---
# CustomResourceDefinition for the CredentialIssuer API in the
# config.concierge.pinniped.dev group.
# NOTE(review): the controller-gen annotation and `creationTimestamp: null`
# suggest this manifest is generated; hand edits (comments included) would
# presumably be lost on regeneration -- confirm against the build.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.8.0
  creationTimestamp: null
  # CRD names must be <plural>.<group>; this matches spec.names.plural and
  # spec.group below.
  name: credentialissuers.config.concierge.pinniped.dev
spec:
  group: config.concierge.pinniped.dev
  names:
    # Puts the resource in the "pinniped" category, so `kubectl get pinniped`
    # lists it together with other resources in that category.
    categories:
    - pinniped
    kind: CredentialIssuer
    listKind: CredentialIssuerList
    plural: credentialissuers
    singular: credentialissuer
  # Cluster-scoped: objects have no namespace, so access has to be granted
  # through a ClusterRole and ClusterRoleBinding rather than a namespaced Role.
  # The spec of this resource configures how the impersonation proxy is
  # exposed, so write access should be limited accordingly.
  scope: Cluster
  # v1alpha1 is the only version declared in this manifest.
  versions:
  - additionalPrinterColumns:
    # Extra `kubectl get` columns. ProxyMode is read from spec, so it shows
    # the requested mode rather than observed state.
    - jsonPath: .spec.impersonationProxy.mode
      name: ProxyMode
      type: string
    # Filter expression: selects the `type` of each status.strategies entry
    # whose `status` equals "Success".
    - jsonPath: .status.strategies[?(@.status == "Success")].type
      name: DefaultStrategy
      type: string
    - jsonPath: .metadata.creationTimestamp
      name: Age
      type: date
    name: v1alpha1
    schema:
      # Validation schema applied by the API server to CredentialIssuer
      # objects of this version.
      openAPIV3Schema:
        description: CredentialIssuer describes the configuration and status of the
          Pinniped Concierge credential issuer.
        properties:
          # apiVersion, kind and metadata are the standard Kubernetes object
          # fields; nothing specific to this resource is constrained here.
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
              of an object. Servers should convert recognized schemas to the latest
              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this
              object represents. Servers may infer this from the endpoint the client
              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          # Desired state. Everything below is set by whoever may create or
          # update CredentialIssuer objects, and it decides whether and how the
          # impersonation proxy is exposed to clients.
          spec:
            description: Spec describes the intended configuration of the Concierge.
            properties:
              impersonationProxy:
                description: ImpersonationProxy describes the intended configuration
                  of the Concierge impersonation proxy.
                properties:
                  # NOTE(review): described as an HTTPS endpoint, but this
                  # schema puts no pattern, format or length bound on it
                  # (the status-side impersonationProxyInfo.endpoint has
                  # `^https://`). Validation presumably happens in the
                  # controller -- confirm.
                  externalEndpoint:
                    description: "ExternalEndpoint describes the HTTPS endpoint where
                      the proxy will be exposed. If not set, the proxy will be served
                      using the external name of the LoadBalancer service or the cluster
                      service DNS name. \n This field must be non-empty when spec.impersonationProxy.service.type
                      is \"None\"."
                    type: string
                  # NOTE(review): the description calls "disabled" the default,
                  # but no `default:` is declared on this field and `mode` is
                  # in the `required` list below, so the API server will not
                  # fill it in. Verify which default actually applies.
                  mode:
                    description: 'Mode configures whether the impersonation proxy
                      should be started: - "disabled" explicitly disables the impersonation
                      proxy. This is the default. - "enabled" explicitly enables the
                      impersonation proxy. - "auto" enables or disables the impersonation
                      proxy based upon the cluster in which it is running.'
                    enum:
                    - auto
                    - enabled
                    - disabled
                    type: string
                  # Defaults to {type: LoadBalancer} when omitted. A
                  # LoadBalancer Service may make the proxy reachable from
                  # outside the cluster, depending on the environment;
                  # ClusterIP or None avoid provisioning one.
                  service:
                    default:
                      type: LoadBalancer
                    description: Service describes the configuration of the Service
                      provisioned to expose the impersonation proxy to clients.
                    properties:
                      # Free-form string map set on the provisioned Service
                      # (per the description); keys and values are not
                      # constrained by this schema.
                      annotations:
                        additionalProperties:
                          type: string
                        description: Annotations specifies zero or more key/value
                          pairs to set as annotations on the provisioned Service.
                        type: object
                      # Length-checked only (1-255); this schema does not
                      # validate the value as an IP address.
                      loadBalancerIP:
                        description: LoadBalancerIP specifies the IP address to set
                          in the spec.loadBalancerIP field of the provisioned Service.
                          This is not supported on all cloud providers.
                        maxLength: 255
                        minLength: 1
                        type: string
                      # The cross-field rule in the description ("None"
                      # requires externalEndpoint) is not expressed in this
                      # schema; it is presumably enforced by the controller.
                      type:
                        default: LoadBalancer
                        description: "Type specifies the type of Service to provision
                          for the impersonation proxy. \n If the type is \"None\",
                          then the \"spec.impersonationProxy.externalEndpoint\" field
                          must be set to a non-empty value so that the Concierge can
                          properly advertise the endpoint in the CredentialIssuer's
                          status."
                        enum:
                        - LoadBalancer
                        - ClusterIP
                        # Plain string "None", not a YAML null (null is
                        # spelled `null` or `~`).
                        - None
                        type: string
                    type: object
                  # Optional. Per the description, the proxy generates its own
                  # TLS certificate when this is left empty.
                  tls:
                    description: "TLS contains information about how the Concierge
                      impersonation proxy should serve TLS. \n If this field is empty,
                      the impersonation proxy will generate its own TLS certificate."
                    properties:
                      # No minLength or encoding check: the schema accepts any
                      # string here, including an empty one.
                      certificateAuthorityData:
                        description: X.509 Certificate Authority (base64-encoded PEM
                          bundle). Used to advertise the CA bundle for the impersonation
                          proxy endpoint.
                        type: string
                      # NOTE(review): CredentialIssuer is cluster-scoped, so
                      # "the same namespace" presumably means the namespace the
                      # Concierge runs in -- confirm. A kubernetes.io/tls
                      # Secret carries the private key, so read access to the
                      # referenced Secret should be tightly scoped.
                      secretName:
                        description: SecretName is the name of a Secret in the same
                          namespace, of type `kubernetes.io/tls`, which contains the
                          TLS serving certificate for the Concierge impersonation
                          proxy endpoint.
                        minLength: 1
                        type: string
                    type: object
                # externalEndpoint and tls are optional; mode and service are
                # mandatory (service is filled from its default when omitted).
                required:
                - mode
                - service
                type: object
            required:
            - impersonationProxy
            type: object
          # Observed state. This version enables the status subresource (see
          # `subresources` at the end of the version entry), so status is
          # written through the /status endpoint, separately from spec.
          # NOTE(review): clients presumably build their connection settings
          # from the URLs and CA bundles published here, which would make write
          # access to status as sensitive as write access to spec -- confirm.
          status:
            description: CredentialIssuerStatus describes the status of the Concierge.
            properties:
              # Deprecated per its description; the same data appears under
              # strategies[].frontend.tokenCredentialRequestInfo.
              kubeConfigInfo:
                description: Information needed to form a valid Pinniped-based kubeconfig
                  using this credential issuer. This field is deprecated and will
                  be removed in a future version.
                properties:
                  certificateAuthorityData:
                    description: The K8s API server CA bundle.
                    minLength: 1
                    type: string
                  server:
                    description: The K8s API server URL.
                    minLength: 1
                    # Prefix check only: any value starting with https:// or
                    # http:// passes, so plaintext HTTP URLs are accepted by
                    # the schema. Consumers should not infer TLS from
                    # validation alone.
                    pattern: ^https://|^http://
                    type: string
                required:
                - certificateAuthorityData
                - server
                type: object
              # One entry per integration strategy attempted; this is the only
              # required field of status.
              strategies:
                description: List of integration strategies that were attempted by
                  Pinniped.
                items:
                  description: CredentialIssuerStrategy describes the status of an
                    integration strategy that was attempted by Pinniped.
                  properties:
                    # Connection details for clients. Only `type` is required
                    # inside it; the "only set when Type is ..." rules in the
                    # descriptions below are not enforced by this schema.
                    frontend:
                      description: Frontend describes how clients can connect using
                        this strategy.
                      properties:
                        impersonationProxyInfo:
                          description: ImpersonationProxyInfo describes the parameters
                            for the impersonation proxy on this Concierge. This field
                            is only set when Type is "ImpersonationProxy".
                          properties:
                            certificateAuthorityData:
                              description: CertificateAuthorityData is the base64-encoded
                                PEM CA bundle of the impersonation proxy.
                              minLength: 1
                              type: string
                            endpoint:
                              description: Endpoint is the HTTPS endpoint of the impersonation
                                proxy.
                              minLength: 1
                              # Requires the https:// scheme; the remainder of
                              # the URL is not validated by this pattern.
                              pattern: ^https://
                              type: string
                          required:
                          - certificateAuthorityData
                          - endpoint
                          type: object
                        tokenCredentialRequestInfo:
                          description: TokenCredentialRequestAPIInfo describes the
                            parameters for the TokenCredentialRequest API on this
                            Concierge. This field is only set when Type is "TokenCredentialRequestAPI".
                          properties:
                            certificateAuthorityData:
                              description: CertificateAuthorityData is the base64-encoded
                                Kubernetes API server CA bundle.
                              minLength: 1
                              type: string
                            server:
                              description: Server is the Kubernetes API server URL.
                              minLength: 1
                              # Prefix check only, and http:// is accepted as
                              # well as https:// (unlike the impersonation
                              # proxy endpoint, which requires https://).
                              pattern: ^https://|^http://
                              type: string
                          required:
                          - certificateAuthorityData
                          - server
                          type: object
                        type:
                          description: Type describes which frontend mechanism clients
                            can use with a strategy.
                          enum:
                          - TokenCredentialRequestAPI
                          - ImpersonationProxy
                          type: string
                      required:
                      - type
                      type: object
                    lastUpdateTime:
                      description: When the status was last checked.
                      format: date-time
                      type: string
                    message:
                      description: Human-readable description of the current status.
                      minLength: 1
                      type: string
                    # reason, status and type are closed enums: a value outside
                    # the listed set fails validation.
                    reason:
                      description: Reason for the current status.
                      enum:
                      - Listening
                      - Pending
                      - Disabled
                      - ErrorDuringSetup
                      - CouldNotFetchKey
                      - CouldNotGetClusterInfo
                      - FetchedKey
                      type: string
                    # "Success" is the value the DefaultStrategy printer column
                    # filters on.
                    status:
                      description: Status of the attempted integration strategy.
                      enum:
                      - Success
                      - Error
                      type: string
                    type:
                      description: Type of integration attempted.
                      enum:
                      - KubeClusterSigningCertificate
                      - ImpersonationProxy
                      type: string
                  # `frontend` is not listed, so a strategy entry may omit it.
                  required:
                  - lastUpdateTime
                  - message
                  - reason
                  - status
                  - type
                  type: object
                type: array
            required:
            - strategies
            type: object
        # No `required` list at the top level of the schema: neither spec nor
        # status is mandatory as far as validation is concerned.
        type: object
    # This version is exposed through the API and is the one persisted.
    served: true
    storage: true
    # Enables the /status subresource. Updates to the main resource then ignore
    # changes to .status, and updates through /status ignore everything except
    # .status, so RBAC can grant `credentialissuers/status` separately from
    # `credentialissuers`.
    subresources:
      status: {}
# Empty placeholder for the CRD object's own status; the API server fills in
# the real values once the CRD is installed.
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []