fdac4d16f0
for AD and LDAP
287 lines
15 KiB
YAML
Generated
287 lines
15 KiB
YAML
Generated
|
|
---
|
|
apiVersion: apiextensions.k8s.io/v1
|
|
kind: CustomResourceDefinition
|
|
metadata:
|
|
annotations:
|
|
controller-gen.kubebuilder.io/version: v0.4.0
|
|
creationTimestamp: null
|
|
name: ldapidentityproviders.idp.supervisor.pinniped.dev
|
|
spec:
|
|
group: idp.supervisor.pinniped.dev
|
|
names:
|
|
categories:
|
|
- pinniped
|
|
- pinniped-idp
|
|
- pinniped-idps
|
|
kind: LDAPIdentityProvider
|
|
listKind: LDAPIdentityProviderList
|
|
plural: ldapidentityproviders
|
|
singular: ldapidentityprovider
|
|
scope: Namespaced
|
|
versions:
|
|
- additionalPrinterColumns:
|
|
- jsonPath: .spec.host
|
|
name: Host
|
|
type: string
|
|
- jsonPath: .status.phase
|
|
name: Status
|
|
type: string
|
|
- jsonPath: .metadata.creationTimestamp
|
|
name: Age
|
|
type: date
|
|
name: v1alpha1
|
|
schema:
|
|
openAPIV3Schema:
|
|
description: LDAPIdentityProvider describes the configuration of an upstream
|
|
Lightweight Directory Access Protocol (LDAP) identity provider.
|
|
properties:
|
|
apiVersion:
|
|
description: 'APIVersion defines the versioned schema of this representation
|
|
of an object. Servers should convert recognized schemas to the latest
|
|
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
|
|
type: string
|
|
kind:
|
|
description: 'Kind is a string value representing the REST resource this
|
|
object represents. Servers may infer this from the endpoint the client
|
|
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
|
|
type: string
|
|
metadata:
|
|
type: object
|
|
spec:
|
|
description: Spec for configuring the identity provider.
|
|
properties:
|
|
bind:
|
|
description: Bind contains the configuration for how to provide access
|
|
credentials during an initial bind to the LDAP server to be allowed
|
|
to perform searches and binds to validate a user's credentials during
|
|
a user's authentication attempt.
|
|
properties:
|
|
secretName:
|
|
description: SecretName contains the name of a namespace-local
|
|
Secret object that provides the username and password for an
|
|
LDAP bind user. This account will be used to perform LDAP searches.
|
|
The Secret should be of type "kubernetes.io/basic-auth" which
|
|
includes "username" and "password" keys. The username value
|
|
should be the full dn (distinguished name) of your bind account,
|
|
e.g. "cn=bind-account,ou=users,dc=example,dc=com". The password
|
|
must be non-empty.
|
|
minLength: 1
|
|
type: string
|
|
required:
|
|
- secretName
|
|
type: object
|
|
groupSearch:
|
|
description: GroupSearch contains the configuration for searching
|
|
for a user's group membership in the LDAP provider.
|
|
properties:
|
|
attributes:
|
|
description: Attributes specifies how the group's information
|
|
should be read from each LDAP entry which was found as the result
|
|
of the group search.
|
|
properties:
|
|
groupName:
|
|
description: GroupName specifies the name of the attribute
|
|
in the LDAP entries whose value shall become a group name
|
|
in the user's list of groups after a successful authentication.
|
|
The value of this field is case-sensitive and must match
|
|
the case of the attribute name returned by the LDAP server
|
|
in the user's entry. E.g. "cn" for common name. Distinguished
|
|
names can be used by specifying lower-case "dn". Optional.
|
|
When not specified, the default will act as if the GroupName
|
|
were specified as "dn" (distinguished name).
|
|
type: string
|
|
type: object
|
|
base:
|
|
description: Base is the dn (distinguished name) that should be
|
|
used as the search base when searching for groups. E.g. "ou=groups,dc=example,dc=com".
|
|
When not specified, no group search will be performed and authenticated
|
|
users will not belong to any groups from the LDAP provider.
|
|
Also, when not specified, the values of Filter and Attributes
|
|
are ignored.
|
|
type: string
|
|
filter:
|
|
description: Filter is the LDAP search filter which should be
|
|
applied when searching for groups for a user. The pattern "{}"
|
|
must occur in the filter at least once and will be dynamically
|
|
replaced by the dn (distinguished name) of the user entry found
|
|
as a result of the user search. E.g. "member={}" or "&(objectClass=groupOfNames)(member={})".
|
|
For more information about LDAP filters, see https://ldap.com/ldap-filters.
|
|
Note that the dn (distinguished name) is not an attribute of
|
|
an entry, so "dn={}" cannot be used. Optional. When not specified,
|
|
the default will act as if the Filter were specified as "member={}".
|
|
type: string
|
|
skipGroupRefresh:
|
|
description: SkipGroupRefresh skips the group refresh operation
|
|
that occurs with each refresh (every 5 minutes). This can be
|
|
done if group search is very slow or resource intensive for
|
|
the LDAP server.
|
|
type: boolean
|
|
required:
|
|
- skipGroupRefresh
|
|
type: object
|
|
host:
|
|
description: 'Host is the hostname of this LDAP identity provider,
|
|
i.e., where to connect. For example: ldap.example.com:636.'
|
|
minLength: 1
|
|
type: string
|
|
tls:
|
|
description: TLS contains the connection settings for how to establish
|
|
the connection to the Host.
|
|
properties:
|
|
certificateAuthorityData:
|
|
description: X.509 Certificate Authority (base64-encoded PEM bundle).
|
|
If omitted, a default set of system roots will be trusted.
|
|
type: string
|
|
type: object
|
|
userSearch:
|
|
description: UserSearch contains the configuration for searching for
|
|
a user by name in the LDAP provider.
|
|
properties:
|
|
attributes:
|
|
description: Attributes specifies how the user's information should
|
|
be read from the LDAP entry which was found as the result of
|
|
the user search.
|
|
properties:
|
|
uid:
|
|
description: UID specifies the name of the attribute in the
|
|
LDAP entry which whose value shall be used to uniquely identify
|
|
the user within this LDAP provider after a successful authentication.
|
|
E.g. "uidNumber" or "objectGUID". The value of this field
|
|
is case-sensitive and must match the case of the attribute
|
|
name returned by the LDAP server in the user's entry. Distinguished
|
|
names can be used by specifying lower-case "dn".
|
|
minLength: 1
|
|
type: string
|
|
username:
|
|
description: Username specifies the name of the attribute
|
|
in the LDAP entry whose value shall become the username
|
|
of the user after a successful authentication. This would
|
|
typically be the same attribute name used in the user search
|
|
filter, although it can be different. E.g. "mail" or "uid"
|
|
or "userPrincipalName". The value of this field is case-sensitive
|
|
and must match the case of the attribute name returned by
|
|
the LDAP server in the user's entry. Distinguished names
|
|
can be used by specifying lower-case "dn". When this field
|
|
is set to "dn" then the LDAPIdentityProviderUserSearch's
|
|
Filter field cannot be blank, since the default value of
|
|
"dn={}" would not work.
|
|
minLength: 1
|
|
type: string
|
|
type: object
|
|
base:
|
|
description: Base is the dn (distinguished name) that should be
|
|
used as the search base when searching for users. E.g. "ou=users,dc=example,dc=com".
|
|
minLength: 1
|
|
type: string
|
|
filter:
|
|
description: Filter is the LDAP search filter which should be
|
|
applied when searching for users. The pattern "{}" must occur
|
|
in the filter at least once and will be dynamically replaced
|
|
by the username for which the search is being run. E.g. "mail={}"
|
|
or "&(objectClass=person)(uid={})". For more information about
|
|
LDAP filters, see https://ldap.com/ldap-filters. Note that the
|
|
dn (distinguished name) is not an attribute of an entry, so
|
|
"dn={}" cannot be used. Optional. When not specified, the default
|
|
will act as if the Filter were specified as the value from Attributes.Username
|
|
appended by "={}". When the Attributes.Username is set to "dn"
|
|
then the Filter must be explicitly specified, since the default
|
|
value of "dn={}" would not work.
|
|
type: string
|
|
type: object
|
|
required:
|
|
- host
|
|
type: object
|
|
status:
|
|
description: Status of the identity provider.
|
|
properties:
|
|
conditions:
|
|
description: Represents the observations of an identity provider's
|
|
current state.
|
|
items:
|
|
description: Condition status of a resource (mirrored from the metav1.Condition
|
|
type added in Kubernetes 1.19). In a future API version we can
|
|
switch to using the upstream type. See https://github.com/kubernetes/apimachinery/blob/v0.19.0/pkg/apis/meta/v1/types.go#L1353-L1413.
|
|
properties:
|
|
lastTransitionTime:
|
|
description: lastTransitionTime is the last time the condition
|
|
transitioned from one status to another. This should be when
|
|
the underlying condition changed. If that is not known, then
|
|
using the time when the API field changed is acceptable.
|
|
format: date-time
|
|
type: string
|
|
message:
|
|
description: message is a human readable message indicating
|
|
details about the transition. This may be an empty string.
|
|
maxLength: 32768
|
|
type: string
|
|
observedGeneration:
|
|
description: observedGeneration represents the .metadata.generation
|
|
that the condition was set based upon. For instance, if .metadata.generation
|
|
is currently 12, but the .status.conditions[x].observedGeneration
|
|
is 9, the condition is out of date with respect to the current
|
|
state of the instance.
|
|
format: int64
|
|
minimum: 0
|
|
type: integer
|
|
reason:
|
|
description: reason contains a programmatic identifier indicating
|
|
the reason for the condition's last transition. Producers
|
|
of specific condition types may define expected values and
|
|
meanings for this field, and whether the values are considered
|
|
a guaranteed API. The value should be a CamelCase string.
|
|
This field may not be empty.
|
|
maxLength: 1024
|
|
minLength: 1
|
|
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
|
|
type: string
|
|
status:
|
|
description: status of the condition, one of True, False, Unknown.
|
|
enum:
|
|
- "True"
|
|
- "False"
|
|
- Unknown
|
|
type: string
|
|
type:
|
|
description: type of condition in CamelCase or in foo.example.com/CamelCase.
|
|
--- Many .condition.type values are consistent across resources
|
|
like Available, but because arbitrary conditions can be useful
|
|
(see .node.status.conditions), the ability to deconflict is
|
|
important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
|
|
maxLength: 316
|
|
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
|
|
type: string
|
|
required:
|
|
- lastTransitionTime
|
|
- message
|
|
- reason
|
|
- status
|
|
- type
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-map-keys:
|
|
- type
|
|
x-kubernetes-list-type: map
|
|
phase:
|
|
default: Pending
|
|
description: Phase summarizes the overall status of the LDAPIdentityProvider.
|
|
enum:
|
|
- Pending
|
|
- Ready
|
|
- Error
|
|
type: string
|
|
type: object
|
|
required:
|
|
- spec
|
|
type: object
|
|
served: true
|
|
storage: true
|
|
subresources:
|
|
status: {}
|
|
status:
|
|
acceptedNames:
|
|
kind: ""
|
|
plural: ""
|
|
conditions: []
|
|
storedVersions: []
|