---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.4.0
  creationTimestamp: null
  name: ldapidentityproviders.idp.supervisor.pinniped.dev
spec:
  group: idp.supervisor.pinniped.dev
  names:
    categories:
    - pinniped
    - pinniped-idp
    - pinniped-idps
    kind: LDAPIdentityProvider
    listKind: LDAPIdentityProviderList
    plural: ldapidentityproviders
    singular: ldapidentityprovider
  scope: Namespaced
  versions:
  - additionalPrinterColumns:
    - jsonPath: .spec.host
      name: Host
      type: string
    - jsonPath: .status.phase
      name: Status
      type: string
    - jsonPath: .metadata.creationTimestamp
      name: Age
      type: date
    name: v1alpha1
    schema:
      openAPIV3Schema:
        description: LDAPIdentityProvider describes the configuration of an upstream Lightweight Directory Access Protocol (LDAP) identity provider.
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            description: Spec for configuring the identity provider.
            properties:
              bind:
                description: Bind contains the configuration for how to provide access credentials during an initial bind to the LDAP server to be allowed to perform searches and binds to validate a user's credentials during a user's authentication attempt.
                properties:
                  secretName:
                    description: SecretName contains the name of a namespace-local Secret object that provides the username and password for an LDAP bind user. This account will be used to perform LDAP searches. The Secret should be of type "kubernetes.io/basic-auth" which includes "username" and "password" keys. The username value should be the full DN of your bind account, e.g. "cn=bind-account,ou=users,dc=example,dc=com".
                    minLength: 1
                    type: string
                required:
                - secretName
                type: object
              host:
                description: 'Host is the hostname of this LDAP identity provider, i.e., where to connect. For example: ldap.example.com:636.'
                minLength: 1
                type: string
              tls:
                description: TLS contains the connection settings for how to establish the connection to the Host.
                properties:
                  certificateAuthorityData:
                    description: X.509 Certificate Authority (base64-encoded PEM bundle) to trust when connecting to the LDAP provider. If omitted, a default set of system roots will be trusted.
                    type: string
                type: object
              userSearch:
                description: UserSearch contains the configuration for searching for a user by name in the LDAP provider.
                properties:
                  attributes:
                    description: Attributes specifies how the user's information should be read from the LDAP entry which was found as the result of the user search.
                    properties:
                      uniqueID:
                        description: UniqueID specifies the name of the attribute in the LDAP entry whose value shall be used to uniquely identify the user within this LDAP provider after a successful authentication. E.g. "uidNumber" or "objectGUID".
                        minLength: 1
                        type: string
                      username:
                        description: Username specifies the name of the attribute in the LDAP entry whose value shall become the username of the user after a successful authentication. This would typically be the same attribute name used in the user search filter. E.g. "mail" or "uid" or "userPrincipalName".
                        minLength: 1
                        type: string
                    type: object
                  base:
                    description: Base is the DN that should be used as the search base when searching for users. E.g. "ou=users,dc=example,dc=com".
                    minLength: 1
                    type: string
                  filter:
                    description: Filter is the LDAP search filter which should be applied when searching for users. The pattern "{}" must occur in the filter and will be dynamically replaced by the username for which the search is being run. E.g. "mail={}" or "&(objectClass=person)(uid={})". For more information about LDAP filters, see https://ldap.com/ldap-filters. Optional. When not specified, the default will act as if the Filter were specified as the value from Attributes.Username appended by "={}".
                    type: string
                type: object
            required:
            - host
            type: object
          status:
            description: Status of the identity provider.
            properties:
              phase:
                default: Pending
                description: Phase summarizes the overall status of the LDAPIdentityProvider.
                enum:
                - Pending
                - Ready
                - Error
                type: string
            type: object
        required:
        - spec
        type: object
    served: true
    storage: true
    subresources:
      status: {}
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []
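The `userSearch.filter` description above defines two rules: the literal `{}` placeholder is replaced by the username being authenticated, and an empty filter defaults to `<Attributes.Username>={}`. The security-relevant detail the schema does not spell out is that the substituted value is attacker-controlled input to an LDAP filter, so it must be escaped as an assertion value (RFC 4515 section 3) rather than spliced in verbatim. The Go program below is an added example written for this page; it is not Pinniped's code, and the function names `effectiveFilter`, `escapeFilterValue` and `renderUserSearchFilter` are assumptions. It implements the default-filter rule from the CRD and the escaping that any controller consuming this field should perform before the search is sent.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// userPlaceholder is the pattern the CRD requires inside userSearch.filter.
const userPlaceholder = "{}"

// effectiveFilter applies the default stated in the CRD: an empty Filter
// behaves as if it were "<Attributes.Username>={}". A non-empty Filter must
// contain the placeholder, otherwise the username could never be searched.
func effectiveFilter(filter, usernameAttr string) (string, error) {
	if filter == "" {
		if usernameAttr == "" {
			return "", errors.New("userSearch.attributes.username is required when filter is empty")
		}
		return usernameAttr + "=" + userPlaceholder, nil
	}
	if !strings.Contains(filter, userPlaceholder) {
		return "", fmt.Errorf("filter %q does not contain the placeholder %q", filter, userPlaceholder)
	}
	return filter, nil
}

// escapeFilterValue escapes the characters RFC 4515 section 3 requires to be
// escaped in an assertion value: '*', '(', ')', '\' and NUL become "\xx" hex
// escapes. This keeps a user-supplied name from changing the filter's shape.
func escapeFilterValue(s string) string {
	var b strings.Builder
	for i := 0; i < len(s); i++ {
		c := s[i]
		switch c {
		case '*', '(', ')', '\\', 0x00:
			fmt.Fprintf(&b, "\\%02x", c)
		default:
			b.WriteByte(c)
		}
	}
	return b.String()
}

// renderUserSearchFilter resolves the effective filter and substitutes the
// escaped username for every occurrence of the placeholder.
func renderUserSearchFilter(filter, usernameAttr, username string) (string, error) {
	f, err := effectiveFilter(filter, usernameAttr)
	if err != nil {
		return "", err
	}
	return strings.ReplaceAll(f, userPlaceholder, escapeFilterValue(username)), nil
}

func main() {
	// Constructed inputs: the CRD's own example filters plus a username that
	// contains filter metacharacters, to show they are neutralised by escaping.
	cases := []struct{ filter, attr, user string }{
		{"", "uid", "alice"},
		{"&(objectClass=person)(uid={})", "uid", "alice"},
		{"mail={}", "mail", "alice*)(objectClass=*"},
		{"uid=alice", "uid", "bob"}, // invalid: no placeholder
	}
	for _, c := range cases {
		out, err := renderUserSearchFilter(c.filter, c.attr, c.user)
		fmt.Printf("filter=%q attr=%q user=%q -> %q err=%v\n", c.filter, c.attr, c.user, out, err)
	}
}
```

Note that escaping is applied to the value only; the surrounding filter text comes from the cluster administrator via the custom resource and is trusted configuration. A controller that logs the rendered filter should log the escaped form, so that a hostile username cannot inject misleading log lines either.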