package v1 (v0.28.0)
Published: Nov 11, 2024 License: Apache-2.0 Imports: 9 Imported by: 0

Documentation

Overview

Package v1 contains API Schema definitions for the ingress v1 API group.
+kubebuilder:object:generate=true
+groupName=ingress.pomerium.io

Index

Constants

This section is empty.

Variables

var (
	// GroupVersion is group version used to register these objects
	GroupVersion = schema.GroupVersion{Group: "ingress.pomerium.io", Version: "v1"}

	// SchemeBuilder is used to add go types to the GroupVersionKind scheme
	SchemeBuilder = &scheme.Builder{GroupVersion: GroupVersion}

	// AddToScheme adds the types in this group-version to the given scheme.
	AddToScheme = SchemeBuilder.AddToScheme
)

Functions

func GetDeprecations added in v0.20.0

func GetDeprecations(spec *PomeriumSpec) ([]pom_cfg.FieldMsg, error)

GetDeprecations returns deprecation warnings for fields of spec that are no longer supported (the fields tagged `deprecated` below, such as identityProvider.serviceAccountFromSecret and identityProvider.refreshDirectory).

Types

type Authenticate

type Authenticate struct {
	// URL is the dedicated domain URL of the authenticate service,
	// to which unauthenticated users are redirected.
	//
	// <p><ul>
	//  <li>You do not need to create a dedicated <code>Ingress</code> for this
	// 		virtual route, as it is handled by Pomerium internally. </li>
	//	<li>You do need to create a Secret with the corresponding TLS certificate for this route
	//		and reference it via <a href="#prop-certificates"><code>certificates</code></a>.
	//		If you use <code>cert-manager</code> with the <code>HTTP01</code> challenge,
	//		you may use the <code>pomerium</code> <code>ingressClass</code> to solve it.</li>
	// </ul></p>
	//
	// +kubebuilder:validation:Required
	// +kubebuilder:validation:Type=string
	// +kubebuilder:validation:Format=uri
	// +kubebuilder:validation:Pattern=`^https://`
	URL string `json:"url"`
	// CallbackPath sets the path at which the authenticate service receives callback responses
	// from your identity provider. The value must exactly match one of the authorized redirect URIs for the OAuth 2.0 client.
	//
	// <p>This value is referred to as the redirect_uri in the OpenID Connect and OAuth 2.0 specs.</p>
	// <p>Defaults to <code>/oauth2/callback</code></p>
	//
	// +optional
	CallbackPath *string `json:"callbackPath,omitempty"`
}

Authenticate holds the authenticate service configuration parameters.

func (*Authenticate) DeepCopy

func (in *Authenticate) DeepCopy() *Authenticate

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Authenticate.

func (*Authenticate) DeepCopyInto

func (in *Authenticate) DeepCopyInto(out *Authenticate)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type Cookie

type Cookie struct {
	// Name sets the Pomerium session cookie name.
	// Defaults to <code>_pomerium</code>
	// +optional
	Name *string `json:"name,omitempty"`
	// Domain defaults to the same host that set the cookie.
	// If you specify the domain explicitly, the cookie is also sent to all of its subdomains,
	// so set it only when every subdomain is trusted.
	// +optional
	Domain *string `json:"domain,omitempty"`
	// HTTPOnly, if set to <code>false</code>, makes the cookie accessible to JavaScript.
	// Defaults to <code>true</code>.
	// +optional
	HTTPOnly *bool `json:"httpOnly,omitempty"`
	// Expire sets the cookie and Pomerium session expiration time.
	// Once the session expires, users have to log in again.
	// If you change this parameter, existing sessions are not affected.
	// <p>See <a href="https://www.pomerium.com/docs/enterprise/about#session-management">Session Management</a>
	// (Enterprise) for a more fine-grained session controls.</p>
	// <p>Defaults to 14 hours.</p>
	// +kubebuilder:validation:Format=duration
	// +optional
	Expire *metav1.Duration `json:"expire,omitempty"`
	// SameSite sets the SameSite option for cookies.
	// Defaults to <code></code>.
	// +kubebuilder:validation:Optional
	// +kubebuilder:validation:Type=string
	// +kubebuilder:validation:Enum=strict;lax;none
	SameSite *string `json:"sameSite,omitempty"`
}

Cookie customizes the HTTP session cookie set by Pomerium. Note that cookie_secret, which encrypts the cookie, is part of the main configuration Secret referenced by PomeriumSpec.Secrets.

func (*Cookie) DeepCopy added in v0.20.0

func (in *Cookie) DeepCopy() *Cookie

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Cookie.

func (*Cookie) DeepCopyInto added in v0.20.0

func (in *Cookie) DeepCopyInto(out *Cookie)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type IdentityProvider

type IdentityProvider struct {
	// Provider is the short-hand name of a built-in OpenID Connect (oidc) identity provider to be used for authentication.
	// To use a generic provider, set to <code>oidc</code>.
	// +kubebuilder:validation:Required
	// +kubebuilder:validation:Enum=auth0;azure;github;gitlab;google;oidc;okta;onelogin;ping
	Provider string `json:"provider"`
	// URL is the base path to an identity provider's OpenID connect discovery document.
	// See <a href="https://pomerium.com/docs/identity-providers">Identity Providers</a> guides for details.
	// +kubebuilder:validation:Optional
	// +kubebuilder:validation:Type=string
	// +kubebuilder:validation:Format=uri
	// +kubebuilder:validation:Pattern=`^https://`
	URL *string `json:"url"`
	// Secret references a Secret containing IdP-specific parameters;
	// it must contain at least <code>client_id</code> and <code>client_secret</code> values.
	// +kubebuilder:validation:Required
	// +kubebuilder:validation:Type=string
	// +kubebuilder:validation:MinLength=1
	// +kubebuilder:validation:Format="namespace/name"
	Secret string `json:"secret"`
	// ServiceAccountFromSecret is no longer supported,
	// see <a href="https://docs.pomerium.com/docs/overview/upgrading#idp-directory-sync">Upgrade Guide</a>.
	// +optional
	ServiceAccountFromSecret *string `json:"serviceAccountFromSecret,omitempty" deprecated:"idp_directory_sync"`
	// RequestParams to be added as part of a sign-in request using OAuth2 code flow.
	//
	// +kubebuilder:validation:Format="namespace/name"
	// +optional
	RequestParams map[string]string `json:"requestParams,omitempty"`
	// RequestParamsSecret is a reference to a secret for additional parameters you'd prefer not to provide in plaintext.
	// +kubebuilder:validation:Format="namespace/name"
	// +optional
	RequestParamsSecret *string `json:"requestParamsSecret,omitempty"`
	// Scopes are the identity provider scopes requested at sign-in. They correspond to access privilege scopes
	// as defined in Section 3.3 of OAuth 2.0 (RFC 6749).
	// +optional
	Scopes []string `json:"scopes,omitempty"`

	// RefreshDirectory is no longer supported,
	// please see <a href="https://docs.pomerium.com/docs/overview/upgrading#idp-directory-sync">Upgrade Guide</a>.
	//
	// +optional
	RefreshDirectory *RefreshDirectorySettings `json:"refreshDirectory" deprecated:"idp_directory_sync"`
}

IdentityProvider configures single-sign-on authentication and user identity details by integrating with your downstream Identity Provider (IdP) of choice. That authentication integration is achieved using OAuth 2.0 and OpenID Connect (OIDC). Directory synchronization (pulling additional data such as groups with an API token) is no longer configured through this type: ServiceAccountFromSecret and RefreshDirectory are deprecated, see the Upgrade Guide linked on those fields. https://www.pomerium.com/docs/identity-providers/

func (*IdentityProvider) DeepCopy

func (in *IdentityProvider) DeepCopy() *IdentityProvider

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IdentityProvider.

func (*IdentityProvider) DeepCopyInto

func (in *IdentityProvider) DeepCopyInto(out *IdentityProvider)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type Pomerium

type Pomerium struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	Spec   PomeriumSpec   `json:"spec,omitempty"`
	Status PomeriumStatus `json:"status,omitempty"`
}

Pomerium defines runtime-configurable Pomerium settings that do not fall into the category of deployment parameters.

func (*Pomerium) DeepCopy

func (in *Pomerium) DeepCopy() *Pomerium

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Pomerium.

func (*Pomerium) DeepCopyInto

func (in *Pomerium) DeepCopyInto(out *Pomerium)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*Pomerium) DeepCopyObject

func (in *Pomerium) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

type PomeriumList

type PomeriumList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`
	Items           []Pomerium `json:"items"`
}

PomeriumList contains a list of Pomerium objects.

func (*PomeriumList) DeepCopy

func (in *PomeriumList) DeepCopy() *PomeriumList

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PomeriumList.

func (*PomeriumList) DeepCopyInto

func (in *PomeriumList) DeepCopyInto(out *PomeriumList)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*PomeriumList) DeepCopyObject

func (in *PomeriumList) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

type PomeriumSpec

type PomeriumSpec struct {
	// AccessLogFields sets the <a href="https://www.pomerium.com/docs/reference/access-log-fields">access fields</a> to log.
	AccessLogFields *[]string `json:"accessLogFields,omitempty"`

	// Authenticate sets authenticate service parameters.
	// If not specified, a Pomerium-hosted authenticate service is used.
	// +kubebuilder:validation:Optional
	Authenticate *Authenticate `json:"authenticate"`

	// AuthorizeLogFields sets the <a href="https://www.pomerium.com/docs/reference/authorize-log-fields">authorize fields</a> to log.
	AuthorizeLogFields *[]string `json:"authorizeLogFields,omitempty"`

	// Certificates is a list of Secrets of type <code>kubernetes.io/tls</code> to use
	// +kubebuilder:validation:Format="namespace/name"
	// +optional
	Certificates []string `json:"certificates"`

	// CASecrets should refer to k8s Secrets, each with key <code>ca.crt</code> containing a CA certificate.
	// +optional
	CASecrets []string `json:"caSecrets"`

	// Cookie defines Pomerium session cookie options.
	// +optional
	Cookie *Cookie `json:"cookie,omitempty"`

	// IdentityProvider configures single-sign-on authentication and user identity details
	// by integrating with your <a href="https://www.pomerium.com/docs/identity-providers/">Identity Provider</a>
	//
	// +kubebuilder:validation:Optional
	IdentityProvider *IdentityProvider `json:"identityProvider"`

	// JWTClaimHeaders converts claims from the assertion token
	// into HTTP headers and also adds them to the JWT assertion header.
	// Please make sure to read
	// <a href="https://www.pomerium.com/docs/topics/getting-users-identity">
	// Getting User Identity</a> guide.
	//
	// +optional
	JWTClaimHeaders map[string]string `json:"jwtClaimHeaders,omitempty"`

	// PassIdentityHeaders sets the <a href="https://www.pomerium.com/docs/reference/pass-identity-headers">pass identity headers</a> option.
	PassIdentityHeaders *bool `json:"passIdentityHeaders,omitempty"`

	// ProgrammaticRedirectDomains specifies a list of domains that can be used for
	// <a href="https://www.pomerium.com/docs/capabilities/programmatic-access">programmatic redirects</a>.
	ProgrammaticRedirectDomains []string `json:"programmaticRedirectDomains,omitempty"`

	// RuntimeFlags sets the <a href="https://www.pomerium.com/docs/reference/runtime-flags">runtime flags</a> to enable/disable certain features.
	RuntimeFlags map[string]bool `json:"runtimeFlags,omitempty"`

	// Secrets references a Secret with Pomerium bootstrap parameters.
	//
	// <p>
	// <ul>
	// 	<li><a href="https://pomerium.com/docs/reference/shared-secret"><code>shared_secret</code></a>
	//		- secures inter-Pomerium service communications.
	//	</li>
	// 	<li><a href="https://pomerium.com/docs/reference/cookie-secret"><code>cookie_secret</code></a>
	//		- encrypts Pomerium session browser cookie.
	//		See also other <a href="#cookie">Cookie</a> parameters.
	//	</li>
	// 	<li><a href="https://pomerium.com/docs/reference/signing-key"><code>signing_key</code></a>
	//		signs Pomerium JWT assertion header. See
	//		<a href="https://www.pomerium.com/docs/topics/getting-users-identity">Getting the user's identity</a>
	//		guide.
	//	</li>
	// </ul>
	// </p>
	// <p>
	// In a default Pomerium installation manifest, they are generated via a
	// <a href="https://github.com/pomerium/ingress-controller/blob/main/config/gen_secrets/job.yaml">one-time job</a>
	// and stored in a <code>pomerium/bootstrap</code> Secret.
	// You may re-run the job to rotate the secrets, or update the Secret values manually.
	// Note that rotating <code>cookie_secret</code> invalidates all existing sessions, and upstream
	// applications that pinned the old <code>signing_key</code> public key will reject JWT assertions until they fetch the new one.
	// </p>
	//
	// +kubebuilder:validation:Required
	// +kubebuilder:validation:Type=string
	// +kubebuilder:validation:MinLength=1
	// +kubebuilder:validation:Format="namespace/name"
	Secrets string `json:"secrets"`

	// SetResponseHeaders specifies a mapping of HTTP headers to be added globally to all managed routes and Pomerium's authenticate service.
	// See <a href="https://www.pomerium.com/docs/reference/set-response-headers">Set Response Headers</a>
	// +optional
	SetResponseHeaders map[string]string `json:"setResponseHeaders,omitempty"`

	// Storage defines persistent storage for sessions and other data.
	// See <a href="https://www.pomerium.com/docs/topics/data-storage">Storage</a> for details.
	// If no storage is specified, Pomerium uses transient in-memory storage (not recommended for production:
	// sessions are lost on restart and are not shared between replicas).
	//
	// +kubebuilder:validation:Optional
	Storage *Storage `json:"storage,omitempty"`

	// Timeouts specifies the <a href="https://www.pomerium.com/docs/reference/global-timeouts">global timeouts</a> for all routes.
	Timeouts *Timeouts `json:"timeouts,omitempty"`

	// UseProxyProtocol enables <a href="https://www.pomerium.com/docs/reference/use-proxy-protocol">Proxy Protocol</a> support.
	UseProxyProtocol *bool `json:"useProxyProtocol,omitempty"`
}

PomeriumSpec defines Pomerium-specific configuration parameters.
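The manifest below is an added example (not code from this package or the Pomerium project) that wires the PomeriumSpec fields above together, including the Cookie and Timeouts settings documented on this page. Every name, namespace, hostname, the Okta URL and the access-log field list are placeholders or assumptions; the referenced Secrets must exist with the keys described under Secrets, IdentityProvider.Secret and PostgresStorage.

```yaml
apiVersion: ingress.pomerium.io/v1
kind: Pomerium
metadata:
  name: global                                   # placeholder name
spec:
  # Bootstrap Secret with shared_secret, cookie_secret and signing_key (namespace/name).
  secrets: pomerium/bootstrap

  authenticate:
    url: https://authenticate.example.com        # must be https://; the route is served by Pomerium itself
    callbackPath: /oauth2/callback               # must match the redirect URI registered at the IdP

  # TLS Secrets (type kubernetes.io/tls) covering the authenticate host and managed routes.
  certificates:
    - pomerium/authenticate-tls
    - pomerium/wildcard-tls
  # Secrets with a ca.crt key holding a CA certificate.
  caSecrets:
    - pomerium/internal-ca

  cookie:
    name: _pomerium
    # domain omitted on purpose: an explicit domain sends the session cookie to every subdomain
    httpOnly: true                               # the default; keep the cookie out of reach of JavaScript
    sameSite: lax
    expire: 8h                                   # shorter than the 14h default; existing sessions are unaffected

  identityProvider:
    provider: okta
    url: https://example.okta.com                # base of the discovery document, https:// only
    secret: pomerium/idp                         # Secret with client_id and client_secret keys
    scopes: [openid, email, profile, offline_access]

  # Claims exposed to upstreams as headers and inside the JWT assertion header,
  # which upstreams must verify against the signing_key public key.
  jwtClaimHeaders:
    email: email
    groups: groups
  # Identity headers are only trustworthy on upstreams that cannot be reached except through Pomerium.
  passIdentityHeaders: false

  # Allowlist of domains that programmatic-access redirects may target.
  programmaticRedirectDomains:
    - localhost

  setResponseHeaders:
    Strict-Transport-Security: max-age=31536000; includeSubDomains
    X-Frame-Options: SAMEORIGIN
    X-Content-Type-Options: nosniff

  storage:
    postgres:
      secret: pomerium/postgres                  # connection key holds the DSN
      tlsSecret: pomerium/postgres-client-tls    # becomes sslcert / sslkey
      caSecret: pomerium/postgres-ca             # becomes sslrootcert

  timeouts:
    read: 30s
    write: 60s                                   # must exceed read: it spans request and response
    idle: 5m

  accessLogFields: [method, path, authority, response-code, user-agent]
  useProxyProtocol: false                        # enable only behind a load balancer that actually sends PROXY headers
```

Apply it with kubectl and then watch `.status.settingsStatus`: `reconciled: true` with no `error` means the controller accepted the configuration, while `warnings` is where GetDeprecations output for deprecated fields shows up.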

func (*PomeriumSpec) DeepCopy

func (in *PomeriumSpec) DeepCopy() *PomeriumSpec

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PomeriumSpec.

func (*PomeriumSpec) DeepCopyInto

func (in *PomeriumSpec) DeepCopyInto(out *PomeriumSpec)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type PomeriumStatus

type PomeriumStatus struct {
	// Routes provide per-Ingress status.
	Routes map[string]ResourceStatus `json:"ingress,omitempty"`
	// SettingsStatus represents the most recent main configuration reconciliation status.
	SettingsStatus *ResourceStatus `json:"settingsStatus,omitempty"`
}

PomeriumStatus represents configuration and Ingress status.

func (*PomeriumStatus) DeepCopy

func (in *PomeriumStatus) DeepCopy() *PomeriumStatus

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PomeriumStatus.

func (*PomeriumStatus) DeepCopyInto

func (in *PomeriumStatus) DeepCopyInto(out *PomeriumStatus)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type PostgresStorage

type PostgresStorage struct {
	// Secret specifies the name of a Secret that must contain a
	// <code>connection</code> key holding the DSN. See
	// <a href="https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-CONNSTRING">DSN Format and Parameters</a>.
	// Do not set <code>sslrootcert</code>, <code>sslcert</code> and <code>sslkey</code> via the connection string;
	// use the <code>tlsSecret</code> and <code>caSecret</code> CRD options instead.
	// +kubebuilder:validation:Required
	// +kubebuilder:validation:Type=string
	// +kubebuilder:validation:MinLength=1
	// +kubebuilder:validation:Format="namespace/name"
	Secret string `json:"secret"`
	// TLSSecret should refer to a k8s Secret of type <code>kubernetes.io/tls</code>
	// and allows an optional client certificate and key to be specified;
	// they are used to construct the <code>sslcert</code> and <code>sslkey</code> connection string
	// <a href="https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-PARAMKEYWORDS">
	// parameter values</a>.
	//
	// +kubebuilder:validation:Optional
	// +kubebuilder:validation:Type=string
	// +kubebuilder:validation:MinLength=1
	// +kubebuilder:validation:Format="namespace/name"
	TLSSecret *string `json:"tlsSecret"`
	// CASecret should refer to a k8s Secret with key <code>ca.crt</code> containing the CA certificate
	// that, if specified, is used to populate the <code>sslrootcert</code> parameter of the connection string.
	//
	// +kubebuilder:validation:Optional
	// +kubebuilder:validation:Type=string
	// +kubebuilder:validation:MinLength=1
	// +kubebuilder:validation:Format="namespace/name"
	CASecret *string `json:"caSecret"`
}

PostgresStorage defines Postgres connection parameters.
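The Secrets that a Pomerium resource points at through PomeriumSpec.Secrets, IdentityProvider.Secret and PostgresStorage, as an added example (not from this package or the Pomerium project). Names and namespaces are placeholders and every `<...>` value must be replaced. Assumed rather than stated on this page: shared_secret and cookie_secret are 32 random bytes, base64-encoded, and signing_key is a base64-encoded PEM EC private key; the DSN deliberately carries no sslrootcert, sslcert or sslkey because the controller derives those from caSecret and tlsSecret.

```yaml
# Bootstrap parameters referenced by spec.secrets (pomerium/bootstrap).
apiVersion: v1
kind: Secret
metadata:
  name: bootstrap
  namespace: pomerium
type: Opaque
data:
  shared_secret: <base64 of 32 random bytes>     # secures inter-service traffic
  cookie_secret: <base64 of 32 random bytes>     # rotating it invalidates every existing session
  signing_key: <base64 of a PEM EC private key>  # signs the JWT assertion header
---
# IdP client credentials referenced by spec.identityProvider.secret (pomerium/idp).
apiVersion: v1
kind: Secret
metadata:
  name: idp
  namespace: pomerium
type: Opaque
stringData:
  client_id: <client id issued by the IdP>
  client_secret: <client secret issued by the IdP>
---
# Postgres DSN referenced by spec.storage.postgres.secret (pomerium/postgres).
# verify-full needs a root CA; the controller fills sslrootcert from caSecret below.
apiVersion: v1
kind: Secret
metadata:
  name: postgres
  namespace: pomerium
type: Opaque
stringData:
  connection: postgresql://pomerium@db.internal:5432/pomerium?sslmode=verify-full
---
# CA that signed the database server certificate (spec.storage.postgres.caSecret).
apiVersion: v1
kind: Secret
metadata:
  name: postgres-ca
  namespace: pomerium
type: Opaque
data:
  ca.crt: <base64 PEM CA certificate>
---
# Client certificate and key for mutual TLS to Postgres (spec.storage.postgres.tlsSecret).
apiVersion: v1
kind: Secret
metadata:
  name: postgres-client-tls
  namespace: pomerium
type: kubernetes.io/tls
data:
  tls.crt: <base64 PEM client certificate>
  tls.key: <base64 PEM client private key>
```

Because the DSN contains no password, the database must authenticate the client by certificate; if you use password auth instead, the connection string is the only place the password lives, so restrict read access to that Secret with RBAC as tightly as the bootstrap Secret.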

func (*PostgresStorage) DeepCopy

func (in *PostgresStorage) DeepCopy() *PostgresStorage

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PostgresStorage.

func (*PostgresStorage) DeepCopyInto

func (in *PostgresStorage) DeepCopyInto(out *PostgresStorage)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type RefreshDirectorySettings

type RefreshDirectorySettings struct {
	// Interval is how often Pomerium syncs your IdP directory.
	// +kubebuilder:validation:Format=duration
	Interval metav1.Duration `json:"interval"`
	// Timeout is the maximum time allowed for each sync run.
	// +kubebuilder:validation:Format=duration
	Timeout metav1.Duration `json:"timeout"`
}

RefreshDirectorySettings defines how frequently the directory should update. It is only used by the deprecated IdentityProvider.RefreshDirectory field; directory sync is no longer supported.

func (*RefreshDirectorySettings) DeepCopy

func (in *RefreshDirectorySettings) DeepCopy() *RefreshDirectorySettings

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RefreshDirectorySettings.

func (*RefreshDirectorySettings) DeepCopyInto

func (in *RefreshDirectorySettings) DeepCopyInto(out *RefreshDirectorySettings)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type ResourceStatus

type ResourceStatus struct {
	// ObservedGeneration represents the <code>.metadata.generation</code> that was last presented to Pomerium.
	ObservedGeneration int64 `json:"observedGeneration,omitempty"`
	// ObservedAt is when last reconciliation attempt was made.
	ObservedAt metav1.Time `json:"observedAt,omitempty"`
	// Reconciled is whether this object generation was successfully synced with pomerium.
	Reconciled bool `json:"reconciled"`
	// Error that prevented the latest observedGeneration from being synchronized with Pomerium.
	// +optional
	Error *string `json:"error"`
	// Warnings while parsing the resource.
	// +optional
	Warnings []string `json:"warnings"`
}

ResourceStatus represents the outcome of the latest attempt to reconcile the relevant Kubernetes resource with Pomerium.

func (*ResourceStatus) DeepCopy

func (in *ResourceStatus) DeepCopy() *ResourceStatus

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResourceStatus.

func (*ResourceStatus) DeepCopyInto

func (in *ResourceStatus) DeepCopyInto(out *ResourceStatus)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type Storage

type Storage struct {
	// Postgres specifies PostgreSQL database connection parameters
	// +kubebuilder:validation:Optional
	Postgres *PostgresStorage `json:"postgres"`
}

Storage defines the persistent storage option for the databroker. It is only applied for the all-in-one Pomerium bootstrap and has no effect for a split-mode deployment. If Storage is specified, the `postgres` parameter should be set. Omit storage to use the in-memory storage implementation.

func (*Storage) DeepCopy

func (in *Storage) DeepCopy() *Storage

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Storage.

func (*Storage) DeepCopyInto

func (in *Storage) DeepCopyInto(out *Storage)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type Timeouts added in v0.23.0

type Timeouts struct {
	// Read specifies the amount of time for the entire request stream to be received from the client.
	// +kubebuilder:validation:Format=duration
	// +optional
	Read *metav1.Duration `json:"read,omitempty"`

	// Write specifies the maximum stream duration, that is, the maximum time that a stream’s lifetime will span.
	// An HTTP request/response exchange fully consumes a single stream.
	// Therefore, this value must be greater than the read timeout, as it covers both request and response time.
	// +kubebuilder:validation:Format=duration
	// +optional
	Write *metav1.Duration `json:"write,omitempty"`

	// Idle specifies the time at which a downstream or upstream connection will be terminated if there are no active streams.
	// +kubebuilder:validation:Format=duration
	// +optional
	Idle *metav1.Duration `json:"idle,omitempty"`
}

Timeouts configures global timeouts for all routes.

func (*Timeouts) DeepCopy added in v0.23.0

func (in *Timeouts) DeepCopy() *Timeouts

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Timeouts.

func (*Timeouts) DeepCopyInto added in v0.23.0

func (in *Timeouts) DeepCopyInto(out *Timeouts)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
