239 lines
12 KiB
YAML
Generated
239 lines
12 KiB
YAML
Generated
|
|
---
|
|
apiVersion: apiextensions.k8s.io/v1
|
|
kind: CustomResourceDefinition
|
|
metadata:
|
|
annotations:
|
|
controller-gen.kubebuilder.io/version: v0.4.0
|
|
creationTimestamp: null
|
|
name: oidcidentityproviders.idp.supervisor.pinniped.dev
|
|
spec:
|
|
group: idp.supervisor.pinniped.dev
|
|
names:
|
|
categories:
|
|
- pinniped
|
|
- pinniped-idp
|
|
- pinniped-idps
|
|
kind: OIDCIdentityProvider
|
|
listKind: OIDCIdentityProviderList
|
|
plural: oidcidentityproviders
|
|
singular: oidcidentityprovider
|
|
scope: Namespaced
|
|
versions:
|
|
- additionalPrinterColumns:
|
|
- jsonPath: .spec.issuer
|
|
name: Issuer
|
|
type: string
|
|
- jsonPath: .status.phase
|
|
name: Status
|
|
type: string
|
|
- jsonPath: .metadata.creationTimestamp
|
|
name: Age
|
|
type: date
|
|
name: v1alpha1
|
|
schema:
|
|
openAPIV3Schema:
|
|
description: OIDCIdentityProvider describes the configuration of an upstream
|
|
OpenID Connect identity provider.
|
|
properties:
|
|
apiVersion:
|
|
description: 'APIVersion defines the versioned schema of this representation
|
|
of an object. Servers should convert recognized schemas to the latest
|
|
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
|
|
type: string
|
|
kind:
|
|
description: 'Kind is a string value representing the REST resource this
|
|
object represents. Servers may infer this from the endpoint the client
|
|
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
|
|
type: string
|
|
metadata:
|
|
type: object
|
|
spec:
|
|
description: Spec for configuring the identity provider.
|
|
properties:
|
|
authorizationConfig:
|
|
description: AuthorizationConfig holds information about how to form
|
|
the OAuth2 authorization request parameters to be used with this
|
|
OIDC identity provider.
|
|
properties:
|
|
additionalScopes:
|
|
description: AdditionalScopes are the scopes in addition to "openid"
|
|
that will be requested as part of the authorization request
|
|
flow with an OIDC identity provider. In the case of a Resource
|
|
Owner Password Credentials Grant flow, AdditionalScopes are
|
|
the scopes in addition to "openid" that will be requested as
|
|
part of the token request (see also the allowPasswordGrant field).
|
|
By default, only the "openid" scope will be requested.
|
|
items:
|
|
type: string
|
|
type: array
|
|
allowPasswordGrant:
|
|
description: AllowPasswordGrant, when true, will allow the use
|
|
of OAuth 2.0's Resource Owner Password Credentials Grant (see
|
|
https://datatracker.ietf.org/doc/html/rfc6749#section-4.3) to
|
|
authenticate to the OIDC provider using a username and password
|
|
without a web browser, in addition to the usual browser-based
|
|
OIDC Authorization Code Flow. The Resource Owner Password Credentials
|
|
Grant is not officially part of the OIDC specification, so it
|
|
may not be supported by your OIDC provider. If your OIDC provider
|
|
supports returning ID tokens from a Resource Owner Password
|
|
Credentials Grant token request, then you can choose to set
|
|
this field to true. This will allow end users to choose to present
|
|
their username and password to the kubectl CLI (using the Pinniped
|
|
plugin) to authenticate to the cluster, without using a web
|
|
browser to log in as is customary in OIDC Authorization Code
|
|
Flow. This may be convenient for users, especially for identities
|
|
from your OIDC provider which are not intended to represent
|
|
a human actor, such as service accounts performing actions in
|
|
a CI/CD environment. Even if your OIDC provider supports it,
|
|
you may wish to disable this behavior by setting this field
|
|
to false when you prefer to only allow users of this OIDCIdentityProvider
|
|
to log in via the browser-based OIDC Authorization Code Flow.
|
|
Using the Resource Owner Password Credentials Grant means that
|
|
the Pinniped CLI and Pinniped Supervisor will directly handle
|
|
your end users' passwords (similar to LDAPIdentityProvider),
|
|
and you will not be able to require multi-factor authentication
|
|
or use the other web-based login features of your OIDC provider
|
|
during Resource Owner Password Credentials Grant logins. AllowPasswordGrant
|
|
defaults to false.
|
|
type: boolean
|
|
type: object
|
|
claims:
|
|
description: Claims provides the names of token claims that will be
|
|
used when inspecting an identity from this OIDC identity provider.
|
|
properties:
|
|
groups:
|
|
description: Groups provides the name of the token claim that
|
|
will be used to ascertain the groups to which an identity belongs.
|
|
type: string
|
|
username:
|
|
description: Username provides the name of the token claim that
|
|
will be used to ascertain an identity's username.
|
|
type: string
|
|
type: object
|
|
client:
|
|
description: OIDCClient contains OIDC client information to be used
|
|
used with this OIDC identity provider.
|
|
properties:
|
|
secretName:
|
|
description: SecretName contains the name of a namespace-local
|
|
Secret object that provides the clientID and clientSecret for
|
|
an OIDC client. If only the SecretName is specified in an OIDCClient
|
|
struct, then it is expected that the Secret is of type "secrets.pinniped.dev/oidc-client"
|
|
with keys "clientID" and "clientSecret".
|
|
type: string
|
|
required:
|
|
- secretName
|
|
type: object
|
|
issuer:
|
|
description: Issuer is the issuer URL of this OIDC identity provider,
|
|
i.e., where to fetch /.well-known/openid-configuration.
|
|
minLength: 1
|
|
pattern: ^https://
|
|
type: string
|
|
tls:
|
|
description: TLS configuration for discovery/JWKS requests to the
|
|
issuer.
|
|
properties:
|
|
certificateAuthorityData:
|
|
description: X.509 Certificate Authority (base64-encoded PEM bundle).
|
|
If omitted, a default set of system roots will be trusted.
|
|
type: string
|
|
type: object
|
|
required:
|
|
- client
|
|
- issuer
|
|
type: object
|
|
status:
|
|
description: Status of the identity provider.
|
|
properties:
|
|
conditions:
|
|
description: Represents the observations of an identity provider's
|
|
current state.
|
|
items:
|
|
description: Condition status of a resource (mirrored from the metav1.Condition
|
|
type added in Kubernetes 1.19). In a future API version we can
|
|
switch to using the upstream type. See https://github.com/kubernetes/apimachinery/blob/v0.19.0/pkg/apis/meta/v1/types.go#L1353-L1413.
|
|
properties:
|
|
lastTransitionTime:
|
|
description: lastTransitionTime is the last time the condition
|
|
transitioned from one status to another. This should be when
|
|
the underlying condition changed. If that is not known, then
|
|
using the time when the API field changed is acceptable.
|
|
format: date-time
|
|
type: string
|
|
message:
|
|
description: message is a human readable message indicating
|
|
details about the transition. This may be an empty string.
|
|
maxLength: 32768
|
|
type: string
|
|
observedGeneration:
|
|
description: observedGeneration represents the .metadata.generation
|
|
that the condition was set based upon. For instance, if .metadata.generation
|
|
is currently 12, but the .status.conditions[x].observedGeneration
|
|
is 9, the condition is out of date with respect to the current
|
|
state of the instance.
|
|
format: int64
|
|
minimum: 0
|
|
type: integer
|
|
reason:
|
|
description: reason contains a programmatic identifier indicating
|
|
the reason for the condition's last transition. Producers
|
|
of specific condition types may define expected values and
|
|
meanings for this field, and whether the values are considered
|
|
a guaranteed API. The value should be a CamelCase string.
|
|
This field may not be empty.
|
|
maxLength: 1024
|
|
minLength: 1
|
|
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
|
|
type: string
|
|
status:
|
|
description: status of the condition, one of True, False, Unknown.
|
|
enum:
|
|
- "True"
|
|
- "False"
|
|
- Unknown
|
|
type: string
|
|
type:
|
|
description: type of condition in CamelCase or in foo.example.com/CamelCase.
|
|
--- Many .condition.type values are consistent across resources
|
|
like Available, but because arbitrary conditions can be useful
|
|
(see .node.status.conditions), the ability to deconflict is
|
|
important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
|
|
maxLength: 316
|
|
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
|
|
type: string
|
|
required:
|
|
- lastTransitionTime
|
|
- message
|
|
- reason
|
|
- status
|
|
- type
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-map-keys:
|
|
- type
|
|
x-kubernetes-list-type: map
|
|
phase:
|
|
default: Pending
|
|
description: Phase summarizes the overall status of the OIDCIdentityProvider.
|
|
enum:
|
|
- Pending
|
|
- Ready
|
|
- Error
|
|
type: string
|
|
type: object
|
|
required:
|
|
- spec
|
|
type: object
|
|
served: true
|
|
storage: true
|
|
subresources:
|
|
status: {}
|
|
status:
|
|
acceptedNames:
|
|
kind: ""
|
|
plural: ""
|
|
conditions: []
|
|
storedVersions: []
|