--- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.8.0 creationTimestamp: null name: credentialissuers.config.concierge.pinniped.dev spec: group: config.concierge.pinniped.dev names: categories: - pinniped kind: CredentialIssuer listKind: CredentialIssuerList plural: credentialissuers singular: credentialissuer scope: Cluster versions: - name: v1alpha1 schema: openAPIV3Schema: description: CredentialIssuer describes the configuration and status of the Pinniped Concierge credential issuer. properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object spec: description: Spec describes the intended configuration of the Concierge. properties: impersonationProxy: description: ImpersonationProxy describes the intended configuration of the Concierge impersonation proxy. properties: externalEndpoint: description: "ExternalEndpoint describes the HTTPS endpoint where the proxy will be exposed. If not set, the proxy will be served using the external name of the LoadBalancer service or the cluster service DNS name. \n This field must be non-empty when spec.impersonationProxy.service.type is \"None\"." type: string mode: description: 'Mode configures whether the impersonation proxy should be started: - "disabled" explicitly disables the impersonation proxy. This is the default. - "enabled" explicitly enables the impersonation proxy. - "auto" enables or disables the impersonation proxy based upon the cluster in which it is running.' enum: - auto - enabled - disabled type: string service: default: type: LoadBalancer description: Service describes the configuration of the Service provisioned to expose the impersonation proxy to clients. properties: annotations: additionalProperties: type: string description: Annotations specifies zero or more key/value pairs to set as annotations on the provisioned Service. type: object loadBalancerIP: description: LoadBalancerIP specifies the IP address to set in the spec.loadBalancerIP field of the provisioned Service. This is not supported on all cloud providers. maxLength: 255 minLength: 1 type: string type: default: LoadBalancer description: "Type specifies the type of Service to provision for the impersonation proxy. \n If the type is \"None\", then the \"spec.impersonationProxy.externalEndpoint\" field must be set to a non-empty value so that the Concierge can properly advertise the endpoint in the CredentialIssuer's status." enum: - LoadBalancer - ClusterIP - None type: string type: object required: - mode - service type: object required: - impersonationProxy type: object status: description: CredentialIssuerStatus describes the status of the Concierge. properties: kubeConfigInfo: description: Information needed to form a valid Pinniped-based kubeconfig using this credential issuer. This field is deprecated and will be removed in a future version. properties: certificateAuthorityData: description: The K8s API server CA bundle. minLength: 1 type: string server: description: The K8s API server URL. minLength: 1 pattern: ^https://|^http:// type: string required: - certificateAuthorityData - server type: object strategies: description: List of integration strategies that were attempted by Pinniped. items: description: CredentialIssuerStrategy describes the status of an integration strategy that was attempted by Pinniped. properties: frontend: description: Frontend describes how clients can connect using this strategy. properties: impersonationProxyInfo: description: ImpersonationProxyInfo describes the parameters for the impersonation proxy on this Concierge. This field is only set when Type is "ImpersonationProxy". properties: certificateAuthorityData: description: CertificateAuthorityData is the base64-encoded PEM CA bundle of the impersonation proxy. minLength: 1 type: string endpoint: description: Endpoint is the HTTPS endpoint of the impersonation proxy. minLength: 1 pattern: ^https:// type: string required: - certificateAuthorityData - endpoint type: object tokenCredentialRequestInfo: description: TokenCredentialRequestAPIInfo describes the parameters for the TokenCredentialRequest API on this Concierge. This field is only set when Type is "TokenCredentialRequestAPI". properties: certificateAuthorityData: description: CertificateAuthorityData is the base64-encoded Kubernetes API server CA bundle. minLength: 1 type: string server: description: Server is the Kubernetes API server URL. minLength: 1 pattern: ^https://|^http:// type: string required: - certificateAuthorityData - server type: object type: description: Type describes which frontend mechanism clients can use with a strategy. enum: - TokenCredentialRequestAPI - ImpersonationProxy type: string required: - type type: object lastUpdateTime: description: When the status was last checked. format: date-time type: string message: description: Human-readable description of the current status. minLength: 1 type: string reason: description: Reason for the current status. enum: - Listening - Pending - Disabled - ErrorDuringSetup - CouldNotFetchKey - CouldNotGetClusterInfo - FetchedKey type: string status: description: Status of the attempted integration strategy. enum: - Success - Error type: string type: description: Type of integration attempted. enum: - KubeClusterSigningCertificate - ImpersonationProxy type: string required: - lastUpdateTime - message - reason - status - type type: object type: array required: - strategies type: object type: object served: true storage: true subresources: status: {} status: acceptedNames: kind: "" plural: "" conditions: [] storedVersions: []