bad5e60a8e
Add the field to the tmpl file and run codegen. Also update the count of the fields of our APIs in an integration test.
317 lines
18 KiB
YAML
317 lines
18 KiB
YAML
---
|
|
apiVersion: apiextensions.k8s.io/v1
|
|
kind: CustomResourceDefinition
|
|
metadata:
|
|
annotations:
|
|
controller-gen.kubebuilder.io/version: v0.8.0
|
|
creationTimestamp: null
|
|
name: ldapidentityproviders.idp.supervisor.pinniped.dev
|
|
spec:
|
|
group: idp.supervisor.pinniped.dev
|
|
names:
|
|
categories:
|
|
- pinniped
|
|
- pinniped-idp
|
|
- pinniped-idps
|
|
kind: LDAPIdentityProvider
|
|
listKind: LDAPIdentityProviderList
|
|
plural: ldapidentityproviders
|
|
singular: ldapidentityprovider
|
|
scope: Namespaced
|
|
versions:
|
|
- additionalPrinterColumns:
|
|
- jsonPath: .spec.host
|
|
name: Host
|
|
type: string
|
|
- jsonPath: .status.phase
|
|
name: Status
|
|
type: string
|
|
- jsonPath: .metadata.creationTimestamp
|
|
name: Age
|
|
type: date
|
|
name: v1alpha1
|
|
schema:
|
|
openAPIV3Schema:
|
|
description: LDAPIdentityProvider describes the configuration of an upstream
|
|
Lightweight Directory Access Protocol (LDAP) identity provider.
|
|
properties:
|
|
apiVersion:
|
|
description: 'APIVersion defines the versioned schema of this representation
|
|
of an object. Servers should convert recognized schemas to the latest
|
|
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
|
|
type: string
|
|
kind:
|
|
description: 'Kind is a string value representing the REST resource this
|
|
object represents. Servers may infer this from the endpoint the client
|
|
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
|
|
type: string
|
|
metadata:
|
|
type: object
|
|
spec:
|
|
description: Spec for configuring the identity provider.
|
|
properties:
|
|
bind:
|
|
description: Bind contains the configuration for how to provide access
|
|
credentials during an initial bind to the LDAP server to be allowed
|
|
to perform searches and binds to validate a user's credentials during
|
|
a user's authentication attempt.
|
|
properties:
|
|
secretName:
|
|
description: SecretName contains the name of a namespace-local
|
|
Secret object that provides the username and password for an
|
|
LDAP bind user. This account will be used to perform LDAP searches.
|
|
The Secret should be of type "kubernetes.io/basic-auth" which
|
|
includes "username" and "password" keys. The username value
|
|
should be the full dn (distinguished name) of your bind account,
|
|
e.g. "cn=bind-account,ou=users,dc=example,dc=com". The password
|
|
must be non-empty.
|
|
minLength: 1
|
|
type: string
|
|
required:
|
|
- secretName
|
|
type: object
|
|
groupSearch:
|
|
description: GroupSearch contains the configuration for searching
|
|
for a user's group membership in the LDAP provider.
|
|
properties:
|
|
attributes:
|
|
description: Attributes specifies how the group's information
|
|
should be read from each LDAP entry which was found as the result
|
|
of the group search.
|
|
properties:
|
|
groupName:
|
|
description: GroupName specifies the name of the attribute
|
|
in the LDAP entries whose value shall become a group name
|
|
in the user's list of groups after a successful authentication.
|
|
The value of this field is case-sensitive and must match
|
|
the case of the attribute name returned by the LDAP server
|
|
in the user's entry. E.g. "cn" for common name. Distinguished
|
|
names can be used by specifying lower-case "dn". Optional.
|
|
When not specified, the default will act as if the GroupName
|
|
were specified as "dn" (distinguished name).
|
|
type: string
|
|
type: object
|
|
base:
|
|
description: Base is the dn (distinguished name) that should be
|
|
used as the search base when searching for groups. E.g. "ou=groups,dc=example,dc=com".
|
|
When not specified, no group search will be performed and authenticated
|
|
users will not belong to any groups from the LDAP provider.
|
|
Also, when not specified, the values of Filter, UserAttributeForFilter,
|
|
Attributes, and SkipGroupRefresh are ignored.
|
|
type: string
|
|
filter:
|
|
description: Filter is the LDAP search filter which should be
|
|
applied when searching for groups for a user. The pattern "{}"
|
|
must occur in the filter at least once and will be dynamically
|
|
replaced by the value of an attribute of the user entry found
|
|
as a result of the user search. Which attribute's value is used
|
|
to replace the placeholder(s) depends on the value of UserAttributeForFilter.
|
|
For more information about LDAP filters, see https://ldap.com/ldap-filters.
|
|
Note that the dn (distinguished name) is not an attribute of
|
|
an entry, so "dn={}" cannot be used. Optional. When not specified,
|
|
the default will act as if the Filter were specified as "member={}".
|
|
type: string
|
|
skipGroupRefresh:
|
|
description: "The user's group membership is refreshed as they
|
|
interact with the supervisor to obtain new credentials (as their
|
|
old credentials expire). This allows group membership changes
|
|
to be quickly reflected into Kubernetes clusters. Since group
|
|
membership is often used to bind authorization policies, it
|
|
is important to keep the groups observed in Kubernetes clusters
|
|
in-sync with the identity provider. \n In some environments,
|
|
frequent group membership queries may result in a significant
|
|
performance impact on the identity provider and/or the supervisor.
|
|
The best approach to handle performance impacts is to tweak
|
|
the group query to be more performant, for example by disabling
|
|
nested group search or by using a more targeted group search
|
|
base. \n If the group search query cannot be made performant
|
|
and you are willing to have group memberships remain static
|
|
for approximately a day, then set skipGroupRefresh to true.
|
|
\ This is an insecure configuration as authorization policies
|
|
that are bound to group membership will not notice if a user
|
|
has been removed from a particular group until their next login.
|
|
\n This is an experimental feature that may be removed or significantly
|
|
altered in the future. Consumers of this configuration should
|
|
carefully read all release notes before upgrading to ensure
|
|
that the meaning of this field has not changed."
|
|
type: boolean
|
|
userAttributeForFilter:
|
|
description: UserAttributeForFilter specifies which attribute's
|
|
value from the user entry found as a result of the user search
|
|
will be used to replace the "{}" placeholder(s) in the group
|
|
search Filter. For example, specifying "uid" as the UserAttributeForFilter
|
|
while specifying "&(objectClass=posixGroup)(memberUid={})" as
|
|
the Filter would search for groups by replacing the "{}" placeholder
|
|
in the Filter with the value of the user's "uid" attribute.
|
|
Optional. When not specified, the default will act as if "dn"
|
|
were specified. For example, leaving UserAttributeForFilter
|
|
unspecified while specifying "&(objectClass=groupOfNames)(member={})"
|
|
as the Filter would search for groups by replacing the "{}"
|
|
placeholder(s) with the dn (distinguished name) of the user.
|
|
type: string
|
|
type: object
|
|
host:
|
|
description: 'Host is the hostname of this LDAP identity provider,
|
|
i.e., where to connect. For example: ldap.example.com:636.'
|
|
minLength: 1
|
|
type: string
|
|
tls:
|
|
description: TLS contains the connection settings for how to establish
|
|
the connection to the Host.
|
|
properties:
|
|
certificateAuthorityData:
|
|
description: X.509 Certificate Authority (base64-encoded PEM bundle).
|
|
If omitted, a default set of system roots will be trusted.
|
|
type: string
|
|
type: object
|
|
userSearch:
|
|
description: UserSearch contains the configuration for searching for
|
|
a user by name in the LDAP provider.
|
|
properties:
|
|
attributes:
|
|
description: Attributes specifies how the user's information should
|
|
be read from the LDAP entry which was found as the result of
|
|
the user search.
|
|
properties:
|
|
uid:
|
|
description: UID specifies the name of the attribute in the
|
|
LDAP entry which whose value shall be used to uniquely identify
|
|
the user within this LDAP provider after a successful authentication.
|
|
E.g. "uidNumber" or "objectGUID". The value of this field
|
|
is case-sensitive and must match the case of the attribute
|
|
name returned by the LDAP server in the user's entry. Distinguished
|
|
names can be used by specifying lower-case "dn".
|
|
minLength: 1
|
|
type: string
|
|
username:
|
|
description: Username specifies the name of the attribute
|
|
in the LDAP entry whose value shall become the username
|
|
of the user after a successful authentication. This would
|
|
typically be the same attribute name used in the user search
|
|
filter, although it can be different. E.g. "mail" or "uid"
|
|
or "userPrincipalName". The value of this field is case-sensitive
|
|
and must match the case of the attribute name returned by
|
|
the LDAP server in the user's entry. Distinguished names
|
|
can be used by specifying lower-case "dn". When this field
|
|
is set to "dn" then the LDAPIdentityProviderUserSearch's
|
|
Filter field cannot be blank, since the default value of
|
|
"dn={}" would not work.
|
|
minLength: 1
|
|
type: string
|
|
type: object
|
|
base:
|
|
description: Base is the dn (distinguished name) that should be
|
|
used as the search base when searching for users. E.g. "ou=users,dc=example,dc=com".
|
|
minLength: 1
|
|
type: string
|
|
filter:
|
|
description: Filter is the LDAP search filter which should be
|
|
applied when searching for users. The pattern "{}" must occur
|
|
in the filter at least once and will be dynamically replaced
|
|
by the username for which the search is being run. E.g. "mail={}"
|
|
or "&(objectClass=person)(uid={})". For more information about
|
|
LDAP filters, see https://ldap.com/ldap-filters. Note that the
|
|
dn (distinguished name) is not an attribute of an entry, so
|
|
"dn={}" cannot be used. Optional. When not specified, the default
|
|
will act as if the Filter were specified as the value from Attributes.Username
|
|
appended by "={}". When the Attributes.Username is set to "dn"
|
|
then the Filter must be explicitly specified, since the default
|
|
value of "dn={}" would not work.
|
|
type: string
|
|
type: object
|
|
required:
|
|
- host
|
|
type: object
|
|
status:
|
|
description: Status of the identity provider.
|
|
properties:
|
|
conditions:
|
|
description: Represents the observations of an identity provider's
|
|
current state.
|
|
items:
|
|
description: Condition status of a resource (mirrored from the metav1.Condition
|
|
type added in Kubernetes 1.19). In a future API version we can
|
|
switch to using the upstream type. See https://github.com/kubernetes/apimachinery/blob/v0.19.0/pkg/apis/meta/v1/types.go#L1353-L1413.
|
|
properties:
|
|
lastTransitionTime:
|
|
description: lastTransitionTime is the last time the condition
|
|
transitioned from one status to another. This should be when
|
|
the underlying condition changed. If that is not known, then
|
|
using the time when the API field changed is acceptable.
|
|
format: date-time
|
|
type: string
|
|
message:
|
|
description: message is a human readable message indicating
|
|
details about the transition. This may be an empty string.
|
|
maxLength: 32768
|
|
type: string
|
|
observedGeneration:
|
|
description: observedGeneration represents the .metadata.generation
|
|
that the condition was set based upon. For instance, if .metadata.generation
|
|
is currently 12, but the .status.conditions[x].observedGeneration
|
|
is 9, the condition is out of date with respect to the current
|
|
state of the instance.
|
|
format: int64
|
|
minimum: 0
|
|
type: integer
|
|
reason:
|
|
description: reason contains a programmatic identifier indicating
|
|
the reason for the condition's last transition. Producers
|
|
of specific condition types may define expected values and
|
|
meanings for this field, and whether the values are considered
|
|
a guaranteed API. The value should be a CamelCase string.
|
|
This field may not be empty.
|
|
maxLength: 1024
|
|
minLength: 1
|
|
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
|
|
type: string
|
|
status:
|
|
description: status of the condition, one of True, False, Unknown.
|
|
enum:
|
|
- "True"
|
|
- "False"
|
|
- Unknown
|
|
type: string
|
|
type:
|
|
description: type of condition in CamelCase or in foo.example.com/CamelCase.
|
|
--- Many .condition.type values are consistent across resources
|
|
like Available, but because arbitrary conditions can be useful
|
|
(see .node.status.conditions), the ability to deconflict is
|
|
important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
|
|
maxLength: 316
|
|
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
|
|
type: string
|
|
required:
|
|
- lastTransitionTime
|
|
- message
|
|
- reason
|
|
- status
|
|
- type
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-map-keys:
|
|
- type
|
|
x-kubernetes-list-type: map
|
|
phase:
|
|
default: Pending
|
|
description: Phase summarizes the overall status of the LDAPIdentityProvider.
|
|
enum:
|
|
- Pending
|
|
- Ready
|
|
- Error
|
|
type: string
|
|
type: object
|
|
required:
|
|
- spec
|
|
type: object
|
|
served: true
|
|
storage: true
|
|
subresources:
|
|
status: {}
|
|
status:
|
|
acceptedNames:
|
|
kind: ""
|
|
plural: ""
|
|
conditions: []
|
|
storedVersions: []
|