diff --git a/Gopkg.lock b/Gopkg.lock
index 1ee5710ddf8..5a0163917c7 100644
--- a/Gopkg.lock
+++ b/Gopkg.lock
@@ -364,14 +364,14 @@
 version = "1.0.1"
 [[projects]]
- digest = "1:68214731af5ff5a3bfab4d28571578e5522bc4f667ad1232745d7b4189ccb442"
+ digest = "1:10f7c2bfcf2b6ad513e994354d0abefa396100c3cee4059e9f1c0e4f4743d064"
 name = "github.com/openshift/api"
 packages = [
 "config/v1",
 "route/v1",
 ]
 pruneopts = "NUT"
- revision = "8241b16bb46fe9bd7aebbbce92d7af84fb71be7f"
+ revision = "4703f3e71d833812a81e0fa3a2da1257e3efd85c"
 [[projects]]
 digest = "1:6b1540f37963c713da08d8463791201d8469e8c755ed66a0b54ee424b15ea401"
diff --git a/Gopkg.toml b/Gopkg.toml
index 6101f169ed3..059eb861a32 100644
--- a/Gopkg.toml
+++ b/Gopkg.toml
@@ -82,7 +82,7 @@ ignored = [
 [[constraint]]
 name = "github.com/openshift/api"
- revision = "8241b16bb46fe9bd7aebbbce92d7af84fb71be7f"
+ revision = "4703f3e71d833812a81e0fa3a2da1257e3efd85c"
 [[constraint]]
 name = "github.com/openshift/client-go"
diff --git a/data/data/manifests/openshift/cluster-authentication-crd.yaml b/data/data/manifests/openshift/cluster-authentication-crd.yaml
new file mode 100644
index 00000000000..39599974e74
--- /dev/null
+++ b/data/data/manifests/openshift/cluster-authentication-crd.yaml
@@ -0,0 +1,18 @@
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: authentications.config.openshift.io
+spec:
+ group: config.openshift.io
+ names:
+ kind: Authentication
+ listKind: AuthenticationList
+ plural: authentications
+ singular: authentication
+ scope: Cluster
+ subresources:
+ status: {}
+ versions:
+ - name: v1
+ served: true
+ storage: true
diff --git a/data/data/manifests/openshift/cluster-oauth-crd.yaml b/data/data/manifests/openshift/cluster-oauth-crd.yaml
new file mode 100644
index 00000000000..fcc40fa7e35
--- /dev/null
+++ b/data/data/manifests/openshift/cluster-oauth-crd.yaml
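Review bot: Neither new CRD declares a `validation.openAPIV3Schema` (this hunk for authentications.config.openshift.io, and cluster-oauth-crd.yaml in the next hunk), so the API server will store whatever appears under `spec` of these cluster-scoped objects without checking it. The OAuth object in particular carries identity-provider and token-lifetime settings, so a misspelled key there is silently kept rather than rejected. If the schema is intentionally left out while the vendored types are still changing, a YAML comment saying so would make that explicit; otherwise a schema derived from the types in this same vendor bump would close the gap.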
@@ -0,0 +1,18 @@
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: oauths.config.openshift.io
+spec:
+ group: config.openshift.io
+ names:
+ kind: OAuth
+ listKind: OAuthList
+ plural: oauths
+ singular: oauth
+ scope: Cluster
+ subresources:
+ status: {}
+ versions:
+ - name: v1
+ served: true
+ storage: true
diff --git a/pkg/asset/manifests/authentication.go b/pkg/asset/manifests/authentication.go
new file mode 100644
index 00000000000..eec7ccdc112
--- /dev/null
+++ b/pkg/asset/manifests/authentication.go
@@ -0,0 +1,90 @@
+package manifests
+
+import (
+ "path/filepath"
+
+ "github.com/ghodss/yaml"
+ "github.com/pkg/errors"
+
+ "github.com/openshift/installer/pkg/asset"
+ "github.com/openshift/installer/pkg/asset/installconfig"
+ "github.com/openshift/installer/pkg/asset/templates/content"
+
+ configv1 "github.com/openshift/api/config/v1"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+var (
+ authCrdFilename = "cluster-authentication-crd.yaml"
+ authCfgFilename = filepath.Join(manifestDir, "cluster-authentication-config.yml")
+)
+
+// Authentication generates the authentication-*.yml files.
+type Authentication struct {
+ config *configv1.Authentication
+ FileList []*asset.File
+}
+
+var _ asset.WritableAsset = (*Authentication)(nil)
+
+// Name returns a human friendly name for the asset.
+func (*Authentication) Name() string {
+ return "Authentication Config"
+}
+
+// Dependencies returns all of the dependencies directly needed to generate
+// the asset.
+func (*Authentication) Dependencies() []asset.Asset {
+ return []asset.Asset{
+ &installconfig.InstallConfig{},
+ }
+}
+
+// Generate generates the Authentication and its CRD.
+func (a *Authentication) Generate(dependencies asset.Parents) error {
+ installConfig := &installconfig.InstallConfig{}
+ dependencies.Get(installConfig)
+
+ a.config = &configv1.Authentication{
+ TypeMeta: metav1.TypeMeta{
+ Kind: "Authentication",
+ APIVersion: configv1.GroupVersion.String(),
+ },
+ ObjectMeta: metav1.ObjectMeta{
+ Name: "cluster",
+ },
+ }
+
+ configData, err := yaml.Marshal(a.config)
+ if err != nil {
+ return errors.Wrapf(err, "failed to generate data for asset: %s", a.Name())
+ }
+
+ crdData, err := content.GetOpenshiftTemplate(authCrdFilename)
+ if err != nil {
+ return errors.Wrapf(err, "failed to get contentes of %s", authCrdFilename)
+ }
+
+ a.FileList = []*asset.File{
+ {
+ Filename: filepath.Join(manifestDir, authCrdFilename),
+ Data: []byte(crdData),
+ },
+ {
+ Filename: authCfgFilename,
+ Data: configData,
+ },
+ }
+
+ return nil
+}
+
+// Files returns the files generated by the asset.
+func (a *Authentication) Files() []*asset.File {
+ return a.FileList
+}
+
+// Load returns false since this asset is not written to disk by the installer.
+func (a *Authentication) Load(f asset.FileFetcher) (bool, error) {
+ return false, nil
+}
diff --git a/pkg/asset/manifests/oauth.go b/pkg/asset/manifests/oauth.go
new file mode 100644
index 00000000000..3bdec97c76b
--- /dev/null
+++ b/pkg/asset/manifests/oauth.go
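Review bot: Generate fetches `installConfig` via `dependencies.Get(installConfig)` but never reads it afterwards, and Dependencies() lists `&installconfig.InstallConfig{}` only for that unused value; either drop both or add a comment stating why the dependency is declared (for instance to order generation). The same unused fetch appears in oauth.go in the next hunk. The error string on the `GetOpenshiftTemplate` failure has a typo and should read `"failed to get contents of %s"`. The type comment `// Authentication generates the authentication-*.yml files.` does not match the files actually emitted, `cluster-authentication-crd.yaml` and `cluster-authentication-config.yml`; a note near the filename vars that the config file sorts before the CRD file by name would also help, in case the manifests are applied in name order, which I cannot tell from this diff.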
@@ -0,0 +1,96 @@
+package manifests
+
+import (
+ "path/filepath"
+
+ "github.com/ghodss/yaml"
+ "github.com/pkg/errors"
+
+ "github.com/openshift/installer/pkg/asset"
+ "github.com/openshift/installer/pkg/asset/installconfig"
+ "github.com/openshift/installer/pkg/asset/templates/content"
+
+ configv1 "github.com/openshift/api/config/v1"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+var (
+ oauthCrdFilename = "cluster-oauth-crd.yaml"
+ oauthCfgFilename = filepath.Join(manifestDir, "cluster-oauth-config.yml")
+)
+
+// OAuth generates the authentication-*.yml files.
+type OAuth struct {
+ config *configv1.OAuth
+ FileList []*asset.File
+}
+
+var _ asset.WritableAsset = (*OAuth)(nil)
+
+// Name returns a human friendly name for the asset.
+func (*OAuth) Name() string {
+ return "OAuth Config"
+}
+
+// Dependencies returns all of the dependencies directly needed to generate
+// the asset.
+func (*OAuth) Dependencies() []asset.Asset {
+ return []asset.Asset{
+ &installconfig.InstallConfig{},
+ }
+}
+
+// Generate generates the OAuth and its CRD.
+func (o *OAuth) Generate(dependencies asset.Parents) error {
+ installConfig := &installconfig.InstallConfig{}
+ dependencies.Get(installConfig)
+
+ o.config = &configv1.OAuth{
+ TypeMeta: metav1.TypeMeta{
+ Kind: "OAuth",
+ APIVersion: configv1.GroupVersion.String(),
+ },
+ ObjectMeta: metav1.ObjectMeta{
+ Name: "cluster",
+ },
+ Spec: configv1.OAuthSpec{
+ TokenConfig: configv1.TokenConfig{
+ AuthorizeTokenMaxAgeSeconds: 5 * 60, // 5 minutes
+ AccessTokenMaxAgeSeconds: 24 * 60 * 60, // 1 day
+ },
+ },
+ }
+
+ configData, err := yaml.Marshal(o.config)
+ if err != nil {
+ return errors.Wrapf(err, "failed to generate data for asset: %s", o.Name())
+ }
+
+ crdData, err := content.GetOpenshiftTemplate(oauthCrdFilename)
+ if err != nil {
+ return errors.Wrapf(err, "failed to get contentes of %s", oauthCrdFilename)
+ }
+
+ o.FileList = []*asset.File{
+ {
+ Filename: filepath.Join(manifestDir, oauthCrdFilename),
+ Data: []byte(crdData),
+ },
+ {
+ Filename: oauthCfgFilename,
+ Data: configData,
+ },
+ }
+
+ return nil
+}
+
+// Files returns the files generated by the asset.
+func (o *OAuth) Files() []*asset.File {
+ return o.FileList
+}
+
+// Load returns false since this asset is not written to disk by the installer.
+func (o *OAuth) Load(f asset.FileFetcher) (bool, error) {
+ return false, nil
+}
diff --git a/pkg/asset/manifests/openshift.go b/pkg/asset/manifests/openshift.go
index 67a3c7fb34c..275ccc10b71 100644
--- a/pkg/asset/manifests/openshift.go
+++ b/pkg/asset/manifests/openshift.go
@@ -46,6 +46,8 @@ func (o *Openshift) Dependencies() []asset.Asset {
 return []asset.Asset{
 &installconfig.InstallConfig{},
 &ClusterK8sIO{},
+ &Authentication{},
+ &OAuth{},
 &machines.Worker{},
 &machines.Master{},
 &password.KubeadminPassword{},
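Review bot: The TokenConfig literal in Generate leaves `AccessTokenInactivityTimeoutSeconds` unset, which the vendored TokenConfig doc added later in this same diff describes as `x = 0 Tokens time out is disabled (default)`, so the 24-hour `AccessTokenMaxAgeSeconds` is the only bound on how long an issued access token remains usable; that reads as a deliberate choice and deserves a comment beside the two existing ones, e.g. `// AccessTokenInactivityTimeoutSeconds left at 0: inactivity timeout disabled`. `IdentityProviders` is also left nil and its json tag has no omitempty, so the emitted YAML will most likely carry `identityProviders: null` rather than an empty list; whether the consuming operator treats null like `[]` is not visible here and is worth confirming. The type comment `// OAuth generates the authentication-*.yml files.` was copied from authentication.go and should name the cluster-oauth files instead.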
@@ -62,9 +64,11 @@ func (o *Openshift) Generate(dependencies asset.Parents) error {
 installConfig := &installconfig.InstallConfig{}
 kubeadminPassword := &password.KubeadminPassword{}
 clusterk8sio := &ClusterK8sIO{}
+ authentication := &Authentication{}
+ oauth := &OAuth{}
 worker := &machines.Worker{}
 master := &machines.Master{}
- dependencies.Get(installConfig, clusterk8sio, worker, master, kubeadminPassword)
+ dependencies.Get(installConfig, clusterk8sio, authentication, oauth, worker, master, kubeadminPassword)
 var cloudCreds cloudCredsSecretData
 platform := installConfig.Config.Platform.Name()
 switch platform {
@@ -143,6 +147,8 @@ func (o *Openshift) Generate(dependencies asset.Parents) error {
 Data: data,
 })
 }
+ o.FileList = append(o.FileList, authentication.Files()...)
+ o.FileList = append(o.FileList, oauth.Files()...)
 return nil
 }
diff --git a/vendor/github.com/openshift/api/config/v1/types.go b/vendor/github.com/openshift/api/config/v1/types.go
index bfefb67d2f1..fe8f54fcf5b 100644
--- a/vendor/github.com/openshift/api/config/v1/types.go
+++ b/vendor/github.com/openshift/api/config/v1/types.go
@@ -12,6 +12,14 @@ type ConfigMapReference struct {
 Key string `json:"filename,omitempty"`
 }
+// LocalSecretReference references a secret within the local namespace
+type LocalSecretReference struct {
+ // Name of the secret in the local namespace
+ Name string `json:"name"`
+ // Key selects a specific key within the local secret. Must be a valid secret key.
+ Key string `json:"key,omitempty"`
+}
+
 // HTTPServingInfo holds configuration for serving HTTP
 type HTTPServingInfo struct {
 // ServingInfo is the HTTP serving information
diff --git a/vendor/github.com/openshift/api/config/v1/types_authentication.go b/vendor/github.com/openshift/api/config/v1/types_authentication.go
index 281dca7acd3..af181c34e72 100644
--- a/vendor/github.com/openshift/api/config/v1/types_authentication.go
+++ b/vendor/github.com/openshift/api/config/v1/types_authentication.go
@@ -7,7 +7,6 @@ import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 // Authentication holds cluster-wide information about Authentication. The canonical name is `cluster`
-// TODO this object is an example of a possible grouping and is subject to change or removal
 type Authentication struct {
 metav1.TypeMeta `json:",inline"`
 // Standard object's metadata.
@@ -20,13 +19,34 @@ type Authentication struct {
 }
 type AuthenticationSpec struct {
- // webhook token auth config (ttl)
- // external token address
- // serviceAccountOAuthGrantMethod or remove/disallow it as an option
+ // oauthMetadata contains the discovery endpoint data for OAuth 2.0
+ // Authorization Server Metadata for an external OAuth server.
+ // This discovery document can be viewed from its served location:
+ // oc get --raw '/.well-known/oauth-authorization-server'
+ // For further details, see the IETF Draft:
+ // https://tools.ietf.org/html/draft-ietf-oauth-discovery-04#section-2
+ // If oauthMetadata.name is non-empty, this value has precedence
+ // over the observed value stored in status.oauthMetadata
+ // +optional
+ OAuthMetadata ConfigMapReference `json:"oauthMetadata"`
+
+ // webhookTokenAuthenticators configures remote token reviewers.
+ // These remote authentication webhooks can be used to verify bearer tokens
+ // via the tokenreviews.authentication.k8s.io REST API. This is required to
+ // honor bearer tokens that are provisioned by an external authentication service.
+ WebhookTokenAuthenticators []WebhookTokenAuthenticator `json:"webhookTokenAuthenticators"`
 }
 type AuthenticationStatus struct {
- // internal token address
+ // oauthMetadata contains the discovery endpoint data for OAuth 2.0
+ // Authorization Server Metadata for an external OAuth server.
+ // This discovery document can be viewed from its served location:
+ // oc get --raw '/.well-known/oauth-authorization-server'
+ // For further details, see the IETF Draft:
+ // https://tools.ietf.org/html/draft-ietf-oauth-discovery-04#section-2
+ // This contains the observed value based on cluster state.
+ // An explicitly set value in spec.oauthMetadata has precedence over this field.
+ OAuthMetadata ConfigMapReference `json:"oauthMetadata"`
 }
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
@@ -37,3 +57,11 @@ type AuthenticationList struct {
 metav1.ListMeta `json:"metadata,omitempty"`
 Items []Authentication `json:"items"`
 }
+
+// webhookTokenAuthenticator holds the necessary configuration options for a remote token authenticator
+type WebhookTokenAuthenticator struct {
+ // kubeConfig contains kube config file data which describes how to access the remote webhook service.
+ // For further details, see:
+ // https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication
+ KubeConfig LocalSecretReference `json:"kubeConfig"`
+}
diff --git a/vendor/github.com/openshift/api/config/v1/types_infrastructure.go b/vendor/github.com/openshift/api/config/v1/types_infrastructure.go
index 234e872c0b8..fff867d7211 100644
--- a/vendor/github.com/openshift/api/config/v1/types_infrastructure.go
+++ b/vendor/github.com/openshift/api/config/v1/types_infrastructure.go
@@ -25,7 +25,13 @@ type InfrastructureSpec struct {
 }
 type InfrastructureStatus struct {
- // type
+ // cloudProvider is the IaaS provider that is running the cluster.
+ //
+ // Valid values are:
+ // - aws
+ // - openstack
+ // +optional
+ CloudProvider string `json:"cloudProvider,omitempty"`
 }
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
diff --git a/vendor/github.com/openshift/api/config/v1/types_network.go b/vendor/github.com/openshift/api/config/v1/types_network.go
index aaea1aab145..144ba15b532 100644
--- a/vendor/github.com/openshift/api/config/v1/types_network.go
+++ b/vendor/github.com/openshift/api/config/v1/types_network.go
@@ -13,20 +13,56 @@ type Network struct {
 // Standard object's metadata.
 metav1.ObjectMeta `json:"metadata,omitempty"`
- // spec holds user settable values for configuration
+ // spec holds user settable values for configuration.
 Spec NetworkSpec `json:"spec"`
 // status holds observed values from the cluster. They may not be overridden.
 Status NetworkStatus `json:"status"`
 }
+// NetworkSpec is the desired network configuration.
+// As a general rule, this SHOULD NOT be read directly. Instead, you should
+// consume the NetworkStatus, as it indicates the currently deployed configuration.
+// Currently, none of these fields may be changed after installation.
 type NetworkSpec struct {
- // serviceCIDR
- // servicePortRange
- // vxlanPort
- // ClusterNetworks []ClusterNetworkEntry `json:"clusterNetworks"`
+ // IP address pool to use for pod IPs.
+ ClusterNetwork []ClusterNetworkEntry `json:"clusterNetwork"`
+
+ // IP address pool for services.
+ // Currently, we only support a single entry here.
+ ServiceNetwork []string `json:"serviceNetwork"`
+
+ // NetworkType is the plugin that is to be deployed (e.g. OpenShiftSDN).
+ // This should match a value that the cluster-network-operator understands,
+ // or else no networking will be installed.
+ // Currently supported values are:
+ // - OpenShiftSDN
+ NetworkType string `json:"networkType"`
 }
+// NetworkStatus is the current network configuration.
 type NetworkStatus struct {
+ // IP address pool to use for pod IPs.
+ ClusterNetwork []ClusterNetworkEntry `json:"clusterNetwork"`
+
+ // IP address pool for services.
+ // Currently, we only support a single entry here.
+ ServiceNetwork []string `json:"serviceNetwork"`
+
+ // NetworkType is the plugin that is deployed (e.g. OpenShiftSDN).
+ NetworkType string `json:"networkType"`
+
+ // ClusterNetworkMTU is the MTU for inter-pod networking.
+ ClusterNetworkMTU int `json:"clusterNetworkMTU"`
+}
+
+// ClusterNetworkEntry is a contiguous block of IP addresses from which pod IPs
+// are allocated.
+type ClusterNetworkEntry struct {
+ // The complete block for pod IPs.
+ CIDR string `json:"cidr"`
+
+ // The size (prefix) of block to allocate to each node.
+ HostPrefix uint32 `json:"hostPrefix"`
 }
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
diff --git a/vendor/github.com/openshift/api/config/v1/types_oauth.go b/vendor/github.com/openshift/api/config/v1/types_oauth.go
index d4402ed3383..91cffacdc19 100644
--- a/vendor/github.com/openshift/api/config/v1/types_oauth.go
+++ b/vendor/github.com/openshift/api/config/v1/types_oauth.go
@@ -1,37 +1,550 @@ package v1 -import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" +) + +// OAuth Server and Identity Provider Config // +genclient // +genclient:nonNamespaced // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object // OAuth holds cluster-wide information about OAuth. The canonical name is `cluster` -// TODO this object is an example of a possible grouping and is subject to change or removal type OAuth struct { - metav1.TypeMeta `json:",inline"` - // Standard object's metadata. - metav1.ObjectMeta `json:"metadata,omitempty"` - - // spec holds user settable values for configuration - Spec OAuthSpec `json:"spec"` - // status holds observed values from the cluster. They may not be overridden. - Status OAuthStatus `json:"status"` + metav1.TypeMeta `json:",inline"` + metav1.ObjectMeta `json:"metadata"` + Spec OAuthSpec `json:"spec"` + Status OAuthStatus `json:"status,omitempty"` } +// OAuthSpec contains desired cluster auth configuration type OAuthSpec struct { - // options for configuring the embedded oauth server. - // possibly wellknown? + // identityProviders is an ordered list of ways for a user to identify themselves + IdentityProviders []OAuthIdentityProvider `json:"identityProviders"` + + // tokenConfig contains options for authorization and access tokens + TokenConfig TokenConfig `json:"tokenConfig"` + + // templates allow you to customize pages like the login page. 
+ // +optional + Templates OAuthTemplates `json:"templates"` } +// OAuthStatus shows current known state of OAuth server in the cluster type OAuthStatus struct { + // TODO Fill in } -// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +// TokenConfig holds the necessary configuration options for authorization and access tokens +type TokenConfig struct { + // authorizeTokenMaxAgeSeconds defines the maximum age of authorize tokens + AuthorizeTokenMaxAgeSeconds int32 `json:"authorizeTokenMaxAgeSeconds"` + // accessTokenMaxAgeSeconds defines the maximum age of access tokens + AccessTokenMaxAgeSeconds int32 `json:"accessTokenMaxAgeSeconds"` + // accessTokenInactivityTimeoutSeconds defines the default token + // inactivity timeout for tokens granted by any client. + // The value represents the maximum amount of time that can occur between + // consecutive uses of the token. Tokens become invalid if they are not + // used within this temporal window. The user will need to acquire a new + // token to regain access once a token times out. + // Valid values are integer values: + // x < 0 Tokens time out is enabled but tokens never timeout unless configured per client (e.g. 
`-1`) + // x = 0 Tokens time out is disabled (default) + // x > 0 Tokens time out if there is no activity for x seconds + // The current minimum allowed value for X is 300 (5 minutes) + // +optional + AccessTokenInactivityTimeoutSeconds int32 `json:"accessTokenInactivityTimeoutSeconds,omitempty"` +} + +const ( + // LoginTemplateKey is the default key of the login template + LoginTemplateKey = "login.html" + // ProviderSelectionTemplateKey is the default key for the provider selection template + ProviderSelectionTemplateKey = "providers.html" + // ErrorsTemplateKey is the default key for the errors template + ErrorsTemplateKey = "errors.html" +) + +// OAuthTemplates allow for customization of pages like the login page +type OAuthTemplates struct { + // login is a reference to a secret that specifies a go template to use to render the login page. + // If a key is not specified, the key `login.html` is used to locate the template data. + // If unspecified, the default login page is used. + // +optional + Login LocalSecretReference `json:"login,omitemtpy"` + + // providerSelection is a reference to a secret that specifies a go template to use to render + // the provider selection page. + // If a key is not specified, the key `providers.html` is used to locate the template data. + // If unspecified, the default provider selection page is used. + // +optional + ProviderSelection LocalSecretReference `json:"providerSelection,omitempty"` + + // error is a reference to a secret that specifies a go template to use to render error pages + // during the authentication or grant flow. + // If a key is not specified, the key `errrors.html` is used to locate the template data. + // If unspecified, the default error page is used. 
+ // +optional + Error LocalSecretReference `json:"error,omitempty"` +} + +// OAuthIdentityProvider provides identities for users authenticating using credentials +type OAuthIdentityProvider struct { + // name is used to qualify the identities returned by this provider. + // - It MUST be unique and not shared by any other identity provider used + // - It MUST be a vlid path segment: name cannot equal "." or ".." or contain "/" or "%" + // Ref: https://godoc.org/k8s.io/apimachinery/pkg/api/validation/path#ValidatePathSegmentName + Name string `json:"name"` + + // challenge indicates whether to issue WWW-Authenticate challenges for this provider + UseAsChallenger bool `json:"challenge"` + // login indicates whether to use this identity provider for unauthenticated browsers to login against + UseAsLogin bool `json:"login"` + + // mappingMethod determines how identities from this provider are mapped to users + // Defaults to "claim" + // +optional + MappingMethod MappingMethodType `json:"mappingMethod"` + + // grantMethod: allow, deny, prompt + // This method will be used only if the specific OAuth client doesn't provide a strategy + // of their own. Valid grant handling methods are: + // - auto: always approves grant requests, useful for trusted clients + // - prompt: prompts the end user for approval of grant requests, useful for third-party clients + // - deny: always denies grant requests, useful for black-listed clients + // Defaults to "prompt" if not set. + // +optional + GrantMethod GrantHandlerType `json:"grantMethod"` + + // IdentityProvidersConfig + ProviderConfig IdentityProviderConfig `json:",inline"` +} + +// MappingMethodType specifies how new identities should be mapped to users when they log in +type MappingMethodType string + +const ( + // MappingMethodClaim provisions a user with the identity’s preferred user name. Fails if a user + // with that user name is already mapped to another identity. + // Default. 
+ MappingMethodClaim MappingMethodType = "claim" + + // MappingMethodLookup looks up existing users already mapped to an identity but does not + // automatically provision users or identities. Requires identities and users be set up + // manually or using an external process. + MappingMethodLookup MappingMethodType = "lookup" + + // MappingMethodAdd provisions a user with the identity’s preferred user name. If a user with + // that user name already exists, the identity is mapped to the existing user, adding to any + // existing identity mappings for the user. + MappingMethodAdd MappingMethodType = "add" + + // MappingMethodGenerate provisions a user with the identity’s preferred user name. If a user + // with the preferred user name is already mapped to an existing identity, a unique user name is + // generated, e.g. myuser2. This method should not be used in combination with external + // processes that require exact matches between openshift user names and the idp user name + // such as LDAP group sync. 
+ MappingMethodGenerate MappingMethodType = "generate" +) + +// GrantHandlerType are the valid strategies for handling grant requests +type GrantHandlerType string + +const ( + // GrantHandlerAuto auto-approves client authorization grant requests + GrantHandlerAuto GrantHandlerType = "auto" + // GrantHandlerPrompt prompts the user to approve new client authorization grant requests + GrantHandlerPrompt GrantHandlerType = "prompt" + // GrantHandlerDeny auto-denies client authorization grant requests + GrantHandlerDeny GrantHandlerType = "deny" +) + +type IdentityProviderType string + +const ( + // IdentityProviderTypeBasicAuth provides identities for users authenticating with HTTP Basic Auth + IdentityProviderTypeBasicAuth IdentityProviderType = "BasicAuth" + + // IdentityProviderTypeAllowAll provides identities for all users authenticating using non-empty passwords + IdentityProviderTypeAllowAll IdentityProviderType = "AllowAll" + + // IdentityProviderTypeDenyAll provides no identities for users + IdentityProviderTypeDenyAll IdentityProviderType = "DenyAll" + + // IdentityProviderTypeHTPasswd provides identities from an HTPasswd file + IdentityProviderTypeHTPasswd IdentityProviderType = "HTPasswd" + + // IdentityProviderTypeLDAP provides identities for users authenticating using LDAP credentials + IdentityProviderTypeLDAP IdentityProviderType = "LDAP" + + // IdentityProviderTypeKeystone provides identitities for users authenticating using keystone password credentials + IdentityProviderTypeKeystone IdentityProviderType = "Keystone" + + // IdentityProviderTypeRequestHeader provides identities for users authenticating using request header credentials + IdentityProviderTypeRequestHeader IdentityProviderType = "RequestHeader" + + // IdentityProviderTypeGitHub provides identities for users authenticating using GitHub credentials + IdentityProviderTypeGitHub IdentityProviderType = "GitHub" + + // IdentityProviderTypeGitLab provides identities for users authenticating 
using GitLab credentials
+ IdentityProviderTypeGitLab IdentityProviderType = "GitLab"
+
+ // IdentityProviderTypeGoogle provides identities for users authenticating using Google credentials
+ IdentityProviderTypeGoogle IdentityProviderType = "Google"
+
+ // IdentityProviderTypeOpenID provides identities for users authenticating using OpenID credentials
+ IdentityProviderTypeOpenID IdentityProviderType = "OpenID"
+)
+
+// IdentityProviderConfig contains configuration for using a specific identity provider
+type IdentityProviderConfig struct {
+ // type identifies the identity provider type for this entry.
+ Type IdentityProviderType `json:"type"`
+
+ // Provider-specific configuration
+ // The json tag MUST match the `Type` specified above, case-insensitively
+ // e.g. For `Type: "LDAP"`, the `LDAPPasswordIdentityProvider` configuration should be provided
+
+ // basicAuth contains configuration options for the BasicAuth IdP
+ // +optional
+ BasicAuth *BasicAuthPasswordIdentityProvider `json:"basicAuth,omitempty"`
+
+ // allowAll enables the AllowAllIdentityProvider which provides identities for users
+ // authenticating using non-empty passwords.
+ // Defaults to `false`, i.e. allowAll set to off
+ // +optional
+ AllowAll bool `json:"allowAll,omitempty"`
+
+ // denyAll enables the DenyAllPasswordIdentityProvider which provides no identities for users
+ // Defaults to `false`, ie.
denyAll set to off
+ // +optional
+ DenyAll bool `json:"denyAll,omitempty"`
+
+ // htpasswd enables user authentication using an HTPasswd file to validate credentials
+ // +optional
+ HTPasswd *HTPasswdPasswordIdentityProvider `json:"htpasswd,omitempty"`
+
+ // ldap enables user authentication using LDAP credentials
+ // +optional
+ LDAP *LDAPPasswordIdentityProvider `json:"ldap,omitempty"`
+
+ // keystone enables user authentication using keystone password credentials
+ // +optional
+ Keystone *KeystonePasswordIdentityProvider `json:"keystone,omitempty"`
+
+ // requestHeader enables user authentication using request header credentials
+ RequestHeader *RequestHeaderIdentityProvider `json:"requestHeader,omitempty"`
+
+ // github enables user authentication using GitHub credentials
+ // +optional
+ GitHub *GitHubIdentityProvider `json:"github,omitempty"`
+
+ // gitlab enables user authentication using GitLab credentials
+ // +optional
+ GitLab *GitLabIdentityProvider `json:"gitlab,omitempty"`
+
+ // google enables user authentication using Google credentials
+ // +optional
+ Google *GoogleIdentityProvider `json:"google,omitempty"`
+
+ // openID enables user authentication using OpenID credentials
+ // +optional
+ OpenID *OpenIDIdentityProvider `json:"openID,omitempty"`
+}
+
+// BasicAuthPasswordIdentityProvider provides identities for users authenticating using HTTP basic auth credentials
+type BasicAuthPasswordIdentityProvider struct {
+ // OAuthRemoteConnectionInfo contains information about how to connect to the external basic auth server
+ OAuthRemoteConnectionInfo `json:",inline"`
+}
+
+// RemoteConnectionInfo holds information necessary for establishing a remote connection
+type OAuthRemoteConnectionInfo struct {
+ // url is the remote URL to connect to
+ URL string `json:"url"`
+ // ca is a reference to a ConfigMap containing the CA for verifying TLS connections
+ CA ConfigMapReference `json:"ca"`
+
+ // tlsClientCert references a secret containing the TLS
client certificate to present when
+ // connecting to the server.
+ // Looks under the key "tls.cert" for the data unless a lookup key is specified in the secret ref
+ TLSClientCert LocalSecretReference `json:"tlsClientCert"`
+
+ // tlsClientKey references a secret containing the TLS private key for the client certificate
+ // Looks under the key "tls.key" for the data unless a lookup key is specified in the secret ref
+ TLSClientKey LocalSecretReference `json:"tlsClientKey"`
+}
+
+// HTPasswdDataKey is the default key for the htpasswd file data in a secret
+const HTPasswdDataKey = "htpasswd"
+
+// HTPasswdPasswordIdentityProvider provides identities for users authenticating using htpasswd credentials
+type HTPasswdPasswordIdentityProvider struct {
+ // fileData is a reference to a secret containing the data to use as the htpasswd file
+ // Looks under the key `htpasswd` unless a lookup key is specified in the secret ref
+ FileData LocalSecretReference `json:"fileData"`
+}
+
+const (
+ // BindPasswordKey is default the key for the LDAP bind password in a secret
+ BindPasswordKey = "bindPassword"
+ // ClientSecretKey is the key for the oauth client secret data in a secret
+ ClientSecretKey = "clientSecret"
+)
+
+// LDAPPasswordIdentityProvider provides identities for users authenticating using LDAP credentials
+type LDAPPasswordIdentityProvider struct {
+ // url is an RFC 2255 URL which specifies the LDAP search parameters to use.
+ // The syntax of the URL is:
+ // ldap://host:port/basedn?attribute?scope?filter
+ URL string `json:"url"`
+
+ // bindDN is an optional DN to bind with during the search phase.
+ // +optional
+ BindDN string `json:"bindDN"`
+
+ // bindPassword is a reference to the secret containing an optional password to bind
+ // with during the search phase.
+ // Looks under the key `bindPassword` unless a lookup key is specified in the secret ref
+ // +optional
+ BindPassword LocalSecretReference `json:"bindPassword"`
+
+ // insecure, if true, indicates the connection should not use TLS
+ // WARNING: Should not be set to `true` with the URL scheme "ldaps://" as "ldaps://" URLs always
+ // attempt to connect using TLS, even when `insecure` is set to `true`
+ // When `true`, "ldap://" URLS connect insecurely. When `false`, "ldap://" URLs are upgraded to
+ // a TLS connection using StartTLS as specified in https://tools.ietf.org/html/rfc2830.
+ Insecure bool `json:"insecure"`
+
+ // ca is a reference to a ConfigMap containing an optional trusted certificate authority bundle
+ // to use when making requests to the server.
+ // If empty, the default system roots are used.
+ // +optional
+ CA ConfigMapReference `json:"ca"`
+
+ // attributes maps LDAP attributes to identities
+ Attributes LDAPAttributeMapping `json:"attributes"`
+}
+
+// LDAPAttributeMapping maps LDAP attributes to OpenShift identity fields
+type LDAPAttributeMapping struct {
+ // id is the list of attributes whose values should be used as the user ID. Required.
+ // First non-empty attribute is used. At least one attribute is required. If none of the listed
+ // attribute have a value, authentication fails.
+ // LDAP standard identity attribute is "dn"
+ ID []string `json:"id"`
+ // preferredUsername is the list of attributes whose values should be used as the preferred username.
+ // LDAP standard login attribute is "uid"
+ // +optional
+ PreferredUsername []string `json:"preferredUsername"`
+ // name is the list of attributes whose values should be used as the display name. Optional.
+ // If unspecified, no display name is set for the identity
+ // LDAP standard display name attribute is "cn"
+ // +optional
+ Name []string `json:"name"`
+ // email is the list of attributes whose values should be used as the email address. Optional.
+ // If unspecified, no email is set for the identity
+ // +optional
+ Email []string `json:"email"`
+}
+
+// KeystonePasswordIdentityProvider provides identities for users authenticating using keystone password credentials
+type KeystonePasswordIdentityProvider struct {
+ // OAuthRemoteConnectionInfo contains information about how to connect to the keystone server
+ OAuthRemoteConnectionInfo `json:",inline"`
+ // domainName is required for keystone v3
+ DomainName string `json:"domainName"`
+ // useKeystoneIdentity flag indicates that user should be authenticated by username, not keystone ID
+ // DEPRECATED - only use this option for legacy systems to ensure backwards compatibiity
+ // +optional
+ LegacyLookupByUsername bool `json:"useKeystoneIdentity"`
+}
+
+// RequestHeaderIdentityProvider provides identities for users authenticating using request header credentials
+type RequestHeaderIdentityProvider struct {
+ // loginURL is a URL to redirect unauthenticated /authorize requests to
+ // Unauthenticated requests from OAuth clients which expect interactive logins will be redirected here
+ // ${url} is replaced with the current URL, escaped to be safe in a query parameter
+ // https://www.example.com/sso-login?then=${url}
+ // ${query} is replaced with the current query string
+ // https://www.example.com/auth-proxy/oauth/authorize?${query}
+ // Required when UseAsLogin is set to true.
+ LoginURL string `json:"loginURL"`
+
+ // challengeURL is a URL to redirect unauthenticated /authorize requests to
+ // Unauthenticated requests from OAuth clients which expect WWW-Authenticate challenges will be
+ // redirected here.
+ // ${url} is replaced with the current URL, escaped to be safe in a query parameter
+ // https://www.example.com/sso-login?then=${url}
+ // ${query} is replaced with the current query string
+ // https://www.example.com/auth-proxy/oauth/authorize?${query}
+ // Required when UseAsChallenger is set to true.
+ ChallengeURL string `json:"challengeURL"`
+
+ // clientCA is a reference to a configmap with the trusted signer certs. If empty, no request
+ // verification is done, and any direct request to the OAuth server can impersonate any identity
+ // from this provider, merely by setting a request header.
+ // +optional
+ ClientCA ConfigMapReference `json:"ca"`
+
+ // clientCommonNames is an optional list of common names to require a match from. If empty, any
+ // client certificate validated against the clientCA bundle is considered authoritative.
+ // +optional
+ ClientCommonNames []string `json:"clientCommonNames"`
+
+ // headers is the set of headers to check for identity information
+ Headers []string `json:"headers"`
+
+ // preferredUsernameHeaders is the set of headers to check for the preferred username
+ PreferredUsernameHeaders []string `json:"preferredUsernameHeaders"`
+
+ // nameHeaders is the set of headers to check for the display name
+ NameHeaders []string `json:"nameHeaders"`
+
+ // emailHeaders is the set of headers to check for the email address
+ EmailHeaders []string `json:"emailHeaders"`
+}
+
+// GitHubIdentityProvider provides identities for users authenticating using GitHub credentials
+type GitHubIdentityProvider struct {
+ // clientID is the oauth client ID
+ ClientID string `json:"clientID"`
+
+ // clientSecret is is a reference to the secret containing the oauth client secret
+ // The secret referenced must contain a key named `clientSecret` containing the secret data.
+ ClientSecret LocalSecretReference `json:"clientSecret"`
+
+ // organizations optionally restricts which organizations are allowed to log in
+ // +optional
+ Organizations []string `json:"organizations"`
+ // teams optionally restricts which teams are allowed to log in. Format is /.
+ // +optional
+ Teams []string `json:"teams"`
+
+ // hostname is the optional domain (e.g. "mycompany.com") for use with a hosted instance of
+ // GitHub Enterprise.
+ // It must match the GitHub Enterprise settings value configured at /setup/settings#hostname.
+ // +optional
+ Hostname string `json:"hostname"`
+
+ // ca is a reference to a ConfigMap containing an optional trusted certificate authority bundle
+ // to use when making requests to the server.
+ // If empty, the default system roots are used.
+ // This can only be configured when hostname is set to a non-empty value.
+ // +optional
+ CA ConfigMapReference `json:"ca"`
+}
+
+// GitLabIdentityProvider provides identities for users authenticating using GitLab credentials
+type GitLabIdentityProvider struct {
+ // ca is a reference to a ConfigMap containing an optional trusted certificate authority bundle
+ // to use when making requests to the server.
+ // If empty, the default system roots are used.
+ // +optional
+ CA ConfigMapReference `json:"ca"`
+
+ // url is the oauth server base URL
+ URL string `json:"url"`
+
+ // clientID is the oauth client ID
+ ClientID string `json:"clientID"`
+
+ // clientSecret is is a reference to the secret containing the oauth client secret
+ // The secret referenced must contain a key named `clientSecret` containing the secret data.
+ ClientSecret LocalSecretReference `json:"clientSecret"`
+
+ // legacy determines that OAuth2 should be used, not OIDC
+ // +optional
+ LegacyOAuth2 bool `json:"legacy,omitempty"`
+}
+
+// GoogleIdentityProvider provides identities for users authenticating using Google credentials
+type GoogleIdentityProvider struct {
+ // clientID is the oauth client ID
+ ClientID string `json:"clientID"`
+
+ // clientSecret is is a reference to the secret containing the oauth client secret
+ // The secret referenced must contain a key named `clientSecret` containing the secret data.
+ ClientSecret LocalSecretReference `json:"clientSecret"`
+
+ // hostedDomain is the optional Google App domain (e.g.
"mycompany.com") to restrict logins to
+ // +optional
+ HostedDomain string `json:"hostedDomain"`
+}
+
+// OpenIDIdentityProvider provides identities for users authenticating using OpenID credentials
+type OpenIDIdentityProvider struct {
+ // ca is a reference to a ConfigMap containing an optional trusted certificate authority bundle
+ // to use when making requests to the server.
+ // If empty, the default system roots are used.
+ // +optional
+ CA ConfigMapReference `json:"ca"`
+
+ // clientID is the oauth client ID
+ ClientID string `json:"clientID"`
+
+ // clientSecret is is a reference to the secret containing the oauth client secret
+ // The secret referenced must contain a key named `clientSecret` containing the secret data.
+ ClientSecret LocalSecretReference `json:"clientSecret"`
+
+ // extraScopes are any scopes to request in addition to the standard "openid" scope.
+ // +optional
+ ExtraScopes []string `json:"extraScopes"`
+
+ // extraAuthorizeParameters are any custom parameters to add to the authorize request.
+ // +optional
+ ExtraAuthorizeParameters map[string]string `json:"extraAuthorizeParameters"`
+
+ // urls to use to authenticate
+ URLs OpenIDURLs `json:"urls"`
+
+ // claims mappings
+ Claims OpenIDClaims `json:"claims"`
+}
+
+// OpenIDURLs are URLs to use when authenticating with an OpenID identity provider
+type OpenIDURLs struct {
+ // authorize is the oauth authorization URL
+ Authorize string `json:"authorize"`
+ // token is the oauth token granting URL
+ Token string `json:"token"`
+ // userInfo is the optional userinfo URL.
+ // If present, a granted access_token is used to request claims
+ // If empty, a granted id_token is parsed for claims
+ // +optional
+ UserInfo string `json:"userInfo"`
+}
+
+// UserIDClaim is used in the `ID` field for an `OpenIDClaim`
+// Per http://openid.net/specs/openid-connect-core-1_0.html#ClaimStability
+// "The sub (subject) and iss (issuer) Claims, used together, are the only Claims that an RP can
+// rely upon as a stable identifier for the End-User, since the sub Claim MUST be locally unique
+// and never reassigned within the Issuer for a particular End-User, as described in Section 2.
+// Therefore, the only guaranteed unique identifier for a given End-User is the combination of the
+// iss Claim and the sub Claim."
+const UserIDClaim = "sub"
+
+// OpenIDClaims contains a list of OpenID claims to use when authenticating with an OpenID identity provider
+type OpenIDClaims struct {
+ // preferredUsername is the list of claims whose values should be used as the preferred username.
+ // If unspecified, the preferred username is determined from the value of the id claim
+ // +optional
+ PreferredUsername []string `json:"preferredUsername"`
+ // name is the list of claims whose values should be used as the display name. Optional.
+ // If unspecified, no display name is set for the identity
+ // +optional
+ Name []string `json:"name"`
+ // email is the list of claims whose values should be used as the email address. Optional.
+ // If unspecified, no email is set for the identity
+ // +optional
+ Email []string `json:"email"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 type OAuthList struct {
 metav1.TypeMeta `json:",inline"`
- // Standard object's metadata.
 metav1.ListMeta `json:"metadata,omitempty"`
 Items []OAuth `json:"items"`
 }
diff --git a/vendor/github.com/openshift/api/config/v1/types_swagger_doc_generated.go b/vendor/github.com/openshift/api/config/v1/types_swagger_doc_generated.go index 8f433b01558..55b534c2e12 100644 --- a/vendor/github.com/openshift/api/config/v1/types_swagger_doc_generated.go +++ b/vendor/github.com/openshift/api/config/v1/types_swagger_doc_generated.go @@ -162,6 +162,16 @@ func (LeaderElection) SwaggerDoc() map[string]string { return map_LeaderElection } +var map_LocalSecretReference = map[string]string{ + "": "LocalSecretReference references a secret within the local namespace", + "name": "Name of the secret in the local namespace", + "key": "Key selects a specific key within the local secret. Must be a valid secret key.", +} + +func (LocalSecretReference) SwaggerDoc() map[string]string { + return map_LocalSecretReference +} + var map_NamedCertificate = map[string]string{ "": "NamedCertificate specifies a certificate/key, and the names it should be served for", "names": "Names is a list of DNS names this certificate should be used to secure A name can be a normal DNS name, or can contain leading wildcard segments.", diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.deepcopy.go b/vendor/github.com/openshift/api/config/v1/zz_generated.deepcopy.go index 2e376017cf1..2bb7382f765 100644 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.deepcopy.go +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.deepcopy.go @@ -48,7 +48,7 @@ func (in *Authentication) DeepCopyInto(out *Authentication) { *out = *in out.TypeMeta = in.TypeMeta in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) - out.Spec = in.Spec + in.Spec.DeepCopyInto(&out.Spec) out.Status = in.Status return } 
@@ -107,6 +107,12 @@ func (in *AuthenticationList) DeepCopyObject() runtime.Object { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *AuthenticationSpec) DeepCopyInto(out *AuthenticationSpec) { *out = *in + out.OAuthMetadata = in.OAuthMetadata + if in.WebhookTokenAuthenticators != nil { + in, out := &in.WebhookTokenAuthenticators, &out.WebhookTokenAuthenticators + *out = make([]WebhookTokenAuthenticator, len(*in)) + copy(*out, *in) + } return } @@ -123,6 +129,7 @@ func (in *AuthenticationSpec) DeepCopy() *AuthenticationSpec { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *AuthenticationStatus) DeepCopyInto(out *AuthenticationStatus) { *out = *in + out.OAuthMetadata = in.OAuthMetadata return } @@ -136,6 +143,23 @@ func (in *AuthenticationStatus) DeepCopy() *AuthenticationStatus { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *BasicAuthPasswordIdentityProvider) DeepCopyInto(out *BasicAuthPasswordIdentityProvider) { + *out = *in + out.OAuthRemoteConnectionInfo = in.OAuthRemoteConnectionInfo + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BasicAuthPasswordIdentityProvider. +func (in *BasicAuthPasswordIdentityProvider) DeepCopy() *BasicAuthPasswordIdentityProvider { + if in == nil { + return nil + } + out := new(BasicAuthPasswordIdentityProvider) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *Build) DeepCopyInto(out *Build) { *out = *in 
@@ -305,6 +329,22 @@ func (in *ClientConnectionOverrides) DeepCopy() *ClientConnectionOverrides { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ClusterNetworkEntry) DeepCopyInto(out *ClusterNetworkEntry) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterNetworkEntry. +func (in *ClusterNetworkEntry) DeepCopy() *ClusterNetworkEntry { + if in == nil { + return nil + } + out := new(ClusterNetworkEntry) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ClusterOperator) DeepCopyInto(out *ClusterOperator) { *out = *in 
@@ -895,6 +935,86 @@ func (in *GenericControllerConfig) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *GitHubIdentityProvider) DeepCopyInto(out *GitHubIdentityProvider) { + *out = *in + out.ClientSecret = in.ClientSecret + if in.Organizations != nil { + in, out := &in.Organizations, &out.Organizations + *out = make([]string, len(*in)) + copy(*out, *in) + } + if in.Teams != nil { + in, out := &in.Teams, &out.Teams + *out = make([]string, len(*in)) + copy(*out, *in) + } + out.CA = in.CA + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubIdentityProvider. +func (in *GitHubIdentityProvider) DeepCopy() *GitHubIdentityProvider { + if in == nil { + return nil + } + out := new(GitHubIdentityProvider) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *GitLabIdentityProvider) DeepCopyInto(out *GitLabIdentityProvider) { + *out = *in + out.CA = in.CA + out.ClientSecret = in.ClientSecret + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitLabIdentityProvider. +func (in *GitLabIdentityProvider) DeepCopy() *GitLabIdentityProvider { + if in == nil { + return nil + } + out := new(GitLabIdentityProvider) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *GoogleIdentityProvider) DeepCopyInto(out *GoogleIdentityProvider) { + *out = *in + out.ClientSecret = in.ClientSecret + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GoogleIdentityProvider. 
+func (in *GoogleIdentityProvider) DeepCopy() *GoogleIdentityProvider { + if in == nil { + return nil + } + out := new(GoogleIdentityProvider) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *HTPasswdPasswordIdentityProvider) DeepCopyInto(out *HTPasswdPasswordIdentityProvider) { + *out = *in + out.FileData = in.FileData + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HTPasswdPasswordIdentityProvider. +func (in *HTPasswdPasswordIdentityProvider) DeepCopy() *HTPasswdPasswordIdentityProvider { + if in == nil { + return nil + } + out := new(HTPasswdPasswordIdentityProvider) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *HTTPServingInfo) DeepCopyInto(out *HTTPServingInfo) { *out = *in 
@@ -940,6 +1060,103 @@ func (in *IdentityProvider) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *IdentityProviderConfig) DeepCopyInto(out *IdentityProviderConfig) { + *out = *in + if in.BasicAuth != nil { + in, out := &in.BasicAuth, &out.BasicAuth + if *in == nil { + *out = nil + } else { + *out = new(BasicAuthPasswordIdentityProvider) + **out = **in + } + } + if in.HTPasswd != nil { + in, out := &in.HTPasswd, &out.HTPasswd + if *in == nil { + *out = nil + } else { + *out = new(HTPasswdPasswordIdentityProvider) + **out = **in + } + } + if in.LDAP != nil { + in, out := &in.LDAP, &out.LDAP + if *in == nil { + *out = nil + } else { + *out = new(LDAPPasswordIdentityProvider) + (*in).DeepCopyInto(*out) + } + } + if in.Keystone != nil { + in, out := &in.Keystone, &out.Keystone + if *in == nil { + *out = nil + } else { + *out = new(KeystonePasswordIdentityProvider) + **out = **in + } + } + if in.RequestHeader != nil { + in, out := &in.RequestHeader, &out.RequestHeader + if *in == nil { + *out = nil + } else { + *out = new(RequestHeaderIdentityProvider) + (*in).DeepCopyInto(*out) + } + } + if in.GitHub != nil { + in, out := &in.GitHub, &out.GitHub + if *in == nil { + *out = nil + } else { + *out = new(GitHubIdentityProvider) + (*in).DeepCopyInto(*out) + } + } + if in.GitLab != nil { + in, out := &in.GitLab, &out.GitLab + if *in == nil { + *out = nil + } else { + *out = new(GitLabIdentityProvider) + **out = **in + } + } + if in.Google != nil { + in, out := &in.Google, &out.Google + if *in == nil { + *out = nil + } else { + *out = new(GoogleIdentityProvider) + **out = **in + } + } + if in.OpenID != nil { + in, out := &in.OpenID, &out.OpenID + if *in == nil { + *out = nil + } else { + *out = new(OpenIDIdentityProvider) + (*in).DeepCopyInto(*out) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a 
new IdentityProviderConfig. +func (in *IdentityProviderConfig) DeepCopy() *IdentityProviderConfig { + if in == nil { + return nil + } + out := new(IdentityProviderConfig) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *IdentityProviderList) DeepCopyInto(out *IdentityProviderList) { *out = *in @@ -1316,6 +1533,23 @@ func (in *IngressStatus) DeepCopy() *IngressStatus { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *KeystonePasswordIdentityProvider) DeepCopyInto(out *KeystonePasswordIdentityProvider) { + *out = *in + out.OAuthRemoteConnectionInfo = in.OAuthRemoteConnectionInfo + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KeystonePasswordIdentityProvider. +func (in *KeystonePasswordIdentityProvider) DeepCopy() *KeystonePasswordIdentityProvider { + if in == nil { + return nil + } + out := new(KeystonePasswordIdentityProvider) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *KubeClientConfig) DeepCopyInto(out *KubeClientConfig) { *out = *in 
@@ -1333,6 +1567,61 @@ func (in *KubeClientConfig) DeepCopy() *KubeClientConfig { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *LDAPAttributeMapping) DeepCopyInto(out *LDAPAttributeMapping) { + *out = *in + if in.ID != nil { + in, out := &in.ID, &out.ID + *out = make([]string, len(*in)) + copy(*out, *in) + } + if in.PreferredUsername != nil { + in, out := &in.PreferredUsername, &out.PreferredUsername + *out = make([]string, len(*in)) + copy(*out, *in) + } + if in.Name != nil { + in, out := &in.Name, &out.Name + *out = make([]string, len(*in)) + copy(*out, *in) + } + if in.Email != nil { + in, out := &in.Email, &out.Email + *out = make([]string, len(*in)) + copy(*out, *in) + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LDAPAttributeMapping. +func (in *LDAPAttributeMapping) DeepCopy() *LDAPAttributeMapping { + if in == nil { + return nil + } + out := new(LDAPAttributeMapping) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *LDAPPasswordIdentityProvider) DeepCopyInto(out *LDAPPasswordIdentityProvider) { + *out = *in + out.BindPassword = in.BindPassword + out.CA = in.CA + in.Attributes.DeepCopyInto(&out.Attributes) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LDAPPasswordIdentityProvider. +func (in *LDAPPasswordIdentityProvider) DeepCopy() *LDAPPasswordIdentityProvider { + if in == nil { + return nil + } + out := new(LDAPPasswordIdentityProvider) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *LeaderElection) DeepCopyInto(out *LeaderElection) { *out = *in 
@@ -1352,6 +1641,22 @@ func (in *LeaderElection) DeepCopy() *LeaderElection { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *LocalSecretReference) DeepCopyInto(out *LocalSecretReference) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LocalSecretReference. +func (in *LocalSecretReference) DeepCopy() *LocalSecretReference { + if in == nil { + return nil + } + out := new(LocalSecretReference) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *NamedCertificate) DeepCopyInto(out *NamedCertificate) { *out = *in @@ -1379,8 +1684,8 @@ func (in *Network) DeepCopyInto(out *Network) { *out = *in out.TypeMeta = in.TypeMeta in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) - out.Spec = in.Spec - out.Status = in.Status + in.Spec.DeepCopyInto(&out.Spec) + in.Status.DeepCopyInto(&out.Status) return } @@ -1438,6 +1743,16 @@ func (in *NetworkList) DeepCopyObject() runtime.Object { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *NetworkSpec) DeepCopyInto(out *NetworkSpec) { *out = *in + if in.ClusterNetwork != nil { + in, out := &in.ClusterNetwork, &out.ClusterNetwork + *out = make([]ClusterNetworkEntry, len(*in)) + copy(*out, *in) + } + if in.ServiceNetwork != nil { + in, out := &in.ServiceNetwork, &out.ServiceNetwork + *out = make([]string, len(*in)) + copy(*out, *in) + } return } 
@@ -1454,6 +1769,16 @@ func (in *NetworkSpec) DeepCopy() *NetworkSpec { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *NetworkStatus) DeepCopyInto(out *NetworkStatus) { *out = *in + if in.ClusterNetwork != nil { + in, out := &in.ClusterNetwork, &out.ClusterNetwork + *out = make([]ClusterNetworkEntry, len(*in)) + copy(*out, *in) + } + if in.ServiceNetwork != nil { + in, out := &in.ServiceNetwork, &out.ServiceNetwork + *out = make([]string, len(*in)) + copy(*out, *in) + } return } @@ -1472,7 +1797,7 @@ func (in *OAuth) DeepCopyInto(out *OAuth) { *out = *in out.TypeMeta = in.TypeMeta in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) - out.Spec = in.Spec + in.Spec.DeepCopyInto(&out.Spec) out.Status = in.Status return } @@ -1495,6 +1820,23 @@ func (in *OAuth) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OAuthIdentityProvider) DeepCopyInto(out *OAuthIdentityProvider) { + *out = *in + in.ProviderConfig.DeepCopyInto(&out.ProviderConfig) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OAuthIdentityProvider. +func (in *OAuthIdentityProvider) DeepCopy() *OAuthIdentityProvider { + if in == nil { + return nil + } + out := new(OAuthIdentityProvider) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *OAuthList) DeepCopyInto(out *OAuthList) { *out = *in 
@@ -1528,9 +1870,37 @@ func (in *OAuthList) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OAuthRemoteConnectionInfo) DeepCopyInto(out *OAuthRemoteConnectionInfo) { + *out = *in + out.CA = in.CA + out.TLSClientCert = in.TLSClientCert + out.TLSClientKey = in.TLSClientKey + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OAuthRemoteConnectionInfo. +func (in *OAuthRemoteConnectionInfo) DeepCopy() *OAuthRemoteConnectionInfo { + if in == nil { + return nil + } + out := new(OAuthRemoteConnectionInfo) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *OAuthSpec) DeepCopyInto(out *OAuthSpec) { *out = *in + if in.IdentityProviders != nil { + in, out := &in.IdentityProviders, &out.IdentityProviders + *out = make([]OAuthIdentityProvider, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + out.TokenConfig = in.TokenConfig + out.Templates = in.Templates return } 
@@ -1560,6 +1930,104 @@ func (in *OAuthStatus) DeepCopy() *OAuthStatus { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OAuthTemplates) DeepCopyInto(out *OAuthTemplates) { + *out = *in + out.Login = in.Login + out.ProviderSelection = in.ProviderSelection + out.Error = in.Error + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OAuthTemplates. +func (in *OAuthTemplates) DeepCopy() *OAuthTemplates { + if in == nil { + return nil + } + out := new(OAuthTemplates) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OpenIDClaims) DeepCopyInto(out *OpenIDClaims) { + *out = *in + if in.PreferredUsername != nil { + in, out := &in.PreferredUsername, &out.PreferredUsername + *out = make([]string, len(*in)) + copy(*out, *in) + } + if in.Name != nil { + in, out := &in.Name, &out.Name + *out = make([]string, len(*in)) + copy(*out, *in) + } + if in.Email != nil { + in, out := &in.Email, &out.Email + *out = make([]string, len(*in)) + copy(*out, *in) + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OpenIDClaims. +func (in *OpenIDClaims) DeepCopy() *OpenIDClaims { + if in == nil { + return nil + } + out := new(OpenIDClaims) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *OpenIDIdentityProvider) DeepCopyInto(out *OpenIDIdentityProvider) { + *out = *in + out.CA = in.CA + out.ClientSecret = in.ClientSecret + if in.ExtraScopes != nil { + in, out := &in.ExtraScopes, &out.ExtraScopes + *out = make([]string, len(*in)) + copy(*out, *in) + } + if in.ExtraAuthorizeParameters != nil { + in, out := &in.ExtraAuthorizeParameters, &out.ExtraAuthorizeParameters + *out = make(map[string]string, len(*in)) + for key, val := range *in { + (*out)[key] = val + } + } + out.URLs = in.URLs + in.Claims.DeepCopyInto(&out.Claims) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OpenIDIdentityProvider. +func (in *OpenIDIdentityProvider) DeepCopy() *OpenIDIdentityProvider { + if in == nil { + return nil + } + out := new(OpenIDIdentityProvider) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OpenIDURLs) DeepCopyInto(out *OpenIDURLs) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OpenIDURLs. +func (in *OpenIDURLs) DeepCopy() *OpenIDURLs { + if in == nil { + return nil + } + out := new(OpenIDURLs) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *Project) DeepCopyInto(out *Project) { *out = *in 
@@ -1686,6 +2154,48 @@ func (in *RemoteConnectionInfo) DeepCopy() *RemoteConnectionInfo { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *RequestHeaderIdentityProvider) DeepCopyInto(out *RequestHeaderIdentityProvider) { + *out = *in + out.ClientCA = in.ClientCA + if in.ClientCommonNames != nil { + in, out := &in.ClientCommonNames, &out.ClientCommonNames + *out = make([]string, len(*in)) + copy(*out, *in) + } + if in.Headers != nil { + in, out := &in.Headers, &out.Headers + *out = make([]string, len(*in)) + copy(*out, *in) + } + if in.PreferredUsernameHeaders != nil { + in, out := &in.PreferredUsernameHeaders, &out.PreferredUsernameHeaders + *out = make([]string, len(*in)) + copy(*out, *in) + } + if in.NameHeaders != nil { + in, out := &in.NameHeaders, &out.NameHeaders + *out = make([]string, len(*in)) + copy(*out, *in) + } + if in.EmailHeaders != nil { + in, out := &in.EmailHeaders, &out.EmailHeaders + *out = make([]string, len(*in)) + copy(*out, *in) + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RequestHeaderIdentityProvider. +func (in *RequestHeaderIdentityProvider) DeepCopy() *RequestHeaderIdentityProvider { + if in == nil { + return nil + } + out := new(RequestHeaderIdentityProvider) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *Scheduling) DeepCopyInto(out *Scheduling) { *out = *in 
@@ -1841,6 +2351,22 @@ func (in *StringSourceSpec) DeepCopy() *StringSourceSpec { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *TokenConfig) DeepCopyInto(out *TokenConfig) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TokenConfig. +func (in *TokenConfig) DeepCopy() *TokenConfig { + if in == nil { + return nil + } + out := new(TokenConfig) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *Update) DeepCopyInto(out *Update) { *out = *in @@ -1856,3 +2382,20 @@ func (in *Update) DeepCopy() *Update { in.DeepCopyInto(out) return out } + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *WebhookTokenAuthenticator) DeepCopyInto(out *WebhookTokenAuthenticator) { + *out = *in + out.KubeConfig = in.KubeConfig + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WebhookTokenAuthenticator. +func (in *WebhookTokenAuthenticator) DeepCopy() *WebhookTokenAuthenticator { + if in == nil { + return nil + } + out := new(WebhookTokenAuthenticator) + in.DeepCopyInto(out) + return out +}