156 lines
6.8 KiB
YAML
156 lines
6.8 KiB
YAML
|
|
---
|
|
apiVersion: apiextensions.k8s.io/v1
|
|
kind: CustomResourceDefinition
|
|
metadata:
|
|
annotations:
|
|
controller-gen.kubebuilder.io/version: v0.4.0
|
|
creationTimestamp: null
|
|
name: ldapidentityproviders.idp.supervisor.pinniped.dev
|
|
spec:
|
|
group: idp.supervisor.pinniped.dev
|
|
names:
|
|
categories:
|
|
- pinniped
|
|
- pinniped-idp
|
|
- pinniped-idps
|
|
kind: LDAPIdentityProvider
|
|
listKind: LDAPIdentityProviderList
|
|
plural: ldapidentityproviders
|
|
singular: ldapidentityprovider
|
|
scope: Namespaced
|
|
versions:
|
|
- additionalPrinterColumns:
|
|
- jsonPath: .spec.host
|
|
name: Host
|
|
type: string
|
|
- jsonPath: .status.phase
|
|
name: Status
|
|
type: string
|
|
- jsonPath: .metadata.creationTimestamp
|
|
name: Age
|
|
type: date
|
|
name: v1alpha1
|
|
schema:
|
|
openAPIV3Schema:
|
|
description: LDAPIdentityProvider describes the configuration of an upstream
|
|
Lightweight Directory Access Protocol (LDAP) identity provider.
|
|
properties:
|
|
apiVersion:
|
|
description: 'APIVersion defines the versioned schema of this representation
|
|
of an object. Servers should convert recognized schemas to the latest
|
|
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
|
|
type: string
|
|
kind:
|
|
description: 'Kind is a string value representing the REST resource this
|
|
object represents. Servers may infer this from the endpoint the client
|
|
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
|
|
type: string
|
|
metadata:
|
|
type: object
|
|
spec:
|
|
description: Spec for configuring the identity provider.
|
|
properties:
|
|
bind:
|
|
description: Bind contains the configuration for how to provide access
|
|
credentials during an initial bind to the LDAP server to be allowed
|
|
to perform searches and binds to validate a user's credentials during
|
|
a user's authentication attempt.
|
|
properties:
|
|
secretName:
|
|
description: SecretName contains the name of a namespace-local
|
|
Secret object that provides the username and password for an
|
|
LDAP bind user. This account will be used to perform LDAP searches.
|
|
The Secret should be of type "kubernetes.io/basic-auth" which
|
|
includes "username" and "password" keys. The username value
|
|
should be the full DN of your bind account, e.g. "cn=bind-account,ou=users,dc=example,dc=com".
|
|
minLength: 1
|
|
type: string
|
|
required:
|
|
- secretName
|
|
type: object
|
|
host:
|
|
description: 'Host is the hostname of this LDAP identity provider,
|
|
i.e., where to connect. For example: ldap.example.com:636.'
|
|
minLength: 1
|
|
type: string
|
|
tls:
|
|
description: TLS contains the connection settings for how to establish
|
|
the connection to the Host.
|
|
properties:
|
|
certificateAuthorityData:
|
|
description: X.509 Certificate Authority (base64-encoded PEM bundle)
|
|
to trust when connecting to the LDAP provider. If omitted, a
|
|
default set of system roots will be trusted.
|
|
type: string
|
|
type: object
|
|
userSearch:
|
|
description: UserSearch contains the configuration for searching for
|
|
a user by name in the LDAP provider.
|
|
properties:
|
|
attributes:
|
|
description: Attributes specifies how the user's information should
|
|
be read from the LDAP entry which was found as the result of
|
|
the user search.
|
|
properties:
|
|
uniqueID:
|
|
description: UniqueID specifies the name of the attribute
|
|
in the LDAP entry which whose value shall be used to uniquely
|
|
identify the user within this LDAP provider after a successful
|
|
authentication. E.g. "uidNumber" or "objectGUID".
|
|
minLength: 1
|
|
type: string
|
|
username:
|
|
description: Username specifies the name of attribute in the
|
|
LDAP entry which whose value shall become the username of
|
|
the user after a successful authentication. This would typically
|
|
be the same attribute name used in the user search filter.
|
|
E.g. "mail" or "uid" or "userPrincipalName".
|
|
minLength: 1
|
|
type: string
|
|
type: object
|
|
base:
|
|
description: Base is the DN that should be used as the search
|
|
base when searching for users. E.g. "ou=users,dc=example,dc=com".
|
|
minLength: 1
|
|
type: string
|
|
filter:
|
|
description: Filter is the LDAP search filter which should be
|
|
applied when searching for users. The pattern "{}" must occur
|
|
in the filter and will be dynamically replaced by the username
|
|
for which the search is being run. E.g. "mail={}" or "&(objectClass=person)(uid={})".
|
|
For more information about LDAP filters, see https://ldap.com/ldap-filters.
|
|
Optional. When not specified, the default will act as if the
|
|
Filter were specified as the value from Attributes.Username
|
|
appended by "={}".
|
|
type: string
|
|
type: object
|
|
required:
|
|
- host
|
|
type: object
|
|
status:
|
|
description: Status of the identity provider.
|
|
properties:
|
|
phase:
|
|
default: Pending
|
|
description: Phase summarizes the overall status of the LDAPIdentityProvider.
|
|
enum:
|
|
- Pending
|
|
- Ready
|
|
- Error
|
|
type: string
|
|
type: object
|
|
required:
|
|
- spec
|
|
type: object
|
|
served: true
|
|
storage: true
|
|
subresources:
|
|
status: {}
|
|
status:
|
|
acceptedNames:
|
|
kind: ""
|
|
plural: ""
|
|
conditions: []
|
|
storedVersions: []
|