e9d5743845
Also force the LDAP server pod to restart whenever the LDIF file changes, so whenever you redeploy the tools deployment with a new test user password the server will be updated.
269 lines
14 KiB
YAML
Generated
269 lines
14 KiB
YAML
Generated
|
|
---
|
|
apiVersion: apiextensions.k8s.io/v1
|
|
kind: CustomResourceDefinition
|
|
metadata:
|
|
annotations:
|
|
controller-gen.kubebuilder.io/version: v0.4.0
|
|
creationTimestamp: null
|
|
name: ldapidentityproviders.idp.supervisor.pinniped.dev
|
|
spec:
|
|
group: idp.supervisor.pinniped.dev
|
|
names:
|
|
categories:
|
|
- pinniped
|
|
- pinniped-idp
|
|
- pinniped-idps
|
|
kind: LDAPIdentityProvider
|
|
listKind: LDAPIdentityProviderList
|
|
plural: ldapidentityproviders
|
|
singular: ldapidentityprovider
|
|
scope: Namespaced
|
|
versions:
|
|
- additionalPrinterColumns:
|
|
- jsonPath: .spec.host
|
|
name: Host
|
|
type: string
|
|
- jsonPath: .status.phase
|
|
name: Status
|
|
type: string
|
|
- jsonPath: .metadata.creationTimestamp
|
|
name: Age
|
|
type: date
|
|
name: v1alpha1
|
|
schema:
|
|
openAPIV3Schema:
|
|
description: LDAPIdentityProvider describes the configuration of an upstream
|
|
Lightweight Directory Access Protocol (LDAP) identity provider.
|
|
properties:
|
|
apiVersion:
|
|
description: 'APIVersion defines the versioned schema of this representation
|
|
of an object. Servers should convert recognized schemas to the latest
|
|
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
|
|
type: string
|
|
kind:
|
|
description: 'Kind is a string value representing the REST resource this
|
|
object represents. Servers may infer this from the endpoint the client
|
|
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
|
|
type: string
|
|
metadata:
|
|
type: object
|
|
spec:
|
|
description: Spec for configuring the identity provider.
|
|
properties:
|
|
bind:
|
|
description: Bind contains the configuration for how to provide access
|
|
credentials during an initial bind to the LDAP server to be allowed
|
|
to perform searches and binds to validate a user's credentials during
|
|
a user's authentication attempt.
|
|
properties:
|
|
secretName:
|
|
description: SecretName contains the name of a namespace-local
|
|
Secret object that provides the username and password for an
|
|
LDAP bind user. This account will be used to perform LDAP searches.
|
|
The Secret should be of type "kubernetes.io/basic-auth" which
|
|
includes "username" and "password" keys. The username value
|
|
should be the full DN of your bind account, e.g. "cn=bind-account,ou=users,dc=example,dc=com".
|
|
minLength: 1
|
|
type: string
|
|
required:
|
|
- secretName
|
|
type: object
|
|
dryRunAuthenticationUsername:
|
|
description: DryRunAuthenticationUsername influences how the LDAPIdentityProvider's
|
|
configuration is validated. When DryRunAuthenticationUsername is
|
|
blank, the LDAPIdentityProvider will be validated by opening a connection
|
|
to the LDAP server using the Host and TLS settings and also will
|
|
bind using the Bind settings. The success or failure of the connect
|
|
and bind will be reflected in the LDAPIdentityProvider's status
|
|
conditions array. When DryRunAuthenticationUsername is not blank,
|
|
the LDAPIdentityProvider will be validated by opening a connection
|
|
to the LDAP server and performing a full dry run of authenticating
|
|
as the end user with the username specified by DryRunAuthenticationUsername.
|
|
The dry run will act as if the correct password were specified for
|
|
that end user during the authentication. This will test all of the
|
|
configuration options of the LDAPIdentityProvider. The success or
|
|
failure of the authentication dry run will be reflected in the LDAPIdentityProvider's
|
|
status conditions array, along with details of what username, UID,
|
|
and group memberships were selected for the specified user. If the
|
|
dry run fails, then that user would not be able to authenticate
|
|
in a real authentication situation either, so the LDAPIdentityProvider's
|
|
Status.Phase will be set to "Error". Therefore, the specified DryRunAuthenticationUsername
|
|
must be a valid username of a real user who should be able to authenticate
|
|
given all of the LDAPIdentityProvider's configuration. For example,
|
|
if the UserSearch configuration were set up such that an end user
|
|
should log in using their email address as their username, then
|
|
the DryRunAuthenticationUsername should be the actual email address
|
|
of a valid user who will be found in the LDAP server by the UserSearch
|
|
criteria. Once you have used DryRunAuthenticationUsername to validate
|
|
your LDAPIdentityProvider's configuration, you might choose to remove
|
|
the DryRunAuthenticationUsername configuration if you are concerned
|
|
that the user's LDAP account could change in the future, e.g. if
|
|
the account could become disabled in the future.
|
|
type: string
|
|
host:
|
|
description: 'Host is the hostname of this LDAP identity provider,
|
|
i.e., where to connect. For example: ldap.example.com:636.'
|
|
minLength: 1
|
|
type: string
|
|
tls:
|
|
description: TLS contains the connection settings for how to establish
|
|
the connection to the Host.
|
|
properties:
|
|
certificateAuthorityData:
|
|
description: X.509 Certificate Authority (base64-encoded PEM bundle)
|
|
to trust when connecting to the LDAP provider. If omitted, a
|
|
default set of system roots will be trusted.
|
|
type: string
|
|
type: object
|
|
userSearch:
|
|
description: UserSearch contains the configuration for searching for
|
|
a user by name in the LDAP provider.
|
|
properties:
|
|
attributes:
|
|
description: Attributes specifies how the user's information should
|
|
be read from the LDAP entry which was found as the result of
|
|
the user search.
|
|
properties:
|
|
uniqueID:
|
|
description: UniqueID specifies the name of the attribute
|
|
in the LDAP entry which whose value shall be used to uniquely
|
|
identify the user within this LDAP provider after a successful
|
|
authentication. E.g. "uidNumber" or "objectGUID". The value
|
|
of this field is case-sensitive and must match the case
|
|
of the attribute name returned by the LDAP server in the
|
|
user's entry. Distinguished names can be used by specifying
|
|
lower-case "dn".
|
|
minLength: 1
|
|
type: string
|
|
username:
|
|
description: Username specifies the name of attribute in the
|
|
LDAP entry which whose value shall become the username of
|
|
the user after a successful authentication. This would typically
|
|
be the same attribute name used in the user search filter,
|
|
although it can be different. E.g. "mail" or "uid" or "userPrincipalName".
|
|
The value of this field is case-sensitive and must match
|
|
the case of the attribute name returned by the LDAP server
|
|
in the user's entry. Distinguished names can be used by
|
|
specifying lower-case "dn". When this field is set to "dn"
|
|
then the LDAPIdentityProviderUserSearchSpec's Filter field
|
|
cannot be blank, since the default value of "dn={}" would
|
|
not work.
|
|
minLength: 1
|
|
type: string
|
|
type: object
|
|
base:
|
|
description: Base is the DN that should be used as the search
|
|
base when searching for users. E.g. "ou=users,dc=example,dc=com".
|
|
minLength: 1
|
|
type: string
|
|
filter:
|
|
description: Filter is the LDAP search filter which should be
|
|
applied when searching for users. The pattern "{}" must occur
|
|
in the filter and will be dynamically replaced by the username
|
|
for which the search is being run. E.g. "mail={}" or "&(objectClass=person)(uid={})".
|
|
For more information about LDAP filters, see https://ldap.com/ldap-filters.
|
|
Note that the dn (distinguished name) is not an attribute of
|
|
an entry, so "dn={}" cannot be used. Optional. When not specified,
|
|
the default will act as if the Filter were specified as the
|
|
value from Attributes.Username appended by "={}". When the Attributes.Username
|
|
is set to "dn" then the Filter must be explicitly specified,
|
|
since the default value of "dn={}" would not work.
|
|
type: string
|
|
type: object
|
|
required:
|
|
- host
|
|
type: object
|
|
status:
|
|
description: Status of the identity provider.
|
|
properties:
|
|
conditions:
|
|
description: Represents the observations of an identity provider's
|
|
current state.
|
|
items:
|
|
description: Condition status of a resource (mirrored from the metav1.Condition
|
|
type added in Kubernetes 1.19). In a future API version we can
|
|
switch to using the upstream type. See https://github.com/kubernetes/apimachinery/blob/v0.19.0/pkg/apis/meta/v1/types.go#L1353-L1413.
|
|
properties:
|
|
lastTransitionTime:
|
|
description: lastTransitionTime is the last time the condition
|
|
transitioned from one status to another. This should be when
|
|
the underlying condition changed. If that is not known, then
|
|
using the time when the API field changed is acceptable.
|
|
format: date-time
|
|
type: string
|
|
message:
|
|
description: message is a human readable message indicating
|
|
details about the transition. This may be an empty string.
|
|
maxLength: 32768
|
|
type: string
|
|
observedGeneration:
|
|
description: observedGeneration represents the .metadata.generation
|
|
that the condition was set based upon. For instance, if .metadata.generation
|
|
is currently 12, but the .status.conditions[x].observedGeneration
|
|
is 9, the condition is out of date with respect to the current
|
|
state of the instance.
|
|
format: int64
|
|
minimum: 0
|
|
type: integer
|
|
reason:
|
|
description: reason contains a programmatic identifier indicating
|
|
the reason for the condition's last transition. Producers
|
|
of specific condition types may define expected values and
|
|
meanings for this field, and whether the values are considered
|
|
a guaranteed API. The value should be a CamelCase string.
|
|
This field may not be empty.
|
|
maxLength: 1024
|
|
minLength: 1
|
|
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
|
|
type: string
|
|
status:
|
|
description: status of the condition, one of True, False, Unknown.
|
|
enum:
|
|
- "True"
|
|
- "False"
|
|
- Unknown
|
|
type: string
|
|
type:
|
|
description: type of condition in CamelCase or in foo.example.com/CamelCase.
|
|
--- Many .condition.type values are consistent across resources
|
|
like Available, but because arbitrary conditions can be useful
|
|
(see .node.status.conditions), the ability to deconflict is
|
|
important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
|
|
maxLength: 316
|
|
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
|
|
type: string
|
|
required:
|
|
- lastTransitionTime
|
|
- message
|
|
- reason
|
|
- status
|
|
- type
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-map-keys:
|
|
- type
|
|
x-kubernetes-list-type: map
|
|
phase:
|
|
default: Pending
|
|
description: Phase summarizes the overall status of the LDAPIdentityProvider.
|
|
enum:
|
|
- Pending
|
|
- Ready
|
|
- Error
|
|
type: string
|
|
type: object
|
|
required:
|
|
- spec
|
|
type: object
|
|
served: true
|
|
storage: true
|
|
subresources:
|
|
status: {}
|
|
status:
|
|
acceptedNames:
|
|
kind: ""
|
|
plural: ""
|
|
conditions: []
|
|
storedVersions: []
|