Documentation ¶
Overview ¶
Package v1 contains API Schema definitions for the ingress v1 API group.
+kubebuilder:object:generate=true
+groupName=ingress.pomerium.io
Index ¶
- Variables
- func GetDeprecations(spec *PomeriumSpec) ([]pom_cfg.FieldMsg, error)
- type Authenticate
- type Cookie
- type IdentityProvider
- type Pomerium
- type PomeriumList
- type PomeriumSpec
- type PomeriumStatus
- type PostgresStorage
- type RedisStorage
- type RefreshDirectorySettings
- type ResourceStatus
- type Storage
Constants ¶
This section is empty.
Variables ¶
var (
	// GroupVersion is group version used to register these objects
	GroupVersion = schema.GroupVersion{Group: "ingress.pomerium.io", Version: "v1"}

	// SchemeBuilder is used to add go types to the GroupVersionKind scheme
	SchemeBuilder = &scheme.Builder{GroupVersion: GroupVersion}

	// AddToScheme adds the types in this group-version to the given scheme.
	AddToScheme = SchemeBuilder.AddToScheme
)
Functions ¶
func GetDeprecations ¶ added in v0.20.0
func GetDeprecations(spec *PomeriumSpec) ([]pom_cfg.FieldMsg, error)
GetDeprecations returns deprecation warnings for fields set in spec that are no longer supported (for example ServiceAccountFromSecret and RefreshDirectory on IdentityProvider, and Redis on Storage), or an error.
Types ¶
type Authenticate ¶
type Authenticate struct {
	// AuthenticateURL is a dedicated domain URL
	// the non-authenticated persons would be referred to.
	//
	// <p><ul>
	// <li>You do not need to create a dedicated <code>Ingress</code> for this
	// virtual route, as it is handled by Pomerium internally. </li>
	// <li>You do need to create a secret with corresponding TLS certificate for this route
	// and reference it via <a href="#prop-certificates"><code>certificates</code></a>.
	// If you use <code>cert-manager</code> with <code>HTTP01</code> challenge,
	// you may use <code>pomerium</code> <code>ingressClass</code> to solve it.</li>
	// </ul></p>
	//
	// +kubebuilder:validation:Required
	// +kubebuilder:validation:Type=string
	// +kubebuilder:validation:Format=uri
	// +kubebuilder:validation:Pattern=`^https://`
	URL string `json:"url"`

	// CallbackPath sets the path at which the authenticate service receives callback responses
	// from your identity provider. The value must exactly match one of the authorized redirect URIs for the OAuth 2.0 client.
	//
	// <p>This value is referred to as the redirect_url in the OpenIDConnect and OAuth2 specs.</p>
	// <p>Defaults to <code>/oauth2/callback</code></p>
	//
	// +optional
	CallbackPath *string `json:"callbackPath,omitempty"`
}
Authenticate holds the authenticate service configuration parameters. The CRD rejects a URL that does not start with https://.
func (*Authenticate) DeepCopy ¶
func (in *Authenticate) DeepCopy() *Authenticate
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Authenticate.
func (*Authenticate) DeepCopyInto ¶
func (in *Authenticate) DeepCopyInto(out *Authenticate)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type Cookie ¶ added in v0.20.0
type Cookie struct {
	// Name sets the Pomerium session cookie name.
	// Defaults to <code>_pomerium</code>
	// +optional
	Name *string `json:"name,omitempty"`

	// Domain defaults to the same host that set the cookie.
	// If you specify the domain explicitly, then subdomains would also be included.
	// +optional
	Domain *string `json:"domain,omitempty"`

	// Secure if set to false, would make a cookie accessible over insecure protocols (HTTP).
	// Defaults to <code>true</code>.
	// +optional
	Secure *bool `json:"secure,omitempty"`

	// HTTPOnly if set to <code>false</code>, the cookie would be accessible from within the JavaScript.
	// Defaults to <code>true</code>.
	// +optional
	HTTPOnly *bool `json:"httpOnly,omitempty"`

	// Expire sets cookie and Pomerium session expiration time.
	// Once session expires, users would have to re-login.
	// If you change this parameter, existing sessions are not affected.
	// <p>See <a href="https://www.pomerium.com/docs/enterprise/about#session-management">Session Management</a>
	// (Enterprise) for a more fine-grained session controls.</p>
	// <p>Defaults to 14 hours.</p>
	// +kubebuilder:validation:Format=duration
	// +optional
	Expire *metav1.Duration `json:"expire,omitempty"`
}
Cookie customizes the HTTP session cookie set by Pomerium. Note that cookie_secret, which encrypts the cookie, is not part of this struct: it lives in the main configuration Secret referenced by PomeriumSpec.Secrets. Secure and HTTPOnly both default to true; the CRD accepts false for either, so setting them is a deliberate weakening that should be reviewed.
func (*Cookie) DeepCopy ¶ added in v0.20.0
func (in *Cookie) DeepCopy() *Cookie
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Cookie.
func (*Cookie) DeepCopyInto ¶ added in v0.20.0
func (in *Cookie) DeepCopyInto(out *Cookie)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type IdentityProvider ¶
type IdentityProvider struct {
	// Provider is the short-hand name of a built-in OpenID Connect (oidc) identity provider to be used for authentication.
	// To use a generic provider, set to <code>oidc</code>.
	// +kubebuilder:validation:Required
	// +kubebuilder:validation:Enum=auth0;azure;github;gitlab;google;oidc;okta;onelogin;ping
	Provider string `json:"provider"`

	// URL is the base path to an identity provider's OpenID connect discovery document.
	// See <a href="https://pomerium.com/docs/identity-providers">Identity Providers</a> guides for details.
	// +kubebuilder:validation:Optional
	// +kubebuilder:validation:Type=string
	// +kubebuilder:validation:Format=uri
	// +kubebuilder:validation:Pattern=`^https://`
	URL *string `json:"url"`

	// Secret containing IdP provider specific parameters;
	// it must contain at least <code>client_id</code> and <code>client_secret</code> values.
	// +kubebuilder:validation:Required
	// +kubebuilder:validation:Type=string
	// +kubebuilder:validation:MinLength=1
	// +kubebuilder:validation:Format="namespace/name"
	Secret string `json:"secret"`

	// ServiceAccountFromSecret is no longer supported,
	// see <a href="https://docs.pomerium.com/docs/overview/upgrading#idp-directory-sync">Upgrade Guide</a>.
	// +optional
	ServiceAccountFromSecret *string `json:"serviceAccountFromSecret,omitempty" deprecated:"idp_directory_sync"`

	// RequestParams to be added as part of a sign-in request using OAuth2 code flow.
	//
	// +kubebuilder:validation:Format="namespace/name"
	// +optional
	RequestParams map[string]string `json:"requestParams,omitempty"`

	// RequestParamsSecret is a reference to a secret for additional parameters you'd prefer not to provide in plaintext.
	// +kubebuilder:validation:Format="namespace/name"
	// +optional
	RequestParamsSecret *string `json:"requestParamsSecret,omitempty"`

	// Scopes Identity provider scopes correspond to access privilege scopes
	// as defined in Section 3.3 of OAuth 2.0 RFC6749.
	// +optional
	Scopes []string `json:"scopes,omitempty"`

	// RefreshDirectory is no longer supported,
	// please see <a href="https://docs.pomerium.com/docs/overview/upgrading#idp-directory-sync">Upgrade Guide</a>.
	//
	// +optional
	RefreshDirectory *RefreshDirectorySettings `json:"refreshDirectory" deprecated:"idp_directory_sync"`
}
IdentityProvider configures single-sign-on authentication and user identity details by integrating with your downstream Identity Provider (IdP) of choice. That integration uses OAuth2 and OpenID Connect (OIDC). Where available, Pomerium also supports pulling additional data (like groups) using directory synchronization, which requires an additional API token. Note that the ServiceAccountFromSecret and RefreshDirectory fields that configured directory sync in this CRD are deprecated (tagged deprecated:"idp_directory_sync"); see the Upgrade Guide linked in their comments. https://www.pomerium.com/docs/identity-providers/
func (*IdentityProvider) DeepCopy ¶
func (in *IdentityProvider) DeepCopy() *IdentityProvider
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IdentityProvider.
func (*IdentityProvider) DeepCopyInto ¶
func (in *IdentityProvider) DeepCopyInto(out *IdentityProvider)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type Pomerium ¶
type Pomerium struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	Spec   PomeriumSpec   `json:"spec,omitempty"`
	Status PomeriumStatus `json:"status,omitempty"`
}
Pomerium defines runtime-configurable Pomerium settings that do not fall into the category of deployment parameters.
func (*Pomerium) DeepCopy ¶
func (in *Pomerium) DeepCopy() *Pomerium
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Pomerium.
func (*Pomerium) DeepCopyInto ¶
func (in *Pomerium) DeepCopyInto(out *Pomerium)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*Pomerium) DeepCopyObject ¶
func (in *Pomerium) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type PomeriumList ¶
type PomeriumList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`
	Items           []Pomerium `json:"items"`
}
PomeriumList contains a list of Pomerium objects.
func (*PomeriumList) DeepCopy ¶
func (in *PomeriumList) DeepCopy() *PomeriumList
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PomeriumList.
func (*PomeriumList) DeepCopyInto ¶
func (in *PomeriumList) DeepCopyInto(out *PomeriumList)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*PomeriumList) DeepCopyObject ¶
func (in *PomeriumList) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type PomeriumSpec ¶
type PomeriumSpec struct {
	// Authenticate sets authenticate service parameters.
	// If not specified, a Pomerium-hosted authenticate service would be used.
	// +kubebuilder:validation:Optional
	Authenticate *Authenticate `json:"authenticate"`

	// IdentityProvider configures single-sign-on authentication and user identity details
	// by integrating with your <a href="https://www.pomerium.com/docs/identity-providers/">Identity Provider</a>
	//
	// +kubebuilder:validation:Optional
	IdentityProvider *IdentityProvider `json:"identityProvider"`

	// Certificates is a list of secrets of type TLS to use
	// +kubebuilder:validation:Format="namespace/name"
	// +optional
	Certificates []string `json:"certificates"`

	// CASecrets should refer to k8s secrets with key <code>ca.crt</code> containing a CA certificate.
	// +optional
	CASecrets []string `json:"caSecrets"`

	// Secrets references a Secret with Pomerium bootstrap parameters.
	//
	// <p>
	// <ul>
	// <li><a href="https://pomerium.com/docs/reference/shared-secret"><code>shared_secret</code></a>
	// - secures inter-Pomerium service communications.
	// </li>
	// <li><a href="https://pomerium.com/docs/reference/cookie-secret"><code>cookie_secret</code></a>
	// - encrypts Pomerium session browser cookie.
	// See also other <a href="#cookie">Cookie</a> parameters.
	// </li>
	// <li><a href="https://pomerium.com/docs/reference/signing-key"><code>signing_key</code></a>
	// signs Pomerium JWT assertion header. See
	// <a href="https://www.pomerium.com/docs/topics/getting-users-identity">Getting the user's identity</a>
	// guide.
	// </li>
	// </ul>
	// </p>
	// <p>
	// In a default Pomerium installation manifest, they would be generated via a
	// <a href="https://github.com/pomerium/ingress-controller/blob/main/config/gen_secrets/job.yaml">one-time job</a>
	// and stored in a <code>pomerium/bootstrap</code> Secret.
	// You may re-run the job to rotate the secrets, or update the Secret values manually.
	// </p>
	//
	// +kubebuilder:validation:Required
	// +kubebuilder:validation:Type=string
	// +kubebuilder:validation:MinLength=1
	// +kubebuilder:validation:Format="namespace/name"
	Secrets string `json:"secrets"`

	// Storage defines persistent storage for sessions and other data.
	// See <a href="https://www.pomerium.com/docs/topics/data-storage">Storage</a> for details.
	// If no storage is specified, Pomerium would use a transient in-memory storage (not recommended for production).
	//
	// +kubebuilder:validation:Optional
	Storage *Storage `json:"storage,omitempty"`

	// Cookie defines Pomerium session cookie options.
	// +optional
	Cookie *Cookie `json:"cookie,omitempty"`

	// JWTClaimHeaders converts claims from the assertion token
	// into HTTP headers and adds them into the JWT assertion header.
	// Please make sure to read the
	// <a href="https://www.pomerium.com/docs/topics/getting-users-identity">
	// Getting User Identity</a> guide.
	//
	// +optional
	JWTClaimHeaders map[string]string `json:"jwtClaimHeaders,omitempty"`

	// SetResponseHeaders specifies a mapping of HTTP Header to be added globally to all managed routes and pomerium's authenticate service.
	// +optional
	// See <a href="https://www.pomerium.com/docs/reference/set-response-headers">Set Response Headers</a>
	SetResponseHeaders map[string]string `json:"setResponseHeaders,omitempty"`

	// ProgrammaticRedirectDomains specifies a list of domains that can be used for
	// <a href="https://www.pomerium.com/docs/capabilities/programmatic-access">programmatic redirects</a>.
	ProgrammaticRedirectDomains []string `json:"programmaticRedirectDomains,omitempty"`
}
PomeriumSpec defines Pomerium-specific configuration parameters.
func (*PomeriumSpec) DeepCopy ¶
func (in *PomeriumSpec) DeepCopy() *PomeriumSpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PomeriumSpec.
func (*PomeriumSpec) DeepCopyInto ¶
func (in *PomeriumSpec) DeepCopyInto(out *PomeriumSpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type PomeriumStatus ¶
type PomeriumStatus struct {
	// Routes provide per-Ingress status.
	Routes map[string]ResourceStatus `json:"ingress,omitempty"`

	// SettingsStatus represent most recent main configuration reconciliation status.
	SettingsStatus *ResourceStatus `json:"settingsStatus,omitempty"`
}
PomeriumStatus represents configuration and Ingress status.
func (*PomeriumStatus) DeepCopy ¶
func (in *PomeriumStatus) DeepCopy() *PomeriumStatus
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PomeriumStatus.
func (*PomeriumStatus) DeepCopyInto ¶
func (in *PomeriumStatus) DeepCopyInto(out *PomeriumStatus)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type PostgresStorage ¶
type PostgresStorage struct {
	// Secret specifies a name of a Secret that must contain
	// <code>connection</code> key. See
	// <a href="https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-CONNSTRING">DSN Format and Parameters</a>.
	// Do not set <code>sslrootcert</code>, <code>sslcert</code> and <code>sslkey</code> via connection string,
	// use <code>tlsSecret</code> and <code>caSecret</code> CRD options instead.
	// +kubebuilder:validation:Required
	// +kubebuilder:validation:Type=string
	// +kubebuilder:validation:MinLength=1
	// +kubebuilder:validation:Format="namespace/name"
	Secret string `json:"secret"`

	// TLSSecret should refer to a k8s secret of type <code>kubernetes.io/tls</code>
	// and allows to specify an optional client certificate and key,
	// by constructing <code>sslcert</code> and <code>sslkey</code> connection string
	// <a href="https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-PARAMKEYWORDS">
	// parameter values</a>.
	//
	// +kubebuilder:validation:Optional
	// +kubebuilder:validation:Type=string
	// +kubebuilder:validation:MinLength=1
	// +kubebuilder:validation:Format="namespace/name"
	TLSSecret *string `json:"tlsSecret"`

	// CASecret should refer to a k8s secret with key <code>ca.crt</code> containing CA certificate
	// that, if specified, would be used to populate <code>sslrootcert</code> parameter of the connection string.
	//
	// +kubebuilder:validation:Optional
	// +kubebuilder:validation:Type=string
	// +kubebuilder:validation:MinLength=1
	// +kubebuilder:validation:Format="namespace/name"
	CASecret *string `json:"caSecret"`
}
PostgresStorage defines Postgres connection parameters.
func (*PostgresStorage) DeepCopy ¶
func (in *PostgresStorage) DeepCopy() *PostgresStorage
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PostgresStorage.
func (*PostgresStorage) DeepCopyInto ¶
func (in *PostgresStorage) DeepCopyInto(out *PostgresStorage)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type RedisStorage ¶
type RedisStorage struct {
	// Secret specifies a name of a Secret that must contain
	// <code>connection</code> key.
	// +kubebuilder:validation:Required
	// +kubebuilder:validation:Type=string
	// +kubebuilder:validation:MinLength=1
	// +kubebuilder:validation:Format="namespace/name"
	Secret string `json:"secret"`

	// TLSSecret should refer to a k8s secret of type <code>kubernetes.io/tls</code>
	// that would be used to perform TLS connection to REDIS.
	// +kubebuilder:validation:Optional
	// +kubebuilder:validation:Type=string
	// +kubebuilder:validation:MinLength=1
	// +kubebuilder:validation:Format="namespace/name"
	TLSSecret *string `json:"tlsSecret"`

	// CASecret should refer to a k8s secret with key <code>ca.crt</code> that must be a PEM-encoded
	// certificate authority to use when connecting to the databroker storage engine.
	// +kubebuilder:validation:Optional
	// +kubebuilder:validation:Type=string
	// +kubebuilder:validation:Format="namespace/name"
	CASecret *string `json:"caSecret"`

	// TLSSkipVerify disables TLS certificate chain validation.
	// +kubebuilder:validation:Optional
	// +kubebuilder:validation:Type=boolean
	TLSSkipVerify bool `json:"tlsSkipVerify"`
}
RedisStorage defines Redis databroker storage backend bootstrap parameters. Redis is supported for legacy deployments only; new deployments should use PostgreSQL. Note that TLSSkipVerify disables certificate chain validation for the databroker connection, which carries session data, so it should not be set in production; prefer CASecret for a private CA.
func (*RedisStorage) DeepCopy ¶
func (in *RedisStorage) DeepCopy() *RedisStorage
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RedisStorage.
func (*RedisStorage) DeepCopyInto ¶
func (in *RedisStorage) DeepCopyInto(out *RedisStorage)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type RefreshDirectorySettings ¶
type RefreshDirectorySettings struct {
	// interval is the time that pomerium will sync your IDP directory.
	// +kubebuilder:validation:Format=duration
	Interval metav1.Duration `json:"interval"`

	// timeout is the maximum time allowed each run.
	// +kubebuilder:validation:Format=duration
	Timeout metav1.Duration `json:"timeout"`
}
RefreshDirectorySettings defines how frequently the directory should be updated. It is referenced only by the deprecated IdentityProvider.RefreshDirectory field, which is no longer supported.
func (*RefreshDirectorySettings) DeepCopy ¶
func (in *RefreshDirectorySettings) DeepCopy() *RefreshDirectorySettings
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RefreshDirectorySettings.
func (*RefreshDirectorySettings) DeepCopyInto ¶
func (in *RefreshDirectorySettings) DeepCopyInto(out *RefreshDirectorySettings)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type ResourceStatus ¶
type ResourceStatus struct {
	// ObservedGeneration represents the <code>.metadata.generation</code> that was last presented to Pomerium.
	ObservedGeneration int64 `json:"observedGeneration,omitempty"`

	// ObservedAt is when last reconciliation attempt was made.
	ObservedAt metav1.Time `json:"observedAt,omitempty"`

	// Reconciled is whether this object generation was successfully synced with pomerium.
	Reconciled bool `json:"reconciled"`

	// Error that prevented latest observedGeneration to be synchronized with Pomerium.
	// +optional
	Error *string `json:"error"`

	// Warnings while parsing the resource.
	// +optional
	Warnings []string `json:"warnings"`
}
ResourceStatus represents the outcome of the latest attempt to reconcile relevant Kubernetes resource with Pomerium.
func (*ResourceStatus) DeepCopy ¶
func (in *ResourceStatus) DeepCopy() *ResourceStatus
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResourceStatus.
func (*ResourceStatus) DeepCopyInto ¶
func (in *ResourceStatus) DeepCopyInto(out *ResourceStatus)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type Storage ¶
type Storage struct {
	// Redis defines REDIS connection parameters
	// +kubebuilder:validation:Optional
	Redis *RedisStorage `json:"redis" deprecated:"redis"`

	// Postgres specifies PostgreSQL database connection parameters
	// +kubebuilder:validation:Optional
	Postgres *PostgresStorage `json:"postgres"`
}
Storage defines the persistent storage option for the databroker. It is applied only for the all-in-one Pomerium bootstrap and has no effect for a split-mode deployment. If Storage is specified, either the `redis` or the `postgres` parameter should be set; `redis` is deprecated. Omit storage entirely to use the in-memory storage implementation.
func (*Storage) DeepCopy ¶
func (in *Storage) DeepCopy() *Storage
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Storage.
func (*Storage) DeepCopyInto ¶
func (in *Storage) DeepCopyInto(out *Storage)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
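The kubebuilder markers above only enforce what the API server can check: the `^https://` pattern on URLs, the `namespace/name` format on Secret references, and field types. Settings that are valid to the CRD but weaken the deployment (Cookie.Secure=false, Cookie.HTTPOnly=false, RedisStorage.TLSSkipVerify=true) are accepted silently. The following is an added example, not code from the ingress-controller project, of a pre-admission lint over a PomeriumSpec that covers the Authenticate, Cookie, PomeriumSpec.Secrets and RedisStorage passages above. It assumes cut-down mirrors of the CRD types (declared inline so it compiles offline; the real types live in the ingress.pomerium.io/v1 package) and a constructed sample spec; ParseNamespacedName and LintSpec are this example's own helpers.

```go
package main

import (
	"fmt"
	"strings"
)

// Assumption: cut-down mirrors of the CRD types, declaring only the fields
// the lint inspects, so this example builds without the real module.
type Authenticate struct{ URL string }
type IdentityProvider struct{ Secret string }
type Cookie struct{ Secure, HTTPOnly *bool }
type RedisStorage struct {
	Secret        string
	TLSSkipVerify bool
}
type Storage struct{ Redis *RedisStorage }
type PomeriumSpec struct {
	Authenticate     *Authenticate
	IdentityProvider *IdentityProvider
	Secrets          string
	Storage          *Storage
	Cookie           *Cookie
}

// ParseNamespacedName splits a "namespace/name" Secret reference, the form
// the +kubebuilder:validation:Format="namespace/name" fields require.
func ParseNamespacedName(ref string) (namespace, name string, err error) {
	parts := strings.Split(ref, "/")
	if len(parts) != 2 || parts[0] == "" || parts[1] == "" {
		return "", "", fmt.Errorf("reference %q is not of the form namespace/name", ref)
	}
	return parts[0], parts[1], nil
}

type secretRef struct{ field, ref string }

// LintSpec returns one finding per setting that the CRD would reject or that
// weakens the deployment; an empty result means the spec passed.
func LintSpec(spec *PomeriumSpec) []string {
	var findings []string

	// The CRD pattern ^https:// rejects this; surface it before kubectl apply.
	if spec.Authenticate != nil && !strings.HasPrefix(spec.Authenticate.URL, "https://") {
		findings = append(findings, "authenticate.url: must start with https://")
	}

	// Every Secret reference must be namespace/name; collect them in field order.
	refs := []secretRef{{"secrets", spec.Secrets}}
	if spec.IdentityProvider != nil {
		refs = append(refs, secretRef{"identityProvider.secret", spec.IdentityProvider.Secret})
	}
	if spec.Storage != nil && spec.Storage.Redis != nil {
		refs = append(refs, secretRef{"storage.redis.secret", spec.Storage.Redis.Secret})
		// Accepted by the API server, but turns off chain validation on the
		// databroker connection that carries session data.
		if spec.Storage.Redis.TLSSkipVerify {
			findings = append(findings, "storage.redis.tlsSkipVerify: certificate chain validation is disabled")
		}
	}
	for _, r := range refs {
		if _, _, err := ParseNamespacedName(r.ref); err != nil {
			findings = append(findings, r.field+": "+err.Error())
		}
	}

	// Both flags default to true; an explicit false is the only way to weaken them.
	if spec.Cookie != nil {
		if spec.Cookie.Secure != nil && !*spec.Cookie.Secure {
			findings = append(findings, "cookie.secure=false: session cookie would be sent over plaintext HTTP")
		}
		if spec.Cookie.HTTPOnly != nil && !*spec.Cookie.HTTPOnly {
			findings = append(findings, "cookie.httpOnly=false: session cookie readable from JavaScript")
		}
	}
	return findings
}

func main() {
	// Constructed sample spec with several weak settings.
	insecure := false
	spec := &PomeriumSpec{
		Authenticate:     &Authenticate{URL: "http://authenticate.example.test"},
		IdentityProvider: &IdentityProvider{Secret: "idp"}, // missing namespace
		Secrets:          "pomerium/bootstrap",
		Storage:          &Storage{Redis: &RedisStorage{Secret: "pomerium/redis", TLSSkipVerify: true}},
		Cookie:           &Cookie{Secure: &insecure},
	}
	for _, f := range LintSpec(spec) {
		fmt.Println(f)
	}
}
```

The findings come back in field order, so a CI gate can print them as-is or fail on any non-empty result; extending the lint to PostgresStorage (for example flagging sslrootcert passed inside the connection string instead of via caSecret) follows the same pattern but would need the Secret contents, not just the spec.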