to "foo" in order to take the old + username of the first user. For this reason, it is not as safe to make authorization decisions + based only on the user's login attribute. + + + If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's + FederationDomain to further customize how these usernames are presented to Kubernetes. + + + Defaults to "login:id", which is the user login attribute, followed by a colon, followed by the unique and + unchanging integer ID number attribute. This blends human-readable login names with the unchanging ID value + from GitHub. Note that colons are not allowed in GitHub login attributes or ID numbers, so the colon in the + "login:id" name will always be the login:id separator colon. + + + See the response schema for + [Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user). + enum: + - id + - login + - login:id + type: string + required: + - groups + - username + type: object + client: + description: Client identifies the secret with credentials for a GitHub + App or GitHub OAuth2 App (a GitHub client). + properties: + secretName: + description: |- + SecretName contains the name of a namespace-local Secret object that provides the clientID and + clientSecret for an GitHub App or GitHub OAuth2 client. + + + This secret must be of type "secrets.pinniped.dev/github-client" with keys "clientID" and "clientSecret". + type: string + required: + - secretName + type: object + gitHubAPI: + default: {} + description: GitHubApi allows configuration for GitHub Enterprise + Server + properties: + host: + default: github.com + description: |- + Host is required only for GitHub Enterprise Server. + Defaults to using GitHub's public API (github.com). + type: string + tls: + description: TLS configuration for GitHub Enterprise Server. + properties: + certificateAuthorityData: + description: X.509 Certificate Authority (base64-encoded PEM + bundle). If omitted, a default set of system roots will + be trusted. + type: string + type: object + type: object + gitHubOrganizationLoginPolicy: + default: AllowedOrganizationsOnly + description: |- + GitHubOrganizationLoginPolicy must be set to "AllOrganizationsAllowed" if allowedOrganizations is empty. + + + This field only exists to ensure that Pinniped administrators are aware that an empty list of + allowedOrganizations means all GitHub users are allowed to log in. + enum: + - AllowedOrganizationsOnly + - AllOrganizationsAllowed + type: string + required: + - client + type: object + status: + description: Status of the identity provider. + properties: + conditions: + description: Conditions represents the observations of an identity + provider's current state. + items: + description: |- + Condition contains details for one aspect of the current state of this API Resource. + --- + This struct is intended for direct use as an array at the field path .status.conditions. For example, + type FooStatus struct{ + // Represents the observations of a foo's current state. + // Known .status.conditions.type are: "Available", "Progressing", and "Degraded" + // +patchMergeKey=type + // +patchStrategy=merge + // +listType=map + // +listMapKey=type + Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"` + + + // other fields + } + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + phase: + default: Pending + description: Phase summarizes the overall status of the GitHubIdentityProvider. + enum: + - Pending + - Ready + - Error + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/generated/1.23/README.adoc b/generated/1.23/README.adoc index 8b0a616155..961da08bf1 100644 --- a/generated/1.23/README.adoc +++ b/generated/1.23/README.adoc @@ -1366,6 +1366,199 @@ Status of an Active Directory identity provider. |=== +[id="{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-idp-v1alpha1-githubapiconfig"] +==== GitHubAPIConfig + +GitHubAPIConfig allows configuration for GitHub Enterprise Server + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-idp-v1alpha1-githubidentityproviderspec[$$GitHubIdentityProviderSpec$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`host`* __string__ | Host is required only for GitHub Enterprise Server. Defaults to using GitHub's public API (github.com). +| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-idp-v1alpha1-tlsspec[$$TLSSpec$$]__ | TLS configuration for GitHub Enterprise Server. +|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-idp-v1alpha1-githubclaims"] +==== GitHubClaims + +GitHubClaims allows customization of the username and groups claims + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-idp-v1alpha1-githubidentityproviderspec[$$GitHubIdentityProviderSpec$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`username`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-idp-v1alpha1-githubusernameattribute[$$GitHubUsernameAttribute$$]__ | Username configures which property of the GitHub user record shall determine the username in Kubernetes. + + +Can be either "id", "login", or "login:id". Defaults to "login:id". + + +GitHub's user login attributes can only contain alphanumeric characters and non-repeating hyphens, and may not start or end with hyphens. GitHub users are allowed to change their login name, although it is inconvenient. If a GitHub user changed their login name from "foo" to "bar", then a second user might change their name from "baz" to "foo" in order to take the old username of the first user. For this reason, it is not as safe to make authorization decisions based only on the user's login attribute. + + +If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's FederationDomain to further customize how these usernames are presented to Kubernetes. + + +Defaults to "login:id", which is the user login attribute, followed by a colon, followed by the unique and unchanging integer ID number attribute. This blends human-readable login names with the unchanging ID value from GitHub. Note that colons are not allowed in GitHub login attributes or ID numbers, so the colon in the "login:id" name will always be the login:id separator colon. + + +See the response schema for [Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user). +| *`groups`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-idp-v1alpha1-githubgroupnameattribute[$$GitHubGroupNameAttribute$$]__ | Groups configures which property of the GitHub team record shall determine the group names in Kubernetes. + + +Can be either "name" or "slug". Defaults to "slug". + + +GitHub team names can contain upper and lower case characters, whitespace, and punctuation (e.g. "Kube admins!"). + + +GitHub team slugs are lower case alphanumeric characters and may contain dashes and underscores (e.g. "kube-admins"). + + +Group names as presented to Kubernetes will always be prefixed by the GitHub organization name followed by a forward slash (e.g. "my-org/my-team"). GitHub organization login names can only contain alphanumeric characters or single hyphens, so the first forward slash `/` will be the separator between the organization login name and the team name or slug. + + +If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's FederationDomain to further customize how these group names are presented to Kubernetes. + + +See the response schema for [List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user). +|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-idp-v1alpha1-githubclientspec"] +==== GitHubClientSpec + +GitHubClientSpec contains information about the GitHub client that this identity provider will use for web-based login flows. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-idp-v1alpha1-githubidentityproviderspec[$$GitHubIdentityProviderSpec$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`secretName`* __string__ | SecretName contains the name of a namespace-local Secret object that provides the clientID and clientSecret for an GitHub App or GitHub OAuth2 client. + + +This secret must be of type "secrets.pinniped.dev/github-client" with keys "clientID" and "clientSecret". +|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-idp-v1alpha1-githubgroupnameattribute"] +==== GitHubGroupNameAttribute (string) + +GitHubGroupNameAttribute allows the user to specify which attribute from GitHub to use for the downstream group names. See the response schema for [List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user). + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-idp-v1alpha1-githubclaims[$$GitHubClaims$$] +**** + + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-idp-v1alpha1-githubidentityprovider"] +==== GitHubIdentityProvider + +GitHubIdentityProvider describes the configuration of an upstream GitHub identity provider. This upstream provider can be configured with either a GitHub App or a GitHub OAuth2 App. + Right now, only web-based logins are supported, for both the pinniped-cli client and clients configured as OIDCClients. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-idp-v1alpha1-githubidentityproviderlist[$$GitHubIdentityProviderList$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`. + +| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-idp-v1alpha1-githubidentityproviderspec[$$GitHubIdentityProviderSpec$$]__ | Spec for configuring the identity provider. +| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-idp-v1alpha1-githubidentityproviderstatus[$$GitHubIdentityProviderStatus$$]__ | Status of the identity provider. +|=== + + + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-idp-v1alpha1-githubidentityproviderphase"] +==== GitHubIdentityProviderPhase (string) + + + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-idp-v1alpha1-githubidentityproviderstatus[$$GitHubIdentityProviderStatus$$] +**** + + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-idp-v1alpha1-githubidentityproviderspec"] +==== GitHubIdentityProviderSpec + +GitHubIdentityProviderSpec is the spec for configuring an GitHub identity provider. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-idp-v1alpha1-githubidentityprovider[$$GitHubIdentityProvider$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`gitHubAPI`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-idp-v1alpha1-githubapiconfig[$$GitHubAPIConfig$$]__ | GitHubApi allows configuration for GitHub Enterprise Server +| *`claims`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-idp-v1alpha1-githubclaims[$$GitHubClaims$$]__ | Claims allows customization of the username and groups claims +| *`allowedOrganizations`* __string array__ | AllowedOrganizations, when specified, indicates that only users with membership in at least one of the listed GitHub organizations may log in. In addition, the group membership presented to Kubernetes will only include teams within the listed GitHub organizations. Additional login rules or group filtering can optionally be provided as policy expression on any Pinniped Supervisor FederationDomain that includes this IDP. + + +The configured GitHub App or GitHub OAuth App must be allowed to see membership in the listed organizations, otherwise Pinniped will not be aware that the user belongs to the listed organization or any teams within that organization. + + +If no organizations are listed, you must set gitHubOrganizationLoginPolicy: AllOrganizationsAllowed +| *`gitHubOrganizationLoginPolicy`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-idp-v1alpha1-githuborganizationloginpolicy[$$GitHubOrganizationLoginPolicy$$]__ | GitHubOrganizationLoginPolicy must be set to "AllOrganizationsAllowed" if allowedOrganizations is empty. + + +This field only exists to ensure that Pinniped administrators are aware that an empty list of allowedOrganizations means all GitHub users are allowed to log in. +| *`client`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-idp-v1alpha1-githubclientspec[$$GitHubClientSpec$$]__ | Client identifies the secret with credentials for a GitHub App or GitHub OAuth2 App (a GitHub client). +|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-idp-v1alpha1-githubidentityproviderstatus"] +==== GitHubIdentityProviderStatus + +GitHubIdentityProviderStatus is the status of an GitHub identity provider. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-idp-v1alpha1-githubidentityprovider[$$GitHubIdentityProvider$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`phase`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-idp-v1alpha1-githubidentityproviderphase[$$GitHubIdentityProviderPhase$$]__ | Phase summarizes the overall status of the GitHubIdentityProvider. +| *`conditions`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#condition-v1-meta[$$Condition$$] array__ | Conditions represents the observations of an identity provider's current state. +|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-idp-v1alpha1-githuborganizationloginpolicy"] +==== GitHubOrganizationLoginPolicy (string) + + + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-idp-v1alpha1-githubidentityproviderspec[$$GitHubIdentityProviderSpec$$] +**** + + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-idp-v1alpha1-githubusernameattribute"] +==== GitHubUsernameAttribute (string) + +GitHubUsernameAttribute allows the user to specify which attribute(s) from GitHub to use for the downstream username. See the response schema for [Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user). + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-idp-v1alpha1-githubclaims[$$GitHubClaims$$] +**** + + + [id="{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-idp-v1alpha1-ldapidentityprovider"] ==== LDAPIdentityProvider @@ -1686,11 +1879,12 @@ Parameter is a key/value pair which represents a parameter in an HTTP request. [id="{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-idp-v1alpha1-tlsspec"] ==== TLSSpec -Configuration for TLS parameters related to identity provider integration. +TLSSpec provides TLS configuration for identity provider integration. .Appears In: **** - xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-idp-v1alpha1-activedirectoryidentityproviderspec[$$ActiveDirectoryIdentityProviderSpec$$] +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-idp-v1alpha1-githubapiconfig[$$GitHubAPIConfig$$] - xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-idp-v1alpha1-ldapidentityproviderspec[$$LDAPIdentityProviderSpec$$] - xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-idp-v1alpha1-oidcidentityproviderspec[$$OIDCIdentityProviderSpec$$] **** diff --git a/generated/1.23/apis/supervisor/idp/v1alpha1/register.go b/generated/1.23/apis/supervisor/idp/v1alpha1/register.go index 8829a86385..705be8076c 100644 --- a/generated/1.23/apis/supervisor/idp/v1alpha1/register.go +++ b/generated/1.23/apis/supervisor/idp/v1alpha1/register.go @@ -1,4 +1,4 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 package v1alpha1 @@ -36,6 +36,8 @@ func addKnownTypes(scheme *runtime.Scheme) error { &LDAPIdentityProviderList{}, &ActiveDirectoryIdentityProvider{}, &ActiveDirectoryIdentityProviderList{}, + &GitHubIdentityProvider{}, + &GitHubIdentityProviderList{}, ) metav1.AddToGroupVersion(scheme, SchemeGroupVersion) return nil diff --git a/generated/1.23/apis/supervisor/idp/v1alpha1/types_githubidentityprovider.go b/generated/1.23/apis/supervisor/idp/v1alpha1/types_githubidentityprovider.go new file mode 100644 index 0000000000..92bd19724b --- /dev/null +++ b/generated/1.23/apis/supervisor/idp/v1alpha1/types_githubidentityprovider.go @@ -0,0 +1,231 @@ +// Copyright 2024 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +package v1alpha1 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" +) + +type GitHubIdentityProviderPhase string + +const ( + // GitHubPhasePending is the default phase for newly-created GitHubIdentityProvider resources. + GitHubPhasePending GitHubIdentityProviderPhase = "Pending" + + // GitHubPhaseReady is the phase for an GitHubIdentityProvider resource in a healthy state. + GitHubPhaseReady GitHubIdentityProviderPhase = "Ready" + + // GitHubPhaseError is the phase for an GitHubIdentityProvider in an unhealthy state. + GitHubPhaseError GitHubIdentityProviderPhase = "Error" +) + +type GitHubOrganizationLoginPolicy string + +const ( + // GitHubOrganizationLoginPolicyAllOrgsAllowed means any GitHub user is allowed to log in using this identity + // provider, regardless of their organization membership or lack thereof. + GitHubOrganizationLoginPolicyAllOrgsAllowed GitHubOrganizationLoginPolicy = "AllOrganizationsAllowed" + + // GitHubOrganizationLoginPolicyAllowedOrgsOnly means only those users with membership in the listed GitHub + // organizations are allowed to log in. + GitHubOrganizationLoginPolicyAllowedOrgsOnly GitHubOrganizationLoginPolicy = "AllowedOrganizationsOnly" +) + +// GitHubIdentityProviderStatus is the status of an GitHub identity provider. +type GitHubIdentityProviderStatus struct { + // Phase summarizes the overall status of the GitHubIdentityProvider. + // + // +kubebuilder:default=Pending + // +kubebuilder:validation:Enum=Pending;Ready;Error + Phase GitHubIdentityProviderPhase `json:"phase,omitempty"` + + // Conditions represents the observations of an identity provider's current state. + // + // +patchMergeKey=type + // +patchStrategy=merge + // +listType=map + // +listMapKey=type + Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"` +} + +// GitHubAPIConfig allows configuration for GitHub Enterprise Server +type GitHubAPIConfig struct { + // Host is required only for GitHub Enterprise Server. + // Defaults to using GitHub's public API (github.com). + // + // +kubebuilder:default="github.com" + // +optional + Host string `json:"host"` + + // TLS configuration for GitHub Enterprise Server. + // + // +optional + TLS *TLSSpec `json:"tls,omitempty"` +} + +// GitHubUsernameAttribute allows the user to specify which attribute(s) from GitHub to use for the downstream username. +// See the response schema for +// [Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user). +type GitHubUsernameAttribute string + +const ( + // GitHubUsernameID specifies using the `id` attribute from the GitHub user as the downstream username. + GitHubUsernameID GitHubUsernameAttribute = "id" + + // GitHubUsernameLogin specifies using the `login` attribute from the GitHub user as the downstream username. + GitHubUsernameLogin GitHubUsernameAttribute = "login" + + // GitHubUsernameLoginAndID specifies combining the `login` and `id` attributes from the GitHub user as the + // downstream username, separated by a colon. Example: "my-login:1234" + GitHubUsernameLoginAndID GitHubUsernameAttribute = "login:id" +) + +// GitHubGroupNameAttribute allows the user to specify which attribute from GitHub to use for the downstream group +// names. See the response schema for +// [List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user). +type GitHubGroupNameAttribute string + +const ( + // GitHubUseTeamNameForGrouypName specifies using the GitHub team's `name` attribute as the downstream group name. + GitHubUseTeamNameForGrouypName GitHubGroupNameAttribute = "name" + + // GitHubUseTeamSlugForGroupName specifies using the GitHub team's `slug` attribute as the downstream group name. + GitHubUseTeamSlugForGroupName GitHubGroupNameAttribute = "slug" +) + +// GitHubClaims allows customization of the username and groups claims +type GitHubClaims struct { + // Username configures which property of the GitHub user record shall determine the username in Kubernetes. + // + // Can be either "id", "login", or "login:id". Defaults to "login:id". + // + // GitHub's user login attributes can only contain alphanumeric characters and non-repeating hyphens, + // and may not start or end with hyphens. GitHub users are allowed to change their login name, + // although it is inconvenient. If a GitHub user changed their login name from "foo" to "bar", + // then a second user might change their name from "baz" to "foo" in order to take the old + // username of the first user. For this reason, it is not as safe to make authorization decisions + // based only on the user's login attribute. + // + // If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's + // FederationDomain to further customize how these usernames are presented to Kubernetes. + // + // Defaults to "login:id", which is the user login attribute, followed by a colon, followed by the unique and + // unchanging integer ID number attribute. This blends human-readable login names with the unchanging ID value + // from GitHub. Note that colons are not allowed in GitHub login attributes or ID numbers, so the colon in the + // "login:id" name will always be the login:id separator colon. + // + // See the response schema for + // [Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user). + // + // +kubebuilder:default="login:id" + // +kubebuilder:validation:Enum={"id","login","login:id"} + Username GitHubUsernameAttribute `json:"username"` + + // Groups configures which property of the GitHub team record shall determine the group names in Kubernetes. + // + // Can be either "name" or "slug". Defaults to "slug". + // + // GitHub team names can contain upper and lower case characters, whitespace, and punctuation (e.g. "Kube admins!"). + // + // GitHub team slugs are lower case alphanumeric characters and may contain dashes and underscores (e.g. "kube-admins"). + // + // Group names as presented to Kubernetes will always be prefixed by the GitHub organization name followed by a + // forward slash (e.g. "my-org/my-team"). GitHub organization login names can only contain alphanumeric characters + // or single hyphens, so the first forward slash `/` will be the separator between the organization login name and + // the team name or slug. + // + // If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's + // FederationDomain to further customize how these group names are presented to Kubernetes. + // + // See the response schema for + // [List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user). + // + // +kubebuilder:default=slug + // +kubebuilder:validation:Enum=name;slug + Groups GitHubGroupNameAttribute `json:"groups"` +} + +// GitHubClientSpec contains information about the GitHub client that this identity provider will use +// for web-based login flows. +type GitHubClientSpec struct { + // SecretName contains the name of a namespace-local Secret object that provides the clientID and + // clientSecret for an GitHub App or GitHub OAuth2 client. + // + // This secret must be of type "secrets.pinniped.dev/github-client" with keys "clientID" and "clientSecret". + SecretName string `json:"secretName"` +} + +// GitHubIdentityProviderSpec is the spec for configuring an GitHub identity provider. +type GitHubIdentityProviderSpec struct { + // GitHubApi allows configuration for GitHub Enterprise Server + // + // +kubebuilder:default={} + GitHubApi GitHubAPIConfig `json:"gitHubAPI,omitempty"` + + // Claims allows customization of the username and groups claims + // + // +optional + Claims GitHubClaims `json:"claims,omitempty"` + + // AllowedOrganizations, when specified, indicates that only users with membership in at least one of the listed + // GitHub organizations may log in. In addition, the group membership presented to Kubernetes will only include + // teams within the listed GitHub organizations. Additional login rules or group filtering can optionally be + // provided as policy expression on any Pinniped Supervisor FederationDomain that includes this IDP. + // + // The configured GitHub App or GitHub OAuth App must be allowed to see membership in the listed organizations, + // otherwise Pinniped will not be aware that the user belongs to the listed organization or any teams + // within that organization. + // + // If no organizations are listed, you must set gitHubOrganizationLoginPolicy: AllOrganizationsAllowed + // + // +optional + AllowedOrganizations []string `json:"allowedOrganizations,omitempty"` + + // GitHubOrganizationLoginPolicy must be set to "AllOrganizationsAllowed" if allowedOrganizations is empty. + // + // This field only exists to ensure that Pinniped administrators are aware that an empty list of + // allowedOrganizations means all GitHub users are allowed to log in. + // + // +kubebuilder:default=AllowedOrganizationsOnly + // +kubebuilder:validation:Enum=AllowedOrganizationsOnly;AllOrganizationsAllowed + // +optional + GitHubOrganizationLoginPolicy GitHubOrganizationLoginPolicy `json:"gitHubOrganizationLoginPolicy"` + + // Client identifies the secret with credentials for a GitHub App or GitHub OAuth2 App (a GitHub client). + Client GitHubClientSpec `json:"client"` +} + +// GitHubIdentityProvider describes the configuration of an upstream GitHub identity provider. +// This upstream provider can be configured with either a GitHub App or a GitHub OAuth2 App. +// +// Right now, only web-based logins are supported, for both the pinniped-cli client and clients configured +// as OIDCClients. +// +// +genclient +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +// +kubebuilder:resource:categories=pinniped;pinniped-idp;pinniped-idps +// +kubebuilder:printcolumn:name="Host",type=string,JSONPath=`.spec.gitHubAPI.host` +// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.phase` +// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp` +// +kubebuilder:subresource:status +type GitHubIdentityProvider struct { + metav1.TypeMeta `json:",inline"` + metav1.ObjectMeta `json:"metadata,omitempty"` + + // Spec for configuring the identity provider. + Spec GitHubIdentityProviderSpec `json:"spec"` + + // Status of the identity provider. + Status GitHubIdentityProviderStatus `json:"status,omitempty"` +} + +// GitHubIdentityProviderList lists GitHubIdentityProvider objects. +// +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +type GitHubIdentityProviderList struct { + metav1.TypeMeta `json:",inline"` + metav1.ListMeta `json:"metadata,omitempty"` + + Items []GitHubIdentityProvider `json:"items"` +} diff --git a/generated/1.23/apis/supervisor/idp/v1alpha1/types_tls.go b/generated/1.23/apis/supervisor/idp/v1alpha1/types_tls.go index 1413a262cc..49b49373cd 100644 --- a/generated/1.23/apis/supervisor/idp/v1alpha1/types_tls.go +++ b/generated/1.23/apis/supervisor/idp/v1alpha1/types_tls.go @@ -1,9 +1,9 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 package v1alpha1 -// Configuration for TLS parameters related to identity provider integration. +// TLSSpec provides TLS configuration for identity provider integration. type TLSSpec struct { // X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted. // +optional diff --git a/generated/1.23/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go b/generated/1.23/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go index b0cb168b54..724643e7c2 100644 --- a/generated/1.23/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go +++ b/generated/1.23/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go @@ -203,6 +203,167 @@ func (in *ActiveDirectoryIdentityProviderUserSearchAttributes) DeepCopy() *Activ return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *GitHubAPIConfig) DeepCopyInto(out *GitHubAPIConfig) { + *out = *in + if in.TLS != nil { + in, out := &in.TLS, &out.TLS + *out = new(TLSSpec) + **out = **in + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubAPIConfig. +func (in *GitHubAPIConfig) DeepCopy() *GitHubAPIConfig { + if in == nil { + return nil + } + out := new(GitHubAPIConfig) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *GitHubClaims) DeepCopyInto(out *GitHubClaims) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubClaims. +func (in *GitHubClaims) DeepCopy() *GitHubClaims { + if in == nil { + return nil + } + out := new(GitHubClaims) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *GitHubClientSpec) DeepCopyInto(out *GitHubClientSpec) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubClientSpec. +func (in *GitHubClientSpec) DeepCopy() *GitHubClientSpec { + if in == nil { + return nil + } + out := new(GitHubClientSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *GitHubIdentityProvider) DeepCopyInto(out *GitHubIdentityProvider) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + in.Spec.DeepCopyInto(&out.Spec) + in.Status.DeepCopyInto(&out.Status) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubIdentityProvider. +func (in *GitHubIdentityProvider) DeepCopy() *GitHubIdentityProvider { + if in == nil { + return nil + } + out := new(GitHubIdentityProvider) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *GitHubIdentityProvider) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *GitHubIdentityProviderList) DeepCopyInto(out *GitHubIdentityProviderList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]GitHubIdentityProvider, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubIdentityProviderList. +func (in *GitHubIdentityProviderList) DeepCopy() *GitHubIdentityProviderList { + if in == nil { + return nil + } + out := new(GitHubIdentityProviderList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *GitHubIdentityProviderList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *GitHubIdentityProviderSpec) DeepCopyInto(out *GitHubIdentityProviderSpec) { + *out = *in + in.GitHubApi.DeepCopyInto(&out.GitHubApi) + out.Claims = in.Claims + if in.AllowedOrganizations != nil { + in, out := &in.AllowedOrganizations, &out.AllowedOrganizations + *out = make([]string, len(*in)) + copy(*out, *in) + } + out.Client = in.Client + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubIdentityProviderSpec. +func (in *GitHubIdentityProviderSpec) DeepCopy() *GitHubIdentityProviderSpec { + if in == nil { + return nil + } + out := new(GitHubIdentityProviderSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *GitHubIdentityProviderStatus) DeepCopyInto(out *GitHubIdentityProviderStatus) { + *out = *in + if in.Conditions != nil { + in, out := &in.Conditions, &out.Conditions + *out = make([]v1.Condition, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubIdentityProviderStatus. +func (in *GitHubIdentityProviderStatus) DeepCopy() *GitHubIdentityProviderStatus { + if in == nil { + return nil + } + out := new(GitHubIdentityProviderStatus) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *LDAPIdentityProvider) DeepCopyInto(out *LDAPIdentityProvider) { *out = *in diff --git a/generated/1.23/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_githubidentityprovider.go b/generated/1.23/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_githubidentityprovider.go new file mode 100644 index 0000000000..0e91cb7397 --- /dev/null +++ b/generated/1.23/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_githubidentityprovider.go @@ -0,0 +1,129 @@ +// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package fake + +import ( + "context" + + v1alpha1 "go.pinniped.dev/generated/1.23/apis/supervisor/idp/v1alpha1" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + labels "k8s.io/apimachinery/pkg/labels" + schema "k8s.io/apimachinery/pkg/runtime/schema" + types "k8s.io/apimachinery/pkg/types" + watch "k8s.io/apimachinery/pkg/watch" + testing "k8s.io/client-go/testing" +) + +// FakeGitHubIdentityProviders implements GitHubIdentityProviderInterface +type FakeGitHubIdentityProviders struct { + Fake *FakeIDPV1alpha1 + ns string +} + +var githubidentityprovidersResource = schema.GroupVersionResource{Group: "idp.supervisor.pinniped.dev", Version: "v1alpha1", Resource: "githubidentityproviders"} + +var githubidentityprovidersKind = schema.GroupVersionKind{Group: "idp.supervisor.pinniped.dev", Version: "v1alpha1", Kind: "GitHubIdentityProvider"} + +// Get takes name of the gitHubIdentityProvider, and returns the corresponding gitHubIdentityProvider object, and an error if there is any. +func (c *FakeGitHubIdentityProviders) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.GitHubIdentityProvider, err error) { + obj, err := c.Fake. + Invokes(testing.NewGetAction(githubidentityprovidersResource, c.ns, name), &v1alpha1.GitHubIdentityProvider{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.GitHubIdentityProvider), err +} + +// List takes label and field selectors, and returns the list of GitHubIdentityProviders that match those selectors. +func (c *FakeGitHubIdentityProviders) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.GitHubIdentityProviderList, err error) { + obj, err := c.Fake. + Invokes(testing.NewListAction(githubidentityprovidersResource, githubidentityprovidersKind, c.ns, opts), &v1alpha1.GitHubIdentityProviderList{}) + + if obj == nil { + return nil, err + } + + label, _, _ := testing.ExtractFromListOptions(opts) + if label == nil { + label = labels.Everything() + } + list := &v1alpha1.GitHubIdentityProviderList{ListMeta: obj.(*v1alpha1.GitHubIdentityProviderList).ListMeta} + for _, item := range obj.(*v1alpha1.GitHubIdentityProviderList).Items { + if label.Matches(labels.Set(item.Labels)) { + list.Items = append(list.Items, item) + } + } + return list, err +} + +// Watch returns a watch.Interface that watches the requested gitHubIdentityProviders. +func (c *FakeGitHubIdentityProviders) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) { + return c.Fake. + InvokesWatch(testing.NewWatchAction(githubidentityprovidersResource, c.ns, opts)) + +} + +// Create takes the representation of a gitHubIdentityProvider and creates it. Returns the server's representation of the gitHubIdentityProvider, and an error, if there is any. +func (c *FakeGitHubIdentityProviders) Create(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.CreateOptions) (result *v1alpha1.GitHubIdentityProvider, err error) { + obj, err := c.Fake. + Invokes(testing.NewCreateAction(githubidentityprovidersResource, c.ns, gitHubIdentityProvider), &v1alpha1.GitHubIdentityProvider{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.GitHubIdentityProvider), err +} + +// Update takes the representation of a gitHubIdentityProvider and updates it. Returns the server's representation of the gitHubIdentityProvider, and an error, if there is any. +func (c *FakeGitHubIdentityProviders) Update(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.UpdateOptions) (result *v1alpha1.GitHubIdentityProvider, err error) { + obj, err := c.Fake. + Invokes(testing.NewUpdateAction(githubidentityprovidersResource, c.ns, gitHubIdentityProvider), &v1alpha1.GitHubIdentityProvider{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.GitHubIdentityProvider), err +} + +// UpdateStatus was generated because the type contains a Status member. +// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus(). +func (c *FakeGitHubIdentityProviders) UpdateStatus(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.UpdateOptions) (*v1alpha1.GitHubIdentityProvider, error) { + obj, err := c.Fake. + Invokes(testing.NewUpdateSubresourceAction(githubidentityprovidersResource, "status", c.ns, gitHubIdentityProvider), &v1alpha1.GitHubIdentityProvider{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.GitHubIdentityProvider), err +} + +// Delete takes name of the gitHubIdentityProvider and deletes it. Returns an error if one occurs. +func (c *FakeGitHubIdentityProviders) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error { + _, err := c.Fake. + Invokes(testing.NewDeleteActionWithOptions(githubidentityprovidersResource, c.ns, name, opts), &v1alpha1.GitHubIdentityProvider{}) + + return err +} + +// DeleteCollection deletes a collection of objects. +func (c *FakeGitHubIdentityProviders) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error { + action := testing.NewDeleteCollectionAction(githubidentityprovidersResource, c.ns, listOpts) + + _, err := c.Fake.Invokes(action, &v1alpha1.GitHubIdentityProviderList{}) + return err +} + +// Patch applies the patch and returns the patched gitHubIdentityProvider. +func (c *FakeGitHubIdentityProviders) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.GitHubIdentityProvider, err error) { + obj, err := c.Fake. + Invokes(testing.NewPatchSubresourceAction(githubidentityprovidersResource, c.ns, name, pt, data, subresources...), &v1alpha1.GitHubIdentityProvider{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.GitHubIdentityProvider), err +} diff --git a/generated/1.23/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_idp_client.go b/generated/1.23/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_idp_client.go index 0ae4b8aa4f..db75247da6 100644 --- a/generated/1.23/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_idp_client.go +++ b/generated/1.23/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_idp_client.go @@ -19,6 +19,10 @@ func (c *FakeIDPV1alpha1) ActiveDirectoryIdentityProviders(namespace string) v1a return &FakeActiveDirectoryIdentityProviders{c, namespace} } +func (c *FakeIDPV1alpha1) GitHubIdentityProviders(namespace string) v1alpha1.GitHubIdentityProviderInterface { + return &FakeGitHubIdentityProviders{c, namespace} +} + func (c *FakeIDPV1alpha1) LDAPIdentityProviders(namespace string) v1alpha1.LDAPIdentityProviderInterface { return &FakeLDAPIdentityProviders{c, namespace} } diff --git a/generated/1.23/client/supervisor/clientset/versioned/typed/idp/v1alpha1/generated_expansion.go b/generated/1.23/client/supervisor/clientset/versioned/typed/idp/v1alpha1/generated_expansion.go index 79be098d6c..a7acc8120f 100644 --- a/generated/1.23/client/supervisor/clientset/versioned/typed/idp/v1alpha1/generated_expansion.go +++ b/generated/1.23/client/supervisor/clientset/versioned/typed/idp/v1alpha1/generated_expansion.go @@ -7,6 +7,8 @@ package v1alpha1 type ActiveDirectoryIdentityProviderExpansion interface{} +type GitHubIdentityProviderExpansion interface{} + type LDAPIdentityProviderExpansion interface{} type OIDCIdentityProviderExpansion interface{} diff --git a/generated/1.23/client/supervisor/clientset/versioned/typed/idp/v1alpha1/githubidentityprovider.go b/generated/1.23/client/supervisor/clientset/versioned/typed/idp/v1alpha1/githubidentityprovider.go new file mode 100644 index 0000000000..8f954e7c53 --- /dev/null +++ b/generated/1.23/client/supervisor/clientset/versioned/typed/idp/v1alpha1/githubidentityprovider.go @@ -0,0 +1,182 @@ +// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + "context" + "time" + + v1alpha1 "go.pinniped.dev/generated/1.23/apis/supervisor/idp/v1alpha1" + scheme "go.pinniped.dev/generated/1.23/client/supervisor/clientset/versioned/scheme" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + types "k8s.io/apimachinery/pkg/types" + watch "k8s.io/apimachinery/pkg/watch" + rest "k8s.io/client-go/rest" +) + +// GitHubIdentityProvidersGetter has a method to return a GitHubIdentityProviderInterface. +// A group's client should implement this interface. +type GitHubIdentityProvidersGetter interface { + GitHubIdentityProviders(namespace string) GitHubIdentityProviderInterface +} + +// GitHubIdentityProviderInterface has methods to work with GitHubIdentityProvider resources. +type GitHubIdentityProviderInterface interface { + Create(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.CreateOptions) (*v1alpha1.GitHubIdentityProvider, error) + Update(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.UpdateOptions) (*v1alpha1.GitHubIdentityProvider, error) + UpdateStatus(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.UpdateOptions) (*v1alpha1.GitHubIdentityProvider, error) + Delete(ctx context.Context, name string, opts v1.DeleteOptions) error + DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error + Get(ctx context.Context, name string, opts v1.GetOptions) (*v1alpha1.GitHubIdentityProvider, error) + List(ctx context.Context, opts v1.ListOptions) (*v1alpha1.GitHubIdentityProviderList, error) + Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) + Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.GitHubIdentityProvider, err error) + GitHubIdentityProviderExpansion +} + +// gitHubIdentityProviders implements GitHubIdentityProviderInterface +type gitHubIdentityProviders struct { + client rest.Interface + ns string +} + +// newGitHubIdentityProviders returns a GitHubIdentityProviders +func newGitHubIdentityProviders(c *IDPV1alpha1Client, namespace string) *gitHubIdentityProviders { + return &gitHubIdentityProviders{ + client: c.RESTClient(), + ns: namespace, + } +} + +// Get takes name of the gitHubIdentityProvider, and returns the corresponding gitHubIdentityProvider object, and an error if there is any. +func (c *gitHubIdentityProviders) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.GitHubIdentityProvider, err error) { + result = &v1alpha1.GitHubIdentityProvider{} + err = c.client.Get(). + Namespace(c.ns). + Resource("githubidentityproviders"). + Name(name). + VersionedParams(&options, scheme.ParameterCodec). + Do(ctx). + Into(result) + return +} + +// List takes label and field selectors, and returns the list of GitHubIdentityProviders that match those selectors. +func (c *gitHubIdentityProviders) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.GitHubIdentityProviderList, err error) { + var timeout time.Duration + if opts.TimeoutSeconds != nil { + timeout = time.Duration(*opts.TimeoutSeconds) * time.Second + } + result = &v1alpha1.GitHubIdentityProviderList{} + err = c.client.Get(). + Namespace(c.ns). + Resource("githubidentityproviders"). + VersionedParams(&opts, scheme.ParameterCodec). + Timeout(timeout). + Do(ctx). + Into(result) + return +} + +// Watch returns a watch.Interface that watches the requested gitHubIdentityProviders. +func (c *gitHubIdentityProviders) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) { + var timeout time.Duration + if opts.TimeoutSeconds != nil { + timeout = time.Duration(*opts.TimeoutSeconds) * time.Second + } + opts.Watch = true + return c.client.Get(). + Namespace(c.ns). + Resource("githubidentityproviders"). + VersionedParams(&opts, scheme.ParameterCodec). + Timeout(timeout). + Watch(ctx) +} + +// Create takes the representation of a gitHubIdentityProvider and creates it. Returns the server's representation of the gitHubIdentityProvider, and an error, if there is any. +func (c *gitHubIdentityProviders) Create(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.CreateOptions) (result *v1alpha1.GitHubIdentityProvider, err error) { + result = &v1alpha1.GitHubIdentityProvider{} + err = c.client.Post(). + Namespace(c.ns). + Resource("githubidentityproviders"). + VersionedParams(&opts, scheme.ParameterCodec). + Body(gitHubIdentityProvider). + Do(ctx). + Into(result) + return +} + +// Update takes the representation of a gitHubIdentityProvider and updates it. Returns the server's representation of the gitHubIdentityProvider, and an error, if there is any. +func (c *gitHubIdentityProviders) Update(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.UpdateOptions) (result *v1alpha1.GitHubIdentityProvider, err error) { + result = &v1alpha1.GitHubIdentityProvider{} + err = c.client.Put(). + Namespace(c.ns). + Resource("githubidentityproviders"). + Name(gitHubIdentityProvider.Name). + VersionedParams(&opts, scheme.ParameterCodec). + Body(gitHubIdentityProvider). + Do(ctx). + Into(result) + return +} + +// UpdateStatus was generated because the type contains a Status member. +// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus(). +func (c *gitHubIdentityProviders) UpdateStatus(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.UpdateOptions) (result *v1alpha1.GitHubIdentityProvider, err error) { + result = &v1alpha1.GitHubIdentityProvider{} + err = c.client.Put(). + Namespace(c.ns). + Resource("githubidentityproviders"). + Name(gitHubIdentityProvider.Name). + SubResource("status"). + VersionedParams(&opts, scheme.ParameterCodec). + Body(gitHubIdentityProvider). + Do(ctx). + Into(result) + return +} + +// Delete takes name of the gitHubIdentityProvider and deletes it. Returns an error if one occurs. +func (c *gitHubIdentityProviders) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error { + return c.client.Delete(). + Namespace(c.ns). + Resource("githubidentityproviders"). + Name(name). + Body(&opts). + Do(ctx). + Error() +} + +// DeleteCollection deletes a collection of objects. +func (c *gitHubIdentityProviders) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error { + var timeout time.Duration + if listOpts.TimeoutSeconds != nil { + timeout = time.Duration(*listOpts.TimeoutSeconds) * time.Second + } + return c.client.Delete(). + Namespace(c.ns). + Resource("githubidentityproviders"). + VersionedParams(&listOpts, scheme.ParameterCodec). + Timeout(timeout). + Body(&opts). + Do(ctx). + Error() +} + +// Patch applies the patch and returns the patched gitHubIdentityProvider. +func (c *gitHubIdentityProviders) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.GitHubIdentityProvider, err error) { + result = &v1alpha1.GitHubIdentityProvider{} + err = c.client.Patch(pt). + Namespace(c.ns). + Resource("githubidentityproviders"). + Name(name). + SubResource(subresources...). + VersionedParams(&opts, scheme.ParameterCodec). + Body(data). + Do(ctx). + Into(result) + return +} diff --git a/generated/1.23/client/supervisor/clientset/versioned/typed/idp/v1alpha1/idp_client.go b/generated/1.23/client/supervisor/clientset/versioned/typed/idp/v1alpha1/idp_client.go index 0dbcbbe3aa..141fd4a7f2 100644 --- a/generated/1.23/client/supervisor/clientset/versioned/typed/idp/v1alpha1/idp_client.go +++ b/generated/1.23/client/supervisor/clientset/versioned/typed/idp/v1alpha1/idp_client.go @@ -16,6 +16,7 @@ import ( type IDPV1alpha1Interface interface { RESTClient() rest.Interface ActiveDirectoryIdentityProvidersGetter + GitHubIdentityProvidersGetter LDAPIdentityProvidersGetter OIDCIdentityProvidersGetter } @@ -29,6 +30,10 @@ func (c *IDPV1alpha1Client) ActiveDirectoryIdentityProviders(namespace string) A return newActiveDirectoryIdentityProviders(c, namespace) } +func (c *IDPV1alpha1Client) GitHubIdentityProviders(namespace string) GitHubIdentityProviderInterface { + return newGitHubIdentityProviders(c, namespace) +} + func (c *IDPV1alpha1Client) LDAPIdentityProviders(namespace string) LDAPIdentityProviderInterface { return newLDAPIdentityProviders(c, namespace) } diff --git a/generated/1.23/client/supervisor/informers/externalversions/generic.go b/generated/1.23/client/supervisor/informers/externalversions/generic.go index 9852477783..4765b9eb01 100644 --- a/generated/1.23/client/supervisor/informers/externalversions/generic.go +++ b/generated/1.23/client/supervisor/informers/externalversions/generic.go @@ -49,6 +49,8 @@ func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource // Group=idp.supervisor.pinniped.dev, Version=v1alpha1 case idpv1alpha1.SchemeGroupVersion.WithResource("activedirectoryidentityproviders"): return &genericInformer{resource: resource.GroupResource(), informer: f.IDP().V1alpha1().ActiveDirectoryIdentityProviders().Informer()}, nil + case idpv1alpha1.SchemeGroupVersion.WithResource("githubidentityproviders"): + return &genericInformer{resource: resource.GroupResource(), informer: f.IDP().V1alpha1().GitHubIdentityProviders().Informer()}, nil case idpv1alpha1.SchemeGroupVersion.WithResource("ldapidentityproviders"): return &genericInformer{resource: resource.GroupResource(), informer: f.IDP().V1alpha1().LDAPIdentityProviders().Informer()}, nil case idpv1alpha1.SchemeGroupVersion.WithResource("oidcidentityproviders"): diff --git a/generated/1.23/client/supervisor/informers/externalversions/idp/v1alpha1/githubidentityprovider.go b/generated/1.23/client/supervisor/informers/externalversions/idp/v1alpha1/githubidentityprovider.go new file mode 100644 index 0000000000..b76d66c69d --- /dev/null +++ b/generated/1.23/client/supervisor/informers/externalversions/idp/v1alpha1/githubidentityprovider.go @@ -0,0 +1,77 @@ +// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by informer-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + "context" + time "time" + + idpv1alpha1 "go.pinniped.dev/generated/1.23/apis/supervisor/idp/v1alpha1" + versioned "go.pinniped.dev/generated/1.23/client/supervisor/clientset/versioned" + internalinterfaces "go.pinniped.dev/generated/1.23/client/supervisor/informers/externalversions/internalinterfaces" + v1alpha1 "go.pinniped.dev/generated/1.23/client/supervisor/listers/idp/v1alpha1" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + runtime "k8s.io/apimachinery/pkg/runtime" + watch "k8s.io/apimachinery/pkg/watch" + cache "k8s.io/client-go/tools/cache" +) + +// GitHubIdentityProviderInformer provides access to a shared informer and lister for +// GitHubIdentityProviders. +type GitHubIdentityProviderInformer interface { + Informer() cache.SharedIndexInformer + Lister() v1alpha1.GitHubIdentityProviderLister +} + +type gitHubIdentityProviderInformer struct { + factory internalinterfaces.SharedInformerFactory + tweakListOptions internalinterfaces.TweakListOptionsFunc + namespace string +} + +// NewGitHubIdentityProviderInformer constructs a new informer for GitHubIdentityProvider type. +// Always prefer using an informer factory to get a shared informer instead of getting an independent +// one. This reduces memory footprint and number of connections to the server. +func NewGitHubIdentityProviderInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer { + return NewFilteredGitHubIdentityProviderInformer(client, namespace, resyncPeriod, indexers, nil) +} + +// NewFilteredGitHubIdentityProviderInformer constructs a new informer for GitHubIdentityProvider type. +// Always prefer using an informer factory to get a shared informer instead of getting an independent +// one. This reduces memory footprint and number of connections to the server. +func NewFilteredGitHubIdentityProviderInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer { + return cache.NewSharedIndexInformer( + &cache.ListWatch{ + ListFunc: func(options v1.ListOptions) (runtime.Object, error) { + if tweakListOptions != nil { + tweakListOptions(&options) + } + return client.IDPV1alpha1().GitHubIdentityProviders(namespace).List(context.TODO(), options) + }, + WatchFunc: func(options v1.ListOptions) (watch.Interface, error) { + if tweakListOptions != nil { + tweakListOptions(&options) + } + return client.IDPV1alpha1().GitHubIdentityProviders(namespace).Watch(context.TODO(), options) + }, + }, + &idpv1alpha1.GitHubIdentityProvider{}, + resyncPeriod, + indexers, + ) +} + +func (f *gitHubIdentityProviderInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer { + return NewFilteredGitHubIdentityProviderInformer(client, f.namespace, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions) +} + +func (f *gitHubIdentityProviderInformer) Informer() cache.SharedIndexInformer { + return f.factory.InformerFor(&idpv1alpha1.GitHubIdentityProvider{}, f.defaultInformer) +} + +func (f *gitHubIdentityProviderInformer) Lister() v1alpha1.GitHubIdentityProviderLister { + return v1alpha1.NewGitHubIdentityProviderLister(f.Informer().GetIndexer()) +} diff --git a/generated/1.23/client/supervisor/informers/externalversions/idp/v1alpha1/interface.go b/generated/1.23/client/supervisor/informers/externalversions/idp/v1alpha1/interface.go index 554a4a0595..37345b8297 100644 --- a/generated/1.23/client/supervisor/informers/externalversions/idp/v1alpha1/interface.go +++ b/generated/1.23/client/supervisor/informers/externalversions/idp/v1alpha1/interface.go @@ -13,6 +13,8 @@ import ( type Interface interface { // ActiveDirectoryIdentityProviders returns a ActiveDirectoryIdentityProviderInformer. ActiveDirectoryIdentityProviders() ActiveDirectoryIdentityProviderInformer + // GitHubIdentityProviders returns a GitHubIdentityProviderInformer. + GitHubIdentityProviders() GitHubIdentityProviderInformer // LDAPIdentityProviders returns a LDAPIdentityProviderInformer. LDAPIdentityProviders() LDAPIdentityProviderInformer // OIDCIdentityProviders returns a OIDCIdentityProviderInformer. @@ -35,6 +37,11 @@ func (v *version) ActiveDirectoryIdentityProviders() ActiveDirectoryIdentityProv return &activeDirectoryIdentityProviderInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions} } +// GitHubIdentityProviders returns a GitHubIdentityProviderInformer. +func (v *version) GitHubIdentityProviders() GitHubIdentityProviderInformer { + return &gitHubIdentityProviderInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions} +} + // LDAPIdentityProviders returns a LDAPIdentityProviderInformer. func (v *version) LDAPIdentityProviders() LDAPIdentityProviderInformer { return &lDAPIdentityProviderInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions} diff --git a/generated/1.23/client/supervisor/listers/idp/v1alpha1/expansion_generated.go b/generated/1.23/client/supervisor/listers/idp/v1alpha1/expansion_generated.go index b491a9e8d4..470c06abb0 100644 --- a/generated/1.23/client/supervisor/listers/idp/v1alpha1/expansion_generated.go +++ b/generated/1.23/client/supervisor/listers/idp/v1alpha1/expansion_generated.go @@ -13,6 +13,14 @@ type ActiveDirectoryIdentityProviderListerExpansion interface{} // ActiveDirectoryIdentityProviderNamespaceLister. type ActiveDirectoryIdentityProviderNamespaceListerExpansion interface{} +// GitHubIdentityProviderListerExpansion allows custom methods to be added to +// GitHubIdentityProviderLister. +type GitHubIdentityProviderListerExpansion interface{} + +// GitHubIdentityProviderNamespaceListerExpansion allows custom methods to be added to +// GitHubIdentityProviderNamespaceLister. +type GitHubIdentityProviderNamespaceListerExpansion interface{} + // LDAPIdentityProviderListerExpansion allows custom methods to be added to // LDAPIdentityProviderLister. type LDAPIdentityProviderListerExpansion interface{} diff --git a/generated/1.23/client/supervisor/listers/idp/v1alpha1/githubidentityprovider.go b/generated/1.23/client/supervisor/listers/idp/v1alpha1/githubidentityprovider.go new file mode 100644 index 0000000000..2331324228 --- /dev/null +++ b/generated/1.23/client/supervisor/listers/idp/v1alpha1/githubidentityprovider.go @@ -0,0 +1,86 @@ +// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by lister-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + v1alpha1 "go.pinniped.dev/generated/1.23/apis/supervisor/idp/v1alpha1" + "k8s.io/apimachinery/pkg/api/errors" + "k8s.io/apimachinery/pkg/labels" + "k8s.io/client-go/tools/cache" +) + +// GitHubIdentityProviderLister helps list GitHubIdentityProviders. +// All objects returned here must be treated as read-only. +type GitHubIdentityProviderLister interface { + // List lists all GitHubIdentityProviders in the indexer. + // Objects returned here must be treated as read-only. + List(selector labels.Selector) (ret []*v1alpha1.GitHubIdentityProvider, err error) + // GitHubIdentityProviders returns an object that can list and get GitHubIdentityProviders. + GitHubIdentityProviders(namespace string) GitHubIdentityProviderNamespaceLister + GitHubIdentityProviderListerExpansion +} + +// gitHubIdentityProviderLister implements the GitHubIdentityProviderLister interface. +type gitHubIdentityProviderLister struct { + indexer cache.Indexer +} + +// NewGitHubIdentityProviderLister returns a new GitHubIdentityProviderLister. +func NewGitHubIdentityProviderLister(indexer cache.Indexer) GitHubIdentityProviderLister { + return &gitHubIdentityProviderLister{indexer: indexer} +} + +// List lists all GitHubIdentityProviders in the indexer. +func (s *gitHubIdentityProviderLister) List(selector labels.Selector) (ret []*v1alpha1.GitHubIdentityProvider, err error) { + err = cache.ListAll(s.indexer, selector, func(m interface{}) { + ret = append(ret, m.(*v1alpha1.GitHubIdentityProvider)) + }) + return ret, err +} + +// GitHubIdentityProviders returns an object that can list and get GitHubIdentityProviders. +func (s *gitHubIdentityProviderLister) GitHubIdentityProviders(namespace string) GitHubIdentityProviderNamespaceLister { + return gitHubIdentityProviderNamespaceLister{indexer: s.indexer, namespace: namespace} +} + +// GitHubIdentityProviderNamespaceLister helps list and get GitHubIdentityProviders. +// All objects returned here must be treated as read-only. +type GitHubIdentityProviderNamespaceLister interface { + // List lists all GitHubIdentityProviders in the indexer for a given namespace. + // Objects returned here must be treated as read-only. + List(selector labels.Selector) (ret []*v1alpha1.GitHubIdentityProvider, err error) + // Get retrieves the GitHubIdentityProvider from the indexer for a given namespace and name. + // Objects returned here must be treated as read-only. + Get(name string) (*v1alpha1.GitHubIdentityProvider, error) + GitHubIdentityProviderNamespaceListerExpansion +} + +// gitHubIdentityProviderNamespaceLister implements the GitHubIdentityProviderNamespaceLister +// interface. +type gitHubIdentityProviderNamespaceLister struct { + indexer cache.Indexer + namespace string +} + +// List lists all GitHubIdentityProviders in the indexer for a given namespace. +func (s gitHubIdentityProviderNamespaceLister) List(selector labels.Selector) (ret []*v1alpha1.GitHubIdentityProvider, err error) { + err = cache.ListAllByNamespace(s.indexer, s.namespace, selector, func(m interface{}) { + ret = append(ret, m.(*v1alpha1.GitHubIdentityProvider)) + }) + return ret, err +} + +// Get retrieves the GitHubIdentityProvider from the indexer for a given namespace and name. +func (s gitHubIdentityProviderNamespaceLister) Get(name string) (*v1alpha1.GitHubIdentityProvider, error) { + obj, exists, err := s.indexer.GetByKey(s.namespace + "/" + name) + if err != nil { + return nil, err + } + if !exists { + return nil, errors.NewNotFound(v1alpha1.Resource("githubidentityprovider"), name) + } + return obj.(*v1alpha1.GitHubIdentityProvider), nil +} diff --git a/generated/1.23/crds/idp.supervisor.pinniped.dev_githubidentityproviders.yaml b/generated/1.23/crds/idp.supervisor.pinniped.dev_githubidentityproviders.yaml new file mode 100644 index 0000000000..d10a330731 --- /dev/null +++ b/generated/1.23/crds/idp.supervisor.pinniped.dev_githubidentityproviders.yaml @@ -0,0 +1,295 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.14.0 + name: githubidentityproviders.idp.supervisor.pinniped.dev +spec: + group: idp.supervisor.pinniped.dev + names: + categories: + - pinniped + - pinniped-idp + - pinniped-idps + kind: GitHubIdentityProvider + listKind: GitHubIdentityProviderList + plural: githubidentityproviders + singular: githubidentityprovider + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.gitHubAPI.host + name: Host + type: string + - jsonPath: .status.phase + name: Status + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: |- + GitHubIdentityProvider describes the configuration of an upstream GitHub identity provider. + This upstream provider can be configured with either a GitHub App or a GitHub OAuth2 App. + + + Right now, only web-based logins are supported, for both the pinniped-cli client and clients configured + as OIDCClients. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec for configuring the identity provider. + properties: + allowedOrganizations: + description: |- + AllowedOrganizations, when specified, indicates that only users with membership in at least one of the listed + GitHub organizations may log in. In addition, the group membership presented to Kubernetes will only include + teams within the listed GitHub organizations. Additional login rules or group filtering can optionally be + provided as policy expression on any Pinniped Supervisor FederationDomain that includes this IDP. + + + The configured GitHub App or GitHub OAuth App must be allowed to see membership in the listed organizations, + otherwise Pinniped will not be aware that the user belongs to the listed organization or any teams + within that organization. + + + If no organizations are listed, you must set gitHubOrganizationLoginPolicy: AllOrganizationsAllowed + items: + type: string + type: array + claims: + description: Claims allows customization of the username and groups + claims + properties: + groups: + default: slug + description: |- + Groups configures which property of the GitHub team record shall determine the group names in Kubernetes. + + + Can be either "name" or "slug". Defaults to "slug". + + + GitHub team names can contain upper and lower case characters, whitespace, and punctuation (e.g. "Kube admins!"). + + + GitHub team slugs are lower case alphanumeric characters and may contain dashes and underscores (e.g. "kube-admins"). + + + Group names as presented to Kubernetes will always be prefixed by the GitHub organization name followed by a + forward slash (e.g. "my-org/my-team"). GitHub organization login names can only contain alphanumeric characters + or single hyphens, so the first forward slash `/` will be the separator between the organization login name and + the team name or slug. + + + If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's + FederationDomain to further customize how these group names are presented to Kubernetes. + + + See the response schema for + [List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user). + enum: + - name + - slug + type: string + username: + default: login:id + description: |- + Username configures which property of the GitHub user record shall determine the username in Kubernetes. + + + Can be either "id", "login", or "login:id". Defaults to "login:id". + + + GitHub's user login attributes can only contain alphanumeric characters and non-repeating hyphens, + and may not start or end with hyphens. GitHub users are allowed to change their login name, + although it is inconvenient. If a GitHub user changed their login name from "foo" to "bar", + then a second user might change their name from "baz" to "foo" in order to take the old + username of the first user. For this reason, it is not as safe to make authorization decisions + based only on the user's login attribute. + + + If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's + FederationDomain to further customize how these usernames are presented to Kubernetes. + + + Defaults to "login:id", which is the user login attribute, followed by a colon, followed by the unique and + unchanging integer ID number attribute. This blends human-readable login names with the unchanging ID value + from GitHub. Note that colons are not allowed in GitHub login attributes or ID numbers, so the colon in the + "login:id" name will always be the login:id separator colon. + + + See the response schema for + [Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user). + enum: + - id + - login + - login:id + type: string + required: + - groups + - username + type: object + client: + description: Client identifies the secret with credentials for a GitHub + App or GitHub OAuth2 App (a GitHub client). + properties: + secretName: + description: |- + SecretName contains the name of a namespace-local Secret object that provides the clientID and + clientSecret for an GitHub App or GitHub OAuth2 client. + + + This secret must be of type "secrets.pinniped.dev/github-client" with keys "clientID" and "clientSecret". + type: string + required: + - secretName + type: object + gitHubAPI: + default: {} + description: GitHubApi allows configuration for GitHub Enterprise + Server + properties: + host: + default: github.com + description: |- + Host is required only for GitHub Enterprise Server. + Defaults to using GitHub's public API (github.com). + type: string + tls: + description: TLS configuration for GitHub Enterprise Server. + properties: + certificateAuthorityData: + description: X.509 Certificate Authority (base64-encoded PEM + bundle). If omitted, a default set of system roots will + be trusted. + type: string + type: object + type: object + gitHubOrganizationLoginPolicy: + default: AllowedOrganizationsOnly + description: |- + GitHubOrganizationLoginPolicy must be set to "AllOrganizationsAllowed" if allowedOrganizations is empty. + + + This field only exists to ensure that Pinniped administrators are aware that an empty list of + allowedOrganizations means all GitHub users are allowed to log in. + enum: + - AllowedOrganizationsOnly + - AllOrganizationsAllowed + type: string + required: + - client + type: object + status: + description: Status of the identity provider. + properties: + conditions: + description: Conditions represents the observations of an identity + provider's current state. + items: + description: "Condition contains details for one aspect of the current + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + phase: + default: Pending + description: Phase summarizes the overall status of the GitHubIdentityProvider. + enum: + - Pending + - Ready + - Error + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/generated/1.24/README.adoc b/generated/1.24/README.adoc index 89c550839f..29dfa83ae6 100644 --- a/generated/1.24/README.adoc +++ b/generated/1.24/README.adoc @@ -1366,6 +1366,199 @@ Status of an Active Directory identity provider. |=== +[id="{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githubapiconfig"] +==== GitHubAPIConfig + +GitHubAPIConfig allows configuration for GitHub Enterprise Server + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githubidentityproviderspec[$$GitHubIdentityProviderSpec$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`host`* __string__ | Host is required only for GitHub Enterprise Server. Defaults to using GitHub's public API (github.com). +| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-tlsspec[$$TLSSpec$$]__ | TLS configuration for GitHub Enterprise Server. +|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githubclaims"] +==== GitHubClaims + +GitHubClaims allows customization of the username and groups claims + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githubidentityproviderspec[$$GitHubIdentityProviderSpec$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`username`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githubusernameattribute[$$GitHubUsernameAttribute$$]__ | Username configures which property of the GitHub user record shall determine the username in Kubernetes. + + +Can be either "id", "login", or "login:id". Defaults to "login:id". + + +GitHub's user login attributes can only contain alphanumeric characters and non-repeating hyphens, and may not start or end with hyphens. GitHub users are allowed to change their login name, although it is inconvenient. If a GitHub user changed their login name from "foo" to "bar", then a second user might change their name from "baz" to "foo" in order to take the old username of the first user. For this reason, it is not as safe to make authorization decisions based only on the user's login attribute. + + +If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's FederationDomain to further customize how these usernames are presented to Kubernetes. + + +Defaults to "login:id", which is the user login attribute, followed by a colon, followed by the unique and unchanging integer ID number attribute. This blends human-readable login names with the unchanging ID value from GitHub. Note that colons are not allowed in GitHub login attributes or ID numbers, so the colon in the "login:id" name will always be the login:id separator colon. + + +See the response schema for [Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user). +| *`groups`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githubgroupnameattribute[$$GitHubGroupNameAttribute$$]__ | Groups configures which property of the GitHub team record shall determine the group names in Kubernetes. + + +Can be either "name" or "slug". Defaults to "slug". + + +GitHub team names can contain upper and lower case characters, whitespace, and punctuation (e.g. "Kube admins!"). + + +GitHub team slugs are lower case alphanumeric characters and may contain dashes and underscores (e.g. "kube-admins"). + + +Group names as presented to Kubernetes will always be prefixed by the GitHub organization name followed by a forward slash (e.g. "my-org/my-team"). GitHub organization login names can only contain alphanumeric characters or single hyphens, so the first forward slash `/` will be the separator between the organization login name and the team name or slug. + + +If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's FederationDomain to further customize how these group names are presented to Kubernetes. + + +See the response schema for [List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user). +|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githubclientspec"] +==== GitHubClientSpec + +GitHubClientSpec contains information about the GitHub client that this identity provider will use for web-based login flows. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githubidentityproviderspec[$$GitHubIdentityProviderSpec$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`secretName`* __string__ | SecretName contains the name of a namespace-local Secret object that provides the clientID and clientSecret for an GitHub App or GitHub OAuth2 client. + + +This secret must be of type "secrets.pinniped.dev/github-client" with keys "clientID" and "clientSecret". +|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githubgroupnameattribute"] +==== GitHubGroupNameAttribute (string) + +GitHubGroupNameAttribute allows the user to specify which attribute from GitHub to use for the downstream group names. See the response schema for [List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user). + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githubclaims[$$GitHubClaims$$] +**** + + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githubidentityprovider"] +==== GitHubIdentityProvider + +GitHubIdentityProvider describes the configuration of an upstream GitHub identity provider. This upstream provider can be configured with either a GitHub App or a GitHub OAuth2 App. + Right now, only web-based logins are supported, for both the pinniped-cli client and clients configured as OIDCClients. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githubidentityproviderlist[$$GitHubIdentityProviderList$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`. + +| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githubidentityproviderspec[$$GitHubIdentityProviderSpec$$]__ | Spec for configuring the identity provider. +| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githubidentityproviderstatus[$$GitHubIdentityProviderStatus$$]__ | Status of the identity provider. +|=== + + + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githubidentityproviderphase"] +==== GitHubIdentityProviderPhase (string) + + + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githubidentityproviderstatus[$$GitHubIdentityProviderStatus$$] +**** + + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githubidentityproviderspec"] +==== GitHubIdentityProviderSpec + +GitHubIdentityProviderSpec is the spec for configuring an GitHub identity provider. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githubidentityprovider[$$GitHubIdentityProvider$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`gitHubAPI`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githubapiconfig[$$GitHubAPIConfig$$]__ | GitHubApi allows configuration for GitHub Enterprise Server +| *`claims`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githubclaims[$$GitHubClaims$$]__ | Claims allows customization of the username and groups claims +| *`allowedOrganizations`* __string array__ | AllowedOrganizations, when specified, indicates that only users with membership in at least one of the listed GitHub organizations may log in. In addition, the group membership presented to Kubernetes will only include teams within the listed GitHub organizations. Additional login rules or group filtering can optionally be provided as policy expression on any Pinniped Supervisor FederationDomain that includes this IDP. + + +The configured GitHub App or GitHub OAuth App must be allowed to see membership in the listed organizations, otherwise Pinniped will not be aware that the user belongs to the listed organization or any teams within that organization. + + +If no organizations are listed, you must set gitHubOrganizationLoginPolicy: AllOrganizationsAllowed +| *`gitHubOrganizationLoginPolicy`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githuborganizationloginpolicy[$$GitHubOrganizationLoginPolicy$$]__ | GitHubOrganizationLoginPolicy must be set to "AllOrganizationsAllowed" if allowedOrganizations is empty. + + +This field only exists to ensure that Pinniped administrators are aware that an empty list of allowedOrganizations means all GitHub users are allowed to log in. +| *`client`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githubclientspec[$$GitHubClientSpec$$]__ | Client identifies the secret with credentials for a GitHub App or GitHub OAuth2 App (a GitHub client). +|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githubidentityproviderstatus"] +==== GitHubIdentityProviderStatus + +GitHubIdentityProviderStatus is the status of an GitHub identity provider. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githubidentityprovider[$$GitHubIdentityProvider$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`phase`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githubidentityproviderphase[$$GitHubIdentityProviderPhase$$]__ | Phase summarizes the overall status of the GitHubIdentityProvider. +| *`conditions`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#condition-v1-meta[$$Condition$$] array__ | Conditions represents the observations of an identity provider's current state. +|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githuborganizationloginpolicy"] +==== GitHubOrganizationLoginPolicy (string) + + + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githubidentityproviderspec[$$GitHubIdentityProviderSpec$$] +**** + + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githubusernameattribute"] +==== GitHubUsernameAttribute (string) + +GitHubUsernameAttribute allows the user to specify which attribute(s) from GitHub to use for the downstream username. See the response schema for [Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user). + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githubclaims[$$GitHubClaims$$] +**** + + + [id="{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-ldapidentityprovider"] ==== LDAPIdentityProvider @@ -1686,11 +1879,12 @@ Parameter is a key/value pair which represents a parameter in an HTTP request. [id="{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-tlsspec"] ==== TLSSpec -Configuration for TLS parameters related to identity provider integration. +TLSSpec provides TLS configuration for identity provider integration. .Appears In: **** - xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-activedirectoryidentityproviderspec[$$ActiveDirectoryIdentityProviderSpec$$] +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githubapiconfig[$$GitHubAPIConfig$$] - xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-ldapidentityproviderspec[$$LDAPIdentityProviderSpec$$] - xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-oidcidentityproviderspec[$$OIDCIdentityProviderSpec$$] **** diff --git a/generated/1.24/apis/supervisor/idp/v1alpha1/register.go b/generated/1.24/apis/supervisor/idp/v1alpha1/register.go index 8829a86385..705be8076c 100644 --- a/generated/1.24/apis/supervisor/idp/v1alpha1/register.go +++ b/generated/1.24/apis/supervisor/idp/v1alpha1/register.go @@ -1,4 +1,4 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 package v1alpha1 @@ -36,6 +36,8 @@ func addKnownTypes(scheme *runtime.Scheme) error { &LDAPIdentityProviderList{}, &ActiveDirectoryIdentityProvider{}, &ActiveDirectoryIdentityProviderList{}, + &GitHubIdentityProvider{}, + &GitHubIdentityProviderList{}, ) metav1.AddToGroupVersion(scheme, SchemeGroupVersion) return nil diff --git a/generated/1.24/apis/supervisor/idp/v1alpha1/types_githubidentityprovider.go b/generated/1.24/apis/supervisor/idp/v1alpha1/types_githubidentityprovider.go new file mode 100644 index 0000000000..92bd19724b --- /dev/null +++ b/generated/1.24/apis/supervisor/idp/v1alpha1/types_githubidentityprovider.go @@ -0,0 +1,231 @@ +// Copyright 2024 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +package v1alpha1 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" +) + +type GitHubIdentityProviderPhase string + +const ( + // GitHubPhasePending is the default phase for newly-created GitHubIdentityProvider resources. + GitHubPhasePending GitHubIdentityProviderPhase = "Pending" + + // GitHubPhaseReady is the phase for an GitHubIdentityProvider resource in a healthy state. + GitHubPhaseReady GitHubIdentityProviderPhase = "Ready" + + // GitHubPhaseError is the phase for an GitHubIdentityProvider in an unhealthy state. + GitHubPhaseError GitHubIdentityProviderPhase = "Error" +) + +type GitHubOrganizationLoginPolicy string + +const ( + // GitHubOrganizationLoginPolicyAllOrgsAllowed means any GitHub user is allowed to log in using this identity + // provider, regardless of their organization membership or lack thereof. + GitHubOrganizationLoginPolicyAllOrgsAllowed GitHubOrganizationLoginPolicy = "AllOrganizationsAllowed" + + // GitHubOrganizationLoginPolicyAllowedOrgsOnly means only those users with membership in the listed GitHub + // organizations are allowed to log in. + GitHubOrganizationLoginPolicyAllowedOrgsOnly GitHubOrganizationLoginPolicy = "AllowedOrganizationsOnly" +) + +// GitHubIdentityProviderStatus is the status of an GitHub identity provider. +type GitHubIdentityProviderStatus struct { + // Phase summarizes the overall status of the GitHubIdentityProvider. + // + // +kubebuilder:default=Pending + // +kubebuilder:validation:Enum=Pending;Ready;Error + Phase GitHubIdentityProviderPhase `json:"phase,omitempty"` + + // Conditions represents the observations of an identity provider's current state. + // + // +patchMergeKey=type + // +patchStrategy=merge + // +listType=map + // +listMapKey=type + Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"` +} + +// GitHubAPIConfig allows configuration for GitHub Enterprise Server +type GitHubAPIConfig struct { + // Host is required only for GitHub Enterprise Server. + // Defaults to using GitHub's public API (github.com). + // + // +kubebuilder:default="github.com" + // +optional + Host string `json:"host"` + + // TLS configuration for GitHub Enterprise Server. + // + // +optional + TLS *TLSSpec `json:"tls,omitempty"` +} + +// GitHubUsernameAttribute allows the user to specify which attribute(s) from GitHub to use for the downstream username. +// See the response schema for +// [Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user). +type GitHubUsernameAttribute string + +const ( + // GitHubUsernameID specifies using the `id` attribute from the GitHub user as the downstream username. + GitHubUsernameID GitHubUsernameAttribute = "id" + + // GitHubUsernameLogin specifies using the `login` attribute from the GitHub user as the downstream username. + GitHubUsernameLogin GitHubUsernameAttribute = "login" + + // GitHubUsernameLoginAndID specifies combining the `login` and `id` attributes from the GitHub user as the + // downstream username, separated by a colon. Example: "my-login:1234" + GitHubUsernameLoginAndID GitHubUsernameAttribute = "login:id" +) + +// GitHubGroupNameAttribute allows the user to specify which attribute from GitHub to use for the downstream group +// names. See the response schema for +// [List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user). +type GitHubGroupNameAttribute string + +const ( + // GitHubUseTeamNameForGrouypName specifies using the GitHub team's `name` attribute as the downstream group name. + GitHubUseTeamNameForGrouypName GitHubGroupNameAttribute = "name" + + // GitHubUseTeamSlugForGroupName specifies using the GitHub team's `slug` attribute as the downstream group name. + GitHubUseTeamSlugForGroupName GitHubGroupNameAttribute = "slug" +) + +// GitHubClaims allows customization of the username and groups claims +type GitHubClaims struct { + // Username configures which property of the GitHub user record shall determine the username in Kubernetes. + // + // Can be either "id", "login", or "login:id". Defaults to "login:id". + // + // GitHub's user login attributes can only contain alphanumeric characters and non-repeating hyphens, + // and may not start or end with hyphens. GitHub users are allowed to change their login name, + // although it is inconvenient. If a GitHub user changed their login name from "foo" to "bar", + // then a second user might change their name from "baz" to "foo" in order to take the old + // username of the first user. For this reason, it is not as safe to make authorization decisions + // based only on the user's login attribute. + // + // If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's + // FederationDomain to further customize how these usernames are presented to Kubernetes. + // + // Defaults to "login:id", which is the user login attribute, followed by a colon, followed by the unique and + // unchanging integer ID number attribute. This blends human-readable login names with the unchanging ID value + // from GitHub. Note that colons are not allowed in GitHub login attributes or ID numbers, so the colon in the + // "login:id" name will always be the login:id separator colon. + // + // See the response schema for + // [Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user). + // + // +kubebuilder:default="login:id" + // +kubebuilder:validation:Enum={"id","login","login:id"} + Username GitHubUsernameAttribute `json:"username"` + + // Groups configures which property of the GitHub team record shall determine the group names in Kubernetes. + // + // Can be either "name" or "slug". Defaults to "slug". + // + // GitHub team names can contain upper and lower case characters, whitespace, and punctuation (e.g. "Kube admins!"). + // + // GitHub team slugs are lower case alphanumeric characters and may contain dashes and underscores (e.g. "kube-admins"). + // + // Group names as presented to Kubernetes will always be prefixed by the GitHub organization name followed by a + // forward slash (e.g. "my-org/my-team"). GitHub organization login names can only contain alphanumeric characters + // or single hyphens, so the first forward slash `/` will be the separator between the organization login name and + // the team name or slug. + // + // If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's + // FederationDomain to further customize how these group names are presented to Kubernetes. + // + // See the response schema for + // [List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user). + // + // +kubebuilder:default=slug + // +kubebuilder:validation:Enum=name;slug + Groups GitHubGroupNameAttribute `json:"groups"` +} + +// GitHubClientSpec contains information about the GitHub client that this identity provider will use +// for web-based login flows. +type GitHubClientSpec struct { + // SecretName contains the name of a namespace-local Secret object that provides the clientID and + // clientSecret for an GitHub App or GitHub OAuth2 client. + // + // This secret must be of type "secrets.pinniped.dev/github-client" with keys "clientID" and "clientSecret". + SecretName string `json:"secretName"` +} + +// GitHubIdentityProviderSpec is the spec for configuring an GitHub identity provider. +type GitHubIdentityProviderSpec struct { + // GitHubApi allows configuration for GitHub Enterprise Server + // + // +kubebuilder:default={} + GitHubApi GitHubAPIConfig `json:"gitHubAPI,omitempty"` + + // Claims allows customization of the username and groups claims + // + // +optional + Claims GitHubClaims `json:"claims,omitempty"` + + // AllowedOrganizations, when specified, indicates that only users with membership in at least one of the listed + // GitHub organizations may log in. In addition, the group membership presented to Kubernetes will only include + // teams within the listed GitHub organizations. Additional login rules or group filtering can optionally be + // provided as policy expression on any Pinniped Supervisor FederationDomain that includes this IDP. + // + // The configured GitHub App or GitHub OAuth App must be allowed to see membership in the listed organizations, + // otherwise Pinniped will not be aware that the user belongs to the listed organization or any teams + // within that organization. + // + // If no organizations are listed, you must set gitHubOrganizationLoginPolicy: AllOrganizationsAllowed + // + // +optional + AllowedOrganizations []string `json:"allowedOrganizations,omitempty"` + + // GitHubOrganizationLoginPolicy must be set to "AllOrganizationsAllowed" if allowedOrganizations is empty. + // + // This field only exists to ensure that Pinniped administrators are aware that an empty list of + // allowedOrganizations means all GitHub users are allowed to log in. + // + // +kubebuilder:default=AllowedOrganizationsOnly + // +kubebuilder:validation:Enum=AllowedOrganizationsOnly;AllOrganizationsAllowed + // +optional + GitHubOrganizationLoginPolicy GitHubOrganizationLoginPolicy `json:"gitHubOrganizationLoginPolicy"` + + // Client identifies the secret with credentials for a GitHub App or GitHub OAuth2 App (a GitHub client). + Client GitHubClientSpec `json:"client"` +} + +// GitHubIdentityProvider describes the configuration of an upstream GitHub identity provider. +// This upstream provider can be configured with either a GitHub App or a GitHub OAuth2 App. +// +// Right now, only web-based logins are supported, for both the pinniped-cli client and clients configured +// as OIDCClients. +// +// +genclient +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +// +kubebuilder:resource:categories=pinniped;pinniped-idp;pinniped-idps +// +kubebuilder:printcolumn:name="Host",type=string,JSONPath=`.spec.gitHubAPI.host` +// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.phase` +// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp` +// +kubebuilder:subresource:status +type GitHubIdentityProvider struct { + metav1.TypeMeta `json:",inline"` + metav1.ObjectMeta `json:"metadata,omitempty"` + + // Spec for configuring the identity provider. + Spec GitHubIdentityProviderSpec `json:"spec"` + + // Status of the identity provider. + Status GitHubIdentityProviderStatus `json:"status,omitempty"` +} + +// GitHubIdentityProviderList lists GitHubIdentityProvider objects. +// +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +type GitHubIdentityProviderList struct { + metav1.TypeMeta `json:",inline"` + metav1.ListMeta `json:"metadata,omitempty"` + + Items []GitHubIdentityProvider `json:"items"` +} diff --git a/generated/1.24/apis/supervisor/idp/v1alpha1/types_tls.go b/generated/1.24/apis/supervisor/idp/v1alpha1/types_tls.go index 1413a262cc..49b49373cd 100644 --- a/generated/1.24/apis/supervisor/idp/v1alpha1/types_tls.go +++ b/generated/1.24/apis/supervisor/idp/v1alpha1/types_tls.go @@ -1,9 +1,9 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 package v1alpha1 -// Configuration for TLS parameters related to identity provider integration. +// TLSSpec provides TLS configuration for identity provider integration. type TLSSpec struct { // X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted. // +optional diff --git a/generated/1.24/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go b/generated/1.24/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go index b0cb168b54..724643e7c2 100644 --- a/generated/1.24/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go +++ b/generated/1.24/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go @@ -203,6 +203,167 @@ func (in *ActiveDirectoryIdentityProviderUserSearchAttributes) DeepCopy() *Activ return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *GitHubAPIConfig) DeepCopyInto(out *GitHubAPIConfig) { + *out = *in + if in.TLS != nil { + in, out := &in.TLS, &out.TLS + *out = new(TLSSpec) + **out = **in + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubAPIConfig. +func (in *GitHubAPIConfig) DeepCopy() *GitHubAPIConfig { + if in == nil { + return nil + } + out := new(GitHubAPIConfig) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *GitHubClaims) DeepCopyInto(out *GitHubClaims) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubClaims. +func (in *GitHubClaims) DeepCopy() *GitHubClaims { + if in == nil { + return nil + } + out := new(GitHubClaims) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *GitHubClientSpec) DeepCopyInto(out *GitHubClientSpec) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubClientSpec. +func (in *GitHubClientSpec) DeepCopy() *GitHubClientSpec { + if in == nil { + return nil + } + out := new(GitHubClientSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *GitHubIdentityProvider) DeepCopyInto(out *GitHubIdentityProvider) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + in.Spec.DeepCopyInto(&out.Spec) + in.Status.DeepCopyInto(&out.Status) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubIdentityProvider. +func (in *GitHubIdentityProvider) DeepCopy() *GitHubIdentityProvider { + if in == nil { + return nil + } + out := new(GitHubIdentityProvider) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *GitHubIdentityProvider) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *GitHubIdentityProviderList) DeepCopyInto(out *GitHubIdentityProviderList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]GitHubIdentityProvider, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubIdentityProviderList. +func (in *GitHubIdentityProviderList) DeepCopy() *GitHubIdentityProviderList { + if in == nil { + return nil + } + out := new(GitHubIdentityProviderList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *GitHubIdentityProviderList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *GitHubIdentityProviderSpec) DeepCopyInto(out *GitHubIdentityProviderSpec) { + *out = *in + in.GitHubApi.DeepCopyInto(&out.GitHubApi) + out.Claims = in.Claims + if in.AllowedOrganizations != nil { + in, out := &in.AllowedOrganizations, &out.AllowedOrganizations + *out = make([]string, len(*in)) + copy(*out, *in) + } + out.Client = in.Client + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubIdentityProviderSpec. +func (in *GitHubIdentityProviderSpec) DeepCopy() *GitHubIdentityProviderSpec { + if in == nil { + return nil + } + out := new(GitHubIdentityProviderSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *GitHubIdentityProviderStatus) DeepCopyInto(out *GitHubIdentityProviderStatus) { + *out = *in + if in.Conditions != nil { + in, out := &in.Conditions, &out.Conditions + *out = make([]v1.Condition, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubIdentityProviderStatus. +func (in *GitHubIdentityProviderStatus) DeepCopy() *GitHubIdentityProviderStatus { + if in == nil { + return nil + } + out := new(GitHubIdentityProviderStatus) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *LDAPIdentityProvider) DeepCopyInto(out *LDAPIdentityProvider) { *out = *in diff --git a/generated/1.24/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_githubidentityprovider.go b/generated/1.24/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_githubidentityprovider.go new file mode 100644 index 0000000000..d93e826c1f --- /dev/null +++ b/generated/1.24/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_githubidentityprovider.go @@ -0,0 +1,129 @@ +// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package fake + +import ( + "context" + + v1alpha1 "go.pinniped.dev/generated/1.24/apis/supervisor/idp/v1alpha1" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + labels "k8s.io/apimachinery/pkg/labels" + schema "k8s.io/apimachinery/pkg/runtime/schema" + types "k8s.io/apimachinery/pkg/types" + watch "k8s.io/apimachinery/pkg/watch" + testing "k8s.io/client-go/testing" +) + +// FakeGitHubIdentityProviders implements GitHubIdentityProviderInterface +type FakeGitHubIdentityProviders struct { + Fake *FakeIDPV1alpha1 + ns string +} + +var githubidentityprovidersResource = schema.GroupVersionResource{Group: "idp.supervisor.pinniped.dev", Version: "v1alpha1", Resource: "githubidentityproviders"} + +var githubidentityprovidersKind = schema.GroupVersionKind{Group: "idp.supervisor.pinniped.dev", Version: "v1alpha1", Kind: "GitHubIdentityProvider"} + +// Get takes name of the gitHubIdentityProvider, and returns the corresponding gitHubIdentityProvider object, and an error if there is any. +func (c *FakeGitHubIdentityProviders) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.GitHubIdentityProvider, err error) { + obj, err := c.Fake. + Invokes(testing.NewGetAction(githubidentityprovidersResource, c.ns, name), &v1alpha1.GitHubIdentityProvider{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.GitHubIdentityProvider), err +} + +// List takes label and field selectors, and returns the list of GitHubIdentityProviders that match those selectors. +func (c *FakeGitHubIdentityProviders) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.GitHubIdentityProviderList, err error) { + obj, err := c.Fake. + Invokes(testing.NewListAction(githubidentityprovidersResource, githubidentityprovidersKind, c.ns, opts), &v1alpha1.GitHubIdentityProviderList{}) + + if obj == nil { + return nil, err + } + + label, _, _ := testing.ExtractFromListOptions(opts) + if label == nil { + label = labels.Everything() + } + list := &v1alpha1.GitHubIdentityProviderList{ListMeta: obj.(*v1alpha1.GitHubIdentityProviderList).ListMeta} + for _, item := range obj.(*v1alpha1.GitHubIdentityProviderList).Items { + if label.Matches(labels.Set(item.Labels)) { + list.Items = append(list.Items, item) + } + } + return list, err +} + +// Watch returns a watch.Interface that watches the requested gitHubIdentityProviders. +func (c *FakeGitHubIdentityProviders) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) { + return c.Fake. + InvokesWatch(testing.NewWatchAction(githubidentityprovidersResource, c.ns, opts)) + +} + +// Create takes the representation of a gitHubIdentityProvider and creates it. Returns the server's representation of the gitHubIdentityProvider, and an error, if there is any. +func (c *FakeGitHubIdentityProviders) Create(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.CreateOptions) (result *v1alpha1.GitHubIdentityProvider, err error) { + obj, err := c.Fake. + Invokes(testing.NewCreateAction(githubidentityprovidersResource, c.ns, gitHubIdentityProvider), &v1alpha1.GitHubIdentityProvider{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.GitHubIdentityProvider), err +} + +// Update takes the representation of a gitHubIdentityProvider and updates it. Returns the server's representation of the gitHubIdentityProvider, and an error, if there is any. +func (c *FakeGitHubIdentityProviders) Update(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.UpdateOptions) (result *v1alpha1.GitHubIdentityProvider, err error) { + obj, err := c.Fake. + Invokes(testing.NewUpdateAction(githubidentityprovidersResource, c.ns, gitHubIdentityProvider), &v1alpha1.GitHubIdentityProvider{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.GitHubIdentityProvider), err +} + +// UpdateStatus was generated because the type contains a Status member. +// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus(). +func (c *FakeGitHubIdentityProviders) UpdateStatus(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.UpdateOptions) (*v1alpha1.GitHubIdentityProvider, error) { + obj, err := c.Fake. + Invokes(testing.NewUpdateSubresourceAction(githubidentityprovidersResource, "status", c.ns, gitHubIdentityProvider), &v1alpha1.GitHubIdentityProvider{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.GitHubIdentityProvider), err +} + +// Delete takes name of the gitHubIdentityProvider and deletes it. Returns an error if one occurs. +func (c *FakeGitHubIdentityProviders) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error { + _, err := c.Fake. + Invokes(testing.NewDeleteActionWithOptions(githubidentityprovidersResource, c.ns, name, opts), &v1alpha1.GitHubIdentityProvider{}) + + return err +} + +// DeleteCollection deletes a collection of objects. +func (c *FakeGitHubIdentityProviders) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error { + action := testing.NewDeleteCollectionAction(githubidentityprovidersResource, c.ns, listOpts) + + _, err := c.Fake.Invokes(action, &v1alpha1.GitHubIdentityProviderList{}) + return err +} + +// Patch applies the patch and returns the patched gitHubIdentityProvider. +func (c *FakeGitHubIdentityProviders) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.GitHubIdentityProvider, err error) { + obj, err := c.Fake. + Invokes(testing.NewPatchSubresourceAction(githubidentityprovidersResource, c.ns, name, pt, data, subresources...), &v1alpha1.GitHubIdentityProvider{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.GitHubIdentityProvider), err +} diff --git a/generated/1.24/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_idp_client.go b/generated/1.24/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_idp_client.go index c4da0d643a..daa1387839 100644 --- a/generated/1.24/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_idp_client.go +++ b/generated/1.24/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_idp_client.go @@ -19,6 +19,10 @@ func (c *FakeIDPV1alpha1) ActiveDirectoryIdentityProviders(namespace string) v1a return &FakeActiveDirectoryIdentityProviders{c, namespace} } +func (c *FakeIDPV1alpha1) GitHubIdentityProviders(namespace string) v1alpha1.GitHubIdentityProviderInterface { + return &FakeGitHubIdentityProviders{c, namespace} +} + func (c *FakeIDPV1alpha1) LDAPIdentityProviders(namespace string) v1alpha1.LDAPIdentityProviderInterface { return &FakeLDAPIdentityProviders{c, namespace} } diff --git a/generated/1.24/client/supervisor/clientset/versioned/typed/idp/v1alpha1/generated_expansion.go b/generated/1.24/client/supervisor/clientset/versioned/typed/idp/v1alpha1/generated_expansion.go index 79be098d6c..a7acc8120f 100644 --- a/generated/1.24/client/supervisor/clientset/versioned/typed/idp/v1alpha1/generated_expansion.go +++ b/generated/1.24/client/supervisor/clientset/versioned/typed/idp/v1alpha1/generated_expansion.go @@ -7,6 +7,8 @@ package v1alpha1 type ActiveDirectoryIdentityProviderExpansion interface{} +type GitHubIdentityProviderExpansion interface{} + type LDAPIdentityProviderExpansion interface{} type OIDCIdentityProviderExpansion interface{} diff --git a/generated/1.24/client/supervisor/clientset/versioned/typed/idp/v1alpha1/githubidentityprovider.go b/generated/1.24/client/supervisor/clientset/versioned/typed/idp/v1alpha1/githubidentityprovider.go new file mode 100644 index 0000000000..2ee66b57f4 --- /dev/null +++ b/generated/1.24/client/supervisor/clientset/versioned/typed/idp/v1alpha1/githubidentityprovider.go @@ -0,0 +1,182 @@ +// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + "context" + "time" + + v1alpha1 "go.pinniped.dev/generated/1.24/apis/supervisor/idp/v1alpha1" + scheme "go.pinniped.dev/generated/1.24/client/supervisor/clientset/versioned/scheme" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + types "k8s.io/apimachinery/pkg/types" + watch "k8s.io/apimachinery/pkg/watch" + rest "k8s.io/client-go/rest" +) + +// GitHubIdentityProvidersGetter has a method to return a GitHubIdentityProviderInterface. +// A group's client should implement this interface. +type GitHubIdentityProvidersGetter interface { + GitHubIdentityProviders(namespace string) GitHubIdentityProviderInterface +} + +// GitHubIdentityProviderInterface has methods to work with GitHubIdentityProvider resources. +type GitHubIdentityProviderInterface interface { + Create(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.CreateOptions) (*v1alpha1.GitHubIdentityProvider, error) + Update(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.UpdateOptions) (*v1alpha1.GitHubIdentityProvider, error) + UpdateStatus(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.UpdateOptions) (*v1alpha1.GitHubIdentityProvider, error) + Delete(ctx context.Context, name string, opts v1.DeleteOptions) error + DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error + Get(ctx context.Context, name string, opts v1.GetOptions) (*v1alpha1.GitHubIdentityProvider, error) + List(ctx context.Context, opts v1.ListOptions) (*v1alpha1.GitHubIdentityProviderList, error) + Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) + Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.GitHubIdentityProvider, err error) + GitHubIdentityProviderExpansion +} + +// gitHubIdentityProviders implements GitHubIdentityProviderInterface +type gitHubIdentityProviders struct { + client rest.Interface + ns string +} + +// newGitHubIdentityProviders returns a GitHubIdentityProviders +func newGitHubIdentityProviders(c *IDPV1alpha1Client, namespace string) *gitHubIdentityProviders { + return &gitHubIdentityProviders{ + client: c.RESTClient(), + ns: namespace, + } +} + +// Get takes name of the gitHubIdentityProvider, and returns the corresponding gitHubIdentityProvider object, and an error if there is any. +func (c *gitHubIdentityProviders) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.GitHubIdentityProvider, err error) { + result = &v1alpha1.GitHubIdentityProvider{} + err = c.client.Get(). + Namespace(c.ns). + Resource("githubidentityproviders"). + Name(name). + VersionedParams(&options, scheme.ParameterCodec). + Do(ctx). + Into(result) + return +} + +// List takes label and field selectors, and returns the list of GitHubIdentityProviders that match those selectors. +func (c *gitHubIdentityProviders) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.GitHubIdentityProviderList, err error) { + var timeout time.Duration + if opts.TimeoutSeconds != nil { + timeout = time.Duration(*opts.TimeoutSeconds) * time.Second + } + result = &v1alpha1.GitHubIdentityProviderList{} + err = c.client.Get(). + Namespace(c.ns). + Resource("githubidentityproviders"). + VersionedParams(&opts, scheme.ParameterCodec). + Timeout(timeout). + Do(ctx). + Into(result) + return +} + +// Watch returns a watch.Interface that watches the requested gitHubIdentityProviders. +func (c *gitHubIdentityProviders) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) { + var timeout time.Duration + if opts.TimeoutSeconds != nil { + timeout = time.Duration(*opts.TimeoutSeconds) * time.Second + } + opts.Watch = true + return c.client.Get(). + Namespace(c.ns). + Resource("githubidentityproviders"). + VersionedParams(&opts, scheme.ParameterCodec). + Timeout(timeout). + Watch(ctx) +} + +// Create takes the representation of a gitHubIdentityProvider and creates it. Returns the server's representation of the gitHubIdentityProvider, and an error, if there is any. +func (c *gitHubIdentityProviders) Create(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.CreateOptions) (result *v1alpha1.GitHubIdentityProvider, err error) { + result = &v1alpha1.GitHubIdentityProvider{} + err = c.client.Post(). + Namespace(c.ns). + Resource("githubidentityproviders"). + VersionedParams(&opts, scheme.ParameterCodec). + Body(gitHubIdentityProvider). + Do(ctx). + Into(result) + return +} + +// Update takes the representation of a gitHubIdentityProvider and updates it. Returns the server's representation of the gitHubIdentityProvider, and an error, if there is any. +func (c *gitHubIdentityProviders) Update(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.UpdateOptions) (result *v1alpha1.GitHubIdentityProvider, err error) { + result = &v1alpha1.GitHubIdentityProvider{} + err = c.client.Put(). + Namespace(c.ns). + Resource("githubidentityproviders"). + Name(gitHubIdentityProvider.Name). + VersionedParams(&opts, scheme.ParameterCodec). + Body(gitHubIdentityProvider). + Do(ctx). + Into(result) + return +} + +// UpdateStatus was generated because the type contains a Status member. +// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus(). +func (c *gitHubIdentityProviders) UpdateStatus(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.UpdateOptions) (result *v1alpha1.GitHubIdentityProvider, err error) { + result = &v1alpha1.GitHubIdentityProvider{} + err = c.client.Put(). + Namespace(c.ns). + Resource("githubidentityproviders"). + Name(gitHubIdentityProvider.Name). + SubResource("status"). + VersionedParams(&opts, scheme.ParameterCodec). + Body(gitHubIdentityProvider). + Do(ctx). + Into(result) + return +} + +// Delete takes name of the gitHubIdentityProvider and deletes it. Returns an error if one occurs. +func (c *gitHubIdentityProviders) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error { + return c.client.Delete(). + Namespace(c.ns). + Resource("githubidentityproviders"). + Name(name). + Body(&opts). + Do(ctx). + Error() +} + +// DeleteCollection deletes a collection of objects. +func (c *gitHubIdentityProviders) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error { + var timeout time.Duration + if listOpts.TimeoutSeconds != nil { + timeout = time.Duration(*listOpts.TimeoutSeconds) * time.Second + } + return c.client.Delete(). + Namespace(c.ns). + Resource("githubidentityproviders"). + VersionedParams(&listOpts, scheme.ParameterCodec). + Timeout(timeout). + Body(&opts). + Do(ctx). + Error() +} + +// Patch applies the patch and returns the patched gitHubIdentityProvider. +func (c *gitHubIdentityProviders) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.GitHubIdentityProvider, err error) { + result = &v1alpha1.GitHubIdentityProvider{} + err = c.client.Patch(pt). + Namespace(c.ns). + Resource("githubidentityproviders"). + Name(name). + SubResource(subresources...). + VersionedParams(&opts, scheme.ParameterCodec). + Body(data). + Do(ctx). + Into(result) + return +} diff --git a/generated/1.24/client/supervisor/clientset/versioned/typed/idp/v1alpha1/idp_client.go b/generated/1.24/client/supervisor/clientset/versioned/typed/idp/v1alpha1/idp_client.go index 697a152c16..8a72bfb692 100644 --- a/generated/1.24/client/supervisor/clientset/versioned/typed/idp/v1alpha1/idp_client.go +++ b/generated/1.24/client/supervisor/clientset/versioned/typed/idp/v1alpha1/idp_client.go @@ -16,6 +16,7 @@ import ( type IDPV1alpha1Interface interface { RESTClient() rest.Interface ActiveDirectoryIdentityProvidersGetter + GitHubIdentityProvidersGetter LDAPIdentityProvidersGetter OIDCIdentityProvidersGetter } @@ -29,6 +30,10 @@ func (c *IDPV1alpha1Client) ActiveDirectoryIdentityProviders(namespace string) A return newActiveDirectoryIdentityProviders(c, namespace) } +func (c *IDPV1alpha1Client) GitHubIdentityProviders(namespace string) GitHubIdentityProviderInterface { + return newGitHubIdentityProviders(c, namespace) +} + func (c *IDPV1alpha1Client) LDAPIdentityProviders(namespace string) LDAPIdentityProviderInterface { return newLDAPIdentityProviders(c, namespace) } diff --git a/generated/1.24/client/supervisor/informers/externalversions/generic.go b/generated/1.24/client/supervisor/informers/externalversions/generic.go index 1a4058e498..2f28e53562 100644 --- a/generated/1.24/client/supervisor/informers/externalversions/generic.go +++ b/generated/1.24/client/supervisor/informers/externalversions/generic.go @@ -49,6 +49,8 @@ func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource // Group=idp.supervisor.pinniped.dev, Version=v1alpha1 case idpv1alpha1.SchemeGroupVersion.WithResource("activedirectoryidentityproviders"): return &genericInformer{resource: resource.GroupResource(), informer: f.IDP().V1alpha1().ActiveDirectoryIdentityProviders().Informer()}, nil + case idpv1alpha1.SchemeGroupVersion.WithResource("githubidentityproviders"): + return &genericInformer{resource: resource.GroupResource(), informer: f.IDP().V1alpha1().GitHubIdentityProviders().Informer()}, nil case idpv1alpha1.SchemeGroupVersion.WithResource("ldapidentityproviders"): return &genericInformer{resource: resource.GroupResource(), informer: f.IDP().V1alpha1().LDAPIdentityProviders().Informer()}, nil case idpv1alpha1.SchemeGroupVersion.WithResource("oidcidentityproviders"): diff --git a/generated/1.24/client/supervisor/informers/externalversions/idp/v1alpha1/githubidentityprovider.go b/generated/1.24/client/supervisor/informers/externalversions/idp/v1alpha1/githubidentityprovider.go new file mode 100644 index 0000000000..c38cf993be --- /dev/null +++ b/generated/1.24/client/supervisor/informers/externalversions/idp/v1alpha1/githubidentityprovider.go @@ -0,0 +1,77 @@ +// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by informer-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + "context" + time "time" + + idpv1alpha1 "go.pinniped.dev/generated/1.24/apis/supervisor/idp/v1alpha1" + versioned "go.pinniped.dev/generated/1.24/client/supervisor/clientset/versioned" + internalinterfaces "go.pinniped.dev/generated/1.24/client/supervisor/informers/externalversions/internalinterfaces" + v1alpha1 "go.pinniped.dev/generated/1.24/client/supervisor/listers/idp/v1alpha1" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + runtime "k8s.io/apimachinery/pkg/runtime" + watch "k8s.io/apimachinery/pkg/watch" + cache "k8s.io/client-go/tools/cache" +) + +// GitHubIdentityProviderInformer provides access to a shared informer and lister for +// GitHubIdentityProviders. +type GitHubIdentityProviderInformer interface { + Informer() cache.SharedIndexInformer + Lister() v1alpha1.GitHubIdentityProviderLister +} + +type gitHubIdentityProviderInformer struct { + factory internalinterfaces.SharedInformerFactory + tweakListOptions internalinterfaces.TweakListOptionsFunc + namespace string +} + +// NewGitHubIdentityProviderInformer constructs a new informer for GitHubIdentityProvider type. +// Always prefer using an informer factory to get a shared informer instead of getting an independent +// one. This reduces memory footprint and number of connections to the server. +func NewGitHubIdentityProviderInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer { + return NewFilteredGitHubIdentityProviderInformer(client, namespace, resyncPeriod, indexers, nil) +} + +// NewFilteredGitHubIdentityProviderInformer constructs a new informer for GitHubIdentityProvider type. +// Always prefer using an informer factory to get a shared informer instead of getting an independent +// one. This reduces memory footprint and number of connections to the server. +func NewFilteredGitHubIdentityProviderInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer { + return cache.NewSharedIndexInformer( + &cache.ListWatch{ + ListFunc: func(options v1.ListOptions) (runtime.Object, error) { + if tweakListOptions != nil { + tweakListOptions(&options) + } + return client.IDPV1alpha1().GitHubIdentityProviders(namespace).List(context.TODO(), options) + }, + WatchFunc: func(options v1.ListOptions) (watch.Interface, error) { + if tweakListOptions != nil { + tweakListOptions(&options) + } + return client.IDPV1alpha1().GitHubIdentityProviders(namespace).Watch(context.TODO(), options) + }, + }, + &idpv1alpha1.GitHubIdentityProvider{}, + resyncPeriod, + indexers, + ) +} + +func (f *gitHubIdentityProviderInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer { + return NewFilteredGitHubIdentityProviderInformer(client, f.namespace, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions) +} + +func (f *gitHubIdentityProviderInformer) Informer() cache.SharedIndexInformer { + return f.factory.InformerFor(&idpv1alpha1.GitHubIdentityProvider{}, f.defaultInformer) +} + +func (f *gitHubIdentityProviderInformer) Lister() v1alpha1.GitHubIdentityProviderLister { + return v1alpha1.NewGitHubIdentityProviderLister(f.Informer().GetIndexer()) +} diff --git a/generated/1.24/client/supervisor/informers/externalversions/idp/v1alpha1/interface.go b/generated/1.24/client/supervisor/informers/externalversions/idp/v1alpha1/interface.go index b7cf724a67..32df7ee819 100644 --- a/generated/1.24/client/supervisor/informers/externalversions/idp/v1alpha1/interface.go +++ b/generated/1.24/client/supervisor/informers/externalversions/idp/v1alpha1/interface.go @@ -13,6 +13,8 @@ import ( type Interface interface { // ActiveDirectoryIdentityProviders returns a ActiveDirectoryIdentityProviderInformer. ActiveDirectoryIdentityProviders() ActiveDirectoryIdentityProviderInformer + // GitHubIdentityProviders returns a GitHubIdentityProviderInformer. + GitHubIdentityProviders() GitHubIdentityProviderInformer // LDAPIdentityProviders returns a LDAPIdentityProviderInformer. LDAPIdentityProviders() LDAPIdentityProviderInformer // OIDCIdentityProviders returns a OIDCIdentityProviderInformer. @@ -35,6 +37,11 @@ func (v *version) ActiveDirectoryIdentityProviders() ActiveDirectoryIdentityProv return &activeDirectoryIdentityProviderInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions} } +// GitHubIdentityProviders returns a GitHubIdentityProviderInformer. +func (v *version) GitHubIdentityProviders() GitHubIdentityProviderInformer { + return &gitHubIdentityProviderInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions} +} + // LDAPIdentityProviders returns a LDAPIdentityProviderInformer. func (v *version) LDAPIdentityProviders() LDAPIdentityProviderInformer { return &lDAPIdentityProviderInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions} diff --git a/generated/1.24/client/supervisor/listers/idp/v1alpha1/expansion_generated.go b/generated/1.24/client/supervisor/listers/idp/v1alpha1/expansion_generated.go index b491a9e8d4..470c06abb0 100644 --- a/generated/1.24/client/supervisor/listers/idp/v1alpha1/expansion_generated.go +++ b/generated/1.24/client/supervisor/listers/idp/v1alpha1/expansion_generated.go @@ -13,6 +13,14 @@ type ActiveDirectoryIdentityProviderListerExpansion interface{} // ActiveDirectoryIdentityProviderNamespaceLister. type ActiveDirectoryIdentityProviderNamespaceListerExpansion interface{} +// GitHubIdentityProviderListerExpansion allows custom methods to be added to +// GitHubIdentityProviderLister. +type GitHubIdentityProviderListerExpansion interface{} + +// GitHubIdentityProviderNamespaceListerExpansion allows custom methods to be added to +// GitHubIdentityProviderNamespaceLister. +type GitHubIdentityProviderNamespaceListerExpansion interface{} + // LDAPIdentityProviderListerExpansion allows custom methods to be added to // LDAPIdentityProviderLister. type LDAPIdentityProviderListerExpansion interface{} diff --git a/generated/1.24/client/supervisor/listers/idp/v1alpha1/githubidentityprovider.go b/generated/1.24/client/supervisor/listers/idp/v1alpha1/githubidentityprovider.go new file mode 100644 index 0000000000..b1364368a9 --- /dev/null +++ b/generated/1.24/client/supervisor/listers/idp/v1alpha1/githubidentityprovider.go @@ -0,0 +1,86 @@ +// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by lister-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + v1alpha1 "go.pinniped.dev/generated/1.24/apis/supervisor/idp/v1alpha1" + "k8s.io/apimachinery/pkg/api/errors" + "k8s.io/apimachinery/pkg/labels" + "k8s.io/client-go/tools/cache" +) + +// GitHubIdentityProviderLister helps list GitHubIdentityProviders. +// All objects returned here must be treated as read-only. +type GitHubIdentityProviderLister interface { + // List lists all GitHubIdentityProviders in the indexer. + // Objects returned here must be treated as read-only. + List(selector labels.Selector) (ret []*v1alpha1.GitHubIdentityProvider, err error) + // GitHubIdentityProviders returns an object that can list and get GitHubIdentityProviders. + GitHubIdentityProviders(namespace string) GitHubIdentityProviderNamespaceLister + GitHubIdentityProviderListerExpansion +} + +// gitHubIdentityProviderLister implements the GitHubIdentityProviderLister interface. +type gitHubIdentityProviderLister struct { + indexer cache.Indexer +} + +// NewGitHubIdentityProviderLister returns a new GitHubIdentityProviderLister. +func NewGitHubIdentityProviderLister(indexer cache.Indexer) GitHubIdentityProviderLister { + return &gitHubIdentityProviderLister{indexer: indexer} +} + +// List lists all GitHubIdentityProviders in the indexer. +func (s *gitHubIdentityProviderLister) List(selector labels.Selector) (ret []*v1alpha1.GitHubIdentityProvider, err error) { + err = cache.ListAll(s.indexer, selector, func(m interface{}) { + ret = append(ret, m.(*v1alpha1.GitHubIdentityProvider)) + }) + return ret, err +} + +// GitHubIdentityProviders returns an object that can list and get GitHubIdentityProviders. +func (s *gitHubIdentityProviderLister) GitHubIdentityProviders(namespace string) GitHubIdentityProviderNamespaceLister { + return gitHubIdentityProviderNamespaceLister{indexer: s.indexer, namespace: namespace} +} + +// GitHubIdentityProviderNamespaceLister helps list and get GitHubIdentityProviders. +// All objects returned here must be treated as read-only. +type GitHubIdentityProviderNamespaceLister interface { + // List lists all GitHubIdentityProviders in the indexer for a given namespace. + // Objects returned here must be treated as read-only. + List(selector labels.Selector) (ret []*v1alpha1.GitHubIdentityProvider, err error) + // Get retrieves the GitHubIdentityProvider from the indexer for a given namespace and name. + // Objects returned here must be treated as read-only. + Get(name string) (*v1alpha1.GitHubIdentityProvider, error) + GitHubIdentityProviderNamespaceListerExpansion +} + +// gitHubIdentityProviderNamespaceLister implements the GitHubIdentityProviderNamespaceLister +// interface. +type gitHubIdentityProviderNamespaceLister struct { + indexer cache.Indexer + namespace string +} + +// List lists all GitHubIdentityProviders in the indexer for a given namespace. +func (s gitHubIdentityProviderNamespaceLister) List(selector labels.Selector) (ret []*v1alpha1.GitHubIdentityProvider, err error) { + err = cache.ListAllByNamespace(s.indexer, s.namespace, selector, func(m interface{}) { + ret = append(ret, m.(*v1alpha1.GitHubIdentityProvider)) + }) + return ret, err +} + +// Get retrieves the GitHubIdentityProvider from the indexer for a given namespace and name. +func (s gitHubIdentityProviderNamespaceLister) Get(name string) (*v1alpha1.GitHubIdentityProvider, error) { + obj, exists, err := s.indexer.GetByKey(s.namespace + "/" + name) + if err != nil { + return nil, err + } + if !exists { + return nil, errors.NewNotFound(v1alpha1.Resource("githubidentityprovider"), name) + } + return obj.(*v1alpha1.GitHubIdentityProvider), nil +} diff --git a/generated/1.24/crds/idp.supervisor.pinniped.dev_githubidentityproviders.yaml b/generated/1.24/crds/idp.supervisor.pinniped.dev_githubidentityproviders.yaml new file mode 100644 index 0000000000..d10a330731 --- /dev/null +++ b/generated/1.24/crds/idp.supervisor.pinniped.dev_githubidentityproviders.yaml @@ -0,0 +1,295 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.14.0 + name: githubidentityproviders.idp.supervisor.pinniped.dev +spec: + group: idp.supervisor.pinniped.dev + names: + categories: + - pinniped + - pinniped-idp + - pinniped-idps + kind: GitHubIdentityProvider + listKind: GitHubIdentityProviderList + plural: githubidentityproviders + singular: githubidentityprovider + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.gitHubAPI.host + name: Host + type: string + - jsonPath: .status.phase + name: Status + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: |- + GitHubIdentityProvider describes the configuration of an upstream GitHub identity provider. + This upstream provider can be configured with either a GitHub App or a GitHub OAuth2 App. + + + Right now, only web-based logins are supported, for both the pinniped-cli client and clients configured + as OIDCClients. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec for configuring the identity provider. + properties: + allowedOrganizations: + description: |- + AllowedOrganizations, when specified, indicates that only users with membership in at least one of the listed + GitHub organizations may log in. In addition, the group membership presented to Kubernetes will only include + teams within the listed GitHub organizations. Additional login rules or group filtering can optionally be + provided as policy expression on any Pinniped Supervisor FederationDomain that includes this IDP. + + + The configured GitHub App or GitHub OAuth App must be allowed to see membership in the listed organizations, + otherwise Pinniped will not be aware that the user belongs to the listed organization or any teams + within that organization. + + + If no organizations are listed, you must set gitHubOrganizationLoginPolicy: AllOrganizationsAllowed + items: + type: string + type: array + claims: + description: Claims allows customization of the username and groups + claims + properties: + groups: + default: slug + description: |- + Groups configures which property of the GitHub team record shall determine the group names in Kubernetes. + + + Can be either "name" or "slug". Defaults to "slug". + + + GitHub team names can contain upper and lower case characters, whitespace, and punctuation (e.g. "Kube admins!"). + + + GitHub team slugs are lower case alphanumeric characters and may contain dashes and underscores (e.g. "kube-admins"). + + + Group names as presented to Kubernetes will always be prefixed by the GitHub organization name followed by a + forward slash (e.g. "my-org/my-team"). GitHub organization login names can only contain alphanumeric characters + or single hyphens, so the first forward slash `/` will be the separator between the organization login name and + the team name or slug. + + + If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's + FederationDomain to further customize how these group names are presented to Kubernetes. + + + See the response schema for + [List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user). + enum: + - name + - slug + type: string + username: + default: login:id + description: |- + Username configures which property of the GitHub user record shall determine the username in Kubernetes. + + + Can be either "id", "login", or "login:id". Defaults to "login:id". + + + GitHub's user login attributes can only contain alphanumeric characters and non-repeating hyphens, + and may not start or end with hyphens. GitHub users are allowed to change their login name, + although it is inconvenient. If a GitHub user changed their login name from "foo" to "bar", + then a second user might change their name from "baz" to "foo" in order to take the old + username of the first user. For this reason, it is not as safe to make authorization decisions + based only on the user's login attribute. + + + If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's + FederationDomain to further customize how these usernames are presented to Kubernetes. + + + Defaults to "login:id", which is the user login attribute, followed by a colon, followed by the unique and + unchanging integer ID number attribute. This blends human-readable login names with the unchanging ID value + from GitHub. Note that colons are not allowed in GitHub login attributes or ID numbers, so the colon in the + "login:id" name will always be the login:id separator colon. + + + See the response schema for + [Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user). + enum: + - id + - login + - login:id + type: string + required: + - groups + - username + type: object + client: + description: Client identifies the secret with credentials for a GitHub + App or GitHub OAuth2 App (a GitHub client). + properties: + secretName: + description: |- + SecretName contains the name of a namespace-local Secret object that provides the clientID and + clientSecret for an GitHub App or GitHub OAuth2 client. + + + This secret must be of type "secrets.pinniped.dev/github-client" with keys "clientID" and "clientSecret". + type: string + required: + - secretName + type: object + gitHubAPI: + default: {} + description: GitHubApi allows configuration for GitHub Enterprise + Server + properties: + host: + default: github.com + description: |- + Host is required only for GitHub Enterprise Server. + Defaults to using GitHub's public API (github.com). + type: string + tls: + description: TLS configuration for GitHub Enterprise Server. + properties: + certificateAuthorityData: + description: X.509 Certificate Authority (base64-encoded PEM + bundle). If omitted, a default set of system roots will + be trusted. + type: string + type: object + type: object + gitHubOrganizationLoginPolicy: + default: AllowedOrganizationsOnly + description: |- + GitHubOrganizationLoginPolicy must be set to "AllOrganizationsAllowed" if allowedOrganizations is empty. + + + This field only exists to ensure that Pinniped administrators are aware that an empty list of + allowedOrganizations means all GitHub users are allowed to log in. + enum: + - AllowedOrganizationsOnly + - AllOrganizationsAllowed + type: string + required: + - client + type: object + status: + description: Status of the identity provider. + properties: + conditions: + description: Conditions represents the observations of an identity + provider's current state. + items: + description: "Condition contains details for one aspect of the current + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + phase: + default: Pending + description: Phase summarizes the overall status of the GitHubIdentityProvider. + enum: + - Pending + - Ready + - Error + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/generated/1.25/README.adoc b/generated/1.25/README.adoc index 0f44a75388..5b178a6d69 100644 --- a/generated/1.25/README.adoc +++ b/generated/1.25/README.adoc @@ -1366,6 +1366,199 @@ Status of an Active Directory identity provider. |=== +[id="{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githubapiconfig"] +==== GitHubAPIConfig + +GitHubAPIConfig allows configuration for GitHub Enterprise Server + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githubidentityproviderspec[$$GitHubIdentityProviderSpec$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`host`* __string__ | Host is required only for GitHub Enterprise Server. Defaults to using GitHub's public API (github.com). +| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-tlsspec[$$TLSSpec$$]__ | TLS configuration for GitHub Enterprise Server. +|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githubclaims"] +==== GitHubClaims + +GitHubClaims allows customization of the username and groups claims + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githubidentityproviderspec[$$GitHubIdentityProviderSpec$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`username`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githubusernameattribute[$$GitHubUsernameAttribute$$]__ | Username configures which property of the GitHub user record shall determine the username in Kubernetes. + + +Can be either "id", "login", or "login:id". Defaults to "login:id". + + +GitHub's user login attributes can only contain alphanumeric characters and non-repeating hyphens, and may not start or end with hyphens. GitHub users are allowed to change their login name, although it is inconvenient. If a GitHub user changed their login name from "foo" to "bar", then a second user might change their name from "baz" to "foo" in order to take the old username of the first user. For this reason, it is not as safe to make authorization decisions based only on the user's login attribute. + + +If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's FederationDomain to further customize how these usernames are presented to Kubernetes. + + +Defaults to "login:id", which is the user login attribute, followed by a colon, followed by the unique and unchanging integer ID number attribute. This blends human-readable login names with the unchanging ID value from GitHub. Note that colons are not allowed in GitHub login attributes or ID numbers, so the colon in the "login:id" name will always be the login:id separator colon. + + +See the response schema for [Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user). +| *`groups`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githubgroupnameattribute[$$GitHubGroupNameAttribute$$]__ | Groups configures which property of the GitHub team record shall determine the group names in Kubernetes. + + +Can be either "name" or "slug". Defaults to "slug". + + +GitHub team names can contain upper and lower case characters, whitespace, and punctuation (e.g. "Kube admins!"). + + +GitHub team slugs are lower case alphanumeric characters and may contain dashes and underscores (e.g. "kube-admins"). + + +Group names as presented to Kubernetes will always be prefixed by the GitHub organization name followed by a forward slash (e.g. "my-org/my-team"). GitHub organization login names can only contain alphanumeric characters or single hyphens, so the first forward slash `/` will be the separator between the organization login name and the team name or slug. + + +If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's FederationDomain to further customize how these group names are presented to Kubernetes. + + +See the response schema for [List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user). +|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githubclientspec"] +==== GitHubClientSpec + +GitHubClientSpec contains information about the GitHub client that this identity provider will use for web-based login flows. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githubidentityproviderspec[$$GitHubIdentityProviderSpec$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`secretName`* __string__ | SecretName contains the name of a namespace-local Secret object that provides the clientID and clientSecret for an GitHub App or GitHub OAuth2 client. + + +This secret must be of type "secrets.pinniped.dev/github-client" with keys "clientID" and "clientSecret". +|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githubgroupnameattribute"] +==== GitHubGroupNameAttribute (string) + +GitHubGroupNameAttribute allows the user to specify which attribute from GitHub to use for the downstream group names. See the response schema for [List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user). + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githubclaims[$$GitHubClaims$$] +**** + + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githubidentityprovider"] +==== GitHubIdentityProvider + +GitHubIdentityProvider describes the configuration of an upstream GitHub identity provider. This upstream provider can be configured with either a GitHub App or a GitHub OAuth2 App. + Right now, only web-based logins are supported, for both the pinniped-cli client and clients configured as OIDCClients. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githubidentityproviderlist[$$GitHubIdentityProviderList$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`. + +| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githubidentityproviderspec[$$GitHubIdentityProviderSpec$$]__ | Spec for configuring the identity provider. +| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githubidentityproviderstatus[$$GitHubIdentityProviderStatus$$]__ | Status of the identity provider. +|=== + + + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githubidentityproviderphase"] +==== GitHubIdentityProviderPhase (string) + + + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githubidentityproviderstatus[$$GitHubIdentityProviderStatus$$] +**** + + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githubidentityproviderspec"] +==== GitHubIdentityProviderSpec + +GitHubIdentityProviderSpec is the spec for configuring an GitHub identity provider. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githubidentityprovider[$$GitHubIdentityProvider$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`gitHubAPI`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githubapiconfig[$$GitHubAPIConfig$$]__ | GitHubApi allows configuration for GitHub Enterprise Server +| *`claims`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githubclaims[$$GitHubClaims$$]__ | Claims allows customization of the username and groups claims +| *`allowedOrganizations`* __string array__ | AllowedOrganizations, when specified, indicates that only users with membership in at least one of the listed GitHub organizations may log in. In addition, the group membership presented to Kubernetes will only include teams within the listed GitHub organizations. Additional login rules or group filtering can optionally be provided as policy expression on any Pinniped Supervisor FederationDomain that includes this IDP. + + +The configured GitHub App or GitHub OAuth App must be allowed to see membership in the listed organizations, otherwise Pinniped will not be aware that the user belongs to the listed organization or any teams within that organization. + + +If no organizations are listed, you must set gitHubOrganizationLoginPolicy: AllOrganizationsAllowed +| *`gitHubOrganizationLoginPolicy`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githuborganizationloginpolicy[$$GitHubOrganizationLoginPolicy$$]__ | GitHubOrganizationLoginPolicy must be set to "AllOrganizationsAllowed" if allowedOrganizations is empty. + + +This field only exists to ensure that Pinniped administrators are aware that an empty list of allowedOrganizations means all GitHub users are allowed to log in. +| *`client`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githubclientspec[$$GitHubClientSpec$$]__ | Client identifies the secret with credentials for a GitHub App or GitHub OAuth2 App (a GitHub client). +|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githubidentityproviderstatus"] +==== GitHubIdentityProviderStatus + +GitHubIdentityProviderStatus is the status of an GitHub identity provider. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githubidentityprovider[$$GitHubIdentityProvider$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`phase`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githubidentityproviderphase[$$GitHubIdentityProviderPhase$$]__ | Phase summarizes the overall status of the GitHubIdentityProvider. +| *`conditions`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#condition-v1-meta[$$Condition$$] array__ | Conditions represents the observations of an identity provider's current state. +|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githuborganizationloginpolicy"] +==== GitHubOrganizationLoginPolicy (string) + + + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githubidentityproviderspec[$$GitHubIdentityProviderSpec$$] +**** + + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githubusernameattribute"] +==== GitHubUsernameAttribute (string) + +GitHubUsernameAttribute allows the user to specify which attribute(s) from GitHub to use for the downstream username. See the response schema for [Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user). + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githubclaims[$$GitHubClaims$$] +**** + + + [id="{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-ldapidentityprovider"] ==== LDAPIdentityProvider @@ -1686,11 +1879,12 @@ Parameter is a key/value pair which represents a parameter in an HTTP request. [id="{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-tlsspec"] ==== TLSSpec -Configuration for TLS parameters related to identity provider integration. +TLSSpec provides TLS configuration for identity provider integration. .Appears In: **** - xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-activedirectoryidentityproviderspec[$$ActiveDirectoryIdentityProviderSpec$$] +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githubapiconfig[$$GitHubAPIConfig$$] - xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-ldapidentityproviderspec[$$LDAPIdentityProviderSpec$$] - xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-oidcidentityproviderspec[$$OIDCIdentityProviderSpec$$] **** diff --git a/generated/1.25/apis/supervisor/idp/v1alpha1/register.go b/generated/1.25/apis/supervisor/idp/v1alpha1/register.go index 8829a86385..705be8076c 100644 --- a/generated/1.25/apis/supervisor/idp/v1alpha1/register.go +++ b/generated/1.25/apis/supervisor/idp/v1alpha1/register.go @@ -1,4 +1,4 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 package v1alpha1 @@ -36,6 +36,8 @@ func addKnownTypes(scheme *runtime.Scheme) error { &LDAPIdentityProviderList{}, &ActiveDirectoryIdentityProvider{}, &ActiveDirectoryIdentityProviderList{}, + &GitHubIdentityProvider{}, + &GitHubIdentityProviderList{}, ) metav1.AddToGroupVersion(scheme, SchemeGroupVersion) return nil diff --git a/generated/1.25/apis/supervisor/idp/v1alpha1/types_githubidentityprovider.go b/generated/1.25/apis/supervisor/idp/v1alpha1/types_githubidentityprovider.go new file mode 100644 index 0000000000..92bd19724b --- /dev/null +++ b/generated/1.25/apis/supervisor/idp/v1alpha1/types_githubidentityprovider.go @@ -0,0 +1,231 @@ +// Copyright 2024 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +package v1alpha1 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" +) + +type GitHubIdentityProviderPhase string + +const ( + // GitHubPhasePending is the default phase for newly-created GitHubIdentityProvider resources. + GitHubPhasePending GitHubIdentityProviderPhase = "Pending" + + // GitHubPhaseReady is the phase for an GitHubIdentityProvider resource in a healthy state. + GitHubPhaseReady GitHubIdentityProviderPhase = "Ready" + + // GitHubPhaseError is the phase for an GitHubIdentityProvider in an unhealthy state. + GitHubPhaseError GitHubIdentityProviderPhase = "Error" +) + +type GitHubOrganizationLoginPolicy string + +const ( + // GitHubOrganizationLoginPolicyAllOrgsAllowed means any GitHub user is allowed to log in using this identity + // provider, regardless of their organization membership or lack thereof. + GitHubOrganizationLoginPolicyAllOrgsAllowed GitHubOrganizationLoginPolicy = "AllOrganizationsAllowed" + + // GitHubOrganizationLoginPolicyAllowedOrgsOnly means only those users with membership in the listed GitHub + // organizations are allowed to log in. + GitHubOrganizationLoginPolicyAllowedOrgsOnly GitHubOrganizationLoginPolicy = "AllowedOrganizationsOnly" +) + +// GitHubIdentityProviderStatus is the status of an GitHub identity provider. +type GitHubIdentityProviderStatus struct { + // Phase summarizes the overall status of the GitHubIdentityProvider. + // + // +kubebuilder:default=Pending + // +kubebuilder:validation:Enum=Pending;Ready;Error + Phase GitHubIdentityProviderPhase `json:"phase,omitempty"` + + // Conditions represents the observations of an identity provider's current state. + // + // +patchMergeKey=type + // +patchStrategy=merge + // +listType=map + // +listMapKey=type + Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"` +} + +// GitHubAPIConfig allows configuration for GitHub Enterprise Server +type GitHubAPIConfig struct { + // Host is required only for GitHub Enterprise Server. + // Defaults to using GitHub's public API (github.com). + // + // +kubebuilder:default="github.com" + // +optional + Host string `json:"host"` + + // TLS configuration for GitHub Enterprise Server. + // + // +optional + TLS *TLSSpec `json:"tls,omitempty"` +} + +// GitHubUsernameAttribute allows the user to specify which attribute(s) from GitHub to use for the downstream username. +// See the response schema for +// [Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user). +type GitHubUsernameAttribute string + +const ( + // GitHubUsernameID specifies using the `id` attribute from the GitHub user as the downstream username. + GitHubUsernameID GitHubUsernameAttribute = "id" + + // GitHubUsernameLogin specifies using the `login` attribute from the GitHub user as the downstream username. + GitHubUsernameLogin GitHubUsernameAttribute = "login" + + // GitHubUsernameLoginAndID specifies combining the `login` and `id` attributes from the GitHub user as the + // downstream username, separated by a colon. Example: "my-login:1234" + GitHubUsernameLoginAndID GitHubUsernameAttribute = "login:id" +) + +// GitHubGroupNameAttribute allows the user to specify which attribute from GitHub to use for the downstream group +// names. See the response schema for +// [List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user). +type GitHubGroupNameAttribute string + +const ( + // GitHubUseTeamNameForGrouypName specifies using the GitHub team's `name` attribute as the downstream group name. + GitHubUseTeamNameForGrouypName GitHubGroupNameAttribute = "name" + + // GitHubUseTeamSlugForGroupName specifies using the GitHub team's `slug` attribute as the downstream group name. + GitHubUseTeamSlugForGroupName GitHubGroupNameAttribute = "slug" +) + +// GitHubClaims allows customization of the username and groups claims +type GitHubClaims struct { + // Username configures which property of the GitHub user record shall determine the username in Kubernetes. + // + // Can be either "id", "login", or "login:id". Defaults to "login:id". + // + // GitHub's user login attributes can only contain alphanumeric characters and non-repeating hyphens, + // and may not start or end with hyphens. GitHub users are allowed to change their login name, + // although it is inconvenient. If a GitHub user changed their login name from "foo" to "bar", + // then a second user might change their name from "baz" to "foo" in order to take the old + // username of the first user. For this reason, it is not as safe to make authorization decisions + // based only on the user's login attribute. + // + // If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's + // FederationDomain to further customize how these usernames are presented to Kubernetes. + // + // Defaults to "login:id", which is the user login attribute, followed by a colon, followed by the unique and + // unchanging integer ID number attribute. This blends human-readable login names with the unchanging ID value + // from GitHub. Note that colons are not allowed in GitHub login attributes or ID numbers, so the colon in the + // "login:id" name will always be the login:id separator colon. + // + // See the response schema for + // [Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user). + // + // +kubebuilder:default="login:id" + // +kubebuilder:validation:Enum={"id","login","login:id"} + Username GitHubUsernameAttribute `json:"username"` + + // Groups configures which property of the GitHub team record shall determine the group names in Kubernetes. + // + // Can be either "name" or "slug". Defaults to "slug". + // + // GitHub team names can contain upper and lower case characters, whitespace, and punctuation (e.g. "Kube admins!"). + // + // GitHub team slugs are lower case alphanumeric characters and may contain dashes and underscores (e.g. "kube-admins"). + // + // Group names as presented to Kubernetes will always be prefixed by the GitHub organization name followed by a + // forward slash (e.g. "my-org/my-team"). GitHub organization login names can only contain alphanumeric characters + // or single hyphens, so the first forward slash `/` will be the separator between the organization login name and + // the team name or slug. + // + // If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's + // FederationDomain to further customize how these group names are presented to Kubernetes. + // + // See the response schema for + // [List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user). + // + // +kubebuilder:default=slug + // +kubebuilder:validation:Enum=name;slug + Groups GitHubGroupNameAttribute `json:"groups"` +} + +// GitHubClientSpec contains information about the GitHub client that this identity provider will use +// for web-based login flows. +type GitHubClientSpec struct { + // SecretName contains the name of a namespace-local Secret object that provides the clientID and + // clientSecret for an GitHub App or GitHub OAuth2 client. + // + // This secret must be of type "secrets.pinniped.dev/github-client" with keys "clientID" and "clientSecret". + SecretName string `json:"secretName"` +} + +// GitHubIdentityProviderSpec is the spec for configuring an GitHub identity provider. +type GitHubIdentityProviderSpec struct { + // GitHubApi allows configuration for GitHub Enterprise Server + // + // +kubebuilder:default={} + GitHubApi GitHubAPIConfig `json:"gitHubAPI,omitempty"` + + // Claims allows customization of the username and groups claims + // + // +optional + Claims GitHubClaims `json:"claims,omitempty"` + + // AllowedOrganizations, when specified, indicates that only users with membership in at least one of the listed + // GitHub organizations may log in. In addition, the group membership presented to Kubernetes will only include + // teams within the listed GitHub organizations. Additional login rules or group filtering can optionally be + // provided as policy expression on any Pinniped Supervisor FederationDomain that includes this IDP. + // + // The configured GitHub App or GitHub OAuth App must be allowed to see membership in the listed organizations, + // otherwise Pinniped will not be aware that the user belongs to the listed organization or any teams + // within that organization. + // + // If no organizations are listed, you must set gitHubOrganizationLoginPolicy: AllOrganizationsAllowed + // + // +optional + AllowedOrganizations []string `json:"allowedOrganizations,omitempty"` + + // GitHubOrganizationLoginPolicy must be set to "AllOrganizationsAllowed" if allowedOrganizations is empty. + // + // This field only exists to ensure that Pinniped administrators are aware that an empty list of + // allowedOrganizations means all GitHub users are allowed to log in. + // + // +kubebuilder:default=AllowedOrganizationsOnly + // +kubebuilder:validation:Enum=AllowedOrganizationsOnly;AllOrganizationsAllowed + // +optional + GitHubOrganizationLoginPolicy GitHubOrganizationLoginPolicy `json:"gitHubOrganizationLoginPolicy"` + + // Client identifies the secret with credentials for a GitHub App or GitHub OAuth2 App (a GitHub client). + Client GitHubClientSpec `json:"client"` +} + +// GitHubIdentityProvider describes the configuration of an upstream GitHub identity provider. +// This upstream provider can be configured with either a GitHub App or a GitHub OAuth2 App. +// +// Right now, only web-based logins are supported, for both the pinniped-cli client and clients configured +// as OIDCClients. +// +// +genclient +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +// +kubebuilder:resource:categories=pinniped;pinniped-idp;pinniped-idps +// +kubebuilder:printcolumn:name="Host",type=string,JSONPath=`.spec.gitHubAPI.host` +// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.phase` +// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp` +// +kubebuilder:subresource:status +type GitHubIdentityProvider struct { + metav1.TypeMeta `json:",inline"` + metav1.ObjectMeta `json:"metadata,omitempty"` + + // Spec for configuring the identity provider. + Spec GitHubIdentityProviderSpec `json:"spec"` + + // Status of the identity provider. + Status GitHubIdentityProviderStatus `json:"status,omitempty"` +} + +// GitHubIdentityProviderList lists GitHubIdentityProvider objects. +// +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +type GitHubIdentityProviderList struct { + metav1.TypeMeta `json:",inline"` + metav1.ListMeta `json:"metadata,omitempty"` + + Items []GitHubIdentityProvider `json:"items"` +} diff --git a/generated/1.25/apis/supervisor/idp/v1alpha1/types_tls.go b/generated/1.25/apis/supervisor/idp/v1alpha1/types_tls.go index 1413a262cc..49b49373cd 100644 --- a/generated/1.25/apis/supervisor/idp/v1alpha1/types_tls.go +++ b/generated/1.25/apis/supervisor/idp/v1alpha1/types_tls.go @@ -1,9 +1,9 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 package v1alpha1 -// Configuration for TLS parameters related to identity provider integration. +// TLSSpec provides TLS configuration for identity provider integration. type TLSSpec struct { // X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted. // +optional diff --git a/generated/1.25/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go b/generated/1.25/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go index b0cb168b54..724643e7c2 100644 --- a/generated/1.25/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go +++ b/generated/1.25/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go @@ -203,6 +203,167 @@ func (in *ActiveDirectoryIdentityProviderUserSearchAttributes) DeepCopy() *Activ return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *GitHubAPIConfig) DeepCopyInto(out *GitHubAPIConfig) { + *out = *in + if in.TLS != nil { + in, out := &in.TLS, &out.TLS + *out = new(TLSSpec) + **out = **in + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubAPIConfig. +func (in *GitHubAPIConfig) DeepCopy() *GitHubAPIConfig { + if in == nil { + return nil + } + out := new(GitHubAPIConfig) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *GitHubClaims) DeepCopyInto(out *GitHubClaims) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubClaims. +func (in *GitHubClaims) DeepCopy() *GitHubClaims { + if in == nil { + return nil + } + out := new(GitHubClaims) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *GitHubClientSpec) DeepCopyInto(out *GitHubClientSpec) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubClientSpec. +func (in *GitHubClientSpec) DeepCopy() *GitHubClientSpec { + if in == nil { + return nil + } + out := new(GitHubClientSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *GitHubIdentityProvider) DeepCopyInto(out *GitHubIdentityProvider) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + in.Spec.DeepCopyInto(&out.Spec) + in.Status.DeepCopyInto(&out.Status) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubIdentityProvider. +func (in *GitHubIdentityProvider) DeepCopy() *GitHubIdentityProvider { + if in == nil { + return nil + } + out := new(GitHubIdentityProvider) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *GitHubIdentityProvider) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *GitHubIdentityProviderList) DeepCopyInto(out *GitHubIdentityProviderList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]GitHubIdentityProvider, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubIdentityProviderList. +func (in *GitHubIdentityProviderList) DeepCopy() *GitHubIdentityProviderList { + if in == nil { + return nil + } + out := new(GitHubIdentityProviderList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *GitHubIdentityProviderList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *GitHubIdentityProviderSpec) DeepCopyInto(out *GitHubIdentityProviderSpec) { + *out = *in + in.GitHubApi.DeepCopyInto(&out.GitHubApi) + out.Claims = in.Claims + if in.AllowedOrganizations != nil { + in, out := &in.AllowedOrganizations, &out.AllowedOrganizations + *out = make([]string, len(*in)) + copy(*out, *in) + } + out.Client = in.Client + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubIdentityProviderSpec. +func (in *GitHubIdentityProviderSpec) DeepCopy() *GitHubIdentityProviderSpec { + if in == nil { + return nil + } + out := new(GitHubIdentityProviderSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *GitHubIdentityProviderStatus) DeepCopyInto(out *GitHubIdentityProviderStatus) { + *out = *in + if in.Conditions != nil { + in, out := &in.Conditions, &out.Conditions + *out = make([]v1.Condition, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubIdentityProviderStatus. +func (in *GitHubIdentityProviderStatus) DeepCopy() *GitHubIdentityProviderStatus { + if in == nil { + return nil + } + out := new(GitHubIdentityProviderStatus) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *LDAPIdentityProvider) DeepCopyInto(out *LDAPIdentityProvider) { *out = *in diff --git a/generated/1.25/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_githubidentityprovider.go b/generated/1.25/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_githubidentityprovider.go new file mode 100644 index 0000000000..45c58d6c99 --- /dev/null +++ b/generated/1.25/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_githubidentityprovider.go @@ -0,0 +1,129 @@ +// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package fake + +import ( + "context" + + v1alpha1 "go.pinniped.dev/generated/1.25/apis/supervisor/idp/v1alpha1" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + labels "k8s.io/apimachinery/pkg/labels" + schema "k8s.io/apimachinery/pkg/runtime/schema" + types "k8s.io/apimachinery/pkg/types" + watch "k8s.io/apimachinery/pkg/watch" + testing "k8s.io/client-go/testing" +) + +// FakeGitHubIdentityProviders implements GitHubIdentityProviderInterface +type FakeGitHubIdentityProviders struct { + Fake *FakeIDPV1alpha1 + ns string +} + +var githubidentityprovidersResource = schema.GroupVersionResource{Group: "idp.supervisor.pinniped.dev", Version: "v1alpha1", Resource: "githubidentityproviders"} + +var githubidentityprovidersKind = schema.GroupVersionKind{Group: "idp.supervisor.pinniped.dev", Version: "v1alpha1", Kind: "GitHubIdentityProvider"} + +// Get takes name of the gitHubIdentityProvider, and returns the corresponding gitHubIdentityProvider object, and an error if there is any. +func (c *FakeGitHubIdentityProviders) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.GitHubIdentityProvider, err error) { + obj, err := c.Fake. + Invokes(testing.NewGetAction(githubidentityprovidersResource, c.ns, name), &v1alpha1.GitHubIdentityProvider{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.GitHubIdentityProvider), err +} + +// List takes label and field selectors, and returns the list of GitHubIdentityProviders that match those selectors. +func (c *FakeGitHubIdentityProviders) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.GitHubIdentityProviderList, err error) { + obj, err := c.Fake. + Invokes(testing.NewListAction(githubidentityprovidersResource, githubidentityprovidersKind, c.ns, opts), &v1alpha1.GitHubIdentityProviderList{}) + + if obj == nil { + return nil, err + } + + label, _, _ := testing.ExtractFromListOptions(opts) + if label == nil { + label = labels.Everything() + } + list := &v1alpha1.GitHubIdentityProviderList{ListMeta: obj.(*v1alpha1.GitHubIdentityProviderList).ListMeta} + for _, item := range obj.(*v1alpha1.GitHubIdentityProviderList).Items { + if label.Matches(labels.Set(item.Labels)) { + list.Items = append(list.Items, item) + } + } + return list, err +} + +// Watch returns a watch.Interface that watches the requested gitHubIdentityProviders. +func (c *FakeGitHubIdentityProviders) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) { + return c.Fake. + InvokesWatch(testing.NewWatchAction(githubidentityprovidersResource, c.ns, opts)) + +} + +// Create takes the representation of a gitHubIdentityProvider and creates it. Returns the server's representation of the gitHubIdentityProvider, and an error, if there is any. +func (c *FakeGitHubIdentityProviders) Create(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.CreateOptions) (result *v1alpha1.GitHubIdentityProvider, err error) { + obj, err := c.Fake. + Invokes(testing.NewCreateAction(githubidentityprovidersResource, c.ns, gitHubIdentityProvider), &v1alpha1.GitHubIdentityProvider{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.GitHubIdentityProvider), err +} + +// Update takes the representation of a gitHubIdentityProvider and updates it. Returns the server's representation of the gitHubIdentityProvider, and an error, if there is any. +func (c *FakeGitHubIdentityProviders) Update(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.UpdateOptions) (result *v1alpha1.GitHubIdentityProvider, err error) { + obj, err := c.Fake. + Invokes(testing.NewUpdateAction(githubidentityprovidersResource, c.ns, gitHubIdentityProvider), &v1alpha1.GitHubIdentityProvider{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.GitHubIdentityProvider), err +} + +// UpdateStatus was generated because the type contains a Status member. +// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus(). +func (c *FakeGitHubIdentityProviders) UpdateStatus(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.UpdateOptions) (*v1alpha1.GitHubIdentityProvider, error) { + obj, err := c.Fake. + Invokes(testing.NewUpdateSubresourceAction(githubidentityprovidersResource, "status", c.ns, gitHubIdentityProvider), &v1alpha1.GitHubIdentityProvider{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.GitHubIdentityProvider), err +} + +// Delete takes name of the gitHubIdentityProvider and deletes it. Returns an error if one occurs. +func (c *FakeGitHubIdentityProviders) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error { + _, err := c.Fake. + Invokes(testing.NewDeleteActionWithOptions(githubidentityprovidersResource, c.ns, name, opts), &v1alpha1.GitHubIdentityProvider{}) + + return err +} + +// DeleteCollection deletes a collection of objects. +func (c *FakeGitHubIdentityProviders) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error { + action := testing.NewDeleteCollectionAction(githubidentityprovidersResource, c.ns, listOpts) + + _, err := c.Fake.Invokes(action, &v1alpha1.GitHubIdentityProviderList{}) + return err +} + +// Patch applies the patch and returns the patched gitHubIdentityProvider. +func (c *FakeGitHubIdentityProviders) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.GitHubIdentityProvider, err error) { + obj, err := c.Fake. + Invokes(testing.NewPatchSubresourceAction(githubidentityprovidersResource, c.ns, name, pt, data, subresources...), &v1alpha1.GitHubIdentityProvider{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.GitHubIdentityProvider), err +} diff --git a/generated/1.25/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_idp_client.go b/generated/1.25/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_idp_client.go index 0f1478ec27..b24e48b6b4 100644 --- a/generated/1.25/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_idp_client.go +++ b/generated/1.25/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_idp_client.go @@ -19,6 +19,10 @@ func (c *FakeIDPV1alpha1) ActiveDirectoryIdentityProviders(namespace string) v1a return &FakeActiveDirectoryIdentityProviders{c, namespace} } +func (c *FakeIDPV1alpha1) GitHubIdentityProviders(namespace string) v1alpha1.GitHubIdentityProviderInterface { + return &FakeGitHubIdentityProviders{c, namespace} +} + func (c *FakeIDPV1alpha1) LDAPIdentityProviders(namespace string) v1alpha1.LDAPIdentityProviderInterface { return &FakeLDAPIdentityProviders{c, namespace} } diff --git a/generated/1.25/client/supervisor/clientset/versioned/typed/idp/v1alpha1/generated_expansion.go b/generated/1.25/client/supervisor/clientset/versioned/typed/idp/v1alpha1/generated_expansion.go index 79be098d6c..a7acc8120f 100644 --- a/generated/1.25/client/supervisor/clientset/versioned/typed/idp/v1alpha1/generated_expansion.go +++ b/generated/1.25/client/supervisor/clientset/versioned/typed/idp/v1alpha1/generated_expansion.go @@ -7,6 +7,8 @@ package v1alpha1 type ActiveDirectoryIdentityProviderExpansion interface{} +type GitHubIdentityProviderExpansion interface{} + type LDAPIdentityProviderExpansion interface{} type OIDCIdentityProviderExpansion interface{} diff --git a/generated/1.25/client/supervisor/clientset/versioned/typed/idp/v1alpha1/githubidentityprovider.go b/generated/1.25/client/supervisor/clientset/versioned/typed/idp/v1alpha1/githubidentityprovider.go new file mode 100644 index 0000000000..38f338582d --- /dev/null +++ b/generated/1.25/client/supervisor/clientset/versioned/typed/idp/v1alpha1/githubidentityprovider.go @@ -0,0 +1,182 @@ +// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + "context" + "time" + + v1alpha1 "go.pinniped.dev/generated/1.25/apis/supervisor/idp/v1alpha1" + scheme "go.pinniped.dev/generated/1.25/client/supervisor/clientset/versioned/scheme" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + types "k8s.io/apimachinery/pkg/types" + watch "k8s.io/apimachinery/pkg/watch" + rest "k8s.io/client-go/rest" +) + +// GitHubIdentityProvidersGetter has a method to return a GitHubIdentityProviderInterface. +// A group's client should implement this interface. +type GitHubIdentityProvidersGetter interface { + GitHubIdentityProviders(namespace string) GitHubIdentityProviderInterface +} + +// GitHubIdentityProviderInterface has methods to work with GitHubIdentityProvider resources. +type GitHubIdentityProviderInterface interface { + Create(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.CreateOptions) (*v1alpha1.GitHubIdentityProvider, error) + Update(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.UpdateOptions) (*v1alpha1.GitHubIdentityProvider, error) + UpdateStatus(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.UpdateOptions) (*v1alpha1.GitHubIdentityProvider, error) + Delete(ctx context.Context, name string, opts v1.DeleteOptions) error + DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error + Get(ctx context.Context, name string, opts v1.GetOptions) (*v1alpha1.GitHubIdentityProvider, error) + List(ctx context.Context, opts v1.ListOptions) (*v1alpha1.GitHubIdentityProviderList, error) + Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) + Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.GitHubIdentityProvider, err error) + GitHubIdentityProviderExpansion +} + +// gitHubIdentityProviders implements GitHubIdentityProviderInterface +type gitHubIdentityProviders struct { + client rest.Interface + ns string +} + +// newGitHubIdentityProviders returns a GitHubIdentityProviders +func newGitHubIdentityProviders(c *IDPV1alpha1Client, namespace string) *gitHubIdentityProviders { + return &gitHubIdentityProviders{ + client: c.RESTClient(), + ns: namespace, + } +} + +// Get takes name of the gitHubIdentityProvider, and returns the corresponding gitHubIdentityProvider object, and an error if there is any. +func (c *gitHubIdentityProviders) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.GitHubIdentityProvider, err error) { + result = &v1alpha1.GitHubIdentityProvider{} + err = c.client.Get(). + Namespace(c.ns). + Resource("githubidentityproviders"). + Name(name). + VersionedParams(&options, scheme.ParameterCodec). + Do(ctx). + Into(result) + return +} + +// List takes label and field selectors, and returns the list of GitHubIdentityProviders that match those selectors. +func (c *gitHubIdentityProviders) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.GitHubIdentityProviderList, err error) { + var timeout time.Duration + if opts.TimeoutSeconds != nil { + timeout = time.Duration(*opts.TimeoutSeconds) * time.Second + } + result = &v1alpha1.GitHubIdentityProviderList{} + err = c.client.Get(). + Namespace(c.ns). + Resource("githubidentityproviders"). + VersionedParams(&opts, scheme.ParameterCodec). + Timeout(timeout). + Do(ctx). + Into(result) + return +} + +// Watch returns a watch.Interface that watches the requested gitHubIdentityProviders. +func (c *gitHubIdentityProviders) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) { + var timeout time.Duration + if opts.TimeoutSeconds != nil { + timeout = time.Duration(*opts.TimeoutSeconds) * time.Second + } + opts.Watch = true + return c.client.Get(). + Namespace(c.ns). + Resource("githubidentityproviders"). + VersionedParams(&opts, scheme.ParameterCodec). + Timeout(timeout). + Watch(ctx) +} + +// Create takes the representation of a gitHubIdentityProvider and creates it. Returns the server's representation of the gitHubIdentityProvider, and an error, if there is any. +func (c *gitHubIdentityProviders) Create(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.CreateOptions) (result *v1alpha1.GitHubIdentityProvider, err error) { + result = &v1alpha1.GitHubIdentityProvider{} + err = c.client.Post(). + Namespace(c.ns). + Resource("githubidentityproviders"). + VersionedParams(&opts, scheme.ParameterCodec). + Body(gitHubIdentityProvider). + Do(ctx). + Into(result) + return +} + +// Update takes the representation of a gitHubIdentityProvider and updates it. Returns the server's representation of the gitHubIdentityProvider, and an error, if there is any. +func (c *gitHubIdentityProviders) Update(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.UpdateOptions) (result *v1alpha1.GitHubIdentityProvider, err error) { + result = &v1alpha1.GitHubIdentityProvider{} + err = c.client.Put(). + Namespace(c.ns). + Resource("githubidentityproviders"). + Name(gitHubIdentityProvider.Name). + VersionedParams(&opts, scheme.ParameterCodec). + Body(gitHubIdentityProvider). + Do(ctx). + Into(result) + return +} + +// UpdateStatus was generated because the type contains a Status member. +// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus(). +func (c *gitHubIdentityProviders) UpdateStatus(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.UpdateOptions) (result *v1alpha1.GitHubIdentityProvider, err error) { + result = &v1alpha1.GitHubIdentityProvider{} + err = c.client.Put(). + Namespace(c.ns). + Resource("githubidentityproviders"). + Name(gitHubIdentityProvider.Name). + SubResource("status"). + VersionedParams(&opts, scheme.ParameterCodec). + Body(gitHubIdentityProvider). + Do(ctx). + Into(result) + return +} + +// Delete takes name of the gitHubIdentityProvider and deletes it. Returns an error if one occurs. +func (c *gitHubIdentityProviders) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error { + return c.client.Delete(). + Namespace(c.ns). + Resource("githubidentityproviders"). + Name(name). + Body(&opts). + Do(ctx). + Error() +} + +// DeleteCollection deletes a collection of objects. +func (c *gitHubIdentityProviders) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error { + var timeout time.Duration + if listOpts.TimeoutSeconds != nil { + timeout = time.Duration(*listOpts.TimeoutSeconds) * time.Second + } + return c.client.Delete(). + Namespace(c.ns). + Resource("githubidentityproviders"). + VersionedParams(&listOpts, scheme.ParameterCodec). + Timeout(timeout). + Body(&opts). + Do(ctx). + Error() +} + +// Patch applies the patch and returns the patched gitHubIdentityProvider. +func (c *gitHubIdentityProviders) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.GitHubIdentityProvider, err error) { + result = &v1alpha1.GitHubIdentityProvider{} + err = c.client.Patch(pt). + Namespace(c.ns). + Resource("githubidentityproviders"). + Name(name). + SubResource(subresources...). + VersionedParams(&opts, scheme.ParameterCodec). + Body(data). + Do(ctx). + Into(result) + return +} diff --git a/generated/1.25/client/supervisor/clientset/versioned/typed/idp/v1alpha1/idp_client.go b/generated/1.25/client/supervisor/clientset/versioned/typed/idp/v1alpha1/idp_client.go index 0b5b9aa4b3..2ac25cfa4f 100644 --- a/generated/1.25/client/supervisor/clientset/versioned/typed/idp/v1alpha1/idp_client.go +++ b/generated/1.25/client/supervisor/clientset/versioned/typed/idp/v1alpha1/idp_client.go @@ -16,6 +16,7 @@ import ( type IDPV1alpha1Interface interface { RESTClient() rest.Interface ActiveDirectoryIdentityProvidersGetter + GitHubIdentityProvidersGetter LDAPIdentityProvidersGetter OIDCIdentityProvidersGetter } @@ -29,6 +30,10 @@ func (c *IDPV1alpha1Client) ActiveDirectoryIdentityProviders(namespace string) A return newActiveDirectoryIdentityProviders(c, namespace) } +func (c *IDPV1alpha1Client) GitHubIdentityProviders(namespace string) GitHubIdentityProviderInterface { + return newGitHubIdentityProviders(c, namespace) +} + func (c *IDPV1alpha1Client) LDAPIdentityProviders(namespace string) LDAPIdentityProviderInterface { return newLDAPIdentityProviders(c, namespace) } diff --git a/generated/1.25/client/supervisor/informers/externalversions/generic.go b/generated/1.25/client/supervisor/informers/externalversions/generic.go index 0fed0e6a53..3f465b9495 100644 --- a/generated/1.25/client/supervisor/informers/externalversions/generic.go +++ b/generated/1.25/client/supervisor/informers/externalversions/generic.go @@ -49,6 +49,8 @@ func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource // Group=idp.supervisor.pinniped.dev, Version=v1alpha1 case idpv1alpha1.SchemeGroupVersion.WithResource("activedirectoryidentityproviders"): return &genericInformer{resource: resource.GroupResource(), informer: f.IDP().V1alpha1().ActiveDirectoryIdentityProviders().Informer()}, nil + case idpv1alpha1.SchemeGroupVersion.WithResource("githubidentityproviders"): + return &genericInformer{resource: resource.GroupResource(), informer: f.IDP().V1alpha1().GitHubIdentityProviders().Informer()}, nil case idpv1alpha1.SchemeGroupVersion.WithResource("ldapidentityproviders"): return &genericInformer{resource: resource.GroupResource(), informer: f.IDP().V1alpha1().LDAPIdentityProviders().Informer()}, nil case idpv1alpha1.SchemeGroupVersion.WithResource("oidcidentityproviders"): diff --git a/generated/1.25/client/supervisor/informers/externalversions/idp/v1alpha1/githubidentityprovider.go b/generated/1.25/client/supervisor/informers/externalversions/idp/v1alpha1/githubidentityprovider.go new file mode 100644 index 0000000000..68089ae74b --- /dev/null +++ b/generated/1.25/client/supervisor/informers/externalversions/idp/v1alpha1/githubidentityprovider.go @@ -0,0 +1,77 @@ +// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by informer-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + "context" + time "time" + + idpv1alpha1 "go.pinniped.dev/generated/1.25/apis/supervisor/idp/v1alpha1" + versioned "go.pinniped.dev/generated/1.25/client/supervisor/clientset/versioned" + internalinterfaces "go.pinniped.dev/generated/1.25/client/supervisor/informers/externalversions/internalinterfaces" + v1alpha1 "go.pinniped.dev/generated/1.25/client/supervisor/listers/idp/v1alpha1" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + runtime "k8s.io/apimachinery/pkg/runtime" + watch "k8s.io/apimachinery/pkg/watch" + cache "k8s.io/client-go/tools/cache" +) + +// GitHubIdentityProviderInformer provides access to a shared informer and lister for +// GitHubIdentityProviders. +type GitHubIdentityProviderInformer interface { + Informer() cache.SharedIndexInformer + Lister() v1alpha1.GitHubIdentityProviderLister +} + +type gitHubIdentityProviderInformer struct { + factory internalinterfaces.SharedInformerFactory + tweakListOptions internalinterfaces.TweakListOptionsFunc + namespace string +} + +// NewGitHubIdentityProviderInformer constructs a new informer for GitHubIdentityProvider type. +// Always prefer using an informer factory to get a shared informer instead of getting an independent +// one. This reduces memory footprint and number of connections to the server. +func NewGitHubIdentityProviderInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer { + return NewFilteredGitHubIdentityProviderInformer(client, namespace, resyncPeriod, indexers, nil) +} + +// NewFilteredGitHubIdentityProviderInformer constructs a new informer for GitHubIdentityProvider type. +// Always prefer using an informer factory to get a shared informer instead of getting an independent +// one. This reduces memory footprint and number of connections to the server. +func NewFilteredGitHubIdentityProviderInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer { + return cache.NewSharedIndexInformer( + &cache.ListWatch{ + ListFunc: func(options v1.ListOptions) (runtime.Object, error) { + if tweakListOptions != nil { + tweakListOptions(&options) + } + return client.IDPV1alpha1().GitHubIdentityProviders(namespace).List(context.TODO(), options) + }, + WatchFunc: func(options v1.ListOptions) (watch.Interface, error) { + if tweakListOptions != nil { + tweakListOptions(&options) + } + return client.IDPV1alpha1().GitHubIdentityProviders(namespace).Watch(context.TODO(), options) + }, + }, + &idpv1alpha1.GitHubIdentityProvider{}, + resyncPeriod, + indexers, + ) +} + +func (f *gitHubIdentityProviderInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer { + return NewFilteredGitHubIdentityProviderInformer(client, f.namespace, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions) +} + +func (f *gitHubIdentityProviderInformer) Informer() cache.SharedIndexInformer { + return f.factory.InformerFor(&idpv1alpha1.GitHubIdentityProvider{}, f.defaultInformer) +} + +func (f *gitHubIdentityProviderInformer) Lister() v1alpha1.GitHubIdentityProviderLister { + return v1alpha1.NewGitHubIdentityProviderLister(f.Informer().GetIndexer()) +} diff --git a/generated/1.25/client/supervisor/informers/externalversions/idp/v1alpha1/interface.go b/generated/1.25/client/supervisor/informers/externalversions/idp/v1alpha1/interface.go index 61c46ea002..f25b7995f3 100644 --- a/generated/1.25/client/supervisor/informers/externalversions/idp/v1alpha1/interface.go +++ b/generated/1.25/client/supervisor/informers/externalversions/idp/v1alpha1/interface.go @@ -13,6 +13,8 @@ import ( type Interface interface { // ActiveDirectoryIdentityProviders returns a ActiveDirectoryIdentityProviderInformer. ActiveDirectoryIdentityProviders() ActiveDirectoryIdentityProviderInformer + // GitHubIdentityProviders returns a GitHubIdentityProviderInformer. + GitHubIdentityProviders() GitHubIdentityProviderInformer // LDAPIdentityProviders returns a LDAPIdentityProviderInformer. LDAPIdentityProviders() LDAPIdentityProviderInformer // OIDCIdentityProviders returns a OIDCIdentityProviderInformer. @@ -35,6 +37,11 @@ func (v *version) ActiveDirectoryIdentityProviders() ActiveDirectoryIdentityProv return &activeDirectoryIdentityProviderInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions} } +// GitHubIdentityProviders returns a GitHubIdentityProviderInformer. +func (v *version) GitHubIdentityProviders() GitHubIdentityProviderInformer { + return &gitHubIdentityProviderInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions} +} + // LDAPIdentityProviders returns a LDAPIdentityProviderInformer. func (v *version) LDAPIdentityProviders() LDAPIdentityProviderInformer { return &lDAPIdentityProviderInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions} diff --git a/generated/1.25/client/supervisor/listers/idp/v1alpha1/expansion_generated.go b/generated/1.25/client/supervisor/listers/idp/v1alpha1/expansion_generated.go index b491a9e8d4..470c06abb0 100644 --- a/generated/1.25/client/supervisor/listers/idp/v1alpha1/expansion_generated.go +++ b/generated/1.25/client/supervisor/listers/idp/v1alpha1/expansion_generated.go @@ -13,6 +13,14 @@ type ActiveDirectoryIdentityProviderListerExpansion interface{} // ActiveDirectoryIdentityProviderNamespaceLister. type ActiveDirectoryIdentityProviderNamespaceListerExpansion interface{} +// GitHubIdentityProviderListerExpansion allows custom methods to be added to +// GitHubIdentityProviderLister. +type GitHubIdentityProviderListerExpansion interface{} + +// GitHubIdentityProviderNamespaceListerExpansion allows custom methods to be added to +// GitHubIdentityProviderNamespaceLister. +type GitHubIdentityProviderNamespaceListerExpansion interface{} + // LDAPIdentityProviderListerExpansion allows custom methods to be added to // LDAPIdentityProviderLister. type LDAPIdentityProviderListerExpansion interface{} diff --git a/generated/1.25/client/supervisor/listers/idp/v1alpha1/githubidentityprovider.go b/generated/1.25/client/supervisor/listers/idp/v1alpha1/githubidentityprovider.go new file mode 100644 index 0000000000..080cc47436 --- /dev/null +++ b/generated/1.25/client/supervisor/listers/idp/v1alpha1/githubidentityprovider.go @@ -0,0 +1,86 @@ +// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by lister-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + v1alpha1 "go.pinniped.dev/generated/1.25/apis/supervisor/idp/v1alpha1" + "k8s.io/apimachinery/pkg/api/errors" + "k8s.io/apimachinery/pkg/labels" + "k8s.io/client-go/tools/cache" +) + +// GitHubIdentityProviderLister helps list GitHubIdentityProviders. +// All objects returned here must be treated as read-only. +type GitHubIdentityProviderLister interface { + // List lists all GitHubIdentityProviders in the indexer. + // Objects returned here must be treated as read-only. + List(selector labels.Selector) (ret []*v1alpha1.GitHubIdentityProvider, err error) + // GitHubIdentityProviders returns an object that can list and get GitHubIdentityProviders. + GitHubIdentityProviders(namespace string) GitHubIdentityProviderNamespaceLister + GitHubIdentityProviderListerExpansion +} + +// gitHubIdentityProviderLister implements the GitHubIdentityProviderLister interface. +type gitHubIdentityProviderLister struct { + indexer cache.Indexer +} + +// NewGitHubIdentityProviderLister returns a new GitHubIdentityProviderLister. +func NewGitHubIdentityProviderLister(indexer cache.Indexer) GitHubIdentityProviderLister { + return &gitHubIdentityProviderLister{indexer: indexer} +} + +// List lists all GitHubIdentityProviders in the indexer. +func (s *gitHubIdentityProviderLister) List(selector labels.Selector) (ret []*v1alpha1.GitHubIdentityProvider, err error) { + err = cache.ListAll(s.indexer, selector, func(m interface{}) { + ret = append(ret, m.(*v1alpha1.GitHubIdentityProvider)) + }) + return ret, err +} + +// GitHubIdentityProviders returns an object that can list and get GitHubIdentityProviders. +func (s *gitHubIdentityProviderLister) GitHubIdentityProviders(namespace string) GitHubIdentityProviderNamespaceLister { + return gitHubIdentityProviderNamespaceLister{indexer: s.indexer, namespace: namespace} +} + +// GitHubIdentityProviderNamespaceLister helps list and get GitHubIdentityProviders. +// All objects returned here must be treated as read-only. +type GitHubIdentityProviderNamespaceLister interface { + // List lists all GitHubIdentityProviders in the indexer for a given namespace. + // Objects returned here must be treated as read-only. + List(selector labels.Selector) (ret []*v1alpha1.GitHubIdentityProvider, err error) + // Get retrieves the GitHubIdentityProvider from the indexer for a given namespace and name. + // Objects returned here must be treated as read-only. + Get(name string) (*v1alpha1.GitHubIdentityProvider, error) + GitHubIdentityProviderNamespaceListerExpansion +} + +// gitHubIdentityProviderNamespaceLister implements the GitHubIdentityProviderNamespaceLister +// interface. +type gitHubIdentityProviderNamespaceLister struct { + indexer cache.Indexer + namespace string +} + +// List lists all GitHubIdentityProviders in the indexer for a given namespace. +func (s gitHubIdentityProviderNamespaceLister) List(selector labels.Selector) (ret []*v1alpha1.GitHubIdentityProvider, err error) { + err = cache.ListAllByNamespace(s.indexer, s.namespace, selector, func(m interface{}) { + ret = append(ret, m.(*v1alpha1.GitHubIdentityProvider)) + }) + return ret, err +} + +// Get retrieves the GitHubIdentityProvider from the indexer for a given namespace and name. +func (s gitHubIdentityProviderNamespaceLister) Get(name string) (*v1alpha1.GitHubIdentityProvider, error) { + obj, exists, err := s.indexer.GetByKey(s.namespace + "/" + name) + if err != nil { + return nil, err + } + if !exists { + return nil, errors.NewNotFound(v1alpha1.Resource("githubidentityprovider"), name) + } + return obj.(*v1alpha1.GitHubIdentityProvider), nil +} diff --git a/generated/1.25/crds/idp.supervisor.pinniped.dev_githubidentityproviders.yaml b/generated/1.25/crds/idp.supervisor.pinniped.dev_githubidentityproviders.yaml new file mode 100644 index 0000000000..d10a330731 --- /dev/null +++ b/generated/1.25/crds/idp.supervisor.pinniped.dev_githubidentityproviders.yaml @@ -0,0 +1,295 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.14.0 + name: githubidentityproviders.idp.supervisor.pinniped.dev +spec: + group: idp.supervisor.pinniped.dev + names: + categories: + - pinniped + - pinniped-idp + - pinniped-idps + kind: GitHubIdentityProvider + listKind: GitHubIdentityProviderList + plural: githubidentityproviders + singular: githubidentityprovider + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.gitHubAPI.host + name: Host + type: string + - jsonPath: .status.phase + name: Status + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: |- + GitHubIdentityProvider describes the configuration of an upstream GitHub identity provider. + This upstream provider can be configured with either a GitHub App or a GitHub OAuth2 App. + + + Right now, only web-based logins are supported, for both the pinniped-cli client and clients configured + as OIDCClients. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec for configuring the identity provider. + properties: + allowedOrganizations: + description: |- + AllowedOrganizations, when specified, indicates that only users with membership in at least one of the listed + GitHub organizations may log in. In addition, the group membership presented to Kubernetes will only include + teams within the listed GitHub organizations. Additional login rules or group filtering can optionally be + provided as policy expression on any Pinniped Supervisor FederationDomain that includes this IDP. + + + The configured GitHub App or GitHub OAuth App must be allowed to see membership in the listed organizations, + otherwise Pinniped will not be aware that the user belongs to the listed organization or any teams + within that organization. + + + If no organizations are listed, you must set gitHubOrganizationLoginPolicy: AllOrganizationsAllowed + items: + type: string + type: array + claims: + description: Claims allows customization of the username and groups + claims + properties: + groups: + default: slug + description: |- + Groups configures which property of the GitHub team record shall determine the group names in Kubernetes. + + + Can be either "name" or "slug". Defaults to "slug". + + + GitHub team names can contain upper and lower case characters, whitespace, and punctuation (e.g. "Kube admins!"). + + + GitHub team slugs are lower case alphanumeric characters and may contain dashes and underscores (e.g. "kube-admins"). + + + Group names as presented to Kubernetes will always be prefixed by the GitHub organization name followed by a + forward slash (e.g. "my-org/my-team"). GitHub organization login names can only contain alphanumeric characters + or single hyphens, so the first forward slash `/` will be the separator between the organization login name and + the team name or slug. + + + If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's + FederationDomain to further customize how these group names are presented to Kubernetes. + + + See the response schema for + [List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user). + enum: + - name + - slug + type: string + username: + default: login:id + description: |- + Username configures which property of the GitHub user record shall determine the username in Kubernetes. + + + Can be either "id", "login", or "login:id". Defaults to "login:id". + + + GitHub's user login attributes can only contain alphanumeric characters and non-repeating hyphens, + and may not start or end with hyphens. GitHub users are allowed to change their login name, + although it is inconvenient. If a GitHub user changed their login name from "foo" to "bar", + then a second user might change their name from "baz" to "foo" in order to take the old + username of the first user. For this reason, it is not as safe to make authorization decisions + based only on the user's login attribute. + + + If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's + FederationDomain to further customize how these usernames are presented to Kubernetes. + + + Defaults to "login:id", which is the user login attribute, followed by a colon, followed by the unique and + unchanging integer ID number attribute. This blends human-readable login names with the unchanging ID value + from GitHub. Note that colons are not allowed in GitHub login attributes or ID numbers, so the colon in the + "login:id" name will always be the login:id separator colon. + + + See the response schema for + [Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user). + enum: + - id + - login + - login:id + type: string + required: + - groups + - username + type: object + client: + description: Client identifies the secret with credentials for a GitHub + App or GitHub OAuth2 App (a GitHub client). + properties: + secretName: + description: |- + SecretName contains the name of a namespace-local Secret object that provides the clientID and + clientSecret for an GitHub App or GitHub OAuth2 client. + + + This secret must be of type "secrets.pinniped.dev/github-client" with keys "clientID" and "clientSecret". + type: string + required: + - secretName + type: object + gitHubAPI: + default: {} + description: GitHubApi allows configuration for GitHub Enterprise + Server + properties: + host: + default: github.com + description: |- + Host is required only for GitHub Enterprise Server. + Defaults to using GitHub's public API (github.com). + type: string + tls: + description: TLS configuration for GitHub Enterprise Server. + properties: + certificateAuthorityData: + description: X.509 Certificate Authority (base64-encoded PEM + bundle). If omitted, a default set of system roots will + be trusted. + type: string + type: object + type: object + gitHubOrganizationLoginPolicy: + default: AllowedOrganizationsOnly + description: |- + GitHubOrganizationLoginPolicy must be set to "AllOrganizationsAllowed" if allowedOrganizations is empty. + + + This field only exists to ensure that Pinniped administrators are aware that an empty list of + allowedOrganizations means all GitHub users are allowed to log in. + enum: + - AllowedOrganizationsOnly + - AllOrganizationsAllowed + type: string + required: + - client + type: object + status: + description: Status of the identity provider. + properties: + conditions: + description: Conditions represents the observations of an identity + provider's current state. + items: + description: "Condition contains details for one aspect of the current + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + phase: + default: Pending + description: Phase summarizes the overall status of the GitHubIdentityProvider. + enum: + - Pending + - Ready + - Error + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/generated/1.26/README.adoc b/generated/1.26/README.adoc index 406eac4047..c42351cc65 100644 --- a/generated/1.26/README.adoc +++ b/generated/1.26/README.adoc @@ -1366,6 +1366,199 @@ Status of an Active Directory identity provider. |=== +[id="{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githubapiconfig"] +==== GitHubAPIConfig + +GitHubAPIConfig allows configuration for GitHub Enterprise Server + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githubidentityproviderspec[$$GitHubIdentityProviderSpec$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`host`* __string__ | Host is required only for GitHub Enterprise Server. Defaults to using GitHub's public API (github.com). +| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-tlsspec[$$TLSSpec$$]__ | TLS configuration for GitHub Enterprise Server. +|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githubclaims"] +==== GitHubClaims + +GitHubClaims allows customization of the username and groups claims + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githubidentityproviderspec[$$GitHubIdentityProviderSpec$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`username`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githubusernameattribute[$$GitHubUsernameAttribute$$]__ | Username configures which property of the GitHub user record shall determine the username in Kubernetes. + + +Can be either "id", "login", or "login:id". Defaults to "login:id". + + +GitHub's user login attributes can only contain alphanumeric characters and non-repeating hyphens, and may not start or end with hyphens. GitHub users are allowed to change their login name, although it is inconvenient. If a GitHub user changed their login name from "foo" to "bar", then a second user might change their name from "baz" to "foo" in order to take the old username of the first user. For this reason, it is not as safe to make authorization decisions based only on the user's login attribute. + + +If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's FederationDomain to further customize how these usernames are presented to Kubernetes. + + +Defaults to "login:id", which is the user login attribute, followed by a colon, followed by the unique and unchanging integer ID number attribute. This blends human-readable login names with the unchanging ID value from GitHub. Note that colons are not allowed in GitHub login attributes or ID numbers, so the colon in the "login:id" name will always be the login:id separator colon. + + +See the response schema for [Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user). +| *`groups`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githubgroupnameattribute[$$GitHubGroupNameAttribute$$]__ | Groups configures which property of the GitHub team record shall determine the group names in Kubernetes. + + +Can be either "name" or "slug". Defaults to "slug". + + +GitHub team names can contain upper and lower case characters, whitespace, and punctuation (e.g. "Kube admins!"). + + +GitHub team slugs are lower case alphanumeric characters and may contain dashes and underscores (e.g. "kube-admins"). + + +Group names as presented to Kubernetes will always be prefixed by the GitHub organization name followed by a forward slash (e.g. "my-org/my-team"). GitHub organization login names can only contain alphanumeric characters or single hyphens, so the first forward slash `/` will be the separator between the organization login name and the team name or slug. + + +If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's FederationDomain to further customize how these group names are presented to Kubernetes. + + +See the response schema for [List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user). +|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githubclientspec"] +==== GitHubClientSpec + +GitHubClientSpec contains information about the GitHub client that this identity provider will use for web-based login flows. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githubidentityproviderspec[$$GitHubIdentityProviderSpec$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`secretName`* __string__ | SecretName contains the name of a namespace-local Secret object that provides the clientID and clientSecret for an GitHub App or GitHub OAuth2 client. + + +This secret must be of type "secrets.pinniped.dev/github-client" with keys "clientID" and "clientSecret". +|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githubgroupnameattribute"] +==== GitHubGroupNameAttribute (string) + +GitHubGroupNameAttribute allows the user to specify which attribute from GitHub to use for the downstream group names. See the response schema for [List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user). + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githubclaims[$$GitHubClaims$$] +**** + + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githubidentityprovider"] +==== GitHubIdentityProvider + +GitHubIdentityProvider describes the configuration of an upstream GitHub identity provider. This upstream provider can be configured with either a GitHub App or a GitHub OAuth2 App. + Right now, only web-based logins are supported, for both the pinniped-cli client and clients configured as OIDCClients. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githubidentityproviderlist[$$GitHubIdentityProviderList$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`. + +| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githubidentityproviderspec[$$GitHubIdentityProviderSpec$$]__ | Spec for configuring the identity provider. +| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githubidentityproviderstatus[$$GitHubIdentityProviderStatus$$]__ | Status of the identity provider. +|=== + + + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githubidentityproviderphase"] +==== GitHubIdentityProviderPhase (string) + + + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githubidentityproviderstatus[$$GitHubIdentityProviderStatus$$] +**** + + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githubidentityproviderspec"] +==== GitHubIdentityProviderSpec + +GitHubIdentityProviderSpec is the spec for configuring an GitHub identity provider. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githubidentityprovider[$$GitHubIdentityProvider$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`gitHubAPI`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githubapiconfig[$$GitHubAPIConfig$$]__ | GitHubApi allows configuration for GitHub Enterprise Server +| *`claims`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githubclaims[$$GitHubClaims$$]__ | Claims allows customization of the username and groups claims +| *`allowedOrganizations`* __string array__ | AllowedOrganizations, when specified, indicates that only users with membership in at least one of the listed GitHub organizations may log in. In addition, the group membership presented to Kubernetes will only include teams within the listed GitHub organizations. Additional login rules or group filtering can optionally be provided as policy expression on any Pinniped Supervisor FederationDomain that includes this IDP. + + +The configured GitHub App or GitHub OAuth App must be allowed to see membership in the listed organizations, otherwise Pinniped will not be aware that the user belongs to the listed organization or any teams within that organization. + + +If no organizations are listed, you must set gitHubOrganizationLoginPolicy: AllOrganizationsAllowed +| *`gitHubOrganizationLoginPolicy`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githuborganizationloginpolicy[$$GitHubOrganizationLoginPolicy$$]__ | GitHubOrganizationLoginPolicy must be set to "AllOrganizationsAllowed" if allowedOrganizations is empty. + + +This field only exists to ensure that Pinniped administrators are aware that an empty list of allowedOrganizations means all GitHub users are allowed to log in. +| *`client`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githubclientspec[$$GitHubClientSpec$$]__ | Client identifies the secret with credentials for a GitHub App or GitHub OAuth2 App (a GitHub client). +|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githubidentityproviderstatus"] +==== GitHubIdentityProviderStatus + +GitHubIdentityProviderStatus is the status of an GitHub identity provider. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githubidentityprovider[$$GitHubIdentityProvider$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`phase`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githubidentityproviderphase[$$GitHubIdentityProviderPhase$$]__ | Phase summarizes the overall status of the GitHubIdentityProvider. +| *`conditions`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#condition-v1-meta[$$Condition$$] array__ | Conditions represents the observations of an identity provider's current state. +|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githuborganizationloginpolicy"] +==== GitHubOrganizationLoginPolicy (string) + + + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githubidentityproviderspec[$$GitHubIdentityProviderSpec$$] +**** + + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githubusernameattribute"] +==== GitHubUsernameAttribute (string) + +GitHubUsernameAttribute allows the user to specify which attribute(s) from GitHub to use for the downstream username. See the response schema for [Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user). + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githubclaims[$$GitHubClaims$$] +**** + + + [id="{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-ldapidentityprovider"] ==== LDAPIdentityProvider @@ -1686,11 +1879,12 @@ Parameter is a key/value pair which represents a parameter in an HTTP request. [id="{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-tlsspec"] ==== TLSSpec -Configuration for TLS parameters related to identity provider integration. +TLSSpec provides TLS configuration for identity provider integration. .Appears In: **** - xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-activedirectoryidentityproviderspec[$$ActiveDirectoryIdentityProviderSpec$$] +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githubapiconfig[$$GitHubAPIConfig$$] - xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-ldapidentityproviderspec[$$LDAPIdentityProviderSpec$$] - xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-oidcidentityproviderspec[$$OIDCIdentityProviderSpec$$] **** diff --git a/generated/1.26/apis/supervisor/idp/v1alpha1/register.go b/generated/1.26/apis/supervisor/idp/v1alpha1/register.go index 8829a86385..705be8076c 100644 --- a/generated/1.26/apis/supervisor/idp/v1alpha1/register.go +++ b/generated/1.26/apis/supervisor/idp/v1alpha1/register.go @@ -1,4 +1,4 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 package v1alpha1 @@ -36,6 +36,8 @@ func addKnownTypes(scheme *runtime.Scheme) error { &LDAPIdentityProviderList{}, &ActiveDirectoryIdentityProvider{}, &ActiveDirectoryIdentityProviderList{}, + &GitHubIdentityProvider{}, + &GitHubIdentityProviderList{}, ) metav1.AddToGroupVersion(scheme, SchemeGroupVersion) return nil diff --git a/generated/1.26/apis/supervisor/idp/v1alpha1/types_githubidentityprovider.go b/generated/1.26/apis/supervisor/idp/v1alpha1/types_githubidentityprovider.go new file mode 100644 index 0000000000..92bd19724b --- /dev/null +++ b/generated/1.26/apis/supervisor/idp/v1alpha1/types_githubidentityprovider.go @@ -0,0 +1,231 @@ +// Copyright 2024 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +package v1alpha1 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" +) + +type GitHubIdentityProviderPhase string + +const ( + // GitHubPhasePending is the default phase for newly-created GitHubIdentityProvider resources. + GitHubPhasePending GitHubIdentityProviderPhase = "Pending" + + // GitHubPhaseReady is the phase for an GitHubIdentityProvider resource in a healthy state. + GitHubPhaseReady GitHubIdentityProviderPhase = "Ready" + + // GitHubPhaseError is the phase for an GitHubIdentityProvider in an unhealthy state. + GitHubPhaseError GitHubIdentityProviderPhase = "Error" +) + +type GitHubOrganizationLoginPolicy string + +const ( + // GitHubOrganizationLoginPolicyAllOrgsAllowed means any GitHub user is allowed to log in using this identity + // provider, regardless of their organization membership or lack thereof. + GitHubOrganizationLoginPolicyAllOrgsAllowed GitHubOrganizationLoginPolicy = "AllOrganizationsAllowed" + + // GitHubOrganizationLoginPolicyAllowedOrgsOnly means only those users with membership in the listed GitHub + // organizations are allowed to log in. + GitHubOrganizationLoginPolicyAllowedOrgsOnly GitHubOrganizationLoginPolicy = "AllowedOrganizationsOnly" +) + +// GitHubIdentityProviderStatus is the status of an GitHub identity provider. +type GitHubIdentityProviderStatus struct { + // Phase summarizes the overall status of the GitHubIdentityProvider. + // + // +kubebuilder:default=Pending + // +kubebuilder:validation:Enum=Pending;Ready;Error + Phase GitHubIdentityProviderPhase `json:"phase,omitempty"` + + // Conditions represents the observations of an identity provider's current state. + // + // +patchMergeKey=type + // +patchStrategy=merge + // +listType=map + // +listMapKey=type + Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"` +} + +// GitHubAPIConfig allows configuration for GitHub Enterprise Server +type GitHubAPIConfig struct { + // Host is required only for GitHub Enterprise Server. + // Defaults to using GitHub's public API (github.com). + // + // +kubebuilder:default="github.com" + // +optional + Host string `json:"host"` + + // TLS configuration for GitHub Enterprise Server. + // + // +optional + TLS *TLSSpec `json:"tls,omitempty"` +} + +// GitHubUsernameAttribute allows the user to specify which attribute(s) from GitHub to use for the downstream username. +// See the response schema for +// [Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user). +type GitHubUsernameAttribute string + +const ( + // GitHubUsernameID specifies using the `id` attribute from the GitHub user as the downstream username. + GitHubUsernameID GitHubUsernameAttribute = "id" + + // GitHubUsernameLogin specifies using the `login` attribute from the GitHub user as the downstream username. + GitHubUsernameLogin GitHubUsernameAttribute = "login" + + // GitHubUsernameLoginAndID specifies combining the `login` and `id` attributes from the GitHub user as the + // downstream username, separated by a colon. Example: "my-login:1234" + GitHubUsernameLoginAndID GitHubUsernameAttribute = "login:id" +) + +// GitHubGroupNameAttribute allows the user to specify which attribute from GitHub to use for the downstream group +// names. See the response schema for +// [List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user). +type GitHubGroupNameAttribute string + +const ( + // GitHubUseTeamNameForGrouypName specifies using the GitHub team's `name` attribute as the downstream group name. + GitHubUseTeamNameForGrouypName GitHubGroupNameAttribute = "name" + + // GitHubUseTeamSlugForGroupName specifies using the GitHub team's `slug` attribute as the downstream group name. + GitHubUseTeamSlugForGroupName GitHubGroupNameAttribute = "slug" +) + +// GitHubClaims allows customization of the username and groups claims +type GitHubClaims struct { + // Username configures which property of the GitHub user record shall determine the username in Kubernetes. + // + // Can be either "id", "login", or "login:id". Defaults to "login:id". + // + // GitHub's user login attributes can only contain alphanumeric characters and non-repeating hyphens, + // and may not start or end with hyphens. GitHub users are allowed to change their login name, + // although it is inconvenient. If a GitHub user changed their login name from "foo" to "bar", + // then a second user might change their name from "baz" to "foo" in order to take the old + // username of the first user. For this reason, it is not as safe to make authorization decisions + // based only on the user's login attribute. + // + // If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's + // FederationDomain to further customize how these usernames are presented to Kubernetes. + // + // Defaults to "login:id", which is the user login attribute, followed by a colon, followed by the unique and + // unchanging integer ID number attribute. This blends human-readable login names with the unchanging ID value + // from GitHub. Note that colons are not allowed in GitHub login attributes or ID numbers, so the colon in the + // "login:id" name will always be the login:id separator colon. + // + // See the response schema for + // [Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user). + // + // +kubebuilder:default="login:id" + // +kubebuilder:validation:Enum={"id","login","login:id"} + Username GitHubUsernameAttribute `json:"username"` + + // Groups configures which property of the GitHub team record shall determine the group names in Kubernetes. + // + // Can be either "name" or "slug". Defaults to "slug". + // + // GitHub team names can contain upper and lower case characters, whitespace, and punctuation (e.g. "Kube admins!"). + // + // GitHub team slugs are lower case alphanumeric characters and may contain dashes and underscores (e.g. "kube-admins"). + // + // Group names as presented to Kubernetes will always be prefixed by the GitHub organization name followed by a + // forward slash (e.g. "my-org/my-team"). GitHub organization login names can only contain alphanumeric characters + // or single hyphens, so the first forward slash `/` will be the separator between the organization login name and + // the team name or slug. + // + // If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's + // FederationDomain to further customize how these group names are presented to Kubernetes. + // + // See the response schema for + // [List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user). + // + // +kubebuilder:default=slug + // +kubebuilder:validation:Enum=name;slug + Groups GitHubGroupNameAttribute `json:"groups"` +} + +// GitHubClientSpec contains information about the GitHub client that this identity provider will use +// for web-based login flows. +type GitHubClientSpec struct { + // SecretName contains the name of a namespace-local Secret object that provides the clientID and + // clientSecret for an GitHub App or GitHub OAuth2 client. + // + // This secret must be of type "secrets.pinniped.dev/github-client" with keys "clientID" and "clientSecret". + SecretName string `json:"secretName"` +} + +// GitHubIdentityProviderSpec is the spec for configuring an GitHub identity provider. +type GitHubIdentityProviderSpec struct { + // GitHubApi allows configuration for GitHub Enterprise Server + // + // +kubebuilder:default={} + GitHubApi GitHubAPIConfig `json:"gitHubAPI,omitempty"` + + // Claims allows customization of the username and groups claims + // + // +optional + Claims GitHubClaims `json:"claims,omitempty"` + + // AllowedOrganizations, when specified, indicates that only users with membership in at least one of the listed + // GitHub organizations may log in. In addition, the group membership presented to Kubernetes will only include + // teams within the listed GitHub organizations. Additional login rules or group filtering can optionally be + // provided as policy expression on any Pinniped Supervisor FederationDomain that includes this IDP. + // + // The configured GitHub App or GitHub OAuth App must be allowed to see membership in the listed organizations, + // otherwise Pinniped will not be aware that the user belongs to the listed organization or any teams + // within that organization. + // + // If no organizations are listed, you must set gitHubOrganizationLoginPolicy: AllOrganizationsAllowed + // + // +optional + AllowedOrganizations []string `json:"allowedOrganizations,omitempty"` + + // GitHubOrganizationLoginPolicy must be set to "AllOrganizationsAllowed" if allowedOrganizations is empty. + // + // This field only exists to ensure that Pinniped administrators are aware that an empty list of + // allowedOrganizations means all GitHub users are allowed to log in. + // + // +kubebuilder:default=AllowedOrganizationsOnly + // +kubebuilder:validation:Enum=AllowedOrganizationsOnly;AllOrganizationsAllowed + // +optional + GitHubOrganizationLoginPolicy GitHubOrganizationLoginPolicy `json:"gitHubOrganizationLoginPolicy"` + + // Client identifies the secret with credentials for a GitHub App or GitHub OAuth2 App (a GitHub client). + Client GitHubClientSpec `json:"client"` +} + +// GitHubIdentityProvider describes the configuration of an upstream GitHub identity provider. +// This upstream provider can be configured with either a GitHub App or a GitHub OAuth2 App. +// +// Right now, only web-based logins are supported, for both the pinniped-cli client and clients configured +// as OIDCClients. +// +// +genclient +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +// +kubebuilder:resource:categories=pinniped;pinniped-idp;pinniped-idps +// +kubebuilder:printcolumn:name="Host",type=string,JSONPath=`.spec.gitHubAPI.host` +// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.phase` +// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp` +// +kubebuilder:subresource:status +type GitHubIdentityProvider struct { + metav1.TypeMeta `json:",inline"` + metav1.ObjectMeta `json:"metadata,omitempty"` + + // Spec for configuring the identity provider. + Spec GitHubIdentityProviderSpec `json:"spec"` + + // Status of the identity provider. + Status GitHubIdentityProviderStatus `json:"status,omitempty"` +} + +// GitHubIdentityProviderList lists GitHubIdentityProvider objects. +// +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +type GitHubIdentityProviderList struct { + metav1.TypeMeta `json:",inline"` + metav1.ListMeta `json:"metadata,omitempty"` + + Items []GitHubIdentityProvider `json:"items"` +} diff --git a/generated/1.26/apis/supervisor/idp/v1alpha1/types_tls.go b/generated/1.26/apis/supervisor/idp/v1alpha1/types_tls.go index 1413a262cc..49b49373cd 100644 --- a/generated/1.26/apis/supervisor/idp/v1alpha1/types_tls.go +++ b/generated/1.26/apis/supervisor/idp/v1alpha1/types_tls.go @@ -1,9 +1,9 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 package v1alpha1 -// Configuration for TLS parameters related to identity provider integration. +// TLSSpec provides TLS configuration for identity provider integration. type TLSSpec struct { // X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted. // +optional diff --git a/generated/1.26/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go b/generated/1.26/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go index b0cb168b54..724643e7c2 100644 --- a/generated/1.26/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go +++ b/generated/1.26/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go @@ -203,6 +203,167 @@ func (in *ActiveDirectoryIdentityProviderUserSearchAttributes) DeepCopy() *Activ return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *GitHubAPIConfig) DeepCopyInto(out *GitHubAPIConfig) { + *out = *in + if in.TLS != nil { + in, out := &in.TLS, &out.TLS + *out = new(TLSSpec) + **out = **in + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubAPIConfig. +func (in *GitHubAPIConfig) DeepCopy() *GitHubAPIConfig { + if in == nil { + return nil + } + out := new(GitHubAPIConfig) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *GitHubClaims) DeepCopyInto(out *GitHubClaims) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubClaims. +func (in *GitHubClaims) DeepCopy() *GitHubClaims { + if in == nil { + return nil + } + out := new(GitHubClaims) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *GitHubClientSpec) DeepCopyInto(out *GitHubClientSpec) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubClientSpec. +func (in *GitHubClientSpec) DeepCopy() *GitHubClientSpec { + if in == nil { + return nil + } + out := new(GitHubClientSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *GitHubIdentityProvider) DeepCopyInto(out *GitHubIdentityProvider) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + in.Spec.DeepCopyInto(&out.Spec) + in.Status.DeepCopyInto(&out.Status) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubIdentityProvider. +func (in *GitHubIdentityProvider) DeepCopy() *GitHubIdentityProvider { + if in == nil { + return nil + } + out := new(GitHubIdentityProvider) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *GitHubIdentityProvider) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *GitHubIdentityProviderList) DeepCopyInto(out *GitHubIdentityProviderList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]GitHubIdentityProvider, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubIdentityProviderList. +func (in *GitHubIdentityProviderList) DeepCopy() *GitHubIdentityProviderList { + if in == nil { + return nil + } + out := new(GitHubIdentityProviderList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *GitHubIdentityProviderList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *GitHubIdentityProviderSpec) DeepCopyInto(out *GitHubIdentityProviderSpec) { + *out = *in + in.GitHubApi.DeepCopyInto(&out.GitHubApi) + out.Claims = in.Claims + if in.AllowedOrganizations != nil { + in, out := &in.AllowedOrganizations, &out.AllowedOrganizations + *out = make([]string, len(*in)) + copy(*out, *in) + } + out.Client = in.Client + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubIdentityProviderSpec. +func (in *GitHubIdentityProviderSpec) DeepCopy() *GitHubIdentityProviderSpec { + if in == nil { + return nil + } + out := new(GitHubIdentityProviderSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *GitHubIdentityProviderStatus) DeepCopyInto(out *GitHubIdentityProviderStatus) { + *out = *in + if in.Conditions != nil { + in, out := &in.Conditions, &out.Conditions + *out = make([]v1.Condition, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubIdentityProviderStatus. +func (in *GitHubIdentityProviderStatus) DeepCopy() *GitHubIdentityProviderStatus { + if in == nil { + return nil + } + out := new(GitHubIdentityProviderStatus) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *LDAPIdentityProvider) DeepCopyInto(out *LDAPIdentityProvider) { *out = *in diff --git a/generated/1.26/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_githubidentityprovider.go b/generated/1.26/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_githubidentityprovider.go new file mode 100644 index 0000000000..305fc8f539 --- /dev/null +++ b/generated/1.26/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_githubidentityprovider.go @@ -0,0 +1,129 @@ +// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package fake + +import ( + "context" + + v1alpha1 "go.pinniped.dev/generated/1.26/apis/supervisor/idp/v1alpha1" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + labels "k8s.io/apimachinery/pkg/labels" + schema "k8s.io/apimachinery/pkg/runtime/schema" + types "k8s.io/apimachinery/pkg/types" + watch "k8s.io/apimachinery/pkg/watch" + testing "k8s.io/client-go/testing" +) + +// FakeGitHubIdentityProviders implements GitHubIdentityProviderInterface +type FakeGitHubIdentityProviders struct { + Fake *FakeIDPV1alpha1 + ns string +} + +var githubidentityprovidersResource = schema.GroupVersionResource{Group: "idp.supervisor.pinniped.dev", Version: "v1alpha1", Resource: "githubidentityproviders"} + +var githubidentityprovidersKind = schema.GroupVersionKind{Group: "idp.supervisor.pinniped.dev", Version: "v1alpha1", Kind: "GitHubIdentityProvider"} + +// Get takes name of the gitHubIdentityProvider, and returns the corresponding gitHubIdentityProvider object, and an error if there is any. +func (c *FakeGitHubIdentityProviders) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.GitHubIdentityProvider, err error) { + obj, err := c.Fake. + Invokes(testing.NewGetAction(githubidentityprovidersResource, c.ns, name), &v1alpha1.GitHubIdentityProvider{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.GitHubIdentityProvider), err +} + +// List takes label and field selectors, and returns the list of GitHubIdentityProviders that match those selectors. +func (c *FakeGitHubIdentityProviders) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.GitHubIdentityProviderList, err error) { + obj, err := c.Fake. + Invokes(testing.NewListAction(githubidentityprovidersResource, githubidentityprovidersKind, c.ns, opts), &v1alpha1.GitHubIdentityProviderList{}) + + if obj == nil { + return nil, err + } + + label, _, _ := testing.ExtractFromListOptions(opts) + if label == nil { + label = labels.Everything() + } + list := &v1alpha1.GitHubIdentityProviderList{ListMeta: obj.(*v1alpha1.GitHubIdentityProviderList).ListMeta} + for _, item := range obj.(*v1alpha1.GitHubIdentityProviderList).Items { + if label.Matches(labels.Set(item.Labels)) { + list.Items = append(list.Items, item) + } + } + return list, err +} + +// Watch returns a watch.Interface that watches the requested gitHubIdentityProviders. +func (c *FakeGitHubIdentityProviders) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) { + return c.Fake. + InvokesWatch(testing.NewWatchAction(githubidentityprovidersResource, c.ns, opts)) + +} + +// Create takes the representation of a gitHubIdentityProvider and creates it. Returns the server's representation of the gitHubIdentityProvider, and an error, if there is any. +func (c *FakeGitHubIdentityProviders) Create(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.CreateOptions) (result *v1alpha1.GitHubIdentityProvider, err error) { + obj, err := c.Fake. + Invokes(testing.NewCreateAction(githubidentityprovidersResource, c.ns, gitHubIdentityProvider), &v1alpha1.GitHubIdentityProvider{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.GitHubIdentityProvider), err +} + +// Update takes the representation of a gitHubIdentityProvider and updates it. Returns the server's representation of the gitHubIdentityProvider, and an error, if there is any. +func (c *FakeGitHubIdentityProviders) Update(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.UpdateOptions) (result *v1alpha1.GitHubIdentityProvider, err error) { + obj, err := c.Fake. + Invokes(testing.NewUpdateAction(githubidentityprovidersResource, c.ns, gitHubIdentityProvider), &v1alpha1.GitHubIdentityProvider{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.GitHubIdentityProvider), err +} + +// UpdateStatus was generated because the type contains a Status member. +// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus(). +func (c *FakeGitHubIdentityProviders) UpdateStatus(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.UpdateOptions) (*v1alpha1.GitHubIdentityProvider, error) { + obj, err := c.Fake. + Invokes(testing.NewUpdateSubresourceAction(githubidentityprovidersResource, "status", c.ns, gitHubIdentityProvider), &v1alpha1.GitHubIdentityProvider{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.GitHubIdentityProvider), err +} + +// Delete takes name of the gitHubIdentityProvider and deletes it. Returns an error if one occurs. +func (c *FakeGitHubIdentityProviders) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error { + _, err := c.Fake. + Invokes(testing.NewDeleteActionWithOptions(githubidentityprovidersResource, c.ns, name, opts), &v1alpha1.GitHubIdentityProvider{}) + + return err +} + +// DeleteCollection deletes a collection of objects. +func (c *FakeGitHubIdentityProviders) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error { + action := testing.NewDeleteCollectionAction(githubidentityprovidersResource, c.ns, listOpts) + + _, err := c.Fake.Invokes(action, &v1alpha1.GitHubIdentityProviderList{}) + return err +} + +// Patch applies the patch and returns the patched gitHubIdentityProvider. +func (c *FakeGitHubIdentityProviders) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.GitHubIdentityProvider, err error) { + obj, err := c.Fake. + Invokes(testing.NewPatchSubresourceAction(githubidentityprovidersResource, c.ns, name, pt, data, subresources...), &v1alpha1.GitHubIdentityProvider{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.GitHubIdentityProvider), err +} diff --git a/generated/1.26/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_idp_client.go b/generated/1.26/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_idp_client.go index 9f99394f6a..3af2f787bf 100644 --- a/generated/1.26/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_idp_client.go +++ b/generated/1.26/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_idp_client.go @@ -19,6 +19,10 @@ func (c *FakeIDPV1alpha1) ActiveDirectoryIdentityProviders(namespace string) v1a return &FakeActiveDirectoryIdentityProviders{c, namespace} } +func (c *FakeIDPV1alpha1) GitHubIdentityProviders(namespace string) v1alpha1.GitHubIdentityProviderInterface { + return &FakeGitHubIdentityProviders{c, namespace} +} + func (c *FakeIDPV1alpha1) LDAPIdentityProviders(namespace string) v1alpha1.LDAPIdentityProviderInterface { return &FakeLDAPIdentityProviders{c, namespace} } diff --git a/generated/1.26/client/supervisor/clientset/versioned/typed/idp/v1alpha1/generated_expansion.go b/generated/1.26/client/supervisor/clientset/versioned/typed/idp/v1alpha1/generated_expansion.go index 79be098d6c..a7acc8120f 100644 --- a/generated/1.26/client/supervisor/clientset/versioned/typed/idp/v1alpha1/generated_expansion.go +++ b/generated/1.26/client/supervisor/clientset/versioned/typed/idp/v1alpha1/generated_expansion.go @@ -7,6 +7,8 @@ package v1alpha1 type ActiveDirectoryIdentityProviderExpansion interface{} +type GitHubIdentityProviderExpansion interface{} + type LDAPIdentityProviderExpansion interface{} type OIDCIdentityProviderExpansion interface{} diff --git a/generated/1.26/client/supervisor/clientset/versioned/typed/idp/v1alpha1/githubidentityprovider.go b/generated/1.26/client/supervisor/clientset/versioned/typed/idp/v1alpha1/githubidentityprovider.go new file mode 100644 index 0000000000..c83e386e49 --- /dev/null +++ b/generated/1.26/client/supervisor/clientset/versioned/typed/idp/v1alpha1/githubidentityprovider.go @@ -0,0 +1,182 @@ +// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + "context" + "time" + + v1alpha1 "go.pinniped.dev/generated/1.26/apis/supervisor/idp/v1alpha1" + scheme "go.pinniped.dev/generated/1.26/client/supervisor/clientset/versioned/scheme" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + types "k8s.io/apimachinery/pkg/types" + watch "k8s.io/apimachinery/pkg/watch" + rest "k8s.io/client-go/rest" +) + +// GitHubIdentityProvidersGetter has a method to return a GitHubIdentityProviderInterface. +// A group's client should implement this interface. +type GitHubIdentityProvidersGetter interface { + GitHubIdentityProviders(namespace string) GitHubIdentityProviderInterface +} + +// GitHubIdentityProviderInterface has methods to work with GitHubIdentityProvider resources. +type GitHubIdentityProviderInterface interface { + Create(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.CreateOptions) (*v1alpha1.GitHubIdentityProvider, error) + Update(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.UpdateOptions) (*v1alpha1.GitHubIdentityProvider, error) + UpdateStatus(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.UpdateOptions) (*v1alpha1.GitHubIdentityProvider, error) + Delete(ctx context.Context, name string, opts v1.DeleteOptions) error + DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error + Get(ctx context.Context, name string, opts v1.GetOptions) (*v1alpha1.GitHubIdentityProvider, error) + List(ctx context.Context, opts v1.ListOptions) (*v1alpha1.GitHubIdentityProviderList, error) + Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) + Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.GitHubIdentityProvider, err error) + GitHubIdentityProviderExpansion +} + +// gitHubIdentityProviders implements GitHubIdentityProviderInterface +type gitHubIdentityProviders struct { + client rest.Interface + ns string +} + +// newGitHubIdentityProviders returns a GitHubIdentityProviders +func newGitHubIdentityProviders(c *IDPV1alpha1Client, namespace string) *gitHubIdentityProviders { + return &gitHubIdentityProviders{ + client: c.RESTClient(), + ns: namespace, + } +} + +// Get takes name of the gitHubIdentityProvider, and returns the corresponding gitHubIdentityProvider object, and an error if there is any. +func (c *gitHubIdentityProviders) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.GitHubIdentityProvider, err error) { + result = &v1alpha1.GitHubIdentityProvider{} + err = c.client.Get(). + Namespace(c.ns). + Resource("githubidentityproviders"). + Name(name). + VersionedParams(&options, scheme.ParameterCodec). + Do(ctx). + Into(result) + return +} + +// List takes label and field selectors, and returns the list of GitHubIdentityProviders that match those selectors. +func (c *gitHubIdentityProviders) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.GitHubIdentityProviderList, err error) { + var timeout time.Duration + if opts.TimeoutSeconds != nil { + timeout = time.Duration(*opts.TimeoutSeconds) * time.Second + } + result = &v1alpha1.GitHubIdentityProviderList{} + err = c.client.Get(). + Namespace(c.ns). + Resource("githubidentityproviders"). + VersionedParams(&opts, scheme.ParameterCodec). + Timeout(timeout). + Do(ctx). + Into(result) + return +} + +// Watch returns a watch.Interface that watches the requested gitHubIdentityProviders. +func (c *gitHubIdentityProviders) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) { + var timeout time.Duration + if opts.TimeoutSeconds != nil { + timeout = time.Duration(*opts.TimeoutSeconds) * time.Second + } + opts.Watch = true + return c.client.Get(). + Namespace(c.ns). + Resource("githubidentityproviders"). + VersionedParams(&opts, scheme.ParameterCodec). + Timeout(timeout). + Watch(ctx) +} + +// Create takes the representation of a gitHubIdentityProvider and creates it. Returns the server's representation of the gitHubIdentityProvider, and an error, if there is any. +func (c *gitHubIdentityProviders) Create(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.CreateOptions) (result *v1alpha1.GitHubIdentityProvider, err error) { + result = &v1alpha1.GitHubIdentityProvider{} + err = c.client.Post(). + Namespace(c.ns). + Resource("githubidentityproviders"). + VersionedParams(&opts, scheme.ParameterCodec). + Body(gitHubIdentityProvider). + Do(ctx). + Into(result) + return +} + +// Update takes the representation of a gitHubIdentityProvider and updates it. Returns the server's representation of the gitHubIdentityProvider, and an error, if there is any. +func (c *gitHubIdentityProviders) Update(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.UpdateOptions) (result *v1alpha1.GitHubIdentityProvider, err error) { + result = &v1alpha1.GitHubIdentityProvider{} + err = c.client.Put(). + Namespace(c.ns). + Resource("githubidentityproviders"). + Name(gitHubIdentityProvider.Name). + VersionedParams(&opts, scheme.ParameterCodec). + Body(gitHubIdentityProvider). + Do(ctx). + Into(result) + return +} + +// UpdateStatus was generated because the type contains a Status member. +// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus(). +func (c *gitHubIdentityProviders) UpdateStatus(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.UpdateOptions) (result *v1alpha1.GitHubIdentityProvider, err error) { + result = &v1alpha1.GitHubIdentityProvider{} + err = c.client.Put(). + Namespace(c.ns). + Resource("githubidentityproviders"). + Name(gitHubIdentityProvider.Name). + SubResource("status"). + VersionedParams(&opts, scheme.ParameterCodec). + Body(gitHubIdentityProvider). + Do(ctx). + Into(result) + return +} + +// Delete takes name of the gitHubIdentityProvider and deletes it. Returns an error if one occurs. +func (c *gitHubIdentityProviders) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error { + return c.client.Delete(). + Namespace(c.ns). + Resource("githubidentityproviders"). + Name(name). + Body(&opts). + Do(ctx). + Error() +} + +// DeleteCollection deletes a collection of objects. +func (c *gitHubIdentityProviders) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error { + var timeout time.Duration + if listOpts.TimeoutSeconds != nil { + timeout = time.Duration(*listOpts.TimeoutSeconds) * time.Second + } + return c.client.Delete(). + Namespace(c.ns). + Resource("githubidentityproviders"). + VersionedParams(&listOpts, scheme.ParameterCodec). + Timeout(timeout). + Body(&opts). + Do(ctx). + Error() +} + +// Patch applies the patch and returns the patched gitHubIdentityProvider. +func (c *gitHubIdentityProviders) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.GitHubIdentityProvider, err error) { + result = &v1alpha1.GitHubIdentityProvider{} + err = c.client.Patch(pt). + Namespace(c.ns). + Resource("githubidentityproviders"). + Name(name). + SubResource(subresources...). + VersionedParams(&opts, scheme.ParameterCodec). + Body(data). + Do(ctx). + Into(result) + return +} diff --git a/generated/1.26/client/supervisor/clientset/versioned/typed/idp/v1alpha1/idp_client.go b/generated/1.26/client/supervisor/clientset/versioned/typed/idp/v1alpha1/idp_client.go index d6c8bd42b2..a1e8d6ce3b 100644 --- a/generated/1.26/client/supervisor/clientset/versioned/typed/idp/v1alpha1/idp_client.go +++ b/generated/1.26/client/supervisor/clientset/versioned/typed/idp/v1alpha1/idp_client.go @@ -16,6 +16,7 @@ import ( type IDPV1alpha1Interface interface { RESTClient() rest.Interface ActiveDirectoryIdentityProvidersGetter + GitHubIdentityProvidersGetter LDAPIdentityProvidersGetter OIDCIdentityProvidersGetter } @@ -29,6 +30,10 @@ func (c *IDPV1alpha1Client) ActiveDirectoryIdentityProviders(namespace string) A return newActiveDirectoryIdentityProviders(c, namespace) } +func (c *IDPV1alpha1Client) GitHubIdentityProviders(namespace string) GitHubIdentityProviderInterface { + return newGitHubIdentityProviders(c, namespace) +} + func (c *IDPV1alpha1Client) LDAPIdentityProviders(namespace string) LDAPIdentityProviderInterface { return newLDAPIdentityProviders(c, namespace) } diff --git a/generated/1.26/client/supervisor/informers/externalversions/generic.go b/generated/1.26/client/supervisor/informers/externalversions/generic.go index a9c2b1bc40..fa7dc16950 100644 --- a/generated/1.26/client/supervisor/informers/externalversions/generic.go +++ b/generated/1.26/client/supervisor/informers/externalversions/generic.go @@ -49,6 +49,8 @@ func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource // Group=idp.supervisor.pinniped.dev, Version=v1alpha1 case idpv1alpha1.SchemeGroupVersion.WithResource("activedirectoryidentityproviders"): return &genericInformer{resource: resource.GroupResource(), informer: f.IDP().V1alpha1().ActiveDirectoryIdentityProviders().Informer()}, nil + case idpv1alpha1.SchemeGroupVersion.WithResource("githubidentityproviders"): + return &genericInformer{resource: resource.GroupResource(), informer: f.IDP().V1alpha1().GitHubIdentityProviders().Informer()}, nil case idpv1alpha1.SchemeGroupVersion.WithResource("ldapidentityproviders"): return &genericInformer{resource: resource.GroupResource(), informer: f.IDP().V1alpha1().LDAPIdentityProviders().Informer()}, nil case idpv1alpha1.SchemeGroupVersion.WithResource("oidcidentityproviders"): diff --git a/generated/1.26/client/supervisor/informers/externalversions/idp/v1alpha1/githubidentityprovider.go b/generated/1.26/client/supervisor/informers/externalversions/idp/v1alpha1/githubidentityprovider.go new file mode 100644 index 0000000000..f869684240 --- /dev/null +++ b/generated/1.26/client/supervisor/informers/externalversions/idp/v1alpha1/githubidentityprovider.go @@ -0,0 +1,77 @@ +// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by informer-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + "context" + time "time" + + idpv1alpha1 "go.pinniped.dev/generated/1.26/apis/supervisor/idp/v1alpha1" + versioned "go.pinniped.dev/generated/1.26/client/supervisor/clientset/versioned" + internalinterfaces "go.pinniped.dev/generated/1.26/client/supervisor/informers/externalversions/internalinterfaces" + v1alpha1 "go.pinniped.dev/generated/1.26/client/supervisor/listers/idp/v1alpha1" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + runtime "k8s.io/apimachinery/pkg/runtime" + watch "k8s.io/apimachinery/pkg/watch" + cache "k8s.io/client-go/tools/cache" +) + +// GitHubIdentityProviderInformer provides access to a shared informer and lister for +// GitHubIdentityProviders. +type GitHubIdentityProviderInformer interface { + Informer() cache.SharedIndexInformer + Lister() v1alpha1.GitHubIdentityProviderLister +} + +type gitHubIdentityProviderInformer struct { + factory internalinterfaces.SharedInformerFactory + tweakListOptions internalinterfaces.TweakListOptionsFunc + namespace string +} + +// NewGitHubIdentityProviderInformer constructs a new informer for GitHubIdentityProvider type. +// Always prefer using an informer factory to get a shared informer instead of getting an independent +// one. This reduces memory footprint and number of connections to the server. +func NewGitHubIdentityProviderInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer { + return NewFilteredGitHubIdentityProviderInformer(client, namespace, resyncPeriod, indexers, nil) +} + +// NewFilteredGitHubIdentityProviderInformer constructs a new informer for GitHubIdentityProvider type. +// Always prefer using an informer factory to get a shared informer instead of getting an independent +// one. This reduces memory footprint and number of connections to the server. +func NewFilteredGitHubIdentityProviderInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer { + return cache.NewSharedIndexInformer( + &cache.ListWatch{ + ListFunc: func(options v1.ListOptions) (runtime.Object, error) { + if tweakListOptions != nil { + tweakListOptions(&options) + } + return client.IDPV1alpha1().GitHubIdentityProviders(namespace).List(context.TODO(), options) + }, + WatchFunc: func(options v1.ListOptions) (watch.Interface, error) { + if tweakListOptions != nil { + tweakListOptions(&options) + } + return client.IDPV1alpha1().GitHubIdentityProviders(namespace).Watch(context.TODO(), options) + }, + }, + &idpv1alpha1.GitHubIdentityProvider{}, + resyncPeriod, + indexers, + ) +} + +func (f *gitHubIdentityProviderInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer { + return NewFilteredGitHubIdentityProviderInformer(client, f.namespace, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions) +} + +func (f *gitHubIdentityProviderInformer) Informer() cache.SharedIndexInformer { + return f.factory.InformerFor(&idpv1alpha1.GitHubIdentityProvider{}, f.defaultInformer) +} + +func (f *gitHubIdentityProviderInformer) Lister() v1alpha1.GitHubIdentityProviderLister { + return v1alpha1.NewGitHubIdentityProviderLister(f.Informer().GetIndexer()) +} diff --git a/generated/1.26/client/supervisor/informers/externalversions/idp/v1alpha1/interface.go b/generated/1.26/client/supervisor/informers/externalversions/idp/v1alpha1/interface.go index 8edaafa4a3..1c89e4b1d7 100644 --- a/generated/1.26/client/supervisor/informers/externalversions/idp/v1alpha1/interface.go +++ b/generated/1.26/client/supervisor/informers/externalversions/idp/v1alpha1/interface.go @@ -13,6 +13,8 @@ import ( type Interface interface { // ActiveDirectoryIdentityProviders returns a ActiveDirectoryIdentityProviderInformer. ActiveDirectoryIdentityProviders() ActiveDirectoryIdentityProviderInformer + // GitHubIdentityProviders returns a GitHubIdentityProviderInformer. + GitHubIdentityProviders() GitHubIdentityProviderInformer // LDAPIdentityProviders returns a LDAPIdentityProviderInformer. LDAPIdentityProviders() LDAPIdentityProviderInformer // OIDCIdentityProviders returns a OIDCIdentityProviderInformer. @@ -35,6 +37,11 @@ func (v *version) ActiveDirectoryIdentityProviders() ActiveDirectoryIdentityProv return &activeDirectoryIdentityProviderInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions} } +// GitHubIdentityProviders returns a GitHubIdentityProviderInformer. +func (v *version) GitHubIdentityProviders() GitHubIdentityProviderInformer { + return &gitHubIdentityProviderInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions} +} + // LDAPIdentityProviders returns a LDAPIdentityProviderInformer. func (v *version) LDAPIdentityProviders() LDAPIdentityProviderInformer { return &lDAPIdentityProviderInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions} diff --git a/generated/1.26/client/supervisor/listers/idp/v1alpha1/expansion_generated.go b/generated/1.26/client/supervisor/listers/idp/v1alpha1/expansion_generated.go index b491a9e8d4..470c06abb0 100644 --- a/generated/1.26/client/supervisor/listers/idp/v1alpha1/expansion_generated.go +++ b/generated/1.26/client/supervisor/listers/idp/v1alpha1/expansion_generated.go @@ -13,6 +13,14 @@ type ActiveDirectoryIdentityProviderListerExpansion interface{} // ActiveDirectoryIdentityProviderNamespaceLister. type ActiveDirectoryIdentityProviderNamespaceListerExpansion interface{} +// GitHubIdentityProviderListerExpansion allows custom methods to be added to +// GitHubIdentityProviderLister. +type GitHubIdentityProviderListerExpansion interface{} + +// GitHubIdentityProviderNamespaceListerExpansion allows custom methods to be added to +// GitHubIdentityProviderNamespaceLister. +type GitHubIdentityProviderNamespaceListerExpansion interface{} + // LDAPIdentityProviderListerExpansion allows custom methods to be added to // LDAPIdentityProviderLister. type LDAPIdentityProviderListerExpansion interface{} diff --git a/generated/1.26/client/supervisor/listers/idp/v1alpha1/githubidentityprovider.go b/generated/1.26/client/supervisor/listers/idp/v1alpha1/githubidentityprovider.go new file mode 100644 index 0000000000..a11c30dc53 --- /dev/null +++ b/generated/1.26/client/supervisor/listers/idp/v1alpha1/githubidentityprovider.go @@ -0,0 +1,86 @@ +// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by lister-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + v1alpha1 "go.pinniped.dev/generated/1.26/apis/supervisor/idp/v1alpha1" + "k8s.io/apimachinery/pkg/api/errors" + "k8s.io/apimachinery/pkg/labels" + "k8s.io/client-go/tools/cache" +) + +// GitHubIdentityProviderLister helps list GitHubIdentityProviders. +// All objects returned here must be treated as read-only. +type GitHubIdentityProviderLister interface { + // List lists all GitHubIdentityProviders in the indexer. + // Objects returned here must be treated as read-only. + List(selector labels.Selector) (ret []*v1alpha1.GitHubIdentityProvider, err error) + // GitHubIdentityProviders returns an object that can list and get GitHubIdentityProviders. + GitHubIdentityProviders(namespace string) GitHubIdentityProviderNamespaceLister + GitHubIdentityProviderListerExpansion +} + +// gitHubIdentityProviderLister implements the GitHubIdentityProviderLister interface. +type gitHubIdentityProviderLister struct { + indexer cache.Indexer +} + +// NewGitHubIdentityProviderLister returns a new GitHubIdentityProviderLister. +func NewGitHubIdentityProviderLister(indexer cache.Indexer) GitHubIdentityProviderLister { + return &gitHubIdentityProviderLister{indexer: indexer} +} + +// List lists all GitHubIdentityProviders in the indexer. +func (s *gitHubIdentityProviderLister) List(selector labels.Selector) (ret []*v1alpha1.GitHubIdentityProvider, err error) { + err = cache.ListAll(s.indexer, selector, func(m interface{}) { + ret = append(ret, m.(*v1alpha1.GitHubIdentityProvider)) + }) + return ret, err +} + +// GitHubIdentityProviders returns an object that can list and get GitHubIdentityProviders. +func (s *gitHubIdentityProviderLister) GitHubIdentityProviders(namespace string) GitHubIdentityProviderNamespaceLister { + return gitHubIdentityProviderNamespaceLister{indexer: s.indexer, namespace: namespace} +} + +// GitHubIdentityProviderNamespaceLister helps list and get GitHubIdentityProviders. +// All objects returned here must be treated as read-only. +type GitHubIdentityProviderNamespaceLister interface { + // List lists all GitHubIdentityProviders in the indexer for a given namespace. + // Objects returned here must be treated as read-only. + List(selector labels.Selector) (ret []*v1alpha1.GitHubIdentityProvider, err error) + // Get retrieves the GitHubIdentityProvider from the indexer for a given namespace and name. + // Objects returned here must be treated as read-only. + Get(name string) (*v1alpha1.GitHubIdentityProvider, error) + GitHubIdentityProviderNamespaceListerExpansion +} + +// gitHubIdentityProviderNamespaceLister implements the GitHubIdentityProviderNamespaceLister +// interface. +type gitHubIdentityProviderNamespaceLister struct { + indexer cache.Indexer + namespace string +} + +// List lists all GitHubIdentityProviders in the indexer for a given namespace. +func (s gitHubIdentityProviderNamespaceLister) List(selector labels.Selector) (ret []*v1alpha1.GitHubIdentityProvider, err error) { + err = cache.ListAllByNamespace(s.indexer, s.namespace, selector, func(m interface{}) { + ret = append(ret, m.(*v1alpha1.GitHubIdentityProvider)) + }) + return ret, err +} + +// Get retrieves the GitHubIdentityProvider from the indexer for a given namespace and name. +func (s gitHubIdentityProviderNamespaceLister) Get(name string) (*v1alpha1.GitHubIdentityProvider, error) { + obj, exists, err := s.indexer.GetByKey(s.namespace + "/" + name) + if err != nil { + return nil, err + } + if !exists { + return nil, errors.NewNotFound(v1alpha1.Resource("githubidentityprovider"), name) + } + return obj.(*v1alpha1.GitHubIdentityProvider), nil +} diff --git a/generated/1.26/crds/idp.supervisor.pinniped.dev_githubidentityproviders.yaml b/generated/1.26/crds/idp.supervisor.pinniped.dev_githubidentityproviders.yaml new file mode 100644 index 0000000000..d10a330731 --- /dev/null +++ b/generated/1.26/crds/idp.supervisor.pinniped.dev_githubidentityproviders.yaml @@ -0,0 +1,295 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.14.0 + name: githubidentityproviders.idp.supervisor.pinniped.dev +spec: + group: idp.supervisor.pinniped.dev + names: + categories: + - pinniped + - pinniped-idp + - pinniped-idps + kind: GitHubIdentityProvider + listKind: GitHubIdentityProviderList + plural: githubidentityproviders + singular: githubidentityprovider + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.gitHubAPI.host + name: Host + type: string + - jsonPath: .status.phase + name: Status + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: |- + GitHubIdentityProvider describes the configuration of an upstream GitHub identity provider. + This upstream provider can be configured with either a GitHub App or a GitHub OAuth2 App. + + + Right now, only web-based logins are supported, for both the pinniped-cli client and clients configured + as OIDCClients. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec for configuring the identity provider. + properties: + allowedOrganizations: + description: |- + AllowedOrganizations, when specified, indicates that only users with membership in at least one of the listed + GitHub organizations may log in. In addition, the group membership presented to Kubernetes will only include + teams within the listed GitHub organizations. Additional login rules or group filtering can optionally be + provided as policy expression on any Pinniped Supervisor FederationDomain that includes this IDP. + + + The configured GitHub App or GitHub OAuth App must be allowed to see membership in the listed organizations, + otherwise Pinniped will not be aware that the user belongs to the listed organization or any teams + within that organization. + + + If no organizations are listed, you must set gitHubOrganizationLoginPolicy: AllOrganizationsAllowed + items: + type: string + type: array + claims: + description: Claims allows customization of the username and groups + claims + properties: + groups: + default: slug + description: |- + Groups configures which property of the GitHub team record shall determine the group names in Kubernetes. + + + Can be either "name" or "slug". Defaults to "slug". + + + GitHub team names can contain upper and lower case characters, whitespace, and punctuation (e.g. "Kube admins!"). + + + GitHub team slugs are lower case alphanumeric characters and may contain dashes and underscores (e.g. "kube-admins"). + + + Group names as presented to Kubernetes will always be prefixed by the GitHub organization name followed by a + forward slash (e.g. "my-org/my-team"). GitHub organization login names can only contain alphanumeric characters + or single hyphens, so the first forward slash `/` will be the separator between the organization login name and + the team name or slug. + + + If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's + FederationDomain to further customize how these group names are presented to Kubernetes. + + + See the response schema for + [List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user). + enum: + - name + - slug + type: string + username: + default: login:id + description: |- + Username configures which property of the GitHub user record shall determine the username in Kubernetes. + + + Can be either "id", "login", or "login:id". Defaults to "login:id". + + + GitHub's user login attributes can only contain alphanumeric characters and non-repeating hyphens, + and may not start or end with hyphens. GitHub users are allowed to change their login name, + although it is inconvenient. If a GitHub user changed their login name from "foo" to "bar", + then a second user might change their name from "baz" to "foo" in order to take the old + username of the first user. For this reason, it is not as safe to make authorization decisions + based only on the user's login attribute. + + + If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's + FederationDomain to further customize how these usernames are presented to Kubernetes. + + + Defaults to "login:id", which is the user login attribute, followed by a colon, followed by the unique and + unchanging integer ID number attribute. This blends human-readable login names with the unchanging ID value + from GitHub. Note that colons are not allowed in GitHub login attributes or ID numbers, so the colon in the + "login:id" name will always be the login:id separator colon. + + + See the response schema for + [Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user). + enum: + - id + - login + - login:id + type: string + required: + - groups + - username + type: object + client: + description: Client identifies the secret with credentials for a GitHub + App or GitHub OAuth2 App (a GitHub client). + properties: + secretName: + description: |- + SecretName contains the name of a namespace-local Secret object that provides the clientID and + clientSecret for an GitHub App or GitHub OAuth2 client. + + + This secret must be of type "secrets.pinniped.dev/github-client" with keys "clientID" and "clientSecret". + type: string + required: + - secretName + type: object + gitHubAPI: + default: {} + description: GitHubApi allows configuration for GitHub Enterprise + Server + properties: + host: + default: github.com + description: |- + Host is required only for GitHub Enterprise Server. + Defaults to using GitHub's public API (github.com). + type: string + tls: + description: TLS configuration for GitHub Enterprise Server. + properties: + certificateAuthorityData: + description: X.509 Certificate Authority (base64-encoded PEM + bundle). If omitted, a default set of system roots will + be trusted. + type: string + type: object + type: object + gitHubOrganizationLoginPolicy: + default: AllowedOrganizationsOnly + description: |- + GitHubOrganizationLoginPolicy must be set to "AllOrganizationsAllowed" if allowedOrganizations is empty. + + + This field only exists to ensure that Pinniped administrators are aware that an empty list of + allowedOrganizations means all GitHub users are allowed to log in. + enum: + - AllowedOrganizationsOnly + - AllOrganizationsAllowed + type: string + required: + - client + type: object + status: + description: Status of the identity provider. + properties: + conditions: + description: Conditions represents the observations of an identity + provider's current state. + items: + description: "Condition contains details for one aspect of the current + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + phase: + default: Pending + description: Phase summarizes the overall status of the GitHubIdentityProvider. + enum: + - Pending + - Ready + - Error + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/generated/1.27/README.adoc b/generated/1.27/README.adoc index 9bafbbbffc..c8e5913b2c 100644 --- a/generated/1.27/README.adoc +++ b/generated/1.27/README.adoc @@ -1366,6 +1366,199 @@ Status of an Active Directory identity provider. |=== +[id="{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-githubapiconfig"] +==== GitHubAPIConfig + +GitHubAPIConfig allows configuration for GitHub Enterprise Server + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-githubidentityproviderspec[$$GitHubIdentityProviderSpec$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`host`* __string__ | Host is required only for GitHub Enterprise Server. Defaults to using GitHub's public API (github.com). +| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-tlsspec[$$TLSSpec$$]__ | TLS configuration for GitHub Enterprise Server. +|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-githubclaims"] +==== GitHubClaims + +GitHubClaims allows customization of the username and groups claims + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-githubidentityproviderspec[$$GitHubIdentityProviderSpec$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`username`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-githubusernameattribute[$$GitHubUsernameAttribute$$]__ | Username configures which property of the GitHub user record shall determine the username in Kubernetes. + + +Can be either "id", "login", or "login:id". Defaults to "login:id". + + +GitHub's user login attributes can only contain alphanumeric characters and non-repeating hyphens, and may not start or end with hyphens. GitHub users are allowed to change their login name, although it is inconvenient. If a GitHub user changed their login name from "foo" to "bar", then a second user might change their name from "baz" to "foo" in order to take the old username of the first user. For this reason, it is not as safe to make authorization decisions based only on the user's login attribute. + + +If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's FederationDomain to further customize how these usernames are presented to Kubernetes. + + +Defaults to "login:id", which is the user login attribute, followed by a colon, followed by the unique and unchanging integer ID number attribute. This blends human-readable login names with the unchanging ID value from GitHub. Note that colons are not allowed in GitHub login attributes or ID numbers, so the colon in the "login:id" name will always be the login:id separator colon. + + +See the response schema for [Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user). +| *`groups`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-githubgroupnameattribute[$$GitHubGroupNameAttribute$$]__ | Groups configures which property of the GitHub team record shall determine the group names in Kubernetes. + + +Can be either "name" or "slug". Defaults to "slug". + + +GitHub team names can contain upper and lower case characters, whitespace, and punctuation (e.g. "Kube admins!"). + + +GitHub team slugs are lower case alphanumeric characters and may contain dashes and underscores (e.g. "kube-admins"). + + +Group names as presented to Kubernetes will always be prefixed by the GitHub organization name followed by a forward slash (e.g. "my-org/my-team"). GitHub organization login names can only contain alphanumeric characters or single hyphens, so the first forward slash `/` will be the separator between the organization login name and the team name or slug. + + +If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's FederationDomain to further customize how these group names are presented to Kubernetes. + + +See the response schema for [List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user). +|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-githubclientspec"] +==== GitHubClientSpec + +GitHubClientSpec contains information about the GitHub client that this identity provider will use for web-based login flows. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-githubidentityproviderspec[$$GitHubIdentityProviderSpec$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`secretName`* __string__ | SecretName contains the name of a namespace-local Secret object that provides the clientID and clientSecret for an GitHub App or GitHub OAuth2 client. + + +This secret must be of type "secrets.pinniped.dev/github-client" with keys "clientID" and "clientSecret". +|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-githubgroupnameattribute"] +==== GitHubGroupNameAttribute (string) + +GitHubGroupNameAttribute allows the user to specify which attribute from GitHub to use for the downstream group names. See the response schema for [List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user). + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-githubclaims[$$GitHubClaims$$] +**** + + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-githubidentityprovider"] +==== GitHubIdentityProvider + +GitHubIdentityProvider describes the configuration of an upstream GitHub identity provider. This upstream provider can be configured with either a GitHub App or a GitHub OAuth2 App. + Right now, only web-based logins are supported, for both the pinniped-cli client and clients configured as OIDCClients. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-githubidentityproviderlist[$$GitHubIdentityProviderList$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`. + +| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-githubidentityproviderspec[$$GitHubIdentityProviderSpec$$]__ | Spec for configuring the identity provider. +| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-githubidentityproviderstatus[$$GitHubIdentityProviderStatus$$]__ | Status of the identity provider. +|=== + + + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-githubidentityproviderphase"] +==== GitHubIdentityProviderPhase (string) + + + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-githubidentityproviderstatus[$$GitHubIdentityProviderStatus$$] +**** + + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-githubidentityproviderspec"] +==== GitHubIdentityProviderSpec + +GitHubIdentityProviderSpec is the spec for configuring an GitHub identity provider. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-githubidentityprovider[$$GitHubIdentityProvider$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`gitHubAPI`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-githubapiconfig[$$GitHubAPIConfig$$]__ | GitHubApi allows configuration for GitHub Enterprise Server +| *`claims`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-githubclaims[$$GitHubClaims$$]__ | Claims allows customization of the username and groups claims +| *`allowedOrganizations`* __string array__ | AllowedOrganizations, when specified, indicates that only users with membership in at least one of the listed GitHub organizations may log in. In addition, the group membership presented to Kubernetes will only include teams within the listed GitHub organizations. Additional login rules or group filtering can optionally be provided as policy expression on any Pinniped Supervisor FederationDomain that includes this IDP. + + +The configured GitHub App or GitHub OAuth App must be allowed to see membership in the listed organizations, otherwise Pinniped will not be aware that the user belongs to the listed organization or any teams within that organization. + + +If no organizations are listed, you must set gitHubOrganizationLoginPolicy: AllOrganizationsAllowed +| *`gitHubOrganizationLoginPolicy`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-githuborganizationloginpolicy[$$GitHubOrganizationLoginPolicy$$]__ | GitHubOrganizationLoginPolicy must be set to "AllOrganizationsAllowed" if allowedOrganizations is empty. + + +This field only exists to ensure that Pinniped administrators are aware that an empty list of allowedOrganizations means all GitHub users are allowed to log in. +| *`client`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-githubclientspec[$$GitHubClientSpec$$]__ | Client identifies the secret with credentials for a GitHub App or GitHub OAuth2 App (a GitHub client). +|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-githubidentityproviderstatus"] +==== GitHubIdentityProviderStatus + +GitHubIdentityProviderStatus is the status of an GitHub identity provider. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-githubidentityprovider[$$GitHubIdentityProvider$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`phase`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-githubidentityproviderphase[$$GitHubIdentityProviderPhase$$]__ | Phase summarizes the overall status of the GitHubIdentityProvider. +| *`conditions`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#condition-v1-meta[$$Condition$$] array__ | Conditions represents the observations of an identity provider's current state. +|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-githuborganizationloginpolicy"] +==== GitHubOrganizationLoginPolicy (string) + + + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-githubidentityproviderspec[$$GitHubIdentityProviderSpec$$] +**** + + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-githubusernameattribute"] +==== GitHubUsernameAttribute (string) + +GitHubUsernameAttribute allows the user to specify which attribute(s) from GitHub to use for the downstream username. See the response schema for [Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user). + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-githubclaims[$$GitHubClaims$$] +**** + + + [id="{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-ldapidentityprovider"] ==== LDAPIdentityProvider @@ -1686,11 +1879,12 @@ Parameter is a key/value pair which represents a parameter in an HTTP request. [id="{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-tlsspec"] ==== TLSSpec -Configuration for TLS parameters related to identity provider integration. +TLSSpec provides TLS configuration for identity provider integration. .Appears In: **** - xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-activedirectoryidentityproviderspec[$$ActiveDirectoryIdentityProviderSpec$$] +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-githubapiconfig[$$GitHubAPIConfig$$] - xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-ldapidentityproviderspec[$$LDAPIdentityProviderSpec$$] - xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-oidcidentityproviderspec[$$OIDCIdentityProviderSpec$$] **** diff --git a/generated/1.27/apis/supervisor/idp/v1alpha1/register.go b/generated/1.27/apis/supervisor/idp/v1alpha1/register.go index 8829a86385..705be8076c 100644 --- a/generated/1.27/apis/supervisor/idp/v1alpha1/register.go +++ b/generated/1.27/apis/supervisor/idp/v1alpha1/register.go @@ -1,4 +1,4 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 package v1alpha1 @@ -36,6 +36,8 @@ func addKnownTypes(scheme *runtime.Scheme) error { &LDAPIdentityProviderList{}, &ActiveDirectoryIdentityProvider{}, &ActiveDirectoryIdentityProviderList{}, + &GitHubIdentityProvider{}, + &GitHubIdentityProviderList{}, ) metav1.AddToGroupVersion(scheme, SchemeGroupVersion) return nil diff --git a/generated/1.27/apis/supervisor/idp/v1alpha1/types_githubidentityprovider.go b/generated/1.27/apis/supervisor/idp/v1alpha1/types_githubidentityprovider.go new file mode 100644 index 0000000000..92bd19724b --- /dev/null +++ b/generated/1.27/apis/supervisor/idp/v1alpha1/types_githubidentityprovider.go @@ -0,0 +1,231 @@ +// Copyright 2024 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +package v1alpha1 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" +) + +type GitHubIdentityProviderPhase string + +const ( + // GitHubPhasePending is the default phase for newly-created GitHubIdentityProvider resources. + GitHubPhasePending GitHubIdentityProviderPhase = "Pending" + + // GitHubPhaseReady is the phase for an GitHubIdentityProvider resource in a healthy state. + GitHubPhaseReady GitHubIdentityProviderPhase = "Ready" + + // GitHubPhaseError is the phase for an GitHubIdentityProvider in an unhealthy state. + GitHubPhaseError GitHubIdentityProviderPhase = "Error" +) + +type GitHubOrganizationLoginPolicy string + +const ( + // GitHubOrganizationLoginPolicyAllOrgsAllowed means any GitHub user is allowed to log in using this identity + // provider, regardless of their organization membership or lack thereof. + GitHubOrganizationLoginPolicyAllOrgsAllowed GitHubOrganizationLoginPolicy = "AllOrganizationsAllowed" + + // GitHubOrganizationLoginPolicyAllowedOrgsOnly means only those users with membership in the listed GitHub + // organizations are allowed to log in. + GitHubOrganizationLoginPolicyAllowedOrgsOnly GitHubOrganizationLoginPolicy = "AllowedOrganizationsOnly" +) + +// GitHubIdentityProviderStatus is the status of an GitHub identity provider. +type GitHubIdentityProviderStatus struct { + // Phase summarizes the overall status of the GitHubIdentityProvider. + // + // +kubebuilder:default=Pending + // +kubebuilder:validation:Enum=Pending;Ready;Error + Phase GitHubIdentityProviderPhase `json:"phase,omitempty"` + + // Conditions represents the observations of an identity provider's current state. + // + // +patchMergeKey=type + // +patchStrategy=merge + // +listType=map + // +listMapKey=type + Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"` +} + +// GitHubAPIConfig allows configuration for GitHub Enterprise Server +type GitHubAPIConfig struct { + // Host is required only for GitHub Enterprise Server. + // Defaults to using GitHub's public API (github.com). + // + // +kubebuilder:default="github.com" + // +optional + Host string `json:"host"` + + // TLS configuration for GitHub Enterprise Server. + // + // +optional + TLS *TLSSpec `json:"tls,omitempty"` +} + +// GitHubUsernameAttribute allows the user to specify which attribute(s) from GitHub to use for the downstream username. +// See the response schema for +// [Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user). +type GitHubUsernameAttribute string + +const ( + // GitHubUsernameID specifies using the `id` attribute from the GitHub user as the downstream username. + GitHubUsernameID GitHubUsernameAttribute = "id" + + // GitHubUsernameLogin specifies using the `login` attribute from the GitHub user as the downstream username. + GitHubUsernameLogin GitHubUsernameAttribute = "login" + + // GitHubUsernameLoginAndID specifies combining the `login` and `id` attributes from the GitHub user as the + // downstream username, separated by a colon. Example: "my-login:1234" + GitHubUsernameLoginAndID GitHubUsernameAttribute = "login:id" +) + +// GitHubGroupNameAttribute allows the user to specify which attribute from GitHub to use for the downstream group +// names. See the response schema for +// [List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user). +type GitHubGroupNameAttribute string + +const ( + // GitHubUseTeamNameForGrouypName specifies using the GitHub team's `name` attribute as the downstream group name. + GitHubUseTeamNameForGrouypName GitHubGroupNameAttribute = "name" + + // GitHubUseTeamSlugForGroupName specifies using the GitHub team's `slug` attribute as the downstream group name. + GitHubUseTeamSlugForGroupName GitHubGroupNameAttribute = "slug" +) + +// GitHubClaims allows customization of the username and groups claims +type GitHubClaims struct { + // Username configures which property of the GitHub user record shall determine the username in Kubernetes. + // + // Can be either "id", "login", or "login:id". Defaults to "login:id". + // + // GitHub's user login attributes can only contain alphanumeric characters and non-repeating hyphens, + // and may not start or end with hyphens. GitHub users are allowed to change their login name, + // although it is inconvenient. If a GitHub user changed their login name from "foo" to "bar", + // then a second user might change their name from "baz" to "foo" in order to take the old + // username of the first user. For this reason, it is not as safe to make authorization decisions + // based only on the user's login attribute. + // + // If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's + // FederationDomain to further customize how these usernames are presented to Kubernetes. + // + // Defaults to "login:id", which is the user login attribute, followed by a colon, followed by the unique and + // unchanging integer ID number attribute. This blends human-readable login names with the unchanging ID value + // from GitHub. Note that colons are not allowed in GitHub login attributes or ID numbers, so the colon in the + // "login:id" name will always be the login:id separator colon. + // + // See the response schema for + // [Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user). + // + // +kubebuilder:default="login:id" + // +kubebuilder:validation:Enum={"id","login","login:id"} + Username GitHubUsernameAttribute `json:"username"` + + // Groups configures which property of the GitHub team record shall determine the group names in Kubernetes. + // + // Can be either "name" or "slug". Defaults to "slug". + // + // GitHub team names can contain upper and lower case characters, whitespace, and punctuation (e.g. "Kube admins!"). + // + // GitHub team slugs are lower case alphanumeric characters and may contain dashes and underscores (e.g. "kube-admins"). + // + // Group names as presented to Kubernetes will always be prefixed by the GitHub organization name followed by a + // forward slash (e.g. "my-org/my-team"). GitHub organization login names can only contain alphanumeric characters + // or single hyphens, so the first forward slash `/` will be the separator between the organization login name and + // the team name or slug. + // + // If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's + // FederationDomain to further customize how these group names are presented to Kubernetes. + // + // See the response schema for + // [List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user). + // + // +kubebuilder:default=slug + // +kubebuilder:validation:Enum=name;slug + Groups GitHubGroupNameAttribute `json:"groups"` +} + +// GitHubClientSpec contains information about the GitHub client that this identity provider will use +// for web-based login flows. +type GitHubClientSpec struct { + // SecretName contains the name of a namespace-local Secret object that provides the clientID and + // clientSecret for an GitHub App or GitHub OAuth2 client. + // + // This secret must be of type "secrets.pinniped.dev/github-client" with keys "clientID" and "clientSecret". + SecretName string `json:"secretName"` +} + +// GitHubIdentityProviderSpec is the spec for configuring an GitHub identity provider. +type GitHubIdentityProviderSpec struct { + // GitHubApi allows configuration for GitHub Enterprise Server + // + // +kubebuilder:default={} + GitHubApi GitHubAPIConfig `json:"gitHubAPI,omitempty"` + + // Claims allows customization of the username and groups claims + // + // +optional + Claims GitHubClaims `json:"claims,omitempty"` + + // AllowedOrganizations, when specified, indicates that only users with membership in at least one of the listed + // GitHub organizations may log in. In addition, the group membership presented to Kubernetes will only include + // teams within the listed GitHub organizations. Additional login rules or group filtering can optionally be + // provided as policy expression on any Pinniped Supervisor FederationDomain that includes this IDP. + // + // The configured GitHub App or GitHub OAuth App must be allowed to see membership in the listed organizations, + // otherwise Pinniped will not be aware that the user belongs to the listed organization or any teams + // within that organization. + // + // If no organizations are listed, you must set gitHubOrganizationLoginPolicy: AllOrganizationsAllowed + // + // +optional + AllowedOrganizations []string `json:"allowedOrganizations,omitempty"` + + // GitHubOrganizationLoginPolicy must be set to "AllOrganizationsAllowed" if allowedOrganizations is empty. + // + // This field only exists to ensure that Pinniped administrators are aware that an empty list of + // allowedOrganizations means all GitHub users are allowed to log in. + // + // +kubebuilder:default=AllowedOrganizationsOnly + // +kubebuilder:validation:Enum=AllowedOrganizationsOnly;AllOrganizationsAllowed + // +optional + GitHubOrganizationLoginPolicy GitHubOrganizationLoginPolicy `json:"gitHubOrganizationLoginPolicy"` + + // Client identifies the secret with credentials for a GitHub App or GitHub OAuth2 App (a GitHub client). + Client GitHubClientSpec `json:"client"` +} + +// GitHubIdentityProvider describes the configuration of an upstream GitHub identity provider. +// This upstream provider can be configured with either a GitHub App or a GitHub OAuth2 App. +// +// Right now, only web-based logins are supported, for both the pinniped-cli client and clients configured +// as OIDCClients. +// +// +genclient +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +// +kubebuilder:resource:categories=pinniped;pinniped-idp;pinniped-idps +// +kubebuilder:printcolumn:name="Host",type=string,JSONPath=`.spec.gitHubAPI.host` +// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.phase` +// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp` +// +kubebuilder:subresource:status +type GitHubIdentityProvider struct { + metav1.TypeMeta `json:",inline"` + metav1.ObjectMeta `json:"metadata,omitempty"` + + // Spec for configuring the identity provider. + Spec GitHubIdentityProviderSpec `json:"spec"` + + // Status of the identity provider. + Status GitHubIdentityProviderStatus `json:"status,omitempty"` +} + +// GitHubIdentityProviderList lists GitHubIdentityProvider objects. +// +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +type GitHubIdentityProviderList struct { + metav1.TypeMeta `json:",inline"` + metav1.ListMeta `json:"metadata,omitempty"` + + Items []GitHubIdentityProvider `json:"items"` +} diff --git a/generated/1.27/apis/supervisor/idp/v1alpha1/types_tls.go b/generated/1.27/apis/supervisor/idp/v1alpha1/types_tls.go index 1413a262cc..49b49373cd 100644 --- a/generated/1.27/apis/supervisor/idp/v1alpha1/types_tls.go +++ b/generated/1.27/apis/supervisor/idp/v1alpha1/types_tls.go @@ -1,9 +1,9 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 package v1alpha1 -// Configuration for TLS parameters related to identity provider integration. +// TLSSpec provides TLS configuration for identity provider integration. type TLSSpec struct { // X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted. // +optional diff --git a/generated/1.27/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go b/generated/1.27/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go index b0cb168b54..724643e7c2 100644 --- a/generated/1.27/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go +++ b/generated/1.27/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go @@ -203,6 +203,167 @@ func (in *ActiveDirectoryIdentityProviderUserSearchAttributes) DeepCopy() *Activ return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *GitHubAPIConfig) DeepCopyInto(out *GitHubAPIConfig) { + *out = *in + if in.TLS != nil { + in, out := &in.TLS, &out.TLS + *out = new(TLSSpec) + **out = **in + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubAPIConfig. +func (in *GitHubAPIConfig) DeepCopy() *GitHubAPIConfig { + if in == nil { + return nil + } + out := new(GitHubAPIConfig) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *GitHubClaims) DeepCopyInto(out *GitHubClaims) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubClaims. +func (in *GitHubClaims) DeepCopy() *GitHubClaims { + if in == nil { + return nil + } + out := new(GitHubClaims) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *GitHubClientSpec) DeepCopyInto(out *GitHubClientSpec) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubClientSpec. +func (in *GitHubClientSpec) DeepCopy() *GitHubClientSpec { + if in == nil { + return nil + } + out := new(GitHubClientSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *GitHubIdentityProvider) DeepCopyInto(out *GitHubIdentityProvider) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + in.Spec.DeepCopyInto(&out.Spec) + in.Status.DeepCopyInto(&out.Status) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubIdentityProvider. +func (in *GitHubIdentityProvider) DeepCopy() *GitHubIdentityProvider { + if in == nil { + return nil + } + out := new(GitHubIdentityProvider) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *GitHubIdentityProvider) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *GitHubIdentityProviderList) DeepCopyInto(out *GitHubIdentityProviderList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]GitHubIdentityProvider, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubIdentityProviderList. +func (in *GitHubIdentityProviderList) DeepCopy() *GitHubIdentityProviderList { + if in == nil { + return nil + } + out := new(GitHubIdentityProviderList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *GitHubIdentityProviderList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *GitHubIdentityProviderSpec) DeepCopyInto(out *GitHubIdentityProviderSpec) { + *out = *in + in.GitHubApi.DeepCopyInto(&out.GitHubApi) + out.Claims = in.Claims + if in.AllowedOrganizations != nil { + in, out := &in.AllowedOrganizations, &out.AllowedOrganizations + *out = make([]string, len(*in)) + copy(*out, *in) + } + out.Client = in.Client + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubIdentityProviderSpec. +func (in *GitHubIdentityProviderSpec) DeepCopy() *GitHubIdentityProviderSpec { + if in == nil { + return nil + } + out := new(GitHubIdentityProviderSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *GitHubIdentityProviderStatus) DeepCopyInto(out *GitHubIdentityProviderStatus) { + *out = *in + if in.Conditions != nil { + in, out := &in.Conditions, &out.Conditions + *out = make([]v1.Condition, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubIdentityProviderStatus. +func (in *GitHubIdentityProviderStatus) DeepCopy() *GitHubIdentityProviderStatus { + if in == nil { + return nil + } + out := new(GitHubIdentityProviderStatus) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *LDAPIdentityProvider) DeepCopyInto(out *LDAPIdentityProvider) { *out = *in diff --git a/generated/1.27/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_githubidentityprovider.go b/generated/1.27/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_githubidentityprovider.go new file mode 100644 index 0000000000..0f5fc1d903 --- /dev/null +++ b/generated/1.27/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_githubidentityprovider.go @@ -0,0 +1,128 @@ +// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package fake + +import ( + "context" + + v1alpha1 "go.pinniped.dev/generated/1.27/apis/supervisor/idp/v1alpha1" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + labels "k8s.io/apimachinery/pkg/labels" + types "k8s.io/apimachinery/pkg/types" + watch "k8s.io/apimachinery/pkg/watch" + testing "k8s.io/client-go/testing" +) + +// FakeGitHubIdentityProviders implements GitHubIdentityProviderInterface +type FakeGitHubIdentityProviders struct { + Fake *FakeIDPV1alpha1 + ns string +} + +var githubidentityprovidersResource = v1alpha1.SchemeGroupVersion.WithResource("githubidentityproviders") + +var githubidentityprovidersKind = v1alpha1.SchemeGroupVersion.WithKind("GitHubIdentityProvider") + +// Get takes name of the gitHubIdentityProvider, and returns the corresponding gitHubIdentityProvider object, and an error if there is any. +func (c *FakeGitHubIdentityProviders) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.GitHubIdentityProvider, err error) { + obj, err := c.Fake. + Invokes(testing.NewGetAction(githubidentityprovidersResource, c.ns, name), &v1alpha1.GitHubIdentityProvider{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.GitHubIdentityProvider), err +} + +// List takes label and field selectors, and returns the list of GitHubIdentityProviders that match those selectors. +func (c *FakeGitHubIdentityProviders) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.GitHubIdentityProviderList, err error) { + obj, err := c.Fake. + Invokes(testing.NewListAction(githubidentityprovidersResource, githubidentityprovidersKind, c.ns, opts), &v1alpha1.GitHubIdentityProviderList{}) + + if obj == nil { + return nil, err + } + + label, _, _ := testing.ExtractFromListOptions(opts) + if label == nil { + label = labels.Everything() + } + list := &v1alpha1.GitHubIdentityProviderList{ListMeta: obj.(*v1alpha1.GitHubIdentityProviderList).ListMeta} + for _, item := range obj.(*v1alpha1.GitHubIdentityProviderList).Items { + if label.Matches(labels.Set(item.Labels)) { + list.Items = append(list.Items, item) + } + } + return list, err +} + +// Watch returns a watch.Interface that watches the requested gitHubIdentityProviders. +func (c *FakeGitHubIdentityProviders) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) { + return c.Fake. + InvokesWatch(testing.NewWatchAction(githubidentityprovidersResource, c.ns, opts)) + +} + +// Create takes the representation of a gitHubIdentityProvider and creates it. Returns the server's representation of the gitHubIdentityProvider, and an error, if there is any. +func (c *FakeGitHubIdentityProviders) Create(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.CreateOptions) (result *v1alpha1.GitHubIdentityProvider, err error) { + obj, err := c.Fake. + Invokes(testing.NewCreateAction(githubidentityprovidersResource, c.ns, gitHubIdentityProvider), &v1alpha1.GitHubIdentityProvider{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.GitHubIdentityProvider), err +} + +// Update takes the representation of a gitHubIdentityProvider and updates it. Returns the server's representation of the gitHubIdentityProvider, and an error, if there is any. +func (c *FakeGitHubIdentityProviders) Update(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.UpdateOptions) (result *v1alpha1.GitHubIdentityProvider, err error) { + obj, err := c.Fake. + Invokes(testing.NewUpdateAction(githubidentityprovidersResource, c.ns, gitHubIdentityProvider), &v1alpha1.GitHubIdentityProvider{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.GitHubIdentityProvider), err +} + +// UpdateStatus was generated because the type contains a Status member. +// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus(). +func (c *FakeGitHubIdentityProviders) UpdateStatus(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.UpdateOptions) (*v1alpha1.GitHubIdentityProvider, error) { + obj, err := c.Fake. + Invokes(testing.NewUpdateSubresourceAction(githubidentityprovidersResource, "status", c.ns, gitHubIdentityProvider), &v1alpha1.GitHubIdentityProvider{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.GitHubIdentityProvider), err +} + +// Delete takes name of the gitHubIdentityProvider and deletes it. Returns an error if one occurs. +func (c *FakeGitHubIdentityProviders) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error { + _, err := c.Fake. + Invokes(testing.NewDeleteActionWithOptions(githubidentityprovidersResource, c.ns, name, opts), &v1alpha1.GitHubIdentityProvider{}) + + return err +} + +// DeleteCollection deletes a collection of objects. +func (c *FakeGitHubIdentityProviders) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error { + action := testing.NewDeleteCollectionAction(githubidentityprovidersResource, c.ns, listOpts) + + _, err := c.Fake.Invokes(action, &v1alpha1.GitHubIdentityProviderList{}) + return err +} + +// Patch applies the patch and returns the patched gitHubIdentityProvider. +func (c *FakeGitHubIdentityProviders) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.GitHubIdentityProvider, err error) { + obj, err := c.Fake. + Invokes(testing.NewPatchSubresourceAction(githubidentityprovidersResource, c.ns, name, pt, data, subresources...), &v1alpha1.GitHubIdentityProvider{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.GitHubIdentityProvider), err +} diff --git a/generated/1.27/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_idp_client.go b/generated/1.27/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_idp_client.go index a40338a690..f29ec9e31d 100644 --- a/generated/1.27/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_idp_client.go +++ b/generated/1.27/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_idp_client.go @@ -19,6 +19,10 @@ func (c *FakeIDPV1alpha1) ActiveDirectoryIdentityProviders(namespace string) v1a return &FakeActiveDirectoryIdentityProviders{c, namespace} } +func (c *FakeIDPV1alpha1) GitHubIdentityProviders(namespace string) v1alpha1.GitHubIdentityProviderInterface { + return &FakeGitHubIdentityProviders{c, namespace} +} + func (c *FakeIDPV1alpha1) LDAPIdentityProviders(namespace string) v1alpha1.LDAPIdentityProviderInterface { return &FakeLDAPIdentityProviders{c, namespace} } diff --git a/generated/1.27/client/supervisor/clientset/versioned/typed/idp/v1alpha1/generated_expansion.go b/generated/1.27/client/supervisor/clientset/versioned/typed/idp/v1alpha1/generated_expansion.go index 79be098d6c..a7acc8120f 100644 --- a/generated/1.27/client/supervisor/clientset/versioned/typed/idp/v1alpha1/generated_expansion.go +++ b/generated/1.27/client/supervisor/clientset/versioned/typed/idp/v1alpha1/generated_expansion.go @@ -7,6 +7,8 @@ package v1alpha1 type ActiveDirectoryIdentityProviderExpansion interface{} +type GitHubIdentityProviderExpansion interface{} + type LDAPIdentityProviderExpansion interface{} type OIDCIdentityProviderExpansion interface{} diff --git a/generated/1.27/client/supervisor/clientset/versioned/typed/idp/v1alpha1/githubidentityprovider.go b/generated/1.27/client/supervisor/clientset/versioned/typed/idp/v1alpha1/githubidentityprovider.go new file mode 100644 index 0000000000..e56865cd41 --- /dev/null +++ b/generated/1.27/client/supervisor/clientset/versioned/typed/idp/v1alpha1/githubidentityprovider.go @@ -0,0 +1,182 @@ +// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + "context" + "time" + + v1alpha1 "go.pinniped.dev/generated/1.27/apis/supervisor/idp/v1alpha1" + scheme "go.pinniped.dev/generated/1.27/client/supervisor/clientset/versioned/scheme" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + types "k8s.io/apimachinery/pkg/types" + watch "k8s.io/apimachinery/pkg/watch" + rest "k8s.io/client-go/rest" +) + +// GitHubIdentityProvidersGetter has a method to return a GitHubIdentityProviderInterface. +// A group's client should implement this interface. +type GitHubIdentityProvidersGetter interface { + GitHubIdentityProviders(namespace string) GitHubIdentityProviderInterface +} + +// GitHubIdentityProviderInterface has methods to work with GitHubIdentityProvider resources. +type GitHubIdentityProviderInterface interface { + Create(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.CreateOptions) (*v1alpha1.GitHubIdentityProvider, error) + Update(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.UpdateOptions) (*v1alpha1.GitHubIdentityProvider, error) + UpdateStatus(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.UpdateOptions) (*v1alpha1.GitHubIdentityProvider, error) + Delete(ctx context.Context, name string, opts v1.DeleteOptions) error + DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error + Get(ctx context.Context, name string, opts v1.GetOptions) (*v1alpha1.GitHubIdentityProvider, error) + List(ctx context.Context, opts v1.ListOptions) (*v1alpha1.GitHubIdentityProviderList, error) + Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) + Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.GitHubIdentityProvider, err error) + GitHubIdentityProviderExpansion +} + +// gitHubIdentityProviders implements GitHubIdentityProviderInterface +type gitHubIdentityProviders struct { + client rest.Interface + ns string +} + +// newGitHubIdentityProviders returns a GitHubIdentityProviders +func newGitHubIdentityProviders(c *IDPV1alpha1Client, namespace string) *gitHubIdentityProviders { + return &gitHubIdentityProviders{ + client: c.RESTClient(), + ns: namespace, + } +} + +// Get takes name of the gitHubIdentityProvider, and returns the corresponding gitHubIdentityProvider object, and an error if there is any. +func (c *gitHubIdentityProviders) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.GitHubIdentityProvider, err error) { + result = &v1alpha1.GitHubIdentityProvider{} + err = c.client.Get(). + Namespace(c.ns). + Resource("githubidentityproviders"). + Name(name). + VersionedParams(&options, scheme.ParameterCodec). + Do(ctx). + Into(result) + return +} + +// List takes label and field selectors, and returns the list of GitHubIdentityProviders that match those selectors. +func (c *gitHubIdentityProviders) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.GitHubIdentityProviderList, err error) { + var timeout time.Duration + if opts.TimeoutSeconds != nil { + timeout = time.Duration(*opts.TimeoutSeconds) * time.Second + } + result = &v1alpha1.GitHubIdentityProviderList{} + err = c.client.Get(). + Namespace(c.ns). + Resource("githubidentityproviders"). + VersionedParams(&opts, scheme.ParameterCodec). + Timeout(timeout). + Do(ctx). + Into(result) + return +} + +// Watch returns a watch.Interface that watches the requested gitHubIdentityProviders. +func (c *gitHubIdentityProviders) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) { + var timeout time.Duration + if opts.TimeoutSeconds != nil { + timeout = time.Duration(*opts.TimeoutSeconds) * time.Second + } + opts.Watch = true + return c.client.Get(). + Namespace(c.ns). + Resource("githubidentityproviders"). + VersionedParams(&opts, scheme.ParameterCodec). + Timeout(timeout). + Watch(ctx) +} + +// Create takes the representation of a gitHubIdentityProvider and creates it. Returns the server's representation of the gitHubIdentityProvider, and an error, if there is any. +func (c *gitHubIdentityProviders) Create(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.CreateOptions) (result *v1alpha1.GitHubIdentityProvider, err error) { + result = &v1alpha1.GitHubIdentityProvider{} + err = c.client.Post(). + Namespace(c.ns). + Resource("githubidentityproviders"). + VersionedParams(&opts, scheme.ParameterCodec). + Body(gitHubIdentityProvider). + Do(ctx). + Into(result) + return +} + +// Update takes the representation of a gitHubIdentityProvider and updates it. Returns the server's representation of the gitHubIdentityProvider, and an error, if there is any. +func (c *gitHubIdentityProviders) Update(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.UpdateOptions) (result *v1alpha1.GitHubIdentityProvider, err error) { + result = &v1alpha1.GitHubIdentityProvider{} + err = c.client.Put(). + Namespace(c.ns). + Resource("githubidentityproviders"). + Name(gitHubIdentityProvider.Name). + VersionedParams(&opts, scheme.ParameterCodec). + Body(gitHubIdentityProvider). + Do(ctx). + Into(result) + return +} + +// UpdateStatus was generated because the type contains a Status member. +// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus(). +func (c *gitHubIdentityProviders) UpdateStatus(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.UpdateOptions) (result *v1alpha1.GitHubIdentityProvider, err error) { + result = &v1alpha1.GitHubIdentityProvider{} + err = c.client.Put(). + Namespace(c.ns). + Resource("githubidentityproviders"). + Name(gitHubIdentityProvider.Name). + SubResource("status"). + VersionedParams(&opts, scheme.ParameterCodec). + Body(gitHubIdentityProvider). + Do(ctx). + Into(result) + return +} + +// Delete takes name of the gitHubIdentityProvider and deletes it. Returns an error if one occurs. +func (c *gitHubIdentityProviders) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error { + return c.client.Delete(). + Namespace(c.ns). + Resource("githubidentityproviders"). + Name(name). + Body(&opts). + Do(ctx). + Error() +} + +// DeleteCollection deletes a collection of objects. +func (c *gitHubIdentityProviders) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error { + var timeout time.Duration + if listOpts.TimeoutSeconds != nil { + timeout = time.Duration(*listOpts.TimeoutSeconds) * time.Second + } + return c.client.Delete(). + Namespace(c.ns). + Resource("githubidentityproviders"). + VersionedParams(&listOpts, scheme.ParameterCodec). + Timeout(timeout). + Body(&opts). + Do(ctx). + Error() +} + +// Patch applies the patch and returns the patched gitHubIdentityProvider. +func (c *gitHubIdentityProviders) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.GitHubIdentityProvider, err error) { + result = &v1alpha1.GitHubIdentityProvider{} + err = c.client.Patch(pt). + Namespace(c.ns). + Resource("githubidentityproviders"). + Name(name). + SubResource(subresources...). + VersionedParams(&opts, scheme.ParameterCodec). + Body(data). + Do(ctx). + Into(result) + return +} diff --git a/generated/1.27/client/supervisor/clientset/versioned/typed/idp/v1alpha1/idp_client.go b/generated/1.27/client/supervisor/clientset/versioned/typed/idp/v1alpha1/idp_client.go index c9eec1efdf..48afb2a22d 100644 --- a/generated/1.27/client/supervisor/clientset/versioned/typed/idp/v1alpha1/idp_client.go +++ b/generated/1.27/client/supervisor/clientset/versioned/typed/idp/v1alpha1/idp_client.go @@ -16,6 +16,7 @@ import ( type IDPV1alpha1Interface interface { RESTClient() rest.Interface ActiveDirectoryIdentityProvidersGetter + GitHubIdentityProvidersGetter LDAPIdentityProvidersGetter OIDCIdentityProvidersGetter } @@ -29,6 +30,10 @@ func (c *IDPV1alpha1Client) ActiveDirectoryIdentityProviders(namespace string) A return newActiveDirectoryIdentityProviders(c, namespace) } +func (c *IDPV1alpha1Client) GitHubIdentityProviders(namespace string) GitHubIdentityProviderInterface { + return newGitHubIdentityProviders(c, namespace) +} + func (c *IDPV1alpha1Client) LDAPIdentityProviders(namespace string) LDAPIdentityProviderInterface { return newLDAPIdentityProviders(c, namespace) } diff --git a/generated/1.27/client/supervisor/informers/externalversions/generic.go b/generated/1.27/client/supervisor/informers/externalversions/generic.go index 535476ff35..72a959fb9e 100644 --- a/generated/1.27/client/supervisor/informers/externalversions/generic.go +++ b/generated/1.27/client/supervisor/informers/externalversions/generic.go @@ -49,6 +49,8 @@ func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource // Group=idp.supervisor.pinniped.dev, Version=v1alpha1 case idpv1alpha1.SchemeGroupVersion.WithResource("activedirectoryidentityproviders"): return &genericInformer{resource: resource.GroupResource(), informer: f.IDP().V1alpha1().ActiveDirectoryIdentityProviders().Informer()}, nil + case idpv1alpha1.SchemeGroupVersion.WithResource("githubidentityproviders"): + return &genericInformer{resource: resource.GroupResource(), informer: f.IDP().V1alpha1().GitHubIdentityProviders().Informer()}, nil case idpv1alpha1.SchemeGroupVersion.WithResource("ldapidentityproviders"): return &genericInformer{resource: resource.GroupResource(), informer: f.IDP().V1alpha1().LDAPIdentityProviders().Informer()}, nil case idpv1alpha1.SchemeGroupVersion.WithResource("oidcidentityproviders"): diff --git a/generated/1.27/client/supervisor/informers/externalversions/idp/v1alpha1/githubidentityprovider.go b/generated/1.27/client/supervisor/informers/externalversions/idp/v1alpha1/githubidentityprovider.go new file mode 100644 index 0000000000..b65004f2cb --- /dev/null +++ b/generated/1.27/client/supervisor/informers/externalversions/idp/v1alpha1/githubidentityprovider.go @@ -0,0 +1,77 @@ +// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by informer-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + "context" + time "time" + + idpv1alpha1 "go.pinniped.dev/generated/1.27/apis/supervisor/idp/v1alpha1" + versioned "go.pinniped.dev/generated/1.27/client/supervisor/clientset/versioned" + internalinterfaces "go.pinniped.dev/generated/1.27/client/supervisor/informers/externalversions/internalinterfaces" + v1alpha1 "go.pinniped.dev/generated/1.27/client/supervisor/listers/idp/v1alpha1" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + runtime "k8s.io/apimachinery/pkg/runtime" + watch "k8s.io/apimachinery/pkg/watch" + cache "k8s.io/client-go/tools/cache" +) + +// GitHubIdentityProviderInformer provides access to a shared informer and lister for +// GitHubIdentityProviders. +type GitHubIdentityProviderInformer interface { + Informer() cache.SharedIndexInformer + Lister() v1alpha1.GitHubIdentityProviderLister +} + +type gitHubIdentityProviderInformer struct { + factory internalinterfaces.SharedInformerFactory + tweakListOptions internalinterfaces.TweakListOptionsFunc + namespace string +} + +// NewGitHubIdentityProviderInformer constructs a new informer for GitHubIdentityProvider type. +// Always prefer using an informer factory to get a shared informer instead of getting an independent +// one. This reduces memory footprint and number of connections to the server. +func NewGitHubIdentityProviderInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer { + return NewFilteredGitHubIdentityProviderInformer(client, namespace, resyncPeriod, indexers, nil) +} + +// NewFilteredGitHubIdentityProviderInformer constructs a new informer for GitHubIdentityProvider type. +// Always prefer using an informer factory to get a shared informer instead of getting an independent +// one. This reduces memory footprint and number of connections to the server. +func NewFilteredGitHubIdentityProviderInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer { + return cache.NewSharedIndexInformer( + &cache.ListWatch{ + ListFunc: func(options v1.ListOptions) (runtime.Object, error) { + if tweakListOptions != nil { + tweakListOptions(&options) + } + return client.IDPV1alpha1().GitHubIdentityProviders(namespace).List(context.TODO(), options) + }, + WatchFunc: func(options v1.ListOptions) (watch.Interface, error) { + if tweakListOptions != nil { + tweakListOptions(&options) + } + return client.IDPV1alpha1().GitHubIdentityProviders(namespace).Watch(context.TODO(), options) + }, + }, + &idpv1alpha1.GitHubIdentityProvider{}, + resyncPeriod, + indexers, + ) +} + +func (f *gitHubIdentityProviderInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer { + return NewFilteredGitHubIdentityProviderInformer(client, f.namespace, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions) +} + +func (f *gitHubIdentityProviderInformer) Informer() cache.SharedIndexInformer { + return f.factory.InformerFor(&idpv1alpha1.GitHubIdentityProvider{}, f.defaultInformer) +} + +func (f *gitHubIdentityProviderInformer) Lister() v1alpha1.GitHubIdentityProviderLister { + return v1alpha1.NewGitHubIdentityProviderLister(f.Informer().GetIndexer()) +} diff --git a/generated/1.27/client/supervisor/informers/externalversions/idp/v1alpha1/interface.go b/generated/1.27/client/supervisor/informers/externalversions/idp/v1alpha1/interface.go index 1dd4554112..3466abdd50 100644 --- a/generated/1.27/client/supervisor/informers/externalversions/idp/v1alpha1/interface.go +++ b/generated/1.27/client/supervisor/informers/externalversions/idp/v1alpha1/interface.go @@ -13,6 +13,8 @@ import ( type Interface interface { // ActiveDirectoryIdentityProviders returns a ActiveDirectoryIdentityProviderInformer. ActiveDirectoryIdentityProviders() ActiveDirectoryIdentityProviderInformer + // GitHubIdentityProviders returns a GitHubIdentityProviderInformer. + GitHubIdentityProviders() GitHubIdentityProviderInformer // LDAPIdentityProviders returns a LDAPIdentityProviderInformer. LDAPIdentityProviders() LDAPIdentityProviderInformer // OIDCIdentityProviders returns a OIDCIdentityProviderInformer. @@ -35,6 +37,11 @@ func (v *version) ActiveDirectoryIdentityProviders() ActiveDirectoryIdentityProv return &activeDirectoryIdentityProviderInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions} } +// GitHubIdentityProviders returns a GitHubIdentityProviderInformer. +func (v *version) GitHubIdentityProviders() GitHubIdentityProviderInformer { + return &gitHubIdentityProviderInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions} +} + // LDAPIdentityProviders returns a LDAPIdentityProviderInformer. func (v *version) LDAPIdentityProviders() LDAPIdentityProviderInformer { return &lDAPIdentityProviderInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions} diff --git a/generated/1.27/client/supervisor/listers/idp/v1alpha1/expansion_generated.go b/generated/1.27/client/supervisor/listers/idp/v1alpha1/expansion_generated.go index b491a9e8d4..470c06abb0 100644 --- a/generated/1.27/client/supervisor/listers/idp/v1alpha1/expansion_generated.go +++ b/generated/1.27/client/supervisor/listers/idp/v1alpha1/expansion_generated.go @@ -13,6 +13,14 @@ type ActiveDirectoryIdentityProviderListerExpansion interface{} // ActiveDirectoryIdentityProviderNamespaceLister. type ActiveDirectoryIdentityProviderNamespaceListerExpansion interface{} +// GitHubIdentityProviderListerExpansion allows custom methods to be added to +// GitHubIdentityProviderLister. +type GitHubIdentityProviderListerExpansion interface{} + +// GitHubIdentityProviderNamespaceListerExpansion allows custom methods to be added to +// GitHubIdentityProviderNamespaceLister. +type GitHubIdentityProviderNamespaceListerExpansion interface{} + // LDAPIdentityProviderListerExpansion allows custom methods to be added to // LDAPIdentityProviderLister. type LDAPIdentityProviderListerExpansion interface{} diff --git a/generated/1.27/client/supervisor/listers/idp/v1alpha1/githubidentityprovider.go b/generated/1.27/client/supervisor/listers/idp/v1alpha1/githubidentityprovider.go new file mode 100644 index 0000000000..8cb38e379d --- /dev/null +++ b/generated/1.27/client/supervisor/listers/idp/v1alpha1/githubidentityprovider.go @@ -0,0 +1,86 @@ +// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by lister-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + v1alpha1 "go.pinniped.dev/generated/1.27/apis/supervisor/idp/v1alpha1" + "k8s.io/apimachinery/pkg/api/errors" + "k8s.io/apimachinery/pkg/labels" + "k8s.io/client-go/tools/cache" +) + +// GitHubIdentityProviderLister helps list GitHubIdentityProviders. +// All objects returned here must be treated as read-only. +type GitHubIdentityProviderLister interface { + // List lists all GitHubIdentityProviders in the indexer. + // Objects returned here must be treated as read-only. + List(selector labels.Selector) (ret []*v1alpha1.GitHubIdentityProvider, err error) + // GitHubIdentityProviders returns an object that can list and get GitHubIdentityProviders. + GitHubIdentityProviders(namespace string) GitHubIdentityProviderNamespaceLister + GitHubIdentityProviderListerExpansion +} + +// gitHubIdentityProviderLister implements the GitHubIdentityProviderLister interface. +type gitHubIdentityProviderLister struct { + indexer cache.Indexer +} + +// NewGitHubIdentityProviderLister returns a new GitHubIdentityProviderLister. +func NewGitHubIdentityProviderLister(indexer cache.Indexer) GitHubIdentityProviderLister { + return &gitHubIdentityProviderLister{indexer: indexer} +} + +// List lists all GitHubIdentityProviders in the indexer. +func (s *gitHubIdentityProviderLister) List(selector labels.Selector) (ret []*v1alpha1.GitHubIdentityProvider, err error) { + err = cache.ListAll(s.indexer, selector, func(m interface{}) { + ret = append(ret, m.(*v1alpha1.GitHubIdentityProvider)) + }) + return ret, err +} + +// GitHubIdentityProviders returns an object that can list and get GitHubIdentityProviders. +func (s *gitHubIdentityProviderLister) GitHubIdentityProviders(namespace string) GitHubIdentityProviderNamespaceLister { + return gitHubIdentityProviderNamespaceLister{indexer: s.indexer, namespace: namespace} +} + +// GitHubIdentityProviderNamespaceLister helps list and get GitHubIdentityProviders. +// All objects returned here must be treated as read-only. +type GitHubIdentityProviderNamespaceLister interface { + // List lists all GitHubIdentityProviders in the indexer for a given namespace. + // Objects returned here must be treated as read-only. + List(selector labels.Selector) (ret []*v1alpha1.GitHubIdentityProvider, err error) + // Get retrieves the GitHubIdentityProvider from the indexer for a given namespace and name. + // Objects returned here must be treated as read-only. + Get(name string) (*v1alpha1.GitHubIdentityProvider, error) + GitHubIdentityProviderNamespaceListerExpansion +} + +// gitHubIdentityProviderNamespaceLister implements the GitHubIdentityProviderNamespaceLister +// interface. +type gitHubIdentityProviderNamespaceLister struct { + indexer cache.Indexer + namespace string +} + +// List lists all GitHubIdentityProviders in the indexer for a given namespace. +func (s gitHubIdentityProviderNamespaceLister) List(selector labels.Selector) (ret []*v1alpha1.GitHubIdentityProvider, err error) { + err = cache.ListAllByNamespace(s.indexer, s.namespace, selector, func(m interface{}) { + ret = append(ret, m.(*v1alpha1.GitHubIdentityProvider)) + }) + return ret, err +} + +// Get retrieves the GitHubIdentityProvider from the indexer for a given namespace and name. +func (s gitHubIdentityProviderNamespaceLister) Get(name string) (*v1alpha1.GitHubIdentityProvider, error) { + obj, exists, err := s.indexer.GetByKey(s.namespace + "/" + name) + if err != nil { + return nil, err + } + if !exists { + return nil, errors.NewNotFound(v1alpha1.Resource("githubidentityprovider"), name) + } + return obj.(*v1alpha1.GitHubIdentityProvider), nil +} diff --git a/generated/1.27/crds/idp.supervisor.pinniped.dev_githubidentityproviders.yaml b/generated/1.27/crds/idp.supervisor.pinniped.dev_githubidentityproviders.yaml new file mode 100644 index 0000000000..d10a330731 --- /dev/null +++ b/generated/1.27/crds/idp.supervisor.pinniped.dev_githubidentityproviders.yaml @@ -0,0 +1,295 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.14.0 + name: githubidentityproviders.idp.supervisor.pinniped.dev +spec: + group: idp.supervisor.pinniped.dev + names: + categories: + - pinniped + - pinniped-idp + - pinniped-idps + kind: GitHubIdentityProvider + listKind: GitHubIdentityProviderList + plural: githubidentityproviders + singular: githubidentityprovider + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.gitHubAPI.host + name: Host + type: string + - jsonPath: .status.phase + name: Status + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: |- + GitHubIdentityProvider describes the configuration of an upstream GitHub identity provider. + This upstream provider can be configured with either a GitHub App or a GitHub OAuth2 App. + + + Right now, only web-based logins are supported, for both the pinniped-cli client and clients configured + as OIDCClients. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec for configuring the identity provider. + properties: + allowedOrganizations: + description: |- + AllowedOrganizations, when specified, indicates that only users with membership in at least one of the listed + GitHub organizations may log in. In addition, the group membership presented to Kubernetes will only include + teams within the listed GitHub organizations. Additional login rules or group filtering can optionally be + provided as policy expression on any Pinniped Supervisor FederationDomain that includes this IDP. + + + The configured GitHub App or GitHub OAuth App must be allowed to see membership in the listed organizations, + otherwise Pinniped will not be aware that the user belongs to the listed organization or any teams + within that organization. + + + If no organizations are listed, you must set gitHubOrganizationLoginPolicy: AllOrganizationsAllowed + items: + type: string + type: array + claims: + description: Claims allows customization of the username and groups + claims + properties: + groups: + default: slug + description: |- + Groups configures which property of the GitHub team record shall determine the group names in Kubernetes. + + + Can be either "name" or "slug". Defaults to "slug". + + + GitHub team names can contain upper and lower case characters, whitespace, and punctuation (e.g. "Kube admins!"). + + + GitHub team slugs are lower case alphanumeric characters and may contain dashes and underscores (e.g. "kube-admins"). + + + Group names as presented to Kubernetes will always be prefixed by the GitHub organization name followed by a + forward slash (e.g. "my-org/my-team"). GitHub organization login names can only contain alphanumeric characters + or single hyphens, so the first forward slash `/` will be the separator between the organization login name and + the team name or slug. + + + If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's + FederationDomain to further customize how these group names are presented to Kubernetes. + + + See the response schema for + [List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user). + enum: + - name + - slug + type: string + username: + default: login:id + description: |- + Username configures which property of the GitHub user record shall determine the username in Kubernetes. + + + Can be either "id", "login", or "login:id". Defaults to "login:id". + + + GitHub's user login attributes can only contain alphanumeric characters and non-repeating hyphens, + and may not start or end with hyphens. GitHub users are allowed to change their login name, + although it is inconvenient. If a GitHub user changed their login name from "foo" to "bar", + then a second user might change their name from "baz" to "foo" in order to take the old + username of the first user. For this reason, it is not as safe to make authorization decisions + based only on the user's login attribute. + + + If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's + FederationDomain to further customize how these usernames are presented to Kubernetes. + + + Defaults to "login:id", which is the user login attribute, followed by a colon, followed by the unique and + unchanging integer ID number attribute. This blends human-readable login names with the unchanging ID value + from GitHub. Note that colons are not allowed in GitHub login attributes or ID numbers, so the colon in the + "login:id" name will always be the login:id separator colon. + + + See the response schema for + [Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user). + enum: + - id + - login + - login:id + type: string + required: + - groups + - username + type: object + client: + description: Client identifies the secret with credentials for a GitHub + App or GitHub OAuth2 App (a GitHub client). + properties: + secretName: + description: |- + SecretName contains the name of a namespace-local Secret object that provides the clientID and + clientSecret for an GitHub App or GitHub OAuth2 client. + + + This secret must be of type "secrets.pinniped.dev/github-client" with keys "clientID" and "clientSecret". + type: string + required: + - secretName + type: object + gitHubAPI: + default: {} + description: GitHubApi allows configuration for GitHub Enterprise + Server + properties: + host: + default: github.com + description: |- + Host is required only for GitHub Enterprise Server. + Defaults to using GitHub's public API (github.com). + type: string + tls: + description: TLS configuration for GitHub Enterprise Server. + properties: + certificateAuthorityData: + description: X.509 Certificate Authority (base64-encoded PEM + bundle). If omitted, a default set of system roots will + be trusted. + type: string + type: object + type: object + gitHubOrganizationLoginPolicy: + default: AllowedOrganizationsOnly + description: |- + GitHubOrganizationLoginPolicy must be set to "AllOrganizationsAllowed" if allowedOrganizations is empty. + + + This field only exists to ensure that Pinniped administrators are aware that an empty list of + allowedOrganizations means all GitHub users are allowed to log in. + enum: + - AllowedOrganizationsOnly + - AllOrganizationsAllowed + type: string + required: + - client + type: object + status: + description: Status of the identity provider. + properties: + conditions: + description: Conditions represents the observations of an identity + provider's current state. + items: + description: "Condition contains details for one aspect of the current + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + phase: + default: Pending + description: Phase summarizes the overall status of the GitHubIdentityProvider. + enum: + - Pending + - Ready + - Error + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/generated/1.28/README.adoc b/generated/1.28/README.adoc index 0aedac991d..9338b01e6a 100644 --- a/generated/1.28/README.adoc +++ b/generated/1.28/README.adoc @@ -1366,6 +1366,199 @@ Status of an Active Directory identity provider. |=== +[id="{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-idp-v1alpha1-githubapiconfig"] +==== GitHubAPIConfig + +GitHubAPIConfig allows configuration for GitHub Enterprise Server + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-idp-v1alpha1-githubidentityproviderspec[$$GitHubIdentityProviderSpec$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`host`* __string__ | Host is required only for GitHub Enterprise Server. Defaults to using GitHub's public API (github.com). +| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-idp-v1alpha1-tlsspec[$$TLSSpec$$]__ | TLS configuration for GitHub Enterprise Server. +|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-idp-v1alpha1-githubclaims"] +==== GitHubClaims + +GitHubClaims allows customization of the username and groups claims + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-idp-v1alpha1-githubidentityproviderspec[$$GitHubIdentityProviderSpec$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`username`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-idp-v1alpha1-githubusernameattribute[$$GitHubUsernameAttribute$$]__ | Username configures which property of the GitHub user record shall determine the username in Kubernetes. + + +Can be either "id", "login", or "login:id". Defaults to "login:id". + + +GitHub's user login attributes can only contain alphanumeric characters and non-repeating hyphens, and may not start or end with hyphens. GitHub users are allowed to change their login name, although it is inconvenient. If a GitHub user changed their login name from "foo" to "bar", then a second user might change their name from "baz" to "foo" in order to take the old username of the first user. For this reason, it is not as safe to make authorization decisions based only on the user's login attribute. + + +If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's FederationDomain to further customize how these usernames are presented to Kubernetes. + + +Defaults to "login:id", which is the user login attribute, followed by a colon, followed by the unique and unchanging integer ID number attribute. This blends human-readable login names with the unchanging ID value from GitHub. Note that colons are not allowed in GitHub login attributes or ID numbers, so the colon in the "login:id" name will always be the login:id separator colon. + + +See the response schema for [Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user). +| *`groups`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-idp-v1alpha1-githubgroupnameattribute[$$GitHubGroupNameAttribute$$]__ | Groups configures which property of the GitHub team record shall determine the group names in Kubernetes. + + +Can be either "name" or "slug". Defaults to "slug". + + +GitHub team names can contain upper and lower case characters, whitespace, and punctuation (e.g. "Kube admins!"). + + +GitHub team slugs are lower case alphanumeric characters and may contain dashes and underscores (e.g. "kube-admins"). + + +Group names as presented to Kubernetes will always be prefixed by the GitHub organization name followed by a forward slash (e.g. "my-org/my-team"). GitHub organization login names can only contain alphanumeric characters or single hyphens, so the first forward slash `/` will be the separator between the organization login name and the team name or slug. + + +If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's FederationDomain to further customize how these group names are presented to Kubernetes. + + +See the response schema for [List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user). +|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-idp-v1alpha1-githubclientspec"] +==== GitHubClientSpec + +GitHubClientSpec contains information about the GitHub client that this identity provider will use for web-based login flows. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-idp-v1alpha1-githubidentityproviderspec[$$GitHubIdentityProviderSpec$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`secretName`* __string__ | SecretName contains the name of a namespace-local Secret object that provides the clientID and clientSecret for an GitHub App or GitHub OAuth2 client. + + +This secret must be of type "secrets.pinniped.dev/github-client" with keys "clientID" and "clientSecret". +|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-idp-v1alpha1-githubgroupnameattribute"] +==== GitHubGroupNameAttribute (string) + +GitHubGroupNameAttribute allows the user to specify which attribute from GitHub to use for the downstream group names. See the response schema for [List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user). + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-idp-v1alpha1-githubclaims[$$GitHubClaims$$] +**** + + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-idp-v1alpha1-githubidentityprovider"] +==== GitHubIdentityProvider + +GitHubIdentityProvider describes the configuration of an upstream GitHub identity provider. This upstream provider can be configured with either a GitHub App or a GitHub OAuth2 App. + Right now, only web-based logins are supported, for both the pinniped-cli client and clients configured as OIDCClients. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-idp-v1alpha1-githubidentityproviderlist[$$GitHubIdentityProviderList$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`. + +| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-idp-v1alpha1-githubidentityproviderspec[$$GitHubIdentityProviderSpec$$]__ | Spec for configuring the identity provider. +| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-idp-v1alpha1-githubidentityproviderstatus[$$GitHubIdentityProviderStatus$$]__ | Status of the identity provider. +|=== + + + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-idp-v1alpha1-githubidentityproviderphase"] +==== GitHubIdentityProviderPhase (string) + + + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-idp-v1alpha1-githubidentityproviderstatus[$$GitHubIdentityProviderStatus$$] +**** + + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-idp-v1alpha1-githubidentityproviderspec"] +==== GitHubIdentityProviderSpec + +GitHubIdentityProviderSpec is the spec for configuring an GitHub identity provider. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-idp-v1alpha1-githubidentityprovider[$$GitHubIdentityProvider$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`gitHubAPI`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-idp-v1alpha1-githubapiconfig[$$GitHubAPIConfig$$]__ | GitHubApi allows configuration for GitHub Enterprise Server +| *`claims`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-idp-v1alpha1-githubclaims[$$GitHubClaims$$]__ | Claims allows customization of the username and groups claims +| *`allowedOrganizations`* __string array__ | AllowedOrganizations, when specified, indicates that only users with membership in at least one of the listed GitHub organizations may log in. In addition, the group membership presented to Kubernetes will only include teams within the listed GitHub organizations. Additional login rules or group filtering can optionally be provided as policy expression on any Pinniped Supervisor FederationDomain that includes this IDP. + + +The configured GitHub App or GitHub OAuth App must be allowed to see membership in the listed organizations, otherwise Pinniped will not be aware that the user belongs to the listed organization or any teams within that organization. + + +If no organizations are listed, you must set gitHubOrganizationLoginPolicy: AllOrganizationsAllowed +| *`gitHubOrganizationLoginPolicy`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-idp-v1alpha1-githuborganizationloginpolicy[$$GitHubOrganizationLoginPolicy$$]__ | GitHubOrganizationLoginPolicy must be set to "AllOrganizationsAllowed" if allowedOrganizations is empty. + + +This field only exists to ensure that Pinniped administrators are aware that an empty list of allowedOrganizations means all GitHub users are allowed to log in. +| *`client`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-idp-v1alpha1-githubclientspec[$$GitHubClientSpec$$]__ | Client identifies the secret with credentials for a GitHub App or GitHub OAuth2 App (a GitHub client). +|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-idp-v1alpha1-githubidentityproviderstatus"] +==== GitHubIdentityProviderStatus + +GitHubIdentityProviderStatus is the status of an GitHub identity provider. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-idp-v1alpha1-githubidentityprovider[$$GitHubIdentityProvider$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`phase`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-idp-v1alpha1-githubidentityproviderphase[$$GitHubIdentityProviderPhase$$]__ | Phase summarizes the overall status of the GitHubIdentityProvider. +| *`conditions`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#condition-v1-meta[$$Condition$$] array__ | Conditions represents the observations of an identity provider's current state. +|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-idp-v1alpha1-githuborganizationloginpolicy"] +==== GitHubOrganizationLoginPolicy (string) + + + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-idp-v1alpha1-githubidentityproviderspec[$$GitHubIdentityProviderSpec$$] +**** + + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-idp-v1alpha1-githubusernameattribute"] +==== GitHubUsernameAttribute (string) + +GitHubUsernameAttribute allows the user to specify which attribute(s) from GitHub to use for the downstream username. See the response schema for [Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user). + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-idp-v1alpha1-githubclaims[$$GitHubClaims$$] +**** + + + [id="{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-idp-v1alpha1-ldapidentityprovider"] ==== LDAPIdentityProvider @@ -1686,11 +1879,12 @@ Parameter is a key/value pair which represents a parameter in an HTTP request. [id="{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-idp-v1alpha1-tlsspec"] ==== TLSSpec -Configuration for TLS parameters related to identity provider integration. +TLSSpec provides TLS configuration for identity provider integration. .Appears In: **** - xref:{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-idp-v1alpha1-activedirectoryidentityproviderspec[$$ActiveDirectoryIdentityProviderSpec$$] +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-idp-v1alpha1-githubapiconfig[$$GitHubAPIConfig$$] - xref:{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-idp-v1alpha1-ldapidentityproviderspec[$$LDAPIdentityProviderSpec$$] - xref:{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-idp-v1alpha1-oidcidentityproviderspec[$$OIDCIdentityProviderSpec$$] **** diff --git a/generated/1.28/apis/supervisor/idp/v1alpha1/register.go b/generated/1.28/apis/supervisor/idp/v1alpha1/register.go index 8829a86385..705be8076c 100644 --- a/generated/1.28/apis/supervisor/idp/v1alpha1/register.go +++ b/generated/1.28/apis/supervisor/idp/v1alpha1/register.go @@ -1,4 +1,4 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 package v1alpha1 @@ -36,6 +36,8 @@ func addKnownTypes(scheme *runtime.Scheme) error { &LDAPIdentityProviderList{}, &ActiveDirectoryIdentityProvider{}, &ActiveDirectoryIdentityProviderList{}, + &GitHubIdentityProvider{}, + &GitHubIdentityProviderList{}, ) metav1.AddToGroupVersion(scheme, SchemeGroupVersion) return nil diff --git a/generated/1.28/apis/supervisor/idp/v1alpha1/types_githubidentityprovider.go b/generated/1.28/apis/supervisor/idp/v1alpha1/types_githubidentityprovider.go new file mode 100644 index 0000000000..92bd19724b --- /dev/null +++ b/generated/1.28/apis/supervisor/idp/v1alpha1/types_githubidentityprovider.go @@ -0,0 +1,231 @@ +// Copyright 2024 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +package v1alpha1 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" +) + +type GitHubIdentityProviderPhase string + +const ( + // GitHubPhasePending is the default phase for newly-created GitHubIdentityProvider resources. + GitHubPhasePending GitHubIdentityProviderPhase = "Pending" + + // GitHubPhaseReady is the phase for an GitHubIdentityProvider resource in a healthy state. + GitHubPhaseReady GitHubIdentityProviderPhase = "Ready" + + // GitHubPhaseError is the phase for an GitHubIdentityProvider in an unhealthy state. + GitHubPhaseError GitHubIdentityProviderPhase = "Error" +) + +type GitHubOrganizationLoginPolicy string + +const ( + // GitHubOrganizationLoginPolicyAllOrgsAllowed means any GitHub user is allowed to log in using this identity + // provider, regardless of their organization membership or lack thereof. + GitHubOrganizationLoginPolicyAllOrgsAllowed GitHubOrganizationLoginPolicy = "AllOrganizationsAllowed" + + // GitHubOrganizationLoginPolicyAllowedOrgsOnly means only those users with membership in the listed GitHub + // organizations are allowed to log in. + GitHubOrganizationLoginPolicyAllowedOrgsOnly GitHubOrganizationLoginPolicy = "AllowedOrganizationsOnly" +) + +// GitHubIdentityProviderStatus is the status of an GitHub identity provider. +type GitHubIdentityProviderStatus struct { + // Phase summarizes the overall status of the GitHubIdentityProvider. + // + // +kubebuilder:default=Pending + // +kubebuilder:validation:Enum=Pending;Ready;Error + Phase GitHubIdentityProviderPhase `json:"phase,omitempty"` + + // Conditions represents the observations of an identity provider's current state. + // + // +patchMergeKey=type + // +patchStrategy=merge + // +listType=map + // +listMapKey=type + Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"` +} + +// GitHubAPIConfig allows configuration for GitHub Enterprise Server +type GitHubAPIConfig struct { + // Host is required only for GitHub Enterprise Server. + // Defaults to using GitHub's public API (github.com). + // + // +kubebuilder:default="github.com" + // +optional + Host string `json:"host"` + + // TLS configuration for GitHub Enterprise Server. + // + // +optional + TLS *TLSSpec `json:"tls,omitempty"` +} + +// GitHubUsernameAttribute allows the user to specify which attribute(s) from GitHub to use for the downstream username. +// See the response schema for +// [Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user). +type GitHubUsernameAttribute string + +const ( + // GitHubUsernameID specifies using the `id` attribute from the GitHub user as the downstream username. + GitHubUsernameID GitHubUsernameAttribute = "id" + + // GitHubUsernameLogin specifies using the `login` attribute from the GitHub user as the downstream username. + GitHubUsernameLogin GitHubUsernameAttribute = "login" + + // GitHubUsernameLoginAndID specifies combining the `login` and `id` attributes from the GitHub user as the + // downstream username, separated by a colon. Example: "my-login:1234" + GitHubUsernameLoginAndID GitHubUsernameAttribute = "login:id" +) + +// GitHubGroupNameAttribute allows the user to specify which attribute from GitHub to use for the downstream group +// names. See the response schema for +// [List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user). +type GitHubGroupNameAttribute string + +const ( + // GitHubUseTeamNameForGrouypName specifies using the GitHub team's `name` attribute as the downstream group name. + GitHubUseTeamNameForGrouypName GitHubGroupNameAttribute = "name" + + // GitHubUseTeamSlugForGroupName specifies using the GitHub team's `slug` attribute as the downstream group name. + GitHubUseTeamSlugForGroupName GitHubGroupNameAttribute = "slug" +) + +// GitHubClaims allows customization of the username and groups claims +type GitHubClaims struct { + // Username configures which property of the GitHub user record shall determine the username in Kubernetes. + // + // Can be either "id", "login", or "login:id". Defaults to "login:id". + // + // GitHub's user login attributes can only contain alphanumeric characters and non-repeating hyphens, + // and may not start or end with hyphens. GitHub users are allowed to change their login name, + // although it is inconvenient. If a GitHub user changed their login name from "foo" to "bar", + // then a second user might change their name from "baz" to "foo" in order to take the old + // username of the first user. For this reason, it is not as safe to make authorization decisions + // based only on the user's login attribute. + // + // If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's + // FederationDomain to further customize how these usernames are presented to Kubernetes. + // + // Defaults to "login:id", which is the user login attribute, followed by a colon, followed by the unique and + // unchanging integer ID number attribute. This blends human-readable login names with the unchanging ID value + // from GitHub. Note that colons are not allowed in GitHub login attributes or ID numbers, so the colon in the + // "login:id" name will always be the login:id separator colon. + // + // See the response schema for + // [Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user). + // + // +kubebuilder:default="login:id" + // +kubebuilder:validation:Enum={"id","login","login:id"} + Username GitHubUsernameAttribute `json:"username"` + + // Groups configures which property of the GitHub team record shall determine the group names in Kubernetes. + // + // Can be either "name" or "slug". Defaults to "slug". + // + // GitHub team names can contain upper and lower case characters, whitespace, and punctuation (e.g. "Kube admins!"). + // + // GitHub team slugs are lower case alphanumeric characters and may contain dashes and underscores (e.g. "kube-admins"). + // + // Group names as presented to Kubernetes will always be prefixed by the GitHub organization name followed by a + // forward slash (e.g. "my-org/my-team"). GitHub organization login names can only contain alphanumeric characters + // or single hyphens, so the first forward slash `/` will be the separator between the organization login name and + // the team name or slug. + // + // If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's + // FederationDomain to further customize how these group names are presented to Kubernetes. + // + // See the response schema for + // [List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user). + // + // +kubebuilder:default=slug + // +kubebuilder:validation:Enum=name;slug + Groups GitHubGroupNameAttribute `json:"groups"` +} + +// GitHubClientSpec contains information about the GitHub client that this identity provider will use +// for web-based login flows. +type GitHubClientSpec struct { + // SecretName contains the name of a namespace-local Secret object that provides the clientID and + // clientSecret for an GitHub App or GitHub OAuth2 client. + // + // This secret must be of type "secrets.pinniped.dev/github-client" with keys "clientID" and "clientSecret". + SecretName string `json:"secretName"` +} + +// GitHubIdentityProviderSpec is the spec for configuring an GitHub identity provider. +type GitHubIdentityProviderSpec struct { + // GitHubApi allows configuration for GitHub Enterprise Server + // + // +kubebuilder:default={} + GitHubApi GitHubAPIConfig `json:"gitHubAPI,omitempty"` + + // Claims allows customization of the username and groups claims + // + // +optional + Claims GitHubClaims `json:"claims,omitempty"` + + // AllowedOrganizations, when specified, indicates that only users with membership in at least one of the listed + // GitHub organizations may log in. In addition, the group membership presented to Kubernetes will only include + // teams within the listed GitHub organizations. Additional login rules or group filtering can optionally be + // provided as policy expression on any Pinniped Supervisor FederationDomain that includes this IDP. + // + // The configured GitHub App or GitHub OAuth App must be allowed to see membership in the listed organizations, + // otherwise Pinniped will not be aware that the user belongs to the listed organization or any teams + // within that organization. + // + // If no organizations are listed, you must set gitHubOrganizationLoginPolicy: AllOrganizationsAllowed + // + // +optional + AllowedOrganizations []string `json:"allowedOrganizations,omitempty"` + + // GitHubOrganizationLoginPolicy must be set to "AllOrganizationsAllowed" if allowedOrganizations is empty. + // + // This field only exists to ensure that Pinniped administrators are aware that an empty list of + // allowedOrganizations means all GitHub users are allowed to log in. + // + // +kubebuilder:default=AllowedOrganizationsOnly + // +kubebuilder:validation:Enum=AllowedOrganizationsOnly;AllOrganizationsAllowed + // +optional + GitHubOrganizationLoginPolicy GitHubOrganizationLoginPolicy `json:"gitHubOrganizationLoginPolicy"` + + // Client identifies the secret with credentials for a GitHub App or GitHub OAuth2 App (a GitHub client). + Client GitHubClientSpec `json:"client"` +} + +// GitHubIdentityProvider describes the configuration of an upstream GitHub identity provider. +// This upstream provider can be configured with either a GitHub App or a GitHub OAuth2 App. +// +// Right now, only web-based logins are supported, for both the pinniped-cli client and clients configured +// as OIDCClients. +// +// +genclient +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +// +kubebuilder:resource:categories=pinniped;pinniped-idp;pinniped-idps +// +kubebuilder:printcolumn:name="Host",type=string,JSONPath=`.spec.gitHubAPI.host` +// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.phase` +// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp` +// +kubebuilder:subresource:status +type GitHubIdentityProvider struct { + metav1.TypeMeta `json:",inline"` + metav1.ObjectMeta `json:"metadata,omitempty"` + + // Spec for configuring the identity provider. + Spec GitHubIdentityProviderSpec `json:"spec"` + + // Status of the identity provider. + Status GitHubIdentityProviderStatus `json:"status,omitempty"` +} + +// GitHubIdentityProviderList lists GitHubIdentityProvider objects. +// +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +type GitHubIdentityProviderList struct { + metav1.TypeMeta `json:",inline"` + metav1.ListMeta `json:"metadata,omitempty"` + + Items []GitHubIdentityProvider `json:"items"` +} diff --git a/generated/1.28/apis/supervisor/idp/v1alpha1/types_tls.go b/generated/1.28/apis/supervisor/idp/v1alpha1/types_tls.go index 1413a262cc..49b49373cd 100644 --- a/generated/1.28/apis/supervisor/idp/v1alpha1/types_tls.go +++ b/generated/1.28/apis/supervisor/idp/v1alpha1/types_tls.go @@ -1,9 +1,9 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 package v1alpha1 -// Configuration for TLS parameters related to identity provider integration. +// TLSSpec provides TLS configuration for identity provider integration. type TLSSpec struct { // X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted. // +optional diff --git a/generated/1.28/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go b/generated/1.28/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go index b0cb168b54..724643e7c2 100644 --- a/generated/1.28/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go +++ b/generated/1.28/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go @@ -203,6 +203,167 @@ func (in *ActiveDirectoryIdentityProviderUserSearchAttributes) DeepCopy() *Activ return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *GitHubAPIConfig) DeepCopyInto(out *GitHubAPIConfig) { + *out = *in + if in.TLS != nil { + in, out := &in.TLS, &out.TLS + *out = new(TLSSpec) + **out = **in + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubAPIConfig. +func (in *GitHubAPIConfig) DeepCopy() *GitHubAPIConfig { + if in == nil { + return nil + } + out := new(GitHubAPIConfig) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *GitHubClaims) DeepCopyInto(out *GitHubClaims) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubClaims. +func (in *GitHubClaims) DeepCopy() *GitHubClaims { + if in == nil { + return nil + } + out := new(GitHubClaims) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *GitHubClientSpec) DeepCopyInto(out *GitHubClientSpec) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubClientSpec. +func (in *GitHubClientSpec) DeepCopy() *GitHubClientSpec { + if in == nil { + return nil + } + out := new(GitHubClientSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *GitHubIdentityProvider) DeepCopyInto(out *GitHubIdentityProvider) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + in.Spec.DeepCopyInto(&out.Spec) + in.Status.DeepCopyInto(&out.Status) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubIdentityProvider. +func (in *GitHubIdentityProvider) DeepCopy() *GitHubIdentityProvider { + if in == nil { + return nil + } + out := new(GitHubIdentityProvider) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *GitHubIdentityProvider) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *GitHubIdentityProviderList) DeepCopyInto(out *GitHubIdentityProviderList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]GitHubIdentityProvider, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubIdentityProviderList. +func (in *GitHubIdentityProviderList) DeepCopy() *GitHubIdentityProviderList { + if in == nil { + return nil + } + out := new(GitHubIdentityProviderList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *GitHubIdentityProviderList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *GitHubIdentityProviderSpec) DeepCopyInto(out *GitHubIdentityProviderSpec) { + *out = *in + in.GitHubApi.DeepCopyInto(&out.GitHubApi) + out.Claims = in.Claims + if in.AllowedOrganizations != nil { + in, out := &in.AllowedOrganizations, &out.AllowedOrganizations + *out = make([]string, len(*in)) + copy(*out, *in) + } + out.Client = in.Client + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubIdentityProviderSpec. +func (in *GitHubIdentityProviderSpec) DeepCopy() *GitHubIdentityProviderSpec { + if in == nil { + return nil + } + out := new(GitHubIdentityProviderSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *GitHubIdentityProviderStatus) DeepCopyInto(out *GitHubIdentityProviderStatus) { + *out = *in + if in.Conditions != nil { + in, out := &in.Conditions, &out.Conditions + *out = make([]v1.Condition, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubIdentityProviderStatus. +func (in *GitHubIdentityProviderStatus) DeepCopy() *GitHubIdentityProviderStatus { + if in == nil { + return nil + } + out := new(GitHubIdentityProviderStatus) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *LDAPIdentityProvider) DeepCopyInto(out *LDAPIdentityProvider) { *out = *in diff --git a/generated/1.28/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_githubidentityprovider.go b/generated/1.28/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_githubidentityprovider.go new file mode 100644 index 0000000000..fa7edc00e7 --- /dev/null +++ b/generated/1.28/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_githubidentityprovider.go @@ -0,0 +1,128 @@ +// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package fake + +import ( + "context" + + v1alpha1 "go.pinniped.dev/generated/1.28/apis/supervisor/idp/v1alpha1" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + labels "k8s.io/apimachinery/pkg/labels" + types "k8s.io/apimachinery/pkg/types" + watch "k8s.io/apimachinery/pkg/watch" + testing "k8s.io/client-go/testing" +) + +// FakeGitHubIdentityProviders implements GitHubIdentityProviderInterface +type FakeGitHubIdentityProviders struct { + Fake *FakeIDPV1alpha1 + ns string +} + +var githubidentityprovidersResource = v1alpha1.SchemeGroupVersion.WithResource("githubidentityproviders") + +var githubidentityprovidersKind = v1alpha1.SchemeGroupVersion.WithKind("GitHubIdentityProvider") + +// Get takes name of the gitHubIdentityProvider, and returns the corresponding gitHubIdentityProvider object, and an error if there is any. +func (c *FakeGitHubIdentityProviders) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.GitHubIdentityProvider, err error) { + obj, err := c.Fake. + Invokes(testing.NewGetAction(githubidentityprovidersResource, c.ns, name), &v1alpha1.GitHubIdentityProvider{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.GitHubIdentityProvider), err +} + +// List takes label and field selectors, and returns the list of GitHubIdentityProviders that match those selectors. +func (c *FakeGitHubIdentityProviders) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.GitHubIdentityProviderList, err error) { + obj, err := c.Fake. + Invokes(testing.NewListAction(githubidentityprovidersResource, githubidentityprovidersKind, c.ns, opts), &v1alpha1.GitHubIdentityProviderList{}) + + if obj == nil { + return nil, err + } + + label, _, _ := testing.ExtractFromListOptions(opts) + if label == nil { + label = labels.Everything() + } + list := &v1alpha1.GitHubIdentityProviderList{ListMeta: obj.(*v1alpha1.GitHubIdentityProviderList).ListMeta} + for _, item := range obj.(*v1alpha1.GitHubIdentityProviderList).Items { + if label.Matches(labels.Set(item.Labels)) { + list.Items = append(list.Items, item) + } + } + return list, err +} + +// Watch returns a watch.Interface that watches the requested gitHubIdentityProviders. +func (c *FakeGitHubIdentityProviders) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) { + return c.Fake. + InvokesWatch(testing.NewWatchAction(githubidentityprovidersResource, c.ns, opts)) + +} + +// Create takes the representation of a gitHubIdentityProvider and creates it. Returns the server's representation of the gitHubIdentityProvider, and an error, if there is any. +func (c *FakeGitHubIdentityProviders) Create(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.CreateOptions) (result *v1alpha1.GitHubIdentityProvider, err error) { + obj, err := c.Fake. + Invokes(testing.NewCreateAction(githubidentityprovidersResource, c.ns, gitHubIdentityProvider), &v1alpha1.GitHubIdentityProvider{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.GitHubIdentityProvider), err +} + +// Update takes the representation of a gitHubIdentityProvider and updates it. Returns the server's representation of the gitHubIdentityProvider, and an error, if there is any. +func (c *FakeGitHubIdentityProviders) Update(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.UpdateOptions) (result *v1alpha1.GitHubIdentityProvider, err error) { + obj, err := c.Fake. + Invokes(testing.NewUpdateAction(githubidentityprovidersResource, c.ns, gitHubIdentityProvider), &v1alpha1.GitHubIdentityProvider{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.GitHubIdentityProvider), err +} + +// UpdateStatus was generated because the type contains a Status member. +// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus(). +func (c *FakeGitHubIdentityProviders) UpdateStatus(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.UpdateOptions) (*v1alpha1.GitHubIdentityProvider, error) { + obj, err := c.Fake. + Invokes(testing.NewUpdateSubresourceAction(githubidentityprovidersResource, "status", c.ns, gitHubIdentityProvider), &v1alpha1.GitHubIdentityProvider{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.GitHubIdentityProvider), err +} + +// Delete takes name of the gitHubIdentityProvider and deletes it. Returns an error if one occurs. +func (c *FakeGitHubIdentityProviders) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error { + _, err := c.Fake. + Invokes(testing.NewDeleteActionWithOptions(githubidentityprovidersResource, c.ns, name, opts), &v1alpha1.GitHubIdentityProvider{}) + + return err +} + +// DeleteCollection deletes a collection of objects. +func (c *FakeGitHubIdentityProviders) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error { + action := testing.NewDeleteCollectionAction(githubidentityprovidersResource, c.ns, listOpts) + + _, err := c.Fake.Invokes(action, &v1alpha1.GitHubIdentityProviderList{}) + return err +} + +// Patch applies the patch and returns the patched gitHubIdentityProvider. +func (c *FakeGitHubIdentityProviders) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.GitHubIdentityProvider, err error) { + obj, err := c.Fake. + Invokes(testing.NewPatchSubresourceAction(githubidentityprovidersResource, c.ns, name, pt, data, subresources...), &v1alpha1.GitHubIdentityProvider{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.GitHubIdentityProvider), err +} diff --git a/generated/1.28/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_idp_client.go b/generated/1.28/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_idp_client.go index ba8d3172b8..739569ea5b 100644 --- a/generated/1.28/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_idp_client.go +++ b/generated/1.28/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_idp_client.go @@ -19,6 +19,10 @@ func (c *FakeIDPV1alpha1) ActiveDirectoryIdentityProviders(namespace string) v1a return &FakeActiveDirectoryIdentityProviders{c, namespace} } +func (c *FakeIDPV1alpha1) GitHubIdentityProviders(namespace string) v1alpha1.GitHubIdentityProviderInterface { + return &FakeGitHubIdentityProviders{c, namespace} +} + func (c *FakeIDPV1alpha1) LDAPIdentityProviders(namespace string) v1alpha1.LDAPIdentityProviderInterface { return &FakeLDAPIdentityProviders{c, namespace} } diff --git a/generated/1.28/client/supervisor/clientset/versioned/typed/idp/v1alpha1/generated_expansion.go b/generated/1.28/client/supervisor/clientset/versioned/typed/idp/v1alpha1/generated_expansion.go index 79be098d6c..a7acc8120f 100644 --- a/generated/1.28/client/supervisor/clientset/versioned/typed/idp/v1alpha1/generated_expansion.go +++ b/generated/1.28/client/supervisor/clientset/versioned/typed/idp/v1alpha1/generated_expansion.go @@ -7,6 +7,8 @@ package v1alpha1 type ActiveDirectoryIdentityProviderExpansion interface{} +type GitHubIdentityProviderExpansion interface{} + type LDAPIdentityProviderExpansion interface{} type OIDCIdentityProviderExpansion interface{} diff --git a/generated/1.28/client/supervisor/clientset/versioned/typed/idp/v1alpha1/githubidentityprovider.go b/generated/1.28/client/supervisor/clientset/versioned/typed/idp/v1alpha1/githubidentityprovider.go new file mode 100644 index 0000000000..6fc738ddb8 --- /dev/null +++ b/generated/1.28/client/supervisor/clientset/versioned/typed/idp/v1alpha1/githubidentityprovider.go @@ -0,0 +1,182 @@ +// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + "context" + "time" + + v1alpha1 "go.pinniped.dev/generated/1.28/apis/supervisor/idp/v1alpha1" + scheme "go.pinniped.dev/generated/1.28/client/supervisor/clientset/versioned/scheme" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + types "k8s.io/apimachinery/pkg/types" + watch "k8s.io/apimachinery/pkg/watch" + rest "k8s.io/client-go/rest" +) + +// GitHubIdentityProvidersGetter has a method to return a GitHubIdentityProviderInterface. +// A group's client should implement this interface. +type GitHubIdentityProvidersGetter interface { + GitHubIdentityProviders(namespace string) GitHubIdentityProviderInterface +} + +// GitHubIdentityProviderInterface has methods to work with GitHubIdentityProvider resources. +type GitHubIdentityProviderInterface interface { + Create(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.CreateOptions) (*v1alpha1.GitHubIdentityProvider, error) + Update(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.UpdateOptions) (*v1alpha1.GitHubIdentityProvider, error) + UpdateStatus(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.UpdateOptions) (*v1alpha1.GitHubIdentityProvider, error) + Delete(ctx context.Context, name string, opts v1.DeleteOptions) error + DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error + Get(ctx context.Context, name string, opts v1.GetOptions) (*v1alpha1.GitHubIdentityProvider, error) + List(ctx context.Context, opts v1.ListOptions) (*v1alpha1.GitHubIdentityProviderList, error) + Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) + Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.GitHubIdentityProvider, err error) + GitHubIdentityProviderExpansion +} + +// gitHubIdentityProviders implements GitHubIdentityProviderInterface +type gitHubIdentityProviders struct { + client rest.Interface + ns string +} + +// newGitHubIdentityProviders returns a GitHubIdentityProviders +func newGitHubIdentityProviders(c *IDPV1alpha1Client, namespace string) *gitHubIdentityProviders { + return &gitHubIdentityProviders{ + client: c.RESTClient(), + ns: namespace, + } +} + +// Get takes name of the gitHubIdentityProvider, and returns the corresponding gitHubIdentityProvider object, and an error if there is any. +func (c *gitHubIdentityProviders) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.GitHubIdentityProvider, err error) { + result = &v1alpha1.GitHubIdentityProvider{} + err = c.client.Get(). + Namespace(c.ns). + Resource("githubidentityproviders"). + Name(name). + VersionedParams(&options, scheme.ParameterCodec). + Do(ctx). + Into(result) + return +} + +// List takes label and field selectors, and returns the list of GitHubIdentityProviders that match those selectors. +func (c *gitHubIdentityProviders) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.GitHubIdentityProviderList, err error) { + var timeout time.Duration + if opts.TimeoutSeconds != nil { + timeout = time.Duration(*opts.TimeoutSeconds) * time.Second + } + result = &v1alpha1.GitHubIdentityProviderList{} + err = c.client.Get(). + Namespace(c.ns). + Resource("githubidentityproviders"). + VersionedParams(&opts, scheme.ParameterCodec). + Timeout(timeout). + Do(ctx). + Into(result) + return +} + +// Watch returns a watch.Interface that watches the requested gitHubIdentityProviders. +func (c *gitHubIdentityProviders) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) { + var timeout time.Duration + if opts.TimeoutSeconds != nil { + timeout = time.Duration(*opts.TimeoutSeconds) * time.Second + } + opts.Watch = true + return c.client.Get(). + Namespace(c.ns). + Resource("githubidentityproviders"). + VersionedParams(&opts, scheme.ParameterCodec). + Timeout(timeout). + Watch(ctx) +} + +// Create takes the representation of a gitHubIdentityProvider and creates it. Returns the server's representation of the gitHubIdentityProvider, and an error, if there is any. +func (c *gitHubIdentityProviders) Create(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.CreateOptions) (result *v1alpha1.GitHubIdentityProvider, err error) { + result = &v1alpha1.GitHubIdentityProvider{} + err = c.client.Post(). + Namespace(c.ns). + Resource("githubidentityproviders"). + VersionedParams(&opts, scheme.ParameterCodec). + Body(gitHubIdentityProvider). + Do(ctx). + Into(result) + return +} + +// Update takes the representation of a gitHubIdentityProvider and updates it. Returns the server's representation of the gitHubIdentityProvider, and an error, if there is any. +func (c *gitHubIdentityProviders) Update(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.UpdateOptions) (result *v1alpha1.GitHubIdentityProvider, err error) { + result = &v1alpha1.GitHubIdentityProvider{} + err = c.client.Put(). + Namespace(c.ns). + Resource("githubidentityproviders"). + Name(gitHubIdentityProvider.Name). + VersionedParams(&opts, scheme.ParameterCodec). + Body(gitHubIdentityProvider). + Do(ctx). + Into(result) + return +} + +// UpdateStatus was generated because the type contains a Status member. +// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus(). +func (c *gitHubIdentityProviders) UpdateStatus(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.UpdateOptions) (result *v1alpha1.GitHubIdentityProvider, err error) { + result = &v1alpha1.GitHubIdentityProvider{} + err = c.client.Put(). + Namespace(c.ns). + Resource("githubidentityproviders"). + Name(gitHubIdentityProvider.Name). + SubResource("status"). + VersionedParams(&opts, scheme.ParameterCodec). + Body(gitHubIdentityProvider). + Do(ctx). + Into(result) + return +} + +// Delete takes name of the gitHubIdentityProvider and deletes it. Returns an error if one occurs. +func (c *gitHubIdentityProviders) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error { + return c.client.Delete(). + Namespace(c.ns). + Resource("githubidentityproviders"). + Name(name). + Body(&opts). + Do(ctx). + Error() +} + +// DeleteCollection deletes a collection of objects. +func (c *gitHubIdentityProviders) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error { + var timeout time.Duration + if listOpts.TimeoutSeconds != nil { + timeout = time.Duration(*listOpts.TimeoutSeconds) * time.Second + } + return c.client.Delete(). + Namespace(c.ns). + Resource("githubidentityproviders"). + VersionedParams(&listOpts, scheme.ParameterCodec). + Timeout(timeout). + Body(&opts). + Do(ctx). + Error() +} + +// Patch applies the patch and returns the patched gitHubIdentityProvider. +func (c *gitHubIdentityProviders) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.GitHubIdentityProvider, err error) { + result = &v1alpha1.GitHubIdentityProvider{} + err = c.client.Patch(pt). + Namespace(c.ns). + Resource("githubidentityproviders"). + Name(name). + SubResource(subresources...). + VersionedParams(&opts, scheme.ParameterCodec). + Body(data). + Do(ctx). + Into(result) + return +} diff --git a/generated/1.28/client/supervisor/clientset/versioned/typed/idp/v1alpha1/idp_client.go b/generated/1.28/client/supervisor/clientset/versioned/typed/idp/v1alpha1/idp_client.go index 270c3aa756..88e24b3b7b 100644 --- a/generated/1.28/client/supervisor/clientset/versioned/typed/idp/v1alpha1/idp_client.go +++ b/generated/1.28/client/supervisor/clientset/versioned/typed/idp/v1alpha1/idp_client.go @@ -16,6 +16,7 @@ import ( type IDPV1alpha1Interface interface { RESTClient() rest.Interface ActiveDirectoryIdentityProvidersGetter + GitHubIdentityProvidersGetter LDAPIdentityProvidersGetter OIDCIdentityProvidersGetter } @@ -29,6 +30,10 @@ func (c *IDPV1alpha1Client) ActiveDirectoryIdentityProviders(namespace string) A return newActiveDirectoryIdentityProviders(c, namespace) } +func (c *IDPV1alpha1Client) GitHubIdentityProviders(namespace string) GitHubIdentityProviderInterface { + return newGitHubIdentityProviders(c, namespace) +} + func (c *IDPV1alpha1Client) LDAPIdentityProviders(namespace string) LDAPIdentityProviderInterface { return newLDAPIdentityProviders(c, namespace) } diff --git a/generated/1.28/client/supervisor/informers/externalversions/generic.go b/generated/1.28/client/supervisor/informers/externalversions/generic.go index 424728ebfa..942d4fcfd9 100644 --- a/generated/1.28/client/supervisor/informers/externalversions/generic.go +++ b/generated/1.28/client/supervisor/informers/externalversions/generic.go @@ -49,6 +49,8 @@ func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource // Group=idp.supervisor.pinniped.dev, Version=v1alpha1 case idpv1alpha1.SchemeGroupVersion.WithResource("activedirectoryidentityproviders"): return &genericInformer{resource: resource.GroupResource(), informer: f.IDP().V1alpha1().ActiveDirectoryIdentityProviders().Informer()}, nil + case idpv1alpha1.SchemeGroupVersion.WithResource("githubidentityproviders"): + return &genericInformer{resource: resource.GroupResource(), informer: f.IDP().V1alpha1().GitHubIdentityProviders().Informer()}, nil case idpv1alpha1.SchemeGroupVersion.WithResource("ldapidentityproviders"): return &genericInformer{resource: resource.GroupResource(), informer: f.IDP().V1alpha1().LDAPIdentityProviders().Informer()}, nil case idpv1alpha1.SchemeGroupVersion.WithResource("oidcidentityproviders"): diff --git a/generated/1.28/client/supervisor/informers/externalversions/idp/v1alpha1/githubidentityprovider.go b/generated/1.28/client/supervisor/informers/externalversions/idp/v1alpha1/githubidentityprovider.go new file mode 100644 index 0000000000..adf7523844 --- /dev/null +++ b/generated/1.28/client/supervisor/informers/externalversions/idp/v1alpha1/githubidentityprovider.go @@ -0,0 +1,77 @@ +// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by informer-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + "context" + time "time" + + idpv1alpha1 "go.pinniped.dev/generated/1.28/apis/supervisor/idp/v1alpha1" + versioned "go.pinniped.dev/generated/1.28/client/supervisor/clientset/versioned" + internalinterfaces "go.pinniped.dev/generated/1.28/client/supervisor/informers/externalversions/internalinterfaces" + v1alpha1 "go.pinniped.dev/generated/1.28/client/supervisor/listers/idp/v1alpha1" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + runtime "k8s.io/apimachinery/pkg/runtime" + watch "k8s.io/apimachinery/pkg/watch" + cache "k8s.io/client-go/tools/cache" +) + +// GitHubIdentityProviderInformer provides access to a shared informer and lister for +// GitHubIdentityProviders. +type GitHubIdentityProviderInformer interface { + Informer() cache.SharedIndexInformer + Lister() v1alpha1.GitHubIdentityProviderLister +} + +type gitHubIdentityProviderInformer struct { + factory internalinterfaces.SharedInformerFactory + tweakListOptions internalinterfaces.TweakListOptionsFunc + namespace string +} + +// NewGitHubIdentityProviderInformer constructs a new informer for GitHubIdentityProvider type. +// Always prefer using an informer factory to get a shared informer instead of getting an independent +// one. This reduces memory footprint and number of connections to the server. +func NewGitHubIdentityProviderInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer { + return NewFilteredGitHubIdentityProviderInformer(client, namespace, resyncPeriod, indexers, nil) +} + +// NewFilteredGitHubIdentityProviderInformer constructs a new informer for GitHubIdentityProvider type. +// Always prefer using an informer factory to get a shared informer instead of getting an independent +// one. This reduces memory footprint and number of connections to the server. +func NewFilteredGitHubIdentityProviderInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer { + return cache.NewSharedIndexInformer( + &cache.ListWatch{ + ListFunc: func(options v1.ListOptions) (runtime.Object, error) { + if tweakListOptions != nil { + tweakListOptions(&options) + } + return client.IDPV1alpha1().GitHubIdentityProviders(namespace).List(context.TODO(), options) + }, + WatchFunc: func(options v1.ListOptions) (watch.Interface, error) { + if tweakListOptions != nil { + tweakListOptions(&options) + } + return client.IDPV1alpha1().GitHubIdentityProviders(namespace).Watch(context.TODO(), options) + }, + }, + &idpv1alpha1.GitHubIdentityProvider{}, + resyncPeriod, + indexers, + ) +} + +func (f *gitHubIdentityProviderInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer { + return NewFilteredGitHubIdentityProviderInformer(client, f.namespace, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions) +} + +func (f *gitHubIdentityProviderInformer) Informer() cache.SharedIndexInformer { + return f.factory.InformerFor(&idpv1alpha1.GitHubIdentityProvider{}, f.defaultInformer) +} + +func (f *gitHubIdentityProviderInformer) Lister() v1alpha1.GitHubIdentityProviderLister { + return v1alpha1.NewGitHubIdentityProviderLister(f.Informer().GetIndexer()) +} diff --git a/generated/1.28/client/supervisor/informers/externalversions/idp/v1alpha1/interface.go b/generated/1.28/client/supervisor/informers/externalversions/idp/v1alpha1/interface.go index a467489088..b3649bb662 100644 --- a/generated/1.28/client/supervisor/informers/externalversions/idp/v1alpha1/interface.go +++ b/generated/1.28/client/supervisor/informers/externalversions/idp/v1alpha1/interface.go @@ -13,6 +13,8 @@ import ( type Interface interface { // ActiveDirectoryIdentityProviders returns a ActiveDirectoryIdentityProviderInformer. ActiveDirectoryIdentityProviders() ActiveDirectoryIdentityProviderInformer + // GitHubIdentityProviders returns a GitHubIdentityProviderInformer. + GitHubIdentityProviders() GitHubIdentityProviderInformer // LDAPIdentityProviders returns a LDAPIdentityProviderInformer. LDAPIdentityProviders() LDAPIdentityProviderInformer // OIDCIdentityProviders returns a OIDCIdentityProviderInformer. @@ -35,6 +37,11 @@ func (v *version) ActiveDirectoryIdentityProviders() ActiveDirectoryIdentityProv return &activeDirectoryIdentityProviderInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions} } +// GitHubIdentityProviders returns a GitHubIdentityProviderInformer. +func (v *version) GitHubIdentityProviders() GitHubIdentityProviderInformer { + return &gitHubIdentityProviderInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions} +} + // LDAPIdentityProviders returns a LDAPIdentityProviderInformer. func (v *version) LDAPIdentityProviders() LDAPIdentityProviderInformer { return &lDAPIdentityProviderInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions} diff --git a/generated/1.28/client/supervisor/listers/idp/v1alpha1/expansion_generated.go b/generated/1.28/client/supervisor/listers/idp/v1alpha1/expansion_generated.go index b491a9e8d4..470c06abb0 100644 --- a/generated/1.28/client/supervisor/listers/idp/v1alpha1/expansion_generated.go +++ b/generated/1.28/client/supervisor/listers/idp/v1alpha1/expansion_generated.go @@ -13,6 +13,14 @@ type ActiveDirectoryIdentityProviderListerExpansion interface{} // ActiveDirectoryIdentityProviderNamespaceLister. type ActiveDirectoryIdentityProviderNamespaceListerExpansion interface{} +// GitHubIdentityProviderListerExpansion allows custom methods to be added to +// GitHubIdentityProviderLister. +type GitHubIdentityProviderListerExpansion interface{} + +// GitHubIdentityProviderNamespaceListerExpansion allows custom methods to be added to +// GitHubIdentityProviderNamespaceLister. +type GitHubIdentityProviderNamespaceListerExpansion interface{} + // LDAPIdentityProviderListerExpansion allows custom methods to be added to // LDAPIdentityProviderLister. type LDAPIdentityProviderListerExpansion interface{} diff --git a/generated/1.28/client/supervisor/listers/idp/v1alpha1/githubidentityprovider.go b/generated/1.28/client/supervisor/listers/idp/v1alpha1/githubidentityprovider.go new file mode 100644 index 0000000000..fafffc48b1 --- /dev/null +++ b/generated/1.28/client/supervisor/listers/idp/v1alpha1/githubidentityprovider.go @@ -0,0 +1,86 @@ +// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by lister-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + v1alpha1 "go.pinniped.dev/generated/1.28/apis/supervisor/idp/v1alpha1" + "k8s.io/apimachinery/pkg/api/errors" + "k8s.io/apimachinery/pkg/labels" + "k8s.io/client-go/tools/cache" +) + +// GitHubIdentityProviderLister helps list GitHubIdentityProviders. +// All objects returned here must be treated as read-only. +type GitHubIdentityProviderLister interface { + // List lists all GitHubIdentityProviders in the indexer. + // Objects returned here must be treated as read-only. + List(selector labels.Selector) (ret []*v1alpha1.GitHubIdentityProvider, err error) + // GitHubIdentityProviders returns an object that can list and get GitHubIdentityProviders. + GitHubIdentityProviders(namespace string) GitHubIdentityProviderNamespaceLister + GitHubIdentityProviderListerExpansion +} + +// gitHubIdentityProviderLister implements the GitHubIdentityProviderLister interface. +type gitHubIdentityProviderLister struct { + indexer cache.Indexer +} + +// NewGitHubIdentityProviderLister returns a new GitHubIdentityProviderLister. +func NewGitHubIdentityProviderLister(indexer cache.Indexer) GitHubIdentityProviderLister { + return &gitHubIdentityProviderLister{indexer: indexer} +} + +// List lists all GitHubIdentityProviders in the indexer. +func (s *gitHubIdentityProviderLister) List(selector labels.Selector) (ret []*v1alpha1.GitHubIdentityProvider, err error) { + err = cache.ListAll(s.indexer, selector, func(m interface{}) { + ret = append(ret, m.(*v1alpha1.GitHubIdentityProvider)) + }) + return ret, err +} + +// GitHubIdentityProviders returns an object that can list and get GitHubIdentityProviders. +func (s *gitHubIdentityProviderLister) GitHubIdentityProviders(namespace string) GitHubIdentityProviderNamespaceLister { + return gitHubIdentityProviderNamespaceLister{indexer: s.indexer, namespace: namespace} +} + +// GitHubIdentityProviderNamespaceLister helps list and get GitHubIdentityProviders. +// All objects returned here must be treated as read-only. +type GitHubIdentityProviderNamespaceLister interface { + // List lists all GitHubIdentityProviders in the indexer for a given namespace. + // Objects returned here must be treated as read-only. + List(selector labels.Selector) (ret []*v1alpha1.GitHubIdentityProvider, err error) + // Get retrieves the GitHubIdentityProvider from the indexer for a given namespace and name. + // Objects returned here must be treated as read-only. + Get(name string) (*v1alpha1.GitHubIdentityProvider, error) + GitHubIdentityProviderNamespaceListerExpansion +} + +// gitHubIdentityProviderNamespaceLister implements the GitHubIdentityProviderNamespaceLister +// interface. +type gitHubIdentityProviderNamespaceLister struct { + indexer cache.Indexer + namespace string +} + +// List lists all GitHubIdentityProviders in the indexer for a given namespace. +func (s gitHubIdentityProviderNamespaceLister) List(selector labels.Selector) (ret []*v1alpha1.GitHubIdentityProvider, err error) { + err = cache.ListAllByNamespace(s.indexer, s.namespace, selector, func(m interface{}) { + ret = append(ret, m.(*v1alpha1.GitHubIdentityProvider)) + }) + return ret, err +} + +// Get retrieves the GitHubIdentityProvider from the indexer for a given namespace and name. +func (s gitHubIdentityProviderNamespaceLister) Get(name string) (*v1alpha1.GitHubIdentityProvider, error) { + obj, exists, err := s.indexer.GetByKey(s.namespace + "/" + name) + if err != nil { + return nil, err + } + if !exists { + return nil, errors.NewNotFound(v1alpha1.Resource("githubidentityprovider"), name) + } + return obj.(*v1alpha1.GitHubIdentityProvider), nil +} diff --git a/generated/1.28/crds/idp.supervisor.pinniped.dev_githubidentityproviders.yaml b/generated/1.28/crds/idp.supervisor.pinniped.dev_githubidentityproviders.yaml new file mode 100644 index 0000000000..d10a330731 --- /dev/null +++ b/generated/1.28/crds/idp.supervisor.pinniped.dev_githubidentityproviders.yaml @@ -0,0 +1,295 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.14.0 + name: githubidentityproviders.idp.supervisor.pinniped.dev +spec: + group: idp.supervisor.pinniped.dev + names: + categories: + - pinniped + - pinniped-idp + - pinniped-idps + kind: GitHubIdentityProvider + listKind: GitHubIdentityProviderList + plural: githubidentityproviders + singular: githubidentityprovider + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.gitHubAPI.host + name: Host + type: string + - jsonPath: .status.phase + name: Status + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: |- + GitHubIdentityProvider describes the configuration of an upstream GitHub identity provider. + This upstream provider can be configured with either a GitHub App or a GitHub OAuth2 App. + + + Right now, only web-based logins are supported, for both the pinniped-cli client and clients configured + as OIDCClients. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec for configuring the identity provider. + properties: + allowedOrganizations: + description: |- + AllowedOrganizations, when specified, indicates that only users with membership in at least one of the listed + GitHub organizations may log in. In addition, the group membership presented to Kubernetes will only include + teams within the listed GitHub organizations. Additional login rules or group filtering can optionally be + provided as policy expression on any Pinniped Supervisor FederationDomain that includes this IDP. + + + The configured GitHub App or GitHub OAuth App must be allowed to see membership in the listed organizations, + otherwise Pinniped will not be aware that the user belongs to the listed organization or any teams + within that organization. + + + If no organizations are listed, you must set gitHubOrganizationLoginPolicy: AllOrganizationsAllowed + items: + type: string + type: array + claims: + description: Claims allows customization of the username and groups + claims + properties: + groups: + default: slug + description: |- + Groups configures which property of the GitHub team record shall determine the group names in Kubernetes. + + + Can be either "name" or "slug". Defaults to "slug". + + + GitHub team names can contain upper and lower case characters, whitespace, and punctuation (e.g. "Kube admins!"). + + + GitHub team slugs are lower case alphanumeric characters and may contain dashes and underscores (e.g. "kube-admins"). + + + Group names as presented to Kubernetes will always be prefixed by the GitHub organization name followed by a + forward slash (e.g. "my-org/my-team"). GitHub organization login names can only contain alphanumeric characters + or single hyphens, so the first forward slash `/` will be the separator between the organization login name and + the team name or slug. + + + If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's + FederationDomain to further customize how these group names are presented to Kubernetes. + + + See the response schema for + [List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user). + enum: + - name + - slug + type: string + username: + default: login:id + description: |- + Username configures which property of the GitHub user record shall determine the username in Kubernetes. + + + Can be either "id", "login", or "login:id". Defaults to "login:id". + + + GitHub's user login attributes can only contain alphanumeric characters and non-repeating hyphens, + and may not start or end with hyphens. GitHub users are allowed to change their login name, + although it is inconvenient. If a GitHub user changed their login name from "foo" to "bar", + then a second user might change their name from "baz" to "foo" in order to take the old + username of the first user. For this reason, it is not as safe to make authorization decisions + based only on the user's login attribute. + + + If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's + FederationDomain to further customize how these usernames are presented to Kubernetes. + + + Defaults to "login:id", which is the user login attribute, followed by a colon, followed by the unique and + unchanging integer ID number attribute. This blends human-readable login names with the unchanging ID value + from GitHub. Note that colons are not allowed in GitHub login attributes or ID numbers, so the colon in the + "login:id" name will always be the login:id separator colon. + + + See the response schema for + [Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user). + enum: + - id + - login + - login:id + type: string + required: + - groups + - username + type: object + client: + description: Client identifies the secret with credentials for a GitHub + App or GitHub OAuth2 App (a GitHub client). + properties: + secretName: + description: |- + SecretName contains the name of a namespace-local Secret object that provides the clientID and + clientSecret for an GitHub App or GitHub OAuth2 client. + + + This secret must be of type "secrets.pinniped.dev/github-client" with keys "clientID" and "clientSecret". + type: string + required: + - secretName + type: object + gitHubAPI: + default: {} + description: GitHubApi allows configuration for GitHub Enterprise + Server + properties: + host: + default: github.com + description: |- + Host is required only for GitHub Enterprise Server. + Defaults to using GitHub's public API (github.com). + type: string + tls: + description: TLS configuration for GitHub Enterprise Server. + properties: + certificateAuthorityData: + description: X.509 Certificate Authority (base64-encoded PEM + bundle). If omitted, a default set of system roots will + be trusted. + type: string + type: object + type: object + gitHubOrganizationLoginPolicy: + default: AllowedOrganizationsOnly + description: |- + GitHubOrganizationLoginPolicy must be set to "AllOrganizationsAllowed" if allowedOrganizations is empty. + + + This field only exists to ensure that Pinniped administrators are aware that an empty list of + allowedOrganizations means all GitHub users are allowed to log in. + enum: + - AllowedOrganizationsOnly + - AllOrganizationsAllowed + type: string + required: + - client + type: object + status: + description: Status of the identity provider. + properties: + conditions: + description: Conditions represents the observations of an identity + provider's current state. + items: + description: "Condition contains details for one aspect of the current + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + phase: + default: Pending + description: Phase summarizes the overall status of the GitHubIdentityProvider. + enum: + - Pending + - Ready + - Error + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/generated/1.29/README.adoc b/generated/1.29/README.adoc index 71e2ffc09a..b7042fa534 100644 --- a/generated/1.29/README.adoc +++ b/generated/1.29/README.adoc @@ -1366,6 +1366,199 @@ Status of an Active Directory identity provider. |=== +[id="{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githubapiconfig"] +==== GitHubAPIConfig + +GitHubAPIConfig allows configuration for GitHub Enterprise Server + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githubidentityproviderspec[$$GitHubIdentityProviderSpec$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`host`* __string__ | Host is required only for GitHub Enterprise Server. Defaults to using GitHub's public API (github.com). +| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-tlsspec[$$TLSSpec$$]__ | TLS configuration for GitHub Enterprise Server. +|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githubclaims"] +==== GitHubClaims + +GitHubClaims allows customization of the username and groups claims + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githubidentityproviderspec[$$GitHubIdentityProviderSpec$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`username`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githubusernameattribute[$$GitHubUsernameAttribute$$]__ | Username configures which property of the GitHub user record shall determine the username in Kubernetes. + + +Can be either "id", "login", or "login:id". Defaults to "login:id". + + +GitHub's user login attributes can only contain alphanumeric characters and non-repeating hyphens, and may not start or end with hyphens. GitHub users are allowed to change their login name, although it is inconvenient. If a GitHub user changed their login name from "foo" to "bar", then a second user might change their name from "baz" to "foo" in order to take the old username of the first user. For this reason, it is not as safe to make authorization decisions based only on the user's login attribute. + + +If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's FederationDomain to further customize how these usernames are presented to Kubernetes. + + +Defaults to "login:id", which is the user login attribute, followed by a colon, followed by the unique and unchanging integer ID number attribute. This blends human-readable login names with the unchanging ID value from GitHub. Note that colons are not allowed in GitHub login attributes or ID numbers, so the colon in the "login:id" name will always be the login:id separator colon. + + +See the response schema for [Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user). +| *`groups`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githubgroupnameattribute[$$GitHubGroupNameAttribute$$]__ | Groups configures which property of the GitHub team record shall determine the group names in Kubernetes. + + +Can be either "name" or "slug". Defaults to "slug". + + +GitHub team names can contain upper and lower case characters, whitespace, and punctuation (e.g. "Kube admins!"). + + +GitHub team slugs are lower case alphanumeric characters and may contain dashes and underscores (e.g. "kube-admins"). + + +Group names as presented to Kubernetes will always be prefixed by the GitHub organization name followed by a forward slash (e.g. "my-org/my-team"). GitHub organization login names can only contain alphanumeric characters or single hyphens, so the first forward slash `/` will be the separator between the organization login name and the team name or slug. + + +If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's FederationDomain to further customize how these group names are presented to Kubernetes. + + +See the response schema for [List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user). +|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githubclientspec"] +==== GitHubClientSpec + +GitHubClientSpec contains information about the GitHub client that this identity provider will use for web-based login flows. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githubidentityproviderspec[$$GitHubIdentityProviderSpec$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`secretName`* __string__ | SecretName contains the name of a namespace-local Secret object that provides the clientID and clientSecret for an GitHub App or GitHub OAuth2 client. + + +This secret must be of type "secrets.pinniped.dev/github-client" with keys "clientID" and "clientSecret". +|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githubgroupnameattribute"] +==== GitHubGroupNameAttribute (string) + +GitHubGroupNameAttribute allows the user to specify which attribute from GitHub to use for the downstream group names. See the response schema for [List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user). + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githubclaims[$$GitHubClaims$$] +**** + + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githubidentityprovider"] +==== GitHubIdentityProvider + +GitHubIdentityProvider describes the configuration of an upstream GitHub identity provider. This upstream provider can be configured with either a GitHub App or a GitHub OAuth2 App. + Right now, only web-based logins are supported, for both the pinniped-cli client and clients configured as OIDCClients. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githubidentityproviderlist[$$GitHubIdentityProviderList$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`. + +| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githubidentityproviderspec[$$GitHubIdentityProviderSpec$$]__ | Spec for configuring the identity provider. +| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githubidentityproviderstatus[$$GitHubIdentityProviderStatus$$]__ | Status of the identity provider. +|=== + + + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githubidentityproviderphase"] +==== GitHubIdentityProviderPhase (string) + + + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githubidentityproviderstatus[$$GitHubIdentityProviderStatus$$] +**** + + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githubidentityproviderspec"] +==== GitHubIdentityProviderSpec + +GitHubIdentityProviderSpec is the spec for configuring an GitHub identity provider. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githubidentityprovider[$$GitHubIdentityProvider$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`gitHubAPI`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githubapiconfig[$$GitHubAPIConfig$$]__ | GitHubApi allows configuration for GitHub Enterprise Server +| *`claims`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githubclaims[$$GitHubClaims$$]__ | Claims allows customization of the username and groups claims +| *`allowedOrganizations`* __string array__ | AllowedOrganizations, when specified, indicates that only users with membership in at least one of the listed GitHub organizations may log in. In addition, the group membership presented to Kubernetes will only include teams within the listed GitHub organizations. Additional login rules or group filtering can optionally be provided as policy expression on any Pinniped Supervisor FederationDomain that includes this IDP. + + +The configured GitHub App or GitHub OAuth App must be allowed to see membership in the listed organizations, otherwise Pinniped will not be aware that the user belongs to the listed organization or any teams within that organization. + + +If no organizations are listed, you must set gitHubOrganizationLoginPolicy: AllOrganizationsAllowed +| *`gitHubOrganizationLoginPolicy`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githuborganizationloginpolicy[$$GitHubOrganizationLoginPolicy$$]__ | GitHubOrganizationLoginPolicy must be set to "AllOrganizationsAllowed" if allowedOrganizations is empty. + + +This field only exists to ensure that Pinniped administrators are aware that an empty list of allowedOrganizations means all GitHub users are allowed to log in. +| *`client`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githubclientspec[$$GitHubClientSpec$$]__ | Client identifies the secret with credentials for a GitHub App or GitHub OAuth2 App (a GitHub client). +|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githubidentityproviderstatus"] +==== GitHubIdentityProviderStatus + +GitHubIdentityProviderStatus is the status of an GitHub identity provider. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githubidentityprovider[$$GitHubIdentityProvider$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`phase`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githubidentityproviderphase[$$GitHubIdentityProviderPhase$$]__ | Phase summarizes the overall status of the GitHubIdentityProvider. +| *`conditions`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#condition-v1-meta[$$Condition$$] array__ | Conditions represents the observations of an identity provider's current state. +|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githuborganizationloginpolicy"] +==== GitHubOrganizationLoginPolicy (string) + + + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githubidentityproviderspec[$$GitHubIdentityProviderSpec$$] +**** + + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githubusernameattribute"] +==== GitHubUsernameAttribute (string) + +GitHubUsernameAttribute allows the user to specify which attribute(s) from GitHub to use for the downstream username. See the response schema for [Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user). + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githubclaims[$$GitHubClaims$$] +**** + + + [id="{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-ldapidentityprovider"] ==== LDAPIdentityProvider @@ -1686,11 +1879,12 @@ Parameter is a key/value pair which represents a parameter in an HTTP request. [id="{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-tlsspec"] ==== TLSSpec -Configuration for TLS parameters related to identity provider integration. +TLSSpec provides TLS configuration for identity provider integration. .Appears In: **** - xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-activedirectoryidentityproviderspec[$$ActiveDirectoryIdentityProviderSpec$$] +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githubapiconfig[$$GitHubAPIConfig$$] - xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-ldapidentityproviderspec[$$LDAPIdentityProviderSpec$$] - xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-oidcidentityproviderspec[$$OIDCIdentityProviderSpec$$] **** diff --git a/generated/1.29/apis/supervisor/idp/v1alpha1/register.go b/generated/1.29/apis/supervisor/idp/v1alpha1/register.go index 8829a86385..705be8076c 100644 --- a/generated/1.29/apis/supervisor/idp/v1alpha1/register.go +++ b/generated/1.29/apis/supervisor/idp/v1alpha1/register.go @@ -1,4 +1,4 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 package v1alpha1 @@ -36,6 +36,8 @@ func addKnownTypes(scheme *runtime.Scheme) error { &LDAPIdentityProviderList{}, &ActiveDirectoryIdentityProvider{}, &ActiveDirectoryIdentityProviderList{}, + &GitHubIdentityProvider{}, + &GitHubIdentityProviderList{}, ) metav1.AddToGroupVersion(scheme, SchemeGroupVersion) return nil diff --git a/generated/1.29/apis/supervisor/idp/v1alpha1/types_githubidentityprovider.go b/generated/1.29/apis/supervisor/idp/v1alpha1/types_githubidentityprovider.go new file mode 100644 index 0000000000..92bd19724b --- /dev/null +++ b/generated/1.29/apis/supervisor/idp/v1alpha1/types_githubidentityprovider.go @@ -0,0 +1,231 @@ +// Copyright 2024 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +package v1alpha1 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" +) + +type GitHubIdentityProviderPhase string + +const ( + // GitHubPhasePending is the default phase for newly-created GitHubIdentityProvider resources. + GitHubPhasePending GitHubIdentityProviderPhase = "Pending" + + // GitHubPhaseReady is the phase for an GitHubIdentityProvider resource in a healthy state. + GitHubPhaseReady GitHubIdentityProviderPhase = "Ready" + + // GitHubPhaseError is the phase for an GitHubIdentityProvider in an unhealthy state. + GitHubPhaseError GitHubIdentityProviderPhase = "Error" +) + +type GitHubOrganizationLoginPolicy string + +const ( + // GitHubOrganizationLoginPolicyAllOrgsAllowed means any GitHub user is allowed to log in using this identity + // provider, regardless of their organization membership or lack thereof. + GitHubOrganizationLoginPolicyAllOrgsAllowed GitHubOrganizationLoginPolicy = "AllOrganizationsAllowed" + + // GitHubOrganizationLoginPolicyAllowedOrgsOnly means only those users with membership in the listed GitHub + // organizations are allowed to log in. + GitHubOrganizationLoginPolicyAllowedOrgsOnly GitHubOrganizationLoginPolicy = "AllowedOrganizationsOnly" +) + +// GitHubIdentityProviderStatus is the status of an GitHub identity provider. +type GitHubIdentityProviderStatus struct { + // Phase summarizes the overall status of the GitHubIdentityProvider. + // + // +kubebuilder:default=Pending + // +kubebuilder:validation:Enum=Pending;Ready;Error + Phase GitHubIdentityProviderPhase `json:"phase,omitempty"` + + // Conditions represents the observations of an identity provider's current state. + // + // +patchMergeKey=type + // +patchStrategy=merge + // +listType=map + // +listMapKey=type + Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"` +} + +// GitHubAPIConfig allows configuration for GitHub Enterprise Server +type GitHubAPIConfig struct { + // Host is required only for GitHub Enterprise Server. + // Defaults to using GitHub's public API (github.com). + // + // +kubebuilder:default="github.com" + // +optional + Host string `json:"host"` + + // TLS configuration for GitHub Enterprise Server. + // + // +optional + TLS *TLSSpec `json:"tls,omitempty"` +} + +// GitHubUsernameAttribute allows the user to specify which attribute(s) from GitHub to use for the downstream username. +// See the response schema for +// [Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user). +type GitHubUsernameAttribute string + +const ( + // GitHubUsernameID specifies using the `id` attribute from the GitHub user as the downstream username. + GitHubUsernameID GitHubUsernameAttribute = "id" + + // GitHubUsernameLogin specifies using the `login` attribute from the GitHub user as the downstream username. + GitHubUsernameLogin GitHubUsernameAttribute = "login" + + // GitHubUsernameLoginAndID specifies combining the `login` and `id` attributes from the GitHub user as the + // downstream username, separated by a colon. Example: "my-login:1234" + GitHubUsernameLoginAndID GitHubUsernameAttribute = "login:id" +) + +// GitHubGroupNameAttribute allows the user to specify which attribute from GitHub to use for the downstream group +// names. See the response schema for +// [List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user). +type GitHubGroupNameAttribute string + +const ( + // GitHubUseTeamNameForGrouypName specifies using the GitHub team's `name` attribute as the downstream group name. + GitHubUseTeamNameForGrouypName GitHubGroupNameAttribute = "name" + + // GitHubUseTeamSlugForGroupName specifies using the GitHub team's `slug` attribute as the downstream group name. + GitHubUseTeamSlugForGroupName GitHubGroupNameAttribute = "slug" +) + +// GitHubClaims allows customization of the username and groups claims +type GitHubClaims struct { + // Username configures which property of the GitHub user record shall determine the username in Kubernetes. + // + // Can be either "id", "login", or "login:id". Defaults to "login:id". + // + // GitHub's user login attributes can only contain alphanumeric characters and non-repeating hyphens, + // and may not start or end with hyphens. GitHub users are allowed to change their login name, + // although it is inconvenient. If a GitHub user changed their login name from "foo" to "bar", + // then a second user might change their name from "baz" to "foo" in order to take the old + // username of the first user. For this reason, it is not as safe to make authorization decisions + // based only on the user's login attribute. + // + // If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's + // FederationDomain to further customize how these usernames are presented to Kubernetes. + // + // Defaults to "login:id", which is the user login attribute, followed by a colon, followed by the unique and + // unchanging integer ID number attribute. This blends human-readable login names with the unchanging ID value + // from GitHub. Note that colons are not allowed in GitHub login attributes or ID numbers, so the colon in the + // "login:id" name will always be the login:id separator colon. + // + // See the response schema for + // [Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user). + // + // +kubebuilder:default="login:id" + // +kubebuilder:validation:Enum={"id","login","login:id"} + Username GitHubUsernameAttribute `json:"username"` + + // Groups configures which property of the GitHub team record shall determine the group names in Kubernetes. + // + // Can be either "name" or "slug". Defaults to "slug". + // + // GitHub team names can contain upper and lower case characters, whitespace, and punctuation (e.g. "Kube admins!"). + // + // GitHub team slugs are lower case alphanumeric characters and may contain dashes and underscores (e.g. "kube-admins"). + // + // Group names as presented to Kubernetes will always be prefixed by the GitHub organization name followed by a + // forward slash (e.g. "my-org/my-team"). GitHub organization login names can only contain alphanumeric characters + // or single hyphens, so the first forward slash `/` will be the separator between the organization login name and + // the team name or slug. + // + // If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's + // FederationDomain to further customize how these group names are presented to Kubernetes. + // + // See the response schema for + // [List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user). + // + // +kubebuilder:default=slug + // +kubebuilder:validation:Enum=name;slug + Groups GitHubGroupNameAttribute `json:"groups"` +} + +// GitHubClientSpec contains information about the GitHub client that this identity provider will use +// for web-based login flows. +type GitHubClientSpec struct { + // SecretName contains the name of a namespace-local Secret object that provides the clientID and + // clientSecret for an GitHub App or GitHub OAuth2 client. + // + // This secret must be of type "secrets.pinniped.dev/github-client" with keys "clientID" and "clientSecret". + SecretName string `json:"secretName"` +} + +// GitHubIdentityProviderSpec is the spec for configuring an GitHub identity provider. +type GitHubIdentityProviderSpec struct { + // GitHubApi allows configuration for GitHub Enterprise Server + // + // +kubebuilder:default={} + GitHubApi GitHubAPIConfig `json:"gitHubAPI,omitempty"` + + // Claims allows customization of the username and groups claims + // + // +optional + Claims GitHubClaims `json:"claims,omitempty"` + + // AllowedOrganizations, when specified, indicates that only users with membership in at least one of the listed + // GitHub organizations may log in. In addition, the group membership presented to Kubernetes will only include + // teams within the listed GitHub organizations. Additional login rules or group filtering can optionally be + // provided as policy expression on any Pinniped Supervisor FederationDomain that includes this IDP. + // + // The configured GitHub App or GitHub OAuth App must be allowed to see membership in the listed organizations, + // otherwise Pinniped will not be aware that the user belongs to the listed organization or any teams + // within that organization. + // + // If no organizations are listed, you must set gitHubOrganizationLoginPolicy: AllOrganizationsAllowed + // + // +optional + AllowedOrganizations []string `json:"allowedOrganizations,omitempty"` + + // GitHubOrganizationLoginPolicy must be set to "AllOrganizationsAllowed" if allowedOrganizations is empty. + // + // This field only exists to ensure that Pinniped administrators are aware that an empty list of + // allowedOrganizations means all GitHub users are allowed to log in. + // + // +kubebuilder:default=AllowedOrganizationsOnly + // +kubebuilder:validation:Enum=AllowedOrganizationsOnly;AllOrganizationsAllowed + // +optional + GitHubOrganizationLoginPolicy GitHubOrganizationLoginPolicy `json:"gitHubOrganizationLoginPolicy"` + + // Client identifies the secret with credentials for a GitHub App or GitHub OAuth2 App (a GitHub client). + Client GitHubClientSpec `json:"client"` +} + +// GitHubIdentityProvider describes the configuration of an upstream GitHub identity provider. +// This upstream provider can be configured with either a GitHub App or a GitHub OAuth2 App. +// +// Right now, only web-based logins are supported, for both the pinniped-cli client and clients configured +// as OIDCClients. +// +// +genclient +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +// +kubebuilder:resource:categories=pinniped;pinniped-idp;pinniped-idps +// +kubebuilder:printcolumn:name="Host",type=string,JSONPath=`.spec.gitHubAPI.host` +// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.phase` +// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp` +// +kubebuilder:subresource:status +type GitHubIdentityProvider struct { + metav1.TypeMeta `json:",inline"` + metav1.ObjectMeta `json:"metadata,omitempty"` + + // Spec for configuring the identity provider. + Spec GitHubIdentityProviderSpec `json:"spec"` + + // Status of the identity provider. + Status GitHubIdentityProviderStatus `json:"status,omitempty"` +} + +// GitHubIdentityProviderList lists GitHubIdentityProvider objects. +// +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +type GitHubIdentityProviderList struct { + metav1.TypeMeta `json:",inline"` + metav1.ListMeta `json:"metadata,omitempty"` + + Items []GitHubIdentityProvider `json:"items"` +} diff --git a/generated/1.29/apis/supervisor/idp/v1alpha1/types_tls.go b/generated/1.29/apis/supervisor/idp/v1alpha1/types_tls.go index 1413a262cc..49b49373cd 100644 --- a/generated/1.29/apis/supervisor/idp/v1alpha1/types_tls.go +++ b/generated/1.29/apis/supervisor/idp/v1alpha1/types_tls.go @@ -1,9 +1,9 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 package v1alpha1 -// Configuration for TLS parameters related to identity provider integration. +// TLSSpec provides TLS configuration for identity provider integration. type TLSSpec struct { // X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted. // +optional diff --git a/generated/1.29/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go b/generated/1.29/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go index b0cb168b54..724643e7c2 100644 --- a/generated/1.29/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go +++ b/generated/1.29/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go @@ -203,6 +203,167 @@ func (in *ActiveDirectoryIdentityProviderUserSearchAttributes) DeepCopy() *Activ return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *GitHubAPIConfig) DeepCopyInto(out *GitHubAPIConfig) { + *out = *in + if in.TLS != nil { + in, out := &in.TLS, &out.TLS + *out = new(TLSSpec) + **out = **in + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubAPIConfig. +func (in *GitHubAPIConfig) DeepCopy() *GitHubAPIConfig { + if in == nil { + return nil + } + out := new(GitHubAPIConfig) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *GitHubClaims) DeepCopyInto(out *GitHubClaims) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubClaims. +func (in *GitHubClaims) DeepCopy() *GitHubClaims { + if in == nil { + return nil + } + out := new(GitHubClaims) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *GitHubClientSpec) DeepCopyInto(out *GitHubClientSpec) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubClientSpec. +func (in *GitHubClientSpec) DeepCopy() *GitHubClientSpec { + if in == nil { + return nil + } + out := new(GitHubClientSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *GitHubIdentityProvider) DeepCopyInto(out *GitHubIdentityProvider) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + in.Spec.DeepCopyInto(&out.Spec) + in.Status.DeepCopyInto(&out.Status) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubIdentityProvider. +func (in *GitHubIdentityProvider) DeepCopy() *GitHubIdentityProvider { + if in == nil { + return nil + } + out := new(GitHubIdentityProvider) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *GitHubIdentityProvider) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *GitHubIdentityProviderList) DeepCopyInto(out *GitHubIdentityProviderList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]GitHubIdentityProvider, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubIdentityProviderList. +func (in *GitHubIdentityProviderList) DeepCopy() *GitHubIdentityProviderList { + if in == nil { + return nil + } + out := new(GitHubIdentityProviderList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *GitHubIdentityProviderList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *GitHubIdentityProviderSpec) DeepCopyInto(out *GitHubIdentityProviderSpec) { + *out = *in + in.GitHubApi.DeepCopyInto(&out.GitHubApi) + out.Claims = in.Claims + if in.AllowedOrganizations != nil { + in, out := &in.AllowedOrganizations, &out.AllowedOrganizations + *out = make([]string, len(*in)) + copy(*out, *in) + } + out.Client = in.Client + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubIdentityProviderSpec. +func (in *GitHubIdentityProviderSpec) DeepCopy() *GitHubIdentityProviderSpec { + if in == nil { + return nil + } + out := new(GitHubIdentityProviderSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *GitHubIdentityProviderStatus) DeepCopyInto(out *GitHubIdentityProviderStatus) { + *out = *in + if in.Conditions != nil { + in, out := &in.Conditions, &out.Conditions + *out = make([]v1.Condition, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubIdentityProviderStatus. +func (in *GitHubIdentityProviderStatus) DeepCopy() *GitHubIdentityProviderStatus { + if in == nil { + return nil + } + out := new(GitHubIdentityProviderStatus) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *LDAPIdentityProvider) DeepCopyInto(out *LDAPIdentityProvider) { *out = *in diff --git a/generated/1.29/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_githubidentityprovider.go b/generated/1.29/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_githubidentityprovider.go new file mode 100644 index 0000000000..67b4c883a0 --- /dev/null +++ b/generated/1.29/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_githubidentityprovider.go @@ -0,0 +1,128 @@ +// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package fake + +import ( + "context" + + v1alpha1 "go.pinniped.dev/generated/1.29/apis/supervisor/idp/v1alpha1" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + labels "k8s.io/apimachinery/pkg/labels" + types "k8s.io/apimachinery/pkg/types" + watch "k8s.io/apimachinery/pkg/watch" + testing "k8s.io/client-go/testing" +) + +// FakeGitHubIdentityProviders implements GitHubIdentityProviderInterface +type FakeGitHubIdentityProviders struct { + Fake *FakeIDPV1alpha1 + ns string +} + +var githubidentityprovidersResource = v1alpha1.SchemeGroupVersion.WithResource("githubidentityproviders") + +var githubidentityprovidersKind = v1alpha1.SchemeGroupVersion.WithKind("GitHubIdentityProvider") + +// Get takes name of the gitHubIdentityProvider, and returns the corresponding gitHubIdentityProvider object, and an error if there is any. +func (c *FakeGitHubIdentityProviders) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.GitHubIdentityProvider, err error) { + obj, err := c.Fake. + Invokes(testing.NewGetAction(githubidentityprovidersResource, c.ns, name), &v1alpha1.GitHubIdentityProvider{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.GitHubIdentityProvider), err +} + +// List takes label and field selectors, and returns the list of GitHubIdentityProviders that match those selectors. +func (c *FakeGitHubIdentityProviders) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.GitHubIdentityProviderList, err error) { + obj, err := c.Fake. + Invokes(testing.NewListAction(githubidentityprovidersResource, githubidentityprovidersKind, c.ns, opts), &v1alpha1.GitHubIdentityProviderList{}) + + if obj == nil { + return nil, err + } + + label, _, _ := testing.ExtractFromListOptions(opts) + if label == nil { + label = labels.Everything() + } + list := &v1alpha1.GitHubIdentityProviderList{ListMeta: obj.(*v1alpha1.GitHubIdentityProviderList).ListMeta} + for _, item := range obj.(*v1alpha1.GitHubIdentityProviderList).Items { + if label.Matches(labels.Set(item.Labels)) { + list.Items = append(list.Items, item) + } + } + return list, err +} + +// Watch returns a watch.Interface that watches the requested gitHubIdentityProviders. +func (c *FakeGitHubIdentityProviders) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) { + return c.Fake. + InvokesWatch(testing.NewWatchAction(githubidentityprovidersResource, c.ns, opts)) + +} + +// Create takes the representation of a gitHubIdentityProvider and creates it. Returns the server's representation of the gitHubIdentityProvider, and an error, if there is any. +func (c *FakeGitHubIdentityProviders) Create(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.CreateOptions) (result *v1alpha1.GitHubIdentityProvider, err error) { + obj, err := c.Fake. + Invokes(testing.NewCreateAction(githubidentityprovidersResource, c.ns, gitHubIdentityProvider), &v1alpha1.GitHubIdentityProvider{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.GitHubIdentityProvider), err +} + +// Update takes the representation of a gitHubIdentityProvider and updates it. Returns the server's representation of the gitHubIdentityProvider, and an error, if there is any. +func (c *FakeGitHubIdentityProviders) Update(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.UpdateOptions) (result *v1alpha1.GitHubIdentityProvider, err error) { + obj, err := c.Fake. + Invokes(testing.NewUpdateAction(githubidentityprovidersResource, c.ns, gitHubIdentityProvider), &v1alpha1.GitHubIdentityProvider{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.GitHubIdentityProvider), err +} + +// UpdateStatus was generated because the type contains a Status member. +// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus(). +func (c *FakeGitHubIdentityProviders) UpdateStatus(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.UpdateOptions) (*v1alpha1.GitHubIdentityProvider, error) { + obj, err := c.Fake. + Invokes(testing.NewUpdateSubresourceAction(githubidentityprovidersResource, "status", c.ns, gitHubIdentityProvider), &v1alpha1.GitHubIdentityProvider{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.GitHubIdentityProvider), err +} + +// Delete takes name of the gitHubIdentityProvider and deletes it. Returns an error if one occurs. +func (c *FakeGitHubIdentityProviders) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error { + _, err := c.Fake. + Invokes(testing.NewDeleteActionWithOptions(githubidentityprovidersResource, c.ns, name, opts), &v1alpha1.GitHubIdentityProvider{}) + + return err +} + +// DeleteCollection deletes a collection of objects. +func (c *FakeGitHubIdentityProviders) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error { + action := testing.NewDeleteCollectionAction(githubidentityprovidersResource, c.ns, listOpts) + + _, err := c.Fake.Invokes(action, &v1alpha1.GitHubIdentityProviderList{}) + return err +} + +// Patch applies the patch and returns the patched gitHubIdentityProvider. +func (c *FakeGitHubIdentityProviders) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.GitHubIdentityProvider, err error) { + obj, err := c.Fake. + Invokes(testing.NewPatchSubresourceAction(githubidentityprovidersResource, c.ns, name, pt, data, subresources...), &v1alpha1.GitHubIdentityProvider{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.GitHubIdentityProvider), err +} diff --git a/generated/1.29/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_idp_client.go b/generated/1.29/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_idp_client.go index b171331a53..683018c4a9 100644 --- a/generated/1.29/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_idp_client.go +++ b/generated/1.29/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_idp_client.go @@ -19,6 +19,10 @@ func (c *FakeIDPV1alpha1) ActiveDirectoryIdentityProviders(namespace string) v1a return &FakeActiveDirectoryIdentityProviders{c, namespace} } +func (c *FakeIDPV1alpha1) GitHubIdentityProviders(namespace string) v1alpha1.GitHubIdentityProviderInterface { + return &FakeGitHubIdentityProviders{c, namespace} +} + func (c *FakeIDPV1alpha1) LDAPIdentityProviders(namespace string) v1alpha1.LDAPIdentityProviderInterface { return &FakeLDAPIdentityProviders{c, namespace} } diff --git a/generated/1.29/client/supervisor/clientset/versioned/typed/idp/v1alpha1/generated_expansion.go b/generated/1.29/client/supervisor/clientset/versioned/typed/idp/v1alpha1/generated_expansion.go index 79be098d6c..a7acc8120f 100644 --- a/generated/1.29/client/supervisor/clientset/versioned/typed/idp/v1alpha1/generated_expansion.go +++ b/generated/1.29/client/supervisor/clientset/versioned/typed/idp/v1alpha1/generated_expansion.go @@ -7,6 +7,8 @@ package v1alpha1 type ActiveDirectoryIdentityProviderExpansion interface{} +type GitHubIdentityProviderExpansion interface{} + type LDAPIdentityProviderExpansion interface{} type OIDCIdentityProviderExpansion interface{} diff --git a/generated/1.29/client/supervisor/clientset/versioned/typed/idp/v1alpha1/githubidentityprovider.go b/generated/1.29/client/supervisor/clientset/versioned/typed/idp/v1alpha1/githubidentityprovider.go new file mode 100644 index 0000000000..6bb8347033 --- /dev/null +++ b/generated/1.29/client/supervisor/clientset/versioned/typed/idp/v1alpha1/githubidentityprovider.go @@ -0,0 +1,182 @@ +// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + "context" + "time" + + v1alpha1 "go.pinniped.dev/generated/1.29/apis/supervisor/idp/v1alpha1" + scheme "go.pinniped.dev/generated/1.29/client/supervisor/clientset/versioned/scheme" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + types "k8s.io/apimachinery/pkg/types" + watch "k8s.io/apimachinery/pkg/watch" + rest "k8s.io/client-go/rest" +) + +// GitHubIdentityProvidersGetter has a method to return a GitHubIdentityProviderInterface. +// A group's client should implement this interface. +type GitHubIdentityProvidersGetter interface { + GitHubIdentityProviders(namespace string) GitHubIdentityProviderInterface +} + +// GitHubIdentityProviderInterface has methods to work with GitHubIdentityProvider resources. +type GitHubIdentityProviderInterface interface { + Create(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.CreateOptions) (*v1alpha1.GitHubIdentityProvider, error) + Update(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.UpdateOptions) (*v1alpha1.GitHubIdentityProvider, error) + UpdateStatus(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.UpdateOptions) (*v1alpha1.GitHubIdentityProvider, error) + Delete(ctx context.Context, name string, opts v1.DeleteOptions) error + DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error + Get(ctx context.Context, name string, opts v1.GetOptions) (*v1alpha1.GitHubIdentityProvider, error) + List(ctx context.Context, opts v1.ListOptions) (*v1alpha1.GitHubIdentityProviderList, error) + Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) + Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.GitHubIdentityProvider, err error) + GitHubIdentityProviderExpansion +} + +// gitHubIdentityProviders implements GitHubIdentityProviderInterface +type gitHubIdentityProviders struct { + client rest.Interface + ns string +} + +// newGitHubIdentityProviders returns a GitHubIdentityProviders +func newGitHubIdentityProviders(c *IDPV1alpha1Client, namespace string) *gitHubIdentityProviders { + return &gitHubIdentityProviders{ + client: c.RESTClient(), + ns: namespace, + } +} + +// Get takes name of the gitHubIdentityProvider, and returns the corresponding gitHubIdentityProvider object, and an error if there is any. +func (c *gitHubIdentityProviders) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.GitHubIdentityProvider, err error) { + result = &v1alpha1.GitHubIdentityProvider{} + err = c.client.Get(). + Namespace(c.ns). + Resource("githubidentityproviders"). + Name(name). + VersionedParams(&options, scheme.ParameterCodec). + Do(ctx). + Into(result) + return +} + +// List takes label and field selectors, and returns the list of GitHubIdentityProviders that match those selectors. +func (c *gitHubIdentityProviders) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.GitHubIdentityProviderList, err error) { + var timeout time.Duration + if opts.TimeoutSeconds != nil { + timeout = time.Duration(*opts.TimeoutSeconds) * time.Second + } + result = &v1alpha1.GitHubIdentityProviderList{} + err = c.client.Get(). + Namespace(c.ns). + Resource("githubidentityproviders"). + VersionedParams(&opts, scheme.ParameterCodec). + Timeout(timeout). + Do(ctx). + Into(result) + return +} + +// Watch returns a watch.Interface that watches the requested gitHubIdentityProviders. +func (c *gitHubIdentityProviders) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) { + var timeout time.Duration + if opts.TimeoutSeconds != nil { + timeout = time.Duration(*opts.TimeoutSeconds) * time.Second + } + opts.Watch = true + return c.client.Get(). + Namespace(c.ns). + Resource("githubidentityproviders"). + VersionedParams(&opts, scheme.ParameterCodec). + Timeout(timeout). + Watch(ctx) +} + +// Create takes the representation of a gitHubIdentityProvider and creates it. Returns the server's representation of the gitHubIdentityProvider, and an error, if there is any. +func (c *gitHubIdentityProviders) Create(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.CreateOptions) (result *v1alpha1.GitHubIdentityProvider, err error) { + result = &v1alpha1.GitHubIdentityProvider{} + err = c.client.Post(). + Namespace(c.ns). + Resource("githubidentityproviders"). + VersionedParams(&opts, scheme.ParameterCodec). + Body(gitHubIdentityProvider). + Do(ctx). + Into(result) + return +} + +// Update takes the representation of a gitHubIdentityProvider and updates it. Returns the server's representation of the gitHubIdentityProvider, and an error, if there is any. +func (c *gitHubIdentityProviders) Update(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.UpdateOptions) (result *v1alpha1.GitHubIdentityProvider, err error) { + result = &v1alpha1.GitHubIdentityProvider{} + err = c.client.Put(). + Namespace(c.ns). + Resource("githubidentityproviders"). + Name(gitHubIdentityProvider.Name). + VersionedParams(&opts, scheme.ParameterCodec). + Body(gitHubIdentityProvider). + Do(ctx). + Into(result) + return +} + +// UpdateStatus was generated because the type contains a Status member. +// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus(). +func (c *gitHubIdentityProviders) UpdateStatus(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.UpdateOptions) (result *v1alpha1.GitHubIdentityProvider, err error) { + result = &v1alpha1.GitHubIdentityProvider{} + err = c.client.Put(). + Namespace(c.ns). + Resource("githubidentityproviders"). + Name(gitHubIdentityProvider.Name). + SubResource("status"). + VersionedParams(&opts, scheme.ParameterCodec). + Body(gitHubIdentityProvider). + Do(ctx). + Into(result) + return +} + +// Delete takes name of the gitHubIdentityProvider and deletes it. Returns an error if one occurs. +func (c *gitHubIdentityProviders) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error { + return c.client.Delete(). + Namespace(c.ns). + Resource("githubidentityproviders"). + Name(name). + Body(&opts). + Do(ctx). + Error() +} + +// DeleteCollection deletes a collection of objects. +func (c *gitHubIdentityProviders) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error { + var timeout time.Duration + if listOpts.TimeoutSeconds != nil { + timeout = time.Duration(*listOpts.TimeoutSeconds) * time.Second + } + return c.client.Delete(). + Namespace(c.ns). + Resource("githubidentityproviders"). + VersionedParams(&listOpts, scheme.ParameterCodec). + Timeout(timeout). + Body(&opts). + Do(ctx). + Error() +} + +// Patch applies the patch and returns the patched gitHubIdentityProvider. +func (c *gitHubIdentityProviders) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.GitHubIdentityProvider, err error) { + result = &v1alpha1.GitHubIdentityProvider{} + err = c.client.Patch(pt). + Namespace(c.ns). + Resource("githubidentityproviders"). + Name(name). + SubResource(subresources...). + VersionedParams(&opts, scheme.ParameterCodec). + Body(data). + Do(ctx). + Into(result) + return +} diff --git a/generated/1.29/client/supervisor/clientset/versioned/typed/idp/v1alpha1/idp_client.go b/generated/1.29/client/supervisor/clientset/versioned/typed/idp/v1alpha1/idp_client.go index 1146d0dc13..f84063db47 100644 --- a/generated/1.29/client/supervisor/clientset/versioned/typed/idp/v1alpha1/idp_client.go +++ b/generated/1.29/client/supervisor/clientset/versioned/typed/idp/v1alpha1/idp_client.go @@ -16,6 +16,7 @@ import ( type IDPV1alpha1Interface interface { RESTClient() rest.Interface ActiveDirectoryIdentityProvidersGetter + GitHubIdentityProvidersGetter LDAPIdentityProvidersGetter OIDCIdentityProvidersGetter } @@ -29,6 +30,10 @@ func (c *IDPV1alpha1Client) ActiveDirectoryIdentityProviders(namespace string) A return newActiveDirectoryIdentityProviders(c, namespace) } +func (c *IDPV1alpha1Client) GitHubIdentityProviders(namespace string) GitHubIdentityProviderInterface { + return newGitHubIdentityProviders(c, namespace) +} + func (c *IDPV1alpha1Client) LDAPIdentityProviders(namespace string) LDAPIdentityProviderInterface { return newLDAPIdentityProviders(c, namespace) } diff --git a/generated/1.29/client/supervisor/informers/externalversions/generic.go b/generated/1.29/client/supervisor/informers/externalversions/generic.go index 7f6c3edfe2..eaa915525e 100644 --- a/generated/1.29/client/supervisor/informers/externalversions/generic.go +++ b/generated/1.29/client/supervisor/informers/externalversions/generic.go @@ -49,6 +49,8 @@ func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource // Group=idp.supervisor.pinniped.dev, Version=v1alpha1 case idpv1alpha1.SchemeGroupVersion.WithResource("activedirectoryidentityproviders"): return &genericInformer{resource: resource.GroupResource(), informer: f.IDP().V1alpha1().ActiveDirectoryIdentityProviders().Informer()}, nil + case idpv1alpha1.SchemeGroupVersion.WithResource("githubidentityproviders"): + return &genericInformer{resource: resource.GroupResource(), informer: f.IDP().V1alpha1().GitHubIdentityProviders().Informer()}, nil case idpv1alpha1.SchemeGroupVersion.WithResource("ldapidentityproviders"): return &genericInformer{resource: resource.GroupResource(), informer: f.IDP().V1alpha1().LDAPIdentityProviders().Informer()}, nil case idpv1alpha1.SchemeGroupVersion.WithResource("oidcidentityproviders"): diff --git a/generated/1.29/client/supervisor/informers/externalversions/idp/v1alpha1/githubidentityprovider.go b/generated/1.29/client/supervisor/informers/externalversions/idp/v1alpha1/githubidentityprovider.go new file mode 100644 index 0000000000..b0b2334216 --- /dev/null +++ b/generated/1.29/client/supervisor/informers/externalversions/idp/v1alpha1/githubidentityprovider.go @@ -0,0 +1,77 @@ +// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by informer-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + "context" + time "time" + + idpv1alpha1 "go.pinniped.dev/generated/1.29/apis/supervisor/idp/v1alpha1" + versioned "go.pinniped.dev/generated/1.29/client/supervisor/clientset/versioned" + internalinterfaces "go.pinniped.dev/generated/1.29/client/supervisor/informers/externalversions/internalinterfaces" + v1alpha1 "go.pinniped.dev/generated/1.29/client/supervisor/listers/idp/v1alpha1" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + runtime "k8s.io/apimachinery/pkg/runtime" + watch "k8s.io/apimachinery/pkg/watch" + cache "k8s.io/client-go/tools/cache" +) + +// GitHubIdentityProviderInformer provides access to a shared informer and lister for +// GitHubIdentityProviders. +type GitHubIdentityProviderInformer interface { + Informer() cache.SharedIndexInformer + Lister() v1alpha1.GitHubIdentityProviderLister +} + +type gitHubIdentityProviderInformer struct { + factory internalinterfaces.SharedInformerFactory + tweakListOptions internalinterfaces.TweakListOptionsFunc + namespace string +} + +// NewGitHubIdentityProviderInformer constructs a new informer for GitHubIdentityProvider type. +// Always prefer using an informer factory to get a shared informer instead of getting an independent +// one. This reduces memory footprint and number of connections to the server. +func NewGitHubIdentityProviderInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer { + return NewFilteredGitHubIdentityProviderInformer(client, namespace, resyncPeriod, indexers, nil) +} + +// NewFilteredGitHubIdentityProviderInformer constructs a new informer for GitHubIdentityProvider type. +// Always prefer using an informer factory to get a shared informer instead of getting an independent +// one. This reduces memory footprint and number of connections to the server. +func NewFilteredGitHubIdentityProviderInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer { + return cache.NewSharedIndexInformer( + &cache.ListWatch{ + ListFunc: func(options v1.ListOptions) (runtime.Object, error) { + if tweakListOptions != nil { + tweakListOptions(&options) + } + return client.IDPV1alpha1().GitHubIdentityProviders(namespace).List(context.TODO(), options) + }, + WatchFunc: func(options v1.ListOptions) (watch.Interface, error) { + if tweakListOptions != nil { + tweakListOptions(&options) + } + return client.IDPV1alpha1().GitHubIdentityProviders(namespace).Watch(context.TODO(), options) + }, + }, + &idpv1alpha1.GitHubIdentityProvider{}, + resyncPeriod, + indexers, + ) +} + +func (f *gitHubIdentityProviderInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer { + return NewFilteredGitHubIdentityProviderInformer(client, f.namespace, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions) +} + +func (f *gitHubIdentityProviderInformer) Informer() cache.SharedIndexInformer { + return f.factory.InformerFor(&idpv1alpha1.GitHubIdentityProvider{}, f.defaultInformer) +} + +func (f *gitHubIdentityProviderInformer) Lister() v1alpha1.GitHubIdentityProviderLister { + return v1alpha1.NewGitHubIdentityProviderLister(f.Informer().GetIndexer()) +} diff --git a/generated/1.29/client/supervisor/informers/externalversions/idp/v1alpha1/interface.go b/generated/1.29/client/supervisor/informers/externalversions/idp/v1alpha1/interface.go index 8e6ee3f4b0..39eece2602 100644 --- a/generated/1.29/client/supervisor/informers/externalversions/idp/v1alpha1/interface.go +++ b/generated/1.29/client/supervisor/informers/externalversions/idp/v1alpha1/interface.go @@ -13,6 +13,8 @@ import ( type Interface interface { // ActiveDirectoryIdentityProviders returns a ActiveDirectoryIdentityProviderInformer. ActiveDirectoryIdentityProviders() ActiveDirectoryIdentityProviderInformer + // GitHubIdentityProviders returns a GitHubIdentityProviderInformer. + GitHubIdentityProviders() GitHubIdentityProviderInformer // LDAPIdentityProviders returns a LDAPIdentityProviderInformer. LDAPIdentityProviders() LDAPIdentityProviderInformer // OIDCIdentityProviders returns a OIDCIdentityProviderInformer. @@ -35,6 +37,11 @@ func (v *version) ActiveDirectoryIdentityProviders() ActiveDirectoryIdentityProv return &activeDirectoryIdentityProviderInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions} } +// GitHubIdentityProviders returns a GitHubIdentityProviderInformer. +func (v *version) GitHubIdentityProviders() GitHubIdentityProviderInformer { + return &gitHubIdentityProviderInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions} +} + // LDAPIdentityProviders returns a LDAPIdentityProviderInformer. func (v *version) LDAPIdentityProviders() LDAPIdentityProviderInformer { return &lDAPIdentityProviderInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions} diff --git a/generated/1.29/client/supervisor/listers/idp/v1alpha1/expansion_generated.go b/generated/1.29/client/supervisor/listers/idp/v1alpha1/expansion_generated.go index b491a9e8d4..470c06abb0 100644 --- a/generated/1.29/client/supervisor/listers/idp/v1alpha1/expansion_generated.go +++ b/generated/1.29/client/supervisor/listers/idp/v1alpha1/expansion_generated.go @@ -13,6 +13,14 @@ type ActiveDirectoryIdentityProviderListerExpansion interface{} // ActiveDirectoryIdentityProviderNamespaceLister. type ActiveDirectoryIdentityProviderNamespaceListerExpansion interface{} +// GitHubIdentityProviderListerExpansion allows custom methods to be added to +// GitHubIdentityProviderLister. +type GitHubIdentityProviderListerExpansion interface{} + +// GitHubIdentityProviderNamespaceListerExpansion allows custom methods to be added to +// GitHubIdentityProviderNamespaceLister. +type GitHubIdentityProviderNamespaceListerExpansion interface{} + // LDAPIdentityProviderListerExpansion allows custom methods to be added to // LDAPIdentityProviderLister. type LDAPIdentityProviderListerExpansion interface{} diff --git a/generated/1.29/client/supervisor/listers/idp/v1alpha1/githubidentityprovider.go b/generated/1.29/client/supervisor/listers/idp/v1alpha1/githubidentityprovider.go new file mode 100644 index 0000000000..63a6fcec75 --- /dev/null +++ b/generated/1.29/client/supervisor/listers/idp/v1alpha1/githubidentityprovider.go @@ -0,0 +1,86 @@ +// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by lister-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + v1alpha1 "go.pinniped.dev/generated/1.29/apis/supervisor/idp/v1alpha1" + "k8s.io/apimachinery/pkg/api/errors" + "k8s.io/apimachinery/pkg/labels" + "k8s.io/client-go/tools/cache" +) + +// GitHubIdentityProviderLister helps list GitHubIdentityProviders. +// All objects returned here must be treated as read-only. +type GitHubIdentityProviderLister interface { + // List lists all GitHubIdentityProviders in the indexer. + // Objects returned here must be treated as read-only. + List(selector labels.Selector) (ret []*v1alpha1.GitHubIdentityProvider, err error) + // GitHubIdentityProviders returns an object that can list and get GitHubIdentityProviders. + GitHubIdentityProviders(namespace string) GitHubIdentityProviderNamespaceLister + GitHubIdentityProviderListerExpansion +} + +// gitHubIdentityProviderLister implements the GitHubIdentityProviderLister interface. +type gitHubIdentityProviderLister struct { + indexer cache.Indexer +} + +// NewGitHubIdentityProviderLister returns a new GitHubIdentityProviderLister. +func NewGitHubIdentityProviderLister(indexer cache.Indexer) GitHubIdentityProviderLister { + return &gitHubIdentityProviderLister{indexer: indexer} +} + +// List lists all GitHubIdentityProviders in the indexer. +func (s *gitHubIdentityProviderLister) List(selector labels.Selector) (ret []*v1alpha1.GitHubIdentityProvider, err error) { + err = cache.ListAll(s.indexer, selector, func(m interface{}) { + ret = append(ret, m.(*v1alpha1.GitHubIdentityProvider)) + }) + return ret, err +} + +// GitHubIdentityProviders returns an object that can list and get GitHubIdentityProviders. +func (s *gitHubIdentityProviderLister) GitHubIdentityProviders(namespace string) GitHubIdentityProviderNamespaceLister { + return gitHubIdentityProviderNamespaceLister{indexer: s.indexer, namespace: namespace} +} + +// GitHubIdentityProviderNamespaceLister helps list and get GitHubIdentityProviders. +// All objects returned here must be treated as read-only. +type GitHubIdentityProviderNamespaceLister interface { + // List lists all GitHubIdentityProviders in the indexer for a given namespace. + // Objects returned here must be treated as read-only. + List(selector labels.Selector) (ret []*v1alpha1.GitHubIdentityProvider, err error) + // Get retrieves the GitHubIdentityProvider from the indexer for a given namespace and name. + // Objects returned here must be treated as read-only. + Get(name string) (*v1alpha1.GitHubIdentityProvider, error) + GitHubIdentityProviderNamespaceListerExpansion +} + +// gitHubIdentityProviderNamespaceLister implements the GitHubIdentityProviderNamespaceLister +// interface. +type gitHubIdentityProviderNamespaceLister struct { + indexer cache.Indexer + namespace string +} + +// List lists all GitHubIdentityProviders in the indexer for a given namespace. +func (s gitHubIdentityProviderNamespaceLister) List(selector labels.Selector) (ret []*v1alpha1.GitHubIdentityProvider, err error) { + err = cache.ListAllByNamespace(s.indexer, s.namespace, selector, func(m interface{}) { + ret = append(ret, m.(*v1alpha1.GitHubIdentityProvider)) + }) + return ret, err +} + +// Get retrieves the GitHubIdentityProvider from the indexer for a given namespace and name. +func (s gitHubIdentityProviderNamespaceLister) Get(name string) (*v1alpha1.GitHubIdentityProvider, error) { + obj, exists, err := s.indexer.GetByKey(s.namespace + "/" + name) + if err != nil { + return nil, err + } + if !exists { + return nil, errors.NewNotFound(v1alpha1.Resource("githubidentityprovider"), name) + } + return obj.(*v1alpha1.GitHubIdentityProvider), nil +} diff --git a/generated/1.29/crds/idp.supervisor.pinniped.dev_githubidentityproviders.yaml b/generated/1.29/crds/idp.supervisor.pinniped.dev_githubidentityproviders.yaml new file mode 100644 index 0000000000..d10a330731 --- /dev/null +++ b/generated/1.29/crds/idp.supervisor.pinniped.dev_githubidentityproviders.yaml @@ -0,0 +1,295 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.14.0 + name: githubidentityproviders.idp.supervisor.pinniped.dev +spec: + group: idp.supervisor.pinniped.dev + names: + categories: + - pinniped + - pinniped-idp + - pinniped-idps + kind: GitHubIdentityProvider + listKind: GitHubIdentityProviderList + plural: githubidentityproviders + singular: githubidentityprovider + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.gitHubAPI.host + name: Host + type: string + - jsonPath: .status.phase + name: Status + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: |- + GitHubIdentityProvider describes the configuration of an upstream GitHub identity provider. + This upstream provider can be configured with either a GitHub App or a GitHub OAuth2 App. + + + Right now, only web-based logins are supported, for both the pinniped-cli client and clients configured + as OIDCClients. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec for configuring the identity provider. + properties: + allowedOrganizations: + description: |- + AllowedOrganizations, when specified, indicates that only users with membership in at least one of the listed + GitHub organizations may log in. In addition, the group membership presented to Kubernetes will only include + teams within the listed GitHub organizations. Additional login rules or group filtering can optionally be + provided as policy expression on any Pinniped Supervisor FederationDomain that includes this IDP. + + + The configured GitHub App or GitHub OAuth App must be allowed to see membership in the listed organizations, + otherwise Pinniped will not be aware that the user belongs to the listed organization or any teams + within that organization. + + + If no organizations are listed, you must set gitHubOrganizationLoginPolicy: AllOrganizationsAllowed + items: + type: string + type: array + claims: + description: Claims allows customization of the username and groups + claims + properties: + groups: + default: slug + description: |- + Groups configures which property of the GitHub team record shall determine the group names in Kubernetes. + + + Can be either "name" or "slug". Defaults to "slug". + + + GitHub team names can contain upper and lower case characters, whitespace, and punctuation (e.g. "Kube admins!"). + + + GitHub team slugs are lower case alphanumeric characters and may contain dashes and underscores (e.g. "kube-admins"). + + + Group names as presented to Kubernetes will always be prefixed by the GitHub organization name followed by a + forward slash (e.g. "my-org/my-team"). GitHub organization login names can only contain alphanumeric characters + or single hyphens, so the first forward slash `/` will be the separator between the organization login name and + the team name or slug. + + + If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's + FederationDomain to further customize how these group names are presented to Kubernetes. + + + See the response schema for + [List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user). + enum: + - name + - slug + type: string + username: + default: login:id + description: |- + Username configures which property of the GitHub user record shall determine the username in Kubernetes. + + + Can be either "id", "login", or "login:id". Defaults to "login:id". + + + GitHub's user login attributes can only contain alphanumeric characters and non-repeating hyphens, + and may not start or end with hyphens. GitHub users are allowed to change their login name, + although it is inconvenient. If a GitHub user changed their login name from "foo" to "bar", + then a second user might change their name from "baz" to "foo" in order to take the old + username of the first user. For this reason, it is not as safe to make authorization decisions + based only on the user's login attribute. + + + If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's + FederationDomain to further customize how these usernames are presented to Kubernetes. + + + Defaults to "login:id", which is the user login attribute, followed by a colon, followed by the unique and + unchanging integer ID number attribute. This blends human-readable login names with the unchanging ID value + from GitHub. Note that colons are not allowed in GitHub login attributes or ID numbers, so the colon in the + "login:id" name will always be the login:id separator colon. + + + See the response schema for + [Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user). + enum: + - id + - login + - login:id + type: string + required: + - groups + - username + type: object + client: + description: Client identifies the secret with credentials for a GitHub + App or GitHub OAuth2 App (a GitHub client). + properties: + secretName: + description: |- + SecretName contains the name of a namespace-local Secret object that provides the clientID and + clientSecret for an GitHub App or GitHub OAuth2 client. + + + This secret must be of type "secrets.pinniped.dev/github-client" with keys "clientID" and "clientSecret". + type: string + required: + - secretName + type: object + gitHubAPI: + default: {} + description: GitHubApi allows configuration for GitHub Enterprise + Server + properties: + host: + default: github.com + description: |- + Host is required only for GitHub Enterprise Server. + Defaults to using GitHub's public API (github.com). + type: string + tls: + description: TLS configuration for GitHub Enterprise Server. + properties: + certificateAuthorityData: + description: X.509 Certificate Authority (base64-encoded PEM + bundle). If omitted, a default set of system roots will + be trusted. + type: string + type: object + type: object + gitHubOrganizationLoginPolicy: + default: AllowedOrganizationsOnly + description: |- + GitHubOrganizationLoginPolicy must be set to "AllOrganizationsAllowed" if allowedOrganizations is empty. + + + This field only exists to ensure that Pinniped administrators are aware that an empty list of + allowedOrganizations means all GitHub users are allowed to log in. + enum: + - AllowedOrganizationsOnly + - AllOrganizationsAllowed + type: string + required: + - client + type: object + status: + description: Status of the identity provider. + properties: + conditions: + description: Conditions represents the observations of an identity + provider's current state. + items: + description: "Condition contains details for one aspect of the current + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + phase: + default: Pending + description: Phase summarizes the overall status of the GitHubIdentityProvider. + enum: + - Pending + - Ready + - Error + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/generated/latest/README.adoc b/generated/latest/README.adoc index 71e2ffc09a..b7042fa534 100644 --- a/generated/latest/README.adoc +++ b/generated/latest/README.adoc @@ -1366,6 +1366,199 @@ Status of an Active Directory identity provider. |=== +[id="{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githubapiconfig"] +==== GitHubAPIConfig + +GitHubAPIConfig allows configuration for GitHub Enterprise Server + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githubidentityproviderspec[$$GitHubIdentityProviderSpec$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`host`* __string__ | Host is required only for GitHub Enterprise Server. Defaults to using GitHub's public API (github.com). +| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-tlsspec[$$TLSSpec$$]__ | TLS configuration for GitHub Enterprise Server. +|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githubclaims"] +==== GitHubClaims + +GitHubClaims allows customization of the username and groups claims + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githubidentityproviderspec[$$GitHubIdentityProviderSpec$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`username`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githubusernameattribute[$$GitHubUsernameAttribute$$]__ | Username configures which property of the GitHub user record shall determine the username in Kubernetes. + + +Can be either "id", "login", or "login:id". Defaults to "login:id". + + +GitHub's user login attributes can only contain alphanumeric characters and non-repeating hyphens, and may not start or end with hyphens. GitHub users are allowed to change their login name, although it is inconvenient. If a GitHub user changed their login name from "foo" to "bar", then a second user might change their name from "baz" to "foo" in order to take the old username of the first user. For this reason, it is not as safe to make authorization decisions based only on the user's login attribute. + + +If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's FederationDomain to further customize how these usernames are presented to Kubernetes. + + +Defaults to "login:id", which is the user login attribute, followed by a colon, followed by the unique and unchanging integer ID number attribute. This blends human-readable login names with the unchanging ID value from GitHub. Note that colons are not allowed in GitHub login attributes or ID numbers, so the colon in the "login:id" name will always be the login:id separator colon. + + +See the response schema for [Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user). +| *`groups`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githubgroupnameattribute[$$GitHubGroupNameAttribute$$]__ | Groups configures which property of the GitHub team record shall determine the group names in Kubernetes. + + +Can be either "name" or "slug". Defaults to "slug". + + +GitHub team names can contain upper and lower case characters, whitespace, and punctuation (e.g. "Kube admins!"). + + +GitHub team slugs are lower case alphanumeric characters and may contain dashes and underscores (e.g. "kube-admins"). + + +Group names as presented to Kubernetes will always be prefixed by the GitHub organization name followed by a forward slash (e.g. "my-org/my-team"). GitHub organization login names can only contain alphanumeric characters or single hyphens, so the first forward slash `/` will be the separator between the organization login name and the team name or slug. + + +If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's FederationDomain to further customize how these group names are presented to Kubernetes. + + +See the response schema for [List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user). +|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githubclientspec"] +==== GitHubClientSpec + +GitHubClientSpec contains information about the GitHub client that this identity provider will use for web-based login flows. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githubidentityproviderspec[$$GitHubIdentityProviderSpec$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`secretName`* __string__ | SecretName contains the name of a namespace-local Secret object that provides the clientID and clientSecret for an GitHub App or GitHub OAuth2 client. + + +This secret must be of type "secrets.pinniped.dev/github-client" with keys "clientID" and "clientSecret". +|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githubgroupnameattribute"] +==== GitHubGroupNameAttribute (string) + +GitHubGroupNameAttribute allows the user to specify which attribute from GitHub to use for the downstream group names. See the response schema for [List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user). + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githubclaims[$$GitHubClaims$$] +**** + + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githubidentityprovider"] +==== GitHubIdentityProvider + +GitHubIdentityProvider describes the configuration of an upstream GitHub identity provider. This upstream provider can be configured with either a GitHub App or a GitHub OAuth2 App. + Right now, only web-based logins are supported, for both the pinniped-cli client and clients configured as OIDCClients. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githubidentityproviderlist[$$GitHubIdentityProviderList$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`. + +| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githubidentityproviderspec[$$GitHubIdentityProviderSpec$$]__ | Spec for configuring the identity provider. +| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githubidentityproviderstatus[$$GitHubIdentityProviderStatus$$]__ | Status of the identity provider. +|=== + + + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githubidentityproviderphase"] +==== GitHubIdentityProviderPhase (string) + + + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githubidentityproviderstatus[$$GitHubIdentityProviderStatus$$] +**** + + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githubidentityproviderspec"] +==== GitHubIdentityProviderSpec + +GitHubIdentityProviderSpec is the spec for configuring an GitHub identity provider. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githubidentityprovider[$$GitHubIdentityProvider$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`gitHubAPI`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githubapiconfig[$$GitHubAPIConfig$$]__ | GitHubApi allows configuration for GitHub Enterprise Server +| *`claims`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githubclaims[$$GitHubClaims$$]__ | Claims allows customization of the username and groups claims +| *`allowedOrganizations`* __string array__ | AllowedOrganizations, when specified, indicates that only users with membership in at least one of the listed GitHub organizations may log in. In addition, the group membership presented to Kubernetes will only include teams within the listed GitHub organizations. Additional login rules or group filtering can optionally be provided as policy expression on any Pinniped Supervisor FederationDomain that includes this IDP. + + +The configured GitHub App or GitHub OAuth App must be allowed to see membership in the listed organizations, otherwise Pinniped will not be aware that the user belongs to the listed organization or any teams within that organization. + + +If no organizations are listed, you must set gitHubOrganizationLoginPolicy: AllOrganizationsAllowed +| *`gitHubOrganizationLoginPolicy`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githuborganizationloginpolicy[$$GitHubOrganizationLoginPolicy$$]__ | GitHubOrganizationLoginPolicy must be set to "AllOrganizationsAllowed" if allowedOrganizations is empty. + + +This field only exists to ensure that Pinniped administrators are aware that an empty list of allowedOrganizations means all GitHub users are allowed to log in. +| *`client`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githubclientspec[$$GitHubClientSpec$$]__ | Client identifies the secret with credentials for a GitHub App or GitHub OAuth2 App (a GitHub client). +|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githubidentityproviderstatus"] +==== GitHubIdentityProviderStatus + +GitHubIdentityProviderStatus is the status of an GitHub identity provider. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githubidentityprovider[$$GitHubIdentityProvider$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`phase`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githubidentityproviderphase[$$GitHubIdentityProviderPhase$$]__ | Phase summarizes the overall status of the GitHubIdentityProvider. +| *`conditions`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#condition-v1-meta[$$Condition$$] array__ | Conditions represents the observations of an identity provider's current state. +|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githuborganizationloginpolicy"] +==== GitHubOrganizationLoginPolicy (string) + + + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githubidentityproviderspec[$$GitHubIdentityProviderSpec$$] +**** + + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githubusernameattribute"] +==== GitHubUsernameAttribute (string) + +GitHubUsernameAttribute allows the user to specify which attribute(s) from GitHub to use for the downstream username. See the response schema for [Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user). + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githubclaims[$$GitHubClaims$$] +**** + + + [id="{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-ldapidentityprovider"] ==== LDAPIdentityProvider @@ -1686,11 +1879,12 @@ Parameter is a key/value pair which represents a parameter in an HTTP request. [id="{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-tlsspec"] ==== TLSSpec -Configuration for TLS parameters related to identity provider integration. +TLSSpec provides TLS configuration for identity provider integration. .Appears In: **** - xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-activedirectoryidentityproviderspec[$$ActiveDirectoryIdentityProviderSpec$$] +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githubapiconfig[$$GitHubAPIConfig$$] - xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-ldapidentityproviderspec[$$LDAPIdentityProviderSpec$$] - xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-oidcidentityproviderspec[$$OIDCIdentityProviderSpec$$] **** diff --git a/generated/latest/apis/supervisor/idp/v1alpha1/register.go b/generated/latest/apis/supervisor/idp/v1alpha1/register.go index 8829a86385..705be8076c 100644 --- a/generated/latest/apis/supervisor/idp/v1alpha1/register.go +++ b/generated/latest/apis/supervisor/idp/v1alpha1/register.go @@ -1,4 +1,4 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 package v1alpha1 @@ -36,6 +36,8 @@ func addKnownTypes(scheme *runtime.Scheme) error { &LDAPIdentityProviderList{}, &ActiveDirectoryIdentityProvider{}, &ActiveDirectoryIdentityProviderList{}, + &GitHubIdentityProvider{}, + &GitHubIdentityProviderList{}, ) metav1.AddToGroupVersion(scheme, SchemeGroupVersion) return nil diff --git a/generated/latest/apis/supervisor/idp/v1alpha1/types_githubidentityprovider.go b/generated/latest/apis/supervisor/idp/v1alpha1/types_githubidentityprovider.go new file mode 100644 index 0000000000..92bd19724b --- /dev/null +++ b/generated/latest/apis/supervisor/idp/v1alpha1/types_githubidentityprovider.go @@ -0,0 +1,231 @@ +// Copyright 2024 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +package v1alpha1 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" +) + +type GitHubIdentityProviderPhase string + +const ( + // GitHubPhasePending is the default phase for newly-created GitHubIdentityProvider resources. + GitHubPhasePending GitHubIdentityProviderPhase = "Pending" + + // GitHubPhaseReady is the phase for an GitHubIdentityProvider resource in a healthy state. + GitHubPhaseReady GitHubIdentityProviderPhase = "Ready" + + // GitHubPhaseError is the phase for an GitHubIdentityProvider in an unhealthy state. + GitHubPhaseError GitHubIdentityProviderPhase = "Error" +) + +type GitHubOrganizationLoginPolicy string + +const ( + // GitHubOrganizationLoginPolicyAllOrgsAllowed means any GitHub user is allowed to log in using this identity + // provider, regardless of their organization membership or lack thereof. + GitHubOrganizationLoginPolicyAllOrgsAllowed GitHubOrganizationLoginPolicy = "AllOrganizationsAllowed" + + // GitHubOrganizationLoginPolicyAllowedOrgsOnly means only those users with membership in the listed GitHub + // organizations are allowed to log in. + GitHubOrganizationLoginPolicyAllowedOrgsOnly GitHubOrganizationLoginPolicy = "AllowedOrganizationsOnly" +) + +// GitHubIdentityProviderStatus is the status of an GitHub identity provider. +type GitHubIdentityProviderStatus struct { + // Phase summarizes the overall status of the GitHubIdentityProvider. + // + // +kubebuilder:default=Pending + // +kubebuilder:validation:Enum=Pending;Ready;Error + Phase GitHubIdentityProviderPhase `json:"phase,omitempty"` + + // Conditions represents the observations of an identity provider's current state. + // + // +patchMergeKey=type + // +patchStrategy=merge + // +listType=map + // +listMapKey=type + Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"` +} + +// GitHubAPIConfig allows configuration for GitHub Enterprise Server +type GitHubAPIConfig struct { + // Host is required only for GitHub Enterprise Server. + // Defaults to using GitHub's public API (github.com). + // + // +kubebuilder:default="github.com" + // +optional + Host string `json:"host"` + + // TLS configuration for GitHub Enterprise Server. + // + // +optional + TLS *TLSSpec `json:"tls,omitempty"` +} + +// GitHubUsernameAttribute allows the user to specify which attribute(s) from GitHub to use for the downstream username. +// See the response schema for +// [Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user). +type GitHubUsernameAttribute string + +const ( + // GitHubUsernameID specifies using the `id` attribute from the GitHub user as the downstream username. + GitHubUsernameID GitHubUsernameAttribute = "id" + + // GitHubUsernameLogin specifies using the `login` attribute from the GitHub user as the downstream username. + GitHubUsernameLogin GitHubUsernameAttribute = "login" + + // GitHubUsernameLoginAndID specifies combining the `login` and `id` attributes from the GitHub user as the + // downstream username, separated by a colon. Example: "my-login:1234" + GitHubUsernameLoginAndID GitHubUsernameAttribute = "login:id" +) + +// GitHubGroupNameAttribute allows the user to specify which attribute from GitHub to use for the downstream group +// names. See the response schema for +// [List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user). +type GitHubGroupNameAttribute string + +const ( + // GitHubUseTeamNameForGrouypName specifies using the GitHub team's `name` attribute as the downstream group name. + GitHubUseTeamNameForGrouypName GitHubGroupNameAttribute = "name" + + // GitHubUseTeamSlugForGroupName specifies using the GitHub team's `slug` attribute as the downstream group name. + GitHubUseTeamSlugForGroupName GitHubGroupNameAttribute = "slug" +) + +// GitHubClaims allows customization of the username and groups claims +type GitHubClaims struct { + // Username configures which property of the GitHub user record shall determine the username in Kubernetes. + // + // Can be either "id", "login", or "login:id". Defaults to "login:id". + // + // GitHub's user login attributes can only contain alphanumeric characters and non-repeating hyphens, + // and may not start or end with hyphens. GitHub users are allowed to change their login name, + // although it is inconvenient. If a GitHub user changed their login name from "foo" to "bar", + // then a second user might change their name from "baz" to "foo" in order to take the old + // username of the first user. For this reason, it is not as safe to make authorization decisions + // based only on the user's login attribute. + // + // If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's + // FederationDomain to further customize how these usernames are presented to Kubernetes. + // + // Defaults to "login:id", which is the user login attribute, followed by a colon, followed by the unique and + // unchanging integer ID number attribute. This blends human-readable login names with the unchanging ID value + // from GitHub. Note that colons are not allowed in GitHub login attributes or ID numbers, so the colon in the + // "login:id" name will always be the login:id separator colon. + // + // See the response schema for + // [Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user). + // + // +kubebuilder:default="login:id" + // +kubebuilder:validation:Enum={"id","login","login:id"} + Username GitHubUsernameAttribute `json:"username"` + + // Groups configures which property of the GitHub team record shall determine the group names in Kubernetes. + // + // Can be either "name" or "slug". Defaults to "slug". + // + // GitHub team names can contain upper and lower case characters, whitespace, and punctuation (e.g. "Kube admins!"). + // + // GitHub team slugs are lower case alphanumeric characters and may contain dashes and underscores (e.g. "kube-admins"). + // + // Group names as presented to Kubernetes will always be prefixed by the GitHub organization name followed by a + // forward slash (e.g. "my-org/my-team"). GitHub organization login names can only contain alphanumeric characters + // or single hyphens, so the first forward slash `/` will be the separator between the organization login name and + // the team name or slug. + // + // If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's + // FederationDomain to further customize how these group names are presented to Kubernetes. + // + // See the response schema for + // [List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user). + // + // +kubebuilder:default=slug + // +kubebuilder:validation:Enum=name;slug + Groups GitHubGroupNameAttribute `json:"groups"` +} + +// GitHubClientSpec contains information about the GitHub client that this identity provider will use +// for web-based login flows. +type GitHubClientSpec struct { + // SecretName contains the name of a namespace-local Secret object that provides the clientID and + // clientSecret for an GitHub App or GitHub OAuth2 client. + // + // This secret must be of type "secrets.pinniped.dev/github-client" with keys "clientID" and "clientSecret". + SecretName string `json:"secretName"` +} + +// GitHubIdentityProviderSpec is the spec for configuring an GitHub identity provider. +type GitHubIdentityProviderSpec struct { + // GitHubApi allows configuration for GitHub Enterprise Server + // + // +kubebuilder:default={} + GitHubApi GitHubAPIConfig `json:"gitHubAPI,omitempty"` + + // Claims allows customization of the username and groups claims + // + // +optional + Claims GitHubClaims `json:"claims,omitempty"` + + // AllowedOrganizations, when specified, indicates that only users with membership in at least one of the listed + // GitHub organizations may log in. In addition, the group membership presented to Kubernetes will only include + // teams within the listed GitHub organizations. Additional login rules or group filtering can optionally be + // provided as policy expression on any Pinniped Supervisor FederationDomain that includes this IDP. + // + // The configured GitHub App or GitHub OAuth App must be allowed to see membership in the listed organizations, + // otherwise Pinniped will not be aware that the user belongs to the listed organization or any teams + // within that organization. + // + // If no organizations are listed, you must set gitHubOrganizationLoginPolicy: AllOrganizationsAllowed + // + // +optional + AllowedOrganizations []string `json:"allowedOrganizations,omitempty"` + + // GitHubOrganizationLoginPolicy must be set to "AllOrganizationsAllowed" if allowedOrganizations is empty. + // + // This field only exists to ensure that Pinniped administrators are aware that an empty list of + // allowedOrganizations means all GitHub users are allowed to log in. + // + // +kubebuilder:default=AllowedOrganizationsOnly + // +kubebuilder:validation:Enum=AllowedOrganizationsOnly;AllOrganizationsAllowed + // +optional + GitHubOrganizationLoginPolicy GitHubOrganizationLoginPolicy `json:"gitHubOrganizationLoginPolicy"` + + // Client identifies the secret with credentials for a GitHub App or GitHub OAuth2 App (a GitHub client). + Client GitHubClientSpec `json:"client"` +} + +// GitHubIdentityProvider describes the configuration of an upstream GitHub identity provider. +// This upstream provider can be configured with either a GitHub App or a GitHub OAuth2 App. +// +// Right now, only web-based logins are supported, for both the pinniped-cli client and clients configured +// as OIDCClients. +// +// +genclient +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +// +kubebuilder:resource:categories=pinniped;pinniped-idp;pinniped-idps +// +kubebuilder:printcolumn:name="Host",type=string,JSONPath=`.spec.gitHubAPI.host` +// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.phase` +// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp` +// +kubebuilder:subresource:status +type GitHubIdentityProvider struct { + metav1.TypeMeta `json:",inline"` + metav1.ObjectMeta `json:"metadata,omitempty"` + + // Spec for configuring the identity provider. + Spec GitHubIdentityProviderSpec `json:"spec"` + + // Status of the identity provider. + Status GitHubIdentityProviderStatus `json:"status,omitempty"` +} + +// GitHubIdentityProviderList lists GitHubIdentityProvider objects. +// +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +type GitHubIdentityProviderList struct { + metav1.TypeMeta `json:",inline"` + metav1.ListMeta `json:"metadata,omitempty"` + + Items []GitHubIdentityProvider `json:"items"` +} diff --git a/generated/latest/apis/supervisor/idp/v1alpha1/types_tls.go b/generated/latest/apis/supervisor/idp/v1alpha1/types_tls.go index 1413a262cc..49b49373cd 100644 --- a/generated/latest/apis/supervisor/idp/v1alpha1/types_tls.go +++ b/generated/latest/apis/supervisor/idp/v1alpha1/types_tls.go @@ -1,9 +1,9 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 package v1alpha1 -// Configuration for TLS parameters related to identity provider integration. +// TLSSpec provides TLS configuration for identity provider integration. type TLSSpec struct { // X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted. // +optional diff --git a/generated/latest/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go b/generated/latest/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go index b0cb168b54..724643e7c2 100644 --- a/generated/latest/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go +++ b/generated/latest/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go @@ -203,6 +203,167 @@ func (in *ActiveDirectoryIdentityProviderUserSearchAttributes) DeepCopy() *Activ return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *GitHubAPIConfig) DeepCopyInto(out *GitHubAPIConfig) { + *out = *in + if in.TLS != nil { + in, out := &in.TLS, &out.TLS + *out = new(TLSSpec) + **out = **in + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubAPIConfig. +func (in *GitHubAPIConfig) DeepCopy() *GitHubAPIConfig { + if in == nil { + return nil + } + out := new(GitHubAPIConfig) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *GitHubClaims) DeepCopyInto(out *GitHubClaims) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubClaims. +func (in *GitHubClaims) DeepCopy() *GitHubClaims { + if in == nil { + return nil + } + out := new(GitHubClaims) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *GitHubClientSpec) DeepCopyInto(out *GitHubClientSpec) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubClientSpec. +func (in *GitHubClientSpec) DeepCopy() *GitHubClientSpec { + if in == nil { + return nil + } + out := new(GitHubClientSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *GitHubIdentityProvider) DeepCopyInto(out *GitHubIdentityProvider) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + in.Spec.DeepCopyInto(&out.Spec) + in.Status.DeepCopyInto(&out.Status) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubIdentityProvider. +func (in *GitHubIdentityProvider) DeepCopy() *GitHubIdentityProvider { + if in == nil { + return nil + } + out := new(GitHubIdentityProvider) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *GitHubIdentityProvider) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *GitHubIdentityProviderList) DeepCopyInto(out *GitHubIdentityProviderList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]GitHubIdentityProvider, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubIdentityProviderList. +func (in *GitHubIdentityProviderList) DeepCopy() *GitHubIdentityProviderList { + if in == nil { + return nil + } + out := new(GitHubIdentityProviderList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *GitHubIdentityProviderList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *GitHubIdentityProviderSpec) DeepCopyInto(out *GitHubIdentityProviderSpec) { + *out = *in + in.GitHubApi.DeepCopyInto(&out.GitHubApi) + out.Claims = in.Claims + if in.AllowedOrganizations != nil { + in, out := &in.AllowedOrganizations, &out.AllowedOrganizations + *out = make([]string, len(*in)) + copy(*out, *in) + } + out.Client = in.Client + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubIdentityProviderSpec. +func (in *GitHubIdentityProviderSpec) DeepCopy() *GitHubIdentityProviderSpec { + if in == nil { + return nil + } + out := new(GitHubIdentityProviderSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *GitHubIdentityProviderStatus) DeepCopyInto(out *GitHubIdentityProviderStatus) { + *out = *in + if in.Conditions != nil { + in, out := &in.Conditions, &out.Conditions + *out = make([]v1.Condition, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubIdentityProviderStatus. +func (in *GitHubIdentityProviderStatus) DeepCopy() *GitHubIdentityProviderStatus { + if in == nil { + return nil + } + out := new(GitHubIdentityProviderStatus) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *LDAPIdentityProvider) DeepCopyInto(out *LDAPIdentityProvider) { *out = *in diff --git a/generated/latest/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_githubidentityprovider.go b/generated/latest/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_githubidentityprovider.go new file mode 100644 index 0000000000..92a26af6b7 --- /dev/null +++ b/generated/latest/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_githubidentityprovider.go @@ -0,0 +1,128 @@ +// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package fake + +import ( + "context" + + v1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/idp/v1alpha1" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + labels "k8s.io/apimachinery/pkg/labels" + types "k8s.io/apimachinery/pkg/types" + watch "k8s.io/apimachinery/pkg/watch" + testing "k8s.io/client-go/testing" +) + +// FakeGitHubIdentityProviders implements GitHubIdentityProviderInterface +type FakeGitHubIdentityProviders struct { + Fake *FakeIDPV1alpha1 + ns string +} + +var githubidentityprovidersResource = v1alpha1.SchemeGroupVersion.WithResource("githubidentityproviders") + +var githubidentityprovidersKind = v1alpha1.SchemeGroupVersion.WithKind("GitHubIdentityProvider") + +// Get takes name of the gitHubIdentityProvider, and returns the corresponding gitHubIdentityProvider object, and an error if there is any. +func (c *FakeGitHubIdentityProviders) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.GitHubIdentityProvider, err error) { + obj, err := c.Fake. + Invokes(testing.NewGetAction(githubidentityprovidersResource, c.ns, name), &v1alpha1.GitHubIdentityProvider{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.GitHubIdentityProvider), err +} + +// List takes label and field selectors, and returns the list of GitHubIdentityProviders that match those selectors. +func (c *FakeGitHubIdentityProviders) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.GitHubIdentityProviderList, err error) { + obj, err := c.Fake. + Invokes(testing.NewListAction(githubidentityprovidersResource, githubidentityprovidersKind, c.ns, opts), &v1alpha1.GitHubIdentityProviderList{}) + + if obj == nil { + return nil, err + } + + label, _, _ := testing.ExtractFromListOptions(opts) + if label == nil { + label = labels.Everything() + } + list := &v1alpha1.GitHubIdentityProviderList{ListMeta: obj.(*v1alpha1.GitHubIdentityProviderList).ListMeta} + for _, item := range obj.(*v1alpha1.GitHubIdentityProviderList).Items { + if label.Matches(labels.Set(item.Labels)) { + list.Items = append(list.Items, item) + } + } + return list, err +} + +// Watch returns a watch.Interface that watches the requested gitHubIdentityProviders. +func (c *FakeGitHubIdentityProviders) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) { + return c.Fake. + InvokesWatch(testing.NewWatchAction(githubidentityprovidersResource, c.ns, opts)) + +} + +// Create takes the representation of a gitHubIdentityProvider and creates it. Returns the server's representation of the gitHubIdentityProvider, and an error, if there is any. +func (c *FakeGitHubIdentityProviders) Create(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.CreateOptions) (result *v1alpha1.GitHubIdentityProvider, err error) { + obj, err := c.Fake. + Invokes(testing.NewCreateAction(githubidentityprovidersResource, c.ns, gitHubIdentityProvider), &v1alpha1.GitHubIdentityProvider{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.GitHubIdentityProvider), err +} + +// Update takes the representation of a gitHubIdentityProvider and updates it. Returns the server's representation of the gitHubIdentityProvider, and an error, if there is any. +func (c *FakeGitHubIdentityProviders) Update(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.UpdateOptions) (result *v1alpha1.GitHubIdentityProvider, err error) { + obj, err := c.Fake. + Invokes(testing.NewUpdateAction(githubidentityprovidersResource, c.ns, gitHubIdentityProvider), &v1alpha1.GitHubIdentityProvider{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.GitHubIdentityProvider), err +} + +// UpdateStatus was generated because the type contains a Status member. +// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus(). +func (c *FakeGitHubIdentityProviders) UpdateStatus(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.UpdateOptions) (*v1alpha1.GitHubIdentityProvider, error) { + obj, err := c.Fake. + Invokes(testing.NewUpdateSubresourceAction(githubidentityprovidersResource, "status", c.ns, gitHubIdentityProvider), &v1alpha1.GitHubIdentityProvider{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.GitHubIdentityProvider), err +} + +// Delete takes name of the gitHubIdentityProvider and deletes it. Returns an error if one occurs. +func (c *FakeGitHubIdentityProviders) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error { + _, err := c.Fake. + Invokes(testing.NewDeleteActionWithOptions(githubidentityprovidersResource, c.ns, name, opts), &v1alpha1.GitHubIdentityProvider{}) + + return err +} + +// DeleteCollection deletes a collection of objects. +func (c *FakeGitHubIdentityProviders) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error { + action := testing.NewDeleteCollectionAction(githubidentityprovidersResource, c.ns, listOpts) + + _, err := c.Fake.Invokes(action, &v1alpha1.GitHubIdentityProviderList{}) + return err +} + +// Patch applies the patch and returns the patched gitHubIdentityProvider. +func (c *FakeGitHubIdentityProviders) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.GitHubIdentityProvider, err error) { + obj, err := c.Fake. + Invokes(testing.NewPatchSubresourceAction(githubidentityprovidersResource, c.ns, name, pt, data, subresources...), &v1alpha1.GitHubIdentityProvider{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.GitHubIdentityProvider), err +} diff --git a/generated/latest/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_idp_client.go b/generated/latest/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_idp_client.go index 4c12669cb5..66ac8e9796 100644 --- a/generated/latest/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_idp_client.go +++ b/generated/latest/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_idp_client.go @@ -19,6 +19,10 @@ func (c *FakeIDPV1alpha1) ActiveDirectoryIdentityProviders(namespace string) v1a return &FakeActiveDirectoryIdentityProviders{c, namespace} } +func (c *FakeIDPV1alpha1) GitHubIdentityProviders(namespace string) v1alpha1.GitHubIdentityProviderInterface { + return &FakeGitHubIdentityProviders{c, namespace} +} + func (c *FakeIDPV1alpha1) LDAPIdentityProviders(namespace string) v1alpha1.LDAPIdentityProviderInterface { return &FakeLDAPIdentityProviders{c, namespace} } diff --git a/generated/latest/client/supervisor/clientset/versioned/typed/idp/v1alpha1/generated_expansion.go b/generated/latest/client/supervisor/clientset/versioned/typed/idp/v1alpha1/generated_expansion.go index 79be098d6c..a7acc8120f 100644 --- a/generated/latest/client/supervisor/clientset/versioned/typed/idp/v1alpha1/generated_expansion.go +++ b/generated/latest/client/supervisor/clientset/versioned/typed/idp/v1alpha1/generated_expansion.go @@ -7,6 +7,8 @@ package v1alpha1 type ActiveDirectoryIdentityProviderExpansion interface{} +type GitHubIdentityProviderExpansion interface{} + type LDAPIdentityProviderExpansion interface{} type OIDCIdentityProviderExpansion interface{} diff --git a/generated/latest/client/supervisor/clientset/versioned/typed/idp/v1alpha1/githubidentityprovider.go b/generated/latest/client/supervisor/clientset/versioned/typed/idp/v1alpha1/githubidentityprovider.go new file mode 100644 index 0000000000..1fdb602701 --- /dev/null +++ b/generated/latest/client/supervisor/clientset/versioned/typed/idp/v1alpha1/githubidentityprovider.go @@ -0,0 +1,182 @@ +// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + "context" + "time" + + v1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/idp/v1alpha1" + scheme "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned/scheme" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + types "k8s.io/apimachinery/pkg/types" + watch "k8s.io/apimachinery/pkg/watch" + rest "k8s.io/client-go/rest" +) + +// GitHubIdentityProvidersGetter has a method to return a GitHubIdentityProviderInterface. +// A group's client should implement this interface. +type GitHubIdentityProvidersGetter interface { + GitHubIdentityProviders(namespace string) GitHubIdentityProviderInterface +} + +// GitHubIdentityProviderInterface has methods to work with GitHubIdentityProvider resources. +type GitHubIdentityProviderInterface interface { + Create(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.CreateOptions) (*v1alpha1.GitHubIdentityProvider, error) + Update(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.UpdateOptions) (*v1alpha1.GitHubIdentityProvider, error) + UpdateStatus(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.UpdateOptions) (*v1alpha1.GitHubIdentityProvider, error) + Delete(ctx context.Context, name string, opts v1.DeleteOptions) error + DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error + Get(ctx context.Context, name string, opts v1.GetOptions) (*v1alpha1.GitHubIdentityProvider, error) + List(ctx context.Context, opts v1.ListOptions) (*v1alpha1.GitHubIdentityProviderList, error) + Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) + Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.GitHubIdentityProvider, err error) + GitHubIdentityProviderExpansion +} + +// gitHubIdentityProviders implements GitHubIdentityProviderInterface +type gitHubIdentityProviders struct { + client rest.Interface + ns string +} + +// newGitHubIdentityProviders returns a GitHubIdentityProviders +func newGitHubIdentityProviders(c *IDPV1alpha1Client, namespace string) *gitHubIdentityProviders { + return &gitHubIdentityProviders{ + client: c.RESTClient(), + ns: namespace, + } +} + +// Get takes name of the gitHubIdentityProvider, and returns the corresponding gitHubIdentityProvider object, and an error if there is any. +func (c *gitHubIdentityProviders) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.GitHubIdentityProvider, err error) { + result = &v1alpha1.GitHubIdentityProvider{} + err = c.client.Get(). + Namespace(c.ns). + Resource("githubidentityproviders"). + Name(name). + VersionedParams(&options, scheme.ParameterCodec). + Do(ctx). + Into(result) + return +} + +// List takes label and field selectors, and returns the list of GitHubIdentityProviders that match those selectors. +func (c *gitHubIdentityProviders) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.GitHubIdentityProviderList, err error) { + var timeout time.Duration + if opts.TimeoutSeconds != nil { + timeout = time.Duration(*opts.TimeoutSeconds) * time.Second + } + result = &v1alpha1.GitHubIdentityProviderList{} + err = c.client.Get(). + Namespace(c.ns). + Resource("githubidentityproviders"). + VersionedParams(&opts, scheme.ParameterCodec). + Timeout(timeout). + Do(ctx). + Into(result) + return +} + +// Watch returns a watch.Interface that watches the requested gitHubIdentityProviders. +func (c *gitHubIdentityProviders) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) { + var timeout time.Duration + if opts.TimeoutSeconds != nil { + timeout = time.Duration(*opts.TimeoutSeconds) * time.Second + } + opts.Watch = true + return c.client.Get(). + Namespace(c.ns). + Resource("githubidentityproviders"). + VersionedParams(&opts, scheme.ParameterCodec). + Timeout(timeout). + Watch(ctx) +} + +// Create takes the representation of a gitHubIdentityProvider and creates it. Returns the server's representation of the gitHubIdentityProvider, and an error, if there is any. +func (c *gitHubIdentityProviders) Create(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.CreateOptions) (result *v1alpha1.GitHubIdentityProvider, err error) { + result = &v1alpha1.GitHubIdentityProvider{} + err = c.client.Post(). + Namespace(c.ns). + Resource("githubidentityproviders"). + VersionedParams(&opts, scheme.ParameterCodec). + Body(gitHubIdentityProvider). + Do(ctx). + Into(result) + return +} + +// Update takes the representation of a gitHubIdentityProvider and updates it. Returns the server's representation of the gitHubIdentityProvider, and an error, if there is any. +func (c *gitHubIdentityProviders) Update(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.UpdateOptions) (result *v1alpha1.GitHubIdentityProvider, err error) { + result = &v1alpha1.GitHubIdentityProvider{} + err = c.client.Put(). + Namespace(c.ns). + Resource("githubidentityproviders"). + Name(gitHubIdentityProvider.Name). + VersionedParams(&opts, scheme.ParameterCodec). + Body(gitHubIdentityProvider). + Do(ctx). + Into(result) + return +} + +// UpdateStatus was generated because the type contains a Status member. +// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus(). +func (c *gitHubIdentityProviders) UpdateStatus(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.UpdateOptions) (result *v1alpha1.GitHubIdentityProvider, err error) { + result = &v1alpha1.GitHubIdentityProvider{} + err = c.client.Put(). + Namespace(c.ns). + Resource("githubidentityproviders"). + Name(gitHubIdentityProvider.Name). + SubResource("status"). + VersionedParams(&opts, scheme.ParameterCodec). + Body(gitHubIdentityProvider). + Do(ctx). + Into(result) + return +} + +// Delete takes name of the gitHubIdentityProvider and deletes it. Returns an error if one occurs. +func (c *gitHubIdentityProviders) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error { + return c.client.Delete(). + Namespace(c.ns). + Resource("githubidentityproviders"). + Name(name). + Body(&opts). + Do(ctx). + Error() +} + +// DeleteCollection deletes a collection of objects. +func (c *gitHubIdentityProviders) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error { + var timeout time.Duration + if listOpts.TimeoutSeconds != nil { + timeout = time.Duration(*listOpts.TimeoutSeconds) * time.Second + } + return c.client.Delete(). + Namespace(c.ns). + Resource("githubidentityproviders"). + VersionedParams(&listOpts, scheme.ParameterCodec). + Timeout(timeout). + Body(&opts). + Do(ctx). + Error() +} + +// Patch applies the patch and returns the patched gitHubIdentityProvider. +func (c *gitHubIdentityProviders) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.GitHubIdentityProvider, err error) { + result = &v1alpha1.GitHubIdentityProvider{} + err = c.client.Patch(pt). + Namespace(c.ns). + Resource("githubidentityproviders"). + Name(name). + SubResource(subresources...). + VersionedParams(&opts, scheme.ParameterCodec). + Body(data). + Do(ctx). + Into(result) + return +} diff --git a/generated/latest/client/supervisor/clientset/versioned/typed/idp/v1alpha1/idp_client.go b/generated/latest/client/supervisor/clientset/versioned/typed/idp/v1alpha1/idp_client.go index 92f07c525c..f97dc2b579 100644 --- a/generated/latest/client/supervisor/clientset/versioned/typed/idp/v1alpha1/idp_client.go +++ b/generated/latest/client/supervisor/clientset/versioned/typed/idp/v1alpha1/idp_client.go @@ -16,6 +16,7 @@ import ( type IDPV1alpha1Interface interface { RESTClient() rest.Interface ActiveDirectoryIdentityProvidersGetter + GitHubIdentityProvidersGetter LDAPIdentityProvidersGetter OIDCIdentityProvidersGetter } @@ -29,6 +30,10 @@ func (c *IDPV1alpha1Client) ActiveDirectoryIdentityProviders(namespace string) A return newActiveDirectoryIdentityProviders(c, namespace) } +func (c *IDPV1alpha1Client) GitHubIdentityProviders(namespace string) GitHubIdentityProviderInterface { + return newGitHubIdentityProviders(c, namespace) +} + func (c *IDPV1alpha1Client) LDAPIdentityProviders(namespace string) LDAPIdentityProviderInterface { return newLDAPIdentityProviders(c, namespace) } diff --git a/generated/latest/client/supervisor/informers/externalversions/generic.go b/generated/latest/client/supervisor/informers/externalversions/generic.go index 1a0ceca9dd..ac9a51d093 100644 --- a/generated/latest/client/supervisor/informers/externalversions/generic.go +++ b/generated/latest/client/supervisor/informers/externalversions/generic.go @@ -49,6 +49,8 @@ func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource // Group=idp.supervisor.pinniped.dev, Version=v1alpha1 case idpv1alpha1.SchemeGroupVersion.WithResource("activedirectoryidentityproviders"): return &genericInformer{resource: resource.GroupResource(), informer: f.IDP().V1alpha1().ActiveDirectoryIdentityProviders().Informer()}, nil + case idpv1alpha1.SchemeGroupVersion.WithResource("githubidentityproviders"): + return &genericInformer{resource: resource.GroupResource(), informer: f.IDP().V1alpha1().GitHubIdentityProviders().Informer()}, nil case idpv1alpha1.SchemeGroupVersion.WithResource("ldapidentityproviders"): return &genericInformer{resource: resource.GroupResource(), informer: f.IDP().V1alpha1().LDAPIdentityProviders().Informer()}, nil case idpv1alpha1.SchemeGroupVersion.WithResource("oidcidentityproviders"): diff --git a/generated/latest/client/supervisor/informers/externalversions/idp/v1alpha1/githubidentityprovider.go b/generated/latest/client/supervisor/informers/externalversions/idp/v1alpha1/githubidentityprovider.go new file mode 100644 index 0000000000..1fed31c5e9 --- /dev/null +++ b/generated/latest/client/supervisor/informers/externalversions/idp/v1alpha1/githubidentityprovider.go @@ -0,0 +1,77 @@ +// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by informer-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + "context" + time "time" + + idpv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/idp/v1alpha1" + versioned "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned" + internalinterfaces "go.pinniped.dev/generated/latest/client/supervisor/informers/externalversions/internalinterfaces" + v1alpha1 "go.pinniped.dev/generated/latest/client/supervisor/listers/idp/v1alpha1" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + runtime "k8s.io/apimachinery/pkg/runtime" + watch "k8s.io/apimachinery/pkg/watch" + cache "k8s.io/client-go/tools/cache" +) + +// GitHubIdentityProviderInformer provides access to a shared informer and lister for +// GitHubIdentityProviders. +type GitHubIdentityProviderInformer interface { + Informer() cache.SharedIndexInformer + Lister() v1alpha1.GitHubIdentityProviderLister +} + +type gitHubIdentityProviderInformer struct { + factory internalinterfaces.SharedInformerFactory + tweakListOptions internalinterfaces.TweakListOptionsFunc + namespace string +} + +// NewGitHubIdentityProviderInformer constructs a new informer for GitHubIdentityProvider type. +// Always prefer using an informer factory to get a shared informer instead of getting an independent +// one. This reduces memory footprint and number of connections to the server. +func NewGitHubIdentityProviderInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer { + return NewFilteredGitHubIdentityProviderInformer(client, namespace, resyncPeriod, indexers, nil) +} + +// NewFilteredGitHubIdentityProviderInformer constructs a new informer for GitHubIdentityProvider type. +// Always prefer using an informer factory to get a shared informer instead of getting an independent +// one. This reduces memory footprint and number of connections to the server. +func NewFilteredGitHubIdentityProviderInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer { + return cache.NewSharedIndexInformer( + &cache.ListWatch{ + ListFunc: func(options v1.ListOptions) (runtime.Object, error) { + if tweakListOptions != nil { + tweakListOptions(&options) + } + return client.IDPV1alpha1().GitHubIdentityProviders(namespace).List(context.TODO(), options) + }, + WatchFunc: func(options v1.ListOptions) (watch.Interface, error) { + if tweakListOptions != nil { + tweakListOptions(&options) + } + return client.IDPV1alpha1().GitHubIdentityProviders(namespace).Watch(context.TODO(), options) + }, + }, + &idpv1alpha1.GitHubIdentityProvider{}, + resyncPeriod, + indexers, + ) +} + +func (f *gitHubIdentityProviderInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer { + return NewFilteredGitHubIdentityProviderInformer(client, f.namespace, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions) +} + +func (f *gitHubIdentityProviderInformer) Informer() cache.SharedIndexInformer { + return f.factory.InformerFor(&idpv1alpha1.GitHubIdentityProvider{}, f.defaultInformer) +} + +func (f *gitHubIdentityProviderInformer) Lister() v1alpha1.GitHubIdentityProviderLister { + return v1alpha1.NewGitHubIdentityProviderLister(f.Informer().GetIndexer()) +} diff --git a/generated/latest/client/supervisor/informers/externalversions/idp/v1alpha1/interface.go b/generated/latest/client/supervisor/informers/externalversions/idp/v1alpha1/interface.go index 60166e32e7..aad59963b4 100644 --- a/generated/latest/client/supervisor/informers/externalversions/idp/v1alpha1/interface.go +++ b/generated/latest/client/supervisor/informers/externalversions/idp/v1alpha1/interface.go @@ -13,6 +13,8 @@ import ( type Interface interface { // ActiveDirectoryIdentityProviders returns a ActiveDirectoryIdentityProviderInformer. ActiveDirectoryIdentityProviders() ActiveDirectoryIdentityProviderInformer + // GitHubIdentityProviders returns a GitHubIdentityProviderInformer. + GitHubIdentityProviders() GitHubIdentityProviderInformer // LDAPIdentityProviders returns a LDAPIdentityProviderInformer. LDAPIdentityProviders() LDAPIdentityProviderInformer // OIDCIdentityProviders returns a OIDCIdentityProviderInformer. @@ -35,6 +37,11 @@ func (v *version) ActiveDirectoryIdentityProviders() ActiveDirectoryIdentityProv return &activeDirectoryIdentityProviderInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions} } +// GitHubIdentityProviders returns a GitHubIdentityProviderInformer. +func (v *version) GitHubIdentityProviders() GitHubIdentityProviderInformer { + return &gitHubIdentityProviderInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions} +} + // LDAPIdentityProviders returns a LDAPIdentityProviderInformer. func (v *version) LDAPIdentityProviders() LDAPIdentityProviderInformer { return &lDAPIdentityProviderInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions} diff --git a/generated/latest/client/supervisor/listers/idp/v1alpha1/expansion_generated.go b/generated/latest/client/supervisor/listers/idp/v1alpha1/expansion_generated.go index b491a9e8d4..470c06abb0 100644 --- a/generated/latest/client/supervisor/listers/idp/v1alpha1/expansion_generated.go +++ b/generated/latest/client/supervisor/listers/idp/v1alpha1/expansion_generated.go @@ -13,6 +13,14 @@ type ActiveDirectoryIdentityProviderListerExpansion interface{} // ActiveDirectoryIdentityProviderNamespaceLister. type ActiveDirectoryIdentityProviderNamespaceListerExpansion interface{} +// GitHubIdentityProviderListerExpansion allows custom methods to be added to +// GitHubIdentityProviderLister. +type GitHubIdentityProviderListerExpansion interface{} + +// GitHubIdentityProviderNamespaceListerExpansion allows custom methods to be added to +// GitHubIdentityProviderNamespaceLister. +type GitHubIdentityProviderNamespaceListerExpansion interface{} + // LDAPIdentityProviderListerExpansion allows custom methods to be added to // LDAPIdentityProviderLister. type LDAPIdentityProviderListerExpansion interface{} diff --git a/generated/latest/client/supervisor/listers/idp/v1alpha1/githubidentityprovider.go b/generated/latest/client/supervisor/listers/idp/v1alpha1/githubidentityprovider.go new file mode 100644 index 0000000000..51564bc9a6 --- /dev/null +++ b/generated/latest/client/supervisor/listers/idp/v1alpha1/githubidentityprovider.go @@ -0,0 +1,86 @@ +// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by lister-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + v1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/idp/v1alpha1" + "k8s.io/apimachinery/pkg/api/errors" + "k8s.io/apimachinery/pkg/labels" + "k8s.io/client-go/tools/cache" +) + +// GitHubIdentityProviderLister helps list GitHubIdentityProviders. +// All objects returned here must be treated as read-only. +type GitHubIdentityProviderLister interface { + // List lists all GitHubIdentityProviders in the indexer. + // Objects returned here must be treated as read-only. + List(selector labels.Selector) (ret []*v1alpha1.GitHubIdentityProvider, err error) + // GitHubIdentityProviders returns an object that can list and get GitHubIdentityProviders. + GitHubIdentityProviders(namespace string) GitHubIdentityProviderNamespaceLister + GitHubIdentityProviderListerExpansion +} + +// gitHubIdentityProviderLister implements the GitHubIdentityProviderLister interface. +type gitHubIdentityProviderLister struct { + indexer cache.Indexer +} + +// NewGitHubIdentityProviderLister returns a new GitHubIdentityProviderLister. +func NewGitHubIdentityProviderLister(indexer cache.Indexer) GitHubIdentityProviderLister { + return &gitHubIdentityProviderLister{indexer: indexer} +} + +// List lists all GitHubIdentityProviders in the indexer. +func (s *gitHubIdentityProviderLister) List(selector labels.Selector) (ret []*v1alpha1.GitHubIdentityProvider, err error) { + err = cache.ListAll(s.indexer, selector, func(m interface{}) { + ret = append(ret, m.(*v1alpha1.GitHubIdentityProvider)) + }) + return ret, err +} + +// GitHubIdentityProviders returns an object that can list and get GitHubIdentityProviders. +func (s *gitHubIdentityProviderLister) GitHubIdentityProviders(namespace string) GitHubIdentityProviderNamespaceLister { + return gitHubIdentityProviderNamespaceLister{indexer: s.indexer, namespace: namespace} +} + +// GitHubIdentityProviderNamespaceLister helps list and get GitHubIdentityProviders. +// All objects returned here must be treated as read-only. +type GitHubIdentityProviderNamespaceLister interface { + // List lists all GitHubIdentityProviders in the indexer for a given namespace. + // Objects returned here must be treated as read-only. + List(selector labels.Selector) (ret []*v1alpha1.GitHubIdentityProvider, err error) + // Get retrieves the GitHubIdentityProvider from the indexer for a given namespace and name. + // Objects returned here must be treated as read-only. + Get(name string) (*v1alpha1.GitHubIdentityProvider, error) + GitHubIdentityProviderNamespaceListerExpansion +} + +// gitHubIdentityProviderNamespaceLister implements the GitHubIdentityProviderNamespaceLister +// interface. +type gitHubIdentityProviderNamespaceLister struct { + indexer cache.Indexer + namespace string +} + +// List lists all GitHubIdentityProviders in the indexer for a given namespace. +func (s gitHubIdentityProviderNamespaceLister) List(selector labels.Selector) (ret []*v1alpha1.GitHubIdentityProvider, err error) { + err = cache.ListAllByNamespace(s.indexer, s.namespace, selector, func(m interface{}) { + ret = append(ret, m.(*v1alpha1.GitHubIdentityProvider)) + }) + return ret, err +} + +// Get retrieves the GitHubIdentityProvider from the indexer for a given namespace and name. +func (s gitHubIdentityProviderNamespaceLister) Get(name string) (*v1alpha1.GitHubIdentityProvider, error) { + obj, exists, err := s.indexer.GetByKey(s.namespace + "/" + name) + if err != nil { + return nil, err + } + if !exists { + return nil, errors.NewNotFound(v1alpha1.Resource("githubidentityprovider"), name) + } + return obj.(*v1alpha1.GitHubIdentityProvider), nil +} diff --git a/test/integration/kube_api_discovery_test.go b/test/integration/kube_api_discovery_test.go index f7756f3936..df3a3479b5 100644 --- a/test/integration/kube_api_discovery_test.go +++ b/test/integration/kube_api_discovery_test.go @@ -248,6 +248,20 @@ func TestGetAPIResourceList(t *testing.T) { //nolint:gocyclo // each t.Run is pr Kind: "ActiveDirectoryIdentityProvider", Verbs: []string{"get", "patch", "update"}, }, + { + Name: "githubidentityproviders", + SingularName: "githubidentityprovider", + Namespaced: true, + Kind: "GitHubIdentityProvider", + Verbs: []string{"delete", "deletecollection", "get", "list", "patch", "create", "update", "watch"}, + Categories: []string{"pinniped", "pinniped-idp", "pinniped-idps"}, + }, + { + Name: "githubidentityproviders/status", + Namespaced: true, + Kind: "GitHubIdentityProvider", + Verbs: []string{"get", "patch", "update"}, + }, }, }, }, @@ -438,7 +452,7 @@ func TestGetAPIResourceList(t *testing.T) { //nolint:gocyclo // each t.Run is pr } // manually update this value whenever you add additional fields to an API resource and then run the generator - totalExpectedAPIFields := 260 + totalExpectedAPIFields := 284 // Because we are parsing text from `kubectl explain` and because the format of that text can change // over time, make a rudimentary assertion that this test exercised the whole tree of all fields of all @@ -579,6 +593,13 @@ func TestCRDAdditionalPrinterColumns_Parallel(t *testing.T) { {Name: "Age", Type: "date", JSONPath: ".metadata.creationTimestamp"}, }, }, + addSuffix("githubidentityproviders.idp.supervisor"): { + "v1alpha1": []apiextensionsv1.CustomResourceColumnDefinition{ + {Name: "Host", Type: "string", JSONPath: ".spec.gitHubAPI.host"}, + {Name: "Status", Type: "string", JSONPath: ".status.phase"}, + {Name: "Age", Type: "date", JSONPath: ".metadata.creationTimestamp"}, + }, + }, addSuffix("oidcclients.config.supervisor"): { "v1alpha1": []apiextensionsv1.CustomResourceColumnDefinition{ {Name: "Privileged Scopes", Type: "string", JSONPath: `.spec.allowedScopes[?(@ == "pinniped:request-audience")]`}, @@ -589,8 +610,19 @@ func TestCRDAdditionalPrinterColumns_Parallel(t *testing.T) { }, } - actualPinnipedCRDCount := 0 - expectedPinnipedCRDCount := 8 // the current number of CRDs that we ship as part of Pinniped + // the current CRDs that we ship as part of Pinniped + expectedPinnipedCRDNames := []string{ + "activedirectoryidentityproviders.idp.supervisor.pinniped.dev", + "credentialissuers.config.concierge.pinniped.dev", + "federationdomains.config.supervisor.pinniped.dev", + "githubidentityproviders.idp.supervisor.pinniped.dev", + "jwtauthenticators.authentication.concierge.pinniped.dev", + "ldapidentityproviders.idp.supervisor.pinniped.dev", + "oidcclients.config.supervisor.pinniped.dev", + "oidcidentityproviders.idp.supervisor.pinniped.dev", + "webhookauthenticators.authentication.concierge.pinniped.dev"} + + actualPinnipedCRDNames := make([]string, 0) for _, crd := range crdList.Items { if !strings.Contains(crd.Spec.Group, env.APIGroupSuffix) { @@ -598,7 +630,7 @@ func TestCRDAdditionalPrinterColumns_Parallel(t *testing.T) { } // Found a Pinniped CRD, so let's check it for AdditionalPrinterColumns. - actualPinnipedCRDCount++ + actualPinnipedCRDNames = append(actualPinnipedCRDNames, crd.Name) for _, version := range crd.Spec.Versions { expectedColumns, ok := expectedColumnsPerCRDVersion[crd.Name][version.Name] @@ -612,7 +644,7 @@ func TestCRDAdditionalPrinterColumns_Parallel(t *testing.T) { } // Make sure that the logic of this test did not accidentally skip a CRD that it should have interrogated. - require.Equal(t, expectedPinnipedCRDCount, actualPinnipedCRDCount, + require.ElementsMatch(t, expectedPinnipedCRDNames, actualPinnipedCRDNames, "did not find expected number of Pinniped CRDs to check for additionalPrinterColumns") }