diff --git a/deploy/crds/crd-clusterissuers.yaml b/deploy/crds/crd-clusterissuers.yaml index f6bbe814e..8d850f68a 100644 --- a/deploy/crds/crd-clusterissuers.yaml +++ b/deploy/crds/crd-clusterissuers.yaml @@ -1195,11 +1195,6 @@ spec: required: - role properties: - audiences: - description: TokenAudiences is an optional list of extra audiences to include in the token passed to Vault. The default token consisting of the issuer's namespace and name is always included. - type: array - items: - type: string mountPath: description: The Vault mountPath here is the mount path to use when authenticating with Vault. For example, setting a value to `/v1/auth/foo`, will use the path `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the default value "/v1/auth/kubernetes" will be used. type: string @@ -1224,6 +1219,11 @@ spec: required: - name properties: + audiences: + description: TokenAudiences is an optional list of extra audiences to include in the token passed to Vault. The default token consisting of the issuer's namespace and name is always included. + type: array + items: + type: string name: description: Name of the ServiceAccount used to request a token. type: string diff --git a/deploy/crds/crd-issuers.yaml b/deploy/crds/crd-issuers.yaml index 252d78d42..924181324 100644 --- a/deploy/crds/crd-issuers.yaml +++ b/deploy/crds/crd-issuers.yaml @@ -1195,11 +1195,6 @@ spec: required: - role properties: - audiences: - description: TokenAudiences is an optional list of extra audiences to include in the token passed to Vault. The default token consisting of the issuer's namespace and name is always included. - type: array - items: - type: string mountPath: description: The Vault mountPath here is the mount path to use when authenticating with Vault. For example, setting a value to `/v1/auth/foo`, will use the path `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the default value "/v1/auth/kubernetes" will be used. type: string 
@@ -1224,6 +1219,11 @@ spec: required: - name properties: + audiences: + description: TokenAudiences is an optional list of extra audiences to include in the token passed to Vault. The default token consisting of the issuer's namespace and name is always included. + type: array + items: + type: string name: description: Name of the ServiceAccount used to request a token. type: string diff --git a/internal/apis/certmanager/types_issuer.go b/internal/apis/certmanager/types_issuer.go index c7b0a55ec..74c32b850 100644 --- a/internal/apis/certmanager/types_issuer.go +++ b/internal/apis/certmanager/types_issuer.go @@ -259,11 +259,6 @@ type VaultKubernetesAuth struct { // A required field containing the Vault Role to assume. A Role binds a // Kubernetes ServiceAccount with a set of Vault policies. Role string - - // TokenAudiences is an optional list of extra audiences to include in the token passed to Vault. The default token - // consisting of the issuer's namespace and name is always included. - // +optional - TokenAudiences []string } // ServiceAccountRef is a service account used by cert-manager to request a @@ -274,6 +269,11 @@ type VaultKubernetesAuth struct { type ServiceAccountRef struct { // Name of the ServiceAccount used to request a token. Name string + + // TokenAudiences is an optional list of extra audiences to include in the token passed to Vault. The default token + // consisting of the issuer's namespace and name is always included. + // +optional + TokenAudiences []string } // CAIssuer configures an issuer that can issue certificates from its provided diff --git a/internal/apis/certmanager/v1/zz_generated.conversion.go b/internal/apis/certmanager/v1/zz_generated.conversion.go index be5e6dcc7..c19ff7c59 100644 --- a/internal/apis/certmanager/v1/zz_generated.conversion.go +++ b/internal/apis/certmanager/v1/zz_generated.conversion.go 
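Review bot: The comment moved onto `ServiceAccountRef.TokenAudiences` still says "The default token consisting of the issuer's namespace and name is always included", but what is always included is a default audience, not a token (vault.go appends `defaultAudience` to this list). Suggested wording: `// TokenAudiences is an optional list of extra audiences to include in the token passed to Vault.` followed by `// The default audience, built from the issuer's namespace and name, is always included.` The same sentence is carried into the v1alpha2, v1alpha3, v1beta1 and pkg/apis/certmanager/v1 types_issuer.go hunks, and the first three also read "an option list" where "an optional list" is meant. The CRD descriptions repeat the text and would presumably pick up the fix on regeneration.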
@@ -1409,6 +1409,7 @@ func Convert_certmanager_SelfSignedIssuer_To_v1_SelfSignedIssuer(in *certmanager func autoConvert_v1_ServiceAccountRef_To_certmanager_ServiceAccountRef(in *v1.ServiceAccountRef, out *certmanager.ServiceAccountRef, s conversion.Scope) error { out.Name = in.Name + out.TokenAudiences = *(*[]string)(unsafe.Pointer(&in.TokenAudiences)) return nil } @@ -1419,6 +1420,7 @@ func Convert_v1_ServiceAccountRef_To_certmanager_ServiceAccountRef(in *v1.Servic func autoConvert_certmanager_ServiceAccountRef_To_v1_ServiceAccountRef(in *certmanager.ServiceAccountRef, out *v1.ServiceAccountRef, s conversion.Scope) error { out.Name = in.Name + out.TokenAudiences = *(*[]string)(unsafe.Pointer(&in.TokenAudiences)) return nil } @@ -1584,7 +1586,6 @@ func autoConvert_v1_VaultKubernetesAuth_To_certmanager_VaultKubernetesAuth(in *v } out.ServiceAccountRef = (*certmanager.ServiceAccountRef)(unsafe.Pointer(in.ServiceAccountRef)) out.Role = in.Role - out.TokenAudiences = *(*[]string)(unsafe.Pointer(&in.TokenAudiences)) return nil } @@ -1600,7 +1601,6 @@ func autoConvert_certmanager_VaultKubernetesAuth_To_v1_VaultKubernetesAuth(in *c } out.ServiceAccountRef = (*v1.ServiceAccountRef)(unsafe.Pointer(in.ServiceAccountRef)) out.Role = in.Role - out.TokenAudiences = *(*[]string)(unsafe.Pointer(&in.TokenAudiences)) return nil } diff --git a/internal/apis/certmanager/v1alpha2/types_issuer.go b/internal/apis/certmanager/v1alpha2/types_issuer.go index 1da4b5d01..7e726e2e3 100644 --- a/internal/apis/certmanager/v1alpha2/types_issuer.go +++ b/internal/apis/certmanager/v1alpha2/types_issuer.go 
@@ -279,11 +279,6 @@ type VaultKubernetesAuth struct { // A required field containing the Vault Role to assume. A Role binds a // Kubernetes ServiceAccount with a set of Vault policies. Role string `json:"role"` - - // TokenAudiences is an option list of extra audiences to include in the token passed to Vault. The default token - // consisting of the issuer's namespace and name is always included. - // +optional - TokenAudiences []string `json:"audiences,omitempty"` } // ServiceAccountRef is a service account used by cert-manager to request a @@ -294,6 +289,11 @@ type VaultKubernetesAuth struct { type ServiceAccountRef struct { // Name of the ServiceAccount used to request a token. Name string `json:"name"` + + // TokenAudiences is an option list of extra audiences to include in the token passed to Vault. The default token + // consisting of the issuer's namespace and name is always included. + // +optional + TokenAudiences []string `json:"audiences,omitempty"` } type CAIssuer struct { diff --git a/internal/apis/certmanager/v1alpha2/zz_generated.conversion.go b/internal/apis/certmanager/v1alpha2/zz_generated.conversion.go index c6301ce17..0dc97d222 100644 --- a/internal/apis/certmanager/v1alpha2/zz_generated.conversion.go +++ b/internal/apis/certmanager/v1alpha2/zz_generated.conversion.go @@ -1415,6 +1415,7 @@ func Convert_certmanager_SelfSignedIssuer_To_v1alpha2_SelfSignedIssuer(in *certm func autoConvert_v1alpha2_ServiceAccountRef_To_certmanager_ServiceAccountRef(in *ServiceAccountRef, out *certmanager.ServiceAccountRef, s conversion.Scope) error { out.Name = in.Name + out.TokenAudiences = *(*[]string)(unsafe.Pointer(&in.TokenAudiences)) return nil } 
@@ -1425,6 +1426,7 @@ func Convert_v1alpha2_ServiceAccountRef_To_certmanager_ServiceAccountRef(in *Ser func autoConvert_certmanager_ServiceAccountRef_To_v1alpha2_ServiceAccountRef(in *certmanager.ServiceAccountRef, out *ServiceAccountRef, s conversion.Scope) error { out.Name = in.Name + out.TokenAudiences = *(*[]string)(unsafe.Pointer(&in.TokenAudiences)) return nil } @@ -1590,7 +1592,6 @@ func autoConvert_v1alpha2_VaultKubernetesAuth_To_certmanager_VaultKubernetesAuth } out.ServiceAccountRef = (*certmanager.ServiceAccountRef)(unsafe.Pointer(in.ServiceAccountRef)) out.Role = in.Role - out.TokenAudiences = *(*[]string)(unsafe.Pointer(&in.TokenAudiences)) return nil } @@ -1606,7 +1607,6 @@ func autoConvert_certmanager_VaultKubernetesAuth_To_v1alpha2_VaultKubernetesAuth } out.ServiceAccountRef = (*ServiceAccountRef)(unsafe.Pointer(in.ServiceAccountRef)) out.Role = in.Role - out.TokenAudiences = *(*[]string)(unsafe.Pointer(&in.TokenAudiences)) return nil } diff --git a/internal/apis/certmanager/v1alpha2/zz_generated.deepcopy.go b/internal/apis/certmanager/v1alpha2/zz_generated.deepcopy.go index 1eef57e24..f4844ff13 100644 --- a/internal/apis/certmanager/v1alpha2/zz_generated.deepcopy.go +++ b/internal/apis/certmanager/v1alpha2/zz_generated.deepcopy.go @@ -918,6 +918,11 @@ func (in *SelfSignedIssuer) DeepCopy() *SelfSignedIssuer { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ServiceAccountRef) DeepCopyInto(out *ServiceAccountRef) { *out = *in + if in.TokenAudiences != nil { + in, out := &in.TokenAudiences, &out.TokenAudiences + *out = make([]string, len(*in)) + copy(*out, *in) + } return } 
@@ -1013,12 +1018,7 @@ func (in *VaultKubernetesAuth) DeepCopyInto(out *VaultKubernetesAuth) { if in.ServiceAccountRef != nil { in, out := &in.ServiceAccountRef, &out.ServiceAccountRef *out = new(ServiceAccountRef) - **out = **in - } - if in.TokenAudiences != nil { - in, out := &in.TokenAudiences, &out.TokenAudiences - *out = make([]string, len(*in)) - copy(*out, *in) + (*in).DeepCopyInto(*out) } return } diff --git a/internal/apis/certmanager/v1alpha3/types_issuer.go b/internal/apis/certmanager/v1alpha3/types_issuer.go index 33a0f4337..f3406132d 100644 --- a/internal/apis/certmanager/v1alpha3/types_issuer.go +++ b/internal/apis/certmanager/v1alpha3/types_issuer.go @@ -279,11 +279,6 @@ type VaultKubernetesAuth struct { // A required field containing the Vault Role to assume. A Role binds a // Kubernetes ServiceAccount with a set of Vault policies. Role string `json:"role"` - - // TokenAudiences is an option list of extra audiences to include in the token passed to Vault. The default token - // consisting of the issuer's namespace and name is always included. - // +optional - TokenAudiences []string `json:"audiences,omitempty"` } // ServiceAccountRef is a service account used by cert-manager to request a @@ -294,6 +289,11 @@ type VaultKubernetesAuth struct { type ServiceAccountRef struct { // Name of the ServiceAccount used to request a token. Name string `json:"name"` + + // TokenAudiences is an option list of extra audiences to include in the token passed to Vault. The default token + // consisting of the issuer's namespace and name is always included. + // +optional + TokenAudiences []string `json:"audiences,omitempty"` } type CAIssuer struct { diff --git a/internal/apis/certmanager/v1alpha3/zz_generated.conversion.go b/internal/apis/certmanager/v1alpha3/zz_generated.conversion.go index 650006769..27ea8a130 100644 --- a/internal/apis/certmanager/v1alpha3/zz_generated.conversion.go +++ b/internal/apis/certmanager/v1alpha3/zz_generated.conversion.go 
@@ -1414,6 +1414,7 @@ func Convert_certmanager_SelfSignedIssuer_To_v1alpha3_SelfSignedIssuer(in *certm func autoConvert_v1alpha3_ServiceAccountRef_To_certmanager_ServiceAccountRef(in *ServiceAccountRef, out *certmanager.ServiceAccountRef, s conversion.Scope) error { out.Name = in.Name + out.TokenAudiences = *(*[]string)(unsafe.Pointer(&in.TokenAudiences)) return nil } @@ -1424,6 +1425,7 @@ func Convert_v1alpha3_ServiceAccountRef_To_certmanager_ServiceAccountRef(in *Ser func autoConvert_certmanager_ServiceAccountRef_To_v1alpha3_ServiceAccountRef(in *certmanager.ServiceAccountRef, out *ServiceAccountRef, s conversion.Scope) error { out.Name = in.Name + out.TokenAudiences = *(*[]string)(unsafe.Pointer(&in.TokenAudiences)) return nil } @@ -1589,7 +1591,6 @@ func autoConvert_v1alpha3_VaultKubernetesAuth_To_certmanager_VaultKubernetesAuth } out.ServiceAccountRef = (*certmanager.ServiceAccountRef)(unsafe.Pointer(in.ServiceAccountRef)) out.Role = in.Role - out.TokenAudiences = *(*[]string)(unsafe.Pointer(&in.TokenAudiences)) return nil } @@ -1605,7 +1606,6 @@ func autoConvert_certmanager_VaultKubernetesAuth_To_v1alpha3_VaultKubernetesAuth } out.ServiceAccountRef = (*ServiceAccountRef)(unsafe.Pointer(in.ServiceAccountRef)) out.Role = in.Role - out.TokenAudiences = *(*[]string)(unsafe.Pointer(&in.TokenAudiences)) return nil } diff --git a/internal/apis/certmanager/v1alpha3/zz_generated.deepcopy.go b/internal/apis/certmanager/v1alpha3/zz_generated.deepcopy.go index 777a33eb2..357619a13 100644 --- a/internal/apis/certmanager/v1alpha3/zz_generated.deepcopy.go +++ b/internal/apis/certmanager/v1alpha3/zz_generated.deepcopy.go 
@@ -913,6 +913,11 @@ func (in *SelfSignedIssuer) DeepCopy() *SelfSignedIssuer { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ServiceAccountRef) DeepCopyInto(out *ServiceAccountRef) { *out = *in + if in.TokenAudiences != nil { + in, out := &in.TokenAudiences, &out.TokenAudiences + *out = make([]string, len(*in)) + copy(*out, *in) + } return } @@ -1008,12 +1013,7 @@ func (in *VaultKubernetesAuth) DeepCopyInto(out *VaultKubernetesAuth) { if in.ServiceAccountRef != nil { in, out := &in.ServiceAccountRef, &out.ServiceAccountRef *out = new(ServiceAccountRef) - **out = **in - } - if in.TokenAudiences != nil { - in, out := &in.TokenAudiences, &out.TokenAudiences - *out = make([]string, len(*in)) - copy(*out, *in) + (*in).DeepCopyInto(*out) } return } diff --git a/internal/apis/certmanager/v1beta1/types_issuer.go b/internal/apis/certmanager/v1beta1/types_issuer.go index c0f85252a..4559bc4ac 100644 --- a/internal/apis/certmanager/v1beta1/types_issuer.go +++ b/internal/apis/certmanager/v1beta1/types_issuer.go @@ -281,11 +281,6 @@ type VaultKubernetesAuth struct { // A required field containing the Vault Role to assume. A Role binds a // Kubernetes ServiceAccount with a set of Vault policies. Role string `json:"role"` - - // TokenAudiences is an option list of extra audiences to include in the token passed to Vault. The default token - // consisting of the issuer's namespace and name is always included. - // +optional - TokenAudiences []string `json:"audiences,omitempty"` } // ServiceAccountRef is a service account used by cert-manager to request a 
@@ -296,6 +291,11 @@ type VaultKubernetesAuth struct { type ServiceAccountRef struct { // Name of the ServiceAccount used to request a token. Name string `json:"name"` + + // TokenAudiences is an option list of extra audiences to include in the token passed to Vault. The default token + // consisting of the issuer's namespace and name is always included. + // +optional + TokenAudiences []string `json:"audiences,omitempty"` } type CAIssuer struct { diff --git a/internal/apis/certmanager/v1beta1/zz_generated.conversion.go b/internal/apis/certmanager/v1beta1/zz_generated.conversion.go index b0be18660..f075c9b54 100644 --- a/internal/apis/certmanager/v1beta1/zz_generated.conversion.go +++ b/internal/apis/certmanager/v1beta1/zz_generated.conversion.go @@ -1397,6 +1397,7 @@ func Convert_certmanager_SelfSignedIssuer_To_v1beta1_SelfSignedIssuer(in *certma func autoConvert_v1beta1_ServiceAccountRef_To_certmanager_ServiceAccountRef(in *ServiceAccountRef, out *certmanager.ServiceAccountRef, s conversion.Scope) error { out.Name = in.Name + out.TokenAudiences = *(*[]string)(unsafe.Pointer(&in.TokenAudiences)) return nil } @@ -1407,6 +1408,7 @@ func Convert_v1beta1_ServiceAccountRef_To_certmanager_ServiceAccountRef(in *Serv func autoConvert_certmanager_ServiceAccountRef_To_v1beta1_ServiceAccountRef(in *certmanager.ServiceAccountRef, out *ServiceAccountRef, s conversion.Scope) error { out.Name = in.Name + out.TokenAudiences = *(*[]string)(unsafe.Pointer(&in.TokenAudiences)) return nil } @@ -1572,7 +1574,6 @@ func autoConvert_v1beta1_VaultKubernetesAuth_To_certmanager_VaultKubernetesAuth( } out.ServiceAccountRef = (*certmanager.ServiceAccountRef)(unsafe.Pointer(in.ServiceAccountRef)) out.Role = in.Role - out.TokenAudiences = *(*[]string)(unsafe.Pointer(&in.TokenAudiences)) return nil } 
@@ -1588,7 +1589,6 @@ func autoConvert_certmanager_VaultKubernetesAuth_To_v1beta1_VaultKubernetesAuth( } out.ServiceAccountRef = (*ServiceAccountRef)(unsafe.Pointer(in.ServiceAccountRef)) out.Role = in.Role - out.TokenAudiences = *(*[]string)(unsafe.Pointer(&in.TokenAudiences)) return nil } diff --git a/internal/apis/certmanager/v1beta1/zz_generated.deepcopy.go b/internal/apis/certmanager/v1beta1/zz_generated.deepcopy.go index 22a61f61c..b8b39cf22 100644 --- a/internal/apis/certmanager/v1beta1/zz_generated.deepcopy.go +++ b/internal/apis/certmanager/v1beta1/zz_generated.deepcopy.go @@ -913,6 +913,11 @@ func (in *SelfSignedIssuer) DeepCopy() *SelfSignedIssuer { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ServiceAccountRef) DeepCopyInto(out *ServiceAccountRef) { *out = *in + if in.TokenAudiences != nil { + in, out := &in.TokenAudiences, &out.TokenAudiences + *out = make([]string, len(*in)) + copy(*out, *in) + } return } @@ -1008,12 +1013,7 @@ func (in *VaultKubernetesAuth) DeepCopyInto(out *VaultKubernetesAuth) { if in.ServiceAccountRef != nil { in, out := &in.ServiceAccountRef, &out.ServiceAccountRef *out = new(ServiceAccountRef) - **out = **in - } - if in.TokenAudiences != nil { - in, out := &in.TokenAudiences, &out.TokenAudiences - *out = make([]string, len(*in)) - copy(*out, *in) + (*in).DeepCopyInto(*out) } return } diff --git a/internal/apis/certmanager/zz_generated.deepcopy.go b/internal/apis/certmanager/zz_generated.deepcopy.go index ce5f14e9d..a24e71fca 100644 --- a/internal/apis/certmanager/zz_generated.deepcopy.go +++ b/internal/apis/certmanager/zz_generated.deepcopy.go 
@@ -913,6 +913,11 @@ func (in *SelfSignedIssuer) DeepCopy() *SelfSignedIssuer { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ServiceAccountRef) DeepCopyInto(out *ServiceAccountRef) { *out = *in + if in.TokenAudiences != nil { + in, out := &in.TokenAudiences, &out.TokenAudiences + *out = make([]string, len(*in)) + copy(*out, *in) + } return } @@ -1008,12 +1013,7 @@ func (in *VaultKubernetesAuth) DeepCopyInto(out *VaultKubernetesAuth) { if in.ServiceAccountRef != nil { in, out := &in.ServiceAccountRef, &out.ServiceAccountRef *out = new(ServiceAccountRef) - **out = **in - } - if in.TokenAudiences != nil { - in, out := &in.TokenAudiences, &out.TokenAudiences - *out = make([]string, len(*in)) - copy(*out, *in) + (*in).DeepCopyInto(*out) } return } diff --git a/internal/vault/vault.go b/internal/vault/vault.go index 8daf36f62..b8001d00c 100644 --- a/internal/vault/vault.go +++ b/internal/vault/vault.go @@ -403,7 +403,7 @@ func (v *Vault) requestTokenWithKubernetesAuth(client Client, kubernetesAuth *v1 } defaultAudience += v.issuer.GetName() - audiences := append(kubernetesAuth.TokenAudiences, defaultAudience) + audiences := append(kubernetesAuth.ServiceAccountRef.TokenAudiences, defaultAudience) tokenrequest, err := v.createToken(context.Background(), kubernetesAuth.ServiceAccountRef.Name, &authv1.TokenRequest{ Spec: authv1.TokenRequestSpec{ diff --git a/internal/vault/vault_test.go b/internal/vault/vault_test.go index 9a1304fe6..2d7ea51a7 100644 --- a/internal/vault/vault_test.go +++ b/internal/vault/vault_test.go @@ -724,11 +724,11 @@ func TestSetToken(t *testing.T) { Role: "kube-vault-role", ServiceAccountRef: &v1.ServiceAccountRef{ Name: "my-service-account", + TokenAudiences: []string{ + "https://custom-audience", + }, }, Path: "my-path", - TokenAudiences: []string{ - "https://custom-audience", - }, }, }, }), 
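Review bot: In the changed line of requestTokenWithKubernetesAuth, `append(kubernetesAuth.ServiceAccountRef.TokenAudiences, defaultAudience)` appends directly onto the slice owned by the issuer spec. If that slice has spare capacity, the append writes `defaultAudience` into its backing array, which the issuer object still references; whether that object is a shared cache copy is not visible here. Copying first keeps the token's audience list independent of the API object: `audiences := append(append([]string(nil), kubernetesAuth.ServiceAccountRef.TokenAudiences...), defaultAudience)`. The line also now dereferences the pointer field `ServiceAccountRef`, so a nil guard is presumably earlier in the function; the body starts and ends outside this hunk, so that is worth confirming.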
@@ -766,11 +766,11 @@ func TestSetToken(t *testing.T) { Role: "kube-vault-role", ServiceAccountRef: &v1.ServiceAccountRef{ Name: "my-service-account", + TokenAudiences: []string{ + "https://custom-audience", + }, }, Path: "my-path", - TokenAudiences: []string{ - "https://custom-audience", - }, }, }, }), diff --git a/pkg/apis/certmanager/v1/types_issuer.go b/pkg/apis/certmanager/v1/types_issuer.go index 26be538b9..6757050e3 100644 --- a/pkg/apis/certmanager/v1/types_issuer.go +++ b/pkg/apis/certmanager/v1/types_issuer.go @@ -284,11 +284,6 @@ type VaultKubernetesAuth struct { // A required field containing the Vault Role to assume. A Role binds a // Kubernetes ServiceAccount with a set of Vault policies. Role string `json:"role"` - - // TokenAudiences is an optional list of extra audiences to include in the token passed to Vault. The default token - // consisting of the issuer's namespace and name is always included. - // +optional - TokenAudiences []string `json:"audiences,omitempty"` } // ServiceAccountRef is a service account used by cert-manager to request a @@ -299,6 +294,10 @@ type VaultKubernetesAuth struct { type ServiceAccountRef struct { // Name of the ServiceAccount used to request a token. Name string `json:"name"` + // TokenAudiences is an optional list of extra audiences to include in the token passed to Vault. The default token + // consisting of the issuer's namespace and name is always included. + // +optional + TokenAudiences []string `json:"audiences,omitempty"` } type CAIssuer struct { diff --git a/pkg/apis/certmanager/v1/zz_generated.deepcopy.go b/pkg/apis/certmanager/v1/zz_generated.deepcopy.go index 5a5a54ef2..bc078ab95 100644 --- a/pkg/apis/certmanager/v1/zz_generated.deepcopy.go +++ b/pkg/apis/certmanager/v1/zz_generated.deepcopy.go 
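Review bot: Moving `TokenAudiences` (JSON `audiences`) from `VaultKubernetesAuth` to `ServiceAccountRef` changes its serialized location in the public v1 API from `kubernetes.audiences` to `kubernetes.serviceAccountRef.audiences`, and no conversion, defaulting or validation for the old location is visible in this diff. If the old field ever shipped in a release, existing Issuer and ClusterIssuer manifests would lose their extra audiences or be rejected, depending on how unknown fields are handled. Vault roles that require a custom audience would then fail authentication, so confirm the field was unreleased or document the break in the release notes. Style: this hunk omits the blank line between `Name` and the `TokenAudiences` comment that the internal, v1alpha2, v1alpha3 and v1beta1 types keep.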
@@ -913,6 +913,11 @@ func (in *SelfSignedIssuer) DeepCopy() *SelfSignedIssuer { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ServiceAccountRef) DeepCopyInto(out *ServiceAccountRef) { *out = *in + if in.TokenAudiences != nil { + in, out := &in.TokenAudiences, &out.TokenAudiences + *out = make([]string, len(*in)) + copy(*out, *in) + } return } @@ -1008,12 +1013,7 @@ func (in *VaultKubernetesAuth) DeepCopyInto(out *VaultKubernetesAuth) { if in.ServiceAccountRef != nil { in, out := &in.ServiceAccountRef, &out.ServiceAccountRef *out = new(ServiceAccountRef) - **out = **in - } - if in.TokenAudiences != nil { - in, out := &in.TokenAudiences, &out.TokenAudiences - *out = make([]string, len(*in)) - copy(*out, *in) + (*in).DeepCopyInto(*out) } return }