From 8ea393e3dee0b6f121d8da5b02190719246464d9 Mon Sep 17 00:00:00 2001 From: Joshua Casey Date: Wed, 31 Jul 2024 15:17:00 -0500 Subject: [PATCH 1/6] Move prepare_controllers alongside Concierge server code --- .../server}/prepare_controllers.go | 4 +--- internal/concierge/server/server.go | 5 ++--- 2 files changed, 3 insertions(+), 6 deletions(-) rename internal/{controllermanager => concierge/server}/prepare_controllers.go (98%) diff --git a/internal/controllermanager/prepare_controllers.go b/internal/concierge/server/prepare_controllers.go similarity index 98% rename from internal/controllermanager/prepare_controllers.go rename to internal/concierge/server/prepare_controllers.go index b3aa5468c..5b5c9cf02 100644 --- a/internal/controllermanager/prepare_controllers.go +++ b/internal/concierge/server/prepare_controllers.go @@ -1,9 +1,7 @@ // Copyright 2020-2024 the Pinniped contributors. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 -// Package controllermanager provides an entrypoint into running all of the controllers that run as -// a part of Pinniped. -package controllermanager +package server import ( "fmt" diff --git a/internal/concierge/server/server.go b/internal/concierge/server/server.go index 67629c6ab..cf829379c 100644 --- a/internal/concierge/server/server.go +++ b/internal/concierge/server/server.go @@ -32,7 +32,6 @@ import ( "go.pinniped.dev/internal/config/featuregates" "go.pinniped.dev/internal/controller/authenticator/authncache" "go.pinniped.dev/internal/controllerinit" - "go.pinniped.dev/internal/controllermanager" "go.pinniped.dev/internal/crypto/ptls" "go.pinniped.dev/internal/downward" "go.pinniped.dev/internal/dynamiccert" 
@@ -152,8 +151,8 @@ func (a *App) runServer(ctx context.Context) error { // Prepare to start the controllers, but defer actually starting them until the // post start hook of the aggregated API server. - buildControllers, err := controllermanager.PrepareControllers( - &controllermanager.Config{ + buildControllers, err := PrepareControllers( + &Config{ ServerInstallationInfo: podInfo, APIGroupSuffix: *cfg.APIGroupSuffix, NamesConfig: &cfg.NamesConfig, From cfb51b33374a76feb8b20e0306dc47d5a045433c Mon Sep 17 00:00:00 2001 From: Joshua Casey Date: Wed, 31 Jul 2024 16:04:08 -0500 Subject: [PATCH 2/6] Rename certsManagerController to certsCreatorController --- internal/concierge/server/prepare_controllers.go | 4 ++-- .../apicerts/{certs_manager.go => certs_creator.go} | 10 +++++----- .../{certs_manager_test.go => certs_creator_test.go} | 4 ++-- .../localuserauthenticator/localuserauthenticator.go | 2 +- internal/supervisor/server/server.go | 2 +- 5 files changed, 11 insertions(+), 11 deletions(-) rename internal/controller/apicerts/{certs_manager.go => certs_creator.go} (95%) rename internal/controller/apicerts/{certs_manager_test.go => certs_creator_test.go} (99%) diff --git a/internal/concierge/server/prepare_controllers.go b/internal/concierge/server/prepare_controllers.go index 5b5c9cf02..9cda1929d 100644 --- a/internal/concierge/server/prepare_controllers.go +++ b/internal/concierge/server/prepare_controllers.go @@ -146,7 +146,7 @@ func PrepareControllers(c *Config) (controllerinit.RunnerBuilder, error) { //nol // API certs controllers are responsible for managing the TLS certificates used to serve Pinniped's API. WithController( - apicerts.NewCertsManagerController( + apicerts.NewCertsCreatorController( c.ServerInstallationInfo.Namespace, c.NamesConfig.ServingCertificateSecret, c.Labels, 
@@ -300,7 +300,7 @@ func PrepareControllers(c *Config) (controllerinit.RunnerBuilder, error) { //nol singletonWorker, ). WithController( - apicerts.NewCertsManagerController( + apicerts.NewCertsCreatorController( c.ServerInstallationInfo.Namespace, c.NamesConfig.ImpersonationSignerSecret, c.Labels, diff --git a/internal/controller/apicerts/certs_manager.go b/internal/controller/apicerts/certs_creator.go similarity index 95% rename from internal/controller/apicerts/certs_manager.go rename to internal/controller/apicerts/certs_creator.go index e462794e4..8df8837e5 100644 --- a/internal/controller/apicerts/certs_manager.go +++ b/internal/controller/apicerts/certs_creator.go @@ -26,7 +26,7 @@ const ( TLSCertificateChainSecretKey = "tlsCertificateChain" ) -type certsManagerController struct { +type certsCreatorController struct { namespace string certsSecretResourceName string certsSecretLabels map[string]string @@ -41,7 +41,7 @@ type certsManagerController struct { serviceNameForGeneratedCertCommonName string } -func NewCertsManagerController( +func NewCertsCreatorController( namespace string, certsSecretResourceName string, certsSecretLabels map[string]string, @@ -56,7 +56,7 @@ func NewCertsManagerController( return controllerlib.New( controllerlib.Config{ Name: "certs-manager-controller", - Syncer: &certsManagerController{ + Syncer: &certsCreatorController{ namespace: namespace, certsSecretResourceName: certsSecretResourceName, certsSecretLabels: certsSecretLabels, @@ -80,7 +80,7 @@ func NewCertsManagerController( ) } -func (c *certsManagerController) Sync(ctx controllerlib.Context) error { +func (c *certsCreatorController) Sync(ctx controllerlib.Context) error { // Try to get the secret from the informer cache. _, err := c.secretInformer.Lister().Secrets(c.namespace).Get(c.certsSecretResourceName) notFound := apierrors.IsNotFound(err) 
@@ -140,6 +140,6 @@ func (c *certsManagerController) Sync(ctx controllerlib.Context) error { return fmt.Errorf("could not create secret: %w", err) } - plog.Info("certsManagerController Sync successfully created secret") + plog.Info("certsCreatorController Sync successfully created secret") return nil } diff --git a/internal/controller/apicerts/certs_manager_test.go b/internal/controller/apicerts/certs_creator_test.go similarity index 99% rename from internal/controller/apicerts/certs_manager_test.go rename to internal/controller/apicerts/certs_creator_test.go index e51c618f3..aacdaf41d 100644 --- a/internal/controller/apicerts/certs_manager_test.go +++ b/internal/controller/apicerts/certs_creator_test.go @@ -39,7 +39,7 @@ func TestManagerControllerOptions(t *testing.T) { observableWithInformerOption = testutil.NewObservableWithInformerOption() observableWithInitialEventOption = testutil.NewObservableWithInitialEventOption() secretsInformer := k8sinformers.NewSharedInformerFactory(nil, 0).Core().V1().Secrets() - _ = NewCertsManagerController( + _ = NewCertsCreatorController( installedInNamespace, certsSecretResourceName, make(map[string]string), @@ -134,7 +134,7 @@ func TestManagerControllerSync(t *testing.T) { // nested Before's can keep adding things to the informer caches. var startInformersAndController = func(serviceName string) { // Set this at the last second to allow for injection of server override. - subject = NewCertsManagerController( + subject = NewCertsCreatorController( installedInNamespace, certsSecretResourceName, map[string]string{ diff --git a/internal/localuserauthenticator/localuserauthenticator.go b/internal/localuserauthenticator/localuserauthenticator.go index 33ee42b25..0840d3f93 100644 --- a/internal/localuserauthenticator/localuserauthenticator.go +++ b/internal/localuserauthenticator/localuserauthenticator.go 
@@ -293,7 +293,7 @@ func startControllers( controllerManager := controllerlib. NewManager(). WithController( - apicerts.NewCertsManagerController( + apicerts.NewCertsCreatorController( namespace, certsSecretResourceName, map[string]string{ diff --git a/internal/supervisor/server/server.go b/internal/supervisor/server/server.go index a87160486..e0e87499d 100644 --- a/internal/supervisor/server/server.go +++ b/internal/supervisor/server/server.go @@ -349,7 +349,7 @@ func prepareControllers( ), singletonWorker). WithController( - apicerts.NewCertsManagerController( + apicerts.NewCertsCreatorController( podInfo.Namespace, certificateName, cfg.Labels, From 2e996aaecdea394a4a663e37b899ae4ff383b162 Mon Sep 17 00:00:00 2001 From: Joshua Casey Date: Thu, 1 Aug 2024 10:16:16 -0500 Subject: [PATCH 3/6] Refactor: Use secret.Data instead of secret.StringData --- .../controller/apicerts/apiservice_updater.go | 8 +++++++- internal/controller/apicerts/certs_creator.go | 10 +++++----- .../controller/apicerts/certs_creator_test.go | 16 ++++++++-------- .../controller/apicerts/update_api_service.go | 9 +++++++-- 4 files changed, 27 insertions(+), 16 deletions(-) diff --git a/internal/controller/apicerts/apiservice_updater.go b/internal/controller/apicerts/apiservice_updater.go index f938b436e..15373ec9f 100644 --- a/internal/controller/apicerts/apiservice_updater.go +++ b/internal/controller/apicerts/apiservice_updater.go @@ -64,7 +64,13 @@ func (c *apiServiceUpdaterController) Sync(ctx controllerlib.Context) error { } // Update the APIService to give it the new CA bundle. - if err := UpdateAPIService(ctx.Context, c.aggregatorClient, c.apiServiceName, c.namespace, certSecret.Data[CACertificateSecretKey]); err != nil { + if err := UpdateAPIService( + ctx.Context, + c.aggregatorClient, + c.apiServiceName, + c.namespace, + certSecret.Data[CACertificateSecretKey], + ); err != nil { return fmt.Errorf("could not update the API service: %w", err) } 
diff --git a/internal/controller/apicerts/certs_creator.go b/internal/controller/apicerts/certs_creator.go index 8df8837e5..bd2e0e6fc 100644 --- a/internal/controller/apicerts/certs_creator.go +++ b/internal/controller/apicerts/certs_creator.go @@ -110,9 +110,9 @@ func (c *certsCreatorController) Sync(ctx controllerlib.Context) error { Namespace: c.namespace, Labels: c.certsSecretLabels, }, - StringData: map[string]string{ - CACertificateSecretKey: string(ca.Bundle()), - CACertificatePrivateKeySecretKey: string(caPrivateKeyPEM), + Data: map[string][]byte{ + CACertificateSecretKey: ca.Bundle(), + CACertificatePrivateKeySecretKey: caPrivateKeyPEM, }, } @@ -131,8 +131,8 @@ func (c *certsCreatorController) Sync(ctx controllerlib.Context) error { return fmt.Errorf("could not PEM encode serving certificate: %w", err) } - secret.StringData[tlsPrivateKeySecretKey] = string(tlsPrivateKeyPEM) - secret.StringData[TLSCertificateChainSecretKey] = string(tlsCertChainPEM) + secret.Data[tlsPrivateKeySecretKey] = tlsPrivateKeyPEM + secret.Data[TLSCertificateChainSecretKey] = tlsCertChainPEM } _, err = c.k8sClient.CoreV1().Secrets(c.namespace).Create(ctx.Context, &secret, metav1.CreateOptions{}) diff --git a/internal/controller/apicerts/certs_creator_test.go b/internal/controller/apicerts/certs_creator_test.go index aacdaf41d..16668f79c 100644 --- a/internal/controller/apicerts/certs_creator_test.go +++ b/internal/controller/apicerts/certs_creator_test.go 
@@ -208,15 +208,15 @@ func TestManagerControllerSync(t *testing.T) { "myLabelKey1": "myLabelValue1", "myLabelKey2": "myLabelValue2", }, actualSecret.Labels) - actualCACert := actualSecret.StringData["caCertificate"] - actualCAPrivateKey := actualSecret.StringData["caCertificatePrivateKey"] - actualPrivateKey := actualSecret.StringData["tlsPrivateKey"] - actualCertChain := actualSecret.StringData["tlsCertificateChain"] + actualCACert := string(actualSecret.Data["caCertificate"]) + actualCAPrivateKey := string(actualSecret.Data["caCertificatePrivateKey"]) + actualPrivateKey := string(actualSecret.Data["tlsPrivateKey"]) + actualCertChain := string(actualSecret.Data["tlsCertificateChain"]) r.NotEmpty(actualCACert) r.NotEmpty(actualCAPrivateKey) r.NotEmpty(actualPrivateKey) r.NotEmpty(actualCertChain) - r.Len(actualSecret.StringData, 4) + r.Len(actualSecret.Data, 4) validCACert := testutil.ValidateServerCertificate(t, actualCACert, actualCACert) validCACert.RequireMatchesPrivateKey(actualCAPrivateKey) @@ -247,11 +247,11 @@ func TestManagerControllerSync(t *testing.T) { "myLabelKey1": "myLabelValue1", "myLabelKey2": "myLabelValue2", }, actualSecret.Labels) - actualCACert := actualSecret.StringData["caCertificate"] - actualCAPrivateKey := actualSecret.StringData["caCertificatePrivateKey"] + actualCACert := string(actualSecret.Data["caCertificate"]) + actualCAPrivateKey := string(actualSecret.Data["caCertificatePrivateKey"]) r.NotEmpty(actualCACert) r.NotEmpty(actualCAPrivateKey) - r.Len(actualSecret.StringData, 2) + r.Len(actualSecret.Data, 2) validCACert := testutil.ValidateServerCertificate(t, actualCACert, actualCACert) validCACert.RequireMatchesPrivateKey(actualCAPrivateKey) diff --git a/internal/controller/apicerts/update_api_service.go b/internal/controller/apicerts/update_api_service.go index 25566e71b..87e007cdd 100644 --- a/internal/controller/apicerts/update_api_service.go +++ b/internal/controller/apicerts/update_api_service.go 
@@ -1,4 +1,4 @@ -// Copyright 2020 the Pinniped contributors. All Rights Reserved. +// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 package apicerts @@ -14,7 +14,12 @@ import ( ) // UpdateAPIService updates the APIService's CA bundle. -func UpdateAPIService(ctx context.Context, aggregatorClient aggregatorclient.Interface, apiServiceName, serviceNamespace string, aggregatedAPIServerCA []byte) error { +func UpdateAPIService( + ctx context.Context, + aggregatorClient aggregatorclient.Interface, + apiServiceName, serviceNamespace string, + aggregatedAPIServerCA []byte, +) error { apiServices := aggregatorClient.ApiregistrationV1().APIServices() if err := retry.RetryOnConflict(retry.DefaultRetry, func() error { From e6a0f94f8f9217a5023063b41af6502f4dd3b052 Mon Sep 17 00:00:00 2001 
From: Joshua Casey Date: Thu, 1 Aug 2024 11:35:57 -0500 Subject: [PATCH 4/6] Restrict which packages are aware of the keys used in Pinniped-generated certificate secrets --- .../concierge/server/prepare_controllers.go | 8 +- .../controller/apicerts/apiservice_updater.go | 7 +- .../apicerts/apiservice_updater_test.go | 14 ++- internal/controller/apicerts/certs_creator.go | 18 ++-- internal/controller/apicerts/certs_expirer.go | 12 ++- .../controller/apicerts/certs_expirer_test.go | 14 +-- .../controller/apicerts/certs_observer.go | 5 +- .../apicerts/certs_observer_test.go | 18 ++-- .../apicerts/retrieve_from_secret.go | 30 +++++++ .../apicerts/retrieve_from_secret_test.go | 87 +++++++++++++++++++ .../apicerts/testdata/private_key_prefix.txt | 0 .../impersonatorconfig/impersonator_config.go | 6 +- .../impersonator_config_test.go | 11 ++- .../localuserauthenticator.go | 1 + internal/supervisor/server/server.go | 4 +- 15 files changed, 196 insertions(+), 39 deletions(-) create mode 100644 internal/controller/apicerts/retrieve_from_secret.go create mode 100644 internal/controller/apicerts/retrieve_from_secret_test.go create mode 100644 internal/controller/apicerts/testdata/private_key_prefix.txt diff --git a/internal/concierge/server/prepare_controllers.go b/internal/concierge/server/prepare_controllers.go index 9cda1929d..95e9de615 100644 --- a/internal/concierge/server/prepare_controllers.go +++ b/internal/concierge/server/prepare_controllers.go @@ -164,6 +164,7 @@ func PrepareControllers(c *Config) (controllerinit.RunnerBuilder, error) { //nol apicerts.NewAPIServiceUpdaterController( c.ServerInstallationInfo.Namespace, c.NamesConfig.ServingCertificateSecret, + apicerts.RetrieveCAFromSecret, loginConciergeGroupData.APIServiceName(), client.Aggregation, informers.installationNamespaceK8s.Core().V1().Secrets(), 
@@ -175,6 +176,7 @@ func PrepareControllers(c *Config) (controllerinit.RunnerBuilder, error) { //nol apicerts.NewAPIServiceUpdaterController( c.ServerInstallationInfo.Namespace, c.NamesConfig.ServingCertificateSecret, + apicerts.RetrieveCAFromSecret, identityConciergeGroupData.APIServiceName(), client.Aggregation, informers.installationNamespaceK8s.Core().V1().Secrets(), @@ -186,6 +188,7 @@ func PrepareControllers(c *Config) (controllerinit.RunnerBuilder, error) { //nol apicerts.NewCertsObserverController( c.ServerInstallationInfo.Namespace, c.NamesConfig.ServingCertificateSecret, + apicerts.RetrieveCertificateFromSecret, c.DynamicServingCertProvider, informers.installationNamespaceK8s.Core().V1().Secrets(), controllerlib.WithInformer, @@ -200,7 +203,7 @@ func PrepareControllers(c *Config) (controllerinit.RunnerBuilder, error) { //nol informers.installationNamespaceK8s.Core().V1().Secrets(), controllerlib.WithInformer, c.ServingCertRenewBefore, - apicerts.TLSCertificateChainSecretKey, + apicerts.RetrieveCertificateFromSecret, plog.New(), ), singletonWorker, @@ -293,6 +296,7 @@ func PrepareControllers(c *Config) (controllerinit.RunnerBuilder, error) { //nol clock.RealClock{}, impersonator.New, c.NamesConfig.ImpersonationSignerSecret, + apicerts.RetrieveCAFromSecret, c.ImpersonationSigningCertProvider, plog.New(), c.ImpersonationProxyTokenCache, @@ -322,7 +326,7 @@ func PrepareControllers(c *Config) (controllerinit.RunnerBuilder, error) { //nol informers.installationNamespaceK8s.Core().V1().Secrets(), controllerlib.WithInformer, 365*24*time.Hour-time.Hour, // 1 year minus 1 hour hard coded value (i.e. wait until the last moment to break the signer) - apicerts.CACertificateSecretKey, + apicerts.RetrieveCAFromSecret, plog.New(), ), singletonWorker, diff --git a/internal/controller/apicerts/apiservice_updater.go b/internal/controller/apicerts/apiservice_updater.go index 15373ec9f..6e557fdc7 100644 --- a/internal/controller/apicerts/apiservice_updater.go 
+++ b/internal/controller/apicerts/apiservice_updater.go @@ -18,6 +18,7 @@ import ( type apiServiceUpdaterController struct { namespace string certsSecretResourceName string + certificateRetriever RetrieveFromSecretFunc aggregatorClient aggregatorclient.Interface secretInformer corev1informers.SecretInformer apiServiceName string @@ -26,6 +27,7 @@ type apiServiceUpdaterController struct { func NewAPIServiceUpdaterController( namespace string, certsSecretResourceName string, + certificateRetriever RetrieveFromSecretFunc, apiServiceName string, aggregatorClient aggregatorclient.Interface, secretInformer corev1informers.SecretInformer, @@ -37,6 +39,7 @@ func NewAPIServiceUpdaterController( Syncer: &apiServiceUpdaterController{ namespace: namespace, certsSecretResourceName: certsSecretResourceName, + certificateRetriever: certificateRetriever, aggregatorClient: aggregatorClient, secretInformer: secretInformer, apiServiceName: apiServiceName, @@ -63,13 +66,15 @@ func (c *apiServiceUpdaterController) Sync(ctx controllerlib.Context) error { return nil } + caCertPEM, _ := c.certificateRetriever(certSecret) + // Update the APIService to give it the new CA bundle. if err := UpdateAPIService( ctx.Context, c.aggregatorClient, c.apiServiceName, c.namespace, - certSecret.Data[CACertificateSecretKey], + caCertPEM, ); err != nil { return fmt.Errorf("could not update the API service: %w", err) } diff --git a/internal/controller/apicerts/apiservice_updater_test.go b/internal/controller/apicerts/apiservice_updater_test.go index 985d8570a..a10cfc975 100644 --- a/internal/controller/apicerts/apiservice_updater_test.go +++ b/internal/controller/apicerts/apiservice_updater_test.go @@ -1,4 +1,4 @@ -// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved. +// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 package apicerts 
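Review bot: NewAPIServiceUpdaterController stores the new `certificateRetriever` parameter without checking that it is non-nil, and a nil function value only fails later, as a panic inside Sync on the first call, rather than at construction. The old string-keyed API could not fail this way, and the filter-only tests in this same patch pass `nil` for the retriever to the observer and expirer constructors, so the nil case is clearly reachable; the same omission is in NewCertsExpirerController, NewCertsObserverController and NewImpersonatorConfigController in the later hunks. Failing fast at construction with a clear message, e.g. `if certificateRetriever == nil { panic("apicerts: certificateRetriever must not be nil") }`, or stating on RetrieveFromSecretFunc that a nil value is a programming error, would keep the failure out of the reconcile loop. The constructor body continues outside the hunk.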
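Review bot: `caCertPEM` is handed to UpdateAPIService with no nil check, so a secret that exists but lacks the CA entry results in an empty CABundle being written to the APIService; the retriever returns nil for a missing key, and the old direct map lookup behaved the same, but getCertBounds in the expirer (later in this patch) does guard that nil and this path should match it. A guard such as `if caCertPEM == nil { return fmt.Errorf("secret %s/%s has no CA certificate", c.namespace, c.certsSecretResourceName) }` before the call would surface the misconfiguration instead of silently clearing the bundle; how UpdateAPIService itself treats an empty bundle is outside the hunk. The blank identifier discards the CA private key, which is correct here but worth a comment, e.g. `// Only the CA certificate is needed to update the APIService; the CA private key is deliberately ignored.`, so the next reader does not mistake it for a dropped error.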
@@ -42,6 +42,9 @@ func TestAPIServiceUpdaterControllerOptions(t *testing.T) { _ = NewAPIServiceUpdaterController( installedInNamespace, certsSecretResourceName, + func(secret *corev1.Secret) ([]byte, []byte) { + return secret.Data["some-key-for-ca-certificate"], []byte("this value does not matter") + }, loginv1alpha1.SchemeGroupVersion.Version+"."+loginv1alpha1.GroupName, nil, secretsInformer, @@ -122,6 +125,9 @@ func TestAPIServiceUpdaterControllerSync(t *testing.T) { subject = NewAPIServiceUpdaterController( installedInNamespace, certsSecretResourceName, + func(secret *corev1.Secret) ([]byte, []byte) { + return secret.Data["some-key-for-ca-certificate"], []byte("this value does not matter") + }, loginv1alpha1.SchemeGroupVersion.Version+"."+loginv1alpha1.GroupName, aggregatorAPIClient, kubeInformers.Core().V1().Secrets(), @@ -185,9 +191,9 @@ func TestAPIServiceUpdaterControllerSync(t *testing.T) { Namespace: installedInNamespace, }, Data: map[string][]byte{ - "caCertificate": []byte("fake CA cert"), - "tlsPrivateKey": []byte("fake private key"), - "tlsCertificateChain": []byte("fake cert chain"), + "some-key-for-ca-certificate": []byte("fake CA cert"), + "serving-cert-key-EXTRA": []byte("fake cert chain"), + "private-key-EXTRA": []byte("fake private key"), }, } err := kubeInformerClient.Tracker().Add(apiServingCertSecret) diff --git a/internal/controller/apicerts/certs_creator.go b/internal/controller/apicerts/certs_creator.go index bd2e0e6fc..73696067d 100644 --- a/internal/controller/apicerts/certs_creator.go +++ b/internal/controller/apicerts/certs_creator.go 
@@ -19,11 +19,17 @@ import ( "go.pinniped.dev/internal/plog" ) +// The following key names are unexported, to prevent a leaky abstraction. +// Even the string literals should only be used in a very limited set of places: +// - The unit tests for this file +// - The unit tests for retrieve_from_secret.go +// - Integration tests +// Comment must end in a period, so here's a period: . const ( - CACertificateSecretKey = "caCertificate" - CACertificatePrivateKeySecretKey = "caCertificatePrivateKey" + caCertificateSecretKey = "caCertificate" + caCertificatePrivateKeySecretKey = "caCertificatePrivateKey" + tlsCertificateChainSecretKey = "tlsCertificateChain" tlsPrivateKeySecretKey = "tlsPrivateKey" - TLSCertificateChainSecretKey = "tlsCertificateChain" ) type certsCreatorController struct { @@ -111,8 +117,8 @@ func (c *certsCreatorController) Sync(ctx controllerlib.Context) error { Labels: c.certsSecretLabels, }, Data: map[string][]byte{ - CACertificateSecretKey: ca.Bundle(), - CACertificatePrivateKeySecretKey: caPrivateKeyPEM, + caCertificateSecretKey: ca.Bundle(), + caCertificatePrivateKeySecretKey: caPrivateKeyPEM, }, } @@ -132,7 +138,7 @@ func (c *certsCreatorController) Sync(ctx controllerlib.Context) error { } secret.Data[tlsPrivateKeySecretKey] = tlsPrivateKeyPEM - secret.Data[TLSCertificateChainSecretKey] = tlsCertChainPEM + secret.Data[tlsCertificateChainSecretKey] = tlsCertChainPEM } _, err = c.k8sClient.CoreV1().Secrets(c.namespace).Create(ctx.Context, &secret, metav1.CreateOptions{}) diff --git a/internal/controller/apicerts/certs_expirer.go b/internal/controller/apicerts/certs_expirer.go index a6edbe62b..9b7777d90 100644 --- a/internal/controller/apicerts/certs_expirer.go +++ b/internal/controller/apicerts/certs_expirer.go @@ -31,7 +31,7 @@ type certsExpirerController struct { // this controller will start to try to rotate it. renewBefore time.Duration - secretKey string + certificateRetriever RetrieveFromSecretFunc logger plog.Logger } 
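Review bot: The final line of the comment on the const block, `Comment must end in a period, so here's a period: .`, reads as a workaround for a lint rule (presumably a trailing-period check) rather than documentation, and it will be rendered by godoc along with the rest. Ending the list itself with a period reads naturally and satisfies the same rule: replace the last bullet and the trailer with `// - The unit tests for retrieve_from_secret.go` and `// - Integration tests.`. The rest of the comment is useful and should stay.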
@@ -46,7 +46,7 @@ func NewCertsExpirerController( secretInformer corev1informers.SecretInformer, withInformer pinnipedcontroller.WithInformerOptionFunc, renewBefore time.Duration, - secretKey string, + certificateRetriever RetrieveFromSecretFunc, logger plog.Logger, ) controllerlib.Controller { const name = "certs-expirer-controller" @@ -59,7 +59,7 @@ func NewCertsExpirerController( k8sClient: k8sClient, secretInformer: secretInformer, renewBefore: renewBefore, - secretKey: secretKey, + certificateRetriever: certificateRetriever, logger: logger.WithName(name), }, }, @@ -83,7 +83,6 @@ func (c *certsExpirerController) Sync(ctx controllerlib.Context) error { "controller", ctx.Name, "namespace", c.namespace, "name", c.certsSecretResourceName, - "key", c.secretKey, "renewBefore", c.renewBefore.String(), ) return nil @@ -91,7 +90,7 @@ func (c *certsExpirerController) Sync(ctx controllerlib.Context) error { notBefore, notAfter, err := c.getCertBounds(secret) if err != nil { - return fmt.Errorf("failed to get cert bounds for secret %q with key %q: %w", secret.Name, c.secretKey, err) + return fmt.Errorf("failed to get cert bounds for secret %q: %w", secret.Name, err) } certAge := time.Since(notBefore) @@ -100,7 +99,6 @@ func (c *certsExpirerController) Sync(ctx controllerlib.Context) error { "controller", ctx.Name, "namespace", c.namespace, "name", c.certsSecretResourceName, - "key", c.secretKey, "renewBefore", c.renewBefore.String(), "notBefore", notBefore.String(), "notAfter", notAfter.String(), 
@@ -130,7 +128,7 @@ func (c *certsExpirerController) Sync(ctx controllerlib.Context) error { // getCertBounds returns the NotBefore and NotAfter fields of the TLS // certificate in the provided secret, or an error. func (c *certsExpirerController) getCertBounds(secret *corev1.Secret) (time.Time, time.Time, error) { - certPEM := secret.Data[c.secretKey] + certPEM, _ := c.certificateRetriever(secret) if certPEM == nil { return time.Time{}, time.Time{}, constable.Error("failed to find certificate") } diff --git a/internal/controller/apicerts/certs_expirer_test.go b/internal/controller/apicerts/certs_expirer_test.go index ddafd230d..665f35996 100644 --- a/internal/controller/apicerts/certs_expirer_test.go +++ b/internal/controller/apicerts/certs_expirer_test.go @@ -102,8 +102,8 @@ func TestExpirerControllerFilters(t *testing.T) { nil, // k8sClient, not needed secretsInformer, withInformer.WithInformer, - 0, // renewBefore, not needed - "", // not needed + 0, // renewBefore, not needed + nil, // not needed logger, ) 
@@ -134,14 +134,14 @@ func TestExpirerControllerSync(t *testing.T) { }{ { name: "secret does not exist", - wantLog: `{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","logger":"certs-expirer-controller","caller":"apicerts/certs_expirer.go:$apicerts.(*certsExpirerController).Sync","message":"secret does not exist yet or was deleted","controller":"","namespace":"some-namespace","name":"some-resource-name","key":"some-awesome-key","renewBefore":"0s"}`, + wantLog: `{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","logger":"certs-expirer-controller","caller":"apicerts/certs_expirer.go:$apicerts.(*certsExpirerController).Sync","message":"secret does not exist yet or was deleted","controller":"","namespace":"some-namespace","name":"some-resource-name","renewBefore":"0s"}`, wantDelete: false, }, { name: "secret missing key", fillSecretData: func(t *testing.T, m map[string][]byte) {}, wantDelete: false, - wantError: `failed to get cert bounds for secret "some-resource-name" with key "some-awesome-key": failed to find certificate`, + wantError: `failed to get cert bounds for secret "some-resource-name": failed to find certificate`, }, { name: "lifetime below threshold", @@ -214,7 +214,7 @@ func TestExpirerControllerSync(t *testing.T) { require.NoError(t, err) }, wantDelete: false, - wantError: `failed to get cert bounds for secret "some-resource-name" with key "some-awesome-key": failed to decode certificate PEM`, + wantError: `failed to get cert bounds for secret "some-resource-name": failed to decode certificate PEM`, }, } for _, test := range tests { @@ -265,7 +265,9 @@ func TestExpirerControllerSync(t *testing.T) { kubeInformers.Core().V1().Secrets(), controllerlib.WithInformer, test.renewBefore, - fakeTestKey, + func(secret *corev1.Secret) ([]byte, []byte) { + return secret.Data[fakeTestKey], nil + }, logger, ) diff --git a/internal/controller/apicerts/certs_observer.go b/internal/controller/apicerts/certs_observer.go index 631928afe..2637ffd12 100644 
--- a/internal/controller/apicerts/certs_observer.go +++ b/internal/controller/apicerts/certs_observer.go @@ -18,6 +18,7 @@ import ( type certsObserverController struct { namespace string certsSecretResourceName string + certificateRetriever RetrieveFromSecretFunc dynamicCertProvider dynamiccert.Private secretInformer corev1informers.SecretInformer } @@ -25,6 +26,7 @@ type certsObserverController struct { func NewCertsObserverController( namespace string, certsSecretResourceName string, + certificateRetriever RetrieveFromSecretFunc, dynamicCertProvider dynamiccert.Private, secretInformer corev1informers.SecretInformer, withInformer pinnipedcontroller.WithInformerOptionFunc, @@ -35,6 +37,7 @@ func NewCertsObserverController( Syncer: &certsObserverController{ namespace: namespace, certsSecretResourceName: certsSecretResourceName, + certificateRetriever: certificateRetriever, dynamicCertProvider: dynamicCertProvider, secretInformer: secretInformer, }, @@ -62,7 +65,7 @@ func (c *certsObserverController) Sync(_ controllerlib.Context) error { } // Mutate the in-memory cert provider to update with the latest cert values. - if err := c.dynamicCertProvider.SetCertKeyContent(certSecret.Data[TLSCertificateChainSecretKey], certSecret.Data[tlsPrivateKeySecretKey]); err != nil { + if err := c.dynamicCertProvider.SetCertKeyContent(c.certificateRetriever(certSecret)); err != nil { return fmt.Errorf("failed to set serving cert/key content from secret %s/%s: %w", c.namespace, c.certsSecretResourceName, err) } diff --git a/internal/controller/apicerts/certs_observer_test.go b/internal/controller/apicerts/certs_observer_test.go index ccb11929e..c4f031b6d 100644 --- a/internal/controller/apicerts/certs_observer_test.go +++ b/internal/controller/apicerts/certs_observer_test.go @@ -5,6 +5,7 @@ package apicerts import ( "context" + _ "embed" "strings" "testing" "time" 
@@ -23,6 +24,9 @@ import ( "go.pinniped.dev/internal/testutil" ) +//go:embed testdata/private_key_prefix.txt +var privateKeyPrefix string + func TestObserverControllerInformerFilters(t *testing.T) { spec.Run(t, "informer filters", func(t *testing.T, when spec.G, it spec.S) { const installedInNamespace = "some-namespace" @@ -40,6 +44,7 @@ func TestObserverControllerInformerFilters(t *testing.T) { installedInNamespace, certsSecretResourceName, nil, + nil, secretsInformer, observableWithInformerOption.WithInformer, // make it possible to observe the behavior of the Filters ) @@ -119,6 +124,9 @@ func TestObserverControllerSync(t *testing.T) { subject = NewCertsObserverController( installedInNamespace, certsSecretResourceName, + func(secret *corev1.Secret) ([]byte, []byte) { + return secret.Data["some-key-for-certificate"], secret.Data["some-key-for-private-key"] + }, dynamicCertProvider, kubeInformers.Core().V1().Secrets(), controllerlib.WithInformer, @@ -202,7 +210,7 @@ func TestObserverControllerSync(t *testing.T) { ca, err := certauthority.Load(string(caCrt), string(caKey)) require.NoError(t, err) - pem, err := ca.IssueServerCertPEM(nil, nil, time.Hour) + servingCert, err := ca.IssueServerCertPEM(nil, nil, time.Hour) require.NoError(t, err) apiServingCertSecret := &corev1.Secret{ @@ -211,9 +219,9 @@ func TestObserverControllerSync(t *testing.T) { Namespace: installedInNamespace, }, Data: map[string][]byte{ - "caCertificate": []byte("fake cert"), - "tlsPrivateKey": pem.KeyPEM, - "tlsCertificateChain": pem.CertPEM, + "some-pretend-ca-EXTRA": []byte("fake cert"), + "some-key-for-certificate": servingCert.CertPEM, + "some-key-for-private-key": servingCert.KeyPEM, }, } err = kubeInformerClient.Tracker().Add(apiServingCertSecret) 
@@ -234,7 +242,7 @@ func TestObserverControllerSync(t *testing.T) { actualCertChain, actualKey = dynamicCertProvider.CurrentCertKeyContent() r.True(strings.HasPrefix(string(actualCertChain), `-----BEGIN CERTIFICATE-----`), "not a cert:\n%s", string(actualCertChain)) - r.True(strings.HasPrefix(string(actualKey), `-----BEGIN PRIVATE KEY-----`), "not a key:\n%s", string(actualKey)) + r.True(strings.HasPrefix(string(actualKey), privateKeyPrefix), "not a key:\n%s", string(actualKey)) }) }) diff --git a/internal/controller/apicerts/retrieve_from_secret.go b/internal/controller/apicerts/retrieve_from_secret.go new file mode 100644 index 000000000..6657609d3 --- /dev/null +++ b/internal/controller/apicerts/retrieve_from_secret.go @@ -0,0 +1,30 @@ +// Copyright 2024 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +package apicerts + +import ( + corev1 "k8s.io/api/core/v1" +) + +type RetrieveFromSecretFunc func(secret *corev1.Secret) ([]byte, []byte) + +func RetrieveCAFromSecret(secret *corev1.Secret) ([]byte, []byte) { + if secret == nil { + return nil, nil + } + + return secret.Data[caCertificateSecretKey], secret.Data[caCertificatePrivateKeySecretKey] +} + +func RetrieveCertificateFromSecret(secret *corev1.Secret) ([]byte, []byte) { + if secret == nil { + return nil, nil + } + + return secret.Data[tlsCertificateChainSecretKey], secret.Data[tlsPrivateKeySecretKey] +} + +// Ensure matching function signature at compile time. +var _ RetrieveFromSecretFunc = RetrieveCAFromSecret +var _ RetrieveFromSecretFunc = RetrieveCertificateFromSecret diff --git a/internal/controller/apicerts/retrieve_from_secret_test.go b/internal/controller/apicerts/retrieve_from_secret_test.go new file mode 100644 index 000000000..0daacbb51 --- /dev/null +++ b/internal/controller/apicerts/retrieve_from_secret_test.go 
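Review bot: The replaced assertion is vacuous: `privateKeyPrefix` is embedded from testdata/private_key_prefix.txt, which this patch creates with no content hunk (index 000000000..e69de29bb, the id of git's empty blob), so `strings.HasPrefix(string(actualKey), "")` is always true and the test no longer verifies that the observer published a PEM private key. If the intent is to keep the `-----BEGIN PRIVATE KEY-----` literal out of Go source (presumably for secret-scanning reasons), the testdata file needs that header text, and the test should reject an empty fixture so the check cannot silently degrade again, e.g. `r.NotEmpty(privateKeyPrefix, "testdata/private_key_prefix.txt must not be empty")` just before the HasPrefix assertion. The enclosing test function starts outside the hunk.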
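Review bot: The three exported names in this new file have no doc comments, and nothing states the order of the two return values, so a caller cannot tell from the signature alone whether the certificate or the private key comes first. Suggested, on the type: `// RetrieveFromSecretFunc extracts a PEM certificate (first result) and its PEM private key (second result) from a Secret; a nil Secret or a missing entry yields nil.`; on the functions: `// RetrieveCAFromSecret returns the CA certificate and CA private key written by certsCreatorController.` and `// RetrieveCertificateFromSecret returns the serving certificate chain and its private key written by certsCreatorController.`. The nil-Secret guard and the map lookups in the bodies support all of those statements.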
@@ -0,0 +1,87 @@
+// Copyright 2024 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package apicerts
+
+import (
+"testing"
+
+"github.com/stretchr/testify/require"
+corev1 "k8s.io/api/core/v1"
+)
+
+func TestRetrieveCAFromSecret(t *testing.T) {
+tests := []struct {
+name string
+secret *corev1.Secret
+wantCertificate []byte
+wantPrivateKey []byte
+}{
+{
+name: "nil input returns empty",
+secret: nil,
+},
+{
+name: "empty secret returns empty",
+secret: &corev1.Secret{},
+},
+{
+name: "populated secret returns values",
+secret: &corev1.Secret{
+Data: map[string][]byte{
+"caCertificate": []byte("foo"),
+"caCertificatePrivateKey": []byte("bar"),
+"baz": []byte("quz"),
+},
+},
+wantCertificate: []byte("foo"),
+wantPrivateKey: []byte("bar"),
+},
+}
+for _, test := range tests {
+t.Run(test.name, func(t *testing.T) {
+actualCert, actualKey := RetrieveCAFromSecret(test.secret)
+
+require.Equal(t, test.wantCertificate, actualCert)
+require.Equal(t, test.wantPrivateKey, actualKey)
+})
+}
+}
+
+func TestRetrieveCertificateFromSecret(t *testing.T) {
+tests := []struct {
+name string
+secret *corev1.Secret
+wantCertificate []byte
+wantPrivateKey []byte
+}{
+{
+name: "nil input returns empty",
+secret: nil,
+},
+{
+name: "empty secret returns empty",
+secret: &corev1.Secret{},
+},
+{
+name: "populated secret returns values",
+secret: &corev1.Secret{
+Data: map[string][]byte{
+"tlsCertificateChain": []byte("foo"),
+"tlsPrivateKey": []byte("bar"),
+"baz": []byte("quz"),
+},
+},
+wantCertificate: []byte("foo"),
+wantPrivateKey: []byte("bar"),
+},
+}
+for _, test := range tests {
+t.Run(test.name, func(t *testing.T) {
+actualCert, actualKey := RetrieveCertificateFromSecret(test.secret)
+
+require.Equal(t, test.wantCertificate, actualCert)
+require.Equal(t, test.wantPrivateKey, actualKey)
+})
+}
+}
diff --git a/internal/controller/apicerts/testdata/private_key_prefix.txt b/internal/controller/apicerts/testdata/private_key_prefix.txt
new file mode 100644
index 000000000..e69de29bb
diff --git a/internal/controller/impersonatorconfig/impersonator_config.go b/internal/controller/impersonatorconfig/impersonator_config.go
index 9b215fd55..08e3fd0ad 100644
--- a/internal/controller/impersonatorconfig/impersonator_config.go
+++ b/internal/controller/impersonatorconfig/impersonator_config.go
@@ -67,6 +67,7 @@ type impersonatorConfigController struct {
 tlsSecretName string
 caSecretName string
 impersonationSignerSecretName string
+impersonationSignerCertRetriever apicerts.RetrieveFromSecretFunc
 
 k8sClient kubernetes.Interface
 pinnipedAPIClient conciergeclientset.Interface
@@ -107,6 +108,7 @@ func NewImpersonatorConfigController(
 clock clock.Clock,
 impersonatorFunc impersonator.FactoryFunc,
 impersonationSignerSecretName string,
+impersonationSignerCertRetriever apicerts.RetrieveFromSecretFunc,
 impersonationSigningCertProvider dynamiccert.Provider,
 log plog.Logger,
 impersonationProxyTokenCache tokenclient.ExpiringSingletonTokenCacheGet,
@@ -125,6 +127,7 @@ func NewImpersonatorConfigController(
 tlsSecretName: tlsSecretName,
 caSecretName: caSecretName,
 impersonationSignerSecretName: impersonationSignerSecretName,
+impersonationSignerCertRetriever: impersonationSignerCertRetriever,
 k8sClient: k8sClient,
 pinnipedAPIClient: pinnipedAPIClient,
 credIssuerInformer: credentialIssuerInformer,
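Review bot: `NewImpersonatorConfigController` stores the new `impersonationSignerCertRetriever` argument without checking it for nil, and the field is later called directly (`@@ -1116` hunk on the next line, inside `loadSignerCA`, whose body starts outside that hunk), so a nil retriever only surfaces as a panic during a controller sync rather than where the controller is built; the options test on the next line does pass nil in that position. Either default it in the constructor, `if impersonationSignerCertRetriever == nil { impersonationSignerCertRetriever = apicerts.RetrieveCAFromSecret }`, or fail fast with a clear message, so a wiring mistake is caught at startup instead of on the first credential-signing path. Whichever is chosen, a comment on the field saying that it must be non-nil (or what the default is) would make the contract visible.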
@@ -1116,8 +1119,7 @@ func (c *impersonatorConfigController) loadSignerCA() error {
 return fmt.Errorf("could not load the impersonator's credential signing secret: %w", err)
 }
 
-certPEM := signingCertSecret.Data[apicerts.CACertificateSecretKey]
-keyPEM := signingCertSecret.Data[apicerts.CACertificatePrivateKeySecretKey]
+certPEM, keyPEM := c.impersonationSignerCertRetriever(signingCertSecret)
 
 if err := c.impersonationSigningCertProvider.SetCertKeyContent(certPEM, keyPEM); err != nil {
 return fmt.Errorf("could not set the impersonator's credential signing secret: %w", err)
diff --git a/internal/controller/impersonatorconfig/impersonator_config_test.go b/internal/controller/impersonatorconfig/impersonator_config_test.go
index 6d0587e93..24f8eca6e 100644
--- a/internal/controller/impersonatorconfig/impersonator_config_test.go
+++ b/internal/controller/impersonatorconfig/impersonator_config_test.go
@@ -39,7 +39,6 @@ import (
 conciergefake "go.pinniped.dev/generated/latest/client/concierge/clientset/versioned/fake"
 conciergeinformers "go.pinniped.dev/generated/latest/client/concierge/informers/externalversions"
 "go.pinniped.dev/internal/certauthority"
-"go.pinniped.dev/internal/controller/apicerts"
 "go.pinniped.dev/internal/controllerlib"
 "go.pinniped.dev/internal/dynamiccert"
 "go.pinniped.dev/internal/kubeclient"
@@ -95,6 +94,7 @@ func TestImpersonatorConfigControllerOptions(t *testing.T) {
 nil,
 caSignerName,
 nil,
+nil,
 logger,
 nil,
 )
@@ -588,6 +588,9 @@ func TestImpersonatorConfigControllerSync(t *testing.T) {
 clocktesting.NewFakeClock(frozenNow),
 impersonatorFunc,
 mTLSClientCertCASecretName,
+func(secret *corev1.Secret) ([]byte, []byte) {
+return secret.Data["some-key-for-ca-certificate"], secret.Data["some-key-for-ca-private-key"]
+},
 mTLSClientCertProvider,
 logger,
 fakeExpiringSingletonTokenCacheGet,
@@ -675,8 +678,8 @@ func TestImpersonatorConfigControllerSync(t *testing.T) {
 
 var newSigningKeySecret = func(resourceName string, certPEM, keyPEM []byte) *corev1.Secret {
 return newSecretWithData(resourceName, map[string][]byte{
-apicerts.CACertificateSecretKey: certPEM,
-apicerts.CACertificatePrivateKeySecretKey: keyPEM,
+"some-key-for-ca-certificate": certPEM,
+"some-key-for-ca-private-key": keyPEM,
 })
 }
 
@@ -4095,7 +4098,7 @@ func TestImpersonatorConfigControllerSync(t *testing.T) {
 
 when("the cert is invalid", func() {
 it.Before(func() {
-mTLSClientCertCASecret.Data[apicerts.CACertificateSecretKey] = []byte("not a valid PEM formatted cert")
+mTLSClientCertCASecret.Data["some-key-for-ca-certificate"] = []byte("not a valid PEM formatted cert")
 addSecretToTrackers(mTLSClientCertCASecret, kubeInformerClient)
 })
 
diff --git a/internal/localuserauthenticator/localuserauthenticator.go b/internal/localuserauthenticator/localuserauthenticator.go
index 0840d3f93..cf11eaf07 100644
--- a/internal/localuserauthenticator/localuserauthenticator.go
+++ b/internal/localuserauthenticator/localuserauthenticator.go
@@ -313,6 +313,7 @@ func startControllers(
 apicerts.NewCertsObserverController(
 namespace,
 certsSecretResourceName,
+apicerts.RetrieveCertificateFromSecret,
 dynamicCertProvider,
 kubeInformers.Core().V1().Secrets(),
 controllerlib.WithInformer,
diff --git a/internal/supervisor/server/server.go b/internal/supervisor/server/server.go
index e0e87499d..45f9dbe22 100644
--- a/internal/supervisor/server/server.go
+++ b/internal/supervisor/server/server.go
@@ -367,6 +367,7 @@ func prepareControllers(
 apicerts.NewAPIServiceUpdaterController(
 podInfo.Namespace,
 certificateName,
+apicerts.RetrieveCAFromSecret,
 clientSecretSupervisorGroupData.APIServiceName(),
 aggregatorClient,
 secretInformer,
@@ -378,6 +379,7 @@ func prepareControllers(
 apicerts.NewCertsObserverController(
 podInfo.Namespace,
 certificateName,
+apicerts.RetrieveCertificateFromSecret,
 dynamicServingCertProvider,
 secretInformer,
 controllerlib.WithInformer,
@@ -392,7 +394,7 @@ func prepareControllers(
 secretInformer,
 controllerlib.WithInformer,
 9*30*24*time.Hour, // about 9 months
-apicerts.TLSCertificateChainSecretKey,
+apicerts.RetrieveCertificateFromSecret,
 plog.New(),
 ),
 singletonWorker,
From 46bbe5bc753ae7442eafc09b6c066afbc13418ec Mon Sep 17 00:00:00 2001
From: Joshua Casey
Date: Thu, 1 Aug 2024 12:19:34 -0500
Subject: [PATCH 5/6] Fix typos
---
 internal/controller/apicerts/certs_creator.go | 2 +-
 internal/controller/apicerts/certs_observer_test.go | 2 ++
 internal/controller/apicerts/testdata/private_key_prefix.txt | 1 +
 3 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/internal/controller/apicerts/certs_creator.go b/internal/controller/apicerts/certs_creator.go
index 73696067d..04f03f8f0 100644
--- a/internal/controller/apicerts/certs_creator.go
+++ b/internal/controller/apicerts/certs_creator.go
@@ -61,7 +61,7 @@ func NewCertsCreatorController(
 ) controllerlib.Controller {
 return controllerlib.New(
 controllerlib.Config{
-Name: "certs-manager-controller",
+Name: "certs-creator-controller",
 Syncer: &certsCreatorController{
 namespace: namespace,
 certsSecretResourceName: certsSecretResourceName,
diff --git a/internal/controller/apicerts/certs_observer_test.go b/internal/controller/apicerts/certs_observer_test.go
index c4f031b6d..9a512a028 100644
--- a/internal/controller/apicerts/certs_observer_test.go
+++ b/internal/controller/apicerts/certs_observer_test.go
@@ -242,6 +242,8 @@ func TestObserverControllerSync(t *testing.T) {
 
 actualCertChain, actualKey = dynamicCertProvider.CurrentCertKeyContent()
 r.True(strings.HasPrefix(string(actualCertChain), `-----BEGIN CERTIFICATE-----`), "not a cert:\n%s", string(actualCertChain))
+// Confirm that the embed worked successfully
+r.True(len(privateKeyPrefix) > 0, "privateKeyPrefix should be non-empty")
 r.True(strings.HasPrefix(string(actualKey), privateKeyPrefix), "not a key:\n%s", string(actualKey))
 })
 })
diff --git a/internal/controller/apicerts/testdata/private_key_prefix.txt b/internal/controller/apicerts/testdata/private_key_prefix.txt
index e69de29bb..e3063f32e 100644
--- a/internal/controller/apicerts/testdata/private_key_prefix.txt
+++ b/internal/controller/apicerts/testdata/private_key_prefix.txt
@@ -0,0 +1 @@
+-----BEGIN PRIVATE KEY-----
From 1958bb8fb0c53cc6297cb2e09382312840264e52 Mon Sep 17 00:00:00 2001
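Review bot: `r.True(len(privateKeyPrefix) > 0, "privateKeyPrefix should be non-empty")` hand-rolls a check testify already provides; `r.NotEmpty(privateKeyPrefix, "privateKeyPrefix should be non-empty")` reads more directly and reports the offending value on failure. The comment `// Confirm that the embed worked successfully` would be more useful as `// Guard against an empty testdata file, which would make the HasPrefix check below pass for any key.`, since that is the failure this line actually prevents. The enclosing test function starts outside the hunk.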
From: Joshua Casey
Date: Thu, 1 Aug 2024 23:08:00 -0500
Subject: [PATCH 6/6] Clarify documentation for the advertised CA bundle of the impersonation proxy
---
 .../config/v1alpha1/types_credentialissuer.go.tmpl | 9 ++++++---
 ...onfig.concierge.pinniped.dev_credentialissuers.yaml | 6 +++++-
 generated/1.25/README.adoc | 10 +++++++---
 .../config/v1alpha1/types_credentialissuer.go | 9 ++++++---
 ...onfig.concierge.pinniped.dev_credentialissuers.yaml | 6 +++++-
 generated/1.26/README.adoc | 10 +++++++---
 .../config/v1alpha1/types_credentialissuer.go | 9 ++++++---
 ...onfig.concierge.pinniped.dev_credentialissuers.yaml | 6 +++++-
 generated/1.27/README.adoc | 10 +++++++---
 .../config/v1alpha1/types_credentialissuer.go | 9 ++++++---
 ...onfig.concierge.pinniped.dev_credentialissuers.yaml | 6 +++++-
 generated/1.28/README.adoc | 10 +++++++---
 .../config/v1alpha1/types_credentialissuer.go | 9 ++++++---
 ...onfig.concierge.pinniped.dev_credentialissuers.yaml | 6 +++++-
 generated/1.29/README.adoc | 10 +++++++---
 .../config/v1alpha1/types_credentialissuer.go | 9 ++++++---
 ...onfig.concierge.pinniped.dev_credentialissuers.yaml | 6 +++++-
 generated/1.30/README.adoc | 10 +++++++---
 .../config/v1alpha1/types_credentialissuer.go | 9 ++++++---
 ...onfig.concierge.pinniped.dev_credentialissuers.yaml | 6 +++++-
 generated/1.31/README.adoc | 10 +++++++---
 .../config/v1alpha1/types_credentialissuer.go | 9 ++++++---
 ...onfig.concierge.pinniped.dev_credentialissuers.yaml | 6 +++++-
 generated/latest/README.adoc | 10 +++++++---
 .../config/v1alpha1/types_credentialissuer.go | 9 ++++++---
 25 files changed, 150 insertions(+), 59 deletions(-)

diff --git a/apis/concierge/config/v1alpha1/types_credentialissuer.go.tmpl b/apis/concierge/config/v1alpha1/types_credentialissuer.go.tmpl
index de976f5c1..6b908a90d 100644
--- a/apis/concierge/config/v1alpha1/types_credentialissuer.go.tmpl
+++ b/apis/concierge/config/v1alpha1/types_credentialissuer.go.tmpl
@@ -83,16 +83,16 @@ const (
 )
 
 // ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should
-// serve TLS.
+// serve TLS and what CA bundle to advertise for TLS verification.
 //
 // If CertificateAuthorityData is not provided, the Concierge impersonation proxy will check the secret
-// for a field called "ca.crt", which will be used as the CertificateAuthorityData.
+// for a field called "ca.crt", which will be used as the CA bundle to advertise for TLS verification.
 //
 // If neither CertificateAuthorityData nor ca.crt is provided, no CA bundle will be advertised for
 // the impersonation proxy endpoint.
 type ImpersonationProxyTLSSpec struct {
 // X.509 Certificate Authority (base64-encoded PEM bundle).
-// Used to advertise the CA bundle for the impersonation proxy endpoint.
+// Used to advertise the CA bundle for TLS verification.
 //
 // +optional
 CertificateAuthorityData string `json:"certificateAuthorityData,omitempty"`
@@ -100,6 +100,9 @@ type ImpersonationProxyTLSSpec struct {
 // SecretName is the name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains
 // the TLS serving certificate for the Concierge impersonation proxy endpoint.
 //
+// If CertificateAuthorityData is not provided, the Concierge impersonation proxy will check this secret for
+// a field called "ca.crt", which will be used as the CA bundle to advertise for TLS verification.
+//
 // +kubebuilder:validation:MinLength=1
 SecretName string `json:"secretName,omitempty"`
 }
diff --git a/deploy/concierge/config.concierge.pinniped.dev_credentialissuers.yaml b/deploy/concierge/config.concierge.pinniped.dev_credentialissuers.yaml
index 6897b7968..225ce3fed 100644
--- a/deploy/concierge/config.concierge.pinniped.dev_credentialissuers.yaml
+++ b/deploy/concierge/config.concierge.pinniped.dev_credentialissuers.yaml
@@ -115,12 +115,16 @@ spec:
 certificateAuthorityData:
 description: |-
 X.509 Certificate Authority (base64-encoded PEM bundle).
-Used to advertise the CA bundle for the impersonation proxy endpoint.
+Used to advertise the CA bundle for TLS verification.
 type: string
 secretName:
 description: |-
 SecretName is the name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains
 the TLS serving certificate for the Concierge impersonation proxy endpoint.
+
+
+If CertificateAuthorityData is not provided, the Concierge impersonation proxy will check this secret for
+a field called "ca.crt", which will be used as the CA bundle to advertise for TLS verification.
 minLength: 1
 type: string
 type: object
diff --git a/generated/1.25/README.adoc b/generated/1.25/README.adoc
index 92794f1b1..cf55f2c86 100644
--- a/generated/1.25/README.adoc
+++ b/generated/1.25/README.adoc
@@ -622,11 +622,11 @@ If this field is empty, the impersonation proxy will generate its own TLS certif
 ==== ImpersonationProxyTLSSpec
 
 ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should
-serve TLS.
+serve TLS and what CA bundle to advertise for TLS verification.
 
 
 If CertificateAuthorityData is not provided, the Concierge impersonation proxy will check the secret
-for a field called "ca.crt", which will be used as the CertificateAuthorityData.
+for a field called "ca.crt", which will be used as the CA bundle to advertise for TLS verification.
 
 
 If neither CertificateAuthorityData nor ca.crt is provided, no CA bundle will be advertised for
@@ -641,9 +641,13 @@ the impersonation proxy endpoint.
 |===
 | Field | Description
 | *`certificateAuthorityData`* __string__ | X.509 Certificate Authority (base64-encoded PEM bundle). +
-Used to advertise the CA bundle for the impersonation proxy endpoint. +
+Used to advertise the CA bundle for TLS verification. +
 | *`secretName`* __string__ | SecretName is the name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains +
 the TLS serving certificate for the Concierge impersonation proxy endpoint. +
+
+
+If CertificateAuthorityData is not provided, the Concierge impersonation proxy will check this secret for +
+a field called "ca.crt", which will be used as the CA bundle to advertise for TLS verification. +
 
 
 |===
diff --git a/generated/1.25/apis/concierge/config/v1alpha1/types_credentialissuer.go b/generated/1.25/apis/concierge/config/v1alpha1/types_credentialissuer.go
index de976f5c1..6b908a90d 100644
--- a/generated/1.25/apis/concierge/config/v1alpha1/types_credentialissuer.go
+++ b/generated/1.25/apis/concierge/config/v1alpha1/types_credentialissuer.go
@@ -83,16 +83,16 @@ const (
 )
 
 // ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should
-// serve TLS.
+// serve TLS and what CA bundle to advertise for TLS verification.
 //
 // If CertificateAuthorityData is not provided, the Concierge impersonation proxy will check the secret
-// for a field called "ca.crt", which will be used as the CertificateAuthorityData.
+// for a field called "ca.crt", which will be used as the CA bundle to advertise for TLS verification.
 //
 // If neither CertificateAuthorityData nor ca.crt is provided, no CA bundle will be advertised for
 // the impersonation proxy endpoint.
 type ImpersonationProxyTLSSpec struct {
 // X.509 Certificate Authority (base64-encoded PEM bundle).
-// Used to advertise the CA bundle for the impersonation proxy endpoint.
+// Used to advertise the CA bundle for TLS verification.
 //
 // +optional
 CertificateAuthorityData string `json:"certificateAuthorityData,omitempty"`
@@ -100,6 +100,9 @@ type ImpersonationProxyTLSSpec struct {
 // SecretName is the name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains
 // the TLS serving certificate for the Concierge impersonation proxy endpoint.
 //
+// If CertificateAuthorityData is not provided, the Concierge impersonation proxy will check this secret for
+// a field called "ca.crt", which will be used as the CA bundle to advertise for TLS verification.
+//
 // +kubebuilder:validation:MinLength=1
 SecretName string `json:"secretName,omitempty"`
 }
diff --git a/generated/1.25/crds/config.concierge.pinniped.dev_credentialissuers.yaml b/generated/1.25/crds/config.concierge.pinniped.dev_credentialissuers.yaml
index 6897b7968..225ce3fed 100644
--- a/generated/1.25/crds/config.concierge.pinniped.dev_credentialissuers.yaml
+++ b/generated/1.25/crds/config.concierge.pinniped.dev_credentialissuers.yaml
@@ -115,12 +115,16 @@ spec:
 certificateAuthorityData:
 description: |-
 X.509 Certificate Authority (base64-encoded PEM bundle).
-Used to advertise the CA bundle for the impersonation proxy endpoint.
+Used to advertise the CA bundle for TLS verification.
 type: string
 secretName:
 description: |-
 SecretName is the name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains
 the TLS serving certificate for the Concierge impersonation proxy endpoint.
+
+
+If CertificateAuthorityData is not provided, the Concierge impersonation proxy will check this secret for
+a field called "ca.crt", which will be used as the CA bundle to advertise for TLS verification.
 minLength: 1
 type: string
 type: object
diff --git a/generated/1.26/README.adoc b/generated/1.26/README.adoc
index 2e291f103..b2a4a2013 100644
--- a/generated/1.26/README.adoc
+++ b/generated/1.26/README.adoc
@@ -622,11 +622,11 @@ If this field is empty, the impersonation proxy will generate its own TLS certif
 ==== ImpersonationProxyTLSSpec
 
 ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should
-serve TLS.
+serve TLS and what CA bundle to advertise for TLS verification.
 
 
 If CertificateAuthorityData is not provided, the Concierge impersonation proxy will check the secret
-for a field called "ca.crt", which will be used as the CertificateAuthorityData.
+for a field called "ca.crt", which will be used as the CA bundle to advertise for TLS verification.
 
 
 If neither CertificateAuthorityData nor ca.crt is provided, no CA bundle will be advertised for
@@ -641,9 +641,13 @@ the impersonation proxy endpoint.
 |===
 | Field | Description
 | *`certificateAuthorityData`* __string__ | X.509 Certificate Authority (base64-encoded PEM bundle). +
-Used to advertise the CA bundle for the impersonation proxy endpoint. +
+Used to advertise the CA bundle for TLS verification. +
 | *`secretName`* __string__ | SecretName is the name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains +
 the TLS serving certificate for the Concierge impersonation proxy endpoint. +
+
+
+If CertificateAuthorityData is not provided, the Concierge impersonation proxy will check this secret for +
+a field called "ca.crt", which will be used as the CA bundle to advertise for TLS verification. +
 
 
 |===
diff --git a/generated/1.26/apis/concierge/config/v1alpha1/types_credentialissuer.go b/generated/1.26/apis/concierge/config/v1alpha1/types_credentialissuer.go
index de976f5c1..6b908a90d 100644
--- a/generated/1.26/apis/concierge/config/v1alpha1/types_credentialissuer.go
+++ b/generated/1.26/apis/concierge/config/v1alpha1/types_credentialissuer.go
@@ -83,16 +83,16 @@ const (
 )
 
 // ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should
-// serve TLS.
+// serve TLS and what CA bundle to advertise for TLS verification.
 //
 // If CertificateAuthorityData is not provided, the Concierge impersonation proxy will check the secret
-// for a field called "ca.crt", which will be used as the CertificateAuthorityData.
+// for a field called "ca.crt", which will be used as the CA bundle to advertise for TLS verification.
 //
 // If neither CertificateAuthorityData nor ca.crt is provided, no CA bundle will be advertised for
 // the impersonation proxy endpoint.
 type ImpersonationProxyTLSSpec struct {
 // X.509 Certificate Authority (base64-encoded PEM bundle).
-// Used to advertise the CA bundle for the impersonation proxy endpoint.
+// Used to advertise the CA bundle for TLS verification.
 //
 // +optional
 CertificateAuthorityData string `json:"certificateAuthorityData,omitempty"`
@@ -100,6 +100,9 @@ type ImpersonationProxyTLSSpec struct {
 // SecretName is the name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains
 // the TLS serving certificate for the Concierge impersonation proxy endpoint.
 //
+// If CertificateAuthorityData is not provided, the Concierge impersonation proxy will check this secret for
+// a field called "ca.crt", which will be used as the CA bundle to advertise for TLS verification.
+//
 // +kubebuilder:validation:MinLength=1
 SecretName string `json:"secretName,omitempty"`
 }
diff --git a/generated/1.26/crds/config.concierge.pinniped.dev_credentialissuers.yaml b/generated/1.26/crds/config.concierge.pinniped.dev_credentialissuers.yaml
index 6897b7968..225ce3fed 100644
--- a/generated/1.26/crds/config.concierge.pinniped.dev_credentialissuers.yaml
+++ b/generated/1.26/crds/config.concierge.pinniped.dev_credentialissuers.yaml
@@ -115,12 +115,16 @@ spec:
 certificateAuthorityData:
 description: |-
 X.509 Certificate Authority (base64-encoded PEM bundle).
-Used to advertise the CA bundle for the impersonation proxy endpoint.
+Used to advertise the CA bundle for TLS verification.
 type: string
 secretName:
 description: |-
 SecretName is the name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains
 the TLS serving certificate for the Concierge impersonation proxy endpoint.
+
+
+If CertificateAuthorityData is not provided, the Concierge impersonation proxy will check this secret for
+a field called "ca.crt", which will be used as the CA bundle to advertise for TLS verification.
 minLength: 1
 type: string
 type: object
diff --git a/generated/1.27/README.adoc b/generated/1.27/README.adoc
index c92144a04..6d06f5f7c 100644
--- a/generated/1.27/README.adoc
+++ b/generated/1.27/README.adoc
@@ -622,11 +622,11 @@ If this field is empty, the impersonation proxy will generate its own TLS certif
 ==== ImpersonationProxyTLSSpec
 
 ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should
-serve TLS.
+serve TLS and what CA bundle to advertise for TLS verification.
 
 
 If CertificateAuthorityData is not provided, the Concierge impersonation proxy will check the secret
-for a field called "ca.crt", which will be used as the CertificateAuthorityData.
+for a field called "ca.crt", which will be used as the CA bundle to advertise for TLS verification.
 
 
 If neither CertificateAuthorityData nor ca.crt is provided, no CA bundle will be advertised for
@@ -641,9 +641,13 @@ the impersonation proxy endpoint.
 |===
 | Field | Description
 | *`certificateAuthorityData`* __string__ | X.509 Certificate Authority (base64-encoded PEM bundle). +
-Used to advertise the CA bundle for the impersonation proxy endpoint. +
+Used to advertise the CA bundle for TLS verification. +
 | *`secretName`* __string__ | SecretName is the name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains +
 the TLS serving certificate for the Concierge impersonation proxy endpoint. +
+
+
+If CertificateAuthorityData is not provided, the Concierge impersonation proxy will check this secret for +
+a field called "ca.crt", which will be used as the CA bundle to advertise for TLS verification. +
 
 
 |===
diff --git a/generated/1.27/apis/concierge/config/v1alpha1/types_credentialissuer.go b/generated/1.27/apis/concierge/config/v1alpha1/types_credentialissuer.go
index de976f5c1..6b908a90d 100644
--- a/generated/1.27/apis/concierge/config/v1alpha1/types_credentialissuer.go
+++ b/generated/1.27/apis/concierge/config/v1alpha1/types_credentialissuer.go
@@ -83,16 +83,16 @@ const (
 )
 
 // ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should
-// serve TLS.
+// serve TLS and what CA bundle to advertise for TLS verification.
 //
 // If CertificateAuthorityData is not provided, the Concierge impersonation proxy will check the secret
-// for a field called "ca.crt", which will be used as the CertificateAuthorityData.
+// for a field called "ca.crt", which will be used as the CA bundle to advertise for TLS verification.
 //
 // If neither CertificateAuthorityData nor ca.crt is provided, no CA bundle will be advertised for
 // the impersonation proxy endpoint.
 type ImpersonationProxyTLSSpec struct {
 // X.509 Certificate Authority (base64-encoded PEM bundle).
-// Used to advertise the CA bundle for the impersonation proxy endpoint.
+// Used to advertise the CA bundle for TLS verification.
 //
 // +optional
 CertificateAuthorityData string `json:"certificateAuthorityData,omitempty"`
@@ -100,6 +100,9 @@ type ImpersonationProxyTLSSpec struct {
 // SecretName is the name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains
 // the TLS serving certificate for the Concierge impersonation proxy endpoint.
 //
+// If CertificateAuthorityData is not provided, the Concierge impersonation proxy will check this secret for
+// a field called "ca.crt", which will be used as the CA bundle to advertise for TLS verification.
+//
 // +kubebuilder:validation:MinLength=1
 SecretName string `json:"secretName,omitempty"`
 }
diff --git a/generated/1.27/crds/config.concierge.pinniped.dev_credentialissuers.yaml b/generated/1.27/crds/config.concierge.pinniped.dev_credentialissuers.yaml
index 6897b7968..225ce3fed 100644
--- a/generated/1.27/crds/config.concierge.pinniped.dev_credentialissuers.yaml
+++ b/generated/1.27/crds/config.concierge.pinniped.dev_credentialissuers.yaml
@@ -115,12 +115,16 @@ spec:
 certificateAuthorityData:
 description: |-
 X.509 Certificate Authority (base64-encoded PEM bundle).
-Used to advertise the CA bundle for the impersonation proxy endpoint.
+Used to advertise the CA bundle for TLS verification.
 type: string
 secretName:
 description: |-
 SecretName is the name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains
 the TLS serving certificate for the Concierge impersonation proxy endpoint.
+
+
+If CertificateAuthorityData is not provided, the Concierge impersonation proxy will check this secret for
+a field called "ca.crt", which will be used as the CA bundle to advertise for TLS verification.
 minLength: 1
 type: string
 type: object
diff --git a/generated/1.28/README.adoc b/generated/1.28/README.adoc
index 11bab11c0..f1c5bf84b 100644
--- a/generated/1.28/README.adoc
+++ b/generated/1.28/README.adoc
@@ -622,11 +622,11 @@ If this field is empty, the impersonation proxy will generate its own TLS certif
 ==== ImpersonationProxyTLSSpec
 
 ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should
-serve TLS.
+serve TLS and what CA bundle to advertise for TLS verification.
 
 
 If CertificateAuthorityData is not provided, the Concierge impersonation proxy will check the secret
-for a field called "ca.crt", which will be used as the CertificateAuthorityData.
+for a field called "ca.crt", which will be used as the CA bundle to advertise for TLS verification.
 
 
 If neither CertificateAuthorityData nor ca.crt is provided, no CA bundle will be advertised for
@@ -641,9 +641,13 @@ the impersonation proxy endpoint.
 |===
 | Field | Description
 | *`certificateAuthorityData`* __string__ | X.509 Certificate Authority (base64-encoded PEM bundle). +
-Used to advertise the CA bundle for the impersonation proxy endpoint. +
+Used to advertise the CA bundle for TLS verification. +
 | *`secretName`* __string__ | SecretName is the name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains +
 the TLS serving certificate for the Concierge impersonation proxy endpoint. +
+
+
+If CertificateAuthorityData is not provided, the Concierge impersonation proxy will check this secret for +
+a field called "ca.crt", which will be used as the CA bundle to advertise for TLS verification. +
 
 
 |===
diff --git a/generated/1.28/apis/concierge/config/v1alpha1/types_credentialissuer.go b/generated/1.28/apis/concierge/config/v1alpha1/types_credentialissuer.go
index de976f5c1..6b908a90d 100644
--- a/generated/1.28/apis/concierge/config/v1alpha1/types_credentialissuer.go
+++ b/generated/1.28/apis/concierge/config/v1alpha1/types_credentialissuer.go
@@ -83,16 +83,16 @@ const (
 )
 
 // ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should
-// serve TLS.
+// serve TLS and what CA bundle to advertise for TLS verification.
 //
 // If CertificateAuthorityData is not provided, the Concierge impersonation proxy will check the secret
-// for a field called "ca.crt", which will be used as the CertificateAuthorityData.
+// for a field called "ca.crt", which will be used as the CA bundle to advertise for TLS verification.
 //
 // If neither CertificateAuthorityData nor ca.crt is provided, no CA bundle will be advertised for
 // the impersonation proxy endpoint.
 type ImpersonationProxyTLSSpec struct {
 // X.509 Certificate Authority (base64-encoded PEM bundle).
-// Used to advertise the CA bundle for the impersonation proxy endpoint.
+// Used to advertise the CA bundle for TLS verification.
 //
 // +optional
 CertificateAuthorityData string `json:"certificateAuthorityData,omitempty"`
@@ -100,6 +100,9 @@ type ImpersonationProxyTLSSpec struct {
 // SecretName is the name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains
 // the TLS serving certificate for the Concierge impersonation proxy endpoint.
 //
+// If CertificateAuthorityData is not provided, the Concierge impersonation proxy will check this secret for
+// a field called "ca.crt", which will be used as the CA bundle to advertise for TLS verification.
+//
 // +kubebuilder:validation:MinLength=1
 SecretName string `json:"secretName,omitempty"`
 }
diff --git a/generated/1.28/crds/config.concierge.pinniped.dev_credentialissuers.yaml b/generated/1.28/crds/config.concierge.pinniped.dev_credentialissuers.yaml
index 6897b7968..225ce3fed 100644
--- a/generated/1.28/crds/config.concierge.pinniped.dev_credentialissuers.yaml
+++ b/generated/1.28/crds/config.concierge.pinniped.dev_credentialissuers.yaml
@@ -115,12 +115,16 @@ spec:
 certificateAuthorityData:
 description: |-
 X.509 Certificate Authority (base64-encoded PEM bundle).
-Used to advertise the CA bundle for the impersonation proxy endpoint.
+Used to advertise the CA bundle for TLS verification.
 type: string
 secretName:
 description: |-
 SecretName is the name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains
 the TLS serving certificate for the Concierge impersonation proxy endpoint.
+
+
+If CertificateAuthorityData is not provided, the Concierge impersonation proxy will check this secret for
+a field called "ca.crt", which will be used as the CA bundle to advertise for TLS verification.
 minLength: 1
 type: string
 type: object
diff --git a/generated/1.29/README.adoc b/generated/1.29/README.adoc
index 17c21cf5c..b5361cb24 100644
--- a/generated/1.29/README.adoc
+++ b/generated/1.29/README.adoc
@@ -622,11 +622,11 @@ If this field is empty, the impersonation proxy will generate its own TLS certif
 ==== ImpersonationProxyTLSSpec
 
 ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should
-serve TLS.
+serve TLS and what CA bundle to advertise for TLS verification.
 
 
 If CertificateAuthorityData is not provided, the Concierge impersonation proxy will check the secret
-for a field called "ca.crt", which will be used as the CertificateAuthorityData.
+for a field called "ca.crt", which will be used as the CA bundle to advertise for TLS verification.
 
 
 If neither CertificateAuthorityData nor ca.crt is provided, no CA bundle will be advertised for
@@ -641,9 +641,13 @@ the impersonation proxy endpoint.
 |===
 | Field | Description
 | *`certificateAuthorityData`* __string__ | X.509 Certificate Authority (base64-encoded PEM bundle). +
-Used to advertise the CA bundle for the impersonation proxy endpoint. +
+Used to advertise the CA bundle for TLS verification. +
 | *`secretName`* __string__ | SecretName is the name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains +
 the TLS serving certificate for the Concierge impersonation proxy endpoint. +
+
+
+If CertificateAuthorityData is not provided, the Concierge impersonation proxy will check this secret for +
+a field called "ca.crt", which will be used as the CA bundle to advertise for TLS verification. +
 |===
diff --git a/generated/1.29/apis/concierge/config/v1alpha1/types_credentialissuer.go b/generated/1.29/apis/concierge/config/v1alpha1/types_credentialissuer.go
index de976f5c1..6b908a90d 100644
--- a/generated/1.29/apis/concierge/config/v1alpha1/types_credentialissuer.go
+++ b/generated/1.29/apis/concierge/config/v1alpha1/types_credentialissuer.go
@@ -83,16 +83,16 @@ const (
 )
 // ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should
-// serve TLS.
+// serve TLS and what CA bundle to advertise for TLS verification.
 //
 // If CertificateAuthorityData is not provided, the Concierge impersonation proxy will check the secret
-// for a field called "ca.crt", which will be used as the CertificateAuthorityData.
+// for a field called "ca.crt", which will be used as the CA bundle to advertise for TLS verification.
 //
 // If neither CertificateAuthorityData nor ca.crt is provided, no CA bundle will be advertised for
 // the impersonation proxy endpoint.
 type ImpersonationProxyTLSSpec struct {
 // X.509 Certificate Authority (base64-encoded PEM bundle).
- // Used to advertise the CA bundle for the impersonation proxy endpoint.
+ // Used to advertise the CA bundle for TLS verification.
 //
 // +optional
 CertificateAuthorityData string `json:"certificateAuthorityData,omitempty"`
@@ -100,6 +100,9 @@ type ImpersonationProxyTLSSpec struct {
 // SecretName is the name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains
 // the TLS serving certificate for the Concierge impersonation proxy endpoint.
 //
+ // If CertificateAuthorityData is not provided, the Concierge impersonation proxy will check this secret for
+ // a field called "ca.crt", which will be used as the CA bundle to advertise for TLS verification.
+ //
 // +kubebuilder:validation:MinLength=1
 SecretName string `json:"secretName,omitempty"`
 }
diff --git a/generated/1.29/crds/config.concierge.pinniped.dev_credentialissuers.yaml b/generated/1.29/crds/config.concierge.pinniped.dev_credentialissuers.yaml
index 6897b7968..225ce3fed 100644
--- a/generated/1.29/crds/config.concierge.pinniped.dev_credentialissuers.yaml
+++ b/generated/1.29/crds/config.concierge.pinniped.dev_credentialissuers.yaml
@@ -115,12 +115,16 @@ spec:
 certificateAuthorityData:
 description: |-
 X.509 Certificate Authority (base64-encoded PEM bundle).
- Used to advertise the CA bundle for the impersonation proxy endpoint.
+ Used to advertise the CA bundle for TLS verification.
 type: string
 secretName:
 description: |-
 SecretName is the name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains
 the TLS serving certificate for the Concierge impersonation proxy endpoint.
+
+
+ If CertificateAuthorityData is not provided, the Concierge impersonation proxy will check this secret for
+ a field called "ca.crt", which will be used as the CA bundle to advertise for TLS verification.
 minLength: 1
 type: string
 type: object
diff --git a/generated/1.30/README.adoc b/generated/1.30/README.adoc
index 0659827b6..b384536a0 100644
--- a/generated/1.30/README.adoc
+++ b/generated/1.30/README.adoc
@@ -622,11 +622,11 @@ If this field is empty, the impersonation proxy will generate its own TLS certif
 ==== ImpersonationProxyTLSSpec
 ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should
-serve TLS.
+serve TLS and what CA bundle to advertise for TLS verification.
 If CertificateAuthorityData is not provided, the Concierge impersonation proxy will check the secret
-for a field called "ca.crt", which will be used as the CertificateAuthorityData.
+for a field called "ca.crt", which will be used as the CA bundle to advertise for TLS verification.
 If neither CertificateAuthorityData nor ca.crt is provided, no CA bundle will be advertised for
@@ -641,9 +641,13 @@ the impersonation proxy endpoint.
 |===
 | Field | Description
 | *`certificateAuthorityData`* __string__ | X.509 Certificate Authority (base64-encoded PEM bundle). +
-Used to advertise the CA bundle for the impersonation proxy endpoint. +
+Used to advertise the CA bundle for TLS verification. +
 | *`secretName`* __string__ | SecretName is the name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains +
 the TLS serving certificate for the Concierge impersonation proxy endpoint. +
+
+
+If CertificateAuthorityData is not provided, the Concierge impersonation proxy will check this secret for +
+a field called "ca.crt", which will be used as the CA bundle to advertise for TLS verification. +
 |===
diff --git a/generated/1.30/apis/concierge/config/v1alpha1/types_credentialissuer.go b/generated/1.30/apis/concierge/config/v1alpha1/types_credentialissuer.go
index de976f5c1..6b908a90d 100644
--- a/generated/1.30/apis/concierge/config/v1alpha1/types_credentialissuer.go
+++ b/generated/1.30/apis/concierge/config/v1alpha1/types_credentialissuer.go
@@ -83,16 +83,16 @@ const (
 )
 // ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should
-// serve TLS.
+// serve TLS and what CA bundle to advertise for TLS verification.
 //
 // If CertificateAuthorityData is not provided, the Concierge impersonation proxy will check the secret
-// for a field called "ca.crt", which will be used as the CertificateAuthorityData.
+// for a field called "ca.crt", which will be used as the CA bundle to advertise for TLS verification.
 //
 // If neither CertificateAuthorityData nor ca.crt is provided, no CA bundle will be advertised for
 // the impersonation proxy endpoint.
 type ImpersonationProxyTLSSpec struct {
 // X.509 Certificate Authority (base64-encoded PEM bundle).
- // Used to advertise the CA bundle for the impersonation proxy endpoint.
+ // Used to advertise the CA bundle for TLS verification.
 //
 // +optional
 CertificateAuthorityData string `json:"certificateAuthorityData,omitempty"`
@@ -100,6 +100,9 @@ type ImpersonationProxyTLSSpec struct {
 // SecretName is the name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains
 // the TLS serving certificate for the Concierge impersonation proxy endpoint.
 //
+ // If CertificateAuthorityData is not provided, the Concierge impersonation proxy will check this secret for
+ // a field called "ca.crt", which will be used as the CA bundle to advertise for TLS verification.
+ //
 // +kubebuilder:validation:MinLength=1
 SecretName string `json:"secretName,omitempty"`
 }
diff --git a/generated/1.30/crds/config.concierge.pinniped.dev_credentialissuers.yaml b/generated/1.30/crds/config.concierge.pinniped.dev_credentialissuers.yaml
index 6897b7968..225ce3fed 100644
--- a/generated/1.30/crds/config.concierge.pinniped.dev_credentialissuers.yaml
+++ b/generated/1.30/crds/config.concierge.pinniped.dev_credentialissuers.yaml
@@ -115,12 +115,16 @@ spec:
 certificateAuthorityData:
 description: |-
 X.509 Certificate Authority (base64-encoded PEM bundle).
- Used to advertise the CA bundle for the impersonation proxy endpoint.
+ Used to advertise the CA bundle for TLS verification.
 type: string
 secretName:
 description: |-
 SecretName is the name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains
 the TLS serving certificate for the Concierge impersonation proxy endpoint.
+
+
+ If CertificateAuthorityData is not provided, the Concierge impersonation proxy will check this secret for
+ a field called "ca.crt", which will be used as the CA bundle to advertise for TLS verification.
 minLength: 1
 type: string
 type: object
diff --git a/generated/1.31/README.adoc b/generated/1.31/README.adoc
index ba03e684a..b6371e1fb 100644
--- a/generated/1.31/README.adoc
+++ b/generated/1.31/README.adoc
@@ -622,11 +622,11 @@ If this field is empty, the impersonation proxy will generate its own TLS certif
 ==== ImpersonationProxyTLSSpec
 ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should
-serve TLS.
+serve TLS and what CA bundle to advertise for TLS verification.
 If CertificateAuthorityData is not provided, the Concierge impersonation proxy will check the secret
-for a field called "ca.crt", which will be used as the CertificateAuthorityData.
+for a field called "ca.crt", which will be used as the CA bundle to advertise for TLS verification.
 If neither CertificateAuthorityData nor ca.crt is provided, no CA bundle will be advertised for
@@ -641,9 +641,13 @@ the impersonation proxy endpoint.
 |===
 | Field | Description
 | *`certificateAuthorityData`* __string__ | X.509 Certificate Authority (base64-encoded PEM bundle). +
-Used to advertise the CA bundle for the impersonation proxy endpoint. +
+Used to advertise the CA bundle for TLS verification. +
 | *`secretName`* __string__ | SecretName is the name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains +
 the TLS serving certificate for the Concierge impersonation proxy endpoint. +
+
+
+If CertificateAuthorityData is not provided, the Concierge impersonation proxy will check this secret for +
+a field called "ca.crt", which will be used as the CA bundle to advertise for TLS verification. +
 |===
diff --git a/generated/1.31/apis/concierge/config/v1alpha1/types_credentialissuer.go b/generated/1.31/apis/concierge/config/v1alpha1/types_credentialissuer.go
index de976f5c1..6b908a90d 100644
--- a/generated/1.31/apis/concierge/config/v1alpha1/types_credentialissuer.go
+++ b/generated/1.31/apis/concierge/config/v1alpha1/types_credentialissuer.go
@@ -83,16 +83,16 @@ const (
 )
 // ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should
-// serve TLS.
+// serve TLS and what CA bundle to advertise for TLS verification.
 //
 // If CertificateAuthorityData is not provided, the Concierge impersonation proxy will check the secret
-// for a field called "ca.crt", which will be used as the CertificateAuthorityData.
+// for a field called "ca.crt", which will be used as the CA bundle to advertise for TLS verification.
 //
 // If neither CertificateAuthorityData nor ca.crt is provided, no CA bundle will be advertised for
 // the impersonation proxy endpoint.
 type ImpersonationProxyTLSSpec struct {
 // X.509 Certificate Authority (base64-encoded PEM bundle).
- // Used to advertise the CA bundle for the impersonation proxy endpoint.
+ // Used to advertise the CA bundle for TLS verification.
 //
 // +optional
 CertificateAuthorityData string `json:"certificateAuthorityData,omitempty"`
@@ -100,6 +100,9 @@ type ImpersonationProxyTLSSpec struct {
 // SecretName is the name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains
 // the TLS serving certificate for the Concierge impersonation proxy endpoint.
 //
+ // If CertificateAuthorityData is not provided, the Concierge impersonation proxy will check this secret for
+ // a field called "ca.crt", which will be used as the CA bundle to advertise for TLS verification.
+ //
 // +kubebuilder:validation:MinLength=1
 SecretName string `json:"secretName,omitempty"`
 }
diff --git a/generated/1.31/crds/config.concierge.pinniped.dev_credentialissuers.yaml b/generated/1.31/crds/config.concierge.pinniped.dev_credentialissuers.yaml
index 6897b7968..225ce3fed 100644
--- a/generated/1.31/crds/config.concierge.pinniped.dev_credentialissuers.yaml
+++ b/generated/1.31/crds/config.concierge.pinniped.dev_credentialissuers.yaml
@@ -115,12 +115,16 @@ spec:
 certificateAuthorityData:
 description: |-
 X.509 Certificate Authority (base64-encoded PEM bundle).
- Used to advertise the CA bundle for the impersonation proxy endpoint.
+ Used to advertise the CA bundle for TLS verification.
 type: string
 secretName:
 description: |-
 SecretName is the name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains
 the TLS serving certificate for the Concierge impersonation proxy endpoint.
+
+
+ If CertificateAuthorityData is not provided, the Concierge impersonation proxy will check this secret for
+ a field called "ca.crt", which will be used as the CA bundle to advertise for TLS verification.
 minLength: 1
 type: string
 type: object
diff --git a/generated/latest/README.adoc b/generated/latest/README.adoc
index ba03e684a..b6371e1fb 100644
--- a/generated/latest/README.adoc
+++ b/generated/latest/README.adoc
@@ -622,11 +622,11 @@ If this field is empty, the impersonation proxy will generate its own TLS certif
 ==== ImpersonationProxyTLSSpec
 ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should
-serve TLS.
+serve TLS and what CA bundle to advertise for TLS verification.
 If CertificateAuthorityData is not provided, the Concierge impersonation proxy will check the secret
-for a field called "ca.crt", which will be used as the CertificateAuthorityData.
+for a field called "ca.crt", which will be used as the CA bundle to advertise for TLS verification.
 If neither CertificateAuthorityData nor ca.crt is provided, no CA bundle will be advertised for
@@ -641,9 +641,13 @@ the impersonation proxy endpoint.
 |===
 | Field | Description
 | *`certificateAuthorityData`* __string__ | X.509 Certificate Authority (base64-encoded PEM bundle). +
-Used to advertise the CA bundle for the impersonation proxy endpoint. +
+Used to advertise the CA bundle for TLS verification. +
 | *`secretName`* __string__ | SecretName is the name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains +
 the TLS serving certificate for the Concierge impersonation proxy endpoint. +
+
+
+If CertificateAuthorityData is not provided, the Concierge impersonation proxy will check this secret for +
+a field called "ca.crt", which will be used as the CA bundle to advertise for TLS verification. +
 |===
diff --git a/generated/latest/apis/concierge/config/v1alpha1/types_credentialissuer.go b/generated/latest/apis/concierge/config/v1alpha1/types_credentialissuer.go
index de976f5c1..6b908a90d 100644
--- a/generated/latest/apis/concierge/config/v1alpha1/types_credentialissuer.go
+++ b/generated/latest/apis/concierge/config/v1alpha1/types_credentialissuer.go
@@ -83,16 +83,16 @@ const (
 )
 // ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should
-// serve TLS.
+// serve TLS and what CA bundle to advertise for TLS verification.
 //
 // If CertificateAuthorityData is not provided, the Concierge impersonation proxy will check the secret
-// for a field called "ca.crt", which will be used as the CertificateAuthorityData.
+// for a field called "ca.crt", which will be used as the CA bundle to advertise for TLS verification.
 //
 // If neither CertificateAuthorityData nor ca.crt is provided, no CA bundle will be advertised for
 // the impersonation proxy endpoint.
 type ImpersonationProxyTLSSpec struct {
 // X.509 Certificate Authority (base64-encoded PEM bundle).
- // Used to advertise the CA bundle for the impersonation proxy endpoint.
+ // Used to advertise the CA bundle for TLS verification.
 //
 // +optional
 CertificateAuthorityData string `json:"certificateAuthorityData,omitempty"`
@@ -100,6 +100,9 @@ type ImpersonationProxyTLSSpec struct {
 // SecretName is the name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains
 // the TLS serving certificate for the Concierge impersonation proxy endpoint.
 //
+ // If CertificateAuthorityData is not provided, the Concierge impersonation proxy will check this secret for
+ // a field called "ca.crt", which will be used as the CA bundle to advertise for TLS verification.
+ //
 // +kubebuilder:validation:MinLength=1
 SecretName string `json:"secretName,omitempty"`
 }