Documentation
Overview
Package v1alpha1 is the v1alpha1 version of the Pinniped supervisor configuration API.
Index
- Constants
- Variables
- func Resource(resource string) schema.GroupResource
- type FederationDomain
- type FederationDomainIdentityProvider
- type FederationDomainList
- type FederationDomainPhase
- type FederationDomainSecrets
- type FederationDomainSpec
- type FederationDomainStatus
- type FederationDomainTLSSpec
- type FederationDomainTransforms
- type FederationDomainTransformsConstant
- type FederationDomainTransformsExample
- type FederationDomainTransformsExampleExpects
- type FederationDomainTransformsExpression
- type GrantType
- type OIDCClient
- type OIDCClientList
- type OIDCClientPhase
- type OIDCClientSpec
- type OIDCClientStatus
- type OIDCClientTokenLifetimes
- type RedirectURI
- type Scope
Constants

```go
const GroupName = "config.supervisor.pinniped.dev"
```

Variables

```go
var (
	SchemeBuilder runtime.SchemeBuilder
	AddToScheme   = localSchemeBuilder.AddToScheme
)
```

```go
var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha1"}
```

SchemeGroupVersion is the group version used to register these objects.

Functions

func Resource

```go
func Resource(resource string) schema.GroupResource
```

Resource takes an unqualified resource and returns a Group qualified GroupResource.
Types ¶
type FederationDomain

```go
type FederationDomain struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	// Spec of the OIDC provider.
	Spec FederationDomainSpec `json:"spec"`

	// Status of the OIDC provider.
	Status FederationDomainStatus `json:"status,omitempty"`
}
```

FederationDomain describes the configuration of an OIDC provider.

+genclient
+k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+kubebuilder:resource:categories=pinniped
+kubebuilder:printcolumn:name="Issuer",type=string,JSONPath=`.spec.issuer`
+kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.phase`
+kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
+kubebuilder:subresource:status

func (*FederationDomain) DeepCopy

```go
func (in *FederationDomain) DeepCopy() *FederationDomain
```

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FederationDomain.

func (*FederationDomain) DeepCopyInto

```go
func (in *FederationDomain) DeepCopyInto(out *FederationDomain)
```

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*FederationDomain) DeepCopyObject

```go
func (in *FederationDomain) DeepCopyObject() runtime.Object
```

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type FederationDomainIdentityProvider

```go
type FederationDomainIdentityProvider struct {
	// DisplayName is the name of this identity provider as it will appear to clients. This name ends up in the
	// kubeconfig of end users, so changing the name of an identity provider that is in use by end users will be a
	// disruptive change for those users.
	// +kubebuilder:validation:MinLength=1
	DisplayName string `json:"displayName"`

	// ObjectRef is a reference to a Pinniped identity provider resource. A valid reference is required.
	// If the reference cannot be resolved then the identity provider will not be made available.
	// Must refer to a resource of one of the Pinniped identity provider types, e.g. OIDCIdentityProvider,
	// LDAPIdentityProvider, ActiveDirectoryIdentityProvider.
	ObjectRef corev1.TypedLocalObjectReference `json:"objectRef"`

	// Transforms is an optional way to specify transformations to be applied during user authentication and
	// session refresh.
	// +optional
	Transforms FederationDomainTransforms `json:"transforms,omitempty"`
}
```

FederationDomainIdentityProvider describes how an identity provider is made available in this FederationDomain.

func (*FederationDomainIdentityProvider) DeepCopy

```go
func (in *FederationDomainIdentityProvider) DeepCopy() *FederationDomainIdentityProvider
```

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FederationDomainIdentityProvider.

func (*FederationDomainIdentityProvider) DeepCopyInto

```go
func (in *FederationDomainIdentityProvider) DeepCopyInto(out *FederationDomainIdentityProvider)
```

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type FederationDomainList

```go
type FederationDomainList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`

	Items []FederationDomain `json:"items"`
}
```

List of FederationDomain objects.

+k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

func (*FederationDomainList) DeepCopy

```go
func (in *FederationDomainList) DeepCopy() *FederationDomainList
```

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FederationDomainList.

func (*FederationDomainList) DeepCopyInto

```go
func (in *FederationDomainList) DeepCopyInto(out *FederationDomainList)
```

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*FederationDomainList) DeepCopyObject

```go
func (in *FederationDomainList) DeepCopyObject() runtime.Object
```

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type FederationDomainPhase

```go
type FederationDomainPhase string
```

```go
const (
	// FederationDomainPhasePending is the default phase for newly-created FederationDomain resources.
	FederationDomainPhasePending FederationDomainPhase = "Pending"

	// FederationDomainPhaseReady is the phase for a FederationDomain resource in a healthy state.
	FederationDomainPhaseReady FederationDomainPhase = "Ready"

	// FederationDomainPhaseError is the phase for a FederationDomain in an unhealthy state.
	FederationDomainPhaseError FederationDomainPhase = "Error"
)
```
type FederationDomainSecrets

```go
type FederationDomainSecrets struct {
	// JWKS holds the name of the corev1.Secret in which this OIDC Provider's signing/verification keys are
	// stored. If it is empty, then the signing/verification keys are either unknown or they don't
	// exist.
	// +optional
	JWKS corev1.LocalObjectReference `json:"jwks,omitempty"`

	// TokenSigningKey holds the name of the corev1.Secret in which this OIDC Provider's key for
	// signing tokens is stored.
	// +optional
	TokenSigningKey corev1.LocalObjectReference `json:"tokenSigningKey,omitempty"`

	// StateSigningKey holds the name of the corev1.Secret in which this OIDC Provider's key for
	// signing state parameters is stored.
	// +optional
	StateSigningKey corev1.LocalObjectReference `json:"stateSigningKey,omitempty"`

	// StateEncryptionKey holds the name of the corev1.Secret in which this OIDC Provider's key for
	// encrypting state parameters is stored.
	// +optional
	StateEncryptionKey corev1.LocalObjectReference `json:"stateEncryptionKey,omitempty"`
}
```

FederationDomainSecrets holds information about this OIDC Provider's secrets.

func (*FederationDomainSecrets) DeepCopy

```go
func (in *FederationDomainSecrets) DeepCopy() *FederationDomainSecrets
```

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FederationDomainSecrets.

func (*FederationDomainSecrets) DeepCopyInto

```go
func (in *FederationDomainSecrets) DeepCopyInto(out *FederationDomainSecrets)
```

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type FederationDomainSpec

```go
type FederationDomainSpec struct {
	// Issuer is the OIDC Provider's issuer, per the OIDC Discovery Metadata document, as well as the
	// identifier that it will use for the iss claim in issued JWTs. This field will also be used as
	// the base URL for any endpoints used by the OIDC Provider (e.g., if your issuer is
	// https://example.com/foo, then your authorization endpoint will look like
	// https://example.com/foo/some/path/to/auth/endpoint).
	//
	// See
	// https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3 for more information.
	// +kubebuilder:validation:MinLength=1
	Issuer string `json:"issuer"`

	// TLS specifies a secret which will contain Transport Layer Security (TLS) configuration for the FederationDomain.
	// +optional
	TLS *FederationDomainTLSSpec `json:"tls,omitempty"`

	// IdentityProviders is the list of identity providers available for use by this FederationDomain.
	//
	// An identity provider CR (e.g. OIDCIdentityProvider or LDAPIdentityProvider) describes how to connect to a server,
	// how to talk in a specific protocol for authentication, and how to use the schema of that server/protocol to
	// extract a normalized user identity. Normalized user identities include a username and a list of group names.
	// In contrast, IdentityProviders describes how to use that normalized identity in those Kubernetes clusters which
	// belong to this FederationDomain. Each entry in IdentityProviders can be configured with arbitrary transformations
	// on that normalized identity. For example, a transformation can add a prefix to all usernames to help avoid
	// accidental conflicts when multiple identity providers have different users with the same username (e.g.
	// "idp1:ryan" versus "idp2:ryan"). Each entry in IdentityProviders can also implement arbitrary authentication
	// rejection policies. Even though a user was able to authenticate with the identity provider, a policy can disallow
	// the authentication to the Kubernetes clusters that belong to this FederationDomain. For example, a policy could
	// disallow the authentication unless the user belongs to a specific group in the identity provider.
	//
	// For backwards compatibility with versions of Pinniped which predate support for multiple identity providers,
	// an empty IdentityProviders list will cause the FederationDomain to use all available identity providers which
	// exist in the same namespace, but also to reject all authentication requests when there is more than one identity
	// provider currently defined. In this backwards compatibility mode, the name of the identity provider resource
	// (e.g. the Name of an OIDCIdentityProvider resource) will be used as the name of the identity provider in this
	// FederationDomain. This mode is provided to make upgrading from older versions easier. However, instead of
	// relying on this backwards compatibility mode, please consider this mode to be deprecated and please instead
	// explicitly list the identity provider using this IdentityProviders field.
	//
	// +optional
	IdentityProviders []FederationDomainIdentityProvider `json:"identityProviders,omitempty"`
}
```

FederationDomainSpec is a struct that describes an OIDC Provider.

func (*FederationDomainSpec) DeepCopy

```go
func (in *FederationDomainSpec) DeepCopy() *FederationDomainSpec
```

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FederationDomainSpec.

func (*FederationDomainSpec) DeepCopyInto

```go
func (in *FederationDomainSpec) DeepCopyInto(out *FederationDomainSpec)
```

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
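The two resolution behaviours that the IdentityProviders comment describes (an explicit list, and the deprecated empty-list mode that rejects every request once more than one provider exists in the namespace), worked through as an added Go example. This is not Pinniped's own resolver: the types objectRef, fdIdentityProvider and availableIDP are simplified stand-ins for the API types above, and the function and the sample resources are this example's own.

```go
package main

import "fmt"

// Constructed stand-ins for the shapes on this page; this is an added example, not Pinniped's resolver.
type objectRef struct{ Kind, Name string }

type fdIdentityProvider struct {
	DisplayName string
	ObjectRef   objectRef
}

// availableIDP is what the FederationDomain ends up offering to clients: the name end
// users see in their kubeconfig, and the provider resource it maps to.
type availableIDP struct {
	DisplayName string
	Ref         objectRef
}

// resolveIdentityProviders follows the IdentityProviders field comment. With an explicit list,
// each ObjectRef must exist in the namespace; entries that do not resolve are reported in
// unresolved and left out, without failing the whole domain. With an empty list (the deprecated
// backwards-compatibility mode) every provider in the namespace is used under its own resource
// name, except that more than one provider means every authentication request is rejected,
// which this function surfaces as an error.
func resolveIdentityProviders(spec []fdIdentityProvider, inNamespace []objectRef) (available []availableIDP, unresolved []string, err error) {
	if len(spec) == 0 {
		if len(inNamespace) > 1 {
			return nil, nil, fmt.Errorf("backwards-compatibility mode with %d identity providers in the namespace: "+
				"all authentication requests will be rejected; list the providers explicitly in identityProviders", len(inNamespace))
		}
		for _, ref := range inNamespace {
			available = append(available, availableIDP{DisplayName: ref.Name, Ref: ref})
		}
		return available, nil, nil
	}
	exists := map[objectRef]bool{}
	for _, ref := range inNamespace {
		exists[ref] = true
	}
	for _, p := range spec {
		if !exists[p.ObjectRef] {
			unresolved = append(unresolved, fmt.Sprintf("%s %q (displayName %q)", p.ObjectRef.Kind, p.ObjectRef.Name, p.DisplayName))
			continue
		}
		available = append(available, availableIDP{DisplayName: p.DisplayName, Ref: p.ObjectRef})
	}
	return available, unresolved, nil
}

func main() {
	// Constructed sample: two provider resources exist; the spec names one correctly and one with a typo.
	inNS := []objectRef{{"OIDCIdentityProvider", "corp-oidc"}, {"LDAPIdentityProvider", "corp-ldap"}}
	spec := []fdIdentityProvider{
		{DisplayName: "Corporate SSO", ObjectRef: objectRef{"OIDCIdentityProvider", "corp-oidc"}},
		{DisplayName: "Directory", ObjectRef: objectRef{"LDAPIdentityProvider", "corp-ldpa"}},
	}
	available, unresolved, err := resolveIdentityProviders(spec, inNS)
	fmt.Println(available, unresolved, err)
	_, _, err = resolveIdentityProviders(nil, inNS)
	fmt.Println(err)
}
```

The second call in main shows why the comment calls the empty-list mode deprecated: adding a second provider resource to the namespace silently turns a working FederationDomain into one that rejects everyone, whereas an explicit list only loses the entries that fail to resolve.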
type FederationDomainStatus

```go
type FederationDomainStatus struct {
	// Phase summarizes the overall status of the FederationDomain.
	// +kubebuilder:default=Pending
	// +kubebuilder:validation:Enum=Pending;Ready;Error
	Phase FederationDomainPhase `json:"phase,omitempty"`

	// Conditions represent the observations of a FederationDomain's current state.
	// +patchMergeKey=type
	// +patchStrategy=merge
	// +listType=map
	// +listMapKey=type
	Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"`

	// Secrets contains information about this OIDC Provider's secrets.
	// +optional
	Secrets FederationDomainSecrets `json:"secrets,omitempty"`
}
```

FederationDomainStatus is a struct that describes the actual state of an OIDC Provider.

func (*FederationDomainStatus) DeepCopy

```go
func (in *FederationDomainStatus) DeepCopy() *FederationDomainStatus
```

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FederationDomainStatus.

func (*FederationDomainStatus) DeepCopyInto

```go
func (in *FederationDomainStatus) DeepCopyInto(out *FederationDomainStatus)
```

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type FederationDomainTLSSpec

```go
type FederationDomainTLSSpec struct {
	// SecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains
	// the TLS serving certificate for the HTTPS endpoints served by this FederationDomain. When provided, the TLS Secret
	// named here must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use
	// for TLS.
	//
	// Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers.
	//
	// SecretName is required if you would like to use different TLS certificates for issuers of different hostnames.
	// SNI requests do not include port numbers, so all issuers with the same DNS hostname must use the same
	// SecretName value even if they have different port numbers.
	//
	// SecretName is not required when you would like to use only the HTTP endpoints (e.g. when the HTTP listener is
	// configured to listen on loopback interfaces or UNIX domain sockets for traffic from a service mesh sidecar).
	// It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to
	// use the default TLS certificate, which is configured elsewhere.
	//
	// When your Issuer URL's host is an IP address, then this field is ignored. SNI does not work for IP addresses.
	//
	// +optional
	SecretName string `json:"secretName,omitempty"`
}
```

FederationDomainTLSSpec is a struct that describes the TLS configuration for an OIDC Provider.

func (*FederationDomainTLSSpec) DeepCopy

```go
func (in *FederationDomainTLSSpec) DeepCopy() *FederationDomainTLSSpec
```

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FederationDomainTLSSpec.

func (*FederationDomainTLSSpec) DeepCopyInto

```go
func (in *FederationDomainTLSSpec) DeepCopyInto(out *FederationDomainTLSSpec)
```

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
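The SNI constraint in the SecretName comment (the port is not part of SNI, so issuers that share a DNS hostname must name the same Secret, and an IP-address host cannot be selected by SNI at all) is easy to violate when several FederationDomains are spread across ports. The check below is an added Go example, not part of Pinniped: issuerTLS is a constructed pairing of spec.issuer with spec.tls.secretName, and both functions are this example's own.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
	"strings"
)

// issuerTLS pairs a FederationDomain's spec.issuer with its spec.tls.secretName
// ("" means the default certificate configured elsewhere). Constructed shape for this example.
type issuerTLS struct{ Issuer, SecretName string }

// sniKey returns the name a TLS client sends in SNI for this issuer: the DNS hostname,
// lower-cased, without the port. ok is false when the host is an IP address, where SNI
// cannot select a certificate and the page says SecretName is ignored.
func sniKey(issuer string) (string, bool, error) {
	u, err := url.Parse(issuer)
	if err != nil {
		return "", false, err
	}
	host := strings.ToLower(u.Hostname()) // Hostname() strips the port and IPv6 brackets
	if host == "" {
		return "", false, fmt.Errorf("issuer %q has no host", issuer)
	}
	if net.ParseIP(host) != nil {
		return "", false, nil
	}
	return host, true, nil
}

// checkSecretNames enforces the page's rule that issuers sharing a DNS hostname must use
// the same SecretName: the server sees only the hostname in SNI, so it cannot pick a
// different certificate per port.
func checkSecretNames(domains []issuerTLS) error {
	first := map[string]issuerTLS{}
	for _, d := range domains {
		key, ok, err := sniKey(d.Issuer)
		if err != nil {
			return err
		}
		if !ok {
			continue // IP host: secretName is ignored, nothing to compare
		}
		if prev, seen := first[key]; seen && prev.SecretName != d.SecretName {
			return fmt.Errorf("issuers %q and %q share hostname %q but name secrets %q and %q",
				prev.Issuer, d.Issuer, key, prev.SecretName, d.SecretName)
		} else if !seen {
			first[key] = d
		}
	}
	return nil
}

func main() {
	// Constructed sample: two issuers on the same host but different ports, plus an IP-address issuer.
	err := checkSecretNames([]issuerTLS{
		{"https://sso.example.com/issuer-a", "sso-tls"},
		{"https://sso.example.com:8443/issuer-b", "other-tls"},
		{"https://10.0.0.5/issuer-c", "ignored-for-ip"},
	})
	fmt.Println(err)
}
```

The IP-address case is skipped rather than flagged because the page states the field is simply ignored there; the practical consequence is that such an issuer is always served with the default certificate, which is worth confirming before relying on it.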
type FederationDomainTransforms

```go
type FederationDomainTransforms struct {
	// Constants defines constant variables and their values which will be made available to the transform expressions.
	// +patchMergeKey=name
	// +patchStrategy=merge
	// +listType=map
	// +listMapKey=name
	// +optional
	Constants []FederationDomainTransformsConstant `json:"constants,omitempty"`

	// Expressions are an optional list of transforms and policies to be executed in the order given during every
	// authentication attempt, including during every session refresh.
	// Each is a CEL expression. It may use the basic CEL language as defined in
	// https://github.com/google/cel-spec/blob/master/doc/langdef.md plus the CEL string extensions defined in
	// https://github.com/google/cel-go/tree/master/ext#strings.
	//
	// The username and groups extracted from the identity provider, and the constants defined in this CR, are
	// available as variables in all expressions. The username is provided via a variable called `username` and
	// the list of group names is provided via a variable called `groups` (which may be an empty list).
	// Each user-provided constant is provided via a variable named `strConst.varName` for string constants
	// and `strListConst.varName` for string list constants.
	//
	// The only allowed types for expressions are currently policy/v1, username/v1, and groups/v1.
	// Each policy/v1 must return a boolean, and when it returns false, no more expressions from the list are evaluated
	// and the authentication attempt is rejected.
	// Transformations of type policy/v1 do not return usernames or group names, and therefore cannot change the
	// username or group names.
	// Each username/v1 transform must return the new username (a string), which can be the same as the old username.
	// Transformations of type username/v1 do not return group names, and therefore cannot change the group names.
	// Each groups/v1 transform must return the new groups list (list of strings), which can be the same as the old
	// groups list.
	// Transformations of type groups/v1 do not return usernames, and therefore cannot change the usernames.
	// After each expression, the new (potentially changed) username or groups get passed to the following expression.
	//
	// Any compilation or static type-checking failure of any expression will cause an error status on the FederationDomain.
	// During an authentication attempt, any unexpected runtime evaluation errors (e.g. division by zero) cause the
	// authentication attempt to fail. When all expressions evaluate successfully, then the (potentially changed) username
	// and group names have been decided for that authentication attempt.
	//
	// +optional
	Expressions []FederationDomainTransformsExpression `json:"expressions,omitempty"`

	// Examples can optionally be used to ensure that the sequence of transformation expressions is working as
	// expected. Examples define sample input identities which are then run through the expression list, and the
	// results are compared to the expected results. If any example in this list fails, then this
	// identity provider will not be available for use within this FederationDomain, and the error(s) will be
	// added to the FederationDomain status. This can be used to help guard against programming mistakes in the
	// expressions, and also act as living documentation for other administrators to better understand the expressions.
	// +optional
	Examples []FederationDomainTransformsExample `json:"examples,omitempty"`
}
```

FederationDomainTransforms defines identity transformations for an identity provider's usage on a FederationDomain.

func (*FederationDomainTransforms) DeepCopy

```go
func (in *FederationDomainTransforms) DeepCopy() *FederationDomainTransforms
```

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FederationDomainTransforms.

func (*FederationDomainTransforms) DeepCopyInto

```go
func (in *FederationDomainTransforms) DeepCopyInto(out *FederationDomainTransforms)
```

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type FederationDomainTransformsConstant

```go
type FederationDomainTransformsConstant struct {
	// Name determines the name of the constant. It must be a valid identifier name.
	// +kubebuilder:validation:Pattern=`^[a-zA-Z][_a-zA-Z0-9]*$`
	// +kubebuilder:validation:MinLength=1
	// +kubebuilder:validation:MaxLength=64
	Name string `json:"name"`

	// Type determines the type of the constant, and indicates which other field should be non-empty.
	// Allowed values are "string" or "stringList".
	// +kubebuilder:validation:Enum=string;stringList
	Type string `json:"type"`

	// StringValue should hold the value when Type is "string", and is otherwise ignored.
	// +optional
	StringValue string `json:"stringValue,omitempty"`

	// StringListValue should hold the value when Type is "stringList", and is otherwise ignored.
	// +optional
	StringListValue []string `json:"stringListValue,omitempty"`
}
```

FederationDomainTransformsConstant defines a constant variable and its value which will be made available to the transform expressions. This is a union type, and Type is the discriminator field.

func (*FederationDomainTransformsConstant) DeepCopy

```go
func (in *FederationDomainTransformsConstant) DeepCopy() *FederationDomainTransformsConstant
```

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FederationDomainTransformsConstant.

func (*FederationDomainTransformsConstant) DeepCopyInto

```go
func (in *FederationDomainTransformsConstant) DeepCopyInto(out *FederationDomainTransformsConstant)
```

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type FederationDomainTransformsExample

```go
type FederationDomainTransformsExample struct {
	// Username is the input username.
	// +kubebuilder:validation:MinLength=1
	Username string `json:"username"`

	// Groups is the input list of group names.
	// +optional
	Groups []string `json:"groups,omitempty"`

	// Expects is the expected output of the entire sequence of transforms when they are run against the
	// input Username and Groups.
	Expects FederationDomainTransformsExampleExpects `json:"expects"`
}
```

FederationDomainTransformsExample defines a transform example.

func (*FederationDomainTransformsExample) DeepCopy

```go
func (in *FederationDomainTransformsExample) DeepCopy() *FederationDomainTransformsExample
```

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FederationDomainTransformsExample.

func (*FederationDomainTransformsExample) DeepCopyInto

```go
func (in *FederationDomainTransformsExample) DeepCopyInto(out *FederationDomainTransformsExample)
```

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type FederationDomainTransformsExampleExpects

```go
type FederationDomainTransformsExampleExpects struct {
	// Username is the expected username after the transformations have been applied.
	// +optional
	Username string `json:"username,omitempty"`

	// Groups is the expected list of group names after the transformations have been applied.
	// +optional
	Groups []string `json:"groups,omitempty"`

	// Rejected is a boolean that indicates whether authentication is expected to be rejected by a policy expression
	// after the transformations have been applied. True means that it is expected that the authentication would be
	// rejected. The default value of false means that it is expected that the authentication would not be rejected
	// by any policy expression.
	// +optional
	Rejected bool `json:"rejected,omitempty"`

	// Message is the expected error message of the transforms. When Rejected is true, then Message is the expected
	// message for the policy which rejected the authentication attempt. When Rejected is true and Message is blank,
	// then Message will be treated as the default error message for authentication attempts which are rejected by a
	// policy. When Rejected is false, then Message is the expected error message for some other non-policy
	// transformation error, such as a runtime error. When Rejected is false, there is no default expected Message.
	// +optional
	Message string `json:"message,omitempty"`
}
```

FederationDomainTransformsExampleExpects defines the expected result for a transforms example.

func (*FederationDomainTransformsExampleExpects) DeepCopy

```go
func (in *FederationDomainTransformsExampleExpects) DeepCopy() *FederationDomainTransformsExampleExpects
```

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FederationDomainTransformsExampleExpects.

func (*FederationDomainTransformsExampleExpects) DeepCopyInto

```go
func (in *FederationDomainTransformsExampleExpects) DeepCopyInto(out *FederationDomainTransformsExampleExpects)
```

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
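The evaluation order and rejection semantics in the FederationDomainTransforms.Expressions comment, and the way FederationDomainTransformsExample and its Expects check them (including the rule that a blank Message with Rejected means the default policy message), worked through as one added Go example that serves both passages. It is not Pinniped's evaluator: CEL is not in the Go standard library, so each expression is modelled as a Go closure with the return type its Type allows, constants are captured by those closures instead of being `strConst`/`strListConst` variables, the default rejection message is a constructed placeholder, and the sample configuration and examples are this example's own.

```go
package main

import "fmt"

// identity carries the page's CEL `username` and `groups` variables through the pipeline.
// Constants (strConst/strListConst) are captured by the Go closures below instead, because
// CEL is not in the Go standard library; that substitution is this example's assumption.
type identity struct {
	Username string
	Groups   []string
}

// expression is one FederationDomainTransforms.Expressions entry: exactly one closure is
// set, matching Type, and its return type enforces what that type may change.
type expression struct {
	Type     string // "policy/v1", "username/v1" or "groups/v1"
	Message  string // policy/v1 only; empty selects the default message
	Policy   func(identity) (bool, error)
	Username func(identity) (string, error)
	Groups   func(identity) ([]string, error)
}

// Constructed placeholder; the real default rejection text is not on the page.
const defaultRejectMessage = "authentication was rejected by a policy expression"

func orDefault(msg string) string {
	if msg == "" {
		return defaultRejectMessage
	}
	return msg
}

// runTransforms evaluates the list in order: a false policy stops evaluation and returns its
// message as rejected, any closure error fails the attempt, and each username/v1 or groups/v1
// result is what the following expression sees.
func runTransforms(exprs []expression, in identity) (out identity, rejected string, err error) {
	out = identity{Username: in.Username, Groups: append([]string{}, in.Groups...)}
	for i, e := range exprs {
		switch e.Type {
		case "policy/v1":
			var ok bool
			if ok, err = e.Policy(out); err == nil && !ok {
				return identity{}, orDefault(e.Message), nil
			}
		case "username/v1":
			out.Username, err = e.Username(out)
		case "groups/v1":
			out.Groups, err = e.Groups(out)
		default:
			err = fmt.Errorf("unsupported type %q", e.Type)
		}
		if err != nil {
			return identity{}, "", fmt.Errorf("expression %d (%s): %w", i, e.Type, err)
		}
	}
	return out, "", nil
}

// transformsExample mirrors FederationDomainTransformsExample and its Expects.
type transformsExample struct {
	Input, Expects identity
	Rejected       bool
	Message        string // blank with Rejected means the default policy message is expected
}

// checkExample returns "" when the example passes, otherwise the reason, which is what would
// be reported in the FederationDomain status and make the identity provider unavailable.
func checkExample(exprs []expression, ex transformsExample) string {
	got, rejected, err := runTransforms(exprs, ex.Input)
	switch {
	case err != nil:
		return fmt.Sprintf("unexpected error: %v", err)
	case ex.Rejected && rejected != orDefault(ex.Message):
		return fmt.Sprintf("expected rejection %q, got rejected=%q", orDefault(ex.Message), rejected)
	case !ex.Rejected && (rejected != "" || fmt.Sprint(got) != fmt.Sprint(ex.Expects)):
		return fmt.Sprintf("got %+v rejected=%q, want %+v", got, rejected, ex.Expects)
	}
	return ""
}

// sampleTransforms is a constructed configuration: only members of an allowed group may
// authenticate, usernames get a prefix, and the groups list is filtered to the allowed set.
func sampleTransforms() []expression {
	prefix := "corp:"                                              // strConst.prefix
	allowedGroups := map[string]bool{"admins": true, "devs": true} // strListConst.allowedGroups
	filter := func(id identity) (out []string) {
		for _, g := range id.Groups {
			if allowedGroups[g] {
				out = append(out, g)
			}
		}
		return out
	}
	return []expression{
		{Type: "policy/v1", Message: "only admins and devs may authenticate",
			Policy: func(id identity) (bool, error) { return len(filter(id)) > 0, nil }},
		{Type: "username/v1", Username: func(id identity) (string, error) { return prefix + id.Username, nil }},
		{Type: "groups/v1", Groups: func(id identity) ([]string, error) { return filter(id), nil }},
	}
}

func main() {
	// Constructed examples, as an administrator would write them in spec.identityProviders[].transforms.examples.
	exprs := sampleTransforms()
	fmt.Printf("ryan: failure=%q\n", checkExample(exprs, transformsExample{
		Input: identity{"ryan", []string{"devs", "other"}}, Expects: identity{"corp:ryan", []string{"devs"}}}))
	fmt.Printf("mallory: failure=%q\n", checkExample(exprs, transformsExample{
		Input: identity{"mallory", []string{"other"}}, Rejected: true, Message: "only admins and devs may authenticate"}))
}
```

Two points the page makes fall out of the structure: the policy runs before the username and groups transforms, so a rejected user never reaches them, and a policy with its own Message fails an example that expects the default message, which is the kind of mismatch the Examples field exists to catch before an identity provider goes live.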
type FederationDomainTransformsExpression

```go
type FederationDomainTransformsExpression struct {
	// Type determines the type of the expression. It must be one of the supported types.
	// Allowed values are "policy/v1", "username/v1", or "groups/v1".
	// +kubebuilder:validation:Enum=policy/v1;username/v1;groups/v1
	Type string `json:"type"`

	// Expression is a CEL expression that will be evaluated based on the Type during an authentication.
	// +kubebuilder:validation:MinLength=1
	Expression string `json:"expression"`

	// Message is only used when Type is policy/v1. It defines an error message to be used when the policy rejects
	// an authentication attempt. When empty, a default message will be used.
	// +optional
	Message string `json:"message,omitempty"`
}
```

FederationDomainTransformsExpression defines a transform expression.

func (*FederationDomainTransformsExpression) DeepCopy

```go
func (in *FederationDomainTransformsExpression) DeepCopy() *FederationDomainTransformsExpression
```

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FederationDomainTransformsExpression.

func (*FederationDomainTransformsExpression) DeepCopyInto

```go
func (in *FederationDomainTransformsExpression) DeepCopyInto(out *FederationDomainTransformsExpression)
```

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type GrantType

```go
type GrantType string
```

+kubebuilder:validation:Enum="authorization_code";"refresh_token";"urn:ietf:params:oauth:grant-type:token-exchange"
type OIDCClient

```go
type OIDCClient struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	// Spec of the OIDC client.
	Spec OIDCClientSpec `json:"spec"`

	// Status of the OIDC client.
	Status OIDCClientStatus `json:"status,omitempty"`
}
```

OIDCClient describes the configuration of an OIDC client.

+genclient
+k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+kubebuilder:resource:categories=pinniped
+kubebuilder:printcolumn:name="Privileged Scopes",type=string,JSONPath=`.spec.allowedScopes[?(@ == "pinniped:request-audience")]`
+kubebuilder:printcolumn:name="Client Secrets",type=integer,JSONPath=`.status.totalClientSecrets`
+kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.phase`
+kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
+kubebuilder:subresource:status

func (*OIDCClient) DeepCopy

```go
func (in *OIDCClient) DeepCopy() *OIDCClient
```

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClient.

func (*OIDCClient) DeepCopyInto

```go
func (in *OIDCClient) DeepCopyInto(out *OIDCClient)
```

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*OIDCClient) DeepCopyObject

```go
func (in *OIDCClient) DeepCopyObject() runtime.Object
```

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type OIDCClientList

```go
type OIDCClientList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`

	Items []OIDCClient `json:"items"`
}
```

List of OIDCClient objects.

+k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

func (*OIDCClientList) DeepCopy

```go
func (in *OIDCClientList) DeepCopy() *OIDCClientList
```

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientList.

func (*OIDCClientList) DeepCopyInto

```go
func (in *OIDCClientList) DeepCopyInto(out *OIDCClientList)
```

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*OIDCClientList) DeepCopyObject

```go
func (in *OIDCClientList) DeepCopyObject() runtime.Object
```

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type OIDCClientPhase

```go
type OIDCClientPhase string
```

```go
const (
	// OIDCClientPhasePending is the default phase for newly-created OIDCClient resources.
	OIDCClientPhasePending OIDCClientPhase = "Pending"

	// OIDCClientPhaseReady is the phase for an OIDCClient resource in a healthy state.
	OIDCClientPhaseReady OIDCClientPhase = "Ready"

	// OIDCClientPhaseError is the phase for an OIDCClient in an unhealthy state.
	OIDCClientPhaseError OIDCClientPhase = "Error"
)
```
type OIDCClientSpec

```go
type OIDCClientSpec struct {
	// allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this
	// client. Any other uris will be rejected.
	// Must be a URI with the https scheme, unless the hostname is 127.0.0.1 or ::1 which may use the http scheme.
	// Port numbers are not required for 127.0.0.1 or ::1 and are ignored when checking for a matching redirect_uri.
	// +listType=set
	// +kubebuilder:validation:MinItems=1
	AllowedRedirectURIs []RedirectURI `json:"allowedRedirectURIs"`

	// allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this
	// client.
	//
	// Must only contain the following values:
	// - authorization_code: allows the client to perform the authorization code grant flow, i.e. allows the webapp to
	//   authenticate users. This grant must always be listed.
	// - refresh_token: allows the client to perform refresh grants for the user to extend the user's session.
	//   This grant must be listed if allowedScopes lists offline_access.
	// - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange,
	//   which is a step in the process to be able to get a cluster credential for the user.
	//   This grant must be listed if allowedScopes lists pinniped:request-audience.
	// +listType=set
	// +kubebuilder:validation:MinItems=1
	AllowedGrantTypes []GrantType `json:"allowedGrantTypes"`

	// allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client.
	//
	// Must only contain the following values:
	// - openid: The client is allowed to request ID tokens. ID tokens only include the required claims by default (iss, sub, aud, exp, iat).
	//   This scope must always be listed.
	// - offline_access: The client is allowed to request an initial refresh token during the authorization code grant flow.
	//   This scope must be listed if allowedGrantTypes lists refresh_token.
	// - pinniped:request-audience: The client is allowed to request a new audience value during a RFC8693 token exchange,
	//   which is a step in the process to be able to get a cluster credential for the user.
	//   openid, username and groups scopes must be listed when this scope is present.
	//   This scope must be listed if allowedGrantTypes lists urn:ietf:params:oauth:grant-type:token-exchange.
	// - username: The client is allowed to request that ID tokens contain the user's username.
	//   Without the username scope being requested and allowed, the ID token will not contain the user's username.
	// - groups: The client is allowed to request that ID tokens contain the user's group membership,
	//   if their group membership is discoverable by the Supervisor.
	//   Without the groups scope being requested and allowed, the ID token will not contain groups.
	// +listType=set
	// +kubebuilder:validation:MinItems=1
	AllowedScopes []Scope `json:"allowedScopes"`

	// tokenLifetimes are the optional overrides of token lifetimes for an OIDCClient.
	// +optional
	TokenLifetimes OIDCClientTokenLifetimes `json:"tokenLifetimes,omitempty"`
}
```

OIDCClientSpec is a struct that describes an OIDCClient.

func (*OIDCClientSpec) DeepCopy

```go
func (in *OIDCClientSpec) DeepCopy() *OIDCClientSpec
```

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSpec.

func (*OIDCClientSpec) DeepCopyInto

```go
func (in *OIDCClientSpec) DeepCopyInto(out *OIDCClientSpec)
```

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type OIDCClientStatus

```go
type OIDCClientStatus struct {
	// phase summarizes the overall status of the OIDCClient.
	// +kubebuilder:default=Pending
	// +kubebuilder:validation:Enum=Pending;Ready;Error
	Phase OIDCClientPhase `json:"phase,omitempty"`

	// conditions represent the observations of an OIDCClient's current state.
	// +patchMergeKey=type
	// +patchStrategy=merge
	// +listType=map
	// +listMapKey=type
	Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"`

	// totalClientSecrets is the current number of client secrets that are detected for this OIDCClient.
	// +optional
	TotalClientSecrets int32 `json:"totalClientSecrets"` // do not omitempty to allow it to show in the printer column even when it is 0
}
```

OIDCClientStatus is a struct that describes the actual state of an OIDCClient.

func (*OIDCClientStatus) DeepCopy

```go
func (in *OIDCClientStatus) DeepCopy() *OIDCClientStatus
```

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientStatus.

func (*OIDCClientStatus) DeepCopyInto

```go
func (in *OIDCClientStatus) DeepCopyInto(out *OIDCClientStatus)
```

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type OIDCClientTokenLifetimes

```go
type OIDCClientTokenLifetimes struct {
	// idTokenSeconds is the lifetime of ID tokens issued to this client, in seconds. This will choose the lifetime of
	// ID tokens returned by the authorization flow and the refresh grant. It will not influence the lifetime of the ID
	// tokens returned by RFC8693 token exchange. When null, a short-lived default value will be used.
	// This value must be between 120 and 1,800 seconds (30 minutes), inclusive. It is recommended to make these tokens
	// short-lived to force the client to perform the refresh grant often, because the refresh grant will check with the
	// external identity provider to decide if it is acceptable for the end user to continue their session, and will
	// update the end user's group memberships from the external identity provider. Giving these tokens a long life
	// will allow the end user to continue to use a token while avoiding these updates from the external identity
	// provider. However, some web applications may have reasons specific to the design of that application to prefer
	// longer lifetimes.
	// +kubebuilder:validation:Minimum=120
	// +kubebuilder:validation:Maximum=1800
	// +optional
	IDTokenSeconds *int32 `json:"idTokenSeconds,omitempty"`
}
```

OIDCClientTokenLifetimes describes the optional overrides of token lifetimes for an OIDCClient.

func (*OIDCClientTokenLifetimes) DeepCopy

```go
func (in *OIDCClientTokenLifetimes) DeepCopy() *OIDCClientTokenLifetimes
```

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientTokenLifetimes.

func (*OIDCClientTokenLifetimes) DeepCopyInto

```go
func (in *OIDCClientTokenLifetimes) DeepCopyInto(out *OIDCClientTokenLifetimes)
```

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
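The cross-field rules spread over the OIDCClientSpec field comments (the redirect_uri scheme and loopback-port rules, the grant/scope pairings that must be allowed together, the scopes that pinniped:request-audience requires) and the 120 to 1800 second bound on OIDCClientTokenLifetimes.IDTokenSeconds, collected into one added Go example that serves both types. It is not Pinniped's own validation code: oidcClientSpec is a constructed subset of the API type, exact string matching for non-loopback redirect URIs is this example's conservative reading of "any other uris will be rejected", and enum membership of individual values is left to the kubebuilder markers shown on this page.

```go
package main

import (
	"fmt"
	"net/url"
)

// oidcClientSpec is a constructed subset of OIDCClientSpec plus tokenLifetimes.idTokenSeconds;
// this is an added example, not Pinniped's own validation code.
type oidcClientSpec struct {
	AllowedRedirectURIs []string
	AllowedGrantTypes   []string
	AllowedScopes       []string
	IDTokenSeconds      *int32 // nil means the default lifetime
}

const (
	grantAuthCode      = "authorization_code"
	grantRefresh       = "refresh_token"
	grantTokenExchange = "urn:ietf:params:oauth:grant-type:token-exchange"
	scopeRequestAud    = "pinniped:request-audience"
)

func isLoopback(host string) bool { return host == "127.0.0.1" || host == "::1" }

// validateRedirectURI applies the allowedRedirectURIs rule: https is required, except that
// hosts 127.0.0.1 and ::1 may use http.
func validateRedirectURI(raw string) error {
	u, err := url.Parse(raw)
	if err == nil && (u.Scheme == "https" && u.Hostname() != "" || u.Scheme == "http" && isLoopback(u.Hostname())) {
		return nil
	}
	return fmt.Errorf("%q must use https, or http only with host 127.0.0.1 or ::1", raw)
}

// redirectURIMatches compares a requested redirect_uri to an allowed one. The port is ignored
// only for loopback hosts, as the page states; for any other host this example assumes an exact
// string match, the conservative reading of "any other uris will be rejected".
func redirectURIMatches(allowed, requested string) bool {
	a, errA := url.Parse(allowed)
	r, errR := url.Parse(requested)
	if errA != nil || errR != nil {
		return false
	}
	if isLoopback(a.Hostname()) && isLoopback(r.Hostname()) {
		return a.Scheme == r.Scheme && a.Hostname() == r.Hostname() && a.Path == r.Path && a.RawQuery == r.RawQuery
	}
	return allowed == requested
}

func has(list []string, v string) bool {
	for _, x := range list {
		if x == v {
			return true
		}
	}
	return false
}

// validateOIDCClientSpec returns every violated cross-field rule from the field comments above
// (enum membership of the individual values is left to the kubebuilder validation markers).
func validateOIDCClientSpec(s oidcClientSpec) (problems []string) {
	add := func(format string, a ...any) { problems = append(problems, fmt.Sprintf(format, a...)) }
	if len(s.AllowedRedirectURIs) == 0 {
		add("allowedRedirectURIs must list at least one URI")
	}
	for _, u := range s.AllowedRedirectURIs {
		if err := validateRedirectURI(u); err != nil {
			add("allowedRedirectURIs: %v", err)
		}
	}
	grants, scopes := s.AllowedGrantTypes, s.AllowedScopes
	if !has(grants, grantAuthCode) {
		add("allowedGrantTypes must always include %s", grantAuthCode)
	}
	if !has(scopes, "openid") {
		add("allowedScopes must always include openid")
	}
	if has(scopes, "offline_access") != has(grants, grantRefresh) {
		add("the offline_access scope and the %s grant must be allowed together", grantRefresh)
	}
	if has(scopes, scopeRequestAud) != has(grants, grantTokenExchange) {
		add("the %s scope and the %s grant must be allowed together", scopeRequestAud, grantTokenExchange)
	}
	if has(scopes, scopeRequestAud) {
		for _, req := range []string{"username", "groups"} { // openid is already mandatory above
			if !has(scopes, req) {
				add("the %s scope requires the %s scope", scopeRequestAud, req)
			}
		}
	}
	if s.IDTokenSeconds != nil && (*s.IDTokenSeconds < 120 || *s.IDTokenSeconds > 1800) {
		add("idTokenSeconds must be between 120 and 1800 inclusive, got %d", *s.IDTokenSeconds)
	}
	return problems
}

func main() {
	// Constructed misconfiguration: a non-loopback http redirect and a privileged scope without its grant.
	fmt.Println(validateOIDCClientSpec(oidcClientSpec{
		AllowedRedirectURIs: []string{"http://app.example.com/callback"},
		AllowedGrantTypes:   []string{grantAuthCode},
		AllowedScopes:       []string{"openid", scopeRequestAud},
	}))
}
```

Reporting every violation at once rather than stopping at the first mirrors how an admission-time validator is most useful to an administrator; redirectURIMatches is kept separate because it runs on every authorization request, where the loopback port exception is the only intended looseness.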
type RedirectURI

```go
type RedirectURI string
```

+kubebuilder:validation:Pattern=`^https://.+|^http://(127\.0\.0\.1|\[::1\])(:\d+)?/`