Documentation
Overview
Package v1 contains API Schema definitions for the ingress v1 API group.
+kubebuilder:object:generate=true
+groupName=ingress.pomerium.io
Index
Constants
This section is empty.
Variables
var (
	// GroupVersion is the group version used to register these objects.
	GroupVersion = schema.GroupVersion{Group: "ingress.pomerium.io", Version: "v1"}

	// SchemeBuilder is used to add Go types to the GroupVersionKind scheme.
	SchemeBuilder = &scheme.Builder{GroupVersion: GroupVersion}

	// AddToScheme adds the types in this group-version to the given scheme.
	AddToScheme = SchemeBuilder.AddToScheme
)
Functions
func GetDeprecations (added in v0.20.0)
func GetDeprecations(spec *PomeriumSpec) ([]pom_cfg.FieldMsg, error)
GetDeprecations returns deprecation warnings.
Types
type Authenticate
type Authenticate struct {
	// URL is a dedicated domain URL to which non-authenticated persons are referred.
	//
	// <p><ul>
	// <li>You do not need to create a dedicated <code>Ingress</code> for this
	// virtual route, as it is handled by Pomerium internally.</li>
	// <li>You do need to create a secret with the corresponding TLS certificate for this route
	// and reference it via <a href="#prop-certificates"><code>certificates</code></a>.
	// If you use <code>cert-manager</code> with the <code>HTTP01</code> challenge,
	// you may use the <code>pomerium</code> <code>ingressClass</code> to solve it.</li>
	// </ul></p>
	//
	// +kubebuilder:validation:Required
	// +kubebuilder:validation:Type=string
	// +kubebuilder:validation:Format=uri
	// +kubebuilder:validation:Pattern=`^https://`
	URL string `json:"url"`

	// CallbackPath sets the path at which the authenticate service receives callback responses
	// from your identity provider. The value must exactly match one of the authorized redirect URIs for the OAuth 2.0 client.
	//
	// <p>This value is referred to as the redirect_url in the OpenID Connect and OAuth2 specs.</p>
	// <p>Defaults to <code>/oauth2/callback</code></p>
	//
	// +optional
	CallbackPath *string `json:"callbackPath,omitempty"`
}
Authenticate holds the authenticate service configuration parameters.
func (*Authenticate) DeepCopy
func (in *Authenticate) DeepCopy() *Authenticate
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Authenticate.
func (*Authenticate) DeepCopyInto
func (in *Authenticate) DeepCopyInto(out *Authenticate)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type Cookie (added in v0.20.0)
type Cookie struct {
	// Name sets the Pomerium session cookie name.
	// Defaults to <code>_pomerium</code>
	// +optional
	Name *string `json:"name,omitempty"`

	// Domain defaults to the same host that set the cookie.
	// If you specify the domain explicitly, then subdomains are also included.
	// +optional
	Domain *string `json:"domain,omitempty"`

	// HTTPOnly, if set to <code>false</code>, makes the cookie accessible from JavaScript.
	// Defaults to <code>true</code>.
	// +optional
	HTTPOnly *bool `json:"httpOnly,omitempty"`

	// Expire sets the cookie and Pomerium session expiration time.
	// Once the session expires, users have to re-login.
	// If you change this parameter, existing sessions are not affected.
	// <p>See <a href="https://www.pomerium.com/docs/enterprise/about#session-management">Session Management</a>
	// (Enterprise) for more fine-grained session controls.</p>
	// <p>Defaults to 14 hours.</p>
	// +kubebuilder:validation:Format=duration
	// +optional
	Expire *metav1.Duration `json:"expire,omitempty"`

	// SameSite sets the SameSite option for cookies.
	// Defaults to <code></code>.
	// +kubebuilder:validation:Optional
	// +kubebuilder:validation:Type=string
	// +kubebuilder:validation:Enum=strict;lax;none
	SameSite *string `json:"sameSite,omitempty"`
}
Cookie customizes the HTTP cookie set by Pomerium. Note that cookie_secret is part of the main configuration secret.
func (*Cookie) DeepCopy (added in v0.20.0)
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Cookie.
func (*Cookie) DeepCopyInto (added in v0.20.0)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type IdentityProvider
type IdentityProvider struct {
	// Provider is the short-hand name of a built-in OpenID Connect (oidc) identity provider to be used for authentication.
	// To use a generic provider, set to <code>oidc</code>.
	// +kubebuilder:validation:Required
	// +kubebuilder:validation:Enum=auth0;azure;github;gitlab;google;oidc;okta;onelogin;ping
	Provider string `json:"provider"`

	// URL is the base path to an identity provider's OpenID Connect discovery document.
	// See the <a href="https://pomerium.com/docs/identity-providers">Identity Providers</a> guides for details.
	// +kubebuilder:validation:Optional
	// +kubebuilder:validation:Type=string
	// +kubebuilder:validation:Format=uri
	// +kubebuilder:validation:Pattern=`^https://`
	URL *string `json:"url"`

	// Secret references a secret containing IdP provider-specific parameters;
	// it must contain at least the <code>client_id</code> and <code>client_secret</code> values.
	// +kubebuilder:validation:Required
	// +kubebuilder:validation:Type=string
	// +kubebuilder:validation:MinLength=1
	// +kubebuilder:validation:Format="namespace/name"
	Secret string `json:"secret"`

	// ServiceAccountFromSecret is no longer supported,
	// see the <a href="https://docs.pomerium.com/docs/overview/upgrading#idp-directory-sync">Upgrade Guide</a>.
	// +optional
	ServiceAccountFromSecret *string `json:"serviceAccountFromSecret,omitempty" deprecated:"idp_directory_sync"`

	// RequestParams are added as part of a sign-in request using the OAuth2 code flow.
	//
	// +kubebuilder:validation:Format="namespace/name"
	// +optional
	RequestParams map[string]string `json:"requestParams,omitempty"`

	// RequestParamsSecret is a reference to a secret for additional parameters you'd prefer not to provide in plaintext.
	// +kubebuilder:validation:Format="namespace/name"
	// +optional
	RequestParamsSecret *string `json:"requestParamsSecret,omitempty"`

	// Scopes are identity provider scopes, which correspond to access privilege scopes
	// as defined in Section 3.3 of OAuth 2.0 RFC6749.
	// +optional
	Scopes []string `json:"scopes,omitempty"`

	// RefreshDirectory is no longer supported,
	// please see the <a href="https://docs.pomerium.com/docs/overview/upgrading#idp-directory-sync">Upgrade Guide</a>.
	//
	// +optional
	RefreshDirectory *RefreshDirectorySettings `json:"refreshDirectory" deprecated:"idp_directory_sync"`
}
IdentityProvider configures single-sign-on authentication and user identity details by integrating with your downstream Identity Provider (IdP) of choice. That authentication integration is achieved using OAuth2 and OpenID Connect (OIDC). Where available, Pomerium also supports pulling additional data (like groups) using directory synchronization. An additional API token is required for directory sync. See https://www.pomerium.com/docs/identity-providers/
func (*IdentityProvider) DeepCopy
func (in *IdentityProvider) DeepCopy() *IdentityProvider
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IdentityProvider.
func (*IdentityProvider) DeepCopyInto
func (in *IdentityProvider) DeepCopyInto(out *IdentityProvider)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type Pomerium
type Pomerium struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	Spec   PomeriumSpec   `json:"spec,omitempty"`
	Status PomeriumStatus `json:"status,omitempty"`
}
Pomerium defines runtime-configurable Pomerium settings that do not fall into the category of deployment parameters.
func (*Pomerium) DeepCopy
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Pomerium.
func (*Pomerium) DeepCopyInto
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*Pomerium) DeepCopyObject
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type PomeriumList
type PomeriumList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`
	Items           []Pomerium `json:"items"`
}
PomeriumList contains a list of Pomerium settings objects.
func (*PomeriumList) DeepCopy
func (in *PomeriumList) DeepCopy() *PomeriumList
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PomeriumList.
func (*PomeriumList) DeepCopyInto
func (in *PomeriumList) DeepCopyInto(out *PomeriumList)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*PomeriumList) DeepCopyObject
func (in *PomeriumList) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type PomeriumSpec
type PomeriumSpec struct {
	// AccessLogFields sets the <a href="https://www.pomerium.com/docs/reference/access-log-fields">access fields</a> to log.
	AccessLogFields *[]string `json:"accessLogFields,omitempty"`

	// Authenticate sets authenticate service parameters.
	// If not specified, a Pomerium-hosted authenticate service is used.
	// +kubebuilder:validation:Optional
	Authenticate *Authenticate `json:"authenticate"`

	// AuthorizeLogFields sets the <a href="https://www.pomerium.com/docs/reference/authorize-log-fields">authorize fields</a> to log.
	AuthorizeLogFields *[]string `json:"authorizeLogFields,omitempty"`

	// Certificates is a list of secrets of type TLS to use.
	// +kubebuilder:validation:Format="namespace/name"
	// +optional
	Certificates []string `json:"certificates"`

	// CASecrets should refer to k8s secrets with key <code>ca.crt</code> containing a CA certificate.
	// +optional
	CASecrets []string `json:"caSecrets"`

	// Cookie defines Pomerium session cookie options.
	// +optional
	Cookie *Cookie `json:"cookie,omitempty"`

	// IdentityProvider configures single-sign-on authentication and user identity details
	// by integrating with your <a href="https://www.pomerium.com/docs/identity-providers/">Identity Provider</a>.
	//
	// +kubebuilder:validation:Optional
	IdentityProvider *IdentityProvider `json:"identityProvider"`

	// JWTClaimHeaders converts claims from the assertion token
	// into HTTP headers and adds them to the JWT assertion header.
	// Please make sure to read the
	// <a href="https://www.pomerium.com/docs/topics/getting-users-identity">
	// Getting User Identity</a> guide.
	//
	// +optional
	JWTClaimHeaders map[string]string `json:"jwtClaimHeaders,omitempty"`

	// PassIdentityHeaders sets the <a href="https://www.pomerium.com/docs/reference/pass-identity-headers">pass identity headers</a> option.
	PassIdentityHeaders *bool `json:"passIdentityHeaders,omitempty"`

	// ProgrammaticRedirectDomains specifies a list of domains that can be used for
	// <a href="https://www.pomerium.com/docs/capabilities/programmatic-access">programmatic redirects</a>.
	ProgrammaticRedirectDomains []string `json:"programmaticRedirectDomains,omitempty"`

	// RuntimeFlags sets the <a href="https://www.pomerium.com/docs/reference/runtime-flags">runtime flags</a> to enable/disable certain features.
	RuntimeFlags map[string]bool `json:"runtimeFlags,omitempty"`

	// Secrets references a Secret with Pomerium bootstrap parameters.
	//
	// <p>
	// <ul>
	// <li><a href="https://pomerium.com/docs/reference/shared-secret"><code>shared_secret</code></a>
	// - secures inter-Pomerium service communications.
	// </li>
	// <li><a href="https://pomerium.com/docs/reference/cookie-secret"><code>cookie_secret</code></a>
	// - encrypts the Pomerium session browser cookie.
	// See also the other <a href="#cookie">Cookie</a> parameters.
	// </li>
	// <li><a href="https://pomerium.com/docs/reference/signing-key"><code>signing_key</code></a>
	// - signs the Pomerium JWT assertion header. See the
	// <a href="https://www.pomerium.com/docs/topics/getting-users-identity">Getting the user's identity</a>
	// guide.
	// </li>
	// </ul>
	// </p>
	// <p>
	// In a default Pomerium installation manifest, they are generated via a
	// <a href="https://github.com/pomerium/ingress-controller/blob/main/config/gen_secrets/job.yaml">one-time job</a>
	// and stored in a <code>pomerium/bootstrap</code> Secret.
	// You may re-run the job to rotate the secrets, or update the Secret values manually.
	// </p>
	//
	// +kubebuilder:validation:Required
	// +kubebuilder:validation:Type=string
	// +kubebuilder:validation:MinLength=1
	// +kubebuilder:validation:Format="namespace/name"
	Secrets string `json:"secrets"`

	// SetResponseHeaders specifies a mapping of HTTP headers to be added globally to all managed routes and Pomerium's authenticate service.
	// See <a href="https://www.pomerium.com/docs/reference/set-response-headers">Set Response Headers</a>.
	// +optional
	SetResponseHeaders map[string]string `json:"setResponseHeaders,omitempty"`

	// Storage defines persistent storage for sessions and other data.
	// See <a href="https://www.pomerium.com/docs/topics/data-storage">Storage</a> for details.
	// If no storage is specified, Pomerium uses transient in-memory storage (not recommended for production).
	//
	// +kubebuilder:validation:Optional
	Storage *Storage `json:"storage,omitempty"`

	// Timeouts specifies the <a href="https://www.pomerium.com/docs/reference/global-timeouts">global timeouts</a> for all routes.
	Timeouts *Timeouts `json:"timeouts,omitempty"`

	// UseProxyProtocol enables <a href="https://www.pomerium.com/docs/reference/use-proxy-protocol">Proxy Protocol</a> support.
	UseProxyProtocol *bool `json:"useProxyProtocol,omitempty"`
}
PomeriumSpec defines Pomerium-specific configuration parameters.
func (*PomeriumSpec) DeepCopy
func (in *PomeriumSpec) DeepCopy() *PomeriumSpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PomeriumSpec.
func (*PomeriumSpec) DeepCopyInto
func (in *PomeriumSpec) DeepCopyInto(out *PomeriumSpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type PomeriumStatus
type PomeriumStatus struct {
	// Routes provide per-Ingress status.
	Routes map[string]ResourceStatus `json:"ingress,omitempty"`

	// SettingsStatus represents the most recent main configuration reconciliation status.
	SettingsStatus *ResourceStatus `json:"settingsStatus,omitempty"`
}
PomeriumStatus represents configuration and Ingress status.
func (*PomeriumStatus) DeepCopy
func (in *PomeriumStatus) DeepCopy() *PomeriumStatus
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PomeriumStatus.
func (*PomeriumStatus) DeepCopyInto
func (in *PomeriumStatus) DeepCopyInto(out *PomeriumStatus)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type PostgresStorage
type PostgresStorage struct {
	// Secret specifies the name of a Secret that must contain a
	// <code>connection</code> key. See
	// <a href="https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-CONNSTRING">DSN Format and Parameters</a>.
	// Do not set <code>sslrootcert</code>, <code>sslcert</code> and <code>sslkey</code> via the connection string;
	// use the <code>tlsSecret</code> and <code>caSecret</code> CRD options instead.
	// +kubebuilder:validation:Required
	// +kubebuilder:validation:Type=string
	// +kubebuilder:validation:MinLength=1
	// +kubebuilder:validation:Format="namespace/name"
	Secret string `json:"secret"`

	// TLSSecret should refer to a k8s secret of type <code>kubernetes.io/tls</code>
	// and allows specifying an optional client certificate and key
	// by constructing the <code>sslcert</code> and <code>sslkey</code> connection string
	// <a href="https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-PARAMKEYWORDS">
	// parameter values</a>.
	//
	// +kubebuilder:validation:Optional
	// +kubebuilder:validation:Type=string
	// +kubebuilder:validation:MinLength=1
	// +kubebuilder:validation:Format="namespace/name"
	TLSSecret *string `json:"tlsSecret"`

	// CASecret should refer to a k8s secret with key <code>ca.crt</code> containing a CA certificate
	// that, if specified, is used to populate the <code>sslrootcert</code> parameter of the connection string.
	//
	// +kubebuilder:validation:Optional
	// +kubebuilder:validation:Type=string
	// +kubebuilder:validation:MinLength=1
	// +kubebuilder:validation:Format="namespace/name"
	CASecret *string `json:"caSecret"`
}
PostgresStorage defines Postgres connection parameters.
func (*PostgresStorage) DeepCopy
func (in *PostgresStorage) DeepCopy() *PostgresStorage
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PostgresStorage.
func (*PostgresStorage) DeepCopyInto
func (in *PostgresStorage) DeepCopyInto(out *PostgresStorage)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type RefreshDirectorySettings
type RefreshDirectorySettings struct {
	// Interval is the period at which Pomerium syncs your IdP directory.
	// +kubebuilder:validation:Format=duration
	Interval metav1.Duration `json:"interval"`

	// Timeout is the maximum time allowed for each run.
	// +kubebuilder:validation:Format=duration
	Timeout metav1.Duration `json:"timeout"`
}
RefreshDirectorySettings defines how frequently the directory should update.
func (*RefreshDirectorySettings) DeepCopy
func (in *RefreshDirectorySettings) DeepCopy() *RefreshDirectorySettings
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RefreshDirectorySettings.
func (*RefreshDirectorySettings) DeepCopyInto
func (in *RefreshDirectorySettings) DeepCopyInto(out *RefreshDirectorySettings)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type ResourceStatus
type ResourceStatus struct {
	// ObservedGeneration represents the <code>.metadata.generation</code> that was last presented to Pomerium.
	ObservedGeneration int64 `json:"observedGeneration,omitempty"`

	// ObservedAt is when the last reconciliation attempt was made.
	ObservedAt metav1.Time `json:"observedAt,omitempty"`

	// Reconciled is whether this object generation was successfully synced with Pomerium.
	Reconciled bool `json:"reconciled"`

	// Error that prevented the latest observedGeneration from being synchronized with Pomerium.
	// +optional
	Error *string `json:"error"`

	// Warnings encountered while parsing the resource.
	// +optional
	Warnings []string `json:"warnings"`
}
ResourceStatus represents the outcome of the latest attempt to reconcile the relevant Kubernetes resource with Pomerium.
func (*ResourceStatus) DeepCopy
func (in *ResourceStatus) DeepCopy() *ResourceStatus
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResourceStatus.
func (*ResourceStatus) DeepCopyInto
func (in *ResourceStatus) DeepCopyInto(out *ResourceStatus)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type Storage
type Storage struct {
	// Postgres specifies PostgreSQL database connection parameters.
	// +kubebuilder:validation:Optional
	Postgres *PostgresStorage `json:"postgres"`
}
Storage defines the persistent storage option for the databroker. It is only applied for the all-in-one Pomerium bootstrap and has no effect for the split-mode deployment. If Storage is specified, the `postgres` parameter should be set. Omit storage to use the in-memory storage implementation.
func (*Storage) DeepCopy
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Storage.
func (*Storage) DeepCopyInto
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type Timeouts (added in v0.23.0)
type Timeouts struct {
	// Read specifies the amount of time for the entire request stream to be received from the client.
	// +kubebuilder:validation:Format=duration
	// +optional
	Read *metav1.Duration `json:"read,omitempty"`

	// Write specifies the maximum stream duration, that is, the maximum time that a stream's lifetime will span.
	// An HTTP request/response exchange fully consumes a single stream.
	// Therefore, this value must be greater than read_timeout as it covers both request and response time.
	// +kubebuilder:validation:Format=duration
	// +optional
	Write *metav1.Duration `json:"write,omitempty"`

	// Idle specifies the time after which a downstream or upstream connection will be terminated if there are no active streams.
	// +kubebuilder:validation:Format=duration
	// +optional
	Idle *metav1.Duration `json:"idle,omitempty"`
}
Timeouts allows configuring global timeouts for all routes.
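The following is an added example, not code from the ingress-controller project: a pre-apply lint that checks a Pomerium spec (given as JSON) against the constraints documented above for PomeriumSpec, Authenticate, IdentityProvider, Cookie and Timeouts, namely the required namespace/name references, the ^https:// pattern, the SameSite enum, the rule that the write timeout must exceed the read timeout, and the in-memory storage caveat when storage is omitted. It assumes a minimal local mirror of the relevant fields so that it runs without the real package, and the sample manifest is constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
	"time"
)

// Local mirror of the PomeriumSpec fields this lint reads. Assumption: redefined here so
// the example runs without the ingress-controller module; metav1.Duration is a JSON string.
type pomeriumSpec struct {
	Secrets          string                                         `json:"secrets"`
	Authenticate     *struct{ URL string }                          `json:"authenticate"`
	IdentityProvider *struct{ Provider, Secret string; URL *string } `json:"identityProvider"`
	Cookie           *struct{ HTTPOnly *bool; SameSite *string }    `json:"cookie"`
	Storage          json.RawMessage                                `json:"storage"`
	Timeouts         *struct{ Read, Write *string }                 `json:"timeouts"`
}

var (
	nsName    = regexp.MustCompile(`^[a-z0-9][-a-z0-9]*/[a-z0-9][-a-z0-9.]*$`)
	sameSites = map[string]bool{"strict": true, "lax": true, "none": true}
)

// LintSpec returns one finding per violated constraint from the type docs (required fields,
// ^https:// pattern, namespace/name references, enums) plus the caveats stated only in prose.
func LintSpec(raw []byte) ([]string, error) {
	var s pomeriumSpec
	if err := json.Unmarshal(raw, &s); err != nil {
		return nil, err
	}
	var f []string
	check := func(bad bool, msg string) {
		if bad {
			f = append(f, msg)
		}
	}
	check(!nsName.MatchString(s.Secrets), "secrets: required, must be namespace/name")
	check(s.Authenticate != nil && !strings.HasPrefix(s.Authenticate.URL, "https://"), "authenticate.url: must match ^https://")
	if idp := s.IdentityProvider; idp != nil {
		check(idp.Provider == "" || !nsName.MatchString(idp.Secret), "identityProvider: provider and secret (namespace/name) are required")
		check(idp.URL != nil && !strings.HasPrefix(*idp.URL, "https://"), "identityProvider.url: must match ^https://")
	}
	if c := s.Cookie; c != nil {
		check(c.HTTPOnly != nil && !*c.HTTPOnly, "cookie.httpOnly=false: session cookie readable from JavaScript")
		check(c.SameSite != nil && !sameSites[*c.SameSite], "cookie.sameSite: must be strict, lax or none")
	}
	if t := s.Timeouts; t != nil && t.Read != nil && t.Write != nil {
		r, errR := time.ParseDuration(*t.Read)
		w, errW := time.ParseDuration(*t.Write)
		check(errR != nil || errW != nil || w <= r, "timeouts.write: must be greater than timeouts.read")
	}
	check(len(s.Storage) == 0 || string(s.Storage) == "null", "storage: unset, transient in-memory storage (not for production)")
	return f, nil
}

// sampleSpec is a constructed manifest with deliberate violations, not taken from the project.
const sampleSpec = `{"secrets": "pomerium/bootstrap", "authenticate": {"url": "http://authenticate.example.com"},
 "identityProvider": {"provider": "oidc", "url": "https://idp.example.com", "secret": "pomerium/idp"},
 "cookie": {"httpOnly": false, "sameSite": "lax"}, "timeouts": {"read": "30s", "write": "15s"}}`
func main() {
	fmt.Println(LintSpec([]byte(sampleSpec))) // err is nil for the embedded sample
}
```

The CRD's own kubebuilder markers reject most of these at admission time; the timeout ordering and the storage default are prose-only caveats the API server does not enforce, which is why a lint like this is worth running before applying.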
func (*Timeouts) DeepCopy (added in v0.23.0)
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Timeouts.
func (*Timeouts) DeepCopyInto (added in v0.23.0)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.