258 lines
12 KiB
YAML
258 lines
12 KiB
YAML
---
|
|
apiVersion: apiextensions.k8s.io/v1
|
|
kind: CustomResourceDefinition
|
|
metadata:
|
|
annotations:
|
|
controller-gen.kubebuilder.io/version: v0.13.0
|
|
name: credentialissuers.config.concierge.pinniped.dev
|
|
spec:
|
|
group: config.concierge.pinniped.dev
|
|
names:
|
|
categories:
|
|
- pinniped
|
|
kind: CredentialIssuer
|
|
listKind: CredentialIssuerList
|
|
plural: credentialissuers
|
|
singular: credentialissuer
|
|
scope: Cluster
|
|
versions:
|
|
- additionalPrinterColumns:
|
|
- jsonPath: .spec.impersonationProxy.mode
|
|
name: ProxyMode
|
|
type: string
|
|
- jsonPath: .status.strategies[?(@.status == "Success")].type
|
|
name: DefaultStrategy
|
|
type: string
|
|
- jsonPath: .metadata.creationTimestamp
|
|
name: Age
|
|
type: date
|
|
name: v1alpha1
|
|
schema:
|
|
openAPIV3Schema:
|
|
description: CredentialIssuer describes the configuration and status of the
|
|
Pinniped Concierge credential issuer.
|
|
properties:
|
|
apiVersion:
|
|
description: 'APIVersion defines the versioned schema of this representation
|
|
of an object. Servers should convert recognized schemas to the latest
|
|
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
|
|
type: string
|
|
kind:
|
|
description: 'Kind is a string value representing the REST resource this
|
|
object represents. Servers may infer this from the endpoint the client
|
|
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
|
|
type: string
|
|
metadata:
|
|
type: object
|
|
spec:
|
|
description: Spec describes the intended configuration of the Concierge.
|
|
properties:
|
|
impersonationProxy:
|
|
description: ImpersonationProxy describes the intended configuration
|
|
of the Concierge impersonation proxy.
|
|
properties:
|
|
externalEndpoint:
|
|
description: "ExternalEndpoint describes the HTTPS endpoint where
|
|
the proxy will be exposed. If not set, the proxy will be served
|
|
using the external name of the LoadBalancer service or the cluster
|
|
service DNS name. \n This field must be non-empty when spec.impersonationProxy.service.type
|
|
is \"None\"."
|
|
type: string
|
|
mode:
|
|
description: 'Mode configures whether the impersonation proxy
|
|
should be started: - "disabled" explicitly disables the impersonation
|
|
proxy. This is the default. - "enabled" explicitly enables the
|
|
impersonation proxy. - "auto" enables or disables the impersonation
|
|
proxy based upon the cluster in which it is running.'
|
|
enum:
|
|
- auto
|
|
- enabled
|
|
- disabled
|
|
type: string
|
|
service:
|
|
default:
|
|
type: LoadBalancer
|
|
description: Service describes the configuration of the Service
|
|
provisioned to expose the impersonation proxy to clients.
|
|
properties:
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
description: Annotations specifies zero or more key/value
|
|
pairs to set as annotations on the provisioned Service.
|
|
type: object
|
|
loadBalancerIP:
|
|
description: LoadBalancerIP specifies the IP address to set
|
|
in the spec.loadBalancerIP field of the provisioned Service.
|
|
This is not supported on all cloud providers.
|
|
maxLength: 255
|
|
minLength: 1
|
|
type: string
|
|
type:
|
|
default: LoadBalancer
|
|
description: "Type specifies the type of Service to provision
|
|
for the impersonation proxy. \n If the type is \"None\",
|
|
then the \"spec.impersonationProxy.externalEndpoint\" field
|
|
must be set to a non-empty value so that the Concierge can
|
|
properly advertise the endpoint in the CredentialIssuer's
|
|
status."
|
|
enum:
|
|
- LoadBalancer
|
|
- ClusterIP
|
|
- None
|
|
type: string
|
|
type: object
|
|
tls:
|
|
description: "TLS contains information about how the Concierge
|
|
impersonation proxy should serve TLS. \n If this field is empty,
|
|
the impersonation proxy will generate its own TLS certificate."
|
|
properties:
|
|
certificateAuthorityData:
|
|
description: X.509 Certificate Authority (base64-encoded PEM
|
|
bundle). Used to advertise the CA bundle for the impersonation
|
|
proxy endpoint.
|
|
type: string
|
|
secretName:
|
|
description: SecretName is the name of a Secret in the same
|
|
namespace, of type `kubernetes.io/tls`, which contains the
|
|
TLS serving certificate for the Concierge impersonation
|
|
proxy endpoint.
|
|
minLength: 1
|
|
type: string
|
|
type: object
|
|
required:
|
|
- mode
|
|
- service
|
|
type: object
|
|
required:
|
|
- impersonationProxy
|
|
type: object
|
|
status:
|
|
description: CredentialIssuerStatus describes the status of the Concierge.
|
|
properties:
|
|
kubeConfigInfo:
|
|
description: Information needed to form a valid Pinniped-based kubeconfig
|
|
using this credential issuer. This field is deprecated and will
|
|
be removed in a future version.
|
|
properties:
|
|
certificateAuthorityData:
|
|
description: The K8s API server CA bundle.
|
|
minLength: 1
|
|
type: string
|
|
server:
|
|
description: The K8s API server URL.
|
|
minLength: 1
|
|
pattern: ^https://|^http://
|
|
type: string
|
|
required:
|
|
- certificateAuthorityData
|
|
- server
|
|
type: object
|
|
strategies:
|
|
description: List of integration strategies that were attempted by
|
|
Pinniped.
|
|
items:
|
|
description: CredentialIssuerStrategy describes the status of an
|
|
integration strategy that was attempted by Pinniped.
|
|
properties:
|
|
frontend:
|
|
description: Frontend describes how clients can connect using
|
|
this strategy.
|
|
properties:
|
|
impersonationProxyInfo:
|
|
description: ImpersonationProxyInfo describes the parameters
|
|
for the impersonation proxy on this Concierge. This field
|
|
is only set when Type is "ImpersonationProxy".
|
|
properties:
|
|
certificateAuthorityData:
|
|
description: CertificateAuthorityData is the base64-encoded
|
|
PEM CA bundle of the impersonation proxy.
|
|
minLength: 1
|
|
type: string
|
|
endpoint:
|
|
description: Endpoint is the HTTPS endpoint of the impersonation
|
|
proxy.
|
|
minLength: 1
|
|
pattern: ^https://
|
|
type: string
|
|
required:
|
|
- certificateAuthorityData
|
|
- endpoint
|
|
type: object
|
|
tokenCredentialRequestInfo:
|
|
description: TokenCredentialRequestAPIInfo describes the
|
|
parameters for the TokenCredentialRequest API on this
|
|
Concierge. This field is only set when Type is "TokenCredentialRequestAPI".
|
|
properties:
|
|
certificateAuthorityData:
|
|
description: CertificateAuthorityData is the base64-encoded
|
|
Kubernetes API server CA bundle.
|
|
minLength: 1
|
|
type: string
|
|
server:
|
|
description: Server is the Kubernetes API server URL.
|
|
minLength: 1
|
|
pattern: ^https://|^http://
|
|
type: string
|
|
required:
|
|
- certificateAuthorityData
|
|
- server
|
|
type: object
|
|
type:
|
|
description: Type describes which frontend mechanism clients
|
|
can use with a strategy.
|
|
enum:
|
|
- TokenCredentialRequestAPI
|
|
- ImpersonationProxy
|
|
type: string
|
|
required:
|
|
- type
|
|
type: object
|
|
lastUpdateTime:
|
|
description: When the status was last checked.
|
|
format: date-time
|
|
type: string
|
|
message:
|
|
description: Human-readable description of the current status.
|
|
minLength: 1
|
|
type: string
|
|
reason:
|
|
description: Reason for the current status.
|
|
enum:
|
|
- Listening
|
|
- Pending
|
|
- Disabled
|
|
- ErrorDuringSetup
|
|
- CouldNotFetchKey
|
|
- CouldNotGetClusterInfo
|
|
- FetchedKey
|
|
type: string
|
|
status:
|
|
description: Status of the attempted integration strategy.
|
|
enum:
|
|
- Success
|
|
- Error
|
|
type: string
|
|
type:
|
|
description: Type of integration attempted.
|
|
enum:
|
|
- KubeClusterSigningCertificate
|
|
- ImpersonationProxy
|
|
type: string
|
|
required:
|
|
- lastUpdateTime
|
|
- message
|
|
- reason
|
|
- status
|
|
- type
|
|
type: object
|
|
type: array
|
|
required:
|
|
- strategies
|
|
type: object
|
|
type: object
|
|
served: true
|
|
storage: true
|
|
subresources:
|
|
status: {}
|