---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.4.0
  creationTimestamp: null
  name: credentialissuers.config.concierge.pinniped.dev
spec:
  group: config.concierge.pinniped.dev
  names:
    categories:
    - pinniped
    kind: CredentialIssuer
    listKind: CredentialIssuerList
    plural: credentialissuers
    singular: credentialissuer
  scope: Cluster
  versions:
  - name: v1alpha1
    schema:
      openAPIV3Schema:
        description: CredentialIssuer describes the configuration and status
          of the Pinniped Concierge credential issuer.
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
              of an object. Servers should convert recognized schemas to the latest
              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this
              object represents. Servers may infer this from the endpoint the client
              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            default:
              impersonationProxy:
                mode: disabled
                service:
                  type: LoadBalancer
            description: Spec describes the intended configuration of the Concierge.
            properties:
              impersonationProxy:
                default:
                  mode: disabled
                  service:
                    type: LoadBalancer
                description: ImpersonationProxy describes the intended configuration
                  of the Concierge impersonation proxy.
                properties:
                  externalEndpoint:
                    description: "ExternalEndpoint describes the HTTPS endpoint where
                      the proxy will be exposed. If the proxy is enabled and this
                      field is not set, a Service of type LoadBalancer will be automatically
                      provisioned and its external name will be advertised. \n Setting
                      this field disables the automatic creation of this LoadBalancer
                      Service."
                    type: string
                  mode:
                    default: disabled
                    description: 'Mode configures whether the impersonation proxy
                      should be started: - "disabled" explicitly disables the impersonation
                      proxy. This is the default. - "enabled" explicitly enables the
                      impersonation proxy. - "auto" enables or disables the impersonation
                      proxy based upon the cluster in which it is running.'
                    enum:
                    - auto
                    - enabled
                    - disabled
                    type: string
                  service:
                    default:
                      type: LoadBalancer
                    description: Service describes the configuration
                    properties:
                      annotations:
                        additionalProperties:
                          type: string
                        description: Annotations specifies zero or more key/value
                          pairs to set as annotations on the provisioned Service.
                        type: object
                      loadBalancerIP:
                        description: LoadBalancerIP specifies the IP address to set
                          in the spec.loadBalancerIP field of the provisioned Service.
                          This is not supported on all cloud providers.
                        maxLength: 255
                        minLength: 1
                        type: string
                      type:
                        default: LoadBalancer
                        description: "Type specifies the type of Service to provision
                          for the impersonation proxy. \n If the type is \"None\", then
                          the \"spec.impersonationProxy.externalEndpoint\" field must
                          be set to a non-empty value so that the Concierge can properly
                          advertise the endpoint in the CredentialIssuer's status."
                        enum:
                        - LoadBalancer
                        - ClusterIP
                        - None
                        type: string
                    type: object
                required:
                - mode
                - service
                type: object
            required:
            - impersonationProxy
            type: object
          status:
            description: CredentialIssuerStatus describes the status of the Concierge.
            properties:
              kubeConfigInfo:
                description: Information needed to form a valid Pinniped-based kubeconfig
                  using this credential issuer. This field is deprecated and will
                  be removed in a future version.
                properties:
                  certificateAuthorityData:
                    description: The K8s API server CA bundle.
                    minLength: 1
                    type: string
                  server:
                    description: The K8s API server URL.
                    minLength: 1
                    pattern: ^https://|^http://
                    type: string
                required:
                - certificateAuthorityData
                - server
                type: object
              strategies:
                description: List of integration strategies that were attempted by
                  Pinniped.
                items:
                  description: CredentialIssuerStrategy describes the status of an
                    integration strategy that was attempted by Pinniped.
                  properties:
                    frontend:
                      description: Frontend describes how clients can connect using
                        this strategy.
                      properties:
                        impersonationProxyInfo:
                          description: ImpersonationProxyInfo describes the parameters
                            for the impersonation proxy on this Concierge. This field
                            is only set when Type is "ImpersonationProxy".
                          properties:
                            certificateAuthorityData:
                              description: CertificateAuthorityData is the base64-encoded
                                PEM CA bundle of the impersonation proxy.
                              minLength: 1
                              type: string
                            endpoint:
                              description: Endpoint is the HTTPS endpoint of the impersonation
                                proxy.
                              minLength: 1
                              pattern: ^https://
                              type: string
                          required:
                          - certificateAuthorityData
                          - endpoint
                          type: object
                        tokenCredentialRequestInfo:
                          description: TokenCredentialRequestAPIInfo describes the
                            parameters for the TokenCredentialRequest API on this Concierge.
                            This field is only set when Type is "TokenCredentialRequestAPI".
                          properties:
                            certificateAuthorityData:
                              description: CertificateAuthorityData is the base64-encoded
                                Kubernetes API server CA bundle.
                              minLength: 1
                              type: string
                            server:
                              description: Server is the Kubernetes API server URL.
                              minLength: 1
                              pattern: ^https://|^http://
                              type: string
                          required:
                          - certificateAuthorityData
                          - server
                          type: object
                        type:
                          description: Type describes which frontend mechanism clients
                            can use with a strategy.
                          enum:
                          - TokenCredentialRequestAPI
                          - ImpersonationProxy
                          type: string
                      required:
                      - type
                      type: object
                    lastUpdateTime:
                      description: When the status was last checked.
                      format: date-time
                      type: string
                    message:
                      description: Human-readable description of the current status.
                      minLength: 1
                      type: string
                    reason:
                      description: Reason for the current status.
                      enum:
                      - Listening
                      - Pending
                      - Disabled
                      - ErrorDuringSetup
                      - CouldNotFetchKey
                      - CouldNotGetClusterInfo
                      - FetchedKey
                      type: string
                    status:
                      description: Status of the attempted integration strategy.
                      enum:
                      - Success
                      - Error
                      type: string
                    type:
                      description: Type of integration attempted.
                      enum:
                      - KubeClusterSigningCertificate
                      - ImpersonationProxy
                      type: string
                  required:
                  - lastUpdateTime
                  - message
                  - reason
                  - status
                  - type
                  type: object
                type: array
            required:
            - strategies
            type: object
        type: object
    served: true
    storage: true
    subresources:
      status: {}
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []